Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
Mesum
Useless


Joined: Aug 23, 2002
Posts: 213
Location: Chicago

PostPosted: Sun Apr 25, 2004 2:41 am Reply with quote

Hi, I was just wondering if there will be a newer version of HackAlert will be coming out soon.
thanks.
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sun Apr 25, 2004 6:54 am Reply with quote

For what purpose? Is there a new exploit?
 
View user's profile Send private message
Mesum
PostPosted: Sun Apr 25, 2004 6:57 am Reply with quote

I am not sure but I saw people were talking about some new (at least for me) encrypted union attacks or something.
 
Raven
PostPosted: Sun Apr 25, 2004 7:02 am Reply with quote

There's a flurry of discussion about it at nukecops but I've yet to see the exploit that it purports to fix. Their 'fix' is breaking more things than it is fixing so if there is an exploit and someone would send it along, I will be happy to look into it.
 
Raven
PostPosted: Tue Apr 27, 2004 8:54 am Reply with quote

There is one MySQL exploit that can be used to 'mask' the union attack. MySQL and a few other rdbms's allow a comment /* */ to be placed in the Query as a hint to MySQL to override it's determined course. In other words, if MySQL would determine to NOT use an index, for whatever reason, you can give it a 'hint' by placing certain code in the query in /* */. Well, the crackers out there have picked up on this and are exploiting it. Here is a proposed fix for my hack alert code in mainfile.php
Code:
$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net

// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20')) {
   $loc = $_SERVER['QUERY_STRING'];
   header("Location: hackattempt.php?$loc");
   die();
}
I am testing it and would like you all to test it too. Once we determine it works I will modify the download. Let me know.
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Tue Apr 27, 2004 10:12 am Reply with quote

Testing it but i had to rename the variable as i already use $checkurl in admin.php
 
View user's profile Send private message Visit poster's website
Dogman
New Member
New Member


Joined: Oct 24, 2002
Posts: 1

PostPosted: Tue Apr 27, 2004 11:12 am Reply with quote

Hm,...

this filter worked for "NukeHackerTrap" v1.2 available at Only registered users can see links on this board! Get registered or login! :
[/CODE]
if (stristr($sRQ,'/*')) return $this->detect();
[/CODE]

Dogman Cool
 
View user's profile Send private message
southern
Client


Joined: Jan 29, 2004
Posts: 591
Location: Texas

PostPosted: Tue Apr 27, 2004 11:24 am Reply with quote

I'll put it in mainfile and let you know how it works. Your original hackalert is great and I wouldn't deign to use the NC plagiarization.

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
southern
PostPosted: Tue Apr 27, 2004 12:29 pm Reply with quote

Um, where in mainfile does it go? There doesn't seem a $checkurl in mainfile.
 
chatserv
PostPosted: Tue Apr 27, 2004 12:36 pm Reply with quote

Place the line right after the file credits
 
southern
PostPosted: Tue Apr 27, 2004 1:13 pm Reply with quote

Ok. Just got a bunch of hack attempt alerts from 62.254.64.8, Amsterdam natch. Why don't those little Dutch boys and girls stick their fingers in dykes instead of hacking...? Sad
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Tue Apr 27, 2004 1:19 pm Reply with quote

Seems to catch anything I've thrown at it so far. Just a few variations on the standard %20UNION%20 and %20UN/*%20%20%20%20*/ION%20
So on and so on.
 
View user's profile Send private message
Coldy
Hangin' Around


Joined: Apr 24, 2004
Posts: 43
Location: Austria

PostPosted: Tue Apr 27, 2004 1:30 pm Reply with quote

I´ve testet on two different phpnuke-versions!
I think it works, but i had delete the last fix from sting!

Coldy Cool
 
View user's profile Send private message
southern
PostPosted: Tue Apr 27, 2004 1:31 pm Reply with quote

I put it in mainfile, now I'm going outdoors to tend to my garden...gotta check my possum traps while hack alert traps more Dutch boys and girls.
 
