Interesting Error Logs

#1 Bob Crabb
Immediate Family, Members, 555 posts

Posted 09 January 2008 - 12:38 PM

For the past couple of days, I've noticed some interesting entries in the error log of one of my sites. It appears as though several people are trying to find scripts in:

/pm/add_ons/mail_this_entry/mail_autocheck.php
or
/pm/add_ons/mail_this_entry/mailserver.php

I don't have anything like this on the site, so it generates a "File does not exist" error. Is this a spammer looking for a commonly known vulnerable script?

#2 TCH-Bruce
Volunteer Moderator, Members, 19,960 posts

Posted 09 January 2008 - 12:47 PM

Most likely.

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.


#3 MikeJ
Big Gorilla, Members, 2,369 posts

Posted 09 January 2008 - 01:51 PM

> I don't have anything like this on the site, so it generates a "File does not exist" error. Is this a spammer looking for a commonly known vulnerable script?


They are looking for sites running a vulnerable Mail This Entry addon on their pMachine sites. The vulnerable version of the addon is a couple years old, but it's usually still pretty easy to find people who have not upgraded.

#4 Bob Crabb
Immediate Family, Members, 555 posts

Posted 09 January 2008 - 04:49 PM

pMachine! I wondered what the "pm" stood for. Thanks for the info.

#5 pagoda
Immediate Family, Members, 205 posts

Posted 09 January 2008 - 05:00 PM

Greetings,

(Whoops - this response has been sitting on my desktop while my train of thought was derailed (deranged?) for a while, so it looks like I am duplicating some previous remarks...)

Only posting this for posterity and people considering or already using this software.

Worse - there are/have been known exploits for people using pMachine by EllisLab (formerly named pMachine; this product was their flagship product), an online publishing program which used to have both a free and a purchasable version but was formally discontinued by EllisLab, released into the public domain, and is now developed by the user community. There have been a number of exploits associated with this software, with the potential for root access having been the most egregious.

One of the more popular exploits allowed an attacker to execute commands with the same privilege level as the underlying web server (namely - the Apache process) - this is the attempt you were seeing in your log files. And as icing on the cake, there is an escalation of privilege that can occur in some instances allowing root access on a machine.

Pretty serious hole for people using pMachine Pro and pMachine Free. Worse yet, variants of this problem first appeared in 2003 (if memory serves me correctly). The issue became even more serious sometime in 2005 when the root escalation issue was reported. Affected versions were/are pMachine Pro/Free versions up to and including 2.4. It should be noted that (AFAIK) the current version is 2.4.1. A good amount of additional information on this exploit is found on the SANS website at (http://www.sans.org/...lay.php?v=4&i=8). SANS is likely the best place to check when you see mysterious log entries such as this one. I've taken several SANS courses (as a "white hat" of course); SANS is very likely one of the best resources for exploits as reported in near real time - of particular interest is the daily updated SANS Internet Storm Center at http://isc.sans.org.

Additional information in case others come across this software and/or the same log entries or similar problems:

When I see something like this (i.e. BS in my logfiles that shouldn't be there) and it is consistent and from either a single static IP, class C network or the like I'll just block the whole bloody lot of them. However, if one is running either a dedicated server or reseller account, then one needs to be vigilant but less likely to block IPs in case valid users might be trying to connect from that IP or block of IPs.

On personal machines I am rather ruthless with this kind of crap. 9 times out of 10 it is spammers trying to hawk either drug "services", pornography or other common scams. This can ultimately, if successfully exploited, cause your IP(s), entire machine or even TCH to be blocked by others. But, given the age of this exploit my guess is that you are probably looking at script kiddies trying to have some "fun" with spam at your expense (literally - since bandwidth costs you should they actually achieve their goal - I've been victim to this prior to moving to TCH in 2003).

If you are not running a dedicated server or a reseller account you can still block others' IPs, an IP range, etc. using the IP Deny Manager in your cPanel.

Be Virtually Safe :) ,

Pagoda

P.S. My favorite (and most cynical) observation is that when a company with a particular name based on their flagship product ends up having a root escalation issue, what do you do? Simple: you change your business name! LOL!!! :) (This is clearly a glib remark, but still - it did make me laugh! - I found myself wondering how many times Microsoft would have changed their name if they had this policy... are there that many words in the dictionary? Bwaaaa Haaaa! :))

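Added example (not code from any poster in this thread): a small Python script that reads Apache error_log "File does not exist" lines like the ones Bob quoted, matches the two pMachine "Mail This Entry" add-on paths, and tallies hits per client IP and per /24 so the "single IP or class C" blocking judgement Pagoda describes can be made from counts rather than by eyeballing the log. The log line format, the threshold and the sample lines (documentation-range IPs) are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# The two add-on paths the scanners in this thread were requesting.
PMACHINE_PROBE_PATHS = (
    "/pm/add_ons/mail_this_entry/mail_autocheck.php",
    "/pm/add_ons/mail_this_entry/mailserver.php",
)

# Assumed Apache 2.x error_log layout for a missing file:
# [timestamp] [error] [client A.B.C.D] File does not exist: /full/path
_LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9.]+)\] File does not exist: (?P<path>\S+)")

def parse_probe(line):
    """Return (client_ip, probe_path) if the line is a pMachine add-on probe, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    for probe in PMACHINE_PROBE_PATHS:
        if m.group("path").endswith(probe):
            return m.group("ip"), probe
    return None

def summarize_probes(lines, threshold=3):
    """Tally probes per client IP and per /24; flag any at or over threshold as block candidates."""
    per_ip, per_net = Counter(), Counter()
    for line in lines:
        hit = parse_probe(line)
        if hit:
            per_ip[hit[0]] += 1
            per_net[str(ip_network(f"{hit[0]}/24", strict=False))] += 1
    return {
        "per_ip": dict(per_ip),
        "per_net": dict(per_net),
        "block_ips": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "block_nets": sorted(net for net, n in per_net.items() if n >= threshold),
    }

# Constructed sample log lines (RFC 5737 documentation addresses, not real scanners).
SAMPLE_LOG = [
    "[Wed Jan 09 12:38:01 2008] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/pm/add_ons/mail_this_entry/mailserver.php",
    "[Wed Jan 09 12:38:02 2008] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/pm/add_ons/mail_this_entry/mail_autocheck.php",
    "[Wed Jan 09 12:38:03 2008] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/pm/add_ons/mail_this_entry/mailserver.php",
    "[Wed Jan 09 12:40:10 2008] [error] [client 198.51.100.5] File does not exist: /home/site/public_html/pm/add_ons/mail_this_entry/mailserver.php",
    "[Wed Jan 09 12:40:11 2008] [error] [client 198.51.100.6] File does not exist: /home/site/public_html/pm/add_ons/mail_this_entry/mail_autocheck.php",
    "[Wed Jan 09 12:40:12 2008] [error] [client 198.51.100.7] File does not exist: /home/site/public_html/pm/add_ons/mail_this_entry/mailserver.php",
    "[Wed Jan 09 12:41:00 2008] [error] [client 203.0.113.9] File does not exist: /home/site/public_html/favicon.ico",
]
```

With the sample above, the single IP 192.0.2.10 crosses the threshold on its own, while 198.51.100.0/24 only crosses it as a network, which is the case where blocking the whole range (rather than one address) is the call Pagoda talks about.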

#6 Bob Crabb
Immediate Family, Members, 555 posts

Posted 09 January 2008 - 11:14 PM

Pagoda,

Thanks for the additional information. Next time I need to research something like this, I'll try the SANS site.