Ravens PHP Scripts: Forums
 

 

TheosEleos
Life Cycles Becoming CPU Cycles


Joined: Sep 18, 2003
Posts: 960
Location: Missouri

Posted: Wed Feb 25, 2004 7:11 pm

Raven wrote:
Try removing the trailing slash.


Got me too.

Thanks for this.

Frogger
Worker


Joined: Oct 06, 2003
Posts: 108

Posted: Wed Feb 25, 2004 11:58 pm

Da Dummy Speaks...

I was hit with the union thingy.....fortunately already had the latest sec-patch from [link hidden by the board] (chatserv)

After adding your hack.....script....and running the exploit the result returned me to my index page.

Just to check. I checked an old beta site (not patched).....added your script and the referring page was the hack....php

What is the correct result.....

Patched = main page
Unpatched = hack warning page

vice/versa

Like I said.......da dummy speaks....

Either way. the unpatched site only returned a page stating ..... (1 word returned) READ

I ran the exploit on web links, sections and reviews to test.

unlike other exploits I've seen...

just trying to understand (although patched) what to expect in an effort to explain to others....... :)

Frogger
Posted: Thu Feb 26, 2004 12:00 am

oh, yeah.....the script does have xxxx.php/ and I changed it to /xxxx.php to make it work....
 
Frogger
Posted: Fri Feb 27, 2004 12:15 am

hmmmm
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

Posted: Fri Feb 27, 2004 12:21 am

I don't know. Other than what is mentioned in this thread, there have been no issues at all. There's really nothing else that I can think of.
 
Darrell3831
Worker


Joined: Feb 18, 2004
Posts: 244

Posted: Wed Mar 03, 2004 7:24 am

Frogger,

If you're running chatserv's latest patches and follow all the instructions provided in Raven's installation guide then you will return to the index page.

This is because Raven has you entering this on the first line at the top of the script.

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php/");


Then down around line 16 or 17 for your safety Chatserv has this:

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");


It took me a full day about two weeks ago, with Raven's help, to learn that if there is not a die(); statement after the header line that program execution continues right on through.

To get Raven's code to work and stop popping back to the index page I commented out Chatserv's code. I don't know if it's appropriate to add the die(); after Raven's stuff or not in this situation.

Perhaps someone more knowledgeable than me can help you there.

But anyway, commenting out Chatserv's line 16 does work.

Darrell

Raven
Posted: Wed Mar 03, 2004 7:27 am

Always a good thing to do :). Code it like this
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
    header("Location: hackattempt.php/");
    // Stop here so no later code (or later header() call) runs.
    die();
}
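
Added example, not part of Raven's post or of either patch discussed in this thread: a small PHP page that reproduces what Darrell describes (two checks, no die(), the later Location wins) next to the form with die(). The file name guard_demo.php, the helper has_union(), the mode switch and the leading-slash redirect targets are assumptions made for the demo.

```php
<?php
// Added illustration, not code from the thread or from the patches it discusses.
// Serve it with PHP's built-in server:  php -S 127.0.0.1:8080 guard_demo.php
// then request /?mode=before&q=a%20union%20b and /?mode=after&q=a%20union%20b
// and compare the Location header of the two responses (for example with curl -i).

// Same test as in the thread: case-insensitive match on the raw query string.
function has_union(string $rawQuery): bool
{
    return stristr($rawQuery, '%20union%20') !== false;
}

$raw  = $_SERVER['QUERY_STRING'] ?? '';
$mode = $_GET['mode'] ?? 'after';   // 'mode' is a made-up switch for this demo

if ($mode === 'before') {
    // First check: a redirect is queued, but the script keeps running.
    if (has_union($raw)) header('Location: /hackattempt.php');

    // Code that was never meant to run for a flagged request still runs.
    error_log('guard_demo: reached code after the first check');

    // Second check further down: header() replaces the earlier Location,
    // so the client is sent to index.php and never sees hackattempt.php.
    if (has_union($raw)) header('Location: /index.php');

    echo "body still generated after both header() calls\n";
    return;
}

// 'after': send the redirect and stop, so nothing below can run or override it.
if (has_union($raw)) {
    header('Location: /hackattempt.php');
    die();
}

echo "no match, normal page\n";
```

In "before" mode the response carries `Location: /index.php` and the server log shows the error_log line; in "after" mode it carries `Location: /hackattempt.php` and nothing after the check executes.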
 
ballymuntrev
Hangin' Around


Joined: Mar 22, 2004
Posts: 49

Posted: Fri Mar 26, 2004 3:32 pm

I can't download the script from here, says I'm not authorised ?
Any chance I could be "authorised" to get it please ??

I'm going here to get it from, correct me if I'm wrong...
[link hidden by the board]
 
Raven
Posted: Fri Mar 26, 2004 3:38 pm

Please read the red notice in the download panel about what causes that to happen. You will need to adjust your setup temporarily.
 
ballymuntrev
Posted: Fri Mar 26, 2004 3:43 pm

Sorry, my bad, missed the bit about proxies. I'm using Satellite internet and it runs over their proxy service.
 
Raven
Posted: Fri Mar 26, 2004 3:46 pm

NP. Contact me via email if you aren't able to get it.
 
ballymuntrev
Posted: Sat Mar 27, 2004 5:32 am

I guess I'll send you an email so :)
I tried with just the dialup on, no proxy, no VPN, no anti virus running but it still says un-authorised. It's the only download that I've had probs with, anything else I've downloaded worked fine.
 
Raven
Posted: Sat Mar 27, 2004 6:29 am

ballymuntrev wrote:
I can't download the script from here, says I'm not authorised ?
Any chance I could be "authorised" to get it please ??

I'm going here to get it from, correct me if I'm wrong...
[link hidden by the board]

Where did you get that address? It's .com not .net (as you already figured out) :)
 
ballymuntrev
Posted: Sat Mar 27, 2004 7:10 am

Not exactly sure now, think it may be that I hadn't your site bookmarked at home, only in work, and was trying to remember the address, but failed :roll: so done a search on google and the .net address for the site came up, I'm actually browsing and logged into the site now via the .net address :)
Guess I better change it then :D
 
Raven
Posted: Sat Mar 27, 2004 7:31 am

Actually ... I have the .net address mapped to .com however I wasn't allowing that address into my downloads. I just modified the rules. See if you can get in through the .net address now.
 
ballymuntrev
Posted: Sat Mar 27, 2004 9:03 pm

Yep, working through the .net address now too, good stuff !
Working also over both my satellite internet proxy and VPN too, which is nice :)
 
Tank863
New Member


Joined: May 29, 2003
Posts: 16

Posted: Sat Mar 27, 2004 10:55 pm

awesome code I might add...

It worked to prevent a hack on my site last night...

here is what happened...

I have Protector System Installed, Raven's Hack Alert & Admin Secure Installed on my site... they do work together.. and provide a different level of protection. Anyway... last night err.. this morning when I woke.. I received this email from my Admin Secure.. and from Raven's Hack Alert

Admin Secure detecting external file linking through modules.php inclusion. This is might be a possible suspicious hacking attempt activity on your website. For security consideration, this session has been blocked by Admin Secure to protect your site. Admin Secure collecting these information for your evaluation:

- Date: 27 March 2004, 02:42
- IP Address: 24.1.200.29
- Host: c-24-1-200-29.client.comcast.net
- User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; .NET CLR 1.1.4322)
- URI: /modules.php?name=Forums&file=viewtopi...
- VAR: $file = viewtopi...

Note:
You can turn-off mail notification from Admin Secure configuration setting.


I ran a samspade check on the IP addy...


Here in the log is what he/she did to cause the alarm...

24.1.200.29 - - [27/Mar/2004:02:42:13 -0500] "GET /modules.php?name=Forums&file=viewtopi... HTTP/1.1" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; .NET CLR 1.1.4322)"

Anyone know what hack attempt this is?

Tank863
 
All times are GMT - 6 Hours
 