Sub Menu
Links Menu
Online Users

In total there are 324 users online :: 2 registered, 0 hidden and 322 guests

Most users ever online was 1091 on Wed Aug 16, 2023 5:27 pm

Registered users: Bing [Bot], Google [Bot] based on users active over the past 60 minutes

Hacked by php files being uploaded into pafiledb folder

Support for IntegraMOD 140

Moderator: Integra Moderator

Hacked by php files being uploaded into pafiledb folder

PostAuthor: binh.tang » Wed Aug 22, 2007 2:22 am

Your phpBB Version: 2.0.
phpBB Type: Integramod 140
MODs: Yes
Your knowledge: Basic Knowledge
Board URL: http://www.MyMPxPlayer.org

PHP Version:
MySQL Version:


What was done before the problem appeared?



What was done to try to solve the problem?
Deleted the php files



De.scription and Message

Hi all,

In the past two months, I've had two attempts by hackers to hack my site by uploading .php files to the [Downloads] area (pafiledb folder on the web server).

The files are: ch99.php, m6.php, sniper.php and special.php.

I have a copy of them on my computer if anyone wants to take a look at it and use it to find a fix or a way to stop it from working, let me know and I can send it. Otherwise can I upload them in a zip format here to share with everyone else?

Basically, I LOVE IntegraMOD and thank you all for making this available. I thought well, if I'm getting hacking attempts, I might as well tell everyone who uses IntegraMOD about it so they don't have it happening to them.

What would happen is, we have a [Downloads] area where members can upload files, themes etc to our site. They tried to upload the .php files in the "file" location as well as in the "screenshot" location. Luckily I have enabled "admin approval" on all uploads, so was able to check it out before it was executed.

One very important question is, how do I RESTRICT the uploading of file types to a particular folder or through IntegraMOD? I've tried disabling .php files through the ACP but obviously that hasn't worked. Is there a .htaccess file and command we can add to a folder that can restrict the ability to upload a particular file type?

Thanks,
Binh
Last edited by binh.tang on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
binh.tang
Members
Members
 
Posts: 43
Likes: 0 post
Liked in: 0 post
Joined: Tue Feb 06, 2007 12:11 pm
Cash on hand: 0.00

Re: Hacked by php files being uploaded into pafiledb folder

PostAuthor: Helter » Wed Aug 22, 2007 2:04 pm

try adding it to acp/extensions/forbidden extensions
Last edited by Helter on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
Always use Protection
Image


Please do not PM for support
User avatar
Helter
Administrator
Administrator
 
Posts: 4167
Likes: 0 post
Liked in: 0 post
Images: 0
Joined: Sat Mar 11, 2006 3:46 pm
Cash on hand: 172.60
Location: Seattle Wa
IntegraMOD version: IM 3

Re: Hacked by php files being uploaded into pafiledb folder

PostAuthor: binh.tang » Wed Aug 22, 2007 8:43 pm

Thanks for that HelterSkelter.

I have tried adding the php extension in acp/extensions/forbidden extensions before but it didn't work. However, since you mentioned it again, I thought I would try putting in ".php" instead (previously it was only just "php" without the "." in front of it).

As it turns out, after adding this, I tried uploading a test .php file and YEH! The forbidden rule worked and it wouldn't allow for the file to be uploaded.

HOWEVER, I was able to upload the test .php file into the [Screenshots] field though. This meant that they are still able to execute the .php .script if they just upload it into the "Screenshot" area instead.

I've attached a screenshot of this.

[flash=,:3gzeza8d]http://img204.imageshack.us/img204/3193/abletouploadphpfileintowj3.png[/flash:3gzeza8d]
Last edited by binh.tang on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
binh.tang
Members
Members
 
Posts: 43
Likes: 0 post
Liked in: 0 post
Joined: Tue Feb 06, 2007 12:11 pm
Cash on hand: 0.00

PostAuthor: jwernerny » Fri Aug 24, 2007 5:27 am

If you are on a shared host, you might want to check to make sure that the files are really being uploaded to your account, not that they are being put in some other way. I know the C99 shell (ch99.php?) is capable of replicating itself to ALL writable directories once it has been put on the server. Thus, on a shared host, it is possible that someone else may have provided the doorway to the server (by using some other portal -- it couldn't be IM:)) and then told the .script to replicate itself in all writable directories (this is a button in the .script).

As another protection to people putting files on your site, you may want to add the following to the .htaccess files in each of the open directories
Code: Select all
Options -MultiViews<Limit>Order Allow,DenyDeny from All</Limit>


I forget who suggested it, but it seems to have helped me in the past. I also don't claim to know much about the magic of the .htaccess file. (Here is a good reference I just dug up]http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#per11[/url])

BTW, I have to hand it to the .script writers of these hacker tools. They are getting pretty powerful and easy to use. Too bad they aren't being used for good purposes.

- John
Last edited by jwernerny on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
jwernerny
Members
Members
 
Posts: 87
Likes: 0 post
Liked in: 0 post
Joined: Wed Apr 12, 2006 3:58 am
Cash on hand: 0.00
Location: Fairport, NY

PostAuthor: binh.tang » Thu Dec 27, 2007 11:15 pm

Thanks jwernerny for the hint here.

What does your code do specifically?

Options -MultiViews
<Limit>
Order Allow,Deny
Deny from All
</Limit>
Last edited by binh.tang on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
binh.tang
Members
Members
 
Posts: 43
Likes: 0 post
Liked in: 0 post
Joined: Tue Feb 06, 2007 12:11 pm
Cash on hand: 0.00

Re: Hacked by php files being uploaded into pafiledb folder

PostAuthor: CaNNon » Fri Dec 28, 2007 6:23 pm

That controls "Content Negotiation" and most hosts will have it off already so it may not help you.


[url=http]http://www.integramod.com/forum/viewtopic.php?t=4204[/url]

you can apply that to your site just use the folders that are 777 in the install file.
The last code box down has a easy to use/mod rule to stop file types from running.
Last edited by CaNNon on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
Image
Image
User avatar
CaNNon
Sr Integra Member
Sr Integra Member
 
Posts: 750
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 19, 2007 11:15 am
Cash on hand: 0.00

PostAuthor: binh.tang » Fri Dec 28, 2007 7:48 pm

Thanks CaNNon for that. I have replied to your other topic.

Your line of code worked out GREAT!!!!!

Very helpful.
I do hope others will see it and use it on their site as without it, it's a huge security hole for hackers.
Last edited by binh.tang on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
binh.tang
Members
Members
 
Posts: 43
Likes: 0 post
Liked in: 0 post
Joined: Tue Feb 06, 2007 12:11 pm
Cash on hand: 0.00

Re: Hacked by php files being uploaded into pafiledb folder

PostAuthor: CaNNon » Fri Dec 28, 2007 11:54 pm

Your welcome, and i hope they work well for you. <img>
Last edited by CaNNon on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
Image
Image
User avatar
CaNNon
Sr Integra Member
Sr Integra Member
 
Posts: 750
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 19, 2007 11:15 am
Cash on hand: 0.00

PostAuthor: binh.tang » Sat Dec 29, 2007 2:00 am

Yeh, they're working great. I just wished I had known about it earlier (and avoided the site being hacked 4 times).

Take care.
Last edited by binh.tang on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
User avatar
binh.tang
Members
Members
 
Posts: 43
Likes: 0 post
Liked in: 0 post
Joined: Tue Feb 06, 2007 12:11 pm
Cash on hand: 0.00

Re: Hacked by php files being uploaded into pafiledb folder

PostAuthor: CaNNon » Sat Dec 29, 2007 1:36 pm

If you wish a little more protection check this tread too. It tracks web crawlers (bots)
but it also has a security system to help stop a lot of attacks.

I have never run 1.40, but I pretty sure it would work.
[url=http]http://www.integramod.com/forum/viewtopic.php?t=4209[/url]
Last edited by CaNNon on Wed Dec 31, 1969 4:00 pm, edited 1 time in total.
Image
Image
User avatar
CaNNon
Sr Integra Member
Sr Integra Member
 
Posts: 750
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 19, 2007 11:15 am
Cash on hand: 0.00


Return to IntegraMOD 140

Who is online

Registered users: Bing [Bot], Google [Bot]

cron