View Single Post
  #24  
Old 10-10-2013, 06:09 PM
ice9 ice9 is offline
 
Join Date: Jun 2003
Posts: 34
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It looks like a way to detect which forums have been successfully compromised.

Google for a compromised forum, as described in my last post. Then, append &ech to the url. You should see a blank page that contains only "0101".

So, maybe it goes like this:

1. Use /install directory exploit to add new admin users.
2. Login to admincp interface, and install plugin.
3. Check which forums return "0101" when &ech is appended to their url.
4. Deface the forums that are returning "0101".

--------------- Added [DATE]1381433980[/DATE] at [TIME]1381433980[/TIME] ---------------

Here's the IP and user agent that tried to access my admincp directory on Oct. 9th, and failed about 30 times:

178.158.214.36
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Also, this IP, same user agent: 46.183.218.214 .

It's going like this (I've asterisked out my admincp directory):

178.158.214.36 - - [09/Oct/2013:15:26:43 -0500] "GET /forum/install/upgrade.php HTTP/1.0" 200 13295 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:44 -0500] "POST /forum/install/upgrade.php HTTP/1.0" 200 279 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
178.158.214.36 - - [09/Oct/2013:15:26:45 -0500] "GET /forum/******/index.php HTTP/1.0" 401 401 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like they're testing for the existence of /forum/install/upgrade.php, then POST'ing to it (assumedly adding the new admin username). Then they try to access the admincp directory, but you can see here how they're being denied (401) because of the .htaccess directory protection on the admincp directory.
Reply With Quote
2 благодарности(ей) от:
tbworld
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01092 seconds
  • Memory Usage 1,769KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_box_bit
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 

Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete