RayVega

Ok, check this out.
our computer system is being hacked. It is a password protected area for brokers (mainstream) It appears that somone is hitting the response form and since they are not under a brokers ID, it is trying to send the response to a non existent broker.

Am I correct about this, and how should I stop it? Advice anyone?

LOG:
[23/JUNE/2008 01:30:19] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:22] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:28] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:30] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:34] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:36] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

HorseShit

uh that doesn't look like a hack attempt

Dirty F

Well you got his IP address.
127.0.0.1 <--- very evil, used by lots of hackers.
Ask your host to block 127.0.0.1

ladida

Your script is attacking you. Uber eleet hacking is going on

__________________
agentGFY *at* gmail.com

Iron Fist

DamianJ

There's no place like 127.0.0.1

Chris

i cant hack my way out of a paper bag and to me that looks like your computer is doing it

__________________
[email protected]

V_RocKs

Would need a link to your form...

Jens Van Assterdam

no shit

__________________
Read TOS for signature rules

Phoenix

hello fbi....i just wanted to say hello

__________________
Skype Phoenixskype1
Telegram PhoenixBrad
https://quantads.io

StuartD

__________________
This is me on facebook
This is me on twitter

RayVega

Thanks guys. So there is a possibility that it is just a bug in the form submission script and not a hack at all? This shit is driving me nuts...every few days the server goes down and we lose the last few days of data.

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

woj

__________________
Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager

RayVega

bump bump

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

StuartD

I'd start checking your automated scripts. Anything that is supposed to run on it's own.

__________________
This is me on facebook
This is me on twitter

2MuchMark

Hi Ray -

You're not being hacked.

The IP Address 127.0.0.1 is your local machine that is running this script. (hence the "home" jokes). The messages above are trying to tell you that This Local Machine cannot send the message because the recipient is unknown. (Wrong email address).

That's all - no hackers are doing anything nasty to you.

Cheers!

__________________

Custom Coding | Videochat Solutions | Age Verification | IT Help & Support
www.2Much.net

munki

I still want that shirt...

__________________

sumphatpimp

you should do a whois on that 127.0.0.1 and see where he lives then go over his place and fuck his ass up good. he fucked with me a few years ago but I found him and beat the living shit out of him with baseball bat. I fucked him up good, he went to the hospital and all.
now this fucker at 192.1683.0.3 is fucking with me, guess I will have to go over his place and straighten out that sonuvabitch too!
I am telling you. being a webmaster ain't easy!

RayVega

Very funny guys...I am very well aware that 127.0.0.1 is the local machine. The problem is that someone or something is triggering it to attempt to send an email every few minutes and in some cases several times a second. This is not a regular user trying to use the form improperly causing an error message, this is either a crazy loop, DOS attack, or attempt to use the form to spam. The attempts are crashing the system.

The way the scripts were designed, the main script(script one) passes info to script two to send the form results to several people...therefore my thoughts on this could be that someone (or a bot they use) are trying to use script number two to send out email to targets so it is untraceable to them, they are using script number two to attempt a DOS attack on someone, or it's just a bug that loops causing the scripting engine to blow up.

problem is that I am not familiar enough with ASP (or the windows web server platform). If the script was in PERL or PHP on a linux box for example, the issue would be resolved already.

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

RayVega

Anyone recommend somone to go in and fix it (without spending a fortune)? I don't have the time to debug it.

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

sumphatpimp

problem is that I am not familiar enough with ASP (or the windows web server platform). If the script was in PERL or PHP on a linux box for example, the issue would be resolved already.

Ray, as a suggestion, maybe you should start a thread "Need Windows programmer" and then work from there. may get you better results.

RayVega

Yes, I'll post later when more people are online...I really wanted some opinions as to what it was (ex.whether it is an attack or a script bug). Seems that it looks like a script bug and not an attack after all..

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

ladida

DingDing..

Your scripts are attacking you man. I told you already. Get a programmer to debug that for you, and stop with hacking theories, they remind me of hollywood movies

__________________
agentGFY *at* gmail.com

psili

If the scripts were running, unchanged, for a period of time without issue, it could be external. If the scripts were implemented and the problem arose soon after, it's probably a script issue.

Just my $.02 on where to start debugging.

__________________
Your post count means nothing.

RayVega

um...yea...I think we acertained that almost right away. But it doesn't mean it's definitely what it is. Thanks for the help though.

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

RayVega

Well, I just took over the problem. I didn't even know it was happening until recently. IT just restored the server every time without saying anything. Aparently, it has been doing it for a long time, like once a month, but it is getting worse and worse, now it crashes twice a day.

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]

_Richard_

RayVega

OK well check this out...while this log file explosion is taking place, different websites show in the status bar, and these sites whois back to places like bulgaria etc.

In other words, while you are trying to go to the site, and it is hanging up trying to load, it say's in the status bar "loading www.bulgariasite.com" instead of "loading www.mysite.com". It is a different russian or bulgarian site every time and the url is registered but the site doesn't exist. Also, it is not putting my entire site into a giant iframe, I checked to see if that was the case, so how in the hell could another site name come up?

What in the hell would cause that?

__________________
Ray "The Don" Vega

Managing Director
Private Equity Fund

[email protected]