CrackerTracker Exploit False Positives

Support for IntegraMOD 141

Moderator: Integra Moderator

Re: CrackerTracker Exploit False Positives

PostAuthor: Allen » Wed May 14, 2008 8:00 am

This morning I found a debug in the viewtopic.php
Attack-Time: 14.05.2008 8:49 am
------------

Request-Method: GET

Matching rule: php_
In variable: a

Possible solution:
------------------

#
#-----[ OPEN ]------------------------------------------
#
/viewtopic.php

#
#-----[ FIND ]------------------------------------------
#
include($phpbb_root_path . 'common.'.$phpEx);

#
#-----[ BEFORE, ADD ]------------------------------------------
#
define('CT_SECLEVEL', 'MEDIUM');
$ct_ignoregvar = array('a');

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM



Can someone provide me with a complete string for the viewtopic.php page?

Here is what I have so far.

define('CT_SECLEVEL', 'MEDIUM');
$ct_ignoregvar = array('highlight','a');


I think I saw a post that someone had a webpage with all their ctracker patches, but I forgot and didn't save the page. I think it was CaNNon who posted it. Can I get the list?

Re: CrackerTracker Exploit False Positives

PostAuthor: CaNNon » Wed May 14, 2008 10:56 am

I'd like to, but I don't have any in viewtopic.php. I've never had CT go off on that one either.

Re: CrackerTracker Exploit False Positives

PostAuthor: Allen » Wed May 14, 2008 11:56 am

I have found that CT does not go off on the first, second, maybe even third time using a function. But once you hit 3-4 it can go off.

Re: CrackerTracker Exploit False Positives

PostAuthor: MWE_001 » Thu May 15, 2008 4:47 pm

I will let everyone know: one day before, I was messing around trying to set off CTracker on purpose, and I noticed that every time I used any word that contained the letters O and R in consecutive order, CTracker would go off.

For example the words

For
Or
word
hord

Catch my drift? Look for that when giving downloads, KB Articles and forums any description or title with those two letters in it. It will almost always certainly set off CTracker.
"Don't gain the world and lose your soul, wisdom is better than silver and gold" -Bob Marley

If you build it, I can break it! ~ Whispered in the tone of the movie Field of Dreams.

Re: CrackerTracker Exploit False Positives

PostAuthor: Allen » Thu May 15, 2008 10:02 pm

I just got this and I am not sure of it. Is this an actual attack or should I correct this script in the files??

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Script-Filename: /index.php
----------------

Attack-Time: 15.05.2008 12:12 pm
------------

Request-Method: GET

Matching rule: cmd
In variable: phpbb

Possible solution:
------------------

#
#-----[ OPEN ]------------------------------------------
#
/index.php

#
#-----[ FIND ]------------------------------------------
#
include($phpbb_root_path . 'common.'.$phpEx);

#
#-----[ BEFORE, ADD ]------------------------------------------
#
define('CT_SECLEVEL', 'MEDIUM');
$ct_ignoregvar = array('phpbb');

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM


Re: CrackerTracker Exploit False Positives

PostAuthor: CaNNon » Fri May 16, 2008 8:41 am

Usually it's in the logs through ACP > CrackerTracker > Logmanager > Worm & Exploit Protection > View.

If you could match the time and date to the log entries, I think you should find something like when not in debug mode! "/phpBB2/index.php?phpbb=<real>/~beogor/news/cmd??"

If you're leaving that on just looking for debugs, be real careful what you debug; you could easily allow a script.

*EDIT*
Sorry worded it better!
Last edited by CaNNon on Fri May 16, 2008 9:02 am, edited 1 time in total.
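Added example (not part of any post in this thread and not CrackerTracker's own code): a small triage script that groups debug-report entries by script, request method and variable, so each group can be matched by time against the Logmanager entries before anything is added to an ignore list. The helper name `ct_debug_triage` and the sample text are constructed for illustration; the field names and the GET/POST array names are the ones shown in the reports above.

```php
<?php
// Added example: groups debug-report entries for review before any ignore-list edit.
// Field names follow the reports quoted in this thread; $sample is constructed from them.
$sample = <<<'TXT'
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Script-Filename: /index.php
----------------
Attack-Time: 15.05.2008 12:12 pm
------------
Request-Method: GET
Matching rule: cmd
In variable: phpbb
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Script-Filename: /forum/admin/admin_forums_extend.php
Attack-Time: 26.07.2008 12:41 pm
Request-Method: POST
Matching rule: ls
In variable: desc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Script-Filename: /forum/admin/admin_forums_extend.php
Attack-Time: 26.07.2008 13:13 pm
Request-Method: POST
Matching rule: ls
In variable: desc
TXT;
// Hypothetical helper: one row per script + request method + variable.
function ct_debug_triage(string $text): array
{
    $names = 'Script-Filename|Attack-Time|Request-Method|Matching rule|In variable';
    // Array names as they appear in the reports: GET -> gvar, POST -> pvar.
    $arrays = ['GET' => '$ct_ignoregvar', 'POST' => '$ct_ignorepvar'];
    $rows = [];
    foreach (preg_split('/^\+{10,}\s*$/m', $text) as $entry) {
        preg_match_all("/^($names):[ \t]*(.+?)\s*$/m", $entry, $m);
        $f = array_combine($m[1], $m[2]);
        if (count($f) < 5) {
            continue; // incomplete entry: skip rather than guess missing fields
        }
        $key = $f['Script-Filename'] . ' ' . $f['Request-Method'] . ' ' . $f['In variable'];
        $rows[$key]['array'] = $arrays[$f['Request-Method']] ?? '(unknown)';
        $rows[$key]['rules'][$f['Matching rule']] = true;
        $rows[$key]['times'][] = $f['Attack-Time'];
    }
    return $rows;
}
foreach (ct_debug_triage($sample) as $key => $row) {
    printf("%s [%s]\n  rules: %s\n  times to look up in the log: %s\n", $key,
        $row['array'], implode(', ', array_keys($row['rules'])), implode('; ', $row['times']));
}
```

The debug report does not carry the submitted value, so the listed times are what ties each group back to the request that triggered it.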

Re: CrackerTracker Exploit False Positives

PostAuthor: Allen » Fri May 16, 2008 8:55 am

This is why I have asked here. I do not have any log of attack in the ACP > CrackerTracker > Logmanager > Worm & Exploit Protection > View.

Just the debug entry. Yes, I am still debugging and debug is on. I do not want to allow a script attack by adding the ignore script, so I came here and asked what this is...

Let me know please. I am waiting to do anything until I know from you.

Re: CrackerTracker Exploit False Positives

PostAuthor: CaNNon » Fri May 16, 2008 8:57 am

Don't add it. It's in the debug log and not the attack log when it's in debug mode.

PostAuthor: unknown25 » Sat Jul 26, 2008 5:58 pm

I have an error... but I can't fix it.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Script-Filename: /forum/admin/admin_forums_extend.php
----------------

Attack-Time: 26.07.2008 12:41 pm
------------

Request-Method: POST

Matching rule: ls
In variable: desc

Possible solution:
------------------

#
#-----[ OPEN ]------------------------------------------
#
/forum/admin/admin_forums_extend.php

#
#-----[ FIND ]------------------------------------------
#
include($phpbb_root_path . 'common.'.$phpEx);

#
#-----[ BEFORE, ADD ]------------------------------------------
#
define('CT_SECLEVEL', 'MEDIUM');
$ct_ignorepvar = array('desc');

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Script-Filename: /forum/admin/admin_forums_extend.php
----------------

Attack-Time: 26.07.2008 13:13 pm
------------

Request-Method: POST

Matching rule: ls
In variable: desc

Possible solution:
------------------

#
#-----[ OPEN ]------------------------------------------
#
/forum/admin/admin_forums_extend.php

#
#-----[ FIND ]------------------------------------------
#
include($phpbb_root_path . 'common.'.$phpEx);

#
#-----[ BEFORE, ADD ]------------------------------------------
#
define('CT_SECLEVEL', 'MEDIUM');
$ct_ignorepvar = array('desc');

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM




I can't find the line: include($phpbb_root_path . 'common.'.$phpEx);

I searched the whole thing... please help fast.

Re: CrackerTracker Exploit False Positives

PostAuthor: JohnYD » Sun Jul 27, 2008 9:24 am

unknown25: I don't have quite the same problem, but it came up with similar results and I could not find the line specified.

I decided to add the information just below require($phpbb_root_path . 'extension.inc'); and it worked just fine for me.

This is what my few lines look like:
Code:
//
// Load default header
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
define('CT_SECLEVEL', 'MEDIUM');
$ct_ignorepvar = array('desc','create','delete','name','icon');
require('./pagestart.' . $phpEx);
include($phpbb_root_path . 'includes/functions_admin.'.$phpEx);
include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
$options = array(
     'cacheDir' => $phpbb_root_path . 'var_cache/',
);
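Added example (not part of any post in this thread and not CrackerTracker's own code): a simplified model of substring-rule filtering, showing why ordinary text trips rules like `ls`, and that putting a variable on an ignore list silences shell-like input in that variable as well as the false positive. `MODEL_RULES`, `model_scan` and the sample values are constructed for illustration; the whole-word mode goes beyond what the thread discusses and is shown only as a contrast to substring matching.

```php
<?php
// Simplified model of substring-rule request filtering (added example, not
// CrackerTracker's code). The rule strings are the "Matching rule" values
// shown in this thread's debug reports.
const MODEL_RULES = ['php_', 'cmd', 'ls'];

// Hypothetical helper: returns [variable => first matching rule].
// $wholeWord switches from substring matching to whole-token matching.
function model_scan(array $vars, array $ignore = [], bool $wholeWord = false): array
{
    $hits = [];
    foreach ($vars as $name => $value) {
        if (in_array($name, $ignore, true) || !is_string($value)) {
            continue; // an ignored variable is never inspected at all
        }
        foreach (MODEL_RULES as $rule) {
            $pattern = $wholeWord
                ? '/(?<![A-Za-z0-9_])' . preg_quote($rule, '/') . '(?![A-Za-z0-9_])/i'
                : '/' . preg_quote($rule, '/') . '/i';
            if (preg_match($pattern, $value) === 1) {
                $hits[$name] = $rule;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample POST bodies for a forum-description form.
$benign  = ['name' => 'Support', 'desc' => 'Useful tools and tutorials'];
$listing = ['name' => 'Support', 'desc' => 'ls -la'];

$cases = [
    'substring, benign'        => model_scan($benign),
    'substring, shell-like'    => model_scan($listing),
    'desc ignored, benign'     => model_scan($benign, ['desc']),
    'desc ignored, shell-like' => model_scan($listing, ['desc']),
    'whole-word, benign'       => model_scan($benign, [], true),
    'whole-word, shell-like'   => model_scan($listing, [], true),
];
foreach ($cases as $label => $hits) {
    echo str_pad($label, 26), json_encode($hits), "\n";
}
```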

Re:

PostAuthor: zuerston » Fri Sep 19, 2008 7:49 am

"Dick Dynamite" wrote: Also, now I can't even change those settings at all. [Avatar/Sig, etc.]. I'm tempted to just uninstall ctracker until something is made to work.

How do you uninstall this trash program anyway?? It's really a sorry ass joke "ctracker"

Re: CrackerTracker Exploit False Positives

PostAuthor: AliasWeird » Thu Oct 09, 2008 1:00 pm

Where is this Knowledge Base showing me how to fix these false messages? As far as I can tell, there is no KB on this site. I can't add/edit Categories to the forum.


Re: CrackerTracker Exploit False Positives

PostAuthor: xero419 » Thu Oct 09, 2008 1:58 pm

"AliasWeird" wrote: Where is this Knowledge Base showing me how to fix these false messages? As far as I can tell, there is no KB on this site. I can't add/edit Categories to the forum.

Agreed. I'm trying to put my CTmod in debug mode. I've done it before, but I forgot how. It's not in the KB.


Re: CrackerTracker Exploit False Positives

PostAuthor: Allen » Sun Jan 18, 2009 10:10 pm

I am having a tough time with the search function also. Since the new portal it has not been the same. It seems to ignore the smaller word when I am searching for a specific statement. I get results for just the larger word it seems. I am sure the box "Search for all terms or use query as entered" is checked.

Re: CrackerTracker Exploit False Positives

PostAuthor: pangor » Tue Apr 21, 2009 10:10 am

Is there a comprehensive patch pack for all known failings of the poorly tested cracker tracker integration? Even with sites that have been running for years now, honest site members are being visited by that dreaded message effectively calling them criminals. Why has no such upgrade, to say 1.4.2, been released with all such fixes already installed?
