Guest Posted January 17, 2011

Ok, this hacker wanna-be has been bombarding a client's website for more than 6 hrs with the following URLs from literally hundreds of proxy servers from every country in the world:

/?option=com_google&controller=../../../../../../../../../../../../../../../proc/self/environ\0
/?option=com_ccnewsletter&controller=../../../../../../../../../../../../../../../proc/self/environ\0
/?option=com_login.php&controller=../../../../../../../../../../../../../../../proc/self/environ\0
/?option=com_mail&controller=../../../../../../../../../../../../../../../proc/self/environ\0

Anyone know what he/she is trying to accomplish? Every attempt results in the hacker landing on the index.php but I am curious what he/she is trying to do.

Chris

♥kymation Posted January 17, 2011

On a poorly-secured LAMP stack, that would read out your server's environment variables. That is one step in a process that would grant the hacker root access to your box. Be thankful it's not working.

Hacker is a bad term for this. This is more on the Script Kiddie level.

Regards
Jim

See my profile for a list of my addons and ways to get support.

Guest Posted January 17, 2011

Jim,

Well, he isn't doing anything except flooding the site and adding hundreds of lines to Supertracker. Why would he keep trying hundreds of times knowing the first 50 didn't work?

Chris

♥kymation Posted January 17, 2011

As I said, Script Kiddie. He's just running some script he got somewhere. It's probably hitting thousands of sites with hundreds of attacks, just trying to find one that will get through.

If this really annoys you, you can add something to your .htaccess. Here's mine:

# Block another hacker
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC]
RewriteRule ^.* - [F]

That assumes the rewrite engine is already on. Turn it on if it's not.

Regards
Jim

Guest Posted January 17, 2011

Thanks Jim,

I will give it a try. I just checked the site again and he has hit it just over 600 times in about 7 hours, hopefully this will prevent him from running that script on it.

Chris

♥FWR Media Posted January 17, 2011

This was trying for Local File Inclusion vulnerabilities via the Joomla/Mambo script.

Attacks like this can be mitigated by running mod_security on the server.

A query string such as ../../../../ would also be reduced to harmless dots by Security Pro if the attacked file were an osCommerce file which included application_top.php.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.

Guest Posted January 17, 2011

Hi Robert,

The site is running Security Pro. The listing of attempted entry were recorded by Super Track, 626 times in 7 hours before I applied Jim's .htaccess code snippet. Since then, it has stopped.

Thank you for the reply.

Chris

♥FWR Media Posted January 17, 2011

> Hi Robert,
> The site is running Security Pro. The listing of attempted entry were recorded by Super Track, 626 times in 7 hours before I applied Jim's .htaccess code snippet. Since then, it has stopped.
> Thank you for the reply.
> Chris

Yes Chris .. as I mentioned that attack was aimed at Joomla/Mambo, Security Pro only works on osCommerce files that include application_top.php so of course it would have done nothing.

I still say you are better off with mod_security than adding blacklist code to .htaccess. It never works taking a blacklist approach to hacking vectors. Which is probably why Jim said "If this really annoys you".

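For anyone triaging the same kind of flood from the web server log rather than from a tracker add-on, here is an added example (not code from any poster in this thread). It counts the probes per source address, per targeted component and per HTTP status, which shows whether the requests are still being answered with the index page (200) or refused by a block rule (403). The log lines are constructed samples in Apache combined format, the function names are illustrative, and the check covers every query parameter, not only `controller`.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample: Apache combined-log lines (documentation-range IPs),
# using the request shape quoted in the first post.
SAMPLE_LOG = r'''
203.0.113.7 - - [17/Jan/2011:09:12:01 +0000] "GET /?option=com_google&controller=../../../../proc/self/environ\0 HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [17/Jan/2011:09:12:04 +0000] "GET /?option=com_mail&controller=../../../../proc/self/environ\0 HTTP/1.1" 200 5120 "-" "-"
192.0.2.55 - - [17/Jan/2011:09:13:10 +0000] "GET /index.php?cPath=3_10 HTTP/1.1" 200 8843 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2011:16:40:44 +0000] "GET /?option=com_ccnewsletter&controller=../../../../proc/self/environ\0 HTTP/1.1" 403 210 "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')
# Suspicious value: climbs directories, names /proc/self, or carries a NUL
# (either a real NUL byte or the literal "\0" as shown in the thread).
SUSPICIOUS = re.compile(r'\.\.[/\\]|/proc/self/|\x00|\\0')


def is_probe(url):
    """True if any query parameter carries a traversal-style value."""
    # parse_qs percent-decodes values, so the check sees the decoded form.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(SUSPICIOUS.search(v) for vals in params.values() for v in vals)


def summarize(log_text):
    """Count probes per source IP, targeted component and HTTP status."""
    by_ip, by_component, by_status = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_probe(m["url"]):
            continue  # unparseable line or ordinary request
        option = parse_qs(urlsplit(m["url"]).query).get("option", ["?"])[0]
        by_ip[m["ip"]] += 1
        by_component[option] += 1
        by_status[m["status"]] += 1
    return {"total": sum(by_ip.values()), "sources": by_ip,
            "components": by_component, "statuses": by_status}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["total"], "probes from", len(report["sources"]), "addresses")
    print("Components targeted:", dict(report["components"]))
    print("HTTP status returned:", dict(report["statuses"]))
```

To run it on a real log, pass the file's text to `summarize()` in place of `SAMPLE_LOG`.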
Archived
This topic is now archived and is closed to further replies.