Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
digibeet
Regular
Regular


Joined: Jul 08, 2004
Posts: 96
Location: Amsterdam, the Netherlands

PostPosted: Fri Sep 17, 2004 9:02 am Reply with quote

Hi,

If you see JackFromWales4u2 in your member account list REMOVE it, it places ads on your site. Evil or Very Mad

The script is for sale on IRC (won't tell anybody where) Twisted Evil

I have put this name in the list of unwanted names so it can't create an account with that name. Twisted Evil

Is there anybody who knows how to resolve this with Sentinel?

Thanks,

Fred

_________________
"Grasp the subject, the words will follow."
Cato the Elder (234 BC - 149 BC)
Roman orator & politician. 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Sep 17, 2004 9:11 am Reply with quote

I am confused by your titling of this post. You state it as if there is an exploit that Sentinel isn't stopping but yet you ask how to resolve with Sentinel Rolling Eyes What exploit isn't Sentinel stopping? Don't you think if there was an exploit that this site and many others would have been hit?
 
View user's profile Send private message
digibeet
PostPosted: Fri Sep 17, 2004 9:23 am Reply with quote

Hi Raven,

They are in a BIG way, believe me do a google on JackFromWales4u2 and you see what i am talking about.

66.219.97.51 - floridadom.com

Pagina's Bekeken A/D Datum A/D
/modules.php?name=News&file=comments 2004-09-08 22:16:46
/modules.php?name=News&file=comments 2004-09-08 22:16:44
/modules.php?name=News&file=comments 2004-09-08 22:16:42
/modules.php?name=News&file=comments 2004-09-08 22:16:41
/modules.php?name=News&file=comments 2004-09-08 22:16:39
/modules.php?name=News 2004-09-08 22:16:35
/modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=9026a29cfdf5d55e0df55a19f6e60ad2 2004-09-04 16:44:14
/modules.php?name=Your_Account 2004-09-04 11:59:42
/modules.php?name=Your_Account 2004-09-02 06:33:49
/modules.php?name=Your_Account&op=gfx&random_num=994832 2004-09-02 06:33:47
/modules.php?name=Your_Account&op=gfx&random_num=994832 2004-09-02 06:33:47
/modules.php?name=Your_Account&op=new_user

I have removed the account and put his name in the unwanted list so he can't use it again to create an account with that name.

Today he tried again, but I stopt him because his account is blocked (for now)

Thanks,

Fred

I have updated to 2.0.2 after that this happend. I don't know if 2.0.2 stops this 2.0 din't stop it for sure.

Sorry if it is bad news, but I am here to learn from the people who know.
 
Raven
PostPosted: Fri Sep 17, 2004 9:27 am Reply with quote

But you haven't answered my questions. I know he's a problem, but what is the exploit that you are questioning? Every exploit that I know of has been blocked since 1.x. Most of these exploits are because the admin.php is not protected by using HTTP Auth which has always been available in Sentinel and even before that. Please show me 1 site that Sentinel has been broken into when the software was installed correctly and had Chatserv's patches applied.
 
digibeet
PostPosted: Fri Sep 17, 2004 9:47 am Reply with quote

Only registered users can see links on this board! Get registered or login! that is one.. Wink

What I am trying to say, is there a configuration in Sentinel that I missed to prevent this from happening. As far I can tell I have configured Sentinel to Max. security.

modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=9026a29cfdf5d55e0df55a19f6e60ad2 2004-09-04 16:44:14
At this time Sentinel 2.0 is up and running and my nuke version is the Ravens Customized Distro version 7.3 to be sure that Chatserv pathes have been applied. Mr. Green

It won't create an admin account but just a normal one to write ads.

If there are many sites that won't have this issue I think that I am missing a patch somewhere.. Bang Head wich one? I don't know. Embarassed

My Admin is SAVE.. many have tried the known hack/exploit and are blocked. RavensScripts
 
Doodle
Hangin' Around


Joined: Jan 26, 2004
Posts: 46
Location: 127.0.0.1

PostPosted: Fri Sep 17, 2004 10:10 am Reply with quote

Quote:
modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=9026a29cfdf5d55e0df55a19f6e60ad2

A script that auto-registers then spams the comments is not a security exploit, at least from the Sentinel point of things. It is someone taking advantage of the portal system through automation. Sentinel won't protect against that, neither should it. That is the function of the $gfx_check() security image.

