Hacking question...hacking gurus step inside.
 

Ok, check this out.
our computer system is being hacked. It is a password protected area for brokers (mainstream) It appears that somone is hitting the response form and since they are not under a brokers ID, it is trying to send the response to a non existent broker.

Am I correct about this, and how should I stop it? Advice anyone?

LOG:
[23/JUNE/2008 01:30:19] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:22] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:28] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:30] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:34] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1
[23/JUNE/2008 01:30:36] Attempt to deliver to unknown recipient </script>, from <[email protected]>, IP address 127.0.0.1

uh that doesn't look like a hack attempt

Well you got his IP address.
127.0.0.1 <--- very evil, used by lots of hackers.
Ask your host to block 127.0.0.1

Your script is attacking you. Uber eleet hacking is going on

:1orglaugh:1orglaugh:1orglaugh

There's no place like 127.0.0.1

i cant hack my way out of a paper bag and to me that looks like your computer is doing it

Would need a link to your form...

no shit :1orglaugh:1orglaugh:1orglaugh

hello fbi....i just wanted to say hello

Thanks guys. So there is a possibility that it is just a bug in the form submission script and not a hack at all? This shit is driving me nuts...every few days the server goes down and we lose the last few days of data.

:thumbsup:1orglaugh

bump bump

I'd start checking your automated scripts. Anything that is supposed to run on it's own.

Hi Ray -

You're not being hacked.

The IP Address 127.0.0.1 is your local machine that is running this script. (hence the "home" jokes). The messages above are trying to tell you that This Local Machine cannot send the message because the recipient is unknown. (Wrong email address).

That's all - no hackers are doing anything nasty to you.

Cheers!

I still want that shirt...

you should do a whois on that 127.0.0.1 and see where he lives then go over his place and fuck his ass up good. he fucked with me a few years ago but I found him and beat the living shit out of him with baseball bat. I fucked him up good, he went to the hospital and all.
now this fucker at 192.1683.0.3 is fucking with me, guess I will have to go over his place and straighten out that sonuvabitch too!
I am telling you. being a webmaster ain't easy!

Very funny guys...I am very well aware that 127.0.0.1 is the local machine. The problem is that someone or something is triggering it to attempt to send an email every few minutes and in some cases several times a second. This is not a regular user trying to use the form improperly causing an error message, this is either a crazy loop, DOS attack, or attempt to use the form to spam. The attempts are crashing the system.

The way the scripts were designed, the main script(script one) passes info to script two to send the form results to several people...therefore my thoughts on this could be that someone (or a bot they use) are trying to use script number two to send out email to targets so it is untraceable to them, they are using script number two to attempt a DOS attack on someone, or it's just a bug that loops causing the scripting engine to blow up.

problem is that I am not familiar enough with ASP (or the windows web server platform). If the script was in PERL or PHP on a linux box for example, the issue would be resolved already.

Anyone recommend somone to go in and fix it (without spending a fortune)? I don't have the time to debug it.

problem is that I am not familiar enough with ASP (or the windows web server platform). If the script was in PERL or PHP on a linux box for example, the issue would be resolved already.

Ray, as a suggestion, maybe you should start a thread "Need Windows programmer" and then work from there. may get you better results.

Yes, I'll post later when more people are online...I really wanted some opinions as to what it was (ex.whether it is an attack or a script bug). Seems that it looks like a script bug and not an attack after all..

DingDing..

Your scripts are attacking you man. I told you already. Get a programmer to debug that for you, and stop with hacking theories, they remind me of hollywood movies :)

If the scripts were running, unchanged, for a period of time without issue, it could be external. If the scripts were implemented and the problem arose soon after, it's probably a script issue.

Just my $.02 on where to start debugging.

um...yea...I think we acertained that almost right away. But it doesn't mean it's definitely what it is. Thanks for the help though.

Well, I just took over the problem. I didn't even know it was happening until recently. IT just restored the server every time without saying anything. Aparently, it has been doing it for a long time, like once a month, but it is getting worse and worse, now it crashes twice a day.

:1orglaugh:1orglaugh

OK well check this out...while this log file explosion is taking place, different websites show in the status bar, and these sites whois back to places like bulgaria etc.

In other words, while you are trying to go to the site, and it is hanging up trying to load, it say's in the status bar "loading www.bulgariasite.com" instead of "loading www.mysite.com". It is a different russian or bulgarian site every time and the url is registered but the site doesn't exist. Also, it is not putting my entire site into a giant iframe, I checked to see if that was the case, so how in the hell could another site name come up?

What in the hell would cause that?