
Author Topic: Help with burning hackers  (Read 3982 times)

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Help with burning hackers
« on: January 31, 2007, 01:53:41 am »

Hi,
Following the direct snews exploit attack, detailed elsewhere on this forum, I thought that after implementing the various security fixes I --my sites rather-- was fairly safe. Ba-ha. It appears that they have switched tactics and are now using an exploit for a vulnerability in another application to, seemingly, gain access to my webmail. Or some other function on my site. I don't know because I can see no result anywhere that indicates success on their part. But the whole thing is annoying anyway. So I thought I'd do something about it.

The exploit is known as "VAMP yesno.phtml" and apparently hackers do their thing by piggybacking a url formulated as "http://www.example.com/wamp_dir/setup/yesno.phtml". If you see this type of url in your stats be aware that it is a hack. Or a hack attempt.

So I thought that I could burn these dickheads that try to use this URL injection by doing a simple redirect through htaccess, but a) I'm not sure how to formulate this correctly and b) I haven't decided which site I should redirect them to. Interpol maybe? Or some really offensive degenerate or boring or eye-scaringly ugly site?

Suggestions?

The VAMP yesno exploit is detailed here: http://www.securityfocus.com/bid/20289/

/* EDIT: Right now I'm testing this

    RedirectPermanent /wamp_dir http://en.wikipedia.org/wiki/Corn_smut
    RedirectPermanent ^(.*)/yesno.phtml http://en.wikipedia.org/wiki/Parasites

but of course that only catches the input of "/wamp_dir" (exact match) and it does not catch "any character before a slash followed by yesno.phtml" which I'd obviously like. hmm. wip.
Logged

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Help with burning hackers
« Reply #1 on: January 31, 2007, 03:16:43 am »

So you're still being attacked? Mongrels.  What other applications are they attempting to exploit?  How do you know?

Also, showing my complete server noobness here, how can you tell what people are doing at your site, ie are you looking at log files or something?  I'd be very interested to keep an eye on my own site (altho it is offline at the mo, awaiting new release of sNews).
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Help with burning hackers
« Reply #2 on: January 31, 2007, 04:01:56 am »

Quote from: agentsmith
The VAMP yesno exploit is detailed here: http://www.securityfocus.com/bid/20289/exploithere
Try VAMP Exploit.
Agent... are you or your host actually using VAMP Webmail as a client? The VAMP Changelog indicates it hasn't had any updating since May 2002. :)
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • ******
  • Karma: 37
  • Posts: 1401
  • currently MIA
Help with burning hackers
« Reply #3 on: January 31, 2007, 04:20:27 am »

that's because the "exploithere" part of that url is sposed to be the clickable link, smithy just buggered up his [url]coding :D
Logged
my apologies to the sNews crew, but I will be MIA for the foreseeable future

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Help with burning hackers
« Reply #4 on: January 31, 2007, 08:03:57 am »

pix: it seems so, yes. I guess that once the gnats have found a fleshy body they tend to stick with it, until there's no flesh left on it... or something. The good thing about the "yesno" exploit is that it shows up in your site stats as a visited URL, like any real page that people have visited. I noticed that suddenly a lot of people (more than 100) were entering directly on a page that doesn't exist. So, of course I start to wonder... :D Most server packages that offer a customer panel include some form of stats tool. That's where you catch'em.

Key: no, it has nothing to do with VAMP as such. I guess VAMP might have been the first application that had this vulnerability, and they went after it? Thanks for correcting the link, I couldn't decide whether or not to obfuscate the url so apparently I messed it up, as master Empire points out.

The current redirect isn't doing what I want by the way. I guess I'll have to do an exact match, until I understand how to use wildcards... unless anyone can tell me how? or has a better idea?
Thanks.
Logged

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Help with burning hackers
« Reply #5 on: January 31, 2007, 05:37:04 pm »

:D I think I've fixed it. Simply place the following at the end of your .htaccess

    RedirectMatch permanent ^(.*)yesno\.phtml http://www.securityfocus.com/

and anyone trying to use a URL with the name "yesno.phtml" in it should get redirected to a better place (read hackerHell). You choose your own redirect destination. I have this running on my affected site so you can test it if you want to, although I won't exactly encourage it...

The solution was stolen from something Dom wrote back in May in this thread -- thanks Dom!
Logged
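Pix asked above how you can tell what visitors are doing on a site, and the RedirectMatch rule in this reply sends anyone requesting yesno.phtml elsewhere. As an added example, not code from the thread, here is a small Python script that scans Apache combined-format access log lines for those probe URLs and summarises hits per client IP and response status, so you can see from the raw log (rather than a stats panel) whether the 301 from the redirect rule is actually being served. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [31/Jan/2007:01:53:41 +0100] "GET /wamp_dir/setup/yesno.phtml HTTP/1.1" 301 245 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths this thread identifies as the probe: any URL containing the literal
# filename yesno.phtml (same intent as the RedirectMatch rule, dot escaped)
# plus the /wamp_dir/ prefix the poster first tried to catch.
PROBE_RE = re.compile(r'(yesno\.phtml|^/wamp_dir/)')


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines):
    """Per client IP, count probe requests by the status code that was served.
    A 301 means the redirect rule fired; a 200 or 404 means the request reached
    the site without being redirected (rule missing or not matching)."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec['path']):
            hits[rec['ip']][rec['status']] += 1
    return {ip: dict(c) for ip, c in hits.items()}


# Constructed sample log lines (not real traffic); one line is deliberately unparsable.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2007:01:53:41 +0100] "GET /wamp_dir/setup/yesno.phtml HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [31/Jan/2007:01:53:43 +0100] "GET /mail/yesno.phtml HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Jan/2007:17:40:02 +0100] "GET /some/yesno.phtml HTTP/1.1" 301 245 "-" "libwww-perl/5.805"
192.0.2.9 - - [31/Jan/2007:17:41:10 +0100] "GET /index.php?category=news HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for ip, statuses in find_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, statuses)
```

Run it against a real access_log with `find_probes(open('access_log'))`; IPs still showing 404 or 200 for these paths are the ones the redirect rule is not catching.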

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Help with burning hackers
« Reply #6 on: February 01, 2007, 04:34:26 am »

So... would it be possible to have... say... a half-dozen or so of these strings... each tailored to a specific filename for redirection? I assume so. I would also assume you could create your "hell-page" and re-direct to that page to give your hacker your own custom message. Come to think of it... you could also likely have some dark and shadowy script execute itself on the hacker's own computer... tied to that re-direct string. :cool:
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Patric Ahlqvist

  • Nobody's perfect, but I'm pretty effing close
  • ULTIMATE member
  • ******
  • Karma: 65
  • Posts: 4867
  • I'm a self-made man and worship my creator.
    • p-ahlqvist.com
Help with burning hackers
« Reply #7 on: February 01, 2007, 07:41:28 am »

Hehe, the evil in us appears... I think if Doug's evil master plan was to be an actual occurrence, I would like it ;). I remember way back I got to some website, that as soon as I got there started loading IE sessions til my 'puter crashed... That was funny ;)... But I guess there's even more funny stuff out there to send them off to...
Logged
"It's only dead fish that goes with the flow... "

philmoz

  • High flyer
  • ULTIMATE member
  • ******
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Help with burning hackers
« Reply #8 on: February 13, 2007, 01:07:53 pm »

On the topic of server stats, it seems that there was a lot of search activity looking for sNews.
These are my search query stats.
Logged
Of all the things I have lost, it is my mind that I miss the most.