Ravens PHP Scripts: Forums
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Mon Jan 14, 2008 8:58 pm

A gaming clan that I help out now and then has been getting forum spam. The baddie is able to post a new topic to their forum without being a registered user. The forum post also contains a flash (!!) video.

The clan is running some kind of security lax NukePlatinum distro. I checked it out, and helped them disable SQuery and vWar. The phpBB they are running appears to be 2.0.17 from the admin panel, although it still says 2.0.10 on the forum itself (probably just an old template), and 2.0.13 on the copyright link.

Here is what I found in the log for one of the bad posts:

Code:
12.215.143.218 - - [14/Jan/2008:11:43:21 -0700] "GET /modules.php?name=Forums&file=viewforum&f=44 HTTP/1.0" 200 65163 "http://college-paid.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer  8.0:"
12.215.143.218 - - [14/Jan/2008:11:43:30 -0700] "GET /modules.php?name=Forums&file=posting&mode=newtopic&f=44 HTTP/1.0" 200 77478 "http://xxx.us/modules.php?name=Forums&file=posting&mode=newtopic&f=44" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer  8.0:"
12.215.143.218 - - [14/Jan/2008:11:43:38 -0700] "POST /modules.php?name=Forums&file=posting HTTP/1.0" 200 50730 "http://xxx.us/modules.php?name=Forums&file=posting&mode=newtopic&f=44" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer  8.0:"
12.215.143.218 - - [14/Jan/2008:11:43:43 -0700] "GET /modules.php?name=Forums&file=viewtopic&p=27682#27682 HTTP/1.0" 200 63121 "http://xxx.us/modules.php?name=Forums&file=viewtopic&p=27682#27682" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer  8.0:"


I'm probably going to have to convince them to switch to RavenNuke, or install Sentinel or something, but in the meantime, any idea what they are doing and how I can stop them temporarily? It almost looks like they already have a cookie. Thanks.

_________________
GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Jan 14, 2008 10:22 pm

Not to ask too obvious a question, but do you know for sure that none of their forums are open to anonymous posting? I only ask because it can be a little tricky to make sure that none are.
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236

Posted: Tue Jan 15, 2008 2:55 am

I have used bbantispam for 6 months and I have not had a single spam in the forum or elsewhere, although the forum is open for guests. It is best and simplest to put the installation code for bbantispam in config.php.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Tue Jan 15, 2008 6:40 am

I would definitely make sure they are all the way up to 2.0.22 of BBtoNuke and ensure the session checking code is "in" (i.e., if this doesn't jog your memory, PM me, as I do not want to discuss the exploit openly).

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
Gremmie
Posted: Tue Jan 15, 2008 1:02 pm

fkelly wrote:
Not to ask too obvious a question, but do you know for sure that none of their forums are open to anonymous posting? I only ask because it can be a little tricky to make sure that none are.

killing me

For some reason I missed you guys' replies and had to find out the hard way that this indeed was the case! HA HA HA HA HA

I was poring over logs, checking the forum files, when it suddenly occurred to me this spammer was only doing this to one particular sub-forum that had been created not long ago by a novice admin.

Always check the obvious first!!! D'OH!!

Boy, did you know those Platinum guys replaced the phpBB copyright statements with THEIR OWN copyright statement in all the forum files? Sheesh! They did mod it, or maybe applied some common forum mods, but they didn't write it!!!

I don't want to ruffle any feathers or make anyone mad, but I'm not impressed with the guts of NukePlatinum. Not only did they integrate some very buggy and exploitable 3rd party modules (vWar, SQuery), but they didn't seem to have security in mind in the stuff they wrote and they didn't seem to respect copyrights either.
 
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Tue Jan 15, 2008 3:14 pm

Definitely want to update the forums to latest version though, even with registered only turned on it isn't 'safe'.
Careful with that flash file too. There have been recent exploits of flash files on websites generating code which is saved to a random location on the visitor's PC, which in turn is used to create a zombie machine. I don't think Norton or some of the other well-respected anti-virus products have a fix for it yet; I only got the data today myself.
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Jan 15, 2008 6:24 pm

Yeah, copyrights are supposed to be kept; any changes to the files should only ADD to the copyright.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
Guardian2003
Posted: Wed Jan 16, 2008 1:20 am

I seem to remember a VERY lengthy discussion on this fork from maybe a couple of years ago. I believe it was down to a one-man 'team' called Steve? The same guy that claimed he was working for FB on the nuke 8.0 release, which he was being paid a small fortune for writing a whole new forum for. Funny how it never appeared though.
 
Gremmie
Posted: Wed Jan 16, 2008 8:28 am

I would try to update their forums for them, but they apparently have been heavily modded by the Platinum guys. Their copyright headers mention 3 or 4 people.
 
Guardian2003
Posted: Wed Jan 16, 2008 8:52 am

Yikes! - hard to port and full steam 'away' lol.
 
gazj
Worker
Joined: Apr 28, 2006
Posts: 152
Location: doncaster england

Posted: Tue Apr 15, 2008 12:07 am

Not sure if you fixed this, but the same IP shows on every one, so just do "if ip == 12.215.143.218 then die();" or a header location or something for now; that might fix it short term, well, for that IP. Or just get the webmaster to go with RavenNuke or Nuke 8.1.

_________________
as i stare into the abyss and battle with my demons i yell timeout and have a coffee break. 
Gremmie
Posted: Tue Apr 15, 2008 7:36 am

gazj, the forum was incorrectly configured to allow anonymous users to post. Once that was fixed the spamming stopped.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours