bones
Hangin' Around
Joined: Sep 18, 2003
Posts: 36
PostPosted: Tue Mar 02, 2004 3:53 pm

Just wanted to let you know that your 7.0 distro and the hacker script work perfectly. So far the hacker script has stopped the hacker from hacking my site 3 times. Nice job Raven.
bob

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
PostPosted: Tue Mar 02, 2004 4:09 pm

I can't tell you the number that have been stopped here also. Thanks for the update!

bones
Hangin' Around
Joined: Sep 18, 2003
Posts: 36
PostPosted: Tue Mar 02, 2004 4:16 pm

You're welcome, I am just glad you came up with that script. Thanks again.
bob

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 6:26 am

I added the hacker script and several of the admin interfaces (Add Story, DB Backup and Blocks control) all disappear. I did as instructed and pasted the union code into mainfile.php.

If I remove that code then they show up again. Any ideas what's causing it?
Richard

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
PostPosted: Wed Mar 03, 2004 7:00 am

Please post the first 25 lines or so in your mainfile.php script.

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 7:03 am

Code:
<?php
$phpver = phpversion();
if ($phpver >= '4.0.4pl1' && strstr($HTTP_USER_AGENT,'compatible')) {
    if (extension_loaded('zlib')) {
        ob_end_clean();
        ob_start('ob_gzhandler');
    }
} else if ($phpver > '4.0') {
    if (strstr($HTTP_SERVER_VARS['HTTP_ACCEPT_ENCODING'], 'gzip')) {
        if (extension_loaded('zlib')) {
            $do_gzip_compress = TRUE;
            ob_start();
            ob_implicit_flush(0);
            //header('Content-Encoding: gzip');
        }
    }
}

$phpver = explode(".", $phpver);
$phpver = "$phpver[0]$phpver[1]";
if ($phpver >= 41) {
    $PHP_SELF = $_SERVER['PHP_SELF'];
}

if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}

foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

if (eregi("mainfile.php",$PHP_SELF)) {
    Header("Location: index.php");
    die();
}

if ($forum_admin == 1) {
    require_once("../../../config.php");
    require_once("../../../db/db.php");
} elseif ($inside_mod == 1) {
    require_once("../../config.php");
    require_once("../../db/db.php");
    require_once("../../admin/modules/oscnuke/init.php");
} else {
    require_once("config.php");
    require_once("db/db.php");
    require_once("includes/sql_layer.php");
    $dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
    include_once("admin/modules/oscnuke/init.php");
}

$mainfile = 1;
$sql = "SELECT sitename, nukeurl, site_logo, slogan, startdate, adminmail, anonpost, Default_Theme, foot1, foot2, foot3, commentlimit, anonymous, minpass, pollcomm, articlecomm, broadcast_msg, my_headlines, top, storyhome, user_news, oldnum, ultramode, banners, backend_title, backend_language, language, locale, multilingual, useflags, notify, notify_email, notify_subject, notify_message, notify_from, footermsgtxt, email_send, attachmentdir, attachments, attachments_view, download_dir, defaultpopserver, singleaccount, singleaccountname, numaccounts, imgpath, filter_forward, moderate, admingraphic, httpref, httprefmax, CensorMode, CensorReplace, copyright, Version_Num, activate_ads, first_ad, next_ads, max_ads, random_ads, hide_ads FROM ".$prefix."_config";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$sitename = $row[sitename];
$nukeurl = $row[nukeurl];
$site_logo = $row[site_logo];
$slogan = $row[slogan];
$startdate = $row[startdate];
$adminmail = $row[adminmail];

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 7:04 am

PHP-Nuke 7.0

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
PostPosted: Wed Mar 03, 2004 7:09 am

I need to see the code you are adding and where you added it, etc.

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 7:16 am

Code:
<?php
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php/");

$phpver = phpversion();
if ($phpver >= '4.0.4pl1' && strstr($HTTP_USER_AGENT,'compatible')) {
    if (extension_loaded('zlib')) {
        ob_end_clean();
        ob_start('ob_gzhandler');
    }
} else if ($phpver > '4.0') {
    if (strstr($HTTP_SERVER_VARS['HTTP_ACCEPT_ENCODING'], 'gzip')) {
        if (extension_loaded('zlib')) {
            $do_gzip_compress = TRUE;
            ob_start();
            ob_implicit_flush(0);
            //header('Content-Encoding: gzip');
        }
    }
}

$phpver = explode(".", $phpver);
$phpver = "$phpver[0]$phpver[1]";
if ($phpver >= 41) {
    $PHP_SELF = $_SERVER['PHP_SELF'];
}

if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}

foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
        die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

if (eregi("mainfile.php",$PHP_SELF)) {
    Header("Location: index.php");
    die();
}

if ($forum_admin == 1) {
    require_once("../../../config.php");
    require_once("../../../db/db.php");
} elseif ($inside_mod == 1) {
    require_once("../../config.php");
    require_once("../../db/db.php");
    require_once("../../admin/modules/oscnuke/init.php");
} else {
    require_once("config.php");
    require_once("db/db.php");
    require_once("includes/sql_layer.php");
    $dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
    include_once("admin/modules/oscnuke/init.php");
}

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 7:20 am

Should I put that union code into the header instead maybe?

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 7:22 am

I've got to go out - back in an hour or so.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
PostPosted: Wed Mar 03, 2004 7:24 am

Look at your error logs (server and php) to see if there are any notes there. Also, remove the trailing /. You can try moving it but I don't know why that would matter.

Rikk03
Worker
Joined: Feb 16, 2004
Posts: 164
PostPosted: Wed Mar 03, 2004 9:38 am

Removing the trailing / worked!

Richard

64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1156
Location: Sanbornton, NH USA
PostPosted: Fri Mar 12, 2004 10:58 pm

Hi RavenFolk!

Just wanted to thank Raven for another d*** nice script!

(I hope that my saying the D word doesn't get me banned)

Anyway.. I set this script up in my PHP-Nuke 7.0 (NukeCops 2.2 bundle) and just to let you know, I replaced their

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");


With your

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php");


Please note that this differs from your instructions which show:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php/");


The TRAILING / HAD TO BE REMOVED in order for this solution to work and in order for the page to come up. Otherwise, I simply got an error and no email was created either.

You may want to update your readme to indicate this minor correction.

As another note, I was happy to see that the NukeCops bundle addressed the issue, but I AM concerned that no effort is made in their solution to notify me that an attempt has been made to compromise my site. Anyway... this seems to totally fix that problem.

Thanks again!

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
PostPosted: Fri Mar 12, 2004 11:10 pm

Actually, use this code instead:

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
    $loc = $_SERVER['QUERY_STRING'];
    header("Location: hackattempt.php?$loc");
    die();
}

I have just updated the download and will announce it.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger
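The check the thread settles on is a literal match for `%20union%20` on the raw query string. As an added example, not Raven's script, not the NukeCops bundle and not PHP-Nuke code, the block below puts that literal test next to a normalising version (URL-decode, fold `+`, tabs and `/**/` comments to spaces, then match `UNION ... SELECT` as whole words) and runs both over a handful of constructed query strings. The function names, the sample strings and the response on a hit (log server-side and stop with a 403, rather than redirecting with the payload copied into the Location header) are choices made for this example. Both versions remain a blacklist in front of code that interpolates request data into SQL; the durable fix is to cast numeric parameters such as `sid` with intval() and to escape or parameterise string ones in the modules themselves.

```php
<?php
// Added example for this thread, not Raven's hacker script and not PHP-Nuke
// code. Function names, sample strings and the 403 response are choices
// made for the example.

// The test as posted in the thread: a case-insensitive literal substring
// match on the raw, still percent-encoded query string.
function literal_union_check($queryString)
{
    return stristr($queryString, '%20union%20') !== false;
}

// Normalising variant: decode, fold the other spellings of "space" that
// MySQL accepts, then look for UNION [ALL|DISTINCT] SELECT as whole words.
function normalised_union_check($queryString)
{
    // Decode twice so a double-encoded %2520 does not slip past
    // (assumption: no legitimate parameter here is doubly encoded).
    $decoded = rawurldecode(rawurldecode($queryString));
    // rawurldecode() leaves '+' alone, but in a query string it is a space.
    $decoded = str_replace('+', ' ', $decoded);
    // MySQL treats /* ... */ as whitespace.
    $decoded = preg_replace('#/\*.*?\*/#s', ' ', $decoded);
    // Collapse tabs, newlines and runs of spaces to a single space.
    $decoded = preg_replace('/\s+/', ' ', $decoded);
    return (bool) preg_match('/\bunion\b(?:\s+(?:all|distinct))?\s+select\b/i', $decoded);
}

// Response on a hit: record it on the server and stop. A 403 keeps the
// attacker's string out of the Location header, where a redirect would
// copy it verbatim.
function block_request($queryString, $remoteAddr)
{
    error_log(sprintf('SQL injection attempt from %s: %s', $remoteAddr, $queryString));
    header('HTTP/1.0 403 Forbidden');
    exit('Request blocked.');
}

// Constructed query strings (not captured traffic) with both verdicts.
function compare_detectors()
{
    $samples = array(
        'sid=1%20union%20select%201,2,3',      // the form the thread blocks
        'sid=1+union+select+1,2,3',            // '+' as the space
        'sid=1%09UNION%09ALL%09SELECT%201',    // tabs, upper case, ALL
        'sid=1/**/union/**/select/**/1',       // comments as whitespace
        'sid=1%2520union%2520select%201',      // double-encoded spaces
        'name=the%20union%20of%20two%20sets',  // benign English
    );
    $out = array();
    foreach ($samples as $qs) {
        $out[$qs] = array(
            'literal'    => literal_union_check($qs),
            'normalised' => normalised_union_check($qs),
        );
    }
    return $out;
}

// In mainfile.php the thread's one-liner would become:
//   if (normalised_union_check($_SERVER['QUERY_STRING'])) {
//       block_request($_SERVER['QUERY_STRING'], $_SERVER['REMOTE_ADDR']);
//   }
// From the command line the script prints the comparison instead.
if (PHP_SAPI === 'cli') {
    foreach (compare_detectors() as $qs => $verdict) {
        printf("%-38s literal=%-3s normalised=%s\n", $qs,
            $verdict['literal'] ? 'yes' : 'no',
            $verdict['normalised'] ? 'yes' : 'no');
    }
}
```

Saved under any name (union_check.php is the name assumed here) and run with the PHP command-line binary, the table shows the literal test missing the `+`, tab, comment and double-encoded spellings while firing on the plain English phrase "the union of"; the normalising version flags the first five samples and passes the last. Wired into mainfile.php, the commented `if` replaces the thread's one-liner at the top of the file, above the compression block, so it runs before any module touches the database.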