IntegraMod Security fix

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

Re: IntegraMod Hack fix

PostAuthor: Dioncecht » Mon Aug 28, 2006 5:34 am

"Unknown Ranger";p="14293" wrote:
"Michaelo";p="14281" wrote:Please edit your functions.php adding the following code to the start... Should be line 22
Code: Select all
// Belt //
if(strstr($phpbb_root_path, '"')){die('Hacking attempt... Details Logged'); exit;}
// Braces //
if($phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '/' || $phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '.')
{
    $phpbb_root_path = './';
    die('Hacking attempt... Details Logged'); exit;
}


This will fix the second hack using functions.php and php_root_path, I may have gone overboard but who cares

Many thanks to pggar for all the testing on this one...

Note with this fix you do not need register_globals off but to be honest they should be OFF as they will disappear in php6

Mike


This latest fix blocks me out of my main photo album. Putting back original functions.php allows me back in. All other posted fixes are applied without issues.



Ditto... I get "Hacking Attempt... Details Logged" when trying to access Photo Album
'We keep moving forward, opening new doors, and doing new things, because we're curious and curiosity keeps leading us down new paths.' - Walt Disney

Re: IntegraMod Security fix

PostAuthor: obiku » Mon Aug 28, 2006 5:34 am

Maybe not necessary any more, but I searched in my MODs db and found this MOD
Code: Select all
##############################################################
## MOD Title]http://www.phpbb.com/mods/[/url] for the
## latest version of this MOD. Downloading this MOD from other sites could cause malicious code
## to enter into your phpBB Forum. As such, phpBB will not offer support for MOD's not offered
## in our MOD-Database, located at: http://www.phpbb.com/mods/
##############################################################
## Author Notes:
## If any MODs have added variables above the place where you
## add the code, they can be erased. You can add them to the
## $protect_vars array, you can move them after this code, or
## you can move this code closer to the start (such as moving
## it to extension.inc).
## REMEMBER: This is a workaround, and it might not be perfect.
## If you are concerned, just disable register_globals entirely.
## THERE IS NO SUBSTITUTE FOR KEEPING UP TO DATE WITH NEW PHPBB
## VERSIONS.
##############################################################
## MOD History:
##
##   2004-03-27 - Version 0.0.1
##      - Initial beta version
##
##   2004-03-27 - Version 0.0.2
##      - Beta still: added more variables to $protect_vars,
##      to prevent kiddies causing useless but annoying errors.
##
##   2004-03-27 - Version 0.1.0
##      - Super furry "from 0.0.1 to 0.1.0 in a day" fun version.
##      Rewrote code, removed nuisance bugs (numeric variable
##      names).
##
##   2004-03-28 - Version 0.1.1
##      - Added inarray for evil PHP 3.
##
##   2004-03-28 - Version 0.1.2
##      - More evil stupid PHP 3 fixes.
##
##   2004-03-28 - Version 1.0.0
##      - Bugs finally ironed out. Initial stable release.
##
##   2004-04-22 - Version 1.0.1
##      - From this point I cease to believe what the
##       PHP manual tells me; it just isn't accurate enough
##       for security work. First $_SESSION isn't listed as
##       a register globals candidate, and now I notice that
##       the new superglobals can in fact be accessed variably
##       despite the exact opposite being in the manual.
##       Short story: another fix, my fault.
##
##   2004-05-01 - Version 1.0.2
##      - My fault :) inarray is defined for the admin panel too.
##
##############################################################
## Before Adding This MOD To Your Forum, You Should Back Up All Files Related To This MOD
##############################################################

#
#-----[ OPEN ]---------------------------------------------
#
extension.inc

#
#-----[ FIND ]---------------------------------------------
#
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}

#
#-----[ AFTER, ADD ]---------------------------------------------
#

// assume it's on by default. there was no option to disable
// register_globals in PHP3.
$register_globals = true;

// ini_get is only in PHP4+
if(function_exists('ini_get'))
{
    // We have PHP4, let's find out if register_globals is
    // enabled.
    $register_globals = ini_get('register_globals');
}

if($register_globals)
{
    // Variables to be protected; may
    // add automatic detection in the
    // future, but probably not worth
    // bothering. Just don't set any
    // variables (constants are fine)
    // above this point.
    $protect_vars = array(
        'HTTP_ENV_VARS',
        'HTTP_GET_VARS',
        'HTTP_POST_VARS',
        'HTTP_COOKIE_VARS',
        'HTTP_POST_FILES',
        'HTTP_SERVER_VARS',
        'HTTP_SESSION_VARS',
        '_ENV',
        '_GET',
        '_POST',
        '_COOKIE',
        '_FILES',
        '_SERVER',
        '_SESSION',
        'GLOBALS',
        'input_arrays',
        'input_array',
        'protect_vars',
        'phpbb_root_path',
        'no_page_header'
    );

    // Arrays to loop through for input.
    // Remember, case sensitive.
    // By default these are just the arrays
    // register_globals pulls from.
    $input_arrays = array(
        'HTTP_ENV_VARS',
        'HTTP_GET_VARS',
        'HTTP_POST_VARS',
        'HTTP_COOKIE_VARS',
        'HTTP_POST_FILES',
        'HTTP_SERVER_VARS',
        'HTTP_SESSION_VARS'
    );

    // Just get the values of each item in $input_arrays;
    // they are the names of the input arrays.
    while(list(,$input_array) = each($input_arrays))
    {
        // Just get the key names of each item in the input
        // array; they are the names of the possible variables.
        while(list($key,) = @each(${$input_array}))
        {
            // Variable names are case sensitive (in PHP 5
            // at least)..but we don't want people having
            // variables that get unset just because they
            // were capitalised wrong in $protect_vars.
            for($i = 0; $i < count($protect_vars); $i++)
            {
                if(strtolower($protect_vars[$i]) == strtolower($key))
                {
                    continue 2;
                }
            }

            unset(${$key});
        }
        @reset(${$input_array});
    }
    unset($register_globals, $protect_vars, $input_arrays, $input_array, $key, $i);
}

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM


You also have to add the FIND part of this MOD to your extension.inc, at the beginning.
http://www.familie-smit.nl
http://portfolio.familie-smit.nl

Do not tsunami my inbox... instead use the forums...
Hard work may not kill me, but why take a chance?

Re: IntegraMod Hack fix

PostAuthor: Flex » Mon Aug 28, 2006 5:58 am

"Dioncecht";p="14300" wrote:
"Unknown Ranger";p="14293" wrote:
"Michaelo";p="14281" wrote:Please edit your functions.php adding the following code to the start... Should be line 22
Code: Select all
// Belt //
if(strstr($phpbb_root_path, '"')){die('Hacking attempt... Details Logged'); exit;}
// Braces //
if($phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '/' || $phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '.')
{
    $phpbb_root_path = './';
    die('Hacking attempt... Details Logged'); exit;
}


This will fix the second hack using functions.php and php_root_path, I may have gone overboard but who cares :o

PostAuthor: billmcelligott » Mon Aug 28, 2006 8:09 am

"evolver";p="14263" wrote:Did you come to integraMOD2.com by a link on your site to read about this suggested change?

If so, then this is my suggestion to everyone:
Avoid visiting integraMOD by referral on your site!!!!
Because then it seems clear to me that these hackers are taking advantage of the referrals to find your site!!!


Answer no I didn't, I have this site in my favs. So no need to. I will go check my profile though in case there is any information there.

I have removed the altered files and am rebuilding forums.

PostAuthor: evolver » Mon Aug 28, 2006 8:30 am

"billmcelligott";p="14307" wrote:
"evolver";p="14263" wrote:Did you come to integraMOD2.com by a link on your site to read about this suggested change?

If so, then this is my suggestion to everyone:
Avoid visiting integraMOD by referral on your site!!!!
Because then it seems clear to me that these hackers are taking advantage of the referrals to find your site!!!


Answer no I didn't, I have this site in my favs. So no need to. I will go check my profile though in case there is any information there.

I have removed the altered files and am rebuilding forums.

My site (not even findable in google, no links on the rootindex) has been hacked this morning...
That's a good thing :D
I have put protection on that dir now, and I will investigate its contents...
I've changed passwords as well.
Always remember you're unique, just like everyone else.
We are born naked, wet and hungry. Then things get worse.
Don't take life too seriously, you won't get out alive.

PostAuthor: gcomfx.com » Mon Aug 28, 2006 8:39 am

My cpanel password is not the same as my integramod admin password. Should I change it anyway?
Paul (gcomfx) - 100mphclub.com originator

PostAuthor: evolver » Mon Aug 28, 2006 9:10 am

"gcomfx.com";p="14309" wrote:My cpanel password is not the same as my integramod admin password. Should I change it anyway?

I will leave my site unaccessible, until we find a way to make it hackerproof...
It's no use to put it back before that, because it will be hacked again.

PostAuthor: Fubie » Mon Aug 28, 2006 9:26 am

"evolver";p="14310" wrote:I will leave my site unaccessible, until we find a way to make it hackerproof...
It's no use to put it back before that, because it will be hacked again.


Ditto, I took everything down yesterday to keep the script kiddies at bay.

Re: IntegraMod Security fix

PostAuthor: Solomon » Mon Aug 28, 2006 9:28 am

After 4 hacks in 3 days, all's well on my site for the last 24hrs. I have done all the fixes up to the register_globals OFF, magic_quotes ON, functions_portal.php fix. I haven't done the latest functions.php fix because of the album issues. They (the silly Turks) are still trying too. Since blocking most foreign search engines in my .htaccess & in the ACP they have resorted to using domestic search engines (which obviously I am not going to block).

What's even better than my site surviving after all the fixes is my counter-political statement/present for them on the front page of my site :mrgreen:

PostAuthor: Fubie » Mon Aug 28, 2006 9:34 am

Nice Solomon,

I just feel bad for them. How sad is their life if they have to find pleasure in destroying others' hard work.

I have nothing but pity for them.

PostAuthor: Solomon » Mon Aug 28, 2006 10:09 am

"Fubie";p="14313" wrote:Nice Solomon,

I just feel bad for them. How sad is their life if they have to find pleasure in destroying others' hard work.

I have nothing but pity for them.


The irony is hackers boast "root to 0 in under 3mins" in this video but it really only takes 1-2mins to restore the site if you got all your ducks in order. I've even lessened that time by having a duplicate directory ready to go with clean files & a new config.php. If hacked, all I have to do is delete the old directory and change the duplicate folder name to "forum". The only loss is new posts/pics, but that only takes an additional minute if I want to preserve the new posts/pics.

So what's the point? There is none other than to spread their political message. I keep saying, why don't they just register on my site and use my "Politics" forum to post their propaganda. I don't censor and believe in free speech so their message would last longer and reach more people. Obviously I am speaking semi-sarcastically.

PostAuthor: gcomfx.com » Mon Aug 28, 2006 10:21 am

My host shut my account down again. Either the patches didn't work, or I didn't find all the bad files. My forum was set to deactivated, and I removed the index.php file.

PostAuthor: gcomfx.com » Mon Aug 28, 2006 10:39 am

Do we have a place or person we can send information to? I'm not sure what is a BAD idea to post, and I just got some info, from my host about how the information is being obtained.

PostAuthor: Fubie » Mon Aug 28, 2006 10:44 am

Anything about the hacking issues you would not like to post publicly please PM to Michaelo, Teelk, or Helterskelter.

PostAuthor: gcomfx.com » Mon Aug 28, 2006 10:53 am

Thanks Fubie.... sent the PM to the first two.

PostAuthor: evolver » Mon Aug 28, 2006 11:05 am

"Solomon";p="14314" wrote:There is none other than to spread their political message. I keep saying, why don't they just register on my site and use my "Politics" forum to post their propaganda. I don't censor and believe in free speech so their message would last longer and reach more people. Obviously I am speaking semi-sarcastically.

Propaganda...messages...censoring...

If they are really doing this with a purpose, I don't get it...
Because destroying everything that is for free (like integraMOD), will always be in favor for rich giants like Microsoft and everything else that is commercial...
So, they are supporting those rich companies in a way...

I don't think that they have a purpose at all...
They just act like vandals...and what reason do vandals have to do what they do? Just for fun...because their life isn't...
That's the only reason, nothing else...

To fight for freedom, they would do much better by supporting sites like integraMOD instead of destroying them...
And like Michaelo said before, they do have the skills for that...but they are wasting it...
Maybe they are just completely against freedom...

PostAuthor: Solomon » Mon Aug 28, 2006 11:14 am

"evolver";p="14321" wrote:
"Solomon";p="14314" wrote:There is none other than to spread their political message. I keep saying, why don't they just register on my site and use my "Politics" forum to post their propaganda. I don't censor and believe in free speech so their message would last longer and reach more people. Obviously I am speaking semi-sarcastically.

Propaganda...messages...censoring...

If they are really doing this with a purpose, I don't get it...
Because destroying everything that is for free (like integraMOD), will always be in favor for rich giants like Microsoft and everything else that is commercial...
So, they are supporting those rich companies in a way...

I don't think that they have a purpose at all...
They just act like vandals...and what reason do vandals have to do what they do? Just for fun...because their life isn't...
That's the only reason, nothing else...

To fight for freedom, they would do much better by supporting sites like integraMOD instead of destroying them...
And like Michaelo said before, they do have the skills for that...but they are wasting it...
Maybe they are just completely against freedom...


I take it you didn't get the 2 anti-Greek, Israeli, & USA front pages my site received.

"gcomfx.com";p="14315" wrote:My host shut my account down again. Either the patches didn't work, or I didn't find all the bad files. My forum was set to deactivated, and I removed the index.php file.

Besides all the folders mentioned prior, I initially missed some files tucked in my "pafiledb/cache/templates/XXXXXX" folder and more in "pafiledb/cache/templates/XXXXXX/admin" folder. Check all your CHMOD: 777 folders.

PostAuthor: Michaelo » Mon Aug 28, 2006 11:59 am

I will install a copy of integramod 1.4.0 tonight and try all the known hacks... I will then implement the security fixes and report back...

I know one of the fixes disables the album mod but it is only temporary so please use it... without this fix your site is open to hacking.

Mike
Kiss Portal Engine phpbbireland (status: Released)

PostAuthor: evolver » Mon Aug 28, 2006 12:21 pm

"Solomon";p="14322" wrote:I take it you didn't get the 2 anti-Greek, Israeli, & USA front pages my site received.

I'm not even Israeli, Greek or American...
These guys are not against these nationalities only,
they are against everyone because IntegraMOD is for everyone, no matter what nationality or religion...
It's funny...because that's what these guys are fighting against...
They don't even realize that they are fighting against themselves...
Because that's what they do if you follow the logic...

There's only one thing that makes sense in all this:
Making integraMOD hackerproof...
And believe it or not, in a way they are helping us with that...
Because even if they wouldn't be hacking us, others can...
And now at least, we are trying to make it more difficult for those others as well...
Last edited by evolver on Mon Aug 28, 2006 1:01 pm, edited 1 time in total.

PostAuthor: Solomon » Mon Aug 28, 2006 12:46 pm

"Michaelo";p="14324" wrote:
I know one of the fixes disables the album mod but it is only temporary so please use it... without this fix your site is open to hacking,

Mike

Will do

"evolver";p="14325" wrote:
"Solomon";p="14322" wrote:I take it you didn't get the 2 anti-Greek, Israeli, & USA front pages my site received.

I'm not even Israeli, Greek or American...
These guys are not against these nationalities only,
they are against everyone because IntegraMOD is for everyone, no matter what nationality or religion...
It's funny...because that's what these guys are fighting against... :ra: http://www.geobytes.com/IpLocator.htm?GetLocation

PostAuthor: Master Dwarf » Mon Aug 28, 2006 1:00 pm

I have installed google analytics on my site within the last couple nights. Going through the stats now and found 1 visitor hailing from Turk Telekom using a search for integramod portal. Nice.

So much for flying under the radar. I have not been hacked, yet, after applying all the code tweaks so far. Just a fyi.
Sean Kelley
http://www.GrumblingDwarf.com
Wisconsin Region Game Site

Re: IntegraMod Security fix

PostAuthor: Michaelo » Mon Aug 28, 2006 1:08 pm

I installed 140 and proceeded to hack into it. The following four security holes were identified and fixed.

Code in this post has been updated... See first post in this thread


File: functions.php
Exploit: phpbb_root_path remote script vulnerability

Fix: Add the following code to beginning of file
This should also fix the album issue
Code: Select all
 ...  



File]  ...  [/code]

File: functions_mods_settings.php
Exploit: phpbb_root_path remote script vulnerability

Fix: Add the following code to beginning of file
Code: Select all
 ...  

File] (used to pass script)

Fix: file to edit = functions.php around line 838
Code: Select all
        type casting (int) STYLE_URL allow only integers...  


Mike
Last edited by Michaelo on Tue Aug 29, 2006 5:52 am, edited 1 time in total.

PostAuthor: Michaelo » Mon Aug 28, 2006 2:11 pm

I will be locking this post soon and moving all discussion to a members only forum...
Mike

PostAuthor: Master Dwarf » Mon Aug 28, 2006 2:37 pm

Hey good work Mike! I'm sure we all appreciate it.

Last fix, it doesn't state where to place hacked code. Should it too be in the beginning of index.php?

edit: Doh! For some reason I can't get into my admin panel now. hmmm...I have not applied the last tweak because it prevented users going to forums page if I inserted it into the beginning of index.php

edit2: I think I just have to undo my changes to a couple files, I'm sure it's something I am doing and not something Mike has implemented.

Re: IntegraMod Security fix

PostAuthor: Solomon » Mon Aug 28, 2006 2:55 pm

"Michaelo";p="14329" wrote:I installed 140 and proceeded to hack into it. The following four security holes were identified and fixed.

File: functions.php
Exploit: phpbb_root_path remote script vulnerability

Fix: Add the following code to beginning of file
This should also fix the album issue
Code: Select all
// Hack Fixes  280806 //
if(strlen($phpbb_root_path == 0)) $phpbb_root_path = './';
if(strstr($phpbb_root_path, '"')){die('Hacking attempt... Details Logged'); exit;}
if($phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '/' || $phpbb_root_path[0] != '.' && $phpbb_root_path[1] != '.')
{
    $phpbb_root_path = './';
    die('Hacking attempt... Details Logged'); exit;
}
// Hack Fixes  280806 //

Yes, this does solve the album issue.

"Michaelo";p="14329" wrote:File] (used to pass script)

Fix:
Code: Select all
// type casting (int) STYLE_URL allow only integers
// BEGIN Style Select MOD
if ( isset($HTTP_POST_VARS[STYLE_URL]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )
{
    (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
    if($style == 0 || $style > 49) { die('Hacking attempt'); exit; }
    if ( $theme = setup_style($style) )
    {
        setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
        return;
    }
}


Mike

Can you supply the Filename(s) & FIND?

PostAuthor: Unregistered » Mon Aug 28, 2006 3:21 pm

i think the last fix is for functions.php

am also not sure where to apply or replace the last fix..
J O N H | P L A Y E R

Re: IntegraMod Security fix

PostAuthor: Unregistered » Mon Aug 28, 2006 3:44 pm

hi mike, do we need to undo this
http://integramod.com/forum/viewtopic.php?p=14127#14127
for the last fix?

and replace

Code: Select all
if ( isset($HTTP_POST_VARS[STYLE_URL]) || isset($HTTP_GET_VARS[STYLE_URL]) )
{
    $style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
    if ( $theme = setup_style($style) )
    {
        setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
        return;
    }
}


with

Code: Select all
if ( isset($HTTP_POST_VARS[STYLE_URL]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )
{
    (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
    if($style == 0 || $style > 49) { die('Hacking attempt'); exit; }
    if ( $theme = setup_style($style) )
    {
        setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
        return;
    }
}


Please correct me if am wrong...
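A stricter form of the integer check on the style parameter, as an added example (not code from the thread or from IntegraMOD). In PHP a cast written to the left of an assignment, as in `(int)$style = ...`, converts the value of the whole expression and leaves `$style` holding the original string, so this version casts before assigning and accepts digits only. `parse_style_id()`, `left_hand_cast_type()` and the sample inputs are hypothetical; the upper bound 49 is the one used in the posted fix.

```php
<?php
// Added example, not code from the thread or from IntegraMOD.
// parse_style_id(), left_hand_cast_type() and the sample inputs are hypothetical;
// the upper bound 49 is the one used in the posted fix.

/**
 * Return the style id as an int, or null when the raw request value is not
 * a plain decimal number in the range 1..$max_style_id.
 */
function parse_style_id($raw, $max_style_id = 49)
{
    // Request parameters can arrive as arrays (style[]=1); refuse non-strings.
    if (!is_string($raw)) {
        return null;
    }
    // Digits only, at most three: no sign, whitespace, hex, exponent or
    // trailing text. The D modifier stops "$" matching before a final newline.
    if (!preg_match('/^[0-9]{1,3}$/D', $raw)) {
        return null;
    }
    $id = (int) $raw; // cast the value first, then assign the result
    return ($id >= 1 && $id <= $max_style_id) ? $id : null;
}

/**
 * Shows what a cast on the left of an assignment does: PHP evaluates it as
 * (int) ($style = $raw), so the variable still holds the original string.
 */
function left_hand_cast_type($raw)
{
    (int) $style = $raw;
    return gettype($style);
}

// Constructed sample inputs, as they might arrive in a request parameter.
$samples = array('7', '49', '0', '50', '007', '7abc', ' 7', '-3', '0x1A', '1e1', '', array('7'));

foreach ($samples as $raw) {
    $id = parse_style_id($raw);
    echo str_pad(json_encode($raw), 8), ' => ',
         ($id === null ? 'rejected' : 'style ' . $id), "\n";
}

echo 'type of $style after "(int) $style = \'7abc\'": ', left_hand_cast_type('7abc'), "\n";
```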

PostAuthor: Michaelo » Mon Aug 28, 2006 3:46 pm

Yep the new one is an update... replace the old one!

PostAuthor: Michaelo » Mon Aug 28, 2006 3:52 pm

The last edit is in functions.php around line 838...
Sorry guys I should have been more explicit...

Re: IntegraMod Security fix

PostAuthor: Pggar » Mon Aug 28, 2006 3:54 pm

"Michaelo";p="14329" wrote:File: functions_mods_settings.php
Exploit: phpbb_root_path remote script vulnerability

Fix: Add the following code to beginning of file
Code: Select all
// Hack Fixes  280806 //
if ( !defined('IN_PHPBB') )
{
    die('Hacking attempt');
}
$phpbb_root_path = "./";
// Hack Fixes  280806 //

Should my functions_mods_settings.php file use phpbb_root_path somewhere or am I missing something?

"Michaelo";p="14329" wrote:File] (used to pass script)

Fix:
Code: Select all
// type casting (int) STYLE_URL allow only integers
// BEGIN Style Select MOD
if ( isset($HTTP_POST_VARS[STYLE_URL]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )
{
    (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : $HTTP_GET_VARS[STYLE_URL] );
    if($style == 0 || $style > 49) { die('Hacking attempt'); exit; }
    if ( $theme = setup_style($style) )
    {
        setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
        return;
    }
}


Mike

Does this mean we can get the style block back to life?
Last edited by Pggar on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.
User avatar
Pggar
Newbie
Newbie
 
Posts: 10
Likes: 0 post
Liked in: 0 post
Joined: Sat Aug 12, 2006 7:46 am
Cash on hand: 0.00
Location: Brasília

PostAuthor: Unregistered » Mon Aug 28, 2006 3:54 pm

one more thing...

I've put a .htaccess (creating a password to access the folder) file in my INCLUDES dir..

now will it give any difficulties for my site or will it cause trouble?
Last edited by Unregistered on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.
J O N H | P L A Y E R

Unregistered
Sr Integra Member
Sr Integra Member
 
Posts: 254
Likes: 0 post
Liked in: 0 post
Joined: Wed Jun 07, 2006 2:51 pm
Cash on hand: 0.00

PostAuthor: Michaelo » Mon Aug 28, 2006 4:00 pm

Hi Pggar, try adding it, I don't think it will break anything and could add some more security but I did not need it to fix the hack...

Unregistered, this will protect against people viewing the files in a directory and should be fine. See here for more info...

As per Fubie's suggestion

Attachment removed due to a minor edit required... ACP problem back soon!
Last edited by Michaelo on Mon Aug 28, 2006 4:34 pm, edited 1 time in total.

PostAuthor: Unregistered » Mon Aug 28, 2006 4:16 pm

Michaelo, thanks for being here with us throughout this attack.. and also other ppl who helped to find fix.. great work.. hope this would be the last fix regarding this hack..

PostAuthor: gcomfx.com » Mon Aug 28, 2006 4:22 pm

I have a request.... I know it's a lot of work, but can you add all this into a fresh install of 1.4? I've got hacker files all over the place. I'm going to wipe out the whole cpanel account and start from scratch to guarantee I get them all. I'm hoping to do a clean install of 1.4 and upload my database and be back on track. I can manually put all the images back into the album and smilie and avatar sections.
Last edited by gcomfx.com on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.
Paul (gcomfx) - 100mphclub.com originator
[size=99px]
User avatar
gcomfx.com
Sr Integra Member
Sr Integra Member
 
Posts: 251
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 9:34 am
Cash on hand: 0.00

PostAuthor: jwernerny » Mon Aug 28, 2006 4:25 pm

Great work on these fixes Michaelo, evolver, and everyone else who helped.

Let's hope they hold.
Last edited by jwernerny on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.
User avatar
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 4:58 am
Cash on hand: 0.00
Location: Fairport, NY

PostAuthor: Michaelo » Mon Aug 28, 2006 4:30 pm

Thanks only wish we could have been a little more ready for this...

I plan some future update to reduce the risks of hacks spreading where hackers use google search... Including one of which Healter has already completed...

Other possible additions:
Some method of removing files that don't belong...
Renaming of some crucial file via ACP is a possibility...
And whatever other ideas come along...

PostAuthor: Unregistered » Mon Aug 28, 2006 4:30 pm

"gcomfx.com";p="14346" wrote:I have a request.... I know it's a lot of work, but can you add all this into a fresh install of 1.4? I've got hacker files all over the place. I'm going to wipe out the whole cpanel account and start from scratch to guarantee I get them all. I'm hoping to do a clean install of 1.4 and upload my database and be back on track. I can manually put all the images back into the album and smilie and avatar sections.


why not release 141? it will be much less work i guess..

PostAuthor: Vadar » Mon Aug 28, 2006 4:30 pm

After applying all four of Michaelo's fixes, I now find I can't log on to my ACP. All I get is the following error: Template->make_filename(): Error - template file not found: includes/cache_tpls/def_words_def.tpl

Any idea what could have caused this?
Last edited by Vadar on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.

Vadar
Integra Supporter
Integra Supporter
 
Posts: 68
Likes: 0 post
Liked in: 0 post
Joined: Sun Mar 26, 2006 8:30 pm
Cash on hand: 0.00

PostAuthor: Dr. Bantham » Mon Aug 28, 2006 4:32 pm

"Michaelo";p="14192" wrote:The original file is off-site this is just the cache copy

eval() evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution and that could be dodgy...
Take the site down and chmod the root directory to 600
Mike
With my case, if I install the suggested modifications am I still in jeopardy from the potential of my SQL database being infected? What keywords should I search for in the text version of the database?
Last edited by Dr. Bantham on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.
User avatar
Dr. Bantham
Integra Member
Integra Member
 
Posts: 152
Likes: 0 post
Liked in: 0 post
Joined: Sat Apr 08, 2006 6:25 pm
Cash on hand: 0.00

PostAuthor: Unregistered » Mon Aug 28, 2006 4:36 pm

"Vadar";p="14350" wrote:After applying all four of Michaelo's fixes, I now find I can't log on to my ACP. All I get is the following error: Template->make_filename(): Error - template file not found: includes/cache_tpls/def_words_def.tpl

Any idea what could have caused this?



have u enabled the "style select" block?
(if so, disable it..)

PostAuthor: Master Dwarf » Mon Aug 28, 2006 4:40 pm

Yeah, I am getting errors trying to get into Admin.

Warning: main(././includes/functions_categories_hierarchy.php): failed to open stream: No such file or directory in /xxx/xxx/xxx/grumblingdwarf.com/forums/includes/functions.php on line 35

Warning: main(): Failed opening '././includes/functions_categories_hierarchy.php' for inclusion (include_path='.:/usr/local/lib/php') in /xxx/xxx/xxx/grumblingdwarf.com/forums/includes/functions.php on line 35

Warning: main(./includes/db.php): failed to open stream: No such file or directory in /xxx/xxx/xxx/grumblingdwarf.com/forums/common.php on line 198

Warning: main(./includes/db.php): failed to open stream: No such file or directory in /xxx/xxx/xxx/grumblingdwarf.com/forums/common.php on line 198

Warning: main(): Failed opening './includes/db.php' for inclusion (include_path='.:/usr/local/lib/php') in /xxx/xxx/xxx/grumblingdwarf.com/forums/common.php on line 198

Fatal error: Call to a member function on a non-object in /xxx/xxx/xxx/grumblingdwarf.com/forums/common.php on line 241


I do not have the style block active.
Last edited by Master Dwarf on Mon Aug 28, 2006 4:42 pm, edited 1 time in total.
Sean Kelley
http://www.GrumblingDwarf.com
Wisconsin Region Game Site
User avatar
Master Dwarf
Integra Supporter
Integra Supporter
 
Posts: 102
Likes: 0 post
Liked in: 0 post
Joined: Sun Apr 09, 2006 9:26 am
Cash on hand: 0.00
Location: Madison, WI

PostAuthor: Unregistered » Mon Aug 28, 2006 4:40 pm

"Michaelo";p="14348" wrote:Thanks only wish we could have been a little more ready for this...


actually, i did warn abt this more than a month back

PostAuthor: gcomfx.com » Mon Aug 28, 2006 4:41 pm

"Dr. Bantham";p="14351" wrote:
"Michaelo";p="14192" wrote:The original file is off-site this is just the cache copy

eval() evaluates the string given in code_str as PHP code. Among other things, this can be useful for storing code in a database text field for later execution and that could be dodgy...
Take the site down and chmod the root directory to 600
Mike
With my case, if I install the suggested modifications am I still in jeopardy from the potential of my SQL database being infected? What keywords should I search for in the text version of the database?


Good question....

PostAuthor: Vadar » Mon Aug 28, 2006 4:43 pm

Thanks Unregistered, but I had already disabled it so that isn't the problem.

Troubleshooting.........

Re: IntegraMod Security fix

PostAuthor: jwernerny » Mon Aug 28, 2006 4:57 pm

I'm seeing the warning about includes going into ACP too. I tried to hard code the phpbb_root_path to the absolute path, but it still is trying to do something relative.

Here is an excerpt from my functions.php

Code: Select all
$phpbb_root_path='/home/<someuserid>/public_html/forum/';
// Hack Fixes  280806 //
include_once( $phpbb_root_path . 'includes/functions_categories_hierarchy.' . $phpEx );


Here is what I see
Warning]: failed to open stream: No such file or directory in /home/<someuserid>/public_html/forum/includes/functions.php on line 743

Warning: include_once() [function.include]: Failed opening './includes/mods_settings/mod_categories_hierarchy.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/<someuserid>/public_html/forum/includes/functions.php on line 743


It looks like I can't set phpbb_root_path. I also have added "php_flag register_globals off" to my .htaccess file. I am pretty sure I tried turning it off without changing the results.
Last edited by jwernerny on Mon Aug 28, 2006 5:13 pm, edited 1 time in total.

PostAuthor: Vadar » Mon Aug 28, 2006 4:58 pm

Well, it appears to be related to the functions_mods_settings.php fix. Whenever I have placed that code at the top of the file, my ACP crashes with Template->make_filename(): Error - template file not found: includes/cache_tpls/def_words_def.tpl.

If I replace that file with a saved copy, it works fine. For now I have the other three fixes in place and am holding off on that one.

Re: IntegraMod Security fix

PostAuthor: Solomon » Mon Aug 28, 2006 5:05 pm

nm...
Last edited by Solomon on Mon Aug 28, 2006 5:07 pm, edited 1 time in total.
[hr]

Solomon
Members
Members
 
Posts: 90
Likes: 0 post
Liked in: 0 post
Joined: Sat May 20, 2006 9:22 am
Cash on hand: 0.00

PostAuthor: Michaelo » Mon Aug 28, 2006 5:06 pm

I've been over protective so there is a problem accessing the ACP... will check this out and report back...

PostAuthor: jwernerny » Mon Aug 28, 2006 5:21 pm

"Vadar";p="14359" wrote:Well, it appears to be related to the functions_mods_settings.php fix.


I agree. I replaced the hard coded phpbb_root_path of "./" with my own path and everything works fine now. In many ways, using a hard coded path on my site should make it more secure against the redirect trick.

Re: IntegraMod Security fix

PostAuthor: Unregistered » Mon Aug 28, 2006 5:24 pm

hi, i got a hacking attempt a while back ...

IP Adress : 222.165.176.xxx
Caught For : Clike Attempt
Caught On : 29 Aug 2006 03:40 am
Attempts : 1

/login.php?procesa=si&usuario_nkads_admin='%20or%20isnull.....


PostAuthor: Flex » Mon Aug 28, 2006 5:29 pm

Does anyone have a copy of functions.php with all the fixes applied? Last fix broke it and I need the original and even better with the fixes applied.

I'm not at home so I can't just replace it atm.

If anyone can attach it here, would be greatly appreciated.

Thanks
Last edited by Flex on Wed Dec 31, 1969 5:00 pm, edited 1 time in total.
[url=http]My integramod site <img>[/url]

Flex
Sr Integra Member
Sr Integra Member
 
Posts: 221
Likes: 0 post
Liked in: 0 post
Joined: Sun Apr 09, 2006 4:09 pm
Cash on hand: 0.00

Re: IntegraMod Security fix

PostAuthor: Dr. Bantham » Mon Aug 28, 2006 5:57 pm

Can we get a dedicated forum directory titled Hacking Reports, Security Reports or something similar? There have been 150 replies to this thread in two days and not only is it extremely hard to follow but important questions and answers are getting buried. I carefully detailed my hacking experience with no reply, as a flurry of other panic member posts followed. Since it appears that there may be several hacking methods at work here, I think it would help both admins and members to organize the types into separate threads. A central locked sticky could keep the known solutions handy and uncluttered. This community is being very supportive of members with this situation, but I strongly feel that everyone can benefit from organizing the content into a coherent structure.

Re: IntegraMod Security fix

PostAuthor: Flex » Mon Aug 28, 2006 6:04 pm

I think I've fixed up my issue, but I think someone should put together all these fixes and attach the corresponding files for a straight replacement to ease the confusion. As suggested above putting all these fixes together in a single place would help a lot.

PostAuthor: Solomon » Mon Aug 28, 2006 6:08 pm

I applied the fixes and everything was fine except for the ACP issue. I reverted back to the bak files and it seemed to worsen the ACP issue.

PostAuthor: Michaelo » Mon Aug 28, 2006 6:12 pm

Guys I did not have time to test files with ACP... Since then I have and updates are available...

There are three files in the update, remember testing needed but we should have things ironed out or almost nearly...

The attached files were for 140 without any updates from 2.0.20 and 2.0.21...
just in case you guys have more recent updates I am only going to post the fixes again in the first post... See this for all updates...


Due to continual changes I will not post updates in threads just in the first post...

Mike
Last edited by Michaelo on Mon Aug 28, 2006 6:45 pm, edited 1 time in total.

PostAuthor: Solomon » Mon Aug 28, 2006 6:31 pm

Very nice :P

Thanks a million!

PostAuthor: Unregistered » Mon Aug 28, 2006 6:50 pm

actually we should thank the hackers who just made us secured

PostAuthor: Solomon » Mon Aug 28, 2006 6:52 pm

Can we re-enable the Style Select block after we apply the fix?

PostAuthor: Unregistered » Mon Aug 28, 2006 6:54 pm


PostAuthor: Solomon » Mon Aug 28, 2006 7:00 pm

"Unregistered";p="14390" wrote:yes u can..

also undo this
http://integramod.com/forum/viewtopic.php?p=14127#14127

Cool thanks and it looks like Michaelo already did it in the file package he posted.

PostAuthor: Unregistered » Mon Aug 28, 2006 7:06 pm

yup, he's the man.. but don't overwrite those files.. find the codes and insert ..

PostAuthor: Solomon » Mon Aug 28, 2006 7:08 pm

"Unregistered";p="14394" wrote:yup, he's the man.. but don't overwrite those files.. find the codes and insert ..

winmerge ftw

Re: IntegraMod Security fix

PostAuthor: Solomon » Mon Aug 28, 2006 7:09 pm

BUG: ACP/Security/
    /forum/admin/admin_security.php
    /forum/admin/admin_security.php?mode=gd_info
    /forum/admin/admin_security.php?mode=php_info
    /forum/admin/admin_security.php?mode=members
    /forum/admin/admin_security.php?mode=search
    /forum/admin/admin_security.php?mode=special
I get: "Hacking attempt... Details Logged" in the right window

Re: IntegraMod Security fix

PostAuthor: Flex » Mon Aug 28, 2006 7:12 pm

"Solomon";p="14396" wrote:BUG: ACP/Security/
    /forum/admin/admin_security.php
    /forum/admin/admin_security.php?mode=gd_info
    /forum/admin/admin_security.php?mode=php_info
    /forum/admin/admin_security.php?mode=members
    /forum/admin/admin_security.php?mode=search
    /forum/admin/admin_security.php?mode=special
I get: "Hacking attempt... Details Logged" in the right window


same here.

Edit: same with ACP/Attachments, extensions and FTR management
Last edited by Flex on Mon Aug 28, 2006 7:15 pm, edited 1 time in total.

PostAuthor: Unregistered » Mon Aug 28, 2006 7:14 pm

did u both download the hack_update2.rar ? and overwrite them?
Last edited by Unregistered on Mon Aug 28, 2006 7:17 pm, edited 1 time in total.

PostAuthor: Flex » Mon Aug 28, 2006 7:15 pm

"Unregistered";p="14399" wrote:did u both download the hack_update2.rar ? and overwrite them?


I did.

PostAuthor: Unregistered » Mon Aug 28, 2006 7:25 pm

it's not ok to overwrite those files.. u need to replace with ur old files..either ways, am getting the same "Hacking attempt... Details Logged" as well.. some pages can access.. others can't..

Re: IntegraMod Security fix

PostAuthor: Solomon » Mon Aug 28, 2006 7:27 pm

"Solomon";p="14396" wrote:BUG: ACP/Security/
    /forum/admin/admin_security.php
    /forum/admin/admin_security.php?mode=gd_info
    /forum/admin/admin_security.php?mode=php_info
    /forum/admin/admin_security.php?mode=members
    /forum/admin/admin_security.php?mode=search
    /forum/admin/admin_security.php?mode=special
I get: "Hacking attempt... Details Logged" in the right window


More:
ACP/AMOD+Admin -> Manage, Quota Limit, Shadow Attachments, Sync Attachments
ACP/Extensions/Extension management,Extension Group Management, Forbidden Extensions, Special Categories
ACP/Forum Admin -> FTR configuration, FTR users
ACP/General Admin -> Add New
ACP/Links -> PCP Wizard
ACP/Photo Album -> Package module
ACP/Style Admin -> IPN Log, Configuration
ACP/Tools/PCP Info
ACP/User Admin -> Junior Admin, Points Configuration, Private Messages, Private Messages Archive, Prune Users, Subscription,

PostAuthor: Flex » Mon Aug 28, 2006 7:28 pm

So I shouldn't have replaced the files that got attached as a fix? Should I replace them back from my last good backup?

PostAuthor: Solomon » Mon Aug 28, 2006 7:31 pm

"Unregistered";p="14399" wrote:did u both download the hack_update2.rar ? and overwrite them?

yes downloaded them
no I used winmerge for the code edits shown on the first post
doesn't matter, doing code edits manually resulted in same problem

PostAuthor: Unregistered » Mon Aug 28, 2006 7:34 pm

open ur admin_security.php

FIND

$phpbb_root_path = '../';

REPLACE WITH

$phpbb_root_path = "./../";


... let me know how it goes..maybe we might have to open all the files and edit this ?

PostAuthor: Michaelo » Mon Aug 28, 2006 7:38 pm

Guys some of you have different versions and additional mods added... It is impossible to deal with these individually...

All edits will always relate to 140 default install... If you have over-written these three files replace them with your backup and do the edits one file at a time checking to see if things work...

The latest edits (in first post) only alter the php_root_path if it contains illegal links i.e. it must be either ./ or ./../ or blank and its length must be less than 5 characters. This way it should not affect the path for other files...

Note it has been necessary to edit the fixes three or four times as fixes become available so always make sure you have the latest files and remember to save before editing especially if you have added mods.
Mike
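The rule described in the post above (the path must be exactly ./ or ./../ or blank), written as an exact-match allow-list and compared with a prefix-only test. This is an added example, not IntegraMod's own code: checked_root_path() and prefix_only_ok() are hypothetical names, the sample inputs are constructed, and '../' is included on the assumption that the admin/ scripts keep setting it, as reported for admin_security.php.

```php
<?php
// Added illustration; not IntegraMod's own code. Function names and the
// sample inputs below are constructed for this example.

/**
 * Exact-match allow-list for $phpbb_root_path.
 * '', './' and './../' are the values named in the post above; '../' is the
 * value the thread shows admin_security.php setting (assumed legitimate).
 */
function checked_root_path($candidate, $default = './')
{
    $allowed = array('', './', '../', './../');

    // With register_globals on, ?phpbb_root_path[]=x arrives as an array.
    if (!is_string($candidate)) {
        return $default;
    }
    // Third argument forces strict (===) comparison, so no type juggling.
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

/**
 * Prefix-only test, for contrast: looking only at the first characters
 * accepts any longer string that merely begins with './'.
 */
function prefix_only_ok($candidate)
{
    return is_string($candidate) && strncmp($candidate, './', 2) === 0;
}

/** Printable form of a sample value (arrays are shown by type only). */
function show($value)
{
    return is_string($value) ? var_export($value, true) : gettype($value);
}

// Constructed inputs: the four legitimate prefixes first, then values a
// request could inject when register_globals is on.
$samples = array(
    './',
    '../',
    './../',
    '',
    'http://example.invalid/',   // remote location instead of a local prefix
    './../../../../tmp/',        // starts with './' but leaves the board directory
    "./\0",                      // legitimate prefix followed by a NUL byte
    array('x'),                  // not a string at all
);

foreach ($samples as $sample) {
    printf(
        "%-28s prefix-only: %-6s allow-list result: %s\n",
        show($sample),
        prefix_only_ok($sample) ? 'accept' : 'reject',
        show(checked_root_path($sample))
    );
}
```

The check only helps if it runs before the first include that builds a filename from the path; everything outside the list is replaced by the fixed default rather than passed on.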

Re: IntegraMod Security fix

PostAuthor: Solomon » Mon Aug 28, 2006 7:43 pm

BTW in functions.php there are two instances of "// BEGIN Style Select MOD"

Lines 663-665
Code: Select all
// BEGIN Style Select MOD
global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;
// END Style Select MOD


You should update the instructions in the first post to find the instance around line 820.

PostAuthor: Unregistered » Mon Aug 28, 2006 7:44 pm

mike, i can access the Security / Special - after i replaced $phpbb_root_path = '../'; to $phpbb_root_path = "./../"; in admin_security.php

do i have to replace all the files which i cant access?

Re: IntegraMod Security fix

PostAuthor: Unregistered » Mon Aug 28, 2006 7:46 pm

Solomon, i knew someone will ask that question..

FIND

Code: Select all
//
// Set up style
//
// BEGIN Style Select MOD

PostAuthor: Solomon » Mon Aug 28, 2006 7:51 pm

"Unregistered";p="14408" wrote:mike, i can access the Security / Special - after i replaced $phpbb_root_path = '../'; to $phpbb_root_path = "./../"; in admin_security.php

do i have to replace all the files which i cant access?

same here

PostAuthor: Flex » Mon Aug 28, 2006 7:56 pm

Well, question is... Do we have to replace (as Unregistered mentioned) all files with $phpbb_root_path = "./../"; ?

PostAuthor: Unregistered » Mon Aug 28, 2006 7:58 pm

we need a YES from an admin.. so we can start workin on it and its been a long day so far

PostAuthor: Michaelo » Mon Aug 28, 2006 8:04 pm

Unregistered, you have to replace the code between these comments
// BEGIN Style Select MOD
and
// END Style Select MOD

... is used to represent code rather than writing all of it :wink:

New update to fix the ./ and ../ problem in ACP...
This edit is no longer required
Last edited by Michaelo on Mon Aug 28, 2006 8:25 pm, edited 1 time in total.

PostAuthor: Flex » Mon Aug 28, 2006 8:08 pm

Don't go to sleep, we need you!!! and it's only 13:08!!! he he he I know I know.

Re: IntegraMod Security fix

PostAuthor: Unregistered » Mon Aug 28, 2006 8:09 pm

Yea u need a rest mike.. also its been secured for the time being.. thanks mate..


cheers..

PostAuthor: gcomfx.com » Mon Aug 28, 2006 8:21 pm

"Michaelo";p="14413" wrote:I am currently working of a copy of 1.4.0 with updates 2.0.21 but I need a little sleep so I will report any changes tomorrow... :)

PostAuthor: Michaelo » Mon Aug 28, 2006 8:28 pm

One more edit (in first post) to fix the ACP path problem... better than having to edit more files... Now it's time for bed ;)

PostAuthor: Unregistered » Mon Aug 28, 2006 8:34 pm

mike, we still need to edit every single file.. which we can't access...

PostAuthor: Solomon » Mon Aug 28, 2006 8:39 pm

"Unregistered";p="14418" wrote:mike, we still need to edit every single file.. which we can't access...

I think he just edited the functions.php edit instructions to reflect the path. Testing now.

PostAuthor: Michaelo » Mon Aug 28, 2006 8:43 pm

Unregistered, no, the latest edit fixed the problem! I'll wait for Solomon's test results... then bed

PostAuthor: Solomon » Mon Aug 28, 2006 8:44 pm

"Solomon";p="14419" wrote:
"Unregistered";p="14418" wrote:Mike, we still need to edit every single file.. which we can't access...

I think he just edited the functions.php edit instructions to reflect the path. Testing now.

Yes he did. I already edited half my admin/ files and they all work after applying the most recent first functions.php edit.

PostAuthor: Solomon » Mon Aug 28, 2006 8:45 pm

"Michaelo";p="14420" wrote:Unregistered, no, the latest edit fixed the problem! I'll wait for Solomon's test results... then bed :wink:

PostAuthor: Unregistered » Mon Aug 28, 2006 8:55 pm

Now I need a smoke hehe.. what a relief.. Michaelo, I need half of your brain..

PostAuthor: Flex » Mon Aug 28, 2006 8:55 pm

"Solomon";p="14421" wrote:
"Solomon";p="14419" wrote:
"Unregistered";p="14418" wrote:Mike, we still need to edit every single file.. which we can't access...

I think he just edited the functions.php edit instructions to reflect the path. Testing now.

Yes he did. I already edited half my admin/ files and they all work after applying the most recent first functions.php edit.


I edited all the files except for one, if I apply that last fix, will it cause any problems?

PostAuthor: Solomon » Mon Aug 28, 2006 8:57 pm

"Flex";p="14424" wrote:
"Solomon";p="14421" wrote:
"Solomon";p="14419" wrote:
"Unregistered";p="14418" wrote:Mike, we still need to edit every single file.. which we can't access...

I think he just edited the functions.php edit instructions to reflect the path. Testing now.

Yes he did. I already edited half my admin/ files and they all work after applying the most recent first functions.php edit.


I edited all the files except for one, if I apply that last fix, will it cause any problems?

No it won't cause any problems. He just added the extra path so it will recognize those files whichever path you have. I had half & half and all worked perfect after that latest update. I since reverted back all my files to original to keep them organized. If you used an editing program like editPlus then just use the ".bak" files.

PostAuthor: Flex » Mon Aug 28, 2006 9:01 pm

No I did them all manually and I think I'll leave them like that if it's not going to cause any issues in the future.

PostAuthor: Solomon » Mon Aug 28, 2006 9:10 pm

I've asked Michaelo to do the following:

One simple request: can you include a revision number or timestamp the edits on the first post when you make them, so we know when the individual sections have been amended?

PostAuthor: Flex » Mon Aug 28, 2006 9:28 pm

Sorry Solomon, I must be going blind. Where exactly is the fix for ACP on the first post? I don't see it.

PostAuthor: Solomon » Mon Aug 28, 2006 9:50 pm

"Flex";p="14428" wrote:Sorry Solomon, I must be going blind. Where exactly is the fix for ACP on the first post? I don't see it.


It's the first part of the functions.php edit fix.
[code]  Open]

He just updated it to include an additional "$phpbb_root_path". Just copy the code fix over your previous fix.

PostAuthor: Flex » Mon Aug 28, 2006 9:57 pm

Ahh, silly me. I did look at that and thought I already had it and now I noticed the difference ;)

Thanks again guys and good work!

PostAuthor: Solomon » Mon Aug 28, 2006 10:01 pm

"Flex";p="14435" wrote:Ahh, silly me. I did look at that and thought I already had it and now I noticed the difference ;)

Thanks again guys and good work!

Didn't you make backups before you did the edits?

I did them manually too, I just used editPlus instead of Notepad or Word because editPlus automatically makes original backups when you save the file. editPlus also has nice search & replace features and is nice for trimming those extra spaces (square blocks).

PostAuthor: Flex » Mon Aug 28, 2006 10:40 pm

Yeah, I also have a good editor, but I'm at work at the moment and was under the pump to get it fixed

PostAuthor: MrGrim » Tue Aug 29, 2006 4:33 am

I'm lost..so this is for people using 2.0.21/1.40 right?

PostAuthor: Michaelo » Tue Aug 29, 2006 5:07 am

Continue all discussion in Security, Members Forum...

I am locking this so we can move discussion into a members forum...