Help with stats and abuse

I've had some problems with accounts getting 'hacked' and seeing tons of disk usage and bandwidth usage. It looked like it was from a compromised PHP script (Gallery2 and Coppermine seem to be the worst).

So...I deleted the files and the entire directory...but it still looks like SOMETHING is going on:

March 21 - 5,132 hits - 18,393 KB
March 22 - 4,350 hits - 15,591 KB
March 23 - 3,572 hits - 12,851 KB
March 24 - 3,930 hits - 14,224 KB

Top URL's
1 44,865 Hits 468,975 KB /gallery2/main.php
2 176 Hits 8 KB /robots.txt
3 158 Hits 508 KB /
4 70 Hits 461 JB /external.css

I deleted the entire /gallery2 directory on March 23 - yet on those two days there were still nearly 8,000 hits and 26,000KB transfer of...something?

The above stats are from Webalizer.

Modlogan reports:
March 21 Hits 5132 17.96 Mb
March 22 Hits 9514 34.07 Mb
March 23 Hits 8688 30.45 Mb
March 24 Hits 8130 28.62 Mb

and for URLs by traffic:
1 118,575 835.33 Mb /gallery2/main.php
2 15690 53.39 Mb /gallery2/
3 814 2.83 Mb /gallery2/main.php%3Fg2_view%3Dcore.Down...
4 258 830.10 kb /

I've got several accounts under my reseller account with similar traffic and disk usage.

The sites themselves are NOT being defaced or altered in any way...and in the case of the Galleries, these were just test setups that never got used, and have virtually nothing in them (even after all the traffic!).

Any suggestions in tracking this kind of thing down (and putting a stop to it)?
 
Looks to me like a compromised PC, a zombie, trying over and over to exploit some vulnerabilities in these gallery scripts. Perhaps the bot is looking for a version older or newer than what you have so that you're not actually getting defaced...or, perhaps it's trying (or succeeding) to send spam via a vulnerable script.

Have you looked at the log files to see where these requests are coming from? You might be able to then block all requests via your htaccess to that user agent or IP.

Tim
 
It's the French - I guess I told too many jokes about the French or their military....

I've been looking for security or vulnerability reports on Coppermine and Gallery2 - didn't really find anything helpful....

It looks like something is filling the MySQL database with what looks like forum and email spam - poorly written stuff about pills, ringtones, cracks, warez, etc. Maybe other zombie/bots are then supposed to be retrieving this data to post elsewhere?

In the example I posted, I guess they're exploiting something in main.php (Gallery2) to execute SQL commands.

I've been relying on the included stats packages - but I guess I really should be looking at raw logs? I assume these files are available somewhere....
 
The log files are available via FTP, at the same level as the yourdomain.com directory.

It sounds like they're trying to fill your forums / galleries with spam messages just for Google-stuffing purposes by calling main.php directly.

Tim
 