While that would be a plausible explanation, I decided to look deeper into the logs to see if that could be confirmed.
Your "friend" first accessed cigarsmokers.com at 20:17:00:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:17:00 -0500] "GET / HTTP/1.1" 200 9726 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0"
He went straight to view my profile:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:17:24 -0500] "GET /member.php?u=1 HTTP/1.1" 200 6812 "http://www.cigarsmokers.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Back to the home page:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:19:41 -0500] "GET /index.php HTTP/1.1" 200 9736 "http://www.cigarsmokers.com/online.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Got curious about who was online:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:28:11 -0500] "GET /online.php HTTP/1.1" 200 8545 "http://www.cigarsmokers.com/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Tried to find the admin pages:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:31:29 -0500] "GET /admin HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:31:36 -0500] "GET /administration HTTP/1.1" 404 220 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:32:08 -0500] "GET /admin.php HTTP/1.1" 404 215 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Back to the home page:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:32:17 -0500] "GET / HTTP/1.1" 200 9863 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Refresh the home page:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:32:25 -0500] "GET / HTTP/1.1" 200 9840 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Back to the who is online page:
cigarsmokers.com.1141776000:216.165.244.XXX - - [07/Mar/2006:20:32:48 -0500] "GET /online.php HTTP/1.1" 200 8507 "http://www.cigarsmokers.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
Where the browser Meta Refreshes every 60 seconds for 3.5 hours: (a request appears in the logs identical to the one below every ~60 seconds from ~20:32:48 to ~08/Mar/2006:00:06:55)
cigarsmokers.com.1141776000:216.165.244.XXX - - [08/Mar/2006:00:06:55 -0500] "GET /online.php?order=asc&sort=username&pp=20&page=1 HTTP/1.1" 200 7997 "http://www.cigarsmokers.com/online.php?order=asc&sort=username&pp=20&page=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "bblastvisit=1140293145; bblastactivity=0; bbsessionhash=a8140c62b30577b5df919bb99d121948"
That’s an interesting way to try and upgrade a website. I wanted to learn more about Invision (the forum software that runs CigarPass), so I signed up for a demo account over at invisionpower.com. It looks like Invision uses /admin.php as the starting point for the Admin Control Panel. Why was your friend, who apparently knows Invision well enough for you to trust him to do maintenance, trying to access /administration and /admin prior to even trying admin.php? I also noticed that no login attempts were ever made in that session; you would think that someone trying to gain administrative access to do site maintenance would try to log in right off the bat.
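As an added example (not part of the post, and not the CigarPass or Invision logs), here is a small Python parser for access-log lines in the format quoted above. It groups requests by the bbsessionhash cookie (falling back to the client IP) and flags a session that collects several 404s on guessed paths in a short window, the pattern seen above with /admin, /administration and /admin.php. The file prefix, IP, user agent, session hash and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" line with a trailing quoted Cookie field; an optional
# grep-style "file:" prefix (as in the quoted log) is skipped.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')

def parse_line(line):
    """One log line -> dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    cookies = dict(c.split("=", 1) for c in rec["cookie"].split("; ") if "=" in c)
    rec["key"] = cookies.get("bbsessionhash") or rec["ip"]  # session id, else client IP
    return rec

def find_probing(records, window=120, min_hits=3):
    """Sessions with >= min_hits 404s inside `window` seconds -> the paths they probed."""
    by_key = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_key[r["key"]].append(r)
    findings = {}
    for key, hits in by_key.items():
        hits.sort(key=lambda r: r["ts"])
        for i in range(len(hits) - min_hits + 1):
            # Compare the first and last 404 of each run of min_hits consecutive 404s.
            if (hits[i + min_hits - 1]["ts"] - hits[i]["ts"]).total_seconds() <= window:
                findings[key] = [h["path"] for h in hits[i:i + min_hits]]
                break
    return findings

# Constructed sample lines modelled on the format quoted above (not the real log).
LINE = ('site.log:203.0.113.5 - - [{} -0500] "GET {} HTTP/1.1" {} 211 "-" "Mozilla/5.0" '
        '"bblastvisit=1; bbsessionhash=0123456789abcdef"')
SAMPLE = [LINE.format(*x) for x in [
    ("07/Mar/2006:20:31:29", "/admin", 404), ("07/Mar/2006:20:31:36", "/administration", 404),
    ("07/Mar/2006:20:32:08", "/admin.php", 404), ("07/Mar/2006:20:32:48", "/online.php", 200)]]
RECORDS = [r for r in map(parse_line, SAMPLE) if r]
```

Three 404s within 39 seconds trips the default threshold; a single mistyped URL or a stale bookmark does not.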