| Re: Increase in attempyed exploits |
| by Tobias on 2008/4/24 6:01:08 Quote: Just saying because that tugzip site is hacked and may serve up malware. At the time of writing this, perhaps they clean it up soon. It's cleaned up, just for the record. |
| Re: Increase in attempted exploits |
| by peterr on 2008/4/24 0:36:55 There is one pattern of a lot of exploits, and it is this as part of the uri Quote:
Apparently, that is related to Mambo exploits, so I did a google search on the site, and looked for 'mambo' , and sure enough, there is one page that has Mambo described in it. So, no doubt the huge increase in exploits is because the attempted exploiters think the website is running Mambo. I'll remove that page, and then see if there is a decrease; it may take several weeks before the Google cache is updated of course. |
| Re: Increase in attempyed exploits |
| by Tobias on 2008/4/17 16:54:56 Quote:
My XOOPS installation has exactly one database.php which sits at class/database. If your attackers try to find a database.php all over the place, then that's probably just a crapshot. Perhaps some modules also have a database.php. In any case, if there's a pattern and you want to make sure, you can probably just block all requests containing the string database.php in your htaccess file. I can't imagine any reason why a script by that name should be legitimately called from the outside. Quote:
Just saying because that tugzip site is hacked and may serve up malware. At the time of writing this, perhaps they clean it up soon. |
| Re: Increase in attempyed exploits |
| by jobrazo on 2008/4/17 10:53:27 I also have a major increase of exploit attempts the past few weeks. Targetted module is wiwimod, there looking for the spaweditor, witch is removed because of know exploits. |
| Re: Increase in attempted exploits |
| by peterr on 2008/4/17 6:57:00 Quote:
Yes, I use Protector, I wouldn't use XOOPS without it. Yep, lots of the text files have 'passthru' and other commands in them, clearly malicious activity, which I'd expect, but it has risen so much, I'm wondering if there is a new XOOPS exploit that people know about, and they are giving the site a hammering. Fortunately, the server is configured to return a 403 on most of these, or a 404. Quite a lot of these entries have 'database.php' in them, that's why I was wondering if there is a new expoit, but as yet unknown to a lot of people. Found one at http://www.milw0rm.com/exploits/2623 , but it is dated Oct 2006, a long time ago. Quote:
Coming from many different IP addresses. Hmm, look funky, not too sure what you mean there ?? Oh, the domain name has been changed, for obvious security reasons, we don't want people actually trying it. Quote:
In the past, I sometimes used to actually look up the IP and contact the person/s concerned, and CC in their ISP, but that was when there were only a few a day. Much of that contact resulted in either the person having their account suspended or terminated, or other action. Most hosts appreciated being contacted. Also, as you mention, contact the 'source' from where the scripts are served, yes, did that in the past, in a lot of cases, it resulted in the file being removed. But some sort of automatted system would be better. Quote:
The host I use has it all tied down fairly well, but the 403 messages have now changed to 404's, so I'll ask why the server change. Quote:
Yes, I don't use IE, Firefox for me.
|