Attempted hack on your site? (type: OOS Security)
Posted: 06.10.2010, 12:25
Hello,
yesterday I received a somewhat odd e-mail from the shop system. I am also not sure whether it was actually generated by the system. As I said, odd. I hope you can help me.
******************************************************************************************************************************************************************************************************************************************************************
Attention site admin of MTW Medizintechnik Shop,
On Dienstag, 05. Oktober 2010 at 22:18:00 the oos shop code has detected that somebody tried to send information to your site that may have been intended as a hack. Do not panic, it may be harmless: maybe this detection was triggered by something you did! Anyway, it was detected and blocked.
The suspicious activity was recognized in /www/htdocs/xxxxxxxxxxx/medizintechnik/includes/functions/function_input.php on line 86, and is of the type OOS Security.
Additional information given by the code which detected this: Intrusion detection.
Below you will find a lot of information obtained about this attempt, that may help you to find what happened and maybe who did it.
=====================================
Information about this user:
=====================================
This person is not logged in.
IP numbers: [note: when you are dealing with a real cracker these IP numbers might not be from the actual computer he is working on]
IP according to HTTP_CLIENT_IP:
IP according to REMOTE_ADDR: 190.12.28.228
IP according to GetHostByName($remote): 190.12.28.228
=====================================
Information in the $_REQUEST array
=====================================
REQUEST * amp; :
REQUEST * mp : products
REQUEST * amp;file : info
REQUEST * amp;products_id : 1250 and 1=2 union select CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c) /*
REQUEST * OOSSID : 6fe05e98c4f827e3acd8456599e24a83
=====================================
Information in the $_GET array
This is about variables that may have been in the URL string or in a 'GET' type form.
=====================================
GET * amp; :
GET * mp : products
GET * amp;file : info
GET * amp;products_id : 1250 and 1=2 union select CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c) /*
=====================================
Information in the $_POST array
This is about visible and invisible form elements.
=====================================
=====================================
Browser information
=====================================
HTTP_USER_AGENT:
BROWSER * browser_name_regex : ^.*$
BROWSER * browser_name_pattern : *
BROWSER * browser : Default Browser
BROWSER * version : 0
BROWSER * majorver : 0
BROWSER * minorver : 0
BROWSER * platform : unknown
BROWSER * alpha :
BROWSER * beta :
BROWSER * win16 :
BROWSER * win32 :
BROWSER * win64 :
BROWSER * frames : 1
BROWSER * iframes :
BROWSER * tables : 1
BROWSER * cookies :
BROWSER * backgroundsounds :
BROWSER * cdf :
BROWSER * vbscript :
BROWSER * javaapplets :
BROWSER * javascript :
BROWSER * activexcontrols :
BROWSER * isbanned :
BROWSER * ismobiledevice :
BROWSER * issyndicationreader :
BROWSER * crawler :
BROWSER * cssversion : 0
BROWSER * supportscss :
BROWSER * aol :
BROWSER * aolversion : 0
=====================================
Information in the $_SERVER array
=====================================
SERVER * HTTP_USER_AGENT : Update
SERVER * HTTP_HOST : www.mtw-medizintechnik.de
SERVER * HTTP_COOKIE : OOSSID=6fe05e98c4f827e3acd8456599e24a83
SERVER * PATH : /sbin:/usr/sbin:/usr/local/sbin:/opt/gnome/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin:/usr/lib/mit/bin:/usr/lib/mit/sbin
SERVER * SERVER_SIGNATURE :
SERVER * SERVER_SOFTWARE : Apache
SERVER * SERVER_NAME : www.mtw-medizintechnik.de
SERVER * SERVER_ADDR : 85.13.138.236
SERVER * SERVER_PORT : 80
SERVER * REMOTE_ADDR : 190.12.28.228
SERVER * DOCUMENT_ROOT : /www/htdocs/xxxxxxxx/
SERVER * SERVER_ADMIN : webmaster@mtw-medizintechnik.de
SERVER * SCRIPT_FILENAME : /www/htdocs/xxxxxxx/medizintechnik/index.php
SERVER * REMOTE_PORT : 1509
SERVER * GATEWAY_INTERFACE : CGI/1.1
SERVER * SERVER_PROTOCOL : HTTP/1.1
SERVER * REQUEST_METHOD : GET
SERVER * QUERY_STRING : amp;&mp=products&file=info&products_id=1250%20and%201=2%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)%20/*
SERVER * REQUEST_URI : /medizintechnik/index.php?amp;&mp=products&file=info&products_id=1250%20and%201=2%20union%20select%20CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c)%20/*
SERVER * SCRIPT_NAME : /medizintechnik/index.php
SERVER * PHP_SELF : /medizintechnik/index.php
SERVER * PATH_TRANSLATED : /www/htdocs/w0074037/medizintechnik/index.php
SERVER * argv : Array
SERVER * argc : 1
=====================================
Information in the $_ENV array
=====================================
=====================================
Information in the $_COOKIE array
=====================================
COOKIE * OOSSID : 6fe05e98c4f827e3acd8456599e24a83
=====================================
Information in the $_FILES array
=====================================
=====================================
Information in the $_SESSION array
=====================================
SESSION * cart : Object
SESSION * navigation : Object
SESSION * error_cart_msg :
SESSION * language : deu
SESSION * language_id : 1
SESSION * member : Object
SESSION * currency : EUR
SESSION * products_history : Object
SESSION * theme : oos
*********************************************************************************************************************************************************************************************************************
Regards
Tobias