Ravens PHP Scripts: Forums -> Security - PHP Nuke
gsicard (Regular; Joined: May 21, 2003; Posts: 50; Location: Suffolk, VA USA)
Posted: Wed Mar 31, 2004 7:29 pm

Hi Raven,
Thanks for taking the time to talk with me today. After digging around in my database I found some weird things... here we go.

More info: I noticed that my Last_Referer block was displaying the web pages for the actual referer links... here is what I found in my nuke_referer table:

Code:
INSERT INTO nuke_referer VALUES (911, 'http://www.molosserdogs.com/admin.php?op=banIP');
INSERT INTO nuke_referer VALUES (912, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (913, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (914, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (915, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (916, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (917, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (918, '"><iframe src="mailto:CyberPunk Ownz, Enjoy!" height="0" width="0');
INSERT INTO nuke_referer VALUES (919, '"><iframe src="mailto:CyberPunk Ownz, Enjoy!" height="0" width="0');
INSERT INTO nuke_referer VALUES (920, 'telnet://');
INSERT INTO nuke_referer VALUES (921, 'telnet://');
INSERT INTO nuke_referer VALUES (922, '"><META http-equiv="refresh" content="0;URL=http://google.com');
INSERT INTO nuke_referer VALUES (923, 'http://www.nukecops.com/postt26148.html');
INSERT INTO nuke_referer VALUES (924, 'http://www.nukecops.com/postt26148.html');
INSERT INTO nuke_referer VALUES (925, 'http://www.neapolitan.org/phpBB/viewtopic.php?t=3284');
INSERT INTO nuke_referer VALUES (926, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (927, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (928, 'http://www.caucasian.org/');
INSERT INTO nuke_referer VALUES (929, 'http://home.no.net/cindya/');
INSERT INTO nuke_referer VALUES (930, 'http://home.no.net/cindya/');
INSERT INTO nuke_referer VALUES (931, 'http://www.nukecops.com/postp115055.html');

And this was found in my nuke_referer table:

[screenshot not preserved]

So, does this mean that Cyber Punk used caucasian.org to stage their attack on block_Last_Referer.php? Is this a Nuke-wide thing or just specific to my site?
sixonetonoffun (Spouse Contemplates Divorce; Joined: Jan 02, 2003; Posts: 2496)
Posted: Wed Mar 31, 2004 7:47 pm

Grab your logs. It must be an SQL injection, because iframe "shouldn't" pass the sec filter in mainfile.php.

gsicard
Posted: Wed Mar 31, 2004 7:51 pm

I got the logs. And I had also added Chatserv's patch to admin.php, so this was a surprise. I deleted the Last_Referer block until there is a fix. Wish I was smart enough to fix it myself... hehee.

sixonetonoffun
Posted: Wed Mar 31, 2004 7:55 pm

Search the log for %20; that might narrow it down.

gsicard
Posted: Wed Mar 31, 2004 8:51 pm

Found this:
Code:
HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

67.74.216.79 - - [31/Mar/2004:15:41:17 -0500] "GET /mailt..</a><br></font></td>%20%20%20%20%20%20%20%20%20%20%20</tr>%20%20%20%20%20%20%20%20%20</table>%20%20%20%20%20%20%20%20</td>%20%20%20%20%20%20</tr>%20%20%20%20</table>%20%20%20</td>%20%20%20</tr>%20%20</table>%20%20</td>%20%20</tr></table><table%20border= HTTP/1.1" 404 534 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; JUNO)"

and this:
Code:
67.74.216.79 - - [31/Mar/2004:15:41:50 -0500] "GET /mailt..</a><br></font></td>%20%20%20%20%20%20%20%20%20%20%20</tr>%20%20%20%20%20%20%20%20%20</table>%20%20%20%20%20%20%20%20</td>%20%20%20%20%20%20</tr>%20%20%20%20</table>%20%20%20</td>%20%20%20</tr>%20%20</table>%20%20</td>%20%20</tr></table><table%20border= HTTP/1.1" 404 534 "-" 67.74.216.79 - - [31/Mar/2004:15:41:50 -0500] "GET /images/language/flag-macedonian.png HTTP/1.1" 404 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; JUNO)"

and this:
Code:
148.122.36.135 - - [31/Mar/2004:15:43:59 -0500] "GET /mailt..</a><br></font></td>%20%20%20%20%20%20%20%20%20%20%20</tr>%20%20%20%20%20%20%20%20%20</table>%20%20%20%20%20%20%20%20</td>%20%20%20%20%20%20</tr>%20%20%20%20</table>%20%20%20</td>%20%20%20</tr>%20%20</table>%20%20</td>%20%20</tr></table><table%20border= HTTP/1.1" 404 534 "http://molosserdogs.com/modules.php?name=Private_Messages&file=index&folder=inbox" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP/6.22/1.01/Kidsurf)"
148.122.36.135 - - [31/Mar/2004:15:43:59 -0500] "GET /mailt..</a><br></font></td>%20%20%20%20%20%20%20%20%20%20%20</tr>%20%20%20%20%20%20%20%20%20</table>%20%20%20%20%20%20%20%20</td>%20%20%20%20%20%20</tr>%20%20%20%20</table>%20%20%20</td>%20%20%20</tr>%20%20</table>%20%20</td>%20%20</tr></table><table%20border= HTTP/1.1" 404 534 "http://molosserdogs.com/modules.php?name=Private_Messages&file=index&folder=inbox" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP/6.22/1.01/Kidsurf)"
66.119.34.39 - - [31/Mar/2004:15:44:00 -0500] "GET /modules/NaviNuke/pic/arrow.gif HTTP/1.1" 200 62 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:02 -0500] "GET /modules/NaviNuke/pic/arrow-sil.gif HTTP/1.1" 200 64 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:02 -0500] "GET /modules/NaviNuke/pic/search.gif HTTP/1.1" 200 980 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:02 -0500] "GET /modules/NaviNuke/pic/home.gif HTTP/1.1" 200 709 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:04 -0500] "GET /modules/NaviNuke/images/sub.gif HTTP/1.1" 200 91 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:04 -0500] "GET /modules/NaviNuke/pic/user.gif HTTP/1.1" 200 1049 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:04 -0500] "GET /modules/NaviNuke/pic/recommend.gif HTTP/1.1" 200 166 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:06 -0500] "GET /modules/NaviNuke/pic/gallery.gif HTTP/1.1" 200 142 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.208.109.23 - - [31/Mar/2004:15:44:06 -0500] "GET /modules.php?name=Site_Messenger&file=buddy&op=check&ref_intervall=20000 HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
66.119.34.39 - - [31/Mar/2004:15:44:06 -0500] "GET /modules/NaviNuke/pic/downloads.gif HTTP/1.1" 200 191 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:07 -0500] "GET /modules/NaviNuke/pic/community.gif HTTP/1.1" 200 1171 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:08 -0500] "GET /modules/NaviNuke/pic/members.gif HTTP/1.1" 200 755 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:08 -0500] "GET /modules/NaviNuke/pic/edit.gif HTTP/1.1" 200 983 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:09 -0500] "GET /modules/NaviNuke/pic/top.gif HTTP/1.1" 200 918 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:11 -0500] "GET /modules/NaviNuke/pic/microphone.gif HTTP/1.1" 200 1059 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:11 -0500] "GET /modules/NaviNuke/pic/folders.gif HTTP/1.1" 200 80 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:11 -0500] "GET /modules/NaviNuke/pic/poll.gif HTTP/1.1" 200 343 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:13 -0500] "GET /modules/NaviNuke/pic/link.gif HTTP/1.1" 200 972 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:13 -0500] "GET /modules/NaviNuke/pic/news.gif HTTP/1.1" 200 1182 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:13 -0500] "GET /modules/NaviNuke/pic/guides.gif HTTP/1.1" 200 1189 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:15 -0500] "GET /modules/NaviNuke/pic/pic.jpg HTTP/1.1" 200 631 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:16 -0500] "GET /modules/NaviNuke/pic/topics.gif HTTP/1.1" 200 1092 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:17 -0500] "GET /modules/NaviNuke/pic/mail.gif HTTP/1.1" 200 199 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:20 -0500] "GET /modules/NaviNuke/pic/email.gif HTTP/1.1" 200 733 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:20 -0500] "GET /modules/NaviNuke/pic/admin.gif HTTP/1.1" 200 1090 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:20 -0500] "GET /modules/NaviNuke/pic/authors.gif HTTP/1.1" 200 380 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:21 -0500] "GET /images/language/flag-albanian.png HTTP/1.1" 404 316 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:22 -0500] "GET /images/language/flag-arabic.png HTTP/1.1" 200 421 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:22 -0500] "GET /images/language/flag-brazilian.png HTTP/1.1" 200 720 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:23 -0500] "GET /images/language/flag-chinese.png HTTP/1.1" 200 1163 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:23 -0500] "GET /images/language/flag-czech.png HTTP/1.1" 200 817 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:24 -0500] "GET /images/language/flag-catala.png HTTP/1.1" 200 449 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:24 -0500] "GET /images/language/flag-danish.png HTTP/1.1" 200 497 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:25 -0500] "GET /images/language/flag-dutch.png HTTP/1.1" 200 394 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:26 -0500] "GET /mailt..%3c/a%3e%3cbr%3e%3c/font%3e%3c/td%3e%20%20%20%20%20%20%20%20%20%20%20%3c/tr%3e%20%20%20%20%20%20%20%20%20%3c/table%3e%20%20%20%20%20%20%20%20%3c/td%3e%20%20%20%20%20%20%3c/tr%3e%20%20%20%20%3c/table%3e%20%20%20%3c/td%3e%20%20%20%3c/tr%3e%20%20%3c/table%3e%20%20%3c/td%3e%20%20%3c/tr%3e%3c/table%3e%3ctable%20border= HTTP/1.1" 404 534 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:26 -0500] "GET /images/language/flag-euskara.png HTTP/1.1" 404 315 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:27 -0500] "GET /images/language/flag-finnish.png HTTP/1.1" 404 315 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.119.34.39 - - [31/Mar/2004:15:44:27 -0500] "GET /images/language/flag-english.png HTTP/1.1" 200 576 "http://www.molosserdogs.com/modules.php?name=Amazon&asin=0696206358" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.208.109.23 - - [31/Mar/2004:15:44:27 -0500] "GET /modules.php?name=Site_Messenger&file=buddy&op=check&ref_intervall=20000 HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

Banning the IPs.

sixonetonoffun
Posted: Wed Mar 31, 2004 9:25 pm

I should have said %20union; %20 is just a space. The only thing that looks out of place there is the last one, and that could be legit too. I don't have Site_Messenger, but
Site_Messenger&file=buddy&op=check&ref_intervall=20000 seems like a large and not very random number. Maybe trying to force an error there.

Things to look for might be the actual code that was passed:
%20union%20
%20join%20
<iframe
<meta

Anything like this:
%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
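One way to do the log search suggested above in a repeatable way, as an added example that is not part of this thread or of PHP-Nuke: a small scanner that parses Apache combined-format lines, URL-decodes the request and referer fields (so %20union%20 and %3ciframe are caught in their encoded form too) and flags the indicators named in the post. The log lines are constructed samples with made-up IPs, modelled on the shapes seen in this thread, not copies of the thread's own log.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Apache combined format; IPs and paths are made up).
# Line 2 carries an encoded UNION SELECT, line 3 mimics the shape of the
# encoded "/mailt..</a></td>..." request, line 4 carries an injected referer
# of the kind found in the nuke_referer table.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Mar/2004:15:40:01 -0500] "GET /modules.php?name=News HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/4.0"
192.0.2.11 - - [31/Mar/2004:15:41:17 -0500] "GET /modules.php?name=Search&query=x%20UNION%20SELECT%20user_password%20FROM%20nuke_users HTTP/1.1" 200 412 "-" "Mozilla/4.0"
192.0.2.12 - - [31/Mar/2004:15:44:26 -0500] "GET /mailt..%3c/a%3e%3c/td%3e%20%20%3c/table%3e%3ctable%20border= HTTP/1.1" 404 534 "-" "Mozilla/4.0"
192.0.2.13 - - [31/Mar/2004:15:45:00 -0500] "GET /index.php HTTP/1.1" 200 7000 "\\"><iframe src=\\"mailto:x\\" height=\\"0\\" width=\\"0" "Mozilla/4.0"
"""

# Apache escapes embedded quotes as \" inside the quoted fields, so each
# quoted field is "any run of non-quote chars or backslash-escaped chars".
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Indicators from the post: "%20union%20", "%20join%20", "<iframe", "<meta",
# plus the table/anchor closing tags seen in the odd requests above.
INDICATORS = {
    "sql_union": re.compile(r"\s(?:union|join)\s", re.I),
    "html_tag": re.compile(r"<\s*/?\s*(?:iframe|meta|script|table|a)\b", re.I),
}

def decode(field):
    # Decode twice to catch double-encoded input, then undo Apache's \" escaping.
    return unquote(unquote(field)).replace('\\"', '"')

def scan_line(line):
    """Return {'ip', 'time', 'hits'} for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for field in ("request", "referer"):
        text = decode(m.group(field))
        hits += [f"{name}:{field}" for name, pat in INDICATORS.items() if pat.search(text)]
    return {"ip": m.group("ip"), "time": m.group("time"), "hits": hits} if hits else None

def scan_log(text):
    return [r for r in (scan_line(ln) for ln in text.splitlines()) if r]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents; lines that do not parse as combined format are skipped rather than flagged.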

Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 17088)
Posted: Thu Apr 01, 2004 8:47 am

Gary,

I thought when we talked yesterday that you had said that you had the union patch in place? Obviously not though. If you have not applied my hackattempt script, I would advise you to do so. It will trap the UNION and the admin.php hack.

gsicard
Posted: Thu Apr 01, 2004 4:07 pm

Thanks Raven. Will apply your hackattempt script. Six, look up in this thread and you can see the
<iframe
<meta
code in the nuke_referer table.

sixonetonoffun
Posted: Thu Apr 01, 2004 6:54 pm

Yeah, I saw it was there but hoped to see how it was put there exactly. When and who? I'd bet a lot of these attacks are done without so much as a proxy. The exploits are so easily obtainable that the people using them probably don't know what a proxy is. Hardly the sort to be running a zombie network (if they were that sort they wouldn't have been so nice about it). Figure it may be a good chance for you to "fight back" a little. Though they did at least host the javascript on a free host, which indicates they have way too much free time to think this stuff up.

All times are GMT - 6 Hours