PayPal hijack -- FYI
One of my users was hijacked today. It appears that someone used his website to upload a script named '.pay.php'. It was a PayPal hijacking script.
Here is what the script looked like.
http://www.devtop.com/bad.no
Prevent via mod_security add
SecFilterSelective THE_REQUEST "/.pay\.php"
Last edited by laborspy; 06-07-2006 at 07:32 PM.
With that mod_secuirty filter can't they just change the name of the file???
here are a few sec_mod filters I use to stop repeated abuse attempts against unsecure scripts.
SecFilter pathtoashnews=
SecFilter absolute_path=
SecFilter root_path=
grep your domain logs for the pay.php and then do it for wget and look for the command right before http://remoteip. Then block that so they can't upload any scripts. wget won't show 100% of exploits but its a good start.
All these sites are a result of Coppermine Photo Gallery exploits.
A new one is out now as well
http://www.frsirt.com/english/advisories/2006/2185
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
How to protect against http://www.frsirt.com/english/advisories/2006/2185 with mod_security?
I have contacted the developer for more information regarding this. Without seeing an active attack yet I cannot write a rule set for it at this time.
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
The developers will not provide this, I'm not suprised.
Fantastico sure is doing a great job at keeping our systems secure by updating with the software providers. Latest version on Coppermine website is 1.4.8
Latest stable Fantastico is
New Installation (1.4.2)
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
Latest cpanel version is....Coppermine (1.3.3)Originally Posted by ramprage
LinkBack URL
About LinkBacks
Reply With Quote