How did this guy hack into my site?

ajoyprabhu

Joined: 2002-09-26
Posts: 65

Posted: Tue, 2003-12-23 13:50

Hi guys,

A guy registered at my site with a phony name, then there was no activity for 29 minutes (got that from my log file), and THEN proceeded to view a sub-album 2 levels deep!! I have set the permissions on this sub-album set to allow anyone "logged in" since the sub-album 1-level deep has a list of people that can view, I figured that no one would know the EXACT url for the 2-level deep subalbum (WRONG!).

:-?

So, my question is, how can oen figure out the exact URLs of albums you cant even see? FYI, I have not yet figured out how you guys use the .htaccess file. Still learning...

Any hints to secure woudl be greatly apprecaited!!

Thanks,
Ajoy

alindeman

Joined: 2002-10-06
Posts: 8194

Posted: Tue, 2003-12-23 15:09

[edited]

I'll improve the securing docs about how to prevent this.

ajoyprabhu

Joined: 2002-09-26
Posts: 65

Posted: Tue, 2003-12-23 15:41

Andrew,

2 questions, how did you figure out that the albums are in the 'albums' directory and...2nd, could you not leave the albums exposed like this and get rid of the url that you posted!!

I know I asked fo rit, but I don't mean present my sites vunerabilty to everyone! :-?

Thanks!

Ajoy

PS: Nevermind, I figured the first part. It is evident from the source code, where the albums reside! Duh! That was dumb! :-?

BUT, BUT, BUT....can I change the albumdb.dat file name to something else??? Will THAT help??

alindeman

Joined: 2002-10-06
Posts: 8194

Posted: Tue, 2003-12-23 17:12

No, but try adding a .htaccess file to your albums directory that looks like this:

ajoyprabhu

Joined: 2002-09-26
Posts: 65

Posted: Tue, 2003-12-23 20:32

GREAT. Thanks! as regards .htaccess, do I have to edit the http.conf file in apache AND add the .htaccess file? I am a bit confused about that.

:/

alindeman

Joined: 2002-10-06
Posts: 8194

Posted: Tue, 2003-12-23 21:23

No. If you have the correct "AllowOverride" settings on, .htaccess should be fine. If it doesn't work, tell me and I'll walk you through what you need to change in httpd.conf

ajoyprabhu

Joined: 2002-09-26
Posts: 65

Posted: Wed, 2003-12-24 15:36

ok. I am lost. If I try to put ANYTHING in the .htaccess file (in the albums directory), the pages appear without images!

I have set up httpd.conf file as follows:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory c:\Apache\htdocs>
AllowOverride Options FileInfo
</Directory>

<Directory c:\apache\htdocs\albums>
Options None
AllowOverride All
</Directory>

<Directory c:\apache\htdocs\album>
Options Indexes FollowSymLinks MultiViews
AllowOverride Options FileInfo
</Directory>

Bet something is wrong there, right? Do I need to restart the Apache server, or does it pick up these changes automatically?

Like I said, me still learning...(still, after so many years!!)

Ajoy

valiant

Joined: 2003-01-04
Posts: 32509

Posted: Wed, 2003-12-24 16:11

if you change httpd.conf you gotta restart apache.

ajoyprabhu

Joined: 2002-09-26
Posts: 65

Posted: Wed, 2003-12-24 17:10

ok. I did that, and still all I get is the html page but no images come through

So, this is my .htaccess code..

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.ajoy.no-ip.org/.*$ [NC]
RewriteCond %{REMOTE_HOST} ^.*\.shutterfly.com$ [NC]
RewriteRule ^/albums/.*\.(jpg|gif|avi|png)$ - [F]
</IfModule>

ajoyprabhu Joined: 2002-09-26 Posts: 65	Posted: Tue, 2003-12-23 13:50
	Hi guys, A guy registered at my site with a phony name, then there was no activity for 29 minutes (got that from my log file), and THEN proceeded to view a sub-album 2 levels deep!! I have set the permissions on this sub-album set to allow anyone "logged in" since the sub-album 1-level deep has a list of people that can view, I figured that no one would know the EXACT url for the 2-level deep subalbum (WRONG!). :-? So, my question is, how can oen figure out the exact URLs of albums you cant even see? FYI, I have not yet figured out how you guys use the .htaccess file. Still learning... Any hints to secure woudl be greatly apprecaited!! Thanks, Ajoy
	XUser login Username: * Password: * Create new account Request new password
alindeman Joined: 2002-10-06 Posts: 8194	Posted: Tue, 2003-12-23 15:09
	[edited] I'll improve the securing docs about how to prevent this.

ajoyprabhu Joined: 2002-09-26 Posts: 65	Posted: Tue, 2003-12-23 15:41
	Andrew, 2 questions, how did you figure out that the albums are in the 'albums' directory and...2nd, could you not leave the albums exposed like this and get rid of the url that you posted!! I know I asked fo rit, but I don't mean present my sites vunerabilty to everyone! :-? Thanks! Ajoy PS: Nevermind, I figured the first part. It is evident from the source code, where the albums reside! Duh! That was dumb! :-? BUT, BUT, BUT....can I change the albumdb.dat file name to something else??? Will THAT help??

alindeman Joined: 2002-10-06 Posts: 8194	Posted: Tue, 2003-12-23 17:12
	No, but try adding a .htaccess file to your albums directory that looks like this: <Files "*.dat"> deny from all </Files>

ajoyprabhu Joined: 2002-09-26 Posts: 65	Posted: Tue, 2003-12-23 20:32
	GREAT. Thanks! as regards .htaccess, do I have to edit the http.conf file in apache AND add the .htaccess file? I am a bit confused about that. :/

alindeman Joined: 2002-10-06 Posts: 8194	Posted: Tue, 2003-12-23 21:23
	No. If you have the correct "AllowOverride" settings on, .htaccess should be fine. If it doesn't work, tell me and I'll walk you through what you need to change in httpd.conf

ajoyprabhu Joined: 2002-09-26 Posts: 65	Posted: Wed, 2003-12-24 15:36
	ok. I am lost. If I try to put ANYTHING in the .htaccess file (in the albums directory), the pages appear without images! I have set up httpd.conf file as follows: <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory c:\Apache\htdocs> AllowOverride Options FileInfo </Directory> <Directory c:\apache\htdocs\albums> Options None AllowOverride All </Directory> <Directory c:\apache\htdocs\album> Options Indexes FollowSymLinks MultiViews AllowOverride Options FileInfo </Directory> Bet something is wrong there, right? Do I need to restart the Apache server, or does it pick up these changes automatically? Like I said, me still learning...(still, after so many years!!) Ajoy

valiant Joined: 2003-01-04 Posts: 32509	Posted: Wed, 2003-12-24 16:11
	if you change httpd.conf you gotta restart apache.

ajoyprabhu Joined: 2002-09-26 Posts: 65	Posted: Wed, 2003-12-24 17:10
	ok. I did that, and still all I get is the html page but no images come through So, this is my .htaccess code.. <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} !^http://www.ajoy.no-ip.org/.$ [NC] RewriteCond %{REMOTE_HOST} ^.\.shutterfly.com$ [NC] RewriteRule ^/albums/.\.(jpg\|gif\|avi\|png)$ - [F] </IfModule> <Files ".dat"> deny from all </Files>

How did this guy hack into my site?

XUser login