Any new update is coming out regarding the HackAlert code?

Mesum · Useless Joined: Aug 23, 2002 Posts: 213 Location: Chicago

Hi, I was just wondering if there will be a newer version of HackAlert will be coming out soon.
thanks.

Raven · Posted: Sun Apr 25, 2004 6:54 am

For what purpose? Is there a new exploit?

Mesum · Useless Joined: Aug 23, 2002 Posts: 213 Location: Chicago

I am not sure but I saw people were talking about some new (at least for me) encrypted union attacks or something.

Raven · Posted: Sun Apr 25, 2004 7:02 am

There's a flurry of discussion about it at nukecops but I've yet to see the exploit that it purports to fix. Their 'fix' is breaking more things than it is fixing so if there is an exploit and someone would send it along, I will be happy to look into it.

Raven · Posted: Tue Apr 27, 2004 8:54 am

There is one MySQL exploit that can be used to 'mask' the union attack. MySQL and a few other rdbms's allow a comment /* */ to be placed in the Query as a hint to MySQL to override it's determined course. In other words, if MySQL would determine to NOT use an index, for whatever reason, you can give it a 'hint' by placing certain code in the query in /* */. Well, the crackers out there have picked up on this and are exploiting it. Here is a proposed fix for my hack alert code in mainfile.php

Code:

$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net
// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
die();
}

I am testing it and would like you all to test it too. Once we determine it works I will modify the download. Let me know.

chatserv · Posted: Tue Apr 27, 2004 10:12 am

Testing it but i had to rename the variable as i already use $checkurl in admin.php

Dogman · New Member Joined: Oct 24, 2002 Posts: 1

Hm,...

this filter worked for "NukeHackerTrap" v1.2 available at

Only registered users can see links on this board!
Get registered or login to the forums!

:
[/CODE]
if (stristr($sRQ,'/*')) return $this->detect();
[/CODE]

Dogman Cool

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

I'll put it in mainfile and let you know how it works. Your original hackalert is great and I wouldn't deign to use the NC plagiarization.

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

Um, where in mainfile does it go? There doesn't seem a $checkurl in mainfile.

chatserv · Posted: Tue Apr 27, 2004 12:36 pm

Place the line right after the file credits

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

Ok. Just got a bunch of hack attempt alerts from 62.254.64.8, Amsterdam natch. Why don't those little Dutch boys and girls stick their fingers in dykes instead of hacking...? Sad

sixonetonoffun · Posted: Tue Apr 27, 2004 1:19 pm

Seems to catch anything I've thrown at it so far. Just a few variations on the standard %20UNION%20 and %20UN/*%20%20%20%20*/ION%20
So on and so on.

Coldy · Posted: Tue Apr 27, 2004 1:30 pm

I´ve testet on two different phpnuke-versions!
I think it works, but i had delete the last fix from sting!

Coldy Cool

southern · Client Joined: Jan 29, 2004 Posts: 579 Location: Texas

I put it in mainfile, now I'm going outdoors to tend to my garden...gotta check my possum traps while hack alert traps more Dutch boys and girls.

Johan1982 · New Member Joined: Oct 23, 2003 Posts: 24

Code:

$checkmyurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net
// Raven http://ravenphpscripts.com
if (stristr($checkmyurl,'%20union%20')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
die();
}

sixonetonoffun · Posted: Tue Apr 27, 2004 2:08 pm

$checkmyurl doesn't match if (stristr($checkurl

Johan1982 · New Member Joined: Oct 23, 2003 Posts: 24

Corrected this observation in my past post , thanks Cool

MickP · Posted: Tue Apr 27, 2004 3:01 pm

I have just added to my site and will let you know if there are any problems, I also had to rename $checkurl tho Smile

sixonetonoffun · Posted: Tue Apr 27, 2004 3:14 pm

Yeh Think I'd go for a new name for the variable
Somthing like $union_tap oh wait thats another Paul Laudanski (aka Zhen-Xjell). TM name er let me uhm see here...
How about $no_unions or $union_crap? See the AUP for further details Rolling Eyes

Raven · Posted: Tue Apr 27, 2004 3:20 pm

Have you read the latest announcement over there and some feedback? This could get lively! Hey! I forgot to copyright my code! Doggone it - now it's too late. Oh, that's right. I can wait for a more opportune time and then attack one of you for using it. How silly of me! /me slaps me, or is that YOU ARE SLAPPED BY ME? Bad, bad, bad ....

sixonetonoffun · Posted: Tue Apr 27, 2004 3:37 pm

So far all I've kept up on is the posts at the .org those virtual slaps are so painful. I bet the script kiddies cry every time they get one. I know the union folks are gonna get tired of it in a hurry. Might even go out on strike over the treatment. Wink

Nukeum66 · Posted: Tue Apr 27, 2004 4:57 pm

Out of curiosity I tested Paul's Union Tap beta3 and needless to say, it should be called Union Crap. It stopped only the original exploit.

Now the Raven_Slap Idea

script stopped everything.

Tank863 · New Member Joined: May 29, 2003 Posts: 16

I must say.. I am once again impressed with your hackalert script Raven.

I tested out your script using Janek's exploit and it stopped it dead in its tracks.

Question for Chatserv... I also use $checkurl in admin.php. I added the new hackalert as is posted above.. it worked.

Do I need to change it? Embarassed

chatserv · Posted: Tue Apr 27, 2004 7:28 pm

I only changed it to avoid conflicts with the previous one since mainfile.php gets included by all other files chances are eventually both url checkers might clash.

dean · Worker Joined: Apr 14, 2004 Posts: 193

At the risk of alienating someone (not intentional), whats a noob to do. Does this script provide the same type of protection as the so called Fortress (nc) or the Protector (mister)? I installed the protector prior to finding this site. And I have gleaned and concluded that chatserv's hackalert may provide better protection? From a consumer's standpoint, it's getting difficult to know which path to follow, so please don't take offense at this question. I just would like to know if anyone has compared the three approaches to security.