Author Topic: Urgent Security Patch for album.pl  (Read 15007 times)


Offline Mike Bobbitt

Urgent Security Patch for album.pl
« on: April 30, 2003, 18:52:45 »
Due to a vulnerability, versions of album.pl prior to 6.2 may allow your web site to be hacked.

Here is the BugTraq note:

http://www.securityfocus.com/archive/1/319763/2003-04-20/2003-04-26/0

To patch earlier album versions, simply open album.pl in an editor, and search for a block of code that looks like this:

Code:
# Check to see if a configfile override was passed in
if ($form->param('configfile'))
{
   $::configfile=$form->param('configfile');
   $::configfilepassed=1;
}

Replace this entire block with the following code:

Code:
# Check to see if a configfile override was passed in
if ($form->param('configfile'))
{
   $::configfile=$form->param('configfile');

   if ($::configfile=~/[\/\\ @]/ || $::configfile=~/%20/ || $::configfile=~/%2f/ || $::configfile=~/%5c/)
   {
      error(__LINE__,"sanity","Invalid configuration file...");
   }

   if (!-e $::configfile)
   {
      error(__LINE__,"sanity","Invalid configuration file...");
   }

   $::configfilepassed=1;
}

That's it, you're fixed up. I'd still encourage you to upgrade, as there are numerous new features and bug fixes in V6.2.

Offline Dino

Re:Urgent Security Patch for album.pl
« Reply #1 on: May 01, 2003, 21:21:39 »
I got a dir called bnc that enabled a bash via php. It was installed on 4/29/03 at 11AM.

I got hacked, I guess. No damage, as far as I can tell so far.

It's serious, since it doesn't affect just the photo directory, it affects the entire website.

And since I have multiple domains on my server (customers as well as personal), this is VERY serious.

Thanks for the heads up.

Anybody know the IP address(es) of the hackers, so I can make the server reject them altogether?

"He who seeks the truth must doubt everything." (Aristotle)
"Extraordinary claims require extraordinary proof." (Sagan)

Offline Dino

Re:Urgent Security Patch for album.pl
« Reply #2 on: May 01, 2003, 21:24:59 »
Not working. Asking me to download album.pl after changes. Not ready to upgrade to 6.2. Too many custom templates.


Offline Dino

Re:Urgent Security Patch for album.pl
« Reply #3 on: May 01, 2003, 21:34:02 »
Also, my code looks a little different:

Code:
# Check to see if a configfile override was passed in
if ($form->param('configfile'))
{
   $configfile=$form->param('configfile');
   $configfilepassed=1;
}

I tried replacing it with your code, minus the double colons, and it still didn't work.

If I just delete album.pl, and upgrade later, will I be safe?


Offline Mike Bobbitt

Re:Urgent Security Patch for album.pl
« Reply #4 on: May 02, 2003, 08:22:15 »
Damn! Sorry to hear you were hit. These guys are fast and they're not fooling around.

It's asking you to download album.pl? Sounds like your web server isn't handling the filetype correctly. But when you revert back it works? (Same file?) That's bizarre! What happens if you run the modified file from a shell?

The double colons are a convention meaning "global var" and shouldn't be a problem. (I should have been using them from the start...)

If you have log files, check them for any occurrences of "configfile" in the URL and you'll be able to trace the origins of the hacks.

So far, blacklisted IPs are:


Please feel free to add to this list.

P.S. Just heard of another defacement. I now have a good handle on who is doing this, and am taking action accordingly...
« Last Edit: May 08, 2003, 07:45:56 by Mike Bobbitt »

Offline Dino

Re:Urgent Security Patch for album.pl
« Reply #5 on: May 02, 2003, 11:46:22 »
Mike, I've added those IPs to our server's blacklist. Hopefully this will keep rogues out.

Got this from my brother:

Quote
Originally posted by Peter Filias:
What was installed was BNC or Bounce.

Here is a newsgroup thread with some info on it. At first glance, it doesn't appear to be too threatening...just a server for people to bounce their IRC chats through.

Thread

So hopefully nothing else was changed on my server. I did notice a text file added to the root, which gave full access to user "nobody", along with a BNC dir with a file called shell.php, and some config files.

I'm checking all my directories to make sure nothing else was "slipped in".

I guess I'm forced to upgrade to v 6.2. :)


Offline Mike Bobbitt

Re:Urgent Security Patch for album.pl
« Reply #6 on: May 02, 2003, 14:29:17 »
Muhahah! My plan has worked! :)

Thanks for the extra info about the hack. I bet I know what was in the PHP script (I think I've seen it already).

Your web logs should tell you a lot about what was hacked, since the commands are actually in the URL so you can see what happened... (At least until they got a shell on the system, then you'll have to rely on history - which is typically wiped...)

If you need a hand with the upgrade, just let me know...

Offline Dino

Re:Urgent Security Patch for album.pl
« Reply #7 on: May 02, 2003, 17:38:57 »
Just wanted to let everybody know to be on the lookout for these files on your servers:

shell.php (bash)
ucing.txt (nobody permission to server)
syzwx.txt (???)
sluth.html (shows server dirs and files with owners)

and

index.html (overwrites your index with a file that says sluth@DAL.net)


Offline michael

Re:Urgent Security Patch for album.pl
« Reply #8 on: May 10, 2003, 00:27:58 »
I didn't hear about this in time, unfortunately. 212.108.197.19 was my attacker, however they seem to have had no malicious intent, only leaving behind a ".lol" directory with my old album.pl and replacing it in its original location with a version patched to fix this hole, as well as a couple miscellaneous files - "yoyo.html," "log", and "b," as well as a "php.php" file containing the PHP shell script and a "php.tgz" file. I've deleted everything left behind and uploaded my own patched version of album.pl and will search through to make sure they haven't left anything else behind.

Offline Mike Bobbitt

Re:Urgent Security Patch for album.pl
« Reply #9 on: May 10, 2003, 05:55:53 »
Sorry to hear about the hack, I had hoped they were pretty much over. I had sent a message out to everyone who registered album.pl with an e-mail address (on the config screen) but probably should have sent it out to all members of these forums too...

Glad to hear no real damage was done...

Offline Dino

Re:Urgent Security Patch for album.pl
« Reply #10 on: May 12, 2003, 23:11:56 »
Thanks for the update, Michael. I've blocked that IP from the server as well.

All these malicious hack attempts seem to be coming from the RIPE network, which generally comes from the Netherlands.

If anybody has a list of other IP addresses, please post them here. I'd like to block them all.


Offline fivepin

Re:Urgent Security Patch for album.pl
« Reply #11 on: June 21, 2003, 00:32:53 »
I got hacked too!! omg, I should have checked for updates sooner.

How do I tell if there is a shell installed on my server, and more importantly, how do I get RID of it?

Will simply upgrading to 6.2 solve all my problems, or is there more cleanup to do?

Offline Mike Bobbitt

Re:Urgent Security Patch for album.pl
« Reply #12 on: June 21, 2003, 07:07:39 »
Sorry to hear that. :(

Depending on what they did, there may be more cleanup than just upgrading.

If you have web access logs (most servers do) search them for "configfile" and then you'll see exactly what the attackers did to your site. If they managed to get shell access, then it'll be a lot harder to figure out what they did.

If you want to post the "configfile" log lines (or e-mail them to me if you want to be more discreet) then I can help figure out what went on.
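The log search Mike recommends here (and in Reply #4), with the same character checks the 6.2 patch applies to the configfile value, so each hit is marked as one the patched code would have rejected. This is an added example, not code from album.pl or from the thread: it is Python rather than Perl, assumes Apache common/combined log format, and its sample log lines and IPs are constructed.

```python
"""Scan Apache-style access log lines for album.pl requests that carry a
'configfile' parameter and flag those the 6.2 patch would reject. Added
example, not album.pl code; sample lines are constructed (RFC 5737 IPs)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log prefix: client IP ... [timestamp] "METHOD URI
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')

# Mirrors the patch: reject slash, backslash, space or '@' in the decoded
# value, plus the encoded forms that survive a single URL decode.
BAD_CHARS = re.compile(r'[/\\ @]')
BAD_ENCODED = re.compile(r'%20|%2f|%5c', re.IGNORECASE)

def classify(line):
    """None for lines without an album.pl configfile parameter, else a dict
    with client IP, timestamp, decoded value and a 'suspicious' verdict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('uri'))
    if not parts.path.endswith('album.pl'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if 'configfile' not in params:
        return None
    value = params['configfile'][0]  # decoded once, as CGI.pm's param() does
    suspicious = bool(BAD_CHARS.search(value) or BAD_ENCODED.search(value))
    return {'ip': m.group('ip'), 'time': m.group('ts'),
            'configfile': value, 'suspicious': suspicious}

def scan(lines):
    """Every configfile request in the log, in order, with its verdict."""
    return [r for r in map(classify, lines) if r is not None]

# Constructed sample: a normal request, an absolute path, a double-encoded
# slash (%252f decodes to %2f), and an unrelated image fetch.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2003:11:02:13 -0500] "GET /album/album.pl?configfile=album.cfg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Apr/2003:11:05:41 -0500] "GET /album/album.pl?configfile=/tmp/x.cfg HTTP/1.1" 200 310',
    '198.51.100.7 - - [29/Apr/2003:11:05:59 -0500] "GET /album/album.pl?configfile=%2e%2e%252fx.cfg HTTP/1.1" 200 310',
    '192.0.2.10 - - [29/Apr/2003:11:06:10 -0500] "GET /album/photos/pic1.jpg HTTP/1.1" 200 88213',
]

if __name__ == '__main__':
    for r in scan(SAMPLE_LOG):
        print('SUSPICIOUS' if r['suspicious'] else 'ok', r['ip'], r['time'], repr(r['configfile']))
```

Run it against your real access log with `scan(open('access_log'))`; every line it returns is a request that exercised the vulnerable parameter, and the ones flagged suspicious are where to start when reconstructing what the attacker did.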

Offline fivepin

Re:Urgent Security Patch for album.pl
« Reply #13 on: June 21, 2003, 11:56:56 »
hmmm... you know what... I think I will take this opportunity to install Win2003, after I format the drive.

I have been wanting to do it anyway....

Offline Mike Bobbitt

Re:Urgent Security Patch for album.pl
« Reply #14 on: June 22, 2003, 07:07:20 »
Cool, that'll definitely cure the problem. Sorry to have caused so much work...