[K][R][Y][P][T][O][N] wrote:

Someone uploaded a file in one of my accounts. Can someone tell me what
it does. Thank you.


[ From the included link:

http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html ]

IkonBoard (http://www.ikonboard.com/) is a comprehensive web bulletin board system, implemented as a Perl/CGI script.

[ Seems you have a webforum based on IkonBoard... if not then no need to worry... I guess. ]

There is a flaw in the Perl code that cleans up user input before
interpolating it into a string which gets passed to Perl's eval() function, allowing an attacker to evaluate arbitrary Perl and hence run arbitrary commands.


[ Hrm... ]

The flaw is in the code that cleans up the value of the 'lang' cookie, in sub LoadLanguage in Sources/Lib/FUNC.pm:

 # Make sure the cookie data is legal
 if ($iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}) {
     $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/;
 }

If the cookie contains illegal characters then the s/// operation fails to match and the bad cookie value is left in place, so this code fails to do any validation.

The cookie value is then interpolated into a directory name, which is in
turn interpolated into a string passed to the eval function. There is a
check that the directory exists, but use of the poisoned null technique
allows that check to be bypassed.

[ There's a patch included in the link too... *BUT* if you don't have tripwire or any intrusion detection system running... chances are you've been rooted. So nevermind applying the patch. Even if you patch IkonBoard (assuming you have it running) you've already/prolly been rooted with all kinds of rootkits running. If you don't have any way to check whether your binaries are still what they seem to be (clue: rpm has a verify option, but rpm can also be replaced, so use a new rpm binary from somewhere), then better reinstall. Save all non-executable, important data somewhere and reinstall. Don't just do a tar.gz of home directories -- some dot files might be hiding, or even benign-looking files with their perms altered to the root power, etc, etc.

If you're not running IkonBoard, then prolly someone used your site as a jump-off point to someone who has. Try checking your logs... but if it was me, I'd have already altered those logs... but leaving a script behind is really careless... script-kiddie-like behaviour...

Good luck in tracing your visitor :) Hope no legalities get in the way :) People nowadays lack the proper sense of humor :D ]



-----
... Humanity's first sin was faith; the first virtue was doubt.


-- Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph Searchable Archives: http://marc.free.net.ph . To leave, go to http://lists.q-linux.com/mailman/listinfo/plug . Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
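Added example (not from the advisory or from IkonBoard) showing why the quoted s/// "cleanup" validates nothing, using Python's re.sub as the counterpart of Perl's substitution, next to an allow-list check that actually rejects bad values, plus a small check over a constructed Cookie header. The cookie name ending in "lang" and the sample values are assumptions, since COOKIE_ID is site-specific.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Counterpart of the advisory's  s/^([\d\w]+)$/$1/ : when the value is all
# word characters the match replaces it with itself; when it is not, there is
# no match and re.sub returns the input untouched. Nothing is ever rejected.
# Like Perl's $, Python's $ also matches before a trailing newline.
def clean_like_ikonboard(lang: str) -> str:
    return re.sub(r"^([\d\w]+)$", r"\1", lang, flags=re.ASCII)

# Allow-list validation: accept only [A-Za-z0-9_]+ over the whole string and
# return None otherwise, so the caller falls back to a default language
# instead of building a directory name from the cookie value.
def clean_strict(lang: str) -> Optional[str]:
    if re.fullmatch(r"[A-Za-z0-9_]+", lang, flags=re.ASCII):
        return lang
    return None

# Constructed sample values (hypothetical, not from the advisory).
SAMPLES = ["en", "en\x00/../../tmp", "en\n"]

def compare(values):
    """Map each value to (result of the original cleaner, result of strict)."""
    return {v: (clean_like_ikonboard(v), clean_strict(v)) for v in values}

def flag_lang_cookies(cookie_header: str):
    """Return names of cookies ending in 'lang' whose decoded value fails the
    strict check; useful for scanning access logs that record Cookie headers.
    Assumes the forum's cookie name is COOKIE_ID followed by 'lang'."""
    flagged = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.endswith("lang") and clean_strict(unquote(value)) is None:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for v, (weak, strict) in compare(SAMPLES).items():
        print(repr(v), "->", repr(weak), "|", repr(strict))
    # Constructed header: a %00 (NUL) smuggled into the lang cookie.
    print(flag_lang_cookies("ibf_lang=en%00/../../tmp; session=abc"))
```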
