Anyone know what this thing is?
So far, it appears to only be hitting the Help page. Forum seems okay otherwise.
It reads the password directory??? Or attempts to???
Well, I've already spoken to OpaQue and I've done what he told me to do.
We'll see it go off soon! It looks like it is a backdoor, as we can find more information about it here: http://forums.xisto.com/no_longer_exists/
From what I've seen on a bunch of security sites this hack has just been found. It does a SQL injection through an XSS loophole and then whatever happens happens next. I guess a virus was a payload, from what MaineFishing was talking about that happened here, but when I clicked nothing happened, so that must have just been random or the payload already happened. But right now this site is still open since the hack.
So mods, pay attention to what happens until further news from OpaQue.
Of course I have 2 theories: it was a mass attack and a lot of people got hit, or someone who knew about this site and that hack then did this.
No patch has been found yet. This happens to have been found in the last 10-15 days; InvisionBoard most likely has a patch for this since it was dated on the 25th, but someone should find out if that patch is for this kind of attack.
website source http://seclists.org/bugtraq/2006/Apr/445
1. SQL Injection.
Vulnerable script: unsubscribe.php
Parameter user_name is not properly sanitized before being used in SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.
Condition: magic_quotes_gpc = off
2. Cross-Site Scripting.
Vulnerable script: subscribe.php
Parameter user_name is not properly sanitized. This can be used to post arbitrary HTML or web script code.
I clicked on the r57shell.txt link at the top and my anti-virus raised a flag. I hope I didn't damage any of my Apache thingy. Anyway, until I can tell further and receive a reply from OpaQue, I have disabled the direct link to HELP at the forum header and the link to the Xisto Readme.
BH and Opaque,
Here is some information that I have been able to track down on this r57shell thing:
If register_globals is activated, a remote attacker could send a specially-crafted URL request to the 'modules/vWar_Account/includes/functions_common.php' script using the 'vwar_root' parameter to specify a malicious PHP file from a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.
If you don't need the vwar module, remove it; you might also consider disabling register_globals.
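A defender-side illustration of the two issues quoted in this thread (an unsanitized user_name reaching both a SQL query and the HTML output, and a request-controlled variable steering an include path under register_globals), written as an added example, not code from this thread or from the forum software or advisory it discusses. PDO with SQLite, the table and column names, and the 3-32 word-character username rule are assumptions.

```php
<?php
// Added example (not code from this thread, the forum software, or the bugtraq
// advisory). The table name, column names and the 3-32 word-character username
// rule are assumptions standing in for scripts like unsubscribe.php/subscribe.php.

// Weak pattern described in the advisory: user_name is spliced into the query and
// echoed raw, so safety depends entirely on magic_quotes_gpc being on.
function unsubscribeUnsafe(PDO $db, string $userName): void {
    $db->exec("DELETE FROM subscriptions WHERE user_name = '$userName'");
    echo "<p>Removed $userName</p>\n"; // reflected unescaped: XSS
}

// Hardened pattern: validate, bind the value as data, encode for HTML output.
function unsubscribeSafe(PDO $db, string $userName): int {
    if (!preg_match('/^\w{3,32}$/', $userName)) {
        throw new InvalidArgumentException('invalid user_name');
    }
    $stmt = $db->prepare('DELETE FROM subscriptions WHERE user_name = :u');
    $stmt->execute([':u' => $userName]); // value is a parameter, never SQL text
    echo '<p>Removed ' . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8') . "</p>\n";
    return $stmt->rowCount();
}

// Include-path hardening for the vwar_root pattern: with register_globals on, a
// request parameter named vwar_root would define $vwar_root, so the path must
// come from a constant and be checked to stay inside the module directory.
define('VWAR_ROOT', __DIR__ . '/modules/vWar_Account');
function resolveModuleFile(string $relative): string {
    $real = realpath(VWAR_ROOT . '/' . $relative);
    $root = realpath(VWAR_ROOT);
    if ($real === false || $root === false
        || strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        throw new RuntimeException('refusing to include outside module root');
    }
    return $real; // safe to pass to require_once
}

// Demo against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE subscriptions (user_name TEXT)');
$db->exec("INSERT INTO subscriptions VALUES ('alice'), ('bob')");
echo unsubscribeSafe($db, 'alice'), " row(s) removed\n";
try {
    unsubscribeSafe($db, "alice'"); // the quote character fails validation
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The unsafe function is kept only for comparison and is never called; resolveModuleFile() throws in this demo because the assumed module directory does not exist, which is the intended failure mode.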