Accessing Remote Module, Whaaa? (php-nuke)

zoid · #1 (**permalink**) 03-27-2004, 04:32 PM

the Who-is-Where block on my site said that someone was accessing a module that doesn't exist... look below

Quote:

Originally Posted by Who-Is-Where

01: 152.92.106.62 -> http://217.27.212.16/~machado/

i have no idea what that could be, but the directory listing of that url is show below:

Quote:

Index of /~machado

Name Last modified Size Description

Parent Directory 24-Mar-2004 16:16 -
Eivissa-Tu_Tu_Tu_Ta.mp3 06-Oct-2003 01:11 5.5M
_Machado_-horrivel-r..> 21-Feb-2004 06:07 27k
_Machado_-rosto-feio..> 21-Feb-2004 06:06 22k
atst.gif 19-Mar-2004 06:27 1k
atst2.gif 18-Mar-2004 04:07 13k
blink182-full-album-..> 16-Dec-2003 06:01 67.6M
bnc.pl 21-Mar-2004 23:43 17k
colassuncao.zip 30-Nov-2003 23:21 65.6M
dcphp3.gif 18-Mar-2004 05:53 1k
ep 28-Feb-2004 05:34 7k
kernelmremap.c 28-Feb-2004 07:34 7k
mremap.c 28-Feb-2004 07:40 8k
mremap_pte.c 11-Mar-2004 04:39 6k
qex.c 11-Mar-2003 11:02 7k
redhot/ 15-Feb-2004 04:05 -
sk.tgz 26-Feb-2004 06:44 128k
su.c 11-Nov-2001 16:17 12k
xfree86.c 21-Feb-2004 03:52 2k

http://www.machadoz.org !!!! :) :) :) machado@machadoz.org

The URL shown was http://bitchx.hu/~machado/ so i guess it had to do with BitchX.

A little strange though, it was shown as a module, it linked to something or other like this http:// ... /module.php? ...

oh yeah, this is what came up on the whois:

Quote:

Server Used: [ whois.lacnic.net ]

152.92.106.62 = [ magnum.ime.uerj.br ]

inetnum: 152.92/16
status: assigned
owner: UERJ - Universidade do Estado do Rio de Janeiro
ownerid: BR-UUER-LACNIC
address: AV. Sao Francisci Xavier 524 - BLOCO F - 1 andar
address: Maracana - Rio de Janeiro - RJ
address: CEP 20550
country: BR
owner-c: AS300-ARIN
inetrev: 152.92/16
nserver: MASTER.UERJ.BR
nsstat: 20040326 AA
nslastaa: 20040326
nserver: CEOP1.REDERIO.BR
nsstat: 20040326 NOAA
nslastaa: 20040203
created: 19910902
changed: 19940411
source: ARIN-LACNIC-TRANSITION
nic-hdl: AS300-ARIN
person: Alexandre Sztajnberg
e-mail: postmaster@VMESA.UERJ.BR

address: UERJ - Universidade do Estado do Rio de Janeiro
address: AV. Sao Francisco Xavier 524 - BLOCO F
address: - 1 andar
address: Maracana - Rio de Janeiro -
address: RJ
address: CEP 20550
country: BR
phone: 55-21-284-8322 x247
source: ARIN-LACNIC-TRANSITION

the whois was done by samspade.org

what could be going on?

Tommy · #2 (**permalink**) 03-27-2004, 07:03 PM

I got the same thing.

It was very very strange... :?

zoid · #3 (**permalink**) 03-27-2004, 10:22 PM

i was thinking someone was trying to exploit some flaw in PHP-Nuke in order to hack and/or break the site.

does your server backup the accounts in case such a thing happens?

edit: see http://nukecops.com/postt25615.html
other people had the same problem!

Tommy · #4 (**permalink**) 03-28-2004, 12:30 AM

Well, as the nukecop posts suggest, it seems like someone just doing vulnerability scanning. Nothing too new. If that is all it is, there shouldn't be too much to worry about (unless the system is insecure).

Quote:

Originally Posted by zoid

does your server backup the accounts in case such a thing happens?

No, it is the users responsibility. However, I personally take daily backups of the PCplayground site.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode