Site Maintenance: Program updates, securing your website, creating backups.
#1
|
Registered User
Fresh Surpasser
Joined in May 2005
8 posts
Gave thanks: 0
Thanked 0 times
sh89 hacked around Jan 2006?
I was checking out my webalizer stats via the control panel and noticed that there'd been a huge surge in traffic starting mid Jan to early Feb 2006.
It looked like many of the referrers were Google search result pages. The requested pages themselves looked like pages with cracked passwords, and porn uploaders. I checked my filesystem and there appears to be no trace of these files anymore. In any case, the traffic is starting to tail off now. Looking at the URLs, it looked as if someone had used an exploit in coppermine gallery. However, when I looked more closely, it looked as if they'd also used an exploit in menalto gallery *and* pivot. Admittedly, I've been sloppy about keeping these apps up-to-date on my hosting account, but it does make me suspicious. Finally, I noticed that most of the pages mentioned in the webalizer pages were just static pages that had been created in certain directories which had 0777 perms. I find it incredibly surprising that a remote user could have discovered all these directories with 0777 perms, even if there were very similar exploits in the coppermine, gallery and pivot apps. I find it surprising because in one case, the hacker seemed to have got past my .htaccess file which disables indexes (even though the containing dir had 0777 perms). Could it be that someone got shell access to sh89 and then just dropped these pages that way? Can anyone confirm this?
#2
|
is scientific.
Resident.
Joined in Mar 2004
Lives in fear of Obama.
Hosted on Pass 7
13,117 posts
Gave thanks: 8
Thanked 34 times
It depends on the exploit itself. Sometimes, the person is able to change the permissions on files and folders. You should contact support and have them look into this.
#3
|
DemonicAngel
Super #1
Joined in Aug 2004
Lives in Wherever The World Takes Me
Hosted on Pass76
1,847 posts
Gave thanks: 28
Thanked 35 times
Some scripts don't really check what is being uploaded.
Let's say you allow people to upload files to http://yoursite.com/uploads. If you check extensions of files, that can only go so far, because let's say you allow .rar's. If I upload php_attacking_your_server.php.rar I can then type http://yoursite.com/uploads.php_atta...server.php.rar and do what I want (depending on what the script was coded to do). That's why I've gone to uploading stuff to MySQL, and then the only scripts accessing the data have a header thing to force downloads...
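As an added example (not code from the thread or from any of the posters), here is a Python filename check that puts the point of post #3 into practice: a "last extension only" test accepts php_attacking_your_server.php.rar, because Apache's mod_mime treats every dot-separated suffix as an extension and can still hand the file to the PHP handler. The hardened check inspects every suffix, rejects anything that could be interpreted, and stores the file under a single allow-listed extension; the extension lists and the header helper for the "force download" approach are constructed for this example.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, Optional

# Extensions the upload form is meant to accept (constructed example list).
ALLOWED = {"rar", "zip", "jpg", "png", "txt"}
# Suffixes a web server may route to an interpreter wherever they appear in
# the name (constructed list; extend it to match the handlers on your host).
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "shtml", "htaccess"}


def last_extension_only(name: str) -> bool:
    """The weak check described in the post: looks only at the final suffix."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in ALLOWED


def safe_upload_name(name: str) -> Optional[str]:
    """Hardened check. Returns the name to store, or None to reject the upload."""
    base = PurePosixPath(name).name            # strip any directory components
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None                            # no extension, or a dotfile
    *stem_parts, ext = parts
    if ext not in ALLOWED:
        return None
    if any(p in EXECUTABLE for p in stem_parts):
        return None                            # "x.php.rar" is stopped here
    # Collapse every remaining dot so the stored name has exactly one suffix.
    stem = re.sub(r"[^a-z0-9_-]", "_", ".".join(stem_parts))[:64] or "file"
    return f"{stem}.{ext}"


def download_headers(stored_name: str) -> Dict[str, str]:
    """Headers for serving a stored upload as an opaque download, the way the
    post describes: the browser saves it instead of rendering or running it."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```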