Recent Hacking Discussion (continued...)

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: Michaelo » Tue Aug 29, 2006 4:09 am

Continue all discussion here... During the next few days I will move pertinent posts from the open discussion to this members' discussion forum...

For latest fixes and updates, see the next post... [Note the Date and Revision Number] at bottom of this post.

Mike
Last edited by Michaelo on Tue Aug 29, 2006 4:43 am, edited 1 time in total.

Re: All discussion re latest hacking of IntegraMod

PostAuthor: Michaelo » Tue Aug 29, 2006 4:10 am

Patch: To protect from a recent remote hack please add the following patches...

Look here for the latest updates. Note I have added a revision number to this post, so keep an eye on it.

Note: setting register_globals Off is advisable... register_globals will disappear in php6...

By adding the standard check to determine if IN_PHPBB has been set you can remove the php_root_path testing and rely on this simple test... This will correct a few problems for people.
The only concern that remains is that the php_root_path variable is not set if this file is called directly, and while that could allow php_root_path to be set to another external file, IN_PHPBB cannot be set; this will result in 'die hacking'... This should be enough protection...


functions.php 2 fixes Rev 06
Code:
// (the lines that open this block are missing from the post as captured)
if ( (int)isset($HTTP_POST_VARS[STYLE_URL]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )
{
    // Cast the decoded value itself, so a non-numeric style id becomes 0
    $style = (int) urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
    if ( $style == 0 )
    {
        die('Hacking attempt');
    }
    if ( $theme = setup_style((int)$style) )
    {
        // Remember the chosen style for one year
        setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
        return;
    }
}

// Otherwise fall back to the style id stored in the cookie
if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )
{
    $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];
    if ( $theme = setup_style((int)$style) )
    {
        return;
    }
}
// Security update 02 September 2006 B ends //


function_portal.php 1 fix Rev 05
[code]  Open]

functions_mods_settings 1 fix Rev 05
[code]  Open]

If you have been hacked, remove all unknown files, change your passwords for main admin, admins and moderators, and upload files again from the original source, making sure the above fixes are added.

I am aware that people may have the above files with 2.0.21 updates installed, so I am not attaching updates as my files probably won't match everyone's...

Mike
Updated: Rev 006
Last edited by Michaelo on Sat Sep 02, 2006 7:17 am, edited 1 time in total.
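The guard described in the post above, modelled as an added example (not IntegraMod or phpBB code): with register_globals On a request can create a variable such as $phpbb_root_path (written php_root_path in the post), but it cannot define the IN_PHPBB constant. The function name, the emulation of register_globals and the sample request are assumptions constructed for illustration.

```php
<?php
// Added illustration, not IntegraMod/phpBB code. resolve_include() and the
// request array are hypothetical; register_globals is emulated because it no
// longer exists in current PHP.

/**
 * Model what a directly requested include file would do.
 * Returns the path it would include, or the guard's message.
 */
function resolve_include(array $request, bool $guarded): string
{
    // Emulated register_globals On: every request key becomes a variable.
    // A key named IN_PHPBB only creates $IN_PHPBB, never the constant.
    extract($request, EXTR_SKIP);

    // A real entry script (index.php etc.) defines IN_PHPBB and assigns
    // $phpbb_root_path itself, which overrides anything from the request.
    if (defined('IN_PHPBB')) {
        $phpbb_root_path = './';
    }

    // The patch: refuse to run unless an entry script defined the constant.
    if ($guarded && !defined('IN_PHPBB')) {
        return 'Hacking attempt';
    }
    if (!isset($phpbb_root_path)) {
        return 'error: $phpbb_root_path undefined';
    }
    return 'include ' . $phpbb_root_path . 'includes/functions.php';
}

// Constructed request: tries to set both the variable and the "constant".
$request = ['phpbb_root_path' => 'REQUEST-SUPPLIED/', 'IN_PHPBB' => '1'];

// 1. Direct call, no guard: the request decides the include path.
echo resolve_include($request, false), "\n";
// 2. Direct call, guard present: execution stops before any include.
echo resolve_include($request, true), "\n";

// 3. Normal page load: the entry script defines the constant first.
define('IN_PHPBB', true);
echo resolve_include($request, true), "\n";
```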

PostAuthor: Unregistered » Tue Aug 29, 2006 5:12 am

Any more hacking reported after the final fix?

PostAuthor: Michaelo » Tue Aug 29, 2006 6:45 am

None so far... I hope everyone who was hacked does a proper cleanup, else we won't know where we stand...

PostAuthor: twitchy » Tue Aug 29, 2006 7:10 am

I've got one

It actually only affects my album (so far); when I try to access it, it says

Hacking attempt... Details Logged

plz help

Re: Recent Hacking Discussion (continued...)

PostAuthor: Michaelo » Tue Aug 29, 2006 8:10 am

First:
Check you are using the edits above (post #2) remember they were updated to fix this type of problem....

Next: (if the above has been completed)
What are you clicking? Hold the cursor over the link and read the link property at the bottom of the browser... I need to know which file is being called... You should see the link info including http://your_site_name/forum_name/album_ ... xxxxxxxxxx

Also, your sig has a comma in the link; it should be a dot.
Mike

PostAuthor: BMD » Tue Aug 29, 2006 8:58 am

I was hit again...this makes 6 times....

I was implementing the patches and went to upload via FTP and my entire site is gone this time.

Not only that, but when I try to FTP a simple index to let my users know what is going on etc., I get a "critical transfer error"

I can't upload anything...

I called my host provider tech support and THEY can't even access anything

even a list command is giving them an error.

I just got off the phone with Tech Support....

something has wiped everything down to the root directory.

PostAuthor: BMD » Tue Aug 29, 2006 9:05 am

I just checked my MySQL database via Navicat....

Everything appears to be ok there as far as I can tell.

Thank God for small miracles.

PostAuthor: BMD » Tue Aug 29, 2006 9:13 am

Quick question

Can I make the edits for the security patches BEFORE I do the install again?

Will it cause a problem with the install?

I'd like to get all this done off line if possible, so that when the Techs get me on line again I can upload and deal with cosmetics of the site.

My site has an aviation weather forecaster that my users use to make flight go-no go decisions, and this is killing me.

Oh...
Since I'm starting pretty much from scratch again...
Would I be better served installing phpBB2.0.21 and then doing a manual install of IM1.4.0 and the security patches?... Or IM and the manual upgrades of phpBB?

PostAuthor: Fubie » Tue Aug 29, 2006 9:35 am

BMD,

Yes, do the edits before uploading to the server.

PostAuthor: Fubie » Tue Aug 29, 2006 9:38 am

BMD,

Another thing. Change the name of your forum while doing the upload. If your forum directory is forum, change it to pleasework. Then after every file is uploaded, change the directory name to forum.

PostAuthor: BMD » Tue Aug 29, 2006 10:15 am

Fubie wrote:
> BMD,
>
> Another thing. Change the name of your forum while doing the upload. If your forum directory is forum, change it to pleasework. Then after every file is uploaded, change the directory name to forum.


Fubie

I know how to do a safe install.... what I need to know is phpBB first and then the IM overlay?

Or

IM and upgrade the phpBB to 2.0.21

I really wish that they'd do the IM premod with the 2.0.21

The one on the site now still shows 2.0.17

that means multiple upgrades to get up to 2.0.21

VERY time consuming.

PostAuthor: Fubie » Tue Aug 29, 2006 10:31 am

BMD,

Please create a new thread for this topic. In it let me know if you are doing a clean install or upgrading from a live phpbb forum.

PostAuthor: computerz » Tue Aug 29, 2006 2:13 pm

I'm going to attempt these patches now, and change my album and avatar folders to 777 so that they can work. Prior to doing so I will update my full backup.

I will update everyone here in a few days to let you know if I've been hacked again. It usually happens within a day or two after setting my avatar and album upload folders to 777. So we'll see.

PostAuthor: computerz » Tue Aug 29, 2006 2:21 pm

Michaelo, I see what your first patch is doing. It's preventing access to root level folders above the public_html.

However, I think you're missing the fact that they're not writing directly to the root folders until they first have access to write to the "upload" folders: (album_mod/upload & images/avatars)

These are folders to which, when set to 777, the hackers upload Perl scripts (eggdrop IRC bots). Once they connect to the scripts in these folders, they then use suExec or some other means to assume root level privileges.

So as you can see, I really believe these patches are futile, because once they get the Perl scripts in the upload directories and connect to them and assume root privileges, they can then bypass the integramod scripts altogether and destroy, rewrite, or whatever they want to do on the server as root.

We need a means to not only filter them from the root, but also from the upload directories.

I'm still going to apply these patches, but I'm not going to change my folder permissions just yet though.
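A defender-side check for the upload folders named in the post above (album_mod/upload and images/avatars), as an added example that is not from IntegraMod or from the thread's authors: it lists anything in such a folder that does not parse as an image, plus world-writable and executable modes. The function name and the temporary demo tree are assumptions, and a POSIX host is assumed for the permission bits.

```php
<?php
// Added example, not IntegraMod code. audit_upload_dir() is hypothetical; the
// demo tree below is constructed sample input in a temporary directory.

/** Report entries that do not belong in a folder meant to hold only images. */
function audit_upload_dir(string $dir): array
{
    $findings = [];
    clearstatcache();
    if ((fileperms($dir) & 0002) !== 0) {
        $findings[] = "$dir: world-writable directory";
    }
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        // getimagesize() parses the file header and returns false for
        // anything that is not a recognised image format.
        if (@getimagesize($path) === false) {
            $findings[] = "$path: not an image";
        }
        if (($file->getPerms() & 0111) !== 0) {
            $findings[] = "$path: executable bit set";
        }
    }
    return $findings;
}

// Constructed demo: one valid 1x1 GIF and one script dropped beside it.
$dir = sys_get_temp_dir() . '/avatars_demo_' . getmypid();
mkdir($dir);
chmod($dir, 0777);                       // mkdir() alone is subject to umask
file_put_contents("$dir/user1.gif",
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents("$dir/bot.pl", "#!/usr/bin/perl\nprint qq(demo\\n);\n");
chmod("$dir/bot.pl", 0755);

print_r(audit_upload_dir($dir));

// Remove the demo tree again.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

A file that parses as an image can still carry appended script text, so a clean report is a first pass rather than proof that the folder is safe.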
