Being hacked by links.php, I know how they are doing it.

Support for IntegraMOD 141


PostAuthor: viragotech » Fri Aug 31, 2007 1:57 am

Your phpBB Version: 2.0.
phpBB Type: Standard phpBB
MODs: No
Your knowledge: Beginner
Board URL: http://mysite.com

PHP Version:
MySQL Version:


What was done before the problem appeared?



What was done to try to solve the problem?




Description and Message

Done caught one person red-handed, I'll quote info about that below. Then caught a 2nd attempt, which I got more info on. This is what they are running to get admin info:

I did the same thing and it works. I have deleted all my links.php files.

"http://myforum.com/phpBB/links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*"

PostAuthor: viragotech » Fri Aug 31, 2007 2:00 am

Here is info on the first person I caught doing this, they got in with admin access for a sec.

Just caught someone tonight, they came in via the links.php from what I can see. I just happened to catch the dude logged in as the main admin, which I don't use.

Didn't get nothin done that I know of and blocked his whole 3rd world IP range block.

I changed the password for said main admin and disabled that account.

That used to be an old trick. You make a new user to have admin power and use it, then disable the main admin account which hackers target.

IP Address: 85.99.161.93
Location: ANKARA (39.928N, 32.856E)
IP Range: 85.0.0.0 - 85.255.255.255

He found me using this Google search:

http://www.google.com.tr/search?q=+alli ... t=140&sa=N

I checked out http://www.google.com.tr to make sure it used a different IP and also blocked it from my whole hosting account.

PostAuthor: viragotech » Fri Aug 31, 2007 2:05 am

Info on the 2nd person I caught and got more info on.
This one was out of Tehran.

IP Address: 84.241.0.4
Location: Rajai shahr (35.800N, 50.967E)
84.0.0.0 - 84.255.255.255

PostAuthor: Helter » Fri Aug 31, 2007 2:28 am

ctracker should block this type of attack.

I just ran it on all my sites and got this warning every time


- SECURITY ALERT -
The Board Security System has detected, that you wanted to bring bad
Code to this Forum or you have tried to exploit something here or maybe
another attack like this.

This attempt was blocked and we logged all information about this.


If you see this message after including a new MOD to your Forum or if
you have reached this site over a normal Forum Link, please contact
the Board Administrator to fix this Problem.

CBACK CrackerTracker v4

PostAuthor: CaNNon » Fri Aug 31, 2007 6:44 am

I get a 404 error on my site, it won't run. You must have something open viragotech?

PostAuthor: Drop-Forged » Fri Aug 31, 2007 3:30 pm

Just tried it on my site and CT blocked it… :wink:

PostAuthor: viragotech » Fri Aug 31, 2007 9:44 pm

Well yea something ain't right but I love a good fight. And I'll take them stinky folks on any way I can.

I'd like to say some bad things about them folks who live over there in that area but I'll be nice. Had a good 10hr battle with them as they just kept trying even after I temp deleted the file on 2nd try, which made it real easy to see who it was by the live error logs. When 1 IP hits the links.php on all of my sites which were deleted I'd block them and their whole IP block.

Here is the full list of ones I ended up blocking. All in places with large groups of said stinky people.


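A log check in the spirit of what viragotech describes, as an added example that is not part of any post in this thread: it scans access-log lines for links.php requests whose `start` parameter is not a plain integer, which is the shape of the request quoted in the first post. The Apache-style log format, the sample lines and the function names are assumptions; the client IPs are documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed Apache-style access log; IPs are documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Aug/2007:01:50:12 -0500] "GET /phpBB/links.php?t=search&search_keywords=asd&start=20 HTTP/1.1" 200 5120
198.51.100.7 - - [31/Aug/2007:01:52:40 -0500] "GET /phpBB/links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/* HTTP/1.1" 200 4310
198.51.100.7 - - [31/Aug/2007:02:10:03 -0500] "GET /forum2/links.php?start=0+union+select+1 HTTP/1.1" 404 210
203.0.113.5 - - [31/Aug/2007:02:11:00 -0500] "GET /phpBB/viewtopic.php?t=5&start=15 HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
SQL_WORDS = re.compile(r"\b(union|select|from|where)\b", re.I)

def classify(target):
    """Return a reason string if a links.php request has a suspicious start value, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/links.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    for value in params.get("start", []):
        if not re.fullmatch(r"[0-9]+", value):  # a paging offset should be a plain integer
            kind = "SQL keywords" if SQL_WORDS.search(value) else "non-numeric value"
            return f"{kind} in start"
    return None

def scan(log_text):
    """Group suspicious links.php hits by client IP, keeping the HTTP status of each."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        reason = classify(target)
        if reason:
            hits.setdefault(ip, []).append((int(status), reason))
    return hits

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for status, reason in events:
            # 200: the server returned a page; 404: the file was not there
            print(ip, status, reason)
```

A hit with status 200 deserves a closer look than a 404, since a 404 means the file was already gone when the request arrived.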

PostAuthor: viragotech » Fri Aug 31, 2007 9:47 pm

Though in any case I'd like to know why the links.php file would do or allow that, forgetting about CT.

As it's not like it loads a page of code, it's a nice formatted page with the admin info n md5hash

like it was made to be able to do that.

PostAuthor: sanji » Sat Sep 01, 2007 6:17 pm

Even without ctracker, this request can normally not be executed. I have just been banned from my web site for testing it...

sanji