Author |
Message |
TheosEleos
Life Cycles Becoming CPU Cycles

Joined: Sep 18, 2003
Posts: 960
Location: Missouri
|
Posted:
Wed Feb 25, 2004 7:11 pm |
|
Raven wrote: | Try removing the trailing slash. |
Got me too.
Thanks for this. |
|
 |
 |
Frogger
Worker


Joined: Oct 06, 2003
Posts: 108
|
Posted:
Wed Feb 25, 2004 11:58 pm |
|
Da Dummy Speaks...
I was hit with the union thingy.....fortunately already had the latest sec-patch from http://nukeresources.com (chatserv)
After adding your hack.....script....and running the exploit the result returned me to my index page.
Just to check. I checked an old beta site (not patched).....added your script and the referring page was the hack....php
What is the correct result.....
Patched = main page
Unpatched = hack warning page
vice/versa
Like I said.......da dummy speaks....
Either way, the unpatched site only returned a page stating ..... (1 word returned) READ
I ran the exploit on web links, sections and reviews to test.
unlike other exploits I've seen...
just trying to understand (although patched) what to expect in an effort to explain to others.......  |
|
 |
 |
Frogger

|
Posted:
Thu Feb 26, 2004 12:00 am |
|
Oh, yeah.....the script does have xxxx.php/ and I changed it to /xxxx.php to make it work.... |
|
|
|
 |
Frogger

|
Posted:
Fri Feb 27, 2004 12:15 am |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Fri Feb 27, 2004 12:21 am |
|
I don't know. Other than what is mentioned in this thread, there have been no issues at all. There's really nothing else that I can think of. |
|
|
|
 |
Darrell3831
Worker


Joined: Feb 18, 2004
Posts: 244
|
Posted:
Wed Mar 03, 2004 7:24 am |
|
Frogger,
If you're running chatserv's latest patches and follow all the instructions provided in Raven's installation guide then you will return to the index page.
This is because Raven has you entering this on the first line at the top of the script.
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php/");
|
Then down around line 16 or 17 for your safety Chatserv has this:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php");
|
It took me a full day about two weeks ago, with Raven's help, to learn that if there is not a die(); statement after the header line that program execution continues right on through.
To get Raven's code to work and stop popping back to the index page I commented out Chatserv's code. I don't know if it's appropriate to add the die(); after Raven's stuff or not in this situation.
Perhaps someone more knowledgeable than me can help you there.
But anyway, commenting out Chatserv's line 16 does work.
Darrell |
_________________ http://www.psy-center.com |
|
|
 |
Raven

|
Posted:
Wed Mar 03, 2004 7:27 am |
|
Always a good thing to do. Code it like this:
Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
    header("Location: hackattempt.php/");
    die();
}
|
|
|
|
|
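Added example, not part of any post in this thread and not Raven's or chatserv's code: a single script that reproduces the two stacked checks discussed above, showing that without die() the later Location header replaces the earlier one and the code in between still runs. The file name demo.php, the fixed and id parameters, and the request strings are assumptions made up for the demonstration.

```php
<?php
// Hypothetical demo.php. Serve it with a web SAPI, for instance
//   php -S 127.0.0.1:8000
// and inspect the response headers with `curl -i`:
//   /demo.php?id=1%20union%202           no die(): Location is index.php
//   /demo.php?fixed=1&id=1%20union%202   with die(): Location is hackattempt.php
// The id value is a constructed string that only exists to trip the check.

$query = $_SERVER["QUERY_STRING"] ?? '';
$hit   = stristr($query, '%20union%20') !== false;
$fixed = isset($_GET['fixed']);

// First check, at the top of the script (the hack-alert line from the thread).
if ($hit) {
    header("Location: hackattempt.php");
    if ($fixed) {
        die();   // nothing below runs, so this Location header is the one sent
    }
}

// Without die() the script is still running at this point: includes, queries
// and any other code between the two checks execute for the flagged request.
error_log("still executing after first header(); hit=" . var_export($hit, true));

// Second check, further down (the patch line from the thread). header()
// replaces an earlier header of the same name by default, so this Location
// overwrites the first one and the visitor lands on the index page.
if ($hit) {
    header("Location: index.php");
    die();
}

echo "normal page for an unflagged request\n";
```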
 |
ballymuntrev
Hangin' Around

Joined: Mar 22, 2004
Posts: 49
|
Posted:
Fri Mar 26, 2004 3:32 pm |
|
|
|
 |
Raven

|
Posted:
Fri Mar 26, 2004 3:38 pm |
|
Please read the red notice in the download panel about what causes that to happen. You will need to adjust your setup temporarily. |
|
|
|
 |
ballymuntrev

|
Posted:
Fri Mar 26, 2004 3:43 pm |
|
Sorry, my bad, missed the bit about proxies. I'm using Satellite internet and it runs over their proxy service. |
|
|
|
 |
Raven

|
Posted:
Fri Mar 26, 2004 3:46 pm |
|
NP. Contact me via email if you aren't able to get it. |
|
|
|
 |
ballymuntrev

|
Posted:
Sat Mar 27, 2004 5:32 am |
|
I guess I'll send you an email so
I tried with just the dialup on, no proxy, no VPN, no anti virus running but it still says un-authorised. It's the only download that I've had probs with, anything else I've downloaded worked fine. |
|
|
|
 |
Raven

|
Posted:
Sat Mar 27, 2004 6:29 am |
|
Where did you get that address? It's .com not .net (as you already figured out)  |
|
|
|
 |
ballymuntrev

|
Posted:
Sat Mar 27, 2004 7:10 am |
|
Not exactly sure now, think it may be that I hadn't your site bookmarked at home, only in work, and was trying to remember the address, but failed so done a search on google and the .net address for the site came up, I'm actually browsing and logged into the site now via the .net address
Guess I better change it then  |
|
|
|
 |
Raven

|
Posted:
Sat Mar 27, 2004 7:31 am |
|
Actually ... I have the .net address mapped to .com however I wasn't allowing that address into my downloads. I just modified the rules. See if you can get in through the .net address now. |
|
|
|
 |
ballymuntrev

|
Posted:
Sat Mar 27, 2004 9:03 pm |
|
Yep, working through the .net address now too, good stuff !
Working also over both my satellite internet proxy and VPN too, which is nice  |
|
|
|
 |
Tank863
New Member


Joined: May 29, 2003
Posts: 16
|
Posted:
Sat Mar 27, 2004 10:55 pm |
|
awesome code I might add...
It worked to prevent a hack on my site last night...
here is what happened...
I have Protector System Installed, Raven's Hack Alert & Admin Secure Installed on my site... they do work together.. and provide a different level of protection. Anyway... last night err.. this morning when I woke.. I received this email from my Admin Secure.. and from Raven's Hack Alert
Admin Secure detecting external file linking through modules.php inclusion. This is might be a possible suspicious hacking attempt activity on your website. For security consideration, this session has been blocked by Admin Secure to protect your site. Admin Secure collecting these information for your evaluation:
- Date: 27 March 2004, 02:42
- IP Address: 24.1.200.29
- Host: c-24-1-200-29.client.comcast.net
- User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; .NET CLR 1.1.4322)
- URI: /modules.php?name=Forums&file=viewtopi...
- VAR: $file = viewtopi...
Note:
You can turn-off mail notification from Admin Secure configuration setting.
I ran a samspade check on the IP addy...
Here in the log is what he/she did to cause the alarm...
24.1.200.29 - - [27/Mar/2004:02:42:13 -0500] "GET /modules.php?name=Forums&file=viewtopi... HTTP/1.1" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; .NET CLR 1.1.4322)"
Anyone know what hack attempt this is?
Tank863 |
|
|
|
 |
|