Recent Hacking Discussion (continued...)

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: Michaelo » Wed Sep 06, 2006 4:21 am

I am looking at the entire function to determine why the code is as is. Once I have determined what was intended I will update the post but for now it's for people who are having trouble...

I will also have to rewrite the change style mod as it uses the same strange code... more later...
Mike

PostAuthor: jwernerny » Wed Sep 06, 2006 11:08 am

Drop-Forged wrote: ...I found a page that seemed to have some good advice for making php more secure with .htaccess.


I have added one more that may or may not actually do something....

Code:
    RewriteEngine on
    RewriteRule phpbb_root_path hacker_trying_again [L]


If it does what I think it does, it will rewrite the string "phpbb_root_path" with "hacker_trying_again". I suppose the following would be even more interesting as it would redirect everything containing that string to a web page.

Code:
    RewriteRule (.*)phpbb_root_path(.*) /hacking_attempt.cgi?first=$1&last=$2


One could even get cleverer and store the first and last parts to see what they were trying.

- John

PostAuthor: tekguru » Thu Sep 07, 2006 3:37 am

Cheers for the update Mike, waiting on your wisdom

PostAuthor: evolver » Thu Sep 07, 2006 6:46 am

macarlisle wrote: Hey guys, I have just added the lines of code and I'm now getting this issue.

Parse error: syntax error, unexpected ':' in /home/westtexas/www/www/phpBB2/includes/functions.php on line 29

Any clues?

Yes: functions.php 2 fixes
You've most probably done just one placement...

The only ':' I can see is in "Find:"
And that would be on line 29 if you placed it all together...
That's no code, that's where the second fix starts!

PostAuthor: macarlisle » Thu Sep 07, 2006 7:15 am

Sorry about that, I didn't pay attention to entire line of code.

PostAuthor: evolver » Thu Sep 07, 2006 7:31 am

macarlisle wrote: Sorry about that, I didn't pay attention to entire line of code.

No Problem
You are not the first, and I'm sure that it happens to many more who don't even dare to ask...

The answer to your problem will help them as well...

PostAuthor: tekguru » Thu Sep 07, 2006 10:12 am

One other interesting one concerning these changes....

Ref the style change we use a couple of links in QBar on the menu to swap styles between 'full' and 'mobile', such as:

http://www.4winmobile.com/portal.php?s=21

This works great on the PC, but not on any Windows Mobile machine using Pocket Internet Explorer.

Anyone any ideas why?

No matter which style is set that way we end up with the full default style loading.

PostAuthor: Michaelo » Thu Sep 07, 2006 9:05 pm

Can we see the code in QBar?

PostAuthor: tekguru » Fri Sep 08, 2006 7:34 am

Now that one is easy:

http://www.4winmobile.com/news/qbar.png

Does that help?

PostAuthor: Michaelo » Fri Sep 08, 2006 9:35 pm

You are calling portal with s=2... I assume you have added code to the portal.php at some point...
Can you post a zipped copy of it?

Mike

PostAuthor: tekguru » Fri Sep 08, 2006 11:06 pm

Erm, not sure, I think we did.

http://www.4winmobile.com/portal.zip

PostAuthor: jwernerny » Sat Sep 09, 2006 4:38 am

twitchy wrote: I've got one

it actually only affects my album (so far) when I try to access it it says

Hacking attempt... Details Logged

plz help


I seem to be in the same boat. (http://www.snowtire.info/forum/album.php) I've gone back through the fixes and I have the latest. Any other suggestions? Is it possible that in the initial flurry of patches I still have an old one that should be unpatched?

The other difference may be that I am using an .htaccess rewrite to a moved forum directory. Could it be a problem there? (I thought I patched all the paths, etc.)


Thanks,
- John

PostAuthor: jwernerny » Sat Sep 09, 2006 6:00 am

jwernerny wrote:
twitchy wrote: it actually only affects my album (so far) when I try to access it it says
Hacking attempt... Details Logged

I seem to be in the same boat. (http://www.snowtire.info/forum/album.php) I've gone back through the fixes and I have the latest. Any other suggestions? Is it possible that in the initial flurry of patches I still have an old one that should be unpatched?


Found it. It looks like I left in a couple of the early patches. If you are having the same problem, look to see if you still have lines that look like below and remove them. The 2nd post in this topic doesn't have them and they just cause problems.
Code:
    // Hack Fixes  280806 //
    if(strstr($phpbb_root_path, '"'))
    {
        die('Hacking attempt... Details Logged');
        exit;
    }
    if($phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '/' || $phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '.')
    {
        $phpbb_root_path = './';
        die('Hacking attempt... Details Logged');
        exit;
    }
    // Hack Fixes  280806 //


- John (Who is learning more about PHP than he really wanted to.)

PostAuthor: computerz » Sat Sep 09, 2006 9:16 pm

jwernerny wrote:
jwernerny wrote:
twitchy wrote: it actually only affects my album (so far) when I try to access it it says
Hacking attempt... Details Logged

I seem to be in the same boat. (http://www.snowtire.info/forum/album.php) I've gone back through the fixes and I have the latest. Any other suggestions? Is it possible that in the initial flurry of patches I still have an old one that should be unpatched?


Found it. It looks like I left in a couple of the early patches. If you are having the same problem, look to see if you still have lines that look like below and remove them. The 2nd post in this topic doesn't have them and they just cause problems.
Code:
    // Hack Fixes  280806 //
    if(strstr($phpbb_root_path, '"'))
    {
        die('Hacking attempt... Details Logged');
        exit;
    }
    if($phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '/' || $phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '.')
    {
        $phpbb_root_path = './';
        die('Hacking attempt... Details Logged');
        exit;
    }
    // Hack Fixes  280806 //


- John (Who is learning more about PHP than he really wanted to.)



I still have those lines in, and I'm not getting any problems. You guys probably distorted the syntax somewhere when doing the updates.

Here's my code, and my site works fine

[quote]<?php
/***************************************************************************
* functions.php
* -------------------
* begin ]

PostAuthor: Michaelo » Sun Sep 10, 2006 3:27 am

computerz, the code is fine but a bit restrictive for some mods...

If someone has a mod installed outside the root path (which can happen) or in an unusual path inside the root the fix will block them unless they add the path to the code...

It is safe to remove the code as IN_PHPBB cannot be set by the hackers and it would need to be for a hack to work... I added the php_root_path check because several sites informed they were still being hacked even after adding the IN_PHPBB... as it turned out they had other security problems...

Mike
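The early patch quoted in this thread, and the remark above that it is too restrictive for some mods, worked through as an added example (not code from the thread or from phpBB/IntegraMod): the posted condition is evaluated on sample values of `$phpbb_root_path`, with `die()` replaced by a return value. The function names and the sample paths are assumptions constructed for illustration.

```php
<?php
// Added example: not code from this thread or from phpBB/IntegraMod.
// Function names and sample paths are constructed for illustration.

// The early "Hack Fixes 280806" condition, with die() replaced by a
// boolean so every sample path can be evaluated in one run.
function early_patch_blocks(string $path): bool
{
    if (strstr($path, '"') !== false) {
        return true;
    }
    $c0 = $path[0] ?? '';   // missing offsets are treated as empty
    $c1 = $path[1] ?? '';
    // && binds tighter than ||, exactly as in the posted code.
    return $c0 != '.' && $c1 != '/' || $c0 != '.' && $c1 != '.';
}

// What the condition reduces to: $c1 cannot equal both '/' and '.',
// so one of the two right-hand tests is always true and only the
// first character decides.
function first_char_only(string $path): bool
{
    return strstr($path, '"') !== false || ($path[0] ?? '') != '.';
}

// Constructed sample values for $phpbb_root_path.
$samples = [
    './'                      => 'stock entry script',
    '../'                     => 'script one directory below the forum root',
    'forum/'                  => 'relative path without a leading dot',
    '/home/site/www/forum/'   => 'absolute path set by a mod',
    'http://example.invalid/' => 'remote URL',
    ''                        => 'variable left empty',
];

foreach ($samples as $path => $what) {
    $blocked = early_patch_blocks($path);
    if ($blocked !== first_char_only($path)) {
        throw new LogicException("reduced form disagrees for '$path'");
    }
    printf("%-26s %-44s %s\n", var_export($path, true), $what,
        $blocked ? 'die(): Hacking attempt' : 'passes');
}
```

Any value that does not begin with a dot reaches the `die()` branch, which is why a mod that sets its own root path gets "Hacking attempt... Details Logged" even on a legitimate request.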
