Hacking problems

Nuke Cadet Joined: Jan 28, 2003 Posts: 8 Location: USA

I have been hacked twice over the past two weeks using phpNuke as the entrance. I am running phpNuke 5.6 on a Linux server. Can someone give me some advice on how should I CHMOD the files and directories and if there is any other tip that will help me to secure my site?
Thanks

Nuke Soldier Joined: Jan 15, 2003 Posts: 26 Location: USA

I'll let someone else be specific on CHMOD for 5.6... I know that everything previous to 6.x needed some things 777, which create security risks. After 6.x, everything written to the config went to the DB instead of config.php, so you could tighten up permissions. You might consider upgrading if that will solve the problem.

What I did want to ask is, exactly HOW are they hacking you, and what are they doing once they get in? That will help us figure out a possible solution for you.

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Welcome to the site. http://computercops.biz focuses on security patches for php-nuke. Take a stroll over there and check out the PHP-Nuke downloads section. Some of which were incorporated into Nuke 6.

Nuke Cadet Joined: Jan 28, 2003 Posts: 8 Location: USA

Wizarium:
I found that they broke in the first time through the pictures subfolder of MyEgallery which was CHMOD 777 to allow users to upload their pictures.
They uploaded a file that allowed them to CHMOD everything to 777. Then they uploaded a file mail.tar which changed the information in the mail folder. So far this is the only information I have been able to gather. What happened after they untar the mail.tar file is still unknown. Finally, they changed muy index.php file to their file showing a devil's face, giving their nicknames and saying "bye admin".

Joined: Jan 31, 2004 Posts: -88

don't you have my_eGallery set up to only allow certain file types????

ArtificialIntel

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

That is a problem. Whenever you allow someone to upload files to your system there is the potential for exploit. I haven't seen my_egallery yet, but if it doesn't have a subroutine to watch for this stuff then you get hacked. Can you post the code section for the upload?

Posted: Tue Jan 28, 2003 9:52 am

Code:

