anthonyaykut (Lieutenant)
Joined: Mar 26, 2003
Posts: 182
Location: Europe
Posted: Wed Mar 26, 2003 2:38 am
A "Wood" or "Mourning Woode" from mywood.kicks-Rainbow Brite.org has attempted numerous times to exploit our php-nuke 6.0 based web site at www.frame4.com in conjunction with a self-modified version of Nikto scanner and has left various defamatory messages on our Splatt 4.0 forums. We have since then contacted the various organisations and since yesterday this domain has been terminated by the registrar.
More info on our web site here...
http://www.frame4.com/php/modules.php?name=News&file=article&sid=378
What Wood has also tried is to exploit the well-known XSS holes, but as we do try to keep up with the patches, he didn't succeed too well; he did manage to insert <script>alert..</script> into the forums, which causes the popup message to show up and a lot of blank messages ... I have the patches in place to strip out the <script> tags in php-nuke, but doesn't this apply to the Splatt Forums??
But what is really interesting is that when I go and look at the web based logs of our site, a message box pops up (along with a lot of errors), showing login = admin; pw=*** , where *** is the GOD ADMIN ACTUAL PASSWORD. I am GUESSING this is read from the cache but I am not sure, so I got a bit worried... can anybody shed some light on this?? Can Nikto or similar tools be blocked?? I have the logs if anyone's interested...
Regards,
Anthony
sixonetonoffun (Major)
Joined: Jan 13, 2003
Posts: 892
Posted: Wed Mar 26, 2003 7:00 am
> web based logs of our site, a message box pops up (along with a lot of errors), showing login = admin; pw=*** , where *** is the GOD ADMIN ACTUAL PASSWORD. I am GUESSING this is read from the cache but I am not sure so i got a bit worried...can anybody shed some light on this??
Do you mean webalizer or something like that?? Or the PHPNuke statistics?? Or a Nuke addon???
Nikto you could block by the user agent, but of course it's easy enough to change. But it would be a start.
_________________ www.netflake.com
www.glowoptics.com
anthonyaykut (Lieutenant)
Joined: Mar 26, 2003
Posts: 182
Location: Europe
Posted: Wed Mar 26, 2003 8:03 am
The messages pop up when I am viewing the web based logs of the web site via the on-line "control panel". In theory it is just a text dump in an HTML page...
As far as blocking Nikto - what would be the line in .htaccess, do you know?? I already have the other measures in place, i.e.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Alexibot [OR]
...
Is it just
RewriteCond %{HTTP_USER_AGENT} ^Nikto
??
Thanks,
Anthony
sixonetonoffun (Major)
Joined: Jan 13, 2003
Posts: 892
Posted: Wed Mar 26, 2003 8:40 am
Yeah I'd use NC too.
Ask your host to update to the latest version of CPanel, if that's what you're using; there was a recent exploit published for stealing passwords from that.
You should also be sure to use the no User Agent block too.
Really important to find out if they have accessed your control panel, since they could change/upload files and do anything they wanted to your site.
I'm going out on a limb though and thinking they aren't real experienced, or they'd have used less noisy methods than Nikto.
_________________ www.netflake.com
www.glowoptics.com
anthonyaykut (Lieutenant)
Joined: Mar 26, 2003
Posts: 182
Location: Europe
Posted: Thu Mar 27, 2003 12:24 am
Sorry, I'm having a "duh" moment ...
1. What is NC?
2. Is this way of blocking Nikto OK for the time being?
RewriteCond %{HTTP_USER_AGENT} ^Nikto
3. > You should also be sure to use the no User Agent block too.
Err... how??
Thanks,
Anthony
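As an added example (not from the thread or its participants), here is the .htaccess form of what the replies describe: the `[NC]` flag makes the User-Agent match case-insensitive, `[OR]` chains each condition to the next, a final condition catches requests that send no User-Agent header at all, and the rule answers 403 Forbidden. One caveat worth knowing: Nikto's default User-Agent string puts the tool name after a Mozilla token (e.g. "Mozilla/4.75 (Nikto/1.30)"), so the anchored `^Nikto` asked about above would not match it; the example matches the name anywhere in the header. It assumes mod_rewrite is loaded and AllowOverride permits FileInfo in this directory.

```apache
# Added example (not the thread's own config): block Nikto's User-Agent and
# requests with an empty User-Agent using mod_rewrite in .htaccess.
# Assumes mod_rewrite is enabled and AllowOverride FileInfo is allowed here.
RewriteEngine On

# Existing bad-bot conditions go first; each ends in [OR] so the chain continues.
RewriteCond %{HTTP_USER_AGENT} ^Alexibot [NC,OR]

# Match "Nikto" anywhere in the header, case-insensitively. The tool's default
# string is "Mozilla/4.75 (Nikto/1.xx)", so an anchored "^Nikto" would miss it.
RewriteCond %{HTTP_USER_AGENT} Nikto [NC,OR]

# Last condition (no [OR]): the header is absent or empty. mod_rewrite expands a
# missing header to "", so ^$ catches requests that send no User-Agent at all.
RewriteCond %{HTTP_USER_AGENT} ^$

# Any request matching one of the conditions above gets 403 and rewriting stops.
RewriteRule .* - [F,L]
```

As the earlier reply notes, a scanner can change its User-Agent at will, so this raises the noise floor for the lazy case rather than providing real protection; keeping the forum and php-nuke patched is what actually closes the holes.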
sixonetonoffun (Major)
Joined: Jan 13, 2003
Posts: 892
Posted: Thu Mar 27, 2003 4:56 am
anthonyaykut (Lieutenant)
Joined: Mar 26, 2003
Posts: 182
Location: Europe
Posted: Thu Mar 27, 2003 5:03 am
Thanks six, I really appreciate it!
Regards,
Anthony