albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Tue Jan 31, 2006 7:05 pm Post subject: Hack on my Site |
|
There was a redirect on my site from webalbania.com to vlora.it.
The system has registered this:
On /index.php
While executing query "INSERT INTO cms_msanalysis_online ( time, uname, agent, ip_addr, host, domain, modulename, scr_res, referral, ref_query ) values ( '2006-01-31 18:07:02', 'Guest', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Sgrunt|V109|17|S191239928|dial; EnergyPlugIn; dial; XBE|29|S04037620801143; (R1 1.5); snprtz|S04045866603162)', '192.168.203.11', '192.168.203.11', '11', '', '1024x768x24', 'www.webalbania.com', 'name=Your_Account&profile=roni">alert('foo')' )"
the following error occured: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'foo')' )' at line 1
In: /home/httpd/vhosts/webalbania.com/httpdocs/modules/DF_MSAnalysis/mstrack.php on line: 101
Guest information:
User id: 1
Username: Anonymous
Admin: No
IP: 80.105.110.114
Host: host114-110.pool80105.interbusiness.it
That was the first record, and this is the second:
On /index.php
While executing query "INSERT INTO cms_msanalysis_online ( time, uname, agent, ip_addr, host, domain, modulename, scr_res, referral, ref_query ) values ( '2006-01-31 18:18:20', 'Guest', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Sgrunt|V109|17|S191239928|dial; EnergyPlugIn; dial; XBE|29|S04037620801143; (R1 1.5); snprtz|S04045866603162)', '192.168.203.11', '192.168.203.11', '11', '', '1024x768x24', 'www.webalbania.com', 'name=Your_Account&profile=anyone">alert('vlora.it_siti_me_i_me_mire')' )"
the following error occured: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'vlora.it_siti_me_i_me_mire')' )' at line 1
On /index.php
While executing query "INSERT INTO cms_msanalysis_online ( time, uname, agent, ip_addr, host, domain, modulename, scr_res, referral, ref_query ) values ( '2006-01-31 18:20:51', 'Guest', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Sgrunt|V109|17|S191239928|dial; EnergyPlugIn; dial; XBE|29|S04037620801143; (R1 1.5); snprtz|S04045866603162)', '192.168.203.11', '192.168.203.11', '11', '', '1024x768x24', 'www.webalbania.com', 'name=Your_Account&profile=anyone">location='http://www.vlora.it/';' )"
the following error occured: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://www.vlora.it/';' )' at line 1
So when I try to open my web site, the address goes to vlora.it.
Now it is OK, but can they do it again next time???
_________________ webalbania.com
albanialove's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Php 5.0.4 /MySQL 5.0.26/DF CMS 9.1.1.RC2
musox Platinum Supporter


Offline Joined: Apr 20, 2004 Posts: 325
|
Posted: Tue Jan 31, 2006 7:56 pm Post subject: Re: Hack on my Site |
|
I'm having a hard time understanding how this is a hack. I am concerned as I maintain DF MSAnalysis and if there is an exploit, I want to know and fix it ASAP.
The error is coming from the double quote after &profile=anyone. That is ending the INSERT query.
- MusOX
_________________ ../musox.com
Hosted by: Site5.com
musox's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux / 1.3.39 / 4.1.22 / 4.4.7 / 9.2.1
DJ Maze Developer


Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
|
Posted: Tue Jan 31, 2006 8:40 pm Post subject: Re: Hack on my Site |
|
There are 2 exploits here:
SQL: the data inserted into the query is not escape_string()ed
XSS: someone links to index.php?name=Your_Account&profile=roni">alert('foo') and tests whether that opens up a security exploit.
example: dragonflycms.org/index...ofile=roni">test but as you see it fails here.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
musox Platinum Supporter


Offline Joined: Apr 20, 2004 Posts: 325
|
Posted: Tue Jan 31, 2006 8:42 pm Post subject: Re: Hack on my Site |
|
As long as the issue is not with DFMSA, then I'm happy that we use Dragonfly.
- MusOX
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Wed Feb 01, 2006 9:05 am Post subject: Re: Hack on my Site |
|
Today they have done the same thing....
Help me
DJ Maze Developer


Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
|
Posted: Wed Feb 01, 2006 9:17 am Post subject: Re: Hack on my Site |
|
albanialove wrote: "Today they have done the same thing...."
Get rid of MSA
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Wed Feb 01, 2006 9:44 am Post subject: Re: Hack on my Site |
|
I have got rid of MSA, but it is the same...
DJ Maze Developer


Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
|
Posted: Wed Feb 01, 2006 12:13 pm Post subject: Re: Hack on my Site |
|
1. I'm a visitor and don't see your XSS-vulnerable block
2. server specs ?
3. browser ?
4. which non-certified add-ons are installed ?
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Wed Feb 01, 2006 11:07 pm Post subject: Re: Hack on my Site |
|
I'm on a Linux server.
Database: MySQL
Browser: for the moment Internet Explorer
All users have the same problem.... It really is a redirect to this site.
Today I spoke with the director of the host where I am, and he has seen the same thing.. the redirect.
The redirect is made on all the files included in the MySQL database, so everything on Dragonfly.
The "Hacker" has done a redirect all day...
Every 30 min he does a redirect for 3-5 min.
Probably broadcast?
So we want to know if it is a server problem or Dragonfly?
DJ Maze Developer


Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
|
Posted: Wed Feb 01, 2006 11:20 pm Post subject: Re: Hack on my Site |
|
Dragonfly version ?
User info block version ?
Other block that shows "Who is where" ?
Cos I've tested and the exploit he uses does not work on stock items.
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Wed Feb 01, 2006 11:36 pm Post subject: Re: Hack on my Site |
|
They are all the newest versions, Dragonfly 9.0.6.1.
On January 24, 2006 I updated the site because I changed server, so this is where I am:
dragonflycms.org/Forum...14628.html
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Thu Feb 02, 2006 8:54 am Post subject: Re: Hack on my Site |
|
If you try, in a few moments you can see the redirect...
www.webalbania.com
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Thu Feb 02, 2006 9:09 am Post subject: Re: Hack on my Site |
|
Look at this on my HTML page:
These are the users online:
2: <a href="index.php?name=Your_Account&profile=KLEOPATRA">KLEOPATRA</a> > <a href="/">Faqa kryesore</a><br />
3: <a href="index.php?name=Your_Account&profile=milano">milano</a> > <a href="/">Faqa kryesore</a><br />
<img src="images/blocks/visitors.gif" alt="" /> <span class="content"><b>Vizitor(ë):</b></span><br />1: <a href="/index.php"> Faqa kryesore</a><br />
2: <a href="/index.php?name=Your_Account&profile=anyone"><script>location='http://www.vlora.it/';</script>"> Your Account</a><br />3: <a href="/index.php?name=coppermine&file=displayimage&meta=lastcom&cat=0&pos=7"> Albumet Fotografike</a><br />
</td>
DJ Maze Developer


Offline Joined: Apr 19, 2004 Posts: 5683 Location: http://tinyurl.com/5z8dmv
|
Posted: Thu Feb 02, 2006 11:16 am Post subject: Re: Hack on my Site |
|
OK, I've figured it out.
My Firefox encodes the URL: "> becomes %22%3E, but IE and others don't encode it.
Due to this I thought we had already covered the issue, but it seems we didn't.
Get this fix: dragonflycms.org/cvs/h...?v=9.24#85
albanialove Nice poster


Offline Joined: Dec 13, 2004 Posts: 83
|
Posted: Thu Feb 02, 2006 11:43 am Post subject: Re: Hack on my Site |
|
I have copied only this:
| PHP: |
<?php
function get_uri()
{
    if (ereg('IIS', $_SERVER['SERVER_SOFTWARE']) && isset($_SERVER['SCRIPT_NAME'])) {
        $REQUEST_URI = $_SERVER['SCRIPT_NAME'];
        if (isset($_SERVER['QUERY_STRING'])) {
            $REQUEST_URI .= '?'.$_SERVER['QUERY_STRING'];
        }
    } else {
        $REQUEST_URI = $_SERVER['REQUEST_URI'];
    }
    # firefox encodes url by default but others don't
    $REQUEST_URI = urldecode($REQUEST_URI);
    # encode the url " %22 and <> %3C%3E
    $REQUEST_URI = str_replace('"', '%22', $REQUEST_URI);
    $REQUEST_URI = preg_replace('#([\x3C\x3E])#e', '"%".bin2hex(\'\\1\')', $REQUEST_URI);
    $REQUEST_URI = substr($REQUEST_URI, 0, strlen($REQUEST_URI)-strlen(stristr($REQUEST_URI, '&CMSSESSID')));
    return $REQUEST_URI;
}
|
Thanks DJ Maze, you are the best on here.
Roni
|
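The two problems DJ Maze names in this thread (unescaped data in the tracking INSERT, and a request URI echoed into the visitors block) can also be handled at the point of use. The following is an added example, not Dragonfly or DF_MSAnalysis code: a bound-parameter insert plus output encoding with htmlspecialchars(). The table `visits`, both function names and the in-memory SQLite database are assumptions for illustration, and it targets current PHP with the pdo_sqlite driver.

```php
<?php
// Added example; names (visits, record_visit, render_visitor_link) are hypothetical.

function record_visit(PDO $db, string $agent, string $refQuery): void
{
    // Bound parameters: a quote inside $refQuery can no longer terminate the
    // string literal, which is what caused the MySQL syntax errors in the first post.
    $stmt = $db->prepare('INSERT INTO visits (time, agent, ref_query) VALUES (?, ?, ?)');
    $stmt->execute([date('Y-m-d H:i:s'), $agent, $refQuery]);
}

function render_visitor_link(string $uri, string $label): string
{
    // Encode for the HTML attribute and text contexts at output time, so the
    // result does not depend on whether the browser pre-encoded the URL.
    return '<a href="' . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample: the request as sent by a browser that does not encode `">`.
$uri = '/index.php?name=Your_Account&profile=anyone"><script>alert(\'foo\')</script>';
list(, $query) = explode('?', $uri, 2);

// In-memory SQLite stands in for the CMS database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (time TEXT, agent TEXT, ref_query TEXT)');

record_visit($db, 'Mozilla/4.0 (compatible; MSIE 6.0)', $query);
$stored = $db->query('SELECT ref_query FROM visits')->fetchColumn();

// The value is stored verbatim as data, without a syntax error.
echo 'stored verbatim: ', var_export($stored === $query, true), "\n";

// The link is emitted as inert text; no <script> element reaches the page.
$html = render_visitor_link($uri, 'Your Account');
echo 'script tag present: ', var_export(strpos($html, '<script>') !== false, true), "\n";
echo $html, "\n";
```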