<?
function listcategories($dir){
global
$gallerypath,
$prefix;
$dossier = opendir($dir);
$category = "";
while ($file = readdir($dossier)) {
if ($file != "." && $file != ".." && $file!="thumb"){
   if (is_dir($dir."/".$file)){
      $galloc = substr($dir."/".$file, strlen("$gallerypath/"));
      $result = mysql_query("select gallid from $prefix"._gallery_categories." where galloc='$galloc'");
      if ($result) {
         list($gid) = mysql_fetch_array($result);
         $category .= "$gid ";
      }
      $category .= listcategories("$dir/$file");
   }
}
}
return $category;
}
function upload_file() {
global
   $name,
$font,
$galleryvar,
   $basepath,
   $user,
   $gallerypath,
   $prefix,
   $baseurl;
galleryHeader();
OpenTable();
$size = $maxSize/1000;
$nav = navigationGall();
   echo "
   <table border=\"0\" width=\"100%\">
   <tr>
      <td width=\"100%\" align=\"center\">
         $nav<br>
         <font class=\"".$font['title']."\">"._GALUPLOADMEDIA."</font>
      <br><br>
      </td>
   </tr>
   <tr><td align=\"center\">";
if (is_user($user) || !$galleryvar['anonpostpics']) {
echo " <form enctype=\"multipart/form-data\" action=\"".$baseurl."\" method=\"post\">
   <input type=\"hidden\" name=\"do\" value=\"upload\">
   <table border=\"0\" cellpadding=\"5\" cellspacing=\"0\"><tr>
      <td align=\"left\" valign=\"top\" >
      <font class=\"".$font['normal']."\">"._GALSELECTCATEGORY."</font><br>
   <select name=\"Category\">";
      $categories = listcategories("$gallerypath");
      if (isset($categories) && $categories!="") {
         $categories = explode(" ", trim($categories));
         while(list($key, $val) = each($categories)) {
            if (is_user($user))
               $result = mysql_query("select gallid, gallname, parent from $prefix"._gallery_categories." where visible>0 and gallid=".$val);
            else
               $result = mysql_query("select gallid, gallname, parent from $prefix"._gallery_categories." where visible>1 and gallid=".$val);
            if (mysql_num_rows($result)>0) {
               list($gallid, $gallname, $parent) = mysql_fetch_row($result);
               $nbtabs = indent($gallid);
               $tab = "";
               for($k=0; $k<$nbtabs; $k++)
                  $tab .= "  ";
               echo "<option value=\"$gallid\">$tab$gallname</option>\n";
            }
         }
      }
   echo "
      </select><br><br>
      <font class=\"".$font['normal']."\">"._GALMEDIANAME."<br></font>
         <input type=\"text\" name=\"MediaName\" size=\"14\" value=\"\"><br><br>
      <font class=\"".$font['normal']."\">"._GALFILENAME."</font><br>";
      if ($galleryvar['limitSize'])
         echo "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"$maxSize\">";
      echo "
         <input type=\"file\" name=\"userfile\" size=\"14\"><br><br>
      <font class=\"".$font['normal']."\">"._GALSUBMITTER."</font><br>";
         if (is_user($user)) {
            $userdata=cookiedecode($user);
            echo "<input type=\"hidden\" name=\"Submitter\" value=\"".$userdata[1]."\">\n";
            echo "<b>".$userdata[1]."</b><br><br>";
         }
         else
            echo "<input type=\"text\" name=\"Submitter\" size=\"14\"><br><br>";
      echo "
      </td>
      <td align=\"left\" valign=\"top\"><font class=\"".$font['normal']."\">"._GALDESCRIPTION."</font><br>
   <textarea name=\"Description\" rows=\"10\" cols=\"25\"></textarea>
      </td></tr>
   <tr><td align=\"center\" colspan=\"2\"><input type=\"submit\" value=\"Upload\" name=\"add\"></td></tr>
</table>
</form>
   <table border=\"0\">
   <tr>
      <td align=\"center\">
      <font class=\"".$font['normal']."\">";
      if ($galleryvar['limitSize'])
         echo "".sprintf(_GALMAXSIZEPOST,$size)." <br>";
      echo _GALCLICKONCE."
      </font>
      </td>
   </tr>
   </table>";
}
else
      echo "<p align=\"center\"><font class=\"".$font['normal']."\">"._GALREGISTER2POSTPICS."</font></p>";
echo "
   </td></tr>
</table>
   ";
CloseTable();
galleryFooter();
}
function Add($gid, $file, $submitter, $medianame, $description, $userfile, $userfile_name, $userfile_size) {
global
$user,
$font,
$galleryvar,
$basepath,
$temppath,
$prefix;
$sql = "select img from $prefix"._gallery_pictures." where gid=$gid and img='$file'";
//echo $sql;
$result = mysql_query($sql);
$numrows = mysql_num_rows($result);
$navgall = navigationGall();
if ($file==$galleryvar['GalleryPictureName'] || $numrows>0) {
galleryHeader();
OpenTable();
print '<table border="0" width="100%" align="center" cellpadding="0">'
.'<tr><td>'.$navgall;
echo "<br>";
echo "<center><b>"._GALPICALREADYEXT."</b><br><br>"
   .""._GOBACK."";
print '</td></tr></table>';
CloseTable();
galleryFooter();
}
else {
   if(is_user($user)) {
   $user2 = base64_decode($user);
   $cookie = explode(":", $user2);
   cookiedecode($user);
   $submitter = $cookie[1];
   }
// Check if Media Name exist
   if (!isset($medianame) || $medianame=="") {
   galleryHeader();
   echo "<br>";
   OpenTable();
   print '<table border="0" width="100%" align="center" cellpadding="0">'
.'<tr><td>'.$navgall;
   echo "<br>";
   echo "<center><b>"._GALPICNONAME."</b><br><br>"
      .""._GOBACK."";
   print '</td></tr></table>';
   CloseTable();
   galleryFooter();
   }
   else
// Check if Description exist
   if (!isset($description) || $description=="") {
   galleryHeader();
   echo "<br>";
   OpenTable();
   print '<table border="0" width="100%" align="center" cellpadding="0">'
.'<tr><td>'.$navgall;
   echo "<center><b>"._GALPICNODESC."</b><br><br>"
      .""._GOBACK."";
   print '</td></tr></table>';
   CloseTable();
   galleryFooter();
   }
   else
// Check if Description exist
   if (!isset($submitter) || $submitter=="") {
   galleryHeader();
   echo "<br>";
   OpenTable();
   print '<table border="0" width="100%" align="center" cellpadding="0">'
.'<tr><td>'.$navgall;
   echo "<br>";
   echo "<center><b>"._GALPICNOSUBMITTER."</b><br><br>"
      .""._GOBACK."";
   print '</td></tr></table>';
   CloseTable();
   galleryFooter();
   }
   else {
   $medianame = FixQuotes($medianame);
   $description = FixQuotes($description);
   $wdir = "/";
   $upload_return = UploadFile($temppath, $userfile, $userfile_name, $userfile_size);
   //echo "public uploadFile.php : $upload_return<br>";
   if ($upload_return=="OK") {
      $ext = substr($file, (strrpos($file,'.') + 1));
      list($type) = mysql_fetch_row(mysql_query("select filetype from $prefix"._gallery_media_types." where extension='$ext'"));
      $wdir = "/";

