Ravens PHP Scripts: Forums
Security - PHP Nuke
floppydrivez
Involved
Joined: Feb 26, 2006
Posts: 340
Location: Jackson, Mississippi

Posted: Thu May 17, 2007 9:50 am

Check out this URL. I can't exactly put my finger on how to stop this.

Quote:
/modules.php?name=Forums&username1=6jdi1@see.it&subject= CASINO ONLINE GUIDE &ft=Verdana&fs=8&fc=white&helpbox= CASINO ONLINE GUIDE &message=Russo!gymnasiums sub:Americas credulity rural beckoning Rousseau [link] VIRTUAL CASINOS [link] invaders predominated? [link] CASINO GAMES [link] feline malignantly [link] ROULETTE ONLINE [link] tendencies censure.Elgin [link] LASVEGAS GAMBLING CASINO [link] Arianist erupt. [link] CYBER CASINO [link] slurry conquest:technologies capability mumblings [link] CRAPS [link] thesis!aspirants bodied? [link] CASINO [link] transpacific &image_verify= CASINO ONLINE GUIDE &mode=reply&t=896&post=Submit
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Thu May 17, 2007 11:20 am

I get an illegal operation when trying that on the latest Patched files.

This is when I allow guest posting too. Really I would encourage everyone to disable guest posting; you'll stop many attempts that way.

floppydrivez
Posted: Thu May 17, 2007 12:33 pm

This is a registered forum, evaders. That's what confuses me.
 
evaders99
Posted: Thu May 17, 2007 9:10 pm

And it posted successfully? What version are you using?
 
floppydrivez
Posted: Fri May 18, 2007 6:38 am

I think 3.1 evaders. Whatever came with rn2.0.2. I got the new distro on a test site so I can get the upgrade done and my custom edits back in place.
 
evaders99
Posted: Fri May 18, 2007 7:29 am

If you're using the latest RavenNuke and still getting this problem, let us know.
 
floppydrivez
Posted: Fri May 18, 2007 7:34 am

Thanks evaders.
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Fri May 18, 2007 7:46 am

What should be happening when anonymous tries to post is something like this:

Quote:
SQL was: SELECT MAX(post_time) AS last_post_time
FROM nuke_bbposts
WHERE poster_id =
client IP: || remote addr: 216.32.81.18.
May 16, 2007, 3:39 pm 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1179344356, 12, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('Buy Propecia Real Pills', , 1179344356, 12, 0, 0, 0)
client IP: || remote addr: 216.32.81.18.
May 16, 2007, 4:59 pm 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3


I have a little "patch" into the /db/mysql.php on my production site that captures these. But try this: log out of both your normal user and admin and come into your site as anonymous. Go to Forums and try to create a post. Forums will let you all the way thru creating it but when you actually try to submit it you should see the SQL error right on the Forums screen. If you don't then you don't have the right patch level, or RN distribution running.

We really should fix forums so that anonymous doesn't even see the new topic button or have any other "opportunity" to even begin to create a post, but of course that involves mucking with the PHPBB code and risking having it overwritten the next time there is a PHPBB upgrade.
 
floppydrivez
Posted: Fri May 18, 2007 7:53 am

I have already fixed it so anonymous doesn't see any buttons, quote, the whole 9. That's how I know it's through a script.
 
floppydrivez
Posted: Fri May 18, 2007 1:30 pm

Coming back to this, but a little off subject. I have stripped nearly all options from anonymous in every module. Mainly for SEO/Sitemap reasons. It builds up so many links that are just unnecessary.
 
fkelly
Posted: Fri May 18, 2007 1:39 pm

You made me curious Floppy. Like I said, I am seeing SQL errors when anonymous tries to post in my Forums. I haven't wanted to go into Forum code and do what you've done ... taking buttons off for anonymous for instance. I hate doing things that can just get undone with the next update.

But anyway, I went into my raw access logs to see what they are doing to try to post as anonymous. Here is a typical attempt (edited to obscure the path):

Quote:
200.35.34.58 - - [18/May/2007:09:36:14 -0400] "GET /xx/modules.php?name=Forums&file=viewforum&f=12 HTTP/1.1" 200 13748 "http://xxx.org/modules.php?name=Forums&file=viewforum&f=12" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"


All the efforts I am seeing are some variant of that and I am seeing a good handful each day from various IP's. I don't know if it's from a script or from someone coming on my site and trying to post. None of the posts are getting thru, they are all getting the SQL error I posted earlier. I am then banning them thru htaccess, though I have a feeling that's like putting a finger in the dike.

I've been thinking of modifying my /db/mysql.php hack to check for the string "bbpost" in the failed sql and write that IP out to htaccess. Or maybe this is an additional check that NukeSentinel should do?
 
floppydrivez
Posted: Fri May 18, 2007 1:44 pm

Where can I pick up this patch of yours as a quick fix till I can get all my mods converted to the new rvnuke? If it can be singled out.
 
fkelly
Posted: Fri May 18, 2007 2:15 pm

Well, with some hesitation since this has not been extensively tested, I will post the code I am using in mysql.php. If you decide to use it, please make a backup copy of your current code in case any problems occur. First, the code, then some notes:

Code:
function sql_query($query = '', $transaction = FALSE)
{
   global $db_error_toscreen;
   // Remove any pre-existing queries
   unset($this->query_result);
   if ($query != '') {
      $this->query_result = @mysql_query($query, $this->db_connect_id);
   }
   if ($this->query_result) {
      unset($this->row[$this->query_result]);
      unset($this->rowset[$this->query_result]);
      return $this->query_result;
   }
   else {
      $error = $this->sql_error($query);
      // set $db_error_toscreen in rnconfig? Not implemented yet: while it is
      // unset this branch is skipped and the error goes to dblog.txt below.
      if ($db_error_toscreen) {
         echo $error['code'] . ' : ' . $error['message'] . '<br />';
         echo 'for the following sql: ' . $query . '<br />';
      }
      else {
         // Append the failed query and the caller's address to dblog.txt,
         // which must already exist in the Nuke root and be writable (666).
         $fplog = fopen('dblog.txt', 'a');
         if ($fplog) {
            $logvar = date("F j, Y, g:i a") . ' ';
            $logvar .= $error['code'] . ' : ' . $error['message'] . "\n";
            $logvar .= 'SQL was: ' . $query . "\n";
            $logvar .= 'client IP: ' . getenv("HTTP_CLIENT_IP") . '||' .
                       ' remote addr: ' . $_SERVER['REMOTE_ADDR'];
            fwrite($fplog, "$logvar. \n");
            fclose($fplog);
         }
      }
      return ($transaction == END_TRANSACTION) ? true : false;
   }
}


Note that this just replaces the function sql_query. You will also need to create a file called dblog.txt in your Nuke root directory to receive output.
I had to give it permissions of 666 to get it to work. The db_error_toscreen check is not implemented at this time and will just be bypassed. I'm leaning towards eliminating this also.

Note also that all this does is log mysql errors. It doesn't stop any hack attacks or anything else. I have been "manually" reviewing bbtopic related mysql errors and sticking the IP's I find there in my htaccess file. Longer term that's something we'd want to automate.

An obvious caveat is that this is an entirely unsupported hack. At the same time I will be interested to know if it works for you or anyone else who wants to try it. But please back up your current mysql.php file first and keep an eye on things if you are running it on a production system.
 
floppydrivez
Posted: Fri May 18, 2007 2:53 pm

I see what you mean about writing the IP to .htaccess now. This is definitely something that could be integrated into Sentinel, pending it does the job. So far so good.
 
floppydrivez
Posted: Fri May 18, 2007 4:04 pm

Hmm.. this dblog has turned up some very interesting results after the instance happened again.

I just can't make sense of all of it. For security reasons I am gonna send you a PM, fkelly. See if it makes sense to you.
 
floppydrivez
Posted: Fri May 18, 2007 4:27 pm

Ok somebody try this for me.

ftopic-new-3.html

Change 3 to any private forum id you got. Access directly through url.
 
evaders99
Posted: Fri May 18, 2007 4:39 pm

I've tried that as anonymous on my test site, both RavenNuke and Patched phpNuke. I cannot duplicate any attempt to post on private or private [hidden] forums. It will not post, it will just go to the Your_Account login
 
floppydrivez
Posted: Fri May 18, 2007 4:45 pm

I hardcoded a check into functions_post.php as a simple fix till I can update then. The only thing I could think to do. It returns a good mysql error, but at least it will do the job.
 
floppydrivez
Posted: Fri May 18, 2007 4:59 pm

If functions_post.php were a little more advanced it would check to make sure that forum had permissions for anonymous to post. This might be a simple fix to posting bots, which seem to be a growing issue.
 
fkelly
Posted: Mon Jun 11, 2007 11:11 am

Just to update this. I've been running the dblog hack to mysql.php on my production site for almost a month now. It's proving invaluable both in catching hacks and in diagnosing errors in my own code as I develop. Usually I would catch the errors on my local test system, but in a recent case I was testing a Paypal related application where I had to run the new programs on a real domain (cause Paypal posts back to it) and having the SQL errors captured really helped.

I hadn't edited dblog.txt in a while and it had built up to 140k or so, mostly because of hackers trying to put spam into Forums as anonymous. The typical captured post looks like this:

Quote:
June 11, 2007, 11:59 am 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 1181577585, 14, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('nnnnnnnnnnnnnnnnnnnnnnn', , 1181577585, 14, 0, 0, 0)
remote addr: 127.0.0.1


This is a test post I did, the more typical topic has something to do with sex and children or viagra or pharmacy stuff or whatever.

Anyway what I was doing was capturing the IP's and putting them over into htaccess as deny froms and then deleting the captured errors from dblog. But with like 100 such messages this morning I decided: "enough". So I spent some time modifying the dblog hack and I'll post it here. Read the caveats after:

Code:
function sql_query($query = '', $transaction = FALSE)
{
   global $db_error_toscreen;
   // Remove any pre-existing queries
   unset($this->query_result);
   if ($query != '') {
      $this->query_result = @mysql_query($query, $this->db_connect_id);
   }
   if ($this->query_result) {
      unset($this->row[$this->query_result]);
      unset($this->rowset[$this->query_result]);
      return $this->query_result;
   }
   else {
      $error = $this->sql_error($query);
      // A failed query against bbtopics is what an anonymous forum post
      // produces (empty topic_poster), so ban the address in .htaccess.
      // Caveats: a normal user who tries to post anonymously is banned too,
      // and an address that fails again gets a second, duplicate deny line.
      // The original used eregi('bbtopics', $query); stripos() is the same
      // case-insensitive match without the POSIX regex functions.
      if (stripos($query, 'bbtopics') !== false) {
         $fplog = fopen('.htaccess', 'a');
         if ($fplog) {
            fwrite($fplog, 'deny from ' . $_SERVER['REMOTE_ADDR'] . "\n");
            fclose($fplog);
         }
      }
      // Log every failed query to dblog.txt (666 file in the Nuke root)
      $fplog = fopen('dblog.txt', 'a');
      if ($fplog) {
         $logvar = date("F j, Y, g:i a") . ' ';
         $logvar .= $error['code'] . ' : ' . $error['message'] . "\n";
         $logvar .= 'SQL was: ' . $query . "\n";
         $logvar .= ' remote addr: ' . $_SERVER['REMOTE_ADDR'];
         fwrite($fplog, $logvar . "\n");
         fclose($fplog);
      }
      return ($transaction == END_TRANSACTION) ? true : false;
   }
}


Caveats: back up your present mysql.php in case you run into problems. Second, realize that this is going to add to a dblog.txt file that you have created with 666 permissions in your nuke root folder. If you are never going to look at this and not going to maintain it regularly, then don't create it and don't use this hack. Third, you will probably get some false positives. This happens when a "normal" user (not a hacker) tries to post anonymously. With the new version of code they will get banned. I'm finding these at about a 1 percent ratio to hackers so it's tolerable to me.

Eventually I'd like to see some version of this hack get put into a future Ravennuke release but wiser minds should look at it first. The ideal thing might be to put the forum based filter into NS so any anonymous who tries to post gets banned (or so that the admin has the choice over what action to take at least).

I'm also not sure how effective banning these IP's is. It seems like the hackers have access to unlimited pools of (probably) faked IP's, so it could be like trying to remove sand from the beach grain by grain. I don't know.
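As an added example (not fkelly's code, and not part of RavenNuke or NukeSentinel), the following Python script reads dblog.txt entries in the format the hack above writes, keeps only the two anonymous-posting failures quoted in this thread (an empty topic_poster in the bbtopics INSERT, or a bare poster_id = in the bbposts SELECT), counts them per address, and emits deny lines only above a threshold and only for addresses .htaccess does not already deny. The log entries and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of dblog.txt in the format the second mysql.php hack writes:
# "date code : message", one or more lines of SQL, then " remote addr: IP".
# Addresses are from documentation ranges, not real attackers.
SAMPLE_DBLOG = """\
June 11, 2007, 11:59 am 1064 : You have an error in your SQL syntax; near ' 1181577585, 14, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('Buy Propecia Real Pills', , 1181577585, 14, 0, 0, 0)
 remote addr: 203.0.113.7
June 11, 2007, 12:02 pm 1064 : You have an error in your SQL syntax; near '' at line 3
SQL was: SELECT MAX(post_time) AS last_post_time
FROM nuke_bbposts
WHERE poster_id =
 remote addr: 203.0.113.7
June 11, 2007, 12:05 pm 1064 : You have an error in your SQL syntax; near ' 1181577900, 12, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('nnnnnnnn', , 1181577900, 12, 0, 0, 0)
 remote addr: 203.0.113.7
June 11, 2007, 12:10 pm 1064 : You have an error in your SQL syntax; near ' 1181578200, 12, 0, 0, 0)' at line 1
SQL was: INSERT INTO nuke_bbtopics (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type, topic_vote) VALUES ('Question about themes', , 1181578200, 12, 0, 0, 0)
 remote addr: 198.51.100.4
June 11, 2007, 12:15 pm 1146 : Table 'nuke.nuke_mymod' doesn't exist
SQL was: SELECT * FROM nuke_mymod
 remote addr: 192.0.2.9
"""

ENTRY_START = re.compile(r"^\w+ \d{1,2}, \d{4}, \d{1,2}:\d{2} [ap]m (\d+) : (.*)$")
REMOTE_ADDR = re.compile(r"remote addr:\s*(\d{1,3}(?:\.\d{1,3}){3})")  # ignores the trailing "." of the first hack's format
# An anonymous poster leaves topic_poster empty ("VALUES ('title', , ...") or
# poster_id with nothing after "=": exactly the two failures quoted in the thread.
ANON_TOPIC = re.compile(r"INSERT INTO \w*bbtopics\b.*VALUES\s*\(\s*'(?:[^']|'')*'\s*,\s*,", re.S)
ANON_POST = re.compile(r"\w*bbposts\b.*poster_id\s*=\s*$", re.S)

def parse_dblog(text):
    """Return (code, message, sql, ip) tuples; the SQL may span several lines."""
    entries, cur, sql = [], None, []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            cur, sql = (int(m.group(1)), m.group(2)), []
        elif cur and REMOTE_ADDR.search(line):   # closes the entry
            entries.append((cur[0], cur[1], "\n".join(sql), REMOTE_ADDR.search(line).group(1)))
            cur = None
        elif cur:
            sql.append(line[len("SQL was:"):].strip() if line.startswith("SQL was:") else line.strip())
    return entries

def is_anonymous_post_failure(sql):
    return bool(ANON_TOPIC.search(sql) or ANON_POST.search(sql))

def anonymous_failures_by_ip(text):
    return Counter(ip for _, _, sql, ip in parse_dblog(text) if is_anonymous_post_failure(sql))

def candidate_bans(text, threshold=2):
    """IPs with at least `threshold` anonymous-post failures. threshold=1 is the
    hack's ban-on-first-failure rule; 2 or more spares the ordinary user who
    tries once, sees the SQL error and gives up (fkelly's ~1% false positives)."""
    return {ip for ip, n in anonymous_failures_by_ip(text).items() if n >= threshold}

def new_deny_lines(ips, existing_htaccess):
    """'deny from' lines only for IPs not already denied; the hack appends a
    duplicate line every time an already-banned address fails again."""
    already = set(re.findall(r"^\s*deny from\s+([\d.]+)", existing_htaccess, re.M))
    return ["deny from %s" % ip for ip in sorted(ips) if ip not in already]
```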
 
floppydrivez
Posted: Mon Jun 11, 2007 11:23 am

I believe this should go into Sentinel, but like you said, in the right mischievous hands this method may be ineffective. If you don't allow anonymous to post on your board at all, in includes/functions_post.php you check to make sure they are a user.

Code:
function submit_post($mode, &$post_data, &$message, &$meta, &$forum_id, &$topic_id, &$post_id, &$poll_id, &$topic_type, &$bbcode_on, &$html_on, &$smilies_on, &$attach_sig, &$bbcode_uid, $post_username, $post_subject, $post_message, $poll_title, &$poll_options, &$poll_length)
{
   global $board_config, $lang, $db, $phpbb_root_path, $phpEx;
   global $userdata, $user_ip;

   include_once("includes/functions_search.php");

   $current_time = time();
   if ($mode == 'newtopic' || $mode == 'reply' || $mode == 'editpost')
   {


Change to

Code:
function submit_post($mode, &$post_data, &$message, &$meta, &$forum_id, &$topic_id, &$post_id, &$poll_id, &$topic_type, &$bbcode_on, &$html_on, &$smilies_on, &$attach_sig, &$bbcode_uid, $post_username, $post_subject, $post_message, $poll_title, &$poll_options, &$poll_length)
{
   global $board_config, $lang, $db, $phpbb_root_path, $phpEx;
   global $userdata, $user_ip;

   include_once("includes/functions_search.php");

   $current_time = time();
   // Skip everything below for the Anonymous account (user_id 1 on this board)
   if ($userdata['user_id'] != "1") {
   if ($mode == 'newtopic' || $mode == 'reply' || $mode == 'editpost')
   {


Don't forget to add the close brace at the end

Find
Code:
   }

   return false;


Change To
Code:
   }

   return false;
   } else {
      // Anonymous never reaches the posting code above
      die("HAHA STUPID!");
   }


Simple and Effective for boards that don't allow anonymous post anywhere.
 
fkelly
Posted: Mon Jun 11, 2007 11:44 am

I have held off on modifying any forums code because of the complications involved when we get a new integration package. I can't keep track of a lot of mods; I'm just not disciplined enough. Right now if anonymous tries to post on my system they see a SQL error right on the posting screen and it doesn't get posted. With my hack they also now get banned. I can see where your modification would be helpful too, they'd never even get a chance to TRY to post. Actually, on second thought, where you have the die (haha stupid) you could instead write to htaccess or both.
 
floppydrivez
Posted: Mon Jun 11, 2007 11:46 am

Yeah, the mod could also check to see if anonymous had the rights to post, even check by forum.

Could be a great combination of the two. I am a big fan of core hacking, but I keep decent records, but it doesn't make updating too much easier lol.
 
fkelly
Posted: Mon Jun 11, 2007 6:26 pm

Quote:
I am a big fan of core hacking, but I keep decent records, but it doesn't make updating too much easier lol.


At the risk of taking this totally off-topic, one of the major reasons I'm involved with Ravennuke is that I want to see any "good" ideas I have become part of the core. Otherwise they are essentially dead-ends. I don't know how many times, for instance, I've eliminated that subscription code from Your Account but it keeps coming back with each revision. And that's trivial. On the other hand, changes I made to the themes to make them compliant and more efficient will be there for every succeeding version of RN and I won't have to reinvent them either. Or sit here with Beyond Compare or some other tool figuring out exactly what lines got changed and how to make what I want to do compatible ... again.

And getting slightly back to being on-topic, that's why I'm so reluctant to hack the Forum code. It's just not Nuke versus Ravennuke but it involves PHPBB and PHPBB integration code and whoever does that.
 
fkelly
Posted: Thu Jul 12, 2007 9:34 am

I wonder. I am seeing tons of attempts to inject Forum spam that look something like this:

Quote:
/yourpath/modules.php?name=Forums&username=ringosd&subject=he nice download world&addbbcode18=0;&addbbcode20=7&helpbox=Tip: Styles can be applied quickly to selected text.&message=he love ringtone site [link] you love link ass? &mode=newtopic&sid=42788fae206090308d1f97385c1ea886&f=12&post=Submit 2007-07-11


The common denominator is a username that is not registered at your site.

NukeSentinel, if I am not mistaken, parses every such get string with the code:


Code:
if (!isset($_COOKIE['admin']) OR !is_admin($_COOKIE['admin'])) {

  // Check for SCRIPTING attack
  // Copyright 2004(c) ChatServ
  // eregi() is a case-insensitive POSIX regex match (removed in PHP 7;
  // preg_match() with the /i modifier is the equivalent)
  $blocker_row = $blocker_array[4];
  if($blocker_row['activate'] > 0) {
    foreach($_GET as $sec_key => $secvalue) {
      if((eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]style*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
      (eregi("<[^>]body*\"?[^>]*>", $secvalue)) ||
      (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
      (eregi("\"", $secvalue)) ||
      (eregi("forum_admin", $sec_key)) ||
      (eregi("inside_mod", $sec_key))) {
        block_ip($blocker_row);
      }
    }   // end foreach over $_GET
  }     // end if blocker activated
  // (NukeSentinel's remaining checks follow here in the release)
}


Which can be found at line 305 of the latest release. I guess I could experiment on my own systems but I thought I would ask first: would it be feasible to test for the string username? If that's present, take what it's equal to and do a SQL find on the users table for the value on the right of the = sign (ringosd in this case). If numrows is = 0 then do the block_ip function. I would love to see these suckers get automatically banned, and I'd love to see it built right into the security product we all know and love and have it be part of Ravennuke from some point on out.

Comments?
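The check fkelly proposes, as an added example in Python rather than NukeSentinel's PHP (this is not NukeSentinel code): it pulls the claimed username out of a Forums post submission and flags the request when that name is not in the users table, here stood in for by a constructed set. It only inspects newtopic/reply submissions, so viewforum hits like the access-log line earlier in the thread are never matched, and it matches the parameter by prefix because the first spam URL in this thread used username1 where the second used username.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the users table ("SELECT username FROM nuke_users");
# a NukeSentinel version would run that query instead of consulting this set.
REGISTERED_USERS = {"floppydrivez", "evaders99", "fkelly"}

# Query strings modelled on the two spam attempts quoted in this thread; the
# first uses "username1=", the second "username=", so the key is matched by
# prefix rather than exactly.
SPAM_REQUESTS = [
    "/modules.php?name=Forums&username1=6jdi1@see.it&subject=CASINO&mode=reply&t=896&post=Submit",
    "/yourpath/modules.php?name=Forums&username=ringosd&subject=he+nice&mode=newtopic&f=12&post=Submit",
]

def forum_post_username(url):
    """Username a Forums post submission claims, or None when the request is not
    a newtopic/reply submission. Restricting the check to posting requests keeps
    ordinary viewforum/viewtopic hits out of it."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first = lambda k: q.get(k, [""])[0]
    if first("name") != "Forums" or first("mode") not in ("newtopic", "reply"):
        return None
    for key, values in q.items():
        if key.lower().startswith("username"):
            return values[0].strip()
    return None   # a logged-in user's posting form carries no username field

def should_block(url, registered=REGISTERED_USERS):
    """fkelly's rule: a post submission naming a username with zero rows in the
    users table is a bot; this is where NukeSentinel would call block_ip()."""
    name = forum_post_username(url)
    if name is None:
        return False
    return name.lower() not in {u.lower() for u in registered}
```

A spammer who submits a name that does exist in the users table is not caught by this rule alone; the dblog hack still sees that case, because the INSERT fails on the empty poster id regardless of the name supplied.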
 