Johan1982
New Member
New Member


Joined: Oct 23, 2003
Posts: 24

PostPosted: Tue Apr 27, 2004 2:06 pm Reply with quote

Code:
$checkmyurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net 

// Raven http://ravenphpscripts.com
if (stristr($checkmyurl,'%20union%20')) {
   $loc = $_SERVER['QUERY_STRING'];
   header("Location: hackattempt.php?$loc");
   die();
}


Question Question Question


Last edited by Johan1982 on Tue Apr 27, 2004 2:27 pm; edited 1 time in total 
View user's profile Send private message
sixonetonoffun
PostPosted: Tue Apr 27, 2004 2:08 pm Reply with quote

$checkmyurl doesn't match if (stristr($checkurl
 
Johan1982
PostPosted: Tue Apr 27, 2004 2:44 pm Reply with quote

Corrected this observation in my past post , thanks Cool
 
MickP
Hangin' Around


Joined: Sep 17, 2003
Posts: 31
Location: Australia

PostPosted: Tue Apr 27, 2004 3:01 pm Reply with quote

I have just added to my site and will let you know if there are any problems, I also had to rename $checkurl tho Smile
 
View user's profile Send private message Visit poster's website
sixonetonoffun
PostPosted: Tue Apr 27, 2004 3:14 pm Reply with quote

Yeh Think I'd go for a new name for the variable
Somthing like $union_tap oh wait thats another Paul Laudanski (aka Zhen-Xjell). TM name er let me uhm see here...
How about $no_unions or $union_crap? See the AUP for further details Rolling Eyes
 
Raven
PostPosted: Tue Apr 27, 2004 3:20 pm Reply with quote

Have you read the latest announcement over there and some feedback? This could get lively! Hey! I forgot to copyright my code! Doggone it - now it's too late. Oh, that's right. I can wait for a more opportune time and then attack one of you for using it. How silly of me! /me slaps me, or is that YOU ARE SLAPPED BY ME? Bad, bad, bad ....
 
sixonetonoffun
PostPosted: Tue Apr 27, 2004 3:37 pm Reply with quote

So far all I've kept up on is the posts at the .org those virtual slaps are so painful. I bet the script kiddies cry every time they get one. I know the union folks are gonna get tired of it in a hurry. Might even go out on strike over the treatment. Wink
 
Nukeum66
Life Cycles Becoming CPU Cycles


Joined: Jul 30, 2003
Posts: 551
Location: Neurotic, State, USA

PostPosted: Tue Apr 27, 2004 4:57 pm Reply with quote

Out of curiosity I tested Paul's Union Tap beta3 and needless to say, it should be called Union Crap. It stopped only the original exploit.

Now the Raven_Slap Idea script stopped everything.

_________________
Scott Johnson MIS Ubuntu/Linux 11.10 
View user's profile Send private message Visit poster's website
Tank863
New Member
New Member


Joined: May 29, 2003
Posts: 16

PostPosted: Tue Apr 27, 2004 7:12 pm Reply with quote

I must say.. I am once again impressed with your hackalert script Raven.

I tested out your script using Janek's exploit and it stopped it dead in its tracks.

Question for Chatserv... I also use $checkurl in admin.php. I added the new hackalert as is posted above.. it worked.

Do I need to change it? Embarassed
 
View user's profile Send private message
chatserv
PostPosted: Tue Apr 27, 2004 7:28 pm Reply with quote

I only changed it to avoid conflicts with the previous one since mainfile.php gets included by all other files chances are eventually both url checkers might clash.
 
dean
Worker
Worker


Joined: Apr 14, 2004
Posts: 193

PostPosted: Thu Apr 29, 2004 2:00 pm Reply with quote

At the risk of alienating someone (not intentional), whats a noob to do. Does this script provide the same type of protection as the so called Fortress (nc) or the Protector (mister)? I installed the protector prior to finding this site. And I have gleaned and concluded that chatserv's hackalert may provide better protection? From a consumer's standpoint, it's getting difficult to know which path to follow, so please don't take offense at this question. I just would like to know if anyone has compared the three approaches to security.
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©