Hacked yesterday!

Support for IntegraMOD 141

Moderator: Integra Moderator

Hacked yesterday!

Post by Ezra » Fri Sep 28, 2007 2:59 am

Hi all,

My board was hacked yesterday and I'm currently in the process of re-uploading my website. But somehow they managed to upload PHP files to some writeable dirs of IntegraMOD. I think the leak is within the software, because other websites on the same server weren't infected.

I'll attach the POST command that I found in my Apache log. Can anyone say anything about this? And how can I prevent it from happening again? Thanks!

Greetings,
Ezra
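Added example (written for this thread, not code from the original post or from IntegraMOD): the pattern Ezra describes, a POST that succeeds and is followed by requests for a script inside a directory the board has to keep writeable, can be pulled out of an Apache access log automatically. The log lines below are constructed; the client addresses, timestamps and the handler name /forum/upload.php are placeholders and not a claim about any specific IntegraMOD script, while the dropped filename 47pfq9wd.php is the one named in the AV log later in the thread. WRITABLE_DIRS is an assumed layout to adjust to the real install.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (placeholders, see the note above).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2007:22:14:03 +0200] "GET /forum/index.php HTTP/1.1" 200 18342 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2007:22:14:41 +0200] "POST /forum/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2007:22:15:02 +0200] "GET /forum/backup/47pfq9wd.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2007:22:15:09 +0200] "POST /forum/backup/47pfq9wd.php HTTP/1.1" 200 96 "-" "Mozilla/4.0"
198.51.100.23 - - [27/Sep/2007:22:16:30 +0200] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Sep/2007:22:17:00 +0200] "POST /forum/posting.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Directories the board must be able to write to (assumed layout; adjust to your install).
WRITABLE_DIRS = ("/forum/backup/", "/forum/images/avatars/", "/forum/files/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions a typical Apache/mod_php host will execute, also as a middle extension.
EXEC_EXT = re.compile(r"\.(php\d*|phtml|phps|phar)(\.|$)", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
        records.append(rec)
    return records


def in_writable_dir(path, writable_dirs=WRITABLE_DIRS):
    return any(path.startswith(d) for d in writable_dirs)


def scripts_hit_in_writable_dirs(text, writable_dirs=WRITABLE_DIRS):
    """Every script path under a writeable dir that the server actually served (200).
    Nothing should ever execute there, so each hit is worth a look on its own."""
    return {r["path"] for r in parse_log(text)
            if r["status"] == 200 and EXEC_EXT.search(r["path"])
            and in_writable_dir(r["path"], writable_dirs)}


def find_webshell_drops(text, writable_dirs=WRITABLE_DIRS, window_seconds=600):
    """Correlate a successful POST with a later request, from the same client and within
    the window, for a script under a writeable dir: the drop-then-call pattern."""
    by_ip = defaultdict(list)
    for r in parse_log(text):
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] != "POST" or r["status"] >= 400:
                continue
            for later in recs[i + 1:]:
                if (later["ts"] - r["ts"]).total_seconds() > window_seconds:
                    break
                if (later["status"] == 200 and EXEC_EXT.search(later["path"])
                        and in_writable_dir(later["path"], writable_dirs)):
                    findings.append({"ip": ip, "upload_post": r["path"],
                                     "shell": later["path"], "when": later["ts"].isoformat()})
                    break  # one finding per POST is enough
    return findings


if __name__ == "__main__":
    for f in find_webshell_drops(SAMPLE_LOG):
        print("%(ip)s POSTed to %(upload_post)s, then hit %(shell)s at %(when)s" % f)
```

Run it against the real access_log instead of SAMPLE_LOG and keep the window generous; the first request to the dropped file is usually the attacker checking it works, which is why it is matched on status 200 rather than on method.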

Re: Hacked yesterday!

Post by CaNNon » Fri Sep 28, 2007 5:18 am

Ezra wrote: somehow they managed to upload php-files to some writeable dirs of Integramod.

You allowed uploads, so it could happen, but you would have had to have removed the upload security block on the "php file" type. I can see the POST command and the server answer "200", i.e. giving permission. Also, it looks like they used your backup folder, and you do need to write to that one, as it is needed for just that.

When you finish reloading it, make sure the filters on upload don't allow any files that could run on the server.

Also if you still have a copy of the file I would like to see it if possible.

Re: Hacked yesterday!

Post by Ezra » Sat Sep 29, 2007 2:52 am

CaNNon wrote: You allowed uploads, so it could happen, but you would have had to have removed the upload security block on the "php file" type. I can see the POST command and the server answer "200", i.e. giving permission. Also, it looks like they used your backup folder, and you do need to write to that one, as it is needed for just that.

When you finish reloading it, make sure the filters on upload don't allow any files that could run on the server.

Also if you still have a copy of the file I would like to see it if possible.

Hi CaNNon,

Thanks for your answer. When I go to the "forbidden extensions" panel in the ACP, it says that php, php3 and php4 are automatically forbidden extensions and that you're not able to remove them. Where else should or can I block uploading PHP files?

And unfortunately I don't have the .script file for you. Next time I will save it.

Ezra

Re: Hacked yesterday!

Post by CaNNon » Sat Sep 29, 2007 9:28 am

If they were disabled... bad omen!

Next, check all your security. Make sure you have everything updated. The latest I have tried for CrackerTracker is here: http://www.integramod.com/forum/viewtopic.php?t=4134

I would also suggest:
admin > crackertracker > Maintenance and tests >
look at "Security Test"; try to update/set as much to safe as possible.

Re: Hacked yesterday!

Post by Ezra » Sat Sep 29, 2007 2:01 pm

Damned! Got hacked again... well, maybe still. I got an email from the "RSA Anti-Fraud Command Center" that someone is using the webspace for phishing activities against "Citibank". I think they somehow own the server now, because my website is running and they are just making other directories with files in them (these contain forms and shit). If I delete them, they just reappear minutes later...

I don't know what to do....

Re: Hacked yesterday!

Post by CaNNon » Sat Sep 29, 2007 3:07 pm

Contact your host, shut it down. They must have a shell on the box somewhere.
Your .nl exploit has been showing up since 2007-09-27 on that.
I will PM you the link.

Your "http://www[dot]paradise-cafe[dot]nl/"
site is handing out trojans; do not try to connect through the web! Use extreme caution
with FTP too!

9/28/2007 17:49:46 PM AMON file 47pfq9wd.php PHP/Rst.F trojan quarantined - deleted C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine.
