
Suspected hacking attempt

#50400 (In Topic #10985)
LB

Well-settled

got 4 messages from my site?

Hello,
Not sure what it is? I got 4 messages from my site since last night (all 4 seem to be "slightly" different). I do not think that I or another admin had been doing something on the site when we got those messages:

A potential hacking attempt has been detected. Please do not be alarmed: approximately half of the suspected attempts are triggered innocently (the software intentionally has a paranoid security model, to give you very high security). Real hacking attempts are almost always caused by 'bots' (computer programs) that automatically crawl the internet looking for websites which may contain vulnerabilities, and then reporting any found vulnerabilities to their 'master' for future exploitation (usually, to assist in spam relaying). If this was a real hack attempt, it has failed - you might want to try and analyse the logged details (in case it gives clues to a real and persistant offender). More information on security is given in the software documentation.

Reason: A suspicious GET parameter was given (type as m ../ocp-103/index.php?req_path=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
suspected hack attempt is neither correct nor benign, but rather actually represents a substantial stability problem in the website software, read the information below. Otherwise, do not read on.


Below is a stack trace revealing the state the software was in when the error occurred. If this represents a bug in the unmodified software, you may want to check ocPortal website for a fix, and if there isn't one, report this as a bug. Please note that merely posting a stack trace is not sufficient for us to solve your problem; the stack trace is just an aid that presents us with additional information. We still need to know the error message, what you tried to do, how you tried to do it, version numbers, and any other appropriate information.
We apologise for this problem and if it's a bug we hope you will work with us so that we can fix it for you promptly.

File '/hsphere/local/home/snibbler/plant-doctor.net/sources/failure.php' Line '110' Function 'get_html_trace' Args
File '/hsphere/local/home/snibbler/plant-doctor.net/sources/global2.php' Line '850' Function '_log_hack_attack_and_exit' Args
'DODGY_GET_HACK'

'type'

'm …/ocp-103/index.php?req_path=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd Line '1,351' Function 'log_hack_attack_and_exit' Args

'DODGY_GET_HACK'

'type'

'm …/ocp-103/index.php?req_path=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd Args
File '/hsphere/local/home/snibbler/plant-doctor.net/sources/global2.php' Line '850' Function '_log_hack_attack_and_exit' Args

'DODGY_GET_HACK'

'type'

'm …/ocp-103/index.php?req_path=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd../ocp-103/index.php?req_path=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd/>
File '/hsphere/local/home/snibbler/plant-doctor.net/sources/global.php' Line '136' Function 'call_user_func' Args

'init__global2'


File '/hsphere/local/home/snibbler/plant-doctor.net/sources/global.php' Line '419' Function 'require_code' Args
'global2'


File '/hsphere/local/home/snibbler/plant-doctor.net/site/index.php' Line '48' Args
'/hsphere/local/home/snibbler/plant-doctor.net/sources/global.php'

Function 'require'
#50501

Community saint

I had gotten them as well.. I think even the same day as you. However I checked the site and all was fine.

Legends of Nor'Ova: A site powered by ocPortal; home of the Legends of Nor'Ova tabletop RPG wiki and community.

Like ocPortal? Want to thank Chris and gang somehow? Then help out in the chat room! It really needs your help! Just open it in a tab every time you open your web browser, and when you hear a "ding", check it out!

"Those who want help should first be willing to give help."
#50502

This is a bot going around trying to hack sites by a vulnerability in the first version of ocPortal.

That vulnerability only applied to poorly configured servers, was fixed very fast, and I don't think there is a single site out there running version 1 any more (not for years). So it's bizarre really, because someone has gone to the effort of writing it, but all it is going to do is trigger hack-attack alerts on various sites and get itself banned.

I think it is running on a botnet.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
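
Added example, not part of the original thread and not ocPortal's own code: a log-triage sketch in Python that finds requests like the one in the alert above (a `../` sequence inside a GET parameter) and groups them by source address, which is one way to follow up on the "persistent offender" the alert text mentions. The log lines, IP addresses, the `page=forumview` parameter and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2011:02:14:07 +0000] "GET /ocp-103/index.php?req_path=../../../../etc/passwd HTTP/1.1" 404 512
203.0.113.7 - - [01/Jan/2011:02:14:09 +0000] "GET /site/index.php?page=forumview&type=m%20../ocp-103/index.php?req_path=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 4310
198.51.100.23 - - [01/Jan/2011:02:15:40 +0000] "GET /index.php?req_path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
192.0.2.55 - - [01/Jan/2011:09:01:12 +0000] "GET /site/index.php?page=forumview&type=misc HTTP/1.1" 200 9120
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# '..' used as a path component: preceded by start, '/', '\', '=' or whitespace.
TRAVERSAL = re.compile(r'(?:^|[/\\=\s])\.\.(?:[/\\]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so nested encodings are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_probes(log_text):
    """Return {source_ip: [(path, parameter), ...]} for GET parameters containing '../'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line we understand
        ip, target = match.groups()
        parts = urlsplit(target)
        # parse_qsl splits each pair on the first '=', so a second '?' or '='
        # inside a value (as in the alert's 'type' parameter) stays in the value.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if TRAVERSAL.search(fully_decode(value)):
                hits[ip].append((parts.path, name))
    return dict(hits)


def repeat_offenders(hits, threshold=2):
    """Source addresses with at least `threshold` flagged parameters."""
    return sorted(ip for ip, found in hits.items() if len(found) >= threshold)
```
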
#50504

Community saint

Now that is funny! I just have to wonder what that guy is thinking…

"Gee… my hacking bot should have caused massive chaos on all those ocportal sites, but instead it got banned…"

I have to wonder why people even bother making hacking bots, but good to know it didn't get through. Still.. glad I do my weekly backups.

Legends of Nor'Ova: A site powered by ocPortal; home of the Legends of Nor'Ova tabletop RPG wiki and community.

Like ocPortal? Want to thank Chris and gang somehow? Then help out in the chat room! It really needs your help! Just open it in a tab every time you open your web browser, and when you hear a "ding", check it out!

"Those who want help should first be willing to give help."