hack attempts

tanelorn

Joined: 2007-02-06
Posts: 1
Posted: Thu, 2008-05-22 18:43

Hi,

I'm seeing a lot of this type of hack attempt on my site. Can someone give me some information on what they are trying to do?

This person is scraping my site, so I don't mind putting the IP here.
My Gallery 2 is embedded in Joomla 1.0.15 and it's all working correctly; I'm just curious about these entries.

I use jcheck to scan my home dir for changes and so far I don't think they've been able to get in.

Thoughts?

72.74.233.177 - - [11/May/2008:13:49:56 -
0400] "GET /component/option,com_frontpage/Itemid,37/limit,9/limitstart,9/component/option,com
_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Item
id,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/componen
t/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_g
allery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,
37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/op
tion,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_galler

y2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/
component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/op
tion,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_galle
ry2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/
component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/opti
on,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/
Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/co
mponent/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,
com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/It
emid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/comp
onent/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,
com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/
Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/compon
ent/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com
_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Item
id,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/componen
t/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_g
allery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,
37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/
option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gall
ery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/
component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/op
tion,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_galle
ry2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/
component/option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/
option,com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/component/option,
com_gallery2/Itemid,37/component/option,com_gallery2/Itemid,37/index.php HTTP/1.1" 200 31937 
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"



Gallery version (not just "2"): 2.2.4
PHP version (e.g. 5.1.6): 5.25
PHPInfo Link (see FAQ): http://www.fredsnet.org/test.php
Webserver (e.g. Apache 1.3.33): 1.3.41
Database (e.g. MySql 5.0.32): 4.1.22
Activated toolkits (e.g. NetPbm, GD):
Operating system (e.g. Linux): linux
Browser (e.g. Firefox 2.0): any

taz79

Joined: 2006-01-16
Posts: 5
Posted: Sat, 2008-05-24 21:33

I also seem to have hacking attempts. But I can't figure out what they are doing. Can anyone? I can see this same kind of traffic going on for about 5 hours today. Now I banned his IP from my webserver; that's why the 403 response codes...

Anyone? Please?

82.158.219.103 - - [24/May/2008:22:34:39 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_navId=x3346828e&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
82.158.219.103 - - [24/May/2008:22:34:40 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_fromNavId=x4c07c195&g2_navId=xeae7e6b1 HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
82.158.219.103 - - [24/May/2008:22:34:40 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_return=/gallery/main.php?g2_view=core.UserAdmin&g2_GALLERYSID=15bc4cfe4cbc9a9bf4d45dbc8d901d74&g2_returnName=edit%20album&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET)"
82.158.219.103 - - [24/May/2008:22:34:41 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_navId=x7b7f18d9&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
82.158.219.103 - - [24/May/2008:22:34:42 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_navId=x38d980d4&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET)"
82.158.219.103 - - [24/May/2008:22:34:42 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=/gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_GALLERYSID=d1291c6cff1d09665424970f56dcd869&g2_GALLERY=&g2_navId=x714c2567&g2_navId=x714c2567&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
82.158.219.103 - - [24/May/2008:22:34:43 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_return=/gallery/main.php?g2_view=core.UserAdmin&g2_GALLERYSID=5d17401ec701472a213fc202b0ddb489&g2_returnName=edit%20album&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
82.158.219.103 - - [24/May/2008:22:34:43 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_return=/gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_GALLERYSID=9b4dd6d956bf57958934fb9ce60f8c61&g2_GALLERY=&g2_navId=x8adfa672&g2_navId=x8adfa672&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"
82.158.219.103 - - [24/May/2008:22:34:44 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=/gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_GALLERYSID=6ef78e15504a7c60903b790fd886c478&g2_GALLERY=&g2_navId=xe241500a&g2_navId=xe241500a&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
82.158.219.103 - - [24/May/2008:22:34:45 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_navId=xa6479611&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
82.158.219.103 - - [24/May/2008:22:34:45 +0200] "GET /gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=/gallery/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_GALLERY=&g2_GALLERYSID=e7e39b62164bce4fa0caec0ded85600f&g2_navId=x5e536926&g2_navId=x5e536926&g2_GALLERY HTTP/1.1" 403 218 "-" "Mozilla/4.0

chalsall

Joined: 2008-05-06
Posts: 19
Posted: Tue, 2008-05-27 23:13

Let me please throw out a *wild* idea for consideration...

How about the G2 system detects when something which is obviously not a human keeps trying to do things which no one should do, and stops considering (and taking the time rendering) *all* HTTP requests? (AKA a 403.)

A more advanced version of this idea would allow instances of G2 to coordinate amongst themselves to ban known troublemakers. (Prior art: "denyhosts".)

It's great that G2 is so secure that we don't mind people constantly knocking on our doors. But perhaps it might also be good to not have them knocking at all?

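The detection idea raised in the last post, applied to the two request patterns shown in this thread: a path whose segments repeat many times, and a burst of `core.UserAdmin` requests from one address with changing User-Agent strings. This is an added example, not part of the thread and not Gallery 2 code; the function names, thresholds and sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip, identd, user, [time], "METHOD url proto", status, size, referer, agent
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, _method, url, status, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), url, int(status), ua

def max_segment_repeat(url):
    """Largest number of times a single path segment occurs in the URL path."""
    segs = [s for s in url.split("?", 1)[0].split("/") if s]
    return max((segs.count(s) for s in set(segs)), default=0)

def suspects(lines, window=timedelta(seconds=60), max_hits=5, max_agents=2, max_repeat=3):
    """Return {ip: reasons} for clients over the (assumed) thresholds; input is chronological."""
    auth_hits = defaultdict(list)   # ip -> [(time, user agent)] of recent UserAdmin requests
    flagged = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # skip truncated or malformed lines
        ip, when, url, _status, ua = rec
        if max_segment_repeat(url) > max_repeat:
            flagged[ip].add("looping-path")
        if "g2_view=core.UserAdmin" in url:
            recent = [h for h in auth_hits[ip] + [(when, ua)] if when - h[0] <= window]
            auth_hits[ip] = recent
            if len(recent) > max_hits:
                flagged[ip].add("useradmin-burst")
            if len({agent for _, agent in recent}) > max_agents:
                flagged[ip].add("rotating-user-agent")
    return dict(flagged)

def sample():
    """Constructed log lines using documentation-range addresses, not real traffic."""
    agents = ["Mozilla/4.0 (compatible; MSIE 6.0)", "Mozilla/5.0 Firefox/1.5", "Mozilla/4.0"]
    fmt = '{ip} - - [24/May/2008:22:34:{s:02d} +0200] "GET {url} HTTP/1.1" {st} 218 "-" "{ua}"'
    login = "/gallery/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin"
    lines = [fmt.format(ip="192.0.2.10", s=s, st=403, ua=agents[s % 3], url=login) for s in range(8)]
    loop = "/" + "component/option,com_gallery2/Itemid,37/" * 6 + "index.php"
    lines.append(fmt.format(ip="198.51.100.7", s=9, st=200, ua=agents[0], url=loop))
    lines.append(fmt.format(ip="203.0.113.5", s=10, st=200, ua=agents[0], url="/gallery/main.php"))
    return lines
```

The returned addresses can feed a web-server deny list, which is what produces the 403 responses seen in the second post's log.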