sNews Forum

Website Talk => Web Programming => Topic started by: Fred K on January 31, 2007, 01:53:41 am

Title: Help with burning hackers
Post by: Fred K on January 31, 2007, 01:53:41 am
Hi,
Following the direct snews exploit attack, detailed elsewhere on this forum, I thought that after implementing the various security fixes I --my sites rather-- was fairly safe. Ba-ha. It appears that they have switched tactics and are now using an exploit for a vulnerability in another application to, seemingly, gain access to my webmail. Or some other function on my site. I don't know because I can see no result anywhere that indicates success on their part. But the whole thing is annoying anyway. So I thought I'd do something about it.

The exploit is known as "VAMP yesno.phtml" and apparently hackers do their thing by piggybacking a url formulated as "http://www.example.com/wamp_dir/setup/yesno.phtml". If you see this type of url in your stats be aware that it is a hack. Or a hack attempt.

So I thought that I could burn these dickheads that try to use this URL injection by doing a simple redirect through htaccess, but a) I'm not sure how to formulate this correctly and b) I haven't decided which site I should redirect them to. Interpol maybe? Or some really offensive degenerate or boring or eye-scaringly ugly site?

Suggestions?

The VAMP yesno exploit is detailed here: http://www.securityfocus.com/bid/20289/

/* EDIT: Right now I'm testing this:

    RedirectPermanent /wamp_dir http://en.wikipedia.org/wiki/Corn_smut
    RedirectPermanent ^(.*)/yesno.phtml http://en.wikipedia.org/wiki/Parasites

but of course that only catches the input of "/wamp_dir" (exact match), and it does not catch "any character before a slash followed by yesno.phtml", which I'd obviously like. Hmm. WIP.
Title: Help with burning hackers
Post by: piXelatedEmpire on January 31, 2007, 03:16:43 am
So you're still being attacked? Mongrels. What other applications are they attempting to exploit? How do you know?

Also, showing my complete server noobness here, how can you tell what people are doing at your site, i.e. are you looking at log files or something? I'd be very interested to keep an eye on my own site (although it is offline at the mo, awaiting the new release of sNews).
Title: Help with burning hackers
Post by: Keyrocks on January 31, 2007, 04:01:56 am
Quote from: agentsmith
The VAMP yesno exploit is detailed here: http://www.securityfocus.com/bid/20289/exploithere
Try VAMP Exploit (http://www.securityfocus.com/bid/20289).
Agent... are you or your host actually using VAMP Webmail as a client? The VAMP Changelog (http://thegraveyard.org/vamp/changelog.php) indicates it hasn't had any updating since May 2002. :)
Title: Help with burning hackers
Post by: piXelatedEmpire on January 31, 2007, 04:20:27 am
That's because the "exploithere" part of that URL is supposed to be the clickable link; smithy just buggered up his [url] coding :D
Title: Help with burning hackers
Post by: Fred K on January 31, 2007, 08:03:57 am
pix: it seems so, yes. I guess that once the gnats have found a fleshy body they tend to stick with it, until there's no flesh left on it... or something. The good thing about the "yesno" exploit is that it shows up in your site stats as a visited URL, like any real page that people have visited. I noticed that suddenly a lot of people (more than 100) were entering directly on a page that doesn't exist. So, of course I start to wonder... :D Most server packages that offer a customer panel include some form of stats tool. That's where you catch'em.

Key: no, it has nothing to do with VAMP as such. I guess VAMP might have been the first application that had this vulnerability, and they went after it? Thanks for correcting the link, I couldn't decide whether or not to obfuscate the url so apparently I messed it up, as master Empire points out.

The current redirect isn't doing what I want by the way. I guess I'll have to do an exact match, until I understand how to use wildcards... unless anyone can tell me how? or has a better idea?
Thanks.
Title: Help with burning hackers
Post by: Fred K on January 31, 2007, 05:37:04 pm
:D I think I've fixed it. Simply place the following at the end of your .htaccess:

    # Any request whose path contains yesno.phtml gets a 301 to the destination URL.
    # The dot is escaped so the pattern matches a literal "." and not any character.
    RedirectMatch permanent ^(.*)yesno\.phtml http://www.securityfocus.com/

and anyone trying to use a URL with the name "yesno.phtml" in it should get redirected to a better place (read: hackerHell). You choose your own redirect destination. I have this running on my affected site (http://www.frdk.com/snews/) so you can test it if you want to, although I won't exactly encourage it...

The solution was stolen from something Dom wrote back in May in this thread (http://www.solucija.com/forum/viewtopic.php?pid=7837#p7837) -- thanks Dom!
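As an added illustration (not code from this thread or from sNews), the script below does two things the posts describe: it replays the working RedirectMatch pattern against request paths, so you can see which URLs it catches before you deploy it, and it scans access-log lines for the yesno.phtml / wamp_dir probes that Fred spotted in his stats. It assumes Apache "combined" log format and the regex from the .htaccess line above; the log lines embedded in it are constructed for the example, not real traffic. Note that Apache tests RedirectMatch against the URL path only, never the query string, which the emulation mirrors.

```python
import re
from collections import Counter

# Constructed sample Apache access log lines (combined format). Not real traffic:
# IPs are from the documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2007:01:20:11 +0100] "GET /snews/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2007:01:20:12 +0100] "GET /wamp_dir/setup/yesno.phtml HTTP/1.1" 404 301 "-" "libwww-perl/5.805"
198.51.100.9 - - [31/Jan/2007:01:22:40 +0100] "GET /snews/setup/yesno.phtml HTTP/1.0" 404 301 "-" "Mozilla/4.0"
192.0.2.44 - - [31/Jan/2007:01:30:02 +0100] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Jan/2007:01:22:41 +0100] "GET /wamp_dir/ HTTP/1.0" 404 301 "-" "Mozilla/4.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The pattern from the working .htaccess line (RedirectMatch permanent ^(.*)yesno\.phtml ...),
# with the dot escaped so it cannot match e.g. "yesnoXphtml".
REDIRECT_MATCH = re.compile(r'^(.*)yesno\.phtml')


def path_of(target):
    """Strip the query string: Apache matches RedirectMatch on the URL path only."""
    return target.split('?', 1)[0]


def redirect_rule_matches(target):
    """Would the RedirectMatch rule above fire for this request target?"""
    return REDIRECT_MATCH.match(path_of(target)) is not None


def is_probe(target):
    """yesno.phtml anywhere in the path, or anything under /wamp_dir, counts as a scan."""
    p = path_of(target)
    return redirect_rule_matches(p) or p == '/wamp_dir' or p.startswith('/wamp_dir/')


def find_probes(log_text):
    """Return (ip, target, status) for every request that looks like this scan."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_probe(m['target']):
            hits.append((m['ip'], m['target'], int(m['status'])))
    return hits


def probes_per_ip(log_text):
    """Count scan requests per client IP, most active first via .most_common()."""
    return Counter(ip for ip, _, _ in find_probes(log_text))


if __name__ == '__main__':
    # Run against a real log with: python3 thisfile.py < /var/log/apache2/access.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, n in probes_per_ip(text).most_common():
        print(f'{ip}\t{n}')
```

Before the redirect is in place the probes show up as 404s against paths that do not exist, which is exactly the "visited page that doesn't exist" pattern described above; once the RedirectMatch line is live, the same requests will log as 301s instead, so keep that in mind when reading the stats afterwards.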
Title: Help with burning hackers
Post by: Keyrocks on February 01, 2007, 04:34:26 am
So... would it be possible to have... say... a half-dozen or so of these strings... each tailored to a specific filename for redirection? I assume so. I would also assume you could create your "hell-page" and redirect to that page to give your hacker your own custom message. Come to think of it... you could also likely have some dark and shadowy script execute itself on the hacker's own computer... tied to that redirect string. :cool:
Title: Help with burning hackers
Post by: Patric Ahlqvist on February 01, 2007, 07:41:28 am
Hehe, the evil in us appears... I think if Doug's evil master plan were to be an actual occurrence, I would like it ;). I remember way back I got to some website that, as soon as I got there, started loading IE sessions till my 'puter crashed... That was funny ;)... But I guess there's even more funny stuff out there to send them off to...
Title: Help with burning hackers
Post by: philmoz on February 13, 2007, 01:07:53 pm
On the topic of server stats, it seems that there was a lot of search activity looking for sNews.
These are my search query stats.
(http://www.fiddlenfolk.com/images/stats-1.png)