Posted by Jonathan N. Little on 02/14/07 01:01
Obviously I am witnessing some kind of hacking in an attempt to exploit
some security flaw in phpbb, because I am seeing the activity being
logged in my 404 handler script. What puzzles me is that the referrer
value comes from a fictitious subdomain 'forum', and this account's
DNS registration includes all subdomains, so if the page really existed
forum.example.com/real.html would be automatically redirected to
www.example.com/real.html. Somehow they are hacking the referrer value.
The other interesting point is that the same sequence of request|referrer
pairs gets logged on each episode:
http://forum.example.com/forum/index.php
http://forum.example.com/phpbb/index.php
http://forum.example.com/phpbb2/index.php
http://forum.example.com/forums/index.php
http://forum.example.com/board/index.php
The UA and the originating IP are the same for a series of 5 attempt URLs, so it
might be some hacking script, but it is different for each set of
attempts. The originating IP has been from various places in North America, but
all seem to be from hopone.net.
I don't have phpbb, nor indexes on, and the 404 script is trapping them,
but I'm just wondering how they are spoofing the referrer?
--
Take care,
Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
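
An added example, not part of the original post: the Referer header is supplied by the client, so a script can send any value it likes, and a referrer naming a host that never serves pages is itself a usable signal. The sketch below groups 404-handler records by IP and UA and flags any series that walks the forum paths listed in the post; the `ip|user-agent|request|referrer` record layout, the sample records, the threshold and all function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# The five paths come from the post; everything else is constructed.
PROBE_PATHS = {"/forum/index.php", "/phpbb/index.php", "/phpbb2/index.php",
               "/forums/index.php", "/board/index.php"}
CANONICAL_HOSTS = {"www.example.com"}  # assumed: the only host that serves pages

# Constructed 404-handler records: ip|user-agent|request|referrer
SAMPLE_LOG = """\
192.0.2.10|ExampleBot/1.0|/forum/index.php|http://forum.example.com/forum/index.php
192.0.2.10|ExampleBot/1.0|/phpbb/index.php|http://forum.example.com/phpbb/index.php
192.0.2.10|ExampleBot/1.0|/phpbb2/index.php|http://forum.example.com/phpbb2/index.php
192.0.2.10|ExampleBot/1.0|/forums/index.php|http://forum.example.com/forums/index.php
192.0.2.10|ExampleBot/1.0|/board/index.php|http://forum.example.com/board/index.php
203.0.113.5|Browser/2.0|/old-page.html|http://www.example.com/index.html
198.51.100.7|Scan (a|b)|/forum/index.php|http://forum.example.com/forum/index.php
198.51.100.7|Scan (a|b)|/phpbb/index.php|http://forum.example.com/phpbb/index.php
198.51.100.7|Scan (a|b)|/board/index.php|http://forum.example.com/board/index.php
203.0.113.9|Browser/2.0|/forum/index.php|-
"""

def parse_record(line):
    """Split one record; the UA field may itself contain '|'."""
    ip, rest = line.split("|", 1)
    ua, request, referrer = rest.rsplit("|", 2)
    return ip, ua, request, referrer

def find_probe_series(log_text, min_paths=3):
    """Return {(ip, ua): sorted probe paths} for each flagged series."""
    groups = defaultdict(lambda: {"paths": set(), "odd_referrer": False})
    for line in log_text.splitlines():
        if line.count("|") < 3:
            continue  # not a complete record
        ip, ua, request, referrer = parse_record(line)
        path = urlsplit(request).path
        if path not in PROBE_PATHS:
            continue
        group = groups[(ip, ua)]
        group["paths"].add(path)
        # A real browser could only have come from a host that serves pages.
        ref_host = urlsplit(referrer).hostname
        if ref_host and ref_host not in CANONICAL_HOSTS:
            group["odd_referrer"] = True
    return {key: sorted(g["paths"]) for key, g in groups.items()
            if len(g["paths"]) >= min_paths and g["odd_referrer"]}

if __name__ == "__main__":
    for (ip, ua), paths in find_probe_series(SAMPLE_LOG).items():
        print(ip, ua, paths)
```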