Site exploited!
Issue description
Someone has managed to exploit my site and modify a link:
http://www.ngr78.co.uk/articles/71
Notice the date and username are missing.
I am getting hold of the server logs.
Comments
| Bernard from nearby-an-airport Associate, 6581 posts | Nick, I suppose you had installed 7.6.3 before the exploit? Whatever response, please send me your logs by e-mail for further analysis. |
| Bernard from nearby-an-airport Associate, 6581 posts | Also, please change the password or suppress user profiles member, editor and subscriber, which have well-known passwords, and should be used only on private development servers. |
| Bernard from nearby-an-airport Associate, 6581 posts | As an associate, you should edit the alien link to identify the nick name that has been used to post it. |
| NickR from West Yorkshire, UK, 327 posts | "Nick, I suppose you had installed 7.6.3 before the exploit? Whatever response, please send me your logs by e-mail for further analysis." Yup, 7.6.3 installed. We suspect it was a server-specific attack, rather than YACS-specific. ----- Nick |
| NickR from West Yorkshire, UK, 327 posts | "As an associate, you should edit the alien link to identify the nick name that has been used to post it." "Last edition by" is not displayed. ----- Nick |
| NickR from West Yorkshire, UK, 327 posts | "Also, please change the password or suppress user profiles member, editor and subscriber, which have well-known passwords, and should be used only on private development servers." My password has been changed already. ----- Nick |
| Bernard from nearby-an-airport Associate, 6581 posts | ""Last edition by" is not displayed." From the Control Panel, click on the Links in the database overview to get a list of recent links with contributors. |
| NickR from West Yorkshire, UK, 327 posts | "From the Control Panel, click on the Links in the database overview to get a list of recent links with contributors." Still not shown! ----- Nick |
| Bernard from nearby-an-airport Associate, 6581 posts | Is it specific to this link? I mean, do you have other links showing nick names or not? |
| NickR from West Yorkshire, UK, 327 posts | "Is it specific to this link? I mean, do you have other links showing nick names or not?" No, it's just one link. ----- Nick |
| Bernard from nearby-an-airport Associate, 6581 posts | NickR: You are confirming, then, that this is a hack since no regular nick name has been recorded with the link. |
| NickR from West Yorkshire, UK, 327 posts | "NickR: You are confirming, then, that this is a hack since no regular nick name has been recorded with the link." Yes. Will find out more when we get the server logs. ----- Nick |
| NickR from West Yorkshire, UK, 327 posts | Well, no server logs, as we just had the server upgraded and logging was turned off. Anyhow, someone's updated it again today, so logging is back on and I will let you know next time it happens. Nick. ----- Nick |
| Bernard from nearby-an-airport Associate, 6581 posts | NickR: What about the database engine? Is it safe enough? |
| NickR from West Yorkshire, UK, 327 posts | "NickR: What about the database engine? Is it safe enough?" The link today is a new link, not a changed one. Apart from this one link, everything else checks out fine. I changed YACS and server passwords and backed up everything. Nick |
| NickR from West Yorkshire, UK, 327 posts | Finally logged it... This corresponds with when the link was updated:
[20/Oct/2007:05:14:17 +0100] "POST /links/trackback.php/article/48 HTTP/1.1" 200 78
And it is an isolated line of code. I also noticed this same URL being posted to many times (by a different IP address):
POST http://www.ngr78.co.uk/links/trackback.php/article/links/trackback.php HTTP/1.1" 200 8569
----- Nick |
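The access-log lines above are the evidence that pointed at the trackback form. As an added example (not code from the thread or from YACS), this Python snippet parses Apache combined-format lines and flags any client address that POSTs to the trackback endpoint repeatedly inside a short window; the sample lines are constructed from the thread's entries, using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-format access-log line, as quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: documentation-range IPs, paths taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2007:05:14:17 +0100] "POST /links/trackback.php/article/48 HTTP/1.1" 200 78
198.51.100.9 - - [20/Oct/2007:06:01:02 +0100] "POST /links/trackback.php/article/links/trackback.php HTTP/1.1" 200 8569
198.51.100.9 - - [20/Oct/2007:06:01:05 +0100] "POST /links/trackback.php/article/links/trackback.php HTTP/1.1" 200 8569
198.51.100.9 - - [20/Oct/2007:06:02:40 +0100] "POST /links/trackback.php/article/links/trackback.php HTTP/1.1" 200 8569
192.0.2.33 - - [20/Oct/2007:07:15:00 +0100] "GET /articles/71 HTTP/1.1" 200 5120
""".splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def trackback_bursts(lines, threshold=3, window_seconds=600):
    """Map client IP -> largest count of trackback POSTs inside any
    window_seconds interval, keeping only IPs that reach threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and "/links/trackback.php" in rec["path"]:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until the span fits window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged
```

Running `trackback_bursts(SAMPLE_LOG)` reports only the address that repeated the malformed trackback path, which is the pattern Nick saw.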
| NickR from West Yorkshire, UK, 327 posts | Having looked more closely at the issue, I realise that they have simply used the trackback form... Basically trackback spam > This is not a bug, but I will look into how we can combat such bad practices. ----- Nick |
| NickR from West Yorkshire, UK, 327 posts | Here is my first improvement, a reverse IP lookup. This makes sure that the IP of the URL sent for trackback matches the IP address that sends the HTTP POST. NOT TESTED. I placed this function in links\link.php
function verifyurlip($url, $ip) {
    global $context;
    // keep only digits and dots so nothing but a dotted-quad address is compared
    $ip = preg_replace('/[^0-9.]/', '', $ip);
    $items = @parse_url($url);
    // an unparsable URL or one without a host cannot be verified: reject it
    if (!$items || empty($items['host']))
        return FALSE;
    // sent by the form on this host, so there is nothing to verify
    if (gethostbyaddr($ip) == $context['host_name'])
        return TRUE;
    // the claimed source host must resolve to the address that sent the POST
    $reverseip = gethostbyname($items['host']);
    if ($reverseip != $ip) {
        return FALSE;
    } else {
        return TRUE;
    }
}
It is then called in links\trackback.php at line 138 (7.6.3) after we check we have an anchor, before we check the source does not already exist. I reused a fault code, so I guess a real code would need to be used.
// the first argument must be the source URL posted by the remote site;
// the fault is raised when verification fails, so the result is negated
elseif(!Link::verifyurlip($anchor, $_SERVER['REMOTE_ADDR']))
    $response = array('faultCode' => 16, 'faultString' => 'IP address does not match source');
The other improvement I suggest is implementing a captcha for the form. |
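The check Nick describes (does the host named in the trackback's source URL resolve to the address that sent the POST?) is written below in Python as an added example; it is not the YACS code or Nick's PHP. It accepts any A or AAAA record of the host rather than the single address gethostbyname() returns, and fails closed on unparsable URLs, non-http schemes, malformed addresses and lookup errors. The DNS table, host name and addresses are constructed so the example runs offline; `resolve_all` is the live resolver a deployment would use.

```python
import socket
from ipaddress import ip_address
from urllib.parse import urlsplit


def resolve_all(host):
    """All IPv4/IPv6 addresses the host resolves to; raises OSError if none."""
    infos = socket.getaddrinfo(host, None)
    return {ip_address(info[4][0]) for info in infos}


# Constructed DNS table for offline use: hypothetical name, documentation addresses.
CONSTRUCTED_DNS = {
    "blog.example.com": ["203.0.113.10", "2001:db8::10"],
}


def table_resolver(host):
    """Stand-in for resolve_all() that answers only from CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError("constructed NXDOMAIN for %s" % host)
    return {ip_address(a) for a in CONSTRUCTED_DNS[host]}


def verify_source_ip(source_url, remote_addr, resolver=resolve_all):
    """True only if source_url is an http(s) URL whose host resolves to the
    address that actually sent the trackback POST (REMOTE_ADDR)."""
    parts = urlsplit(source_url)
    # only web URLs can be trackback sources; anything else is rejected outright
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        remote = ip_address(remote_addr)
    except ValueError:
        # REMOTE_ADDR that is not a valid address: nothing sensible to compare
        return False
    try:
        candidates = resolver(parts.hostname)
    except OSError:
        # unresolvable host: fail closed instead of accepting the trackback
        return False
    return remote in candidates
```

A sender that posts from the very host named in its URL still passes, so this filters only the cheap spam runs; it complements the captcha Bernard added rather than replacing it.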
| Bernard from nearby-an-airport Associate, 6581 posts | Based on your suggestion, I have added a captcha on the trackback form, and additional tests on originating hosts for remote requests. Hope this will help stop trackback spammers for a while... This will be part of the 8.1 release. Thanks for the trick. |
| NickR from West Yorkshire, UK, 327 posts | Cheers. BTW, since I implemented that code on my site I have had no further problems. Nick. My Website: NGR78 |
Posted by NickR on Oct. 9, 2007, commented by NickR on Jan. 18.
