Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
Donovan (Client; Joined: Oct 07, 2003; Posts: 735; Location: Ohio)
Posted: Wed Apr 19, 2006 1:07 pm

I have a site that I help out from time to time. I did an overhaul for them to RavenNuke with Sentinel 2.4.2 a couple of months ago. I FTP'd to their host and saw a strange .htaccess123 file.

Inside it said the following:

Code:
<!-- saved from url=(0036)http://www.ukleader.org.uk/index.htm -->

<html>

<head>
<title>HACKED By Amfibi-Slayer Hamd Olsun </title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-9">
<meta name="KeyWords" content="Amfibi-Slayer,Hacker,hacked,Hacked By Amfibi-Slayer,galatasaray,cyber-security">

</head>


There is more to this file but I am not posting it.

If this was a hack attempt, how did Sentinel not pick this up, and how did this file get on the server?
hitwalker (Sells PC To Pay For Divorce; Posts: 5661)
Posted: Wed Apr 19, 2006 1:28 pm

Well, that's weird, because the marker <!-- saved from url=(etc... --> is usually inserted in the case of copied websites.
evaders99 (Former Moderator in Good Standing; Joined: Apr 30, 2004; Posts: 3221)
Posted: Wed Apr 19, 2006 4:07 pm

The "saved from url" line seems to result from IE. Why it's on your server, no idea. But it's good to check access logs and make sure your software is up to date.
Dauthus (Worker; Joined: Oct 07, 2003; Posts: 211)
Posted: Wed Apr 19, 2006 7:10 pm

Quote:
In scenarios where HTML documents are downloaded from the web, you can add a "mark of the Web" comment placed in the HTML file to their Web pages. For example, you might add <!-- saved from url=(0023)http://www.contoso.com/ --> to a Web page, where the (0023) value is the string length of your URL that follows it and Contoso is the name of your Web site. When Internet Explorer loads the file, it looks for a "saved from URL" comment, then reads the URL and uses the zone settings on the computer to determine what security policy to apply to the Web page. This Internet Explorer feature allows the HTML files to be forced into a zone other than the local zone, so that they can be assigned to the Internet zone and, with those reduced security privileges, run the script or ActiveX code.

In other words, that isn't a true .htaccess file. It is a web page. My guess is that what they are trying to do with the entire file is twofold.

1. Using this

Code:
<!-- saved from url=(0036)http://www.ukleader.org.uk/index.htm -->

will reduce the security zone in IE, thus allowing a script or hack on the page to run through IE that wouldn't normally be allowed to run with your normal security settings.

2. The remainder of the code (that which you did not post) I will bet is some type of IE exploit. Thus when the file is renamed to index.html or index.php and the user visits the site, by default their IE browser security zone is lowered and then a hostile script or code is run on your computer.

I would really do some serious looking into where this file came from. It is quite possible some type of spyware or malware is being added to a visitor's computer via IE.

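To act on Dauthus's explanation from the defender's side, here is an added example (not from this thread, and not part of RavenNuke or NukeSentinel) that scans files on a web root for the "saved from url" Mark of the Web comment, checks the bracketed count against the URL length exactly as the quoted Microsoft text defines it, and flags web pages sitting under non-HTML names such as .htaccess123. The helper names, the directory walk and the sample text are my own; the sample is modelled on the fragment Donovan posted.

```python
import os
import re
from typing import Optional

# Matches IE's Mark of the Web comment: <!-- saved from url=(NNNN)URL -->
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d+)\)(\S+?)\s*-->", re.IGNORECASE)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
HTML_EXT = {".htm", ".html"}


def parse_motw(text: str) -> Optional[dict]:
    """Return the MotW URL, its declared length, and whether the declared
    length equals the URL length (the rule the quoted text describes)."""
    m = MOTW_RE.search(text)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return {"url": url, "declared_len": declared, "consistent": declared == len(url)}


def assess_file(name: str, text: str) -> dict:
    """Classify one file: MotW present, its consistency, the page title
    (defacement pages usually announce themselves there), and whether HTML
    is hiding behind a non-HTML file name."""
    motw = parse_motw(text)
    title_m = TITLE_RE.search(text)
    ext = os.path.splitext(name)[1].lower()
    return {
        "name": name,
        "motw": motw,
        "title": title_m.group(1).strip() if title_m else None,
        "html_in_non_html_name": motw is not None and ext not in HTML_EXT,
    }


def scan_dir(root: str) -> list:
    """Walk a web root and report every file carrying a MotW comment."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            try:
                with open(os.path.join(dirpath, fn), encoding="latin-1",
                          errors="replace") as fh:
                    text = fh.read(65536)  # the comment sits at the top
            except OSError:
                continue
            result = assess_file(fn, text)
            if result["motw"]:
                hits.append(result)
    return hits


# Constructed sample based on the fragment in the first post.
SAMPLE = ('<!-- saved from url=(0036)http://www.ukleader.org.uk/index.htm -->\n'
          '<html><head><title>HACKED By Amfibi-Slayer Hamd Olsun </title></head>')

if __name__ == "__main__":
    print(assess_file(".htaccess123", SAMPLE))
```

Run `scan_dir("/path/to/webroot")` on a live host to list every file with the marker; a hit in a file that is not a normal HTML page is worth comparing against the access logs evaders99 mentions.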
evaders99
Posted: Wed Apr 19, 2006 8:48 pm

Interesting, didn't know that. Dumb M$ products.

I don't see the exploit there... I guess he took it out.
Donovan
Posted: Thu Apr 20, 2006 12:27 pm

I can zip this and PM the location for those who want to see.
montego (Site Admin; Joined: Aug 29, 2004; Posts: 9453; Location: Arizona)
Posted: Fri Apr 21, 2006 8:22 am

Thanks Donovan, I wouldn't mind taking a look at it. I can forward it to the others as needed too.