c99

Support for IntegraMOD 141


PostAuthor: DjPorkchop » Sat Oct 27, 2007 1:10 pm

Your phpBB Version: 2.0.22
phpBB Type: Integramod 141
MODs: No
Your knowledge: Basic Knowledge
Board URL: http://mweva.com

PHP Version:
MySQL Version:


What was done before the problem appeared?
Nothing. Basic plain jane install. Only thing different is the site's banner.


What was done to try to solve the problem?
Reset permissions for uploads



Description and Message

Hello all. A while back my site was hacked and the ONLY mods installed were activity mod and AUCG.

I uploaded a fresh site on my server, I turned open base directories OFF, PHP safe mode ON, and register globals OFF.

The site is not being used and is basically a sitting duck waiting to be hacked just for finding out how they do it.

Today, I go and see that anonymous uploaded a c99.php file to the pafiledb screenshots folder. I thought php was supposed to be blocked by default. I go into my acp and double check the blocked extensions and sure enough php is on there, yet I STILL got a php file uploaded to my server that we all know we don't want on our servers. Especially c99.php.

So far, this has been the only one that has got by ctracker and phpbb security so far that I know of. Checked all of my logs and etc, and all is fine elsewhere. This was the only file that was uploaded.

Since I saw this, I have once again set permissions how they should be to only allow admin to upload.

I don't know if anyone else has ever had this happen before. I just wanted to get the word out to you all here.
"Don't gain the world and lose your soul, wisdom is better than silver and gold" -Bob Marley

If you build it, I can break it! ~ Whispered in the tone of the movie Field of Dreams.

Re: c99

PostAuthor: CaNNon » Sat Oct 27, 2007 3:21 pm

This is why I posted this thread.

http://www.integramod.com/forum/viewtopic.php?t=4204

Although this package has good security, you can't ignore the basics.
Any folder that you can upload to or just access from the web needs to be protected.

As an example, allowing uploads to your clients is a really nice feature, so you should have a .htaccess rule in that folder that stops any code the server could run.

Also you're right: if they did get a php file in that folder it didn't pass the mod's filters, they would have needed another way to upload that shell.

** edit **
You Allowed guests to use uploads? Am I rereading that right?

Re: c99

PostAuthor: DjPorkchop » Sun Oct 28, 2007 10:31 am

Yes, guests were allowed to upload and it was an oversight on my part in all reality. Ordinarily I'd never do that.

But I was more amazed that the filters didn't filter out a php file and delete it immediately. Lesson learned. Just because something says so, doesn't exactly mean it's so. Since then I have turned off guest posting, turned off guest and registered uploading as well.

Like I said, I put that site back online due to my love for the Integramod project and wanted to see how and if they got in how they were doing it so I could report back here and get a few of these things solved and help the community as a whole and not just for myself as a single user.

I have double checked my database and config files and searched everywhere else and found nothing out of the ordinary at all. Also did a double take at my server logs and all is good to go there as well. Of course with a ban of the IP that was used to upload the c99 file.

Now here's where it gets kind of funny. The file that was uploaded went directly to the screenshots folder. There was never actually a file in the downloads folder at all, yet the file still showed up in the downloads category, and it was NEVER validated by an admin as it is set up to use.

Lessons learned.

Re: c99

PostAuthor: CaNNon » Sun Oct 28, 2007 11:11 am

> Of course with a ban of the IP that was used to upload the c99 file.

That would probably just be a proxy, still a good choice. Look over the thread I pointed you to. Apache can help, especially with those chmod 777 folders.

I wonder if there is a way you can find out what the file was uploaded as?
You know it may have had a different extension like c99.gif and then was renamed to run it; this would bypass the filters on upload.

Code:
# block viewing of the apache htaccess files from the web.
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Block indexing of folders and files from the web.
IndexIgnore *

Make sure you have those in your .htaccess file; it will block them from seeing your files and folders from the web and that helps.

Re: c99

PostAuthor: DjPorkchop » Sun Oct 28, 2007 5:40 pm

Yeah, I will be doing the actions you stated in that other thread to my IM Portal site as well.

The file name was c99.php.gif

It was only uploaded; it was never accessed that I can find anywhere at all.

And thanks for pointing that thread out to me, much appreciated.

Re: c99

PostAuthor: CaNNon » Sun Oct 28, 2007 5:52 pm

That figures, good thing they didn't get to fix up the extension.

Re: c99

PostAuthor: DjPorkchop » Thu Nov 01, 2007 11:55 am

I just found another as well. The funny thing is, it was labeled just plain ol' index.php.

I knew for a fact there was no index.php supposed to be in that file at all, so I deleted it. BUT I first downloaded it to my pc with ftp and scanned it and sure enough, it was c99 shell. Lovely, ehh? Now I know. I'm gonna take and make sure every single file has a blank index.html file as well as do your .hta solution that you linked to in the prior reply.

Re: c99

PostAuthor: CaNNon » Thu Nov 01, 2007 2:05 pm

> Lovely, ehh? Now I know. I'm gonna take and make sure every single file has a blank index.html file.

I'm not sure what your thinking is, could you give a little more info?

Re: c99

PostAuthor: DjPorkchop » Thu Nov 01, 2007 7:30 pm

Not a blank html file, I meant an index.html file that just says integramod like all the other files have, to help keep prying eyes out, as Helterskelter suggested to another user in a different thread a while back. That way instead of seeing the directory index, all they see is a web page that says integramod.

Re: c99

PostAuthor: CaNNon » Thu Nov 01, 2007 8:08 pm

Or you could just add .html to this line in the .htaccess rules.
AddHandler cgi-script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgi

This way you would also be blocking them from getting any html file to run, including an html defacement script, should they find a way to get one to a covered folder.

That line is very helpful; add any file type and, once you add it, it will no longer run.

Also I don't think you'll be seeing any indexing or index.html files run using the htaccess I posted, as Apache will not respond to any requests to a covered folder. It will only answer to localhost and to any IP you add to the allow. Every other IP gets denied! Doesn't matter what they ask for.
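As an added example (not code from this thread or from IntegraMOD), a Python upload-name check and folder audit covering both points raised above: the c99.php.gif double extension and the AddHandler extension list. Apache's mod_mime reads every extension of a filename, so a name like c99.php.gif still carries the .php handler; a filter that only looks at the last extension passes it. The image allowlist, the sample listing and the screenshots/ paths are assumptions.

```python
import os

# Extensions the thread's AddHandler line hands to a script handler, plus .html
# as CaNNon suggests. Apache's mod_mime reads every extension of a name, so a
# file called c99.php.gif still carries the .php handler; check them all.
SCRIPT_EXTS = {"php", "js", "pl", "py", "jsp", "asp", "htm", "html",
               "shtml", "sh", "cgi"}
# What a screenshots folder legitimately holds (assumed allowlist).
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}


def upload_allowed(filename):
    """Return (ok, reason): reject any scriptable extension anywhere in the
    name, then require the final extension to be on the image allowlist."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":  # no extension, or dotfile (.htaccess)
        return False, "no usable extension in %r" % base
    exts = parts[1:]
    for ext in exts:
        if ext in SCRIPT_EXTS:
            return False, "script extension %r in %r" % (ext, base)
    if exts[-1] not in IMAGE_EXTS:
        return False, "extension %r not on allowlist" % exts[-1]
    return True, "ok"


def find_suspicious(listing, expected=("index.html",)):
    """Audit an existing upload folder. `listing` holds (path, first bytes);
    flags names the allowlist rejects and image-named files whose content
    opens with a PHP tag, i.e. a shell waiting to be renamed."""
    findings = []
    for path, head in listing:
        name = os.path.basename(path)
        if name in expected:  # the placeholder index.html the thread recommends
            continue
        ok, reason = upload_allowed(name)
        if not ok:
            findings.append((path, reason))
        elif head.lstrip().startswith(b"<?php"):
            findings.append((path, "image extension but PHP content"))
    return findings


# Constructed sample listing, not taken from the poster's server.
SAMPLE_LISTING = [
    ("screenshots/index.html", b"<html>integramod</html>"),
    ("screenshots/shot1.gif", b"GIF89a\x01\x00"),
    ("screenshots/c99.php.gif", b"<?php /* constructed */"),
    ("screenshots/index.php", b"<?php /* constructed */"),
    ("screenshots/shot2.gif", b"  <?php /* constructed */"),
]
```

Running find_suspicious(SAMPLE_LISTING) flags the double-extension file, the stray index.php and the image-named file with PHP content, while the placeholder index.html and a real GIF pass.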

Re: c99

PostAuthor: DjPorkchop » Fri Nov 02, 2007 7:30 am

Nice. I have dropped in all the .hta files last night. I'm going to try and go through everything today and see if all is still good to go after the addition of the .hta files.

Re: c99

PostAuthor: CaNNon » Fri Nov 02, 2007 9:56 am

If you don't add your IP to the allow right away, you can test this by trying to open an index.html file in a covered folder.

Re: c99

PostAuthor: DjPorkchop » Sun Nov 11, 2007 10:57 am

Well, I haven't forgotten about this topic. It is still on top of the list. I went back and removed the files temporarily due to my site giving me the pink screen of death every time I click on something.

Once I get it sorted out, I'm gonna drop the hta files back in and start checking file functions after that.

I know it sounds stupid to take them out, but I didn't want more errors on my site until I get rid of the pink screens first. Most of the files and folders I would need to check after doing this, I get errors in already due to Ctracker.

I'll keep posting back.

Re: c99

PostAuthor: ThePlague » Sun Nov 11, 2007 11:02 am

MWE_001 wrote:
> The site is not being used etc etc...

Just a suggestion, but I would edit the above paragraph out of your post.
As a user of many CMSs, forums and other web software, I am only too aware that hackers do indeed join or read forums to look for people that advertise their URLs to hack, as well as search popular search engines for common strings and URLs amongst other methods.

Giving them a heads up on what you are up to defeats the object in my opinion.

just an idea!!

Re: c99

PostAuthor: CaNNon » Sun Nov 11, 2007 11:26 am

> Like I said, I put that site back online due to my love for the Integramod project and wanted to see how and if they got in how they were doing it so I could report back here and get a few of these things solved and help the community as a whole and not just for myself as a single user.

I think he knows.

Re: c99

PostAuthor: DjPorkchop » Sun Nov 11, 2007 12:49 pm

I have most of my Ctracker messages debugged now. I'm going to go ahead and add the hta files back in now and start testing and see if I get any errors as you suggested previously.

Will report back in here in a little bit.