Hacked by php files being uploaded into pafiledb folder

Posted: Wed Aug 22, 2007 2:22 am
Author: binh.tang
Your phpBB Version: 2.0.
phpBB Type: Integramod 140
MODs: Yes
Your knowledge: Basic Knowledge
Board URL: http://www.MyMPxPlayer.org

PHP Version:
MySQL Version:


What was done before the problem appeared?



What was done to try to solve the problem?
Deleted the php files



Description and Message

Hi all,

In the past two months, I've had two attempts by hackers to hack my site by uploading .php files to the [Downloads] area (pafiledb folder on the web server).

The files are: ch99.php, m6.php, sniper.php and special.php.

I have a copy of them on my computer if anyone wants to take a look at it and use it to find a fix or a way to stop it from working, let me know and I can send it. Otherwise can I upload them in a zip format here to share with everyone else?

Basically, I LOVE IntegraMOD and thank you all for making this available. I thought well, if I'm getting hacking attempts, I might as well tell everyone who uses IntegraMOD about it so they don't have it happening to them.

What would happen is, we have a [Downloads] area where members can upload files, themes etc to our site. They tried to upload the .php files in the "file" location as well as in the "screenshot" location. Luckily I have enabled "admin approval" on all uploads, so was able to check it out before it was executed.

One very important question is, how do I RESTRICT the uploading of file types to a particular folder or through IntegraMOD? I've tried disabling .php files through the ACP but obviously that hasn't worked. Is there a .htaccess file and command we can add to a folder that can restrict the ability to upload a particular file type?

Thanks,
Binh

Re: Hacked by php files being uploaded into pafiledb folder

Posted: Wed Aug 22, 2007 2:04 pm
Author: Helter
try adding it to acp/extensions/forbidden extensions

Re: Hacked by php files being uploaded into pafiledb folder

Posted: Wed Aug 22, 2007 8:43 pm
Author: binh.tang
Thanks for that HelterSkelter.

I have tried adding the php extension in acp/extensions/forbidden extensions before but it didn't work. However, since you mentioned it again, I thought I would try putting in ".php" instead (previously it was only just "php" without the "." in front of it).

As it turns out, after adding this, I tried uploading a test .php file and YEH! The forbidden rule worked and it wouldn't allow for the file to be uploaded.

HOWEVER, I was able to upload the test .php file into the [Screenshots] field though. This meant that they are still able to execute the .php script if they just upload it into the "Screenshot" area instead.

I've attached a screenshot of this.

http://img204.imageshack.us/img204/3193/abletouploadphpfileintowj3.png

Posted: Fri Aug 24, 2007 5:27 am
Author: jwernerny
If you are on a shared host, you might want to check to make sure that the files are really being uploaded to your account, not that they are being put in some other way. I know the C99 shell (ch99.php?) is capable of replicating itself to ALL writable directories once it has been put on the server. Thus, on a shared host, it is possible that someone else may have provided the doorway to the server (by using some other portal -- it couldn't be IM:)) and then told the script to replicate itself in all writable directories (this is a button in the script).

As another protection to people putting files on your site, you may want to add the following to the .htaccess files in each of the open directories
Options -MultiViews
<Limit>
Order Allow,Deny
Deny from All
</Limit>


I forget who suggested it, but it seems to have helped me in the past. I also don't claim to know much about the magic of the .htaccess file. (Here is a good reference I just dug up: http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#per11)

BTW, I have to hand it to the script writers of these hacker tools. They are getting pretty powerful and easy to use. Too bad they aren't being used for good purposes.

- John

Posted: Thu Dec 27, 2007 11:15 pm
Author: binh.tang
Thanks jwernerny for the hint here.

What does your code do specifically?

Options -MultiViews
<Limit>
Order Allow,Deny
Deny from All
</Limit>

Re: Hacked by php files being uploaded into pafiledb folder

Posted: Fri Dec 28, 2007 6:23 pm
Author: CaNNon
That controls "Content Negotiation" and most hosts will have it off already so it may not help you.


http://www.integramod.com/forum/viewtopic.php?t=4204

You can apply that to your site; just use the folders that are 777 in the install file.
The last code box down has an easy to use/mod rule to stop file types from running.
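
One way to apply this kind of rule to every world-writable folder and to check what is already sitting in those folders, as an added example that is not part of any post here and is not the rule from the linked IntegraMOD topic. The rule text, the function names and the script name are assumptions; it assumes Apache 2.x with AllowOverride Limit in effect for these directories.

```shell
#!/bin/sh
# Added example, not from the thread. The rule text is an assumption: Apache 2.2
# access syntax; on Apache 2.4 use "Require all denied" instead of Order/Deny.

# .htaccess body: refuse to serve any file with a script extension in its name.
upload_htaccess() {
cat <<'EOF'
<FilesMatch "(?i)\.(php[0-9]?|phtml|pl|py|cgi)(\.|$)">
    Order Allow,Deny
    Deny from all
</FilesMatch>
EOF
}

# World-writable directories (the "777" folders) under web root $1.
writable_dirs() { find "$1" -type d -perm -0002 -print; }

# Files under $1 worth a manual look: a PHP extension anywhere in the name
# (shell.php.jpg included), or a PHP open tag inside a file of any name.
suspect_files() {
    find "$1" -type f ! -name .htaccess -print | while IFS= read -r f; do
        case "$(basename "$f" | tr 'A-Z' 'a-z')" in
            *.php|*.php[0-9]|*.phtml|*.php.*|*.php[0-9].*|*.phtml.*)
                printf '%s\n' "$f"; continue ;;
        esac
        if LC_ALL=C grep -qaiF '<?php' "$f"; then printf '%s\n' "$f"; fi
    done
}

# Write the rule into every writable directory, never overwriting an existing file.
harden() {
    writable_dirs "$1" | while IFS= read -r d; do
        if [ -e "$d/.htaccess" ]; then
            echo "exists, review by hand: $d/.htaccess"
        else
            upload_htaccess > "$d/.htaccess" && echo "wrote: $d/.htaccess"
        fi
    done
}

# Usage: sh harden_uploads.sh /path/to/webroot
if [ "$#" -ge 1 ]; then
    harden "$1"
    writable_dirs "$1" | while IFS= read -r d; do suspect_files "$d"; done | sort -u
fi
```

The content check matters for the screenshot field described earlier in the thread: a script saved under an image name passes an extension filter but still shows up in the second pass.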

Posted: Fri Dec 28, 2007 7:48 pm
Author: binh.tang
Thanks CaNNon for that. I have replied to your other topic.

Your line of code worked out GREAT!!!!!

Very helpful.
I do hope others will see it and use it on their site as without it, it's a huge security hole for hackers.

Re: Hacked by php files being uploaded into pafiledb folder

Posted: Fri Dec 28, 2007 11:54 pm
Author: CaNNon
You're welcome, and I hope they work well for you.

Posted: Sat Dec 29, 2007 2:00 am
Author: binh.tang
Yeh, they're working great. I just wished I had known about it earlier (and avoided the site being hacked 4 times).

Take care.

Re: Hacked by php files being uploaded into pafiledb folder

Posted: Sat Dec 29, 2007 1:36 pm
Author: CaNNon
If you wish a little more protection check this thread too. It tracks web crawlers (bots)
but it also has a security system to help stop a lot of attacks.

I have never run 1.40, but I'm pretty sure it would work.
http://www.integramod.com/forum/viewtopic.php?t=4209