      switch($type) {
         case 1 :
            $size = @getimagesize($temppath.$wdir.$file);
            break;
         case 3 :
            $size[0] = 320;
            $size[1] = 240;
            break;
         default:
            $size[0] = 0;
            $size[1] = 0;
            break;
      }
      $file = traite_nom_fichier($file);
      if ($size!=NULL)
         $sql = "insert into $prefix"._gallery_pictures_newpicture." (pid, gid, img, counter, submitter, date, name, description, votes, rate, extension, width, height) values(NULL, $gid, '$file', 0, '$submitter', now(), '$medianame', '$description', 0, 0, '$ext', ".$size[0].", ".$size[1].")";
      else
         $sql = "insert into $prefix"._gallery_pictures_newpicture." (pid, gid, img, counter, submitter, date, name, description, votes, rate, extension, width, height) values(NULL, $gid, '$file', 0, '$submitter', now(), '$medianame', '$description', 0, 0, '$ext', 0, 0)";
      //echo $sql;
      mysql_query($sql);
   }
   else
      return $upload_return;
   return "OK";
}
}
}
?>

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Do you have the gallery running on a site I can test?

Joined: Jan 31, 2004 Posts: -88

it's on my site

ArtificialINtel

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Ok... I'll test it in a moment.

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Ok, tried to upload via this link:

http://the-sci-factor.ods.org/modules.php?op=modload&name=My_eGallery&file=index&do=upload

But I get "Please Register first!". I click the Register hyperlink and get this:

http://the-sci-factor.ods.org/user.php

Looks like that register link needs updating.

Next question I'd like to know is, is there a standard location where uploaded files are placed pending approval?

Posted: Tue Jan 28, 2003 2:22 pm

I have that gallery as well but have disabled it as i prefer Gallery, i do know it has a temp folder but i'm not sure if uploaded files get sent here or directly to the gallery/album_name_dir instead.

Joined: Jan 31, 2004 Posts: -88

yeah, soz, forgot about that. I set that up cause i decided that if it was limited to user uploading only, it'd secure it a bit better.

THe Gallery was originally released for nuke 5.5 so the links should have been right. However, they obviously aren't so I'll take a look @ the code and update it a bit (including hte mod to the new SQL layer)

ArtificialIntel

Joined: Jan 31, 2004 Posts: -88

ur files uploaded to a temp directory. The module needs an extreme re-write of all it's SQL functions.

ArtificialIntel

Nuke Cops Founder Joined: Nov 14, 2002 Posts: 5939

Question is, is that temp directory assigned by you or the system? And if by the system, what is its path?