Samaraweera270

What was this hack-bot trying to achieve via directory traversal?

@Samaraweera270

Posted in: #Hacking #Http #Linux #Security

I was walking through my server logs and the following kinda stunned me:

ACCESS ERROR 404 from IP 62.112.152.161:
Path: /index.php?page=weblog&env=../../../../../../../../etc/passwd%00

ACCESS ERROR 404 from IP 62.112.152.161:
Path: /download.php?dlfilename=../../../../../../../../etc/passwd%00

ACCESS ERROR 404 from IP 62.112.152.161:
Path: /download.php?filename=../../../../../../../../etc/passwd%00

ACCESS ERROR 404 from IP 62.112.152.161:
Path: /agb.php?lang=../../../../../../../../etc/passwd%00

ACCESS ERROR 404 from IP 62.112.152.161:
Path: /angemeldet.php?lang=../../../../../../../../etc/passwd%00


There were lots more variations, always trying to get the same file. They wouldn't succeed even if there was some "download.php"*, but I'm curious what it would do if they did.
Also, I wonder if there's something I can do against this BOT in a more global scope, to help other webmasters who might have their site vulnerable to such an attack.

Unfortunately, HTTP headers were not registered.

*I'm running on a virtual server where PHP's top dir is the website's root.




@Ann8826881

Ironically, this is exactly the kind of thing I study in my automated security analysis research.

The bot is trying to take advantage of a PHP application vulnerability to read your password file. With success, the hacker would attempt to log into various resources including the PHP application that hosted the vulnerability, as well as other PHP applications and services such as FTP, SMTP, SSH, etc.

You can either block the ip address and/or domain name, use a regex in your .htaccess file, or (preferred) use mod_security to block these attempts.

Mod_Security is preferred since it covers a multitude of attacks. www.modsecurity.org/

This is likely a compromised system that was hacked in the same way. It is likely executing a script or executable and may hit many sites before long. I do not have any attacks from this IP address in my database so it is likely new.

IP: 62.112.152.161 / Netdiscounter GmbH autonomous system - Domain Name: 441.hosttech.eu

I have other PHP application vulnerability hack attempt entries for:


190.hosttech.eu [ip: 82.220.34.55, asn: AS9044, BSE Software GmbH] (Sun Aug 19 2012)

sh-501.premium.hosttech.eu [ip: 176.9.138.35, asn: AS24940, Hetzner Online AG] (Thu Jun 6 2013)

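As an added example (not code from the question or the answer above), here is a small Python detector for the pattern in those log lines: it pairs each access-error header with its Path line, URL-decodes the query twice so double-encoded variants are not missed, and groups the flagged requests by source IP. The log entries are constructed to match the ones quoted in the question, with one double-encoded and one benign request added.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the two-line shape quoted in the question (header line with the
# source IP, then a "Path:" line); the double-encoded entry and the benign request are added.
SAMPLE_LOG = """\
ACCESS ERROR 404 from IP 62.112.152.161:
Path: /index.php?page=weblog&env=../../../../../../../../etc/passwd%00
ACCESS ERROR 404 from IP 62.112.152.161:
Path: /agb.php?lang=..%252F..%252F..%252Fetc%252Fpasswd%2500
ACCESS ERROR 404 from IP 203.0.113.7:
Path: /download.php?filename=report-2013.pdf
"""

IP_RE = re.compile(r"from IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):")
PATH_RE = re.compile(r"^Path:\s*(?P<path>\S+)")
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow")  # files the bot in the logs was after

def classify(path):
    """Return the indicator names found in one request path ([] if it looks benign)."""
    decoded = unquote(unquote(path))  # two passes also catch double-encoded ../ and %00
    hits = []
    if "../" in decoded or "..\\" in decoded:
        hits.append("traversal")
    if "\x00" in decoded:  # %00 was meant to truncate a suffix the script appends (old PHP)
        hits.append("null-byte")
    if any(target in decoded for target in SENSITIVE_TARGETS):
        hits.append("sensitive-file")
    return hits

def scan(log_text):
    """Pair each header line with its Path line; group flagged requests by source IP."""
    report = defaultdict(lambda: {"count": 0, "indicators": set()})
    current_ip = None
    for line in log_text.splitlines():
        line = line.strip()
        header = IP_RE.search(line)
        if header:
            current_ip = header.group("ip")
            continue
        entry = PATH_RE.match(line)
        if entry and current_ip:
            hits = classify(entry.group("path"))
            if hits:
                report[current_ip]["count"] += 1
                report[current_ip]["indicators"].update(hits)
            current_ip = None
    return dict(report)
```

`scan(SAMPLE_LOG)` reports only 62.112.152.161, with two flagged requests carrying all three indicators, which is the shape of record worth feeding into a block list or a mod_security rule.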

