
RE: Weird behavior in possible hacking scheme: msg#00009

Subject: RE: Weird behavior in possible hacking scheme
-----Original Message-----
From: drupal-support-bounces@xxxxxxxxxx

Hi

> Last week, I noticed bandwidth consumption had jumped dramatically on my
> Drupal site, from maybe 500 megabytes a day to 2.2 gigabytes a day.

> Here's one example:

> www.universalhub.com 221.232.79.8 - - [01/Sep/2004:00:31:21 -0400] "GET http://www.xmlrevenue.com/s.php?keywords=DSL&username=infomenl HTTP/1.0" 200 39857 "http://www.gbahome.com/ads/xmlrevenue.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"

Just to make sure we are using the same definitions. Your host (universalhub) 
has been accessed by 221.232.79.8, and this client did a GET of the file 
s.php[...]infomenl from the host xmlrevenue.com with a referrer from 
gbahome.com, and this request was *successful* (200)?

This results in the following:
* you are being abused either as a referer bomb or, more likely, for adware 
abuse
* your webserver is serving this page and generates this page with a status 200 
(checked with livehttpheaders; old Drupal error of serving a 404 with a 200)
* your webserver is listening to *any* website address (checked by adding 
your IP to my /etc/hosts as www.somesite.com; your webserver is serving the 
page)

I would advise doing the following
* make sure that there are no known exploitable PHP scripts on your server and 
there is no weird activity in the system logfiles (last/syslog/security etc.)
* block any referrer from gbahome.com in your Apache config
* make sure your webserver only serves pages for its FQDN(s) and its IP 
address(es), not for other sites
* file an abuse report (from a spammable email address :-) with xmlrevenue, including log 
files and the timezone they were gathered in; that way the lame kiddie won't get paid!
* upgrade to a later Drupal version where the 200 status is solved for a 404 (is 
this in 4.5?)

Hope this helps

-- 
groets,

bert boerland
---     pinkroccade infrastructure services      ---
   Unless your universe is very different from mine, 
                                you can't save time.
voice://020-5704939/      http://www.pinkroccade.nl/
--
[ Drupal support list | http://list.drupal.org/ ]
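The log-side half of the advice above, as an added example that is not part of the original thread or of Drupal: a Python script that parses lines in the vhost-prefixed combined format shown in the quoted log entry and flags (a) requests whose target is an absolute URI for a host other than the server's own, the proxy-style GETs that were eating the bandwidth, counting how many bytes the server actually sent back with a 2xx status, and (b) requests whose Referer comes from gbahome.com. The hostnames in OWN_HOSTS, the blocked-domain list and every sample line except the first are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames this server is meant to answer for (assumed for the example).
OWN_HOSTS = {"www.universalhub.com", "universalhub.com"}
# Referer domains to treat as hostile, following the advice in the post.
BLOCKED_REFERER_DOMAINS = {"gbahome.com"}

# vhost-prefixed combined log format: vhost, client IP, ident, user,
# timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample. The first line is the post's own example (rejoined);
# the others are invented to exercise the checks and are not real traffic.
SAMPLE_LOG = """\
www.universalhub.com 221.232.79.8 - - [01/Sep/2004:00:31:21 -0400] "GET http://www.xmlrevenue.com/s.php?keywords=DSL&username=infomenl HTTP/1.0" 200 39857 "http://www.gbahome.com/ads/xmlrevenue.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
www.universalhub.com 192.0.2.10 - - [01/Sep/2004:00:32:05 -0400] "GET /node/123 HTTP/1.1" 200 8124 "http://www.universalhub.com/" "Mozilla/5.0 (X11; Linux)"
www.universalhub.com 198.51.100.7 - - [01/Sep/2004:00:33:10 -0400] "GET /index.php HTTP/1.0" 200 12000 "http://ads.gbahome.com/click.htm" "Mozilla/4.0 (compatible; MSIE 6.0)"
www.universalhub.com 203.0.113.5 - - [01/Sep/2004:00:34:00 -0400] "GET http://www.universalhub.com/node/5 HTTP/1.1" 200 5000 "-" "curl/7.12"
www.universalhub.com 192.0.2.10 - - [01/Sep/2004:00:34:30 -0400] "GET /no-such-page HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux)"
www.universalhub.com 221.232.79.8 - - [01/Sep/2004:00:35:00 -0400] "GET http://www.xmlrevenue.com/s.php?keywords=ADSL&username=infomenl HTTP/1.0" 403 - "http://www.gbahome.com/ads/xmlrevenue.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def foreign_target_host(rec):
    """Return the host of an absolute-URI request target that is not one of
    OWN_HOSTS (a proxy-style request), else None. HTTP/1.1 clients may send
    absolute URIs for the server's own name; those are not flagged."""
    u = urlsplit(rec["target"])
    if u.scheme and u.hostname and u.hostname.lower() not in OWN_HOSTS:
        return u.hostname.lower()
    return None


def referer_is_blocked(rec):
    """True if the Referer host is, or is a subdomain of, a blocked domain."""
    host = urlsplit(rec["referer"]).hostname
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_REFERER_DOMAINS)


def analyze(lines):
    """Walk the log once and collect the abuse indicators and per-IP volume."""
    report = {
        "parsed": 0,
        "unparsed": 0,
        "proxy_requests": [],      # (client ip, foreign host, status)
        "proxy_bytes_served": 0,   # bytes sent with a 2xx on proxy-style requests
        "blocked_referer": [],     # (client ip, referer)
        "bytes_by_ip": defaultdict(int),
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                report["unparsed"] += 1
            continue
        report["parsed"] += 1
        report["bytes_by_ip"][rec["ip"]] += rec["bytes"]
        host = foreign_target_host(rec)
        if host:
            report["proxy_requests"].append((rec["ip"], host, rec["status"]))
            if 200 <= rec["status"] < 300:
                # A 2xx here means the server answered for a host it does not
                # own: either an open proxy or an error page sent with 200.
                report["proxy_bytes_served"] += rec["bytes"]
        if referer_is_blocked(rec):
            report["blocked_referer"].append((rec["ip"], rec["referer"]))
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG.splitlines())
    print(f"parsed {r['parsed']} lines, {r['unparsed']} unparsed")
    for ip, host, status in r["proxy_requests"]:
        print(f"proxy-style request from {ip} for {host}: status {status}")
    print(f"bytes served on proxy-style requests: {r['proxy_bytes_served']}")
    for ip, ref in r["blocked_referer"]:
        print(f"blocked referer from {ip}: {ref}")
    for ip, n in sorted(r["bytes_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} bytes")
```

Run it over the real access log with `analyze(open("access_log"))`; the `proxy_bytes_served` figure is what to put in the abuse report, and the per-IP totals show who is responsible for the jump from 500 MB to 2.2 GB a day. On the config side, the referrer block in Apache 1.3 or 2.0 is `SetEnvIfNoCase Referer "gbahome\.com" badref` together with `Deny from env=badref`, and the "serves any hostname" finding is addressed by making the first (default) VirtualHost one that does not serve the Drupal site, so unknown Host values get nothing useful back.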
