Web-APP.org Articles : Security : Member's Website Hacked - WebAPP Web Automated Perl Portal

About | Contact | Help

Advertisement

View All Advertisements

Topics: Newsletter | FAQ | Announcements | News | Editorials | Perl | Programming | Bugs | Linux | Security | Internet | Viruses | Old News | All

Member's Website Hacked

Published on Mar 26 2007 at 23:47 GMT. Written by bantychick.

Security

A site which will remain unnamed that was running 0.9.9.6 without the Username Hijacking Patch was hacked on the 24th of March, from IP 195.175.37.6 .

We have been on alert for this type of event since reading reports quoted from "Monty53" on another site, where he claimed to have gained unauthorized admin access to two sites running WebAPP version 0.9.9.6. I have seen the logs of these visits to the site that was hacked, and it is apparent that he was indeed able to gain access as "admin" username.

We recommend to install the recently released Username Hijacking Patch to help stop this from happening at your site and to watch for the next release of WebAPP to be released as a more complete solution to that and other security problems that have been uncovered since 0.9.9.6 release.

No one has tried to access this site using that exploit since the 20th when these actions were recorded in our data error log here for the web-app.org site:

code:

 
03/20/07 at 16:37:28 MST Guest 203.144.143.8  
All Recent web-app.org/cgi-bin/index.cgi?action=editprofile&username=$root unknown  
03/20/07 at 16:36:29 MST Guest 203.144.143.8  
All Recent web-app.org/cgi-bin/index.cgi?action=editprofile3&username=admin thepwd=; theuid=$root unknown  
03/20/07 at 16:32:17 MST Guest 203.144.143.8  
All Recent web-app.org/cgi-bin/index.cgi?action=forum thepwd=; theuid=admin%00 http://www.web-app.org/cgi-bin/index.cgi?action=forum

You can see at the end of the recorded string for the visit the cookie values used by a would-be intruder who was caught by the data error in his cookie.

No sign of anything like this here since.

Printer Friendly version - Member's Website Hacked

Log in to use this feature

(3417 reads)

There are 22 articles in this category. See all articles by bantychick or all articles in Security

Comments on this article:

Member's Website Hacked | 7 comments | | Sign Up

The comments are owned by the poster. We aren't responsible for its content.
Only registered members may comment on articles.

IP was a Proxy

Written on 03/26/07 at 23:50:59 GMT by bantychick

This IP 195.175.37.6 has been previously recorded on many occasions, including some near the time and date of this attack, as being used as a proxy for IP 85.164.234.225 visiting web-app.org, where we use special logging tools to record both the proxy and the real IP. The same IP/Proxy has been recorded with various user agent strings, including Google Bot.

Also 203.144.143.8 has been recorded as proxy for that same IP:

code:
03/19/07 at 19:16:01 MST All Recent by: IP username Guest 203.144.143.8 85.164.234.225 - - Visited: /cgi-bin/index.cgi From: http://www.web-app.org/cgi-bin/index.cgi Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Hard to Believe...

Written on 03/27/07 at 20:07:04 GMT by my2cents

all of it, ain't it? I don't see why it doesn't all seem just so clear. Oh well, we're still here, what counts, or should, to us I guess...

just thought I'd remind you, since you reminded me :)
To my site today has been got not authorized admin

Written on 03/28/07 at 17:21:34 GMT by almond

Today from 195.175.37.6 IP-address has been got not authorized administrative access to my site http://konnekt.format-c.ru.
The hacker, at first sight, has not shown any destructive activity.
The files placed in archive Username Hijacking Patch, earlier have been copied by me in a directory user-lib, however it has not assisted.
- re: To my site today has been got not authorized admin
  
  Written on 03/28/07 at 17:42:02 GMT by bantychick
  
  Sorry, almond, about that. We found some more needed to complete the patch and are getting a new release out shortly that will surely cover it. Thank you very much for the report.
  - re: re: To my site today has been got not authorized admin
    
    Written on 03/28/07 at 17:49:27 GMT by almond
    
    In general, whether correctly I have understood, what files of patches simply enough to copy in a directory user-lib?
    Thanks for the answer. With impatience I wait for new release.
    Also excuse for mine not the best English.
    - re: re: re: To my site today has been got not authorized admin
      
      Written on 03/28/07 at 17:53:02 GMT by bantychick
      
      Files were meant to be copied to the user-lib like you did. Thing is, there was something overlooked in the original that was still overlooked in the patch. So we think we have it covered now for the next release. There are many files with security work for the next release - too many to release as a simple patch. It won't be long - it's ready now.
Continuation

Written on 03/28/07 at 18:10:50 GMT by almond

With IP 195.175.37.6 research of structure of my site, however now under a guest login proceeds. Probably, activity of the hacker complicates that a content of a site in Russian a little.

Topics | Articles | Top Reads | Vote for Stories

Main Menu

Support

Translations

Development

News

Log In

Online Now

0 Member(s)
6 Guest(s)
2 Robot(s):
Yahoo!
MSN
Most ever on: 124
Membership: 2431

Welcome to our newest member: yoyo

Recent Discussions

Frontpage.pl - Aug 23 2010 at 21:31 GMT by Jos

Are Family Courts In America Biased? - Aug 20 2010 at 19:07 GMT by Baruti M. Kamau

Should I be concerned about this error message? - Aug 8 2010 at 3:45 GMT by Baruti M. Kamau

Free Posts For Web-APP Users - Aug 8 2010 at 3:34 GMT by Baruti M. Kamau

Pregnant KFC Manager Beat Up - Jul 25 2010 at 16:56 GMT by Baruti M. Kamau

Web-App 1.0 - "to do list" - Jul 24 2010 at 3:35 GMT by foobar

User Authentication System - Jul 24 2010 at 3:28 GMT by foobar

iframe doesn't work in articles version0.9.9.9 - Jul 23 2010 at 10:24 GMT by Jos

Layout of Newsletter - Jul 13 2010 at 22:39 GMT by HeinzEric

what the blank happened? - Jul 2 2010 at 4:59 GMT by Jos

Home Page

Favorites

TO_TOP_ALT

About | Contact | Help | Recommend | Statistics

This site was made with WebAPP - Automated Perl Portal v1.0 Alpha,
a web portal system written in Perl.
WebAPP is free software, and its code is Open Source.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are the responsibility of the Poster.

Template design from "WebAPP Standard" theme (v0.9.9.9, 2008) design by my2cents, as evolved from "WebAPP Standard" (v0.9.6, 2003)