
Archived

This topic is now archived and is closed to further replies.

Guest99999999

Attack: hackers trying to install malware

Who knows what the hackers are trying to do with this attack from the log (24 hours a day):

 

[Wed Nov 11 19:54:56 2009] [error] [client 71.134.205.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((?:wiki_up|temp)/(?:(?:gif|ion|jpe?g|lala)\\.ph(p(3|4)?|tml)|.*\\.(?:php(3|4)?|tml|cgi|sh))|(?:/|^)phpterm|(?:c99|c99shell)\\.txt\\?|iblis\\.htm\\?|/gif\\.gif\\?|/go\\.php\\.txt\\?|sh[0-9]\\.(gif|jpe?g|txt|bmp|png)\\?|iys\\.(gif|jpe?g|txt|bmp|png)\\?|shell[0-9]\\.(gi ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "www.xxxxx.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "9nXXHn8AAAEAAGyZON4AAAAF"]

 

www.xxxx.nl = website customer ...

 

Ok, when my customer had his oscommerce shop on the first server (php4 and register globals on) the hackers could come in and installed malware in some directories for phishing emails (shows fake screens for Paypal and JP Morgan Bank logins). Ok, after warnings from Paypal and JP Morgan Bank we had to secure the server/website better, so my customer moved to another provider and I changed the website to php5 and register globals off (no updates for oscommerce to later versions).

So now on the new server, 24 hours a day, the hackers are busy (an automatic process) trying to come in with the above attack (they have failed so far, but maybe one day we have the same problem).

What are they trying to do? Who can explain it to me?

What security updates for later versions are important for oscommerce (ms2)?

Why do they attack my customer, and what and how have they detected to choose my customer?

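As an added example (not code from the thread or from osCommerce), here is a small Python parser for the Apache/ModSecurity error-log line quoted above: it pulls out the client, rule id, message, severity and URI, counts hits per source, and flags any "Warning" match that was not answered with a 403, because such a request reached the shop instead of being blocked. The sample lines, client IPs, hostname and unique_id values are constructed; rule id 390147 and its message are the ones in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity 2.x error-log format seen in the thread.
# Client IPs, hostname and unique_id values are made up for this example.
SAMPLE_LOG = """\
[Wed Nov 11 19:54:56 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:/|^)phpterm|(?:c99|c99shell) ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "shop.example.nl"] [uri "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php"] [unique_id "EXAMPLE0001"]
[Wed Nov 11 20:01:12 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:/|^)phpterm|(?:c99|c99shell) ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "shop.example.nl"] [uri "/temp/webscr.php"] [unique_id "EXAMPLE0002"]
[Wed Nov 11 20:05:40 2009] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?:/|^)phpterm|(?:c99|c99shell) ..." at REQUEST_URI. [file "/etc/asl/50_asl_rootkits.conf"] [line "51"] [id "390147"] [rev "7"] [msg "Rootkit attack: Known rootkit or remote shell"] [severity "CRITICAL"] [hostname "shop.example.nl"] [uri "/temp/upload.cgi"] [unique_id "EXAMPLE0003"]
[Wed Nov 11 20:06:00 2009] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""

# Header: timestamp, level, client, then either "Access denied with code NNN" or "Warning".
HEAD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>Access denied with code (?P<code>\d+)|Warning)'
)
# Trailing [key "value"] tags: file, line, id, rev, msg, severity, hostname, uri, unique_id.
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_modsec_line(line):
    """Return the interesting fields of one ModSecurity line, or None for other log lines."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "client": m.group("client"),
             "blocked": m.group("code") is not None}
    for t in TAG_RE.finditer(line, m.end()):
        event[t.group("key")] = t.group("val")
    return event


def summarize(log_text):
    """Per client: hit count per rule id, plus URIs that matched but were not blocked."""
    report = defaultdict(lambda: {"hits": Counter(), "unblocked_uris": []})
    for line in log_text.splitlines():
        ev = parse_modsec_line(line)
        if ev is None:
            continue
        entry = report[ev["client"]]
        entry["hits"][ev.get("id", "?")] += 1
        # A "Warning" without a 403 means the request reached the application;
        # a rule in detect-only mode does not stop a phishing kit or web shell upload.
        if not ev["blocked"]:
            entry["unblocked_uris"].append(ev.get("uri", ""))
    return dict(report)


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, dict(info["hits"]), "unblocked:", info["unblocked_uris"])
```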


 

 

ms2 won't work with rg off unless modified, have they turned rg back on in the app? They would be best upgrading to 2.2rc2a and adding security http://forums.oscommerce.com/index.php?showtopic=313323


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thanks Sam, I'm going to study your changes to make some old sites for my customers more secure.

 

You can change ms2 to rg off, with modifications in application_top and /functions/sessions.php.

 

I sent the attack to the RSA and Paypal organization but nobody answers, only to take your website down.

 

But maybe after your modifications they can't come in anymore (until now they still fail).


 

Is one trying to install the folder/program "/temp/paypallogin_page_login_billinginformation_admin123223356/webscr.php" on the webserver? When they were successful on the previous server, they installed malware in that folder! But how and where do they come in, and do they use a password, or is that not necessary for this possibility?


My suspicion is they have still hacked the site, it's just your server security is blocking some stuff they try. Remember when sites are hacked they often leave hidden back doors, that's why it's best to wipe the host then restore with a known clean backup.

 

If the site is not properly secured there are a number of ways in without passwords, see my thread & Jan's thread on admin I linked to in it.

 

Good luck!


Sam
