 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 92
 Members: 0
 Total: 92
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
my_eGallery exploits, trying to secure |
|
 Posted: Wed Aug 24, 2005 12:14 am |
 |
|
| canadaka |
| Regular user |
 |
|
| Joined: Aug 24, 2005 |
| Posts: 5 |
|
|
|
 |
|
 |
|
I run a fairly large Canadian Content site called "Canada Kicks Rainbow Brite"
www.canadaka.net has been hacked many times over the last 5 years, but just in the past week or so its been hacked 3 times.
The 3 recent hacks were all simular, they added a index.html file to the site root with there hacker tag.
Each hack also did some other stuff, one managed to empty the authors table, one deleted all the site content-tables, modules and block tables.
Luckely I keep pretty good daily backups of things, so wasn't a huge problem.
But i am really wondering how they manage to upload this file to the server. Neither time it never loaded because index.php takes presidence over index.html on my server. The latest hack actualy places this index.html in EVERY www root folder of all the domains I host on my server.
Here are the latst hack index html files I saved:
http://www.canadaka.net/hacks/index_01.html
http://www.canadaka.net/hacks/index_02.html
http://www.canadaka.net/hacks/index_03.html
http://www.canadaka.net/hacks/index_04.html
At the time i was running phpnuke 7.6 and an older NukeSentinel
Today i re-installed phpnuke7.6 patched 3.1, applied my modds, and the newest NukeSentinel.
I know by looking at Sentinel i get TONS of hack attemps specialy author attacks. So it does a good job of stopping that. but this one got through.
I really want to find out how they uploaded files to the site, maybe its a server security issue and not phpnuke.
Server:
Windows Server 2003
IIS 6
PHP Version 5.0.3
MySQL Server 4.1
"Internet Guest Account" has only read permissions to the root folder, only "System" and "Administrators" have write permission. |
|
|
|
|
|
|
|
|
| Posted: Wed Aug 24, 2005 12:14 am |
|
|
| canadaka |
| Regular user |
|
|
| Joined: Aug 24, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Wed Aug 24, 2005 12:16 am |
|
|
| canadaka |
| Regular user |
|
|
| Joined: Aug 24, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
I saw chatserv say this on another site:
"As far as i know MeG has not been patched and its vulnerabilities are of such magnitude that an attacker can hack any site hosted on the same server even if they are not the ones using MeG."
This is what happened to me, all my sites had a file place sin there www. So that hack atleast was probably through my_egallery.
I want to figure out how this was done and try and fix it.
I'm trying this in my php.ini as recommended here:
http://www.webhostingtalk.com/archive/thread/261901-1.html
disable_functions = system, exec, shell_exec
------------------
I also have register_globals enabled in my php.ini, because of some older php scripts i have on some of my sites, i will try and upgrade these to I can turn this off, since everyone says its very unsafe. Can anyone explain why that is so? |
|
|
|
|
|
|
|
|
| Posted: Thu Sep 01, 2005 8:21 pm |
|
|
| canadaka |
| Regular user |
|
|
| Joined: Aug 24, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
bump  |
|
|
|
|
| Posted: Tue Sep 06, 2005 2:36 pm |
|
|
| LINUX |
| Moderator |
 |
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
you need one upload system? only use you ftp account i not recommend upload scripts.
i look your index pages defaced, dont worry is only script kiddies boys, you talk whit you hosting for disable exec functions and check if you hosting have correct rules for close reverse connections. |
|
|
|
|
| Posted: Tue Sep 06, 2005 7:41 pm |
|
|
| canadaka |
| Regular user |
|
|
| Joined: Aug 24, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
thanks for the reply, I kinda need the upload script, I get new picture submissions from visitors/members daily.
I host my own site on my rackserver, I have disabled exec functions and put php in safemode, disable globals.
what is "close reverse connections"? |
|
|
|
|
|
|
|
|
| Posted: Wed Sep 07, 2005 2:37 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
i recomend read this http://www.thc.org/papers/fw-backd.htm
| Code: | | An intelligent hacker will not try to put the backdoors on machines in the firewall segment, because these machines are usually monitored and checked regulary. It's the internal machines which are usually unprotected and without much administration and security checks. |
| Code: | Stateful Filters:
Here a hacker must use programs which initiates the connection from the secure network to his external 0wned server. There are many out there which could be used:
active:
tunnel from Phrack 52.
ssh with the -R option (much better than tunnel ... it's a legtimitate program on a computer and it encrypts the datastream).
passive:
netcat compiled with the execute option and run with a time option to connect to the hacker machine (ftp.avian.org).
reverse_shell from the thc-uht1.tgz package (see above) does the same.
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