_________________
Independent Network Solutions Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
digibeet
PostPosted: Fri Sep 17, 2004 10:51 am Reply with quote

Hi Doodle,

And when the gfx is active? what is on my site when this happend.

The automation only works when it first has created a gfxcode on an empty page, that generated code is used to create an account.

When only the gfx function is called (what is very rear) true automation, this is a security exploit from my point of view, because gfx is never called on itself, it is used only to login or to create an account.
Only registered users can see links on this board! Get registered or login!

So when they call the gfx on it self there is something weird going on, why other than login or creation call this function.
 
Doodle
PostPosted: Fri Sep 17, 2004 11:11 am Reply with quote

I agree with you about the gfx function. That is the area we should be concentrating on. Putting some !eregi code in there to make sure it's not called directly would prolly work.
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Fri Sep 17, 2004 11:33 am Reply with quote

First off this is not a xss exploit, second since the lamer always uses the same nick block him through the forum's admin section under disallow names and on the Your Account module by changing:
Code:
if (eregi("^((root)|(adm)|(linux)|(webmaster)|(admin)|(god)|(administrator)|(administrador)|(nobody)|(anonymous)|(anonimo)|(anónimo)|(operator))$",$username)) $stop = "<center>"._NAMERESERVED."</center>";

to:
Code:
if (eregi("^((root)|(adm)|(linux)|(webmaster)|(admin)|(god)|(administrator)|(administrador)|(nobody)|(anonymous)|(anonimo)|(anónimo)|(operator)|(jackfromwales4u2))$",$username)) $stop = "<center>"._NAMERESERVED."</center>";
 
View user's profile Send private message Visit poster's website
digibeet
PostPosted: Fri Sep 17, 2004 11:51 am Reply with quote

Chatserv,

I already blocked that username like you sayd, (first post)

Can you (please) explain me a little bit about the difference on the two possibilities?

Thanks,

Fred

I am just a newbie in php (you already know that Wink ) so Thanks again.
I only have an MCSE thats all.
 
Raven
PostPosted: Fri Sep 17, 2004 11:56 am Reply with quote

digibeet wrote:
I only have an MCSE thats all.

I read recently where they believe they now have a cure for that, although there will be lingering effects. You will have a tendancy to bloat and you will be prone to viruses and turning blue just before you shut down and pass out ROTFL
 
digibeet
PostPosted: Fri Sep 17, 2004 12:23 pm Reply with quote

Raven,

70-270 MCSE has NO! value in the Netherlands whithout a higher degree..
I do NOT pretend to be a programmer (that is why I post sometimes a stupid question), engineer or likewise I did MCSE 70-270 to learn the BASICS of WindowsXP and I won't renew my certification. I don't think highly of myself because of my MCSE cert.
I am stunned and greatfull with the knowledge and help I find here.

Ok, did some ITIL and the rest is just a hobby for 16 years now. started at 22
For the rest I am a newbie, NooB or what ever you want to call it or call me.

I did it at home, ISBN 90 395 1909 9 (exept the exam, that a did somewhere else)

Do you know that the JackFromWales4u2 script is for sale on IRC?
 
Raven
PostPosted: Fri Sep 17, 2004 12:28 pm Reply with quote

Personally I don't care about JFW. I mean no disrespect but I have more important things to do and haven't the time to give him another thought. Script kiddies come and go, and like bad gas, this too will pass Wink As Chat said, his is not an XSS exploit and is freely available on the web. So I doubt that he will get too rich ROTFL
 
digibeet
PostPosted: Fri Sep 17, 2004 12:51 pm Reply with quote

OK, Love a clear answer,

In my first post about this:

I have put this name in the list of unwanted names so it can't create an account with that name. Rolling Eyes

A simple answer like: it's no XSS exploit, ban the name will do it, scriptkiddies are allways around so it could happen again, but don't worry there is no danger. Is a clear answer for me. Wink

Maybe a sticky post about JFW will help you safe time and help others not to worry. RavensScripts
 
Raven
PostPosted: Fri Sep 17, 2004 3:13 pm Reply with quote

Laughing So everyone's happy now?
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©