
WARNING! Znote forum vulnerable of being hacked!

kito2 (www.masteria.net)
Hello,

If you are using the Znote engine AAC, you should disable forum.php, since it makes you vulnerable to being hacked.

Today I received a log of 150 MB and an error.log of 15 GB from this IP: 37.252.102.14.


I recommend you disable anything in the engine that lets people post "comments", since you may be SQL injected.

Here are a few details from the logs:
Code:
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10658 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10659 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10658 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
37.252.102.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94d950540229ca061680739985a6b4%00&thread=342&text=1&type=file%3A%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
 
I stopped it in time; if I had let it run longer, they would have gotten access to the database and done whatever they wanted.
 
You claim there is a vulnerability but you provide no details about it. Did you actually see someone exploit it in your case, or have you found one yourself?
 
As I already said before, I removed the forum. They were trying to get access: 140 MB of logs and 15 GB of error logs.

I am not willing to let them keep trying.

Just feel free to leave your forum working; I won't expose it.

The Znote engine works pretty well in basically everything else, but the forum has that vulnerability.
 
Just took a quick look at forum.php in ZnoteAAC and I can't see anything vulnerable here. All POST values are escaped.

To prevent such big logs and to block bots from hitting your site so often, you should use mod_evasive for Apache, or the equivalent if you're using another distro.
 

A real solution, thanks!

Btw, I added page_protected() to the forum and also a reCAPTCHA on login, posting and creating threads on the forum.
 

So they were only trying? That happens all the time. That sounds like the forum is not necessarily vulnerable to being hacked.
 
Looks like a website scanner of sorts: software/a bot that tries to scan and click on all links on your website, looking for vulnerabilities. It seems to have gotten stuck in a loop on the forum page.

The provided log snippet in particular attempts to fetch the /etc/passwd file, which the software can then use to return a list of user accounts and whether they have shell and login access.

In order for this hack to work, I imagine several security issues would have to be broken:
www-data would need access to /etc/passwd (it probably doesn't), or forum.php would need to be owned by root and have execute and read permission (this is probably what the bot is going for).

In my PHP code, I would have to use a function that performs commands based on file operations, like getting a file or an image (for instance, Znote AAC retrieves flat files in the /engine/cache/ directory), and it would have to do these operations based on user input (a GET or POST request). Znote AAC does not do this.
The Znote forum does not even use the cache system, and I don't think I ever create cache files based on user input, only from predeclared strings upon the creation of the cache object.

The GET and/or POST requests would not be sanitized sufficiently for their purpose.

My conclusion based on this data:
This data does not prove any vulnerability to being hacked through the Znote forum, or that you were hacked. But you were attacked by a website exploit scanner that did not manage to get any useful data out of these requests.

But a 15 GB error log is something you should look into. There are probably a few warnings and errors coming out of Znote AAC depending on your PHP version and poorly declared code. I also imagine there are tons of errors that are logged as duplicates. Many error logs may contribute to the difficulty of identifying hacking attempts and vulnerabilities on the site.
I am happy to accept pull requests to the Znote AAC repository that resolve PHP error and warning messages.
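Znote's reading of the log (a scanner probing `type=file:///../../etc/passwd` and looping on forum.php) is the kind of thing a small log-triage script can flag automatically. This is an added example, not Znote AAC code or anything from the thread: it parses Apache combined-log lines like the ones posted, tags requests whose query values carry traversal, file:// or NUL-byte patterns, flags the scanner user agent, and counts per-second bursts per IP, which is the same signal mod_evasive acts on. The sample lines are constructed, using documentation-range IPs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample modelled on the post's Apache combined-log lines: two scanner hits in
# one second (the first is the post's LFI probe, shortened) and one ordinary request.
SAMPLE_LOG = """\
198.51.100.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=Suggestion%20&%20Ideas=1&cat=7_arachni_trainer_7d94%00&thread=342&type=file%3A%2F%2F%2F..%2F..%2F..%2F%2Fetc%2Fpasswd HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
198.51.100.14 - - [29/Nov/2017:15:17:05 -0500] "GET /forum.php?forum=1&thread=342 HTTP/1.1" 200 10660 "-" "Arachni/v1.5.1"
203.0.113.7 - - [29/Nov/2017:15:17:06 -0500] "GET /forum.php?forum=1&thread=342 HTTP/1.1" 200 10660 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = ("arachni",)  # the user agent seen in the post; add others you know
PROBE_CHECKS = (
    ("path traversal", lambda v: "../" in v or "..\\" in v),
    ("file:// scheme", lambda v: v.startswith("file:")),
    ("/etc/passwd target", lambda v: "/etc/passwd" in v),
    ("NUL byte", lambda v: "\x00" in v),
)

def parse_line(line):
    """Fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def probe_reasons(target):
    """Why a request target looks like a file-inclusion / traversal probe (empty if clean)."""
    # parse_qsl decodes once; the extra unquote also catches double-encoded payloads
    values = [unquote(v).lower() for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return sorted(reason for reason, test in PROBE_CHECKS if any(test(v) for v in values))

def analyze(log_text, burst_threshold=20):
    """Per-IP summary: requests, probe count, scanner UA flag, peak requests in one second."""
    summary = defaultdict(lambda: {"requests": 0, "probes": 0, "scanner_ua": False, "max_burst": 0})
    per_second = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = summary[rec["ip"]]
        s["requests"] += 1
        s["probes"] += bool(probe_reasons(rec["target"]))
        s["scanner_ua"] |= any(name in rec["ua"].lower() for name in SCANNER_UA)
        per_second[(rec["ip"], rec["ts"])] += 1
    for (ip, _), n in per_second.items():
        summary[ip]["max_burst"] = max(summary[ip]["max_burst"], n)
    # 'burst' is the signal mod_evasive keys on: too many hits from one IP within one second
    return {ip: dict(s, burst=s["max_burst"] >= burst_threshold) for ip, s in summary.items()}
```

Run it over a real access log with `analyze(open("access.log").read())`; an IP with probes, a scanner UA and a high burst is the one to rate-limit or block, while probes with no burst still deserve a look at what the targeted script does with that parameter.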
 
Thanks @Znote, I managed to handle robots.txt and install mod_evasive.

Btw @Cjaker told me he is looking to work on Znote AAC. Maybe you could get in touch ;)
 