Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
CurtisH
Life Cycles Becoming CPU Cycles


Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI

PostPosted: Sun Mar 27, 2005 8:46 pm Reply with quote

In the last 72 hours I have recieved a TON of emails from many of the nuke site domains that I am a member of. Everyone of them contained a virus.

Anyone else experiencing this?

_________________
Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe 
View user's profile Send private message Visit poster's website Yahoo Messenger
Nukeum66
Life Cycles Becoming CPU Cycles


Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA

PostPosted: Sun Mar 27, 2005 9:02 pm Reply with quote

What type of virus?

_________________
Scott Johnson MIS Ubuntu/Linux 11.10 
View user's profile Send private message Visit poster's website
CurtisH
PostPosted: Sun Mar 27, 2005 9:11 pm Reply with quote

w32.Lovegate.R@mm in most of them.
 
Nukeum66
PostPosted: Sun Mar 27, 2005 9:29 pm Reply with quote

Are you sure they are really coming from the sites and not just spoofed email addresses?
 
CurtisH
PostPosted: Sun Mar 27, 2005 9:46 pm Reply with quote

Well I am unsure about all of them, I only looked closely at the last few which indeed appear to be coming from the actual domains. I was just curious if anyone else has been getting these emails.
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Mon Mar 28, 2005 6:46 am Reply with quote

I was and changed my email addresses a while back because of it. It was a huge pain in the rear but sometimes its the only recourse.

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Mon Mar 28, 2005 9:43 am Reply with quote

Hhmmmm... so the key question is, do you use the same email address on your nuke registrations than what you normally use for personal reasons? It is very troublesome to me if a virus was written specific to Nuke and get access to the nuke_users table. If you use the same email address for other things to, is it more probable that you are on other people's personal distribution lists, which is the primary model for email virus' to attack and propogate.

Sure hope we don't have a nuke-specific issue...

Regards,
montego

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
CurtisH
PostPosted: Mon Mar 28, 2005 9:46 am Reply with quote

Well the interesting thing is that on one of my servers that was running SPCHat and Coppermine I found a folder in the root directory entitled mailer. Inside that folder were php files that were definately snuck in. It looks like someone was using that domain to send stuff with using the php mail function.
 
montego
PostPosted: Mon Mar 28, 2005 10:04 am Reply with quote

Funny how Coppermine always comes in discussions with mischief. And it does not surpise me that a Chat tool could cause vulnerabilities especially if it allows for file sharing.

Thank you for letting all of us know of what you have found!

I am always very leary about using any tool that allows the uploading of files. Sure seems like there needs to be some tool, like Norton or McAfee which can also inspect PHP and other uploaded files. But, somehow, the tools would have to allow site admins to do whatever they need to do.

Sure seems like there may be a nitch market that is not being met...

montego
 
sixonetonoffun
PostPosted: Mon Mar 28, 2005 11:06 am Reply with quote

There was a somewhat un-herolded SPChat security issue a while back. I updated without really giving any thought to posting anything about it here.
 
CurtisH
PostPosted: Mon Mar 28, 2005 11:11 am Reply with quote

So are you saying that my issue was most likely caused by SPChat? I am just curious as to which one of the two it most likely was. I miss my Coppermine already! *LMAO*
 
sixonetonoffun
PostPosted: Mon Mar 28, 2005 11:44 am Reply with quote

No I couldn't tell you which one was the culpurt. But it would be worth comparing the version # of your SPChat against what is the latest posted.
 
Zydor
New Member
New Member


Joined: Mar 29, 2005
Posts: 5

PostPosted: Tue Mar 29, 2005 8:52 am Reply with quote

Slightly off topic - but you mentioned you had to change Email due to Spam. It would be worth looking at "One Time Only" Email addresses. It does not stop the Spam at source, but it is VERY effective in diverting it to useless email addys, leaving your box vertually spam free and clean.

Just a thought, its worked well for many people.

Zy
 
View user's profile Send private message
sixonetonoffun
PostPosted: Tue Mar 29, 2005 9:36 am Reply with quote

Yes it would be. I visit a lot of sites to help debug login features or the ever annoying limited access areas for people. So my email addy gets on some strange lists once in while. But the recent rash of email worms was just too much. I was getting around 10-12 infected emails to every 1 valid one before creating a new identity for this purpose. But to create a one time address everytime would just be way to time consuming.
 
Zydor
PostPosted: Tue Mar 29, 2005 10:03 am Reply with quote

You dont have to. I was very sceptical at first, but this really does work and is a very good practical solution.

Type in "Temporary Email" into any web search engine - Google / MSN give good results on this. The basic idea is that temporary emails are automatically set for you. When you give your email into a dubious or untried source (maybe a new website you want their products or registration, but are unsure of the security) you use a temp email addy. You will still get registration, communication with the site in question, but you trap any resulting Spam, and you find out where it came from - and can give the offending Site a "Thick Ear" Smile

I know it sounds complex & time consuming, but its not - its very neat, quick and elegent. Dozens of temp email addy Providers have sprung up, many are free, but with many of those who charge its dirt cheap.

Its worth a good read on this - it kills spam quickly, and when you do get it, it does not get in your way, your main email box remains free.

Its a very clever innovative solution, thats spreading rapidly because its so easy to use.

Zy
 
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Tue Mar 29, 2005 10:29 am Reply with quote

Only registered users can see links on this board! Get registered or login!

This worm runs on Windows OS so it's definatly not coppermine or spchat.
Maybe your computer is infected.

The only way to find out who send you the email is to look in the email headers.
The headers show you from which IP the email is send.
If the IP doesn't belong to the site you think it is then you must excuse yourself that a php-nuke site is the issue.

In windows cmd or command prompt you can "ping Only registered users can see links on this board! Get registered or login!" to find the IP.
on websites like ripe, arin, lacnic, etc. you can find out to whom the IP belongs.
 
View user's profile Send private message Visit poster's website
Zydor
PostPosted: Tue Mar 29, 2005 10:40 am Reply with quote

Quick addendum to the temp email / anti spam addy posted 2 above

Anyone interested take a look at Only registered users can see links on this board! Get registered or login! - they give a good explanation on the principles, showing how easy it is to use, and they are known as one of the better providers of the genre.

Zy
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©