Recently I found out that my webserver is overloaded. I viewed the access log and found entries like this:
62.112.193.34 - - [28/Sep/2008:12:16:22 +0400] "GET /Alina11_22?CmtText=pharmacy%3B+http%3A%2F%2Fwww.da.eng.ufmg.br%2Fforum%2Fviewtopic.php%3Fp%3D6172%236172+hoodia+en+pharmacie%3B+http%3A%2F%2Fcontent.ix2.net%2Fshowthread.php%3Fp%3D66277%23post66277+cialis+substitute%3B+http%3A%2F%2Fwww.acidpit.info%2Fviewtopic.php%3Fp%3D26550%2326550+alternative+to+cialis%3B+http%3A%2F%2Fwww.alladstop.com%2Fforums%2Fviewtopic.php%3Fp%3D711623%23711623+hoodia+gordini%3B+http%3A%2F%2Firadepuiff.ru%2Fforum%2Fviewtopic.php%3Fp%3D1018%231018+tratamientos+para+la+eyaculacion+precoz%3B+http%3A%2F%2Ftricitiesultimate.com%2Fphpbb%2Fviewtopic.php%3Fp%3D32953%2332953+natural+cialis%3B+http%3A%2F%2Fjuegos.tv%2Fconsolas%2Fforo%2Fviewtopic.php%3Fp%3D1528%231528+natural+male+enhancement+products%3B+http%3A%2F%2Fwww.sportlinksnetwork.com%2Fkayakfishing%2Fviewtopic.php%3Fp%3D149537%23149537+natural+alternative+to+cialis%3B+http%3A%2F%2Fthebravehearts.org%2FBB%2Fviewtopic.php%3Fp%3D75269%2375269+cialis+substitute%3B+http%3A%2F%2F163.26.133.1%2Fxoops228%2Fmodules%2Fnewbb%2Fviewtopic.php%3Ftopic_id%3D161170%26post_id%3D285757%26order%3D0%26viewmode%3Dflat%26pid%3D0%26forum%3D3%23forumpost285757+%C3%A9jaculation+pr%C3%A9matur%C3%A9e%3B+http%3A%2F%2Fblogdogs.co.uk%2Fviewtopic.php%3Fp%3D94481%2394481+curar+la+eyaculacion+precoz%3B+http%3A%2F%2Fwww.dipolognon.com%2Fkagayanonforum%2Fviewtopic.php%3Fp%3D38546%2338546+natural+cialis%3B+http%3A%2F%2Fwww.tibha.com%2FForums%2Fviewtopic.php%3Fp%3D440394%23440394+alternative+to+cialis%3B+http%3A%2F%2Fyour20.net%2Fmodules.php%3Fname%3DForums%26file%3Dviewtopic%26p%3D58746%2358746+help+last+longer+in+bed%3B+http%3A%2F%2Fwww.game.bg%2Fforum%2Fviewtopic.php%3Fp%3D21480%2321480+hoodia+side+effects%3B+http%3A%2F%2Flost.forumche.org%2Fviewtopic.php%3Fp%3D36%2336+last+longer+in+bed%3B+http%3A%2F%2Fwww.ethelredtmo.org%2FphpBB2%2Fviewtopic.php%3Fp%3D195121%23195121+alternative+to+cialis%3B+http%3A%2F%2Fwww.gelreband.nl%2Fforum%2F%2Fviewtopic.php%3Fp%3D351027%23351027+alte
rnative+to+cialis%3B+http%3A%2F%2Fwww.nevadamoms.org%2Fforums%2Fshowthread.php%3Fp%3D37872%23post37872+aumento+de+tama%C3%B1o+del+pene%3B+http%3A%2F%2Fwww.gemat.biz%2Fforum%2Fviewtopic.php%3Fp%3D114%23114+cialis+substitute%3B+http%3A%2F%2Fcontent.ix2.net%2Fshowthread.php%3Fp%3D63930%23post63930+eyaculaci%C3%B3n+precoz%3B+http%3A%2F%2Ftest.wellingtonlivemusic.com%2FphpBB2%2Fviewtopic.php%3Fp%3D232%23232+taille+du+p%C3%A9nis%3B+http%3A%2F%2Fwww.cptce.it%2Fmodules%2Fnewbb%2Fviewtopic.php%3Ftopic_id%3D168929%26post_id%3D460674%26order%3D0%26viewmode%3Dflat%26pid%3D0%26forum%3D1%23forumpost460674+remedios+para+la+eyaculacion+precoz%3B+http%3A%2F%2Fwww.lesjetaime.com%2FphpBB%2Fviewtopic.php%3Ftopic%3D39975%26forum%3D3%260+hoodia+products%3B+http%3A%2F%2Ftherealhelterskelter.com%2Fchat%2F%2Fviewtopic.php%3Fp%3D345741%23345741+natural+male+enhancements%3B+http%3A%2F%2Fwww.torcn.com%2Fforum%2Fviewtopic.php%3Fp%3D461305%23461305+effective+herbal+cialis%2C%0D%3B+http%3A%2F%2Fwww.k1ck.com%2Fforum%2Fviewtopic.php%3Fp%3D350334%23350334+natural+health+hoodia%3B+http%3A%2F%2Fpuchschool2.jino-net.ru%2Fforum%2Ftopic.php%3Fforum%3D1%26topic%3D1683+%C3%A9jaculation+rapide%3B+http%3A%2F%2Fwww.bizclown.com%2FBizforum%2Fviewtopic.php%3Fp%3D316%23316+natural+cialis%3B+http%3A%2F%2Fusers.atw.hu%2Fcsocso-band%2Fforum%2Fviewtopic.php%3Fp%3D3603%233603+fr%C3%BChzeitige+ejakulation%3B+http%3A%2F%2Fpkminami.fu8.com%2Fforum%2Fviewtopic.php%3Fp%3D749%23749+natural+cialis%3B+http%3A%2F%2Farcyk.duu.pl%2Fgra%2F%2Fviewtopic.php%3Fp%3D813%23813+avis+hoodia%3B+http%3A%2F%2Fwww.funnyisraeli.com%2Fviewtopic.php%3Fp%3D442982%23442982+premature+ejactulation+%3B+http%3A%2F%2Fwww.lesjetaime.com%2FphpBB%2Fviewtopic.php%3Ftopic%3D40339%26forum%3D3%260+herbal+cialis%3B+&CmtParent=0 HTTP/1.0" 200 38919 "http://samaroid.ru/Alina11_22" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Does it mean that my site is hacked? I see that the charge to my hosting is growing exactly at that moment.
Maybe it is possible to restrict the number of symbols that can be put in the browser?
no need for profile comments and guest book, so delete the guestbook.php file or rename it to something different
The fact is that I have already deleted the guestbook.php file... Maybe it's something else...
add the following code to your ray/modules/global/inc/content.inc.php
add it at the top above the 1st require once command
if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
so it looks like this :
if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
this stops any ...
I'll try it as soon as possible.
just wait a little, nobody will be able to spam in your dolphin any more
I'm using the 6.1.4 release. register_globals is off. I don't want any problems with some Dolphin parts, so I leave allow_url_fopen allowed.
a server is only vulnerable if register_globals and allow_url_include are on, both should be off.
75.150.10.62 - - [30/Sep/2008:12:14:32 +0400] "GET /skandaloff464?CmtText=pharmacy%3B+http%3A%2F%2Fleto2005.variant.lv%2Fforum%2Ftopic.php%3Fforum%3D1%26topic%3D239998+soma%3B+http%3A%2F%2Fglebka.ru%2Fforum%2Fviewtopic.php%3Fp%3D314517%23314517+soma%3B+http%3A%2F%2Fantichp.mypressonline.com%2Ffor .... +soma+usa%3B+&CmtParent=0 HTTP/1.0" 200 37060 "http://samaroid.ru/skandaloff464" "Mozilla/4.0 ...
I was very pleased to find such nice people here who, in spite of my very bad English, tried to help me :) Thank you all! I am convinced one more time that I'm on the right way in choosing to use Dolphin.
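if (isset($_REQUEST['sIncPath'])) {
    // Log before die(): nothing after die() runs, and the braces keep ordinary requests out of the log
    error_log("HACKING ATTEMPT. User with the IP of ".$_SERVER["REMOTE_ADDR"]." has attempted to hack us using ".$_SERVER["SCRIPT_FILENAME"]);
    die ('Hacking attempt');
}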
This should log the error in Apache's error log. Handy!
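An added example, not part of the original thread: a Python triage pass over Apache access-log lines like the ones quoted at the top, which decodes the CmtText query parameter and counts, per client IP, requests that carry too many links or an oversized query string. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Start of an Apache combined-format line: ip, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
URL_RE = re.compile(r'https?://', re.IGNORECASE)

def score_line(line, param="CmtText"):
    """Return (ip, path, url_count, query_len), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes the values, so %3A%2F%2F becomes ://
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    urls = sum(len(URL_RE.findall(v)) for v in values)
    return m.group("ip"), parts.path, urls, len(parts.query)

def find_comment_spam(lines, max_urls=2, max_query_len=2048):
    """Per client IP, count requests with too many links in the comment or an oversized query."""
    hits = Counter()
    for line in lines:
        scored = score_line(line)
        if scored is None:
            continue  # truncated or malformed entry: skip it
        ip, _path, urls, qlen = scored
        if urls > max_urls or qlen > max_query_len:
            hits[ip] += 1
    return hits

# Constructed sample lines (documentation IP ranges and example hosts, not taken from the thread)
SAMPLE = [
    '192.0.2.10 - - [28/Sep/2008:12:16:22 +0400] "GET /profile1?CmtText=pharmacy%3B+http%3A%2F%2Fa.example%2Fviewtopic.php%3Fp%3D1+pills%3B+http%3A%2F%2Fb.example%2Ft.php%3Fp%3D2+pills%3B+http%3A%2F%2Fc.example%2Ft.php+pills&CmtParent=0 HTTP/1.0" 200 38919 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [28/Sep/2008:12:16:25 +0400] "GET /profile2?CmtText=http%3A%2F%2Fa.example%2F1+x%3B+http%3A%2F%2Fa.example%2F2+y%3B+http%3A%2F%2Fa.example%2F3+z&CmtParent=0 HTTP/1.0" 200 37060 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [28/Sep/2008:12:17:01 +0400] "GET /profile1?CmtText=Nice+photo%21&CmtParent=0 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [28/Sep/2008:12:17:05 +0400] "GET /index.php HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, count in find_comment_spam(SAMPLE).most_common():
        print(ip, count)
```

The per-IP counts give a starting list for rate limiting or blocking at the web server, and the same two thresholds can be enforced in the comment handler itself.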