This topic is now archived and is closed to further replies.

DunWeb

Silly Hacker !

Ok, this hacker wanna-be has been bombarding a client's website for more than 6 hrs with the following URL from literally hundreds of proxy servers from every country in the world:

/?option=com_google&controller=../../../../../../../../../../../../../../../proc/self/environ\0

/?option=com_ccnewsletter&controller=../../../../../../../../../../../../../../../proc/self/environ\0

/?option=com_login.php&controller=../../../../../../../../../../../../../../../proc/self/environ\0

/?option=com_mail&controller=../../../../../../../../../../../../../../../proc/self/environ\0

Anyone know what he/she is trying to accomplish? Every attempt results in the hacker landing on the index.php but I am curious what he/she is trying to do.

Chris



On a poorly-secured LAMP stack, that would read out your server's environment variables. That is one step in a process that would grant the hacker root access to your box. Be thankful it's not working.

Hacker is a bad term for this. This is more on the Script Kiddie level.

Regards

Jim



Jim,

Well, he isn't doing anything except flooding the site and adding hundreds of lines to Supertracker. Why would he keep trying hundreds of times knowing the first 50 didn't work?

Chris



As I said, Script Kiddie. He's just running some script he got somewhere. It's probably hitting thousands of sites with hundreds of attacks, just trying to find one that will get through.

If this really annoys you, you can add something to your .htaccess. Here's mine:

# Block another hacker
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC]
RewriteRule ^.* - [F]

That assumes the rewrite engine is already on. Turn it on if it's not.

Regards

Jim



Thanks Jim,

I will give it a try. I just checked the site again and he has hit it just over 600 times in about 7 hours, hopefully this will prevent him from running that script on it.

Chris



This was trying for Local File Inclusion vulnerabilities via the Joomla/Mambo script.

Attacks like this can be mitigated by running mod_security on the server.

A query string such as ../../../../ would also be reduced to harmless dots by Security Pro if the attacked file were an osCommerce file which included application_top.php.


Hi Robert,

The site is running Security Pro. The listing of attempted entries was recorded by Super Track, 626 times in 7 hours before I applied Jim's .htaccess code snippet. Since then, it has stopped.

Thank you for the reply.

Chris




Yes Chris, as I mentioned, that attack was aimed at Joomla/Mambo. Security Pro only works on osCommerce files that include application_top.php, so of course it would have done nothing.

I still say you are better off with mod_security than adding blacklist code to .htaccess.

It never works taking a blacklist approach to hacking vectors. Which is probably why Jim said "If this really annoys you".
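
Added example, not part of the thread and not code from any poster or from osCommerce: a Python tally of the /proc/self/environ probes from the first post, counted from web server access logs per targeted option value and per source address. The log lines are constructed samples in common log format with documentation-range addresses, and all function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (common log format, documentation-range IPs).
SAMPLE_LOG = r'''
203.0.113.10 - - [01/Jan/2011:10:00:01 +0000] "GET /?option=com_google&controller=../../../../proc/self/environ\0 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2011:10:00:05 +0000] "GET /?option=com_mail&controller=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 5120
203.0.113.10 - - [01/Jan/2011:10:00:09 +0000] "GET /?option=com_ccnewsletter&controller=../../../proc/self/environ\0 HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2011:10:01:00 +0000] "GET /index.php?cPath=3_10 HTTP/1.1" 200 8342
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')
TRAVERSAL_RE = re.compile(r'(?:\.\./){2,}')
NULL_MARKERS = ('\x00', r'\0', r'\x00')  # real NUL plus escaped forms seen in logs

def normalise(value, rounds=3):
    """Percent-decode a few times so encoded and plain requests compare equal."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def inspect_query(query):
    """Return the set of findings for one raw query string."""
    findings = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in map(normalise, values):
            if TRAVERSAL_RE.search(value):
                findings.add('traversal')
            if '/proc/self/environ' in value:
                findings.add('proc_environ')
            if any(marker in value for marker in NULL_MARKERS):
                findings.add('null_byte')
    return findings

def summarise(log_text):
    """Count probe requests in total, per targeted option value, and per source."""
    total, by_option, by_source = 0, Counter(), Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank or unparseable line
        source, target = match.groups()
        query = urlsplit(target).query
        if {'traversal', 'proc_environ'} <= inspect_query(query):
            total += 1
            by_source[source] += 1
            by_option[parse_qs(query).get('option', ['?'])[0]] += 1
    return total, by_option, by_source

if __name__ == '__main__':
    print(summarise(SAMPLE_LOG))
```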
