Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
3 + 8 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
   

Re: Increase in attempyed exploits
by Tobias on 2008/4/24 6:01:08

Quote:
Just saying because that tugzip site is hacked and may serve up malware. At the time of writing this, perhaps they clean it up soon.

It's cleaned up, just for the record.
Re: Increase in attempted exploits
by peterr on 2008/4/24 0:36:55

There is one pattern of a lot of exploits, and it is this as part of the uri

Quote:

.....mosConfig_absolute_path=.....


Apparently, that is related to Mambo exploits, so I did a google search on the site, and looked for 'mambo' , and sure enough, there is one page that has Mambo described in it.

So, no doubt the huge increase in exploits is because the attempted exploiters think the website is running Mambo.

I'll remove that page, and then see if there is a decrease; it may take several weeks before the Google cache is updated of course.
Re: Increase in attempyed exploits
by Tobias on 2008/4/17 16:54:56

Quote:

Quite a lot of these entries have 'database.php' in them, that's why I was wondering if there is a new expoit, but as yet unknown to a lot of people. Found one at http://www.milw0rm.com/exploits/2623 , but it is dated Oct 2006, a long time ago.

My XOOPS installation has exactly one database.php which sits at class/database. If your attackers try to find a database.php all over the place, then that's probably just a crapshot. Perhaps some modules also have a database.php.

In any case, if there's a pattern and you want to make sure, you can probably just block all requests containing the string database.php in your htaccess file. I can't imagine any reason why a script by that name should be legitimately called from the outside.


Quote:

Yes, I don't use IE, Firefox for me.


Just saying because that tugzip site is hacked and may serve up malware. At the time of writing this, perhaps they clean it up soon.
Re: Increase in attempyed exploits
by jobrazo on 2008/4/17 10:53:27

I also have a major increase of exploit attempts the past few weeks.
Targetted module is wiwimod, there looking for the spaweditor, witch is removed because of know exploits.
Re: Increase in attempted exploits
by peterr on 2008/4/17 6:57:00

Quote:

Somebody is clearly trying to break in. I hope you have your XOOPS Protector module up and running. Many of these hits may be random, but they clearly try to deliver a payload, and you can actually see it if you call up the txt files the hacker wants to execute on your server. Those are scripts that sniff out vulnerabilities in the servers setup and try to get shell access.


Yes, I use Protector, I wouldn't use XOOPS without it. Yep, lots of the text files have 'passthru' and other commands in them, clearly malicious activity, which I'd expect, but it has risen so much, I'm wondering if there is a new XOOPS exploit that people know about, and they are giving the site a hammering.

Fortunately, the server is configured to return a 403 on most of these, or a 404.

Quite a lot of these entries have 'database.php' in them, that's why I was wondering if there is a new expoit, but as yet unknown to a lot of people. Found one at http://www.milw0rm.com/exploits/2623 , but it is dated Oct 2006, a long time ago.

Quote:

Where are these log entries from, anyway? They look funky.


Coming from many different IP addresses. Hmm, look funky, not too sure what you mean there ?? Oh, the domain name has been changed, for obvious security reasons, we don't want people actually trying it.

Quote:

If you have a lot of time to spare, you can contact the webhosts from which these scripts are served and tell them that some of their users are making nonsense. But then, that's a fight against windmills.


In the past, I sometimes used to actually look up the IP and contact the person/s concerned, and CC in their ISP, but that was when there were only a few a day. Much of that contact resulted in either the person having their account suspended or terminated, or other action. Most hosts appreciated being contacted. Also, as you mention, contact the 'source' from where the scripts are served, yes, did that in the past, in a lot of cases, it resulted in the file being removed. But some sort of automatted system would be better.

Quote:

You can also send a sample to your own webhost and ask them for guidance, and to make sure that the servers are configured correctly.


The host I use has it all tied down fairly well, but the 403 messages have now changed to 404's, so I'll ask why the server change.

Quote:

*edit* But probably, you don't want to have to do with those tugzip folks. So forget the suggestion with contacting them. In any case, make sure you don't use the Internet Explorer if you want to look around what's going on there.


Yes, I don't use IE, Firefox for me.

Who's Online

451 user(s) are online (403 user(s) are browsing Support Forums)


Members: 0


Guests: 451


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits