Nuke Cops :: View topic - New Admin Patch and Hack Alert Hybrid Code
sting
Site Admin

Joined: Jul 24, 2003
Posts: 1985
Location: Apparently ALWAYS Online. . .

Posted: Fri Apr 23, 2004 7:11 am

Hey all.

Want the all inclusiveness of Zhen-Xjell's new beta patch, WITH the functionality of Raven's Hack Alert script?

Look no further.

Code:

/* Hack Attempt Hybrid thanks to Zhen-Xjell                       */
/* from http://www.nukecops.com and Raven                         */
/* from http://www.ravenphpscripts.com/                           */
/* To whom the Nuke community owes a lot                          */
/* Posted by Sting to Nuke Cops on 04/23/2004                     */
/* (See http://www.nukecops.com/postp120356.html#120356)          */

if (preg_match("/([dnW5uIpb2N4VUJT0iO]{5})/", $_SERVER["QUERY_STRING"])) { //Zhen-Xjell
   $loc = $_SERVER['QUERY_STRING'];//Raven
   header("Location: hackattempt.php?$loc");//Raven
   die();
}


Keep in mind since Zx's code is still in beta, this should be considered a beta hybrid...

Wink

Thanks to these two guys for doing all they have done for the nuke community - and gang, if you are going to use the script, please keep the comments in there so that the authors get the minute amount of credit.
They deserve so much more...

Thanks,
-sting

_________________
Is it paranoia if they are really out to get you?

-------------------------------------------------------
sting usually hangs out at nukehaven.net
sting
Site Admin

Joined: Jul 24, 2003
Posts: 1985
Location: Apparently ALWAYS Online. . .

Posted: Fri Apr 23, 2004 8:54 am

Keep in mind this will also inform you of the false positives...

-sting

Jeruvy
Lieutenant

Joined: Jul 09, 2003
Posts: 293

Posted: Fri Apr 23, 2004 9:20 am

Well this routine has already been lambasted in public, but let me do it here too.

Quote:
if (preg_match("/\?admin/", "$checkurl")) {
    echo "die";
    exit;
}

This filter suxx, coz we can use urlencoding or POST or COOKIE variable. But I suggest


Yes, Janek is quite correct in this statement that this filter suxx.

During a POST this filter is not used.

During a cookie session this filter is not used.

ONLY during a uri query string does this filter get used.

Does not prevent sql injection exploits.

Unless the 'fix' looks at all the potential methods of retrieving information either with GET POST or COOKIE, it should not be bypassable, which this is for instance using a POST.

_________________
J.
j e r u v y a t y a h o o d o t c o m
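Jeruvy's coverage point, as an added example that is not part of the thread and is not Zhen-Xjell's, Raven's or sting's code: the hybrid test reads only the raw `QUERY_STRING`, so the same value percent-encoded, or sent in a POST body or a cookie, never reaches the pattern. The function names and sample requests are constructed for illustration; `VU5JT04` is base64 for `UNION`, used here only as a marker.

```php
<?php
// Added example. PATTERN is the expression from sting's hybrid; the function
// names and sample requests are constructed for illustration.
const PATTERN = '/[dnW5uIpb2N4VUJT0iO]{5}/';

// The hybrid as posted: tests the raw, still-encoded query string only.
function hybrid_check(string $rawQuery): bool
{
    return preg_match(PATTERN, $rawQuery) === 1;
}

// Percent-decode until the value stops changing (bounded), so that %55 and
// %2555 are both reduced to "U" before the pattern is applied.
function fully_decoded(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode($value);
        if ($next === $value) {
            break;
        }
        $value = $next;
    }
    return $value;
}

// Walk every input source (values may be nested arrays) and return the
// locations that match, for example "POST.query".
function all_input_check(array $sources): array
{
    $hits = [];
    $walk = function ($value, string $path) use (&$walk, &$hits) {
        if (is_array($value)) {
            foreach ($value as $key => $item) {
                $walk($item, "$path.$key");
            }
        } elseif (preg_match(PATTERN, fully_decoded((string) $value)) === 1) {
            $hits[] = $path;
        }
    };
    foreach ($sources as $name => $values) {
        $walk($values, $name);
    }
    return $hits;
}

// Constructed requests: one marker value delivered four ways.
$marker = 'VU5JT04';
$requests = [
    'plain GET'   => ['name=Search&query=' . $marker, [], []],
    'encoded GET' => ['name=Search&query=%56%55%35%4A%54%30%34', [], []],
    'POST body'   => ['name=Search', ['query' => $marker], []],
    'cookie'      => ['name=Search', [], ['lang' => $marker]],
];

foreach ($requests as $label => [$rawQuery, $post, $cookie]) {
    parse_str($rawQuery, $get); // what PHP would place in $_GET
    $hits = all_input_check(['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie]);
    printf(
        "%-12s query-string check: %-4s all-input check: %s\n",
        $label,
        hybrid_check($rawQuery) ? 'hit' : 'miss',
        $hits ? implode(', ', $hits) : 'miss'
    );
}
```

Widening the inputs also widens the false positives sting mentions, because the pattern accepts any five consecutive characters from its class wherever they occur.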
Zhen-Xjell
Nuke Cops Founder

Joined: Nov 14, 2002
Posts: 5939

Posted: Fri Apr 23, 2004 9:43 am

I've been noticing lately on boards across the net that credit is not being properly assigned and historical data is being wiped out. Seeing that we're all honorable here, I want to ensure things like this survive not only in the public dictionary, but also inside code we all use.

Allevon was the founder of the technology I've seen delivered by Raven's script. Allevon has done a lot of work that has since fallen out of memory.

Myself included... I've released code that is no longer being credited to me. One such piece is the Googletap Karakas book entry. I've asked him to update that to reflect my coining of the term 'googletap' as well as being the guiding force and coder of the project.

Knowing the history of projects is a vital way to lock ourselves into PHP-Nuke. It's not a single person, but a family of developers who contribute to the internal and external code.

I ask everyone to remember this and assign credits appropriately, and to maintain those credits. It's the least one may do for code assigned GNU GPL.

Thanks

With that said... the POST isn't the issue, the GET is. GET has always been a source of contention for developers. It can be used in IMG tags against websites. POST has to be submitted as a form element by the user who has the authority. It is very difficult to hijack.

Cookie sessions are not a big deal either. Nuke already has adequate checks for this.

As to sql injection hacks, if you use all the other preventive measures I've released you'll be fine. Any sites patched that way have been fine.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
ladysilver
Lieutenant

Joined: Apr 07, 2003
Posts: 278
Location: USA

Posted: Fri Apr 23, 2004 10:38 am

I would love to use this hybrid patch because Z-X's code runs before Protector so I don't get automatic notification/banning of UNION injection attempts.

I ran into a problem with the forums, where a registered member attempted to do a search for another member's forum post. I got a hack attempt message when a member was trying to search for another member's post using the forum search. I posted info here:

http://www.nukecops.com/article-1969--0-0.html

My comment is #30 in the list.

I pm'd the member who triggered the hack alert - I wasn't sure if he/she went to the hack alert page or if it was a silent trigger. I have not gotten a reply back yet. A silent trigger doesn't worry me, but I would hate members to get sent to a warning page for looking up a post profile. Lol, yes, I want my cake and eat it too! Very Happy So is there a solution?
Darby_2k4
Nuke Soldier

Joined: Apr 15, 2004
Posts: 32

Posted: Fri Apr 23, 2004 10:44 am

I was curious if any of my hackers were actually members of my site or not, so I modified Raven's HackAttempt.php to spit out the contents of the PHPNUKE cookie, if it exists. Probably never help, but maybe once you will get lucky and one of the silly buggers will have a cookie before he hits you, well...then now you have his username and maybe other info.

Take it and enjoy it if you need it. Put my code right under the lines 33 and 34 :
Code:

$reply = '';
$msg = '';

in Raven's original script and then try it out. You SHOULD see your userid, username, etc....


Code:

/***************************************************************************/
/* SPIT OUT CONTENTS OF PHPNUKE COOKIE IF IT EXISTS                        */
/***************************************************************************/
// $user is PHP-Nuke's base64-encoded, colon-separated user cookie.
// The decoded fields include the stored password hash, so the resulting
// report should be handled as sensitive.
$msg .= "\n\n[*** PHPNUKE COOKIE: (if one exists) ***]\n";
$userDECODED = base64_decode($user);
$userINFO = explode(":", $userDECODED);
// foreach replaces while/list/each: each() was removed in PHP 8.
foreach ($userINFO as $key => $val) {
   $msg .= "$key : $val\n";
}
$msg .= "[*** END OF PHPNUKE COOKIE ***]\n\n";
/***************************************************************************/
/* END OF PHPNUKE COOKIE                                                   */
/***************************************************************************/
sting
Site Admin

Joined: Jul 24, 2003
Posts: 1985
Location: Apparently ALWAYS Online. . .

Posted: Fri Apr 23, 2004 10:47 am

Hey LadySilver

Exactly the reason I was wanting the hybrid.

Today I put it on several sites and am getting a lot of what I assume are 'false positives'.

Going to post the info to Zx and see if we can figure out what's going on with it.

-sting

ladysilver
Lieutenant

Joined: Apr 07, 2003
Posts: 278
Location: USA

Posted: Fri Apr 23, 2004 12:12 pm

I heard back from the member who ran into the problem with a forum search. If it's any help in tracking the problem, the member told me he wasn't registered when trying to do a forum search for all the posts by a specific member. He was sent to the hack page and thought the problem was because he wasn't a registered member, so he signed up. He didn't have a problem with a search when registered and logged into his account.
Raven
General

Joined: Mar 22, 2003
Posts: 5233
Location: USA

Posted: Fri Apr 23, 2004 12:17 pm

Zhen-Xjell wrote:
I've been noticing lately on boards across the net that credit is not being properly assigned and historical data is being wiped out. Seeing that we're all honorable here, I want to ensure things like this survive not only in the public dictionary, but also inside code we all use.

Allevon was the founder of the technology I've seen delivered by Raven's script. Allevon has done a lot of work that has since fallen out of memory.

Oh give us a break Paul! There is no technology involved here and your insinuations are ridiculous. Glenn did not invent any technology that I am using. The PHP Developers did. My 'code' simply does an stristr() search and performs an action and nothing else! Doing a whois lookup is once again a PHP technology. Do you think that Glenn was the first one to do that? Quit trying to bullshit the novices here with your double-speak. As I said in the article attack by you on the front page, you are stooping to new lows, even for you. What are you so afraid of? Why can't you be and let be?

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff
IACOJ
Major

Joined: Jan 15, 2003
Posts: 1269
Location: USA

Posted: Fri Apr 23, 2004 1:42 pm

You know Raven, you were awfully busy shooting your mouth off about how this site is run while there were server issues. If it is run so poorly why do you come here again? Hmmmmm... let's think about it for a second.... I know, it's because every time you ask Paul for help he is there to help you. Let's not forget the people you refer to as "novices" and "newbies". Seems to me the last security patch you released was actually fixed several months before with one of Paul's patches, but that didn't stop you from taking credit for it. Let's not get into who is trying to bullshit who.

There was no attack on the front page as you put it. All that happened was Paul posted a beta code for something that it never would have occurred to you to even look at, and he pointed out the very obvious flaw in your patch. In point of fact every time something like this happens, I'm sure you remember the last time, it is you or someone else who used to be on staff here that feels the need to stir the pot a little bit.

You can go into how you were on staff before me if you want to, I really don't care. The simple fact of the matter is I know Paul better than you ever will. Every time you open your mouth up about him it actually shows how childish you are, how jealous you are, and how very little you actually know about him. Hmm... Let's see, you mentioned you were in your 50's, then why don't you try acting like an adult instead of resorting to these pathetic attempts at baiting Paul or anyone else into having a pointless finger pointing session.

_________________
http://castlecops.com
Microsoft MVP Windows-Security 2005
allevon
Site Mod

Joined: Nov 22, 2002
Posts: 716
Location: New Jersey

Posted: Fri Apr 23, 2004 2:14 pm

I see the point ZX is making regarding the historical background. A lot of times, people have to decompile mods or programs to use certain concepts or codes in other places. I do that a lot. When I make code, I try to make it as universal as possible for integrations into the VARIOUS clients I have.

What he's saying by that post, is that the concept AND/OR maybe at the very least, basic code processes, was aggressively put into action by myself before the general public went with it or new ones arose. So some notes of recognition and tools should be added. I keep the notes and copyright crap that I borrowed in the readme with my own instructions and other crap pertaining to the tool for public download.

Mine works similarly in the current ways of all this hybrid stuff. My system recognizes the IP, clears the cookie if any, and emails me automatically all in one. I also manually add the IPs to various firewalls and shithead lists I maintain for destructive purposes when things are slow. I started using it about 2 years ago with ALOT of critisism from the piles of shitheads who thought I was too heavy-handed or over-cautious by banning first and asking questions later. Hence a big reason why I faded for a while and just worked in the back. Because dealing with HackingHomos/TrojanFags/ImpotentSpamFags and their supporters publicly, wasnt worth my time.

When I finally went public with the HackingHomos, All hell broke loose. Then others started to create their own banning modules like Protector and Gay Boobs broken down crapshit ban. Different ways of addresssing the issue, but again, most came after my implementation and controversial debates of hacking homo fags and their tactics.

All ZX is trying to say I believe, is that mentioning of ideas, code snippets etc. should be addressed at some point. That way, newbies and oldtimers, can see the progression of development for either their inspiration or modifications. As any historical studies would attest. Had we/Eisenhower not studied Cochise and his tactics of the 1870's, through historical study, D-Day would have been a Nazi win. right? Nein Sieg Heil Fur Mich, verstehen?

No harm in spending a few moments with a couple of honorable mentions.

_________________
"Give Me Liberty, Or Give Hackerz Death!!!"
Patrick Henry Revised for 21st century.
Let The Bodies Hit The Floor! Let The Bodies Hit The Floor!
Darby_2k4
Nuke Soldier

Joined: Apr 15, 2004
Posts: 32

Posted: Fri Apr 23, 2004 4:05 pm

Not to interrupt this love fest, but what is wrong with Protector? I have been using it, since I switched over to PHPNuke and if there is some issue with the product could you fill me in please? Not looking for a fight, nor am I defending Protector, I just want to know if I am using a product that has been proven to be pointless/unnecessary/whatever. I *think* that it does a good job for its purpose but I have hardly had the time to delve into the engine of Nuke thoroughly yet so maybe it doesn't do the job. A little insight s.v.p.

Also, I have instituted RavenScript's hack script, along with just about every other script protection that I found that seemed even slightly relevant. Now I know that XZ has stated that it isn't necessary IF you have applied all his other patches. Not to be rude (and I don't know enough of either of the combatants in this little war to take a side either way, so I am not agreeing with anyone), but I don't know if I have every relevant patch or not.

Sure I applied every serious looking (I can actually read the code and regexp's being used so I don't bother with redundant "hackprevention" code) but there might be other links to other hack preventions on this site that I couldn't find. A search for "hacks" brings back pages and pages and pages of hits. The Security forum also has pages of articles to wade through and it takes some doing.

So, for someone using the most current release (7.0/1 for us non-club members) what would you say is the MUSTHAVE patches for a secure system?
Darby_2k4
Nuke Soldier

Joined: Apr 15, 2004
Posts: 32

Posted: Fri Apr 23, 2004 5:40 pm

ladysilver wrote:
I heard back from the member who ran into the problem with a forum search. If it's any help in tracking the problem, the member told me he wasn't registered when trying to do a forum search for all the posts by a specific member. He was sent to the hack page and thought the problem was because he wasn't a registered member, so he signed up. He didn't have a problem with a search when registered and logged into his account.


I ran into this problem, as well, Lady (nice KMA image btw) and I think it has to do with the "sid" for each forum message. The sids are random characters for each post. Odds are that 5 of the characters in that forum post were in the expression being searched for in Paul's script. I made a suggestion, in a comment below that script, about how to get around it (by searching for "query=" in front of the base64 encoded UNION), but I don't know if it is valid or not. (Plus I slapped the expression in without consulting my handy Solaris RegExp guide so the preg is probably wrong. I haven't had to do any actual greps in a long time so I would need to verify the expression first.)

Hopefully we will know soon enough....
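Darby_2k4's explanation for the false positives can be checked numerically. The added example below (not code from the thread or from any of the scripts discussed) computes how often a random sid by itself matches the hybrid's pattern; the 32-character lowercase-hex sid format and the sample query strings are assumptions.

```php
<?php
// Added example. PATTERN is the expression from the hybrid; the 32-character
// lowercase-hex sid format and the sample query strings are assumptions.
const PATTERN = '/[dnW5uIpb2N4VUJT0iO]{5}/';
const CLASS_CHARS = 'dnW5uIpb2N4VUJT0iO';
const HEX = '0123456789abcdef';

// Characters of $alphabet that the pattern's character class accepts.
function accepted_chars(string $alphabet): array
{
    return array_values(array_filter(
        str_split($alphabet),
        function ($c) { return strpos(CLASS_CHARS, $c) !== false; }
    ));
}

// Exact probability that $length characters drawn uniformly from $alphabet
// contain $run consecutive accepted characters, i.e. that the pattern matches.
function trigger_probability(string $alphabet, int $length, int $run = 5): float
{
    $p = count(accepted_chars($alphabet)) / strlen($alphabet);
    // $state[$k]: probability that no match has occurred yet and the current
    // streak of accepted characters has length $k.
    $state = array_fill(0, $run, 0.0);
    $state[0] = 1.0;
    $matched = 0.0;
    for ($i = 0; $i < $length; $i++) {
        $next = array_fill(0, $run, 0.0);
        foreach ($state as $k => $mass) {
            $next[0] += $mass * (1 - $p);        // streak broken
            if ($k + 1 === $run) {
                $matched += $mass * $p;          // fifth in a row: match
            } else {
                $next[$k + 1] += $mass * $p;     // streak extended
            }
        }
        $state = $next;
    }
    return $matched;
}

// Cross-check: apply the real pattern to randomly generated sids.
function sampled_rate(int $trials): float
{
    $hits = 0;
    for ($i = 0; $i < $trials; $i++) {
        $hits += preg_match(PATTERN, bin2hex(random_bytes(16)));
    }
    return $hits / $trials;
}

printf("hex digits accepted by the class: %s\n", implode(' ', accepted_chars(HEX)));
printf("exact rate for a 32-hex sid:      %.4f\n", trigger_probability(HEX, 32));
printf("sampled rate over 20000 sids:     %.4f\n", sampled_rate(20000));

// Constructed guest search requests: same query, different sid.
foreach (['0d5b24c7', '0d5bc247'] as $prefix) {
    $query = 'name=Forums&file=search&search_author=someone&sid='
        . $prefix . str_repeat('a', 24);
    printf("sid=%s... %s\n", $prefix, preg_match(PATTERN, $query) ? 'flagged' : 'passes');
}
```

Six of the sixteen hex digits (0, 2, 4, 5, b, d) are in the character class, so under these assumptions about 13% of sids trip the filter with no injection present. That would fit the guest-only search failure ladysilver reports, assuming the sid is carried in the URL only for visitors without a session cookie.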
VinDSL
Site Admin

Joined: Jul 08, 2003
Posts: 1193
Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs

Posted: Fri Apr 23, 2004 5:51 pm

Darby_2k4 wrote:
Take it and enjoy it if you need it. Put my code right under the lines 33 and 34 :
Code:

$reply = '';
$msg = '';

in Raven's original script and then try it out. You SHOULD see your userid, username, etc....


Code:

/***************************************************************************/
/* SPIT OUT CONTENTS OF PHPNUKE COOKIE IF IT EXISTS                        */
/***************************************************************************/
// $user is PHP-Nuke's base64-encoded, colon-separated user cookie.
// The decoded fields include the stored password hash, so the resulting
// report should be handled as sensitive.
$msg .= "\n\n[*** PHPNUKE COOKIE: (if one exists) ***]\n";
$userDECODED = base64_decode($user);
$userINFO = explode(":", $userDECODED);
// foreach replaces while/list/each: each() was removed in PHP 8.
foreach ($userINFO as $key => $val) {
   $msg .= "$key : $val\n";
}
$msg .= "[*** END OF PHPNUKE COOKIE ***]\n\n";
/***************************************************************************/
/* END OF PHPNUKE COOKIE                                                   */
/***************************************************************************/


Woo hoo! Give the man a cigar!

I added your tweak and attempted a 'UNION' hack without auth. Reports were normal. I attempted a hack with admin auth. Normal again. Then I attempted a hack with user auth. Bingo! My cookie was laid bare...

Nice one!

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.
Zhen-Xjell
Nuke Cops Founder

Joined: Nov 14, 2002
Posts: 5939

Posted: Fri Apr 23, 2004 6:26 pm

Raven wrote:
Zhen-Xjell wrote:
I've been noticing lately on boards across the net that credit is not being properly assigned and historical data is being wiped out. Seeing that we're all honorable here, I want to ensure things like this survive not only in the public dictionary, but also inside code we all use.

Allevon was the founder of the technology I've seen delivered by Raven's script. Allevon has done a lot of work that has since fallen out of memory.

Oh give us a break Paul! There is no technology involved here and your insinuations are ridiculous. Glenn did not invent any technology that I am using. The PHP Developers did. My 'code' simply does an stristr() search and performs an action and nothing else! Doing a whois lookup is once again a PHP technology. Do you think that Glenn was the first one to do that? Quit trying to bullshit the novices here with your double-speak. As I said in the article attack by you on the front page, you are stooping to new lows, even for you. What are you so afraid of? Why can't you be and let be?


You know something Raven. I've read your article on your site saying you'll reveal all that happened in the private staff forums. That there shows your true color. And secondly, you have resorted to calling my wife names:

"Now he has a pit bull with lip stick to do his attacking."

God bless you in your life, I hope that he helps you find peace and the inner beauty you so desperately seek. Being that you are twice my age, yours is an example I will not follow. Farewell.
