Author Topic: Quickmod2 exploit  (Read 6902 times)

Offline nutn2lewz

  • Semi-Newbie
  • *
  • Posts: 22
Quickmod2 exploit
« on: February 02, 2008, 07:44:35 PM »
I have a problem with quickmod2 being accessed 5 times a second for minutes at a time from rotating IPs located mostly in Eastern Europe (problem quoted below).

I need to disable quickmod2. What would be the easiest way to accomplish this? Can I simply edit the QuickModeration2() function in Subs-Boards.php?

Thanks, Barry


Hello,

My SMF forums are getting hit by thousands and thousands of quickmod2 requests. An IP will make 1000 quickmod2 requests in a couple of minutes and then another IP will make 50 requests and then another IP will make 200 requests ...

 /index.php?action=quickmod2;topic=6634.0
 Http Code: 200 Date: Jan 30 13:06:29 Http Version: HTTP/1.0 Size in Bytes: 12299
 Referer: -
 Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


I receive no forum errors other than a dozen of these per day, which I have been receiving for a year or two ...

Guest   Today at 12:26 
38.xxx.xxx.156     21aa53247701459e44b0980ffcd8c08c 
http://forums.homepokertourney.com/index.php?amp;action=quickmod2;topic=10495.0
Unable to verify referring url. Please go back and try again.

   
I am using SMF 1.14 with the default theme.
Mods installed ...
1. SMF Gallery Pro Upgrade 1.3.1
2. SMF Gallery Pro Profile Link 1.0
3. Spell Check Custom Words 1.0.1
4. SMF Gallery Pro 1.1.2
5. Mark Selected Topics As Read 1.0
6. SMF 1.1.2 Update Package 1.1.2
7. SMF 1.0.11 / 1.1.3 Update 1.1
8. SMF 1.0.12 / 1.1.4 / 2.0 b1.1 Update 1.0
9. SMF Gallery Pro SSI 1.1
10. Spoiler Tag 0.3.1 


Top Process %CPU 38.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic6312.20]
Top Process %CPU 21.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic150.0]
Top Process %CPU 16.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic4028.80]


MySQL was crashing every 15 minutes. I was using a customized forum theme and reverted back to the default theme. MySQL has not crashed since reverting back to the default theme.

Could someone have been exploiting quickmod2 in my customized theme? Reverting back to the default theme has not eliminated the server load, but it has stabilized MySQL, which has not crashed since.

Any help would be appreciated ...

Thanks, nutN2Lewz


-----------------
Basic Information
January 30, 2008, 02:04:39 PM
Operating System: CentOS release 4.4 (Final) 
Processor: Intel® Pentium® 4 CPU 3.00GHz (3001.494MHz)
Load averages: 0.21, 0.37, 0.61
Current processes: 139 (138 sleeping, 1 running, 0 zombie)
Processes by CPU: httpd (38) 23.9%, mysqld (1) 1.8%, (other) (55) 0.0% 
Memory usage: 79.845% (813104k / 1018348k)
Swap: 6.398% (134132k / 2096472k) 

MySQL processes
Total processes: 5 (4 sleeping, 1 running, 0 locked)

MySQL Statistics
MySQL 5.0.x
Connections per second:  3.3751 
Kilobytes received per second:  11.1075 
Kilobytes sent per second:  47.7427 
Queries per second:  47.4989 
Percentage of slow queries:  0 
Opened vs. Open tables:
(table_cache)  92.625 (should be <= 80) 
Table cache usage:
(table_cache)  1 (should be >= 0.5 and <= 0.9) 
Key buffer read hit rate:
(key_buffer_size)  0.0058 (should be <= 0.01) 
Key buffer write hit rate:
(key_buffer_size)  0.3192 (should be <= 0.5) 
Thread cache hit rate:
(thread_cache_size)  1 (should be >= 30 ) 
Thread cache usage:
(thread_cache_size)  0 (should be >= 0.7 and <= 0.9) 
Temporary table disk usage:
(tmp_table_size)  0.4734 (should be <= 0.5) 
Sort merge pass rate:
(sort_buffer)  0 (should be <= 0.001) 
Query cache enabled:
(query_cache_type)  1 (should be >= 1 and <= 1) 
Query cache miss rate:
(query_cache_limit)  1 (should be <= 0.5) 
Query cache prune rate:
(query_cache_size)  0 (should be <= 0.05) 
« Last Edit: February 03, 2008, 02:16:30 PM by nutn2lewz »

Offline nutn2lewz

  • Semi-Newbie
  • *
  • Posts: 22
Re: Quickmod2 exploit
« Reply #1 on: February 03, 2008, 02:17:44 PM »
I definitely have someone exploiting my SMF software. I put my forum into maintenance mode and the quickmod2 requests kept coming - 300 quickmod2 requests a minute from rotating IPs, mostly in Eastern Europe. This was overloading my server ... even in maintenance mode.

I altered the quickmod2 function in Subs-Boards ...

Code:
// In-topic quick moderation.
function QuickModeration2()
{
    global $sourcedir, $db_prefix, $topic, $board, $ID_MEMBER, $modSettings, $context;

    // Added next two lines due to excessive server connections via quickmod2
    if ($context['user']['is_guest'])
        redirectexit('topic=' . $topic . '.' . $_REQUEST['start']);

    // Check the session = get or post.
    checkSession('request');

I added two lines of code to see if the user is a guest. This has not stopped the excessive requests, but it has resulted in file sizes of zero being sent (instead of file sizes of about 15000-20000). So it appears that guests were accessing the quickmod2 function without even visiting my forum. These rotating IPs have found an exploit in the quickmod2 function and have set up bots to make excessive connections to this exploit.

Here is an example of the type of connection I am receiving. You can see that a file size of 0 is now being sent after I made the code change ...

/index.php?action=quickmod2;topic=134.0
 Http Code: 302 Date: Feb 03 13:44:46 Http Version: HTTP/1.0 Size in Bytes: 0
 Referer: -
 Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Can anyone offer any advice here? Is there cleaner code than this to prevent guests from accessing the quickmod2 function? ...

Code:
    if ($context['user']['is_guest'])
        redirectexit('topic=' . $topic . '.' . $_REQUEST['start']);

Is there any way that I can filter out all the quickmod2 requests at the server level rather than letting them in to exploit my forum?

Any help would be appreciated.

Thanks, nutn

Offline Grudge

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 10,743
  • Gender: Male
  • Unofficial nuisance
Re: Quickmod2 exploit
« Reply #2 on: February 03, 2008, 02:22:06 PM »
To reduce problems further, in index.php find:
Code:
loadUserSettings();

Add after:
Code:
if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
    redirectexit();

Offline nutn2lewz

  • Semi-Newbie
  • *
  • Posts: 22
Re: Quickmod2 exploit
« Reply #3 on: February 03, 2008, 02:30:49 PM »
I will try that. Thank you.

I forgot to mention that before making the coding change to quickmod2 I was accumulating numerous MySQL open processes and this was crashing MySQL. After making the coding change to Quickmod2, I no longer have multiple MySQL processes opening up.

So the exploit is allowing guests to access the quickmod2 function, even when the forum is in maintenance mode, and open a MySQL process.

Thanks, Barry
« Last Edit: February 03, 2008, 02:44:10 PM by nutn2lewz »

Offline nutn2lewz

  • Semi-Newbie
  • *
  • Posts: 22
Re: Quickmod2 exploit
« Reply #4 on: February 03, 2008, 02:35:41 PM »
Quote from: DavidCT
Maybe...

RewriteEngine On
RewriteCond %{QUERY_STRING} ^quickmod2$
RewriteRule ^.* - [F,L]

If I did this correctly, it would give an error 403 (forbidden) if anyone used "quickmod2" - don't enable "RewriteEngine On" if it's already on :)


Would this also prevent legitimate quickmod2 requests?

Offline DavidCT

  • Sophist Member
  • *****
  • Posts: 1,239
  • Gender: Male
  • $$$ This $pace For Rent $$$
    • Home Plate Network's Ballpark
Re: Quickmod2 exploit
« Reply #5 on: February 03, 2008, 02:38:46 PM »
Of course, but it didn't work so I deleted the message... I should have tried it locally first ;)

Offline DavidCT

  • Sophist Member
  • *****
  • Posts: 1,239
  • Gender: Male
  • $$$ This $pace For Rent $$$
    • Home Plate Network's Ballpark
Re: Quickmod2 exploit
« Reply #6 on: February 03, 2008, 03:00:17 PM »
RewriteCond %{QUERY_STRING} quickmod [NC]
RewriteRule ^.* - [F,L]

This works.  I suggested it as if you think it's dangerous, why risk it?  Give them a 403 error.
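The thread describes two things a practitioner would want to check before trusting either fix: how to recognise the quickmod2 flood in an access log (the original post's "1000 requests in a couple of minutes" from one IP), and what each of the two RewriteCond patterns posted above would actually 403. The script below is an added example written for this page, not code from the thread or from SMF. It assumes Apache's "combined" log format, constructs its own sample lines (RFC 5737 documentation addresses, not the thread's IPs), approximates Apache's PCRE matching of `RewriteCond %{QUERY_STRING}` with Python's `re.search`, and assumes that SMF's board-level quick moderation is reached via `action=quickmod` (from SMF's index.php action table, not stated in the thread):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; SMF joins query parameters with ';' as well as '&'.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two RewriteCond patterns posted in the thread, as (regex, flags).
REWRITE_CONDS = {
    "^quickmod2$": (r"^quickmod2$", 0),             # reply #4: anchored to the whole query string
    "quickmod [NC]": (r"quickmod", re.IGNORECASE),  # reply #6: matches anywhere, any case
}

def query_string(path):
    return path.split("?", 1)[1] if "?" in path else ""

def requested_action(path):
    """SMF 'action' parameter of a request path, or None."""
    for part in re.split(r"[;&]", query_string(path)):
        if part.startswith("action="):
            return part[len("action="):]
    return None

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")

def peak_quickmod2_rate(lines, window_seconds=60):
    """Per client IP: most quickmod2 requests seen in any sliding window of window_seconds."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and requested_action(parsed[2]) == "quickmod2":
            hits[parsed[0]].append(parsed[1].timestamp())
    peaks = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[ip] = peak
    return peaks

def flagged_ips(peaks, threshold=50):
    """IPs whose peak rate reaches the threshold (the thread saw ~300/minute)."""
    return sorted(ip for ip, peak in peaks.items() if peak >= threshold)

def rewrite_cond_blocks(pattern_name, path):
    """Would 'RewriteCond %{QUERY_STRING} <pattern>' fire for this path? (regex search, as Apache does)"""
    regex, flags = REWRITE_CONDS[pattern_name]
    return re.search(regex, query_string(path), flags) is not None

def blocked_paths(pattern_name, lines):
    return sorted({p[2] for p in map(parse_line, lines) if p and rewrite_cond_blocks(pattern_name, p[2])})

def make_sample_log():
    """Constructed lines (not from the thread's server): a flooding guest IP at 4 quickmod2
    requests per second, a moderator using quickmod2 and quickmod normally, and a reader."""
    base = datetime(2008, 2, 3, 13, 44, 0)
    fmt = ('{ip} - - [{ts} -0500] "GET {path} HTTP/1.0" {code} {size} "-" '
           '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')
    def line(ip, offset, path, code=200, size=12299):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S")
        return fmt.format(ip=ip, ts=ts, path=path, code=code, size=size)
    lines = []
    for sec in range(30):
        for n in range(4):
            lines.append(line("203.0.113.10", sec, f"/index.php?action=quickmod2;topic={100 + sec * 4 + n}.0"))
    lines.append(line("198.51.100.7", 0, "/index.php?action=quickmod2;topic=6634.0", 302, 0))
    lines.append(line("198.51.100.7", 600, "/index.php?action=quickmod;board=3.0", 302, 0))  # assumed action name
    for k in range(5):
        lines.append(line("192.0.2.5", 40 * k, f"/index.php?topic={500 + k}.0"))
    return lines

if __name__ == "__main__":
    lines = make_sample_log()
    peaks = peak_quickmod2_rate(lines)
    for ip in flagged_ips(peaks):
        print(f"{ip}: {peaks[ip]} quickmod2 requests in one 60-second window")
    for name in REWRITE_CONDS:
        print(f"RewriteCond {name} would 403 {len(blocked_paths(name, lines))} request(s)")
```

Run against the constructed log, the rate check singles out the flooding IP only, the anchored `^quickmod2$` pattern blocks nothing (the real query string is `action=quickmod2;topic=...`, so it never equals `quickmod2`), and the unanchored `quickmod [NC]` pattern blocks every quickmod2 request, the moderator's included, plus the board-level `quickmod` request. That is the trade-off DavidCT and nutn2lewz discuss: the rewrite is a blunt 403 for everyone, while the `is_guest` check in index.php keeps the feature working for logged-in moderators.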

Offline nutn2lewz

  • Semi-Newbie
  • *
  • Posts: 22
Re: Quickmod2 exploit
« Reply #7 on: February 03, 2008, 04:01:18 PM »
The rewrite works like a charm ... 403 them as soon as they arrive. Thank you!

I also added the suggested code to my index.php, checking for is_guest and action=quickmod2.

Everything is working so sweet right now that I can go watch the Superbowl!

Thanks, Barry

Offline DavidCT

  • Sophist Member
  • *****
  • Posts: 1,239
  • Gender: Male
  • $$$ This $pace For Rent $$$
    • Home Plate Network's Ballpark
Re: Quickmod2 exploit
« Reply #8 on: February 03, 2008, 04:04:07 PM »
Quote from: nutn2lewz on February 03, 2008, 04:01:18 PM
The rewrite works like a charm ... 403 them as soon as they arrive. Thank you!

I also added the suggested code to my index.php, checking for is_guest and action=quickmod2.

Everything is working so sweet right now that I can go watch the Superbowl!

Go Patriots!!!

The check for is_guest is really the better way to go. I just suggested the 403 route for the truly paranoid :)

Offline Dark-Wolf

  • Jr. Member
  • **
  • Posts: 344
  • Gender: Male
    • DarkWolf
Re: Quickmod2 exploit
« Reply #9 on: May 02, 2008, 10:50:55 AM »
Hi!
Today I have seen the same error in my log.
Now I have upgraded to the latest 1.1.5.
With release 1.1.5, is it necessary to edit index.php like this:
Quote from: Grudge on February 03, 2008, 02:22:06 PM
To reduce problems further, in index.php find:
Code:
loadUserSettings();

Add after:
Code:
if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
    redirectexit();
?
Thanks in advance, DarkWolf :)
-
Edit:
With release 1.1.5 this error still remains, so now I have made this change:
Quote from: Grudge on February 03, 2008, 02:22:06 PM
To reduce problems further, in index.php find:
Code:
loadUserSettings();

Add after:
Code:
if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
    redirectexit();
;)
« Last Edit: May 03, 2008, 08:12:19 AM by Dark-Wolf »

Offline Sverre

  • Sr. Member
  • ****
  • Posts: 748
Re: Quickmod2 exploit
« Reply #10 on: May 04, 2008, 11:43:44 PM »
I had one of those show up in our Error Log last night too. I didn't notice any related performance issues though, and I've yet to check the Access Log to see if it was just a single hit or a large scale attack like what nutn2lewz experienced. Good to know that there already is a solution if this becomes a problem though :)

Offline Theodore

  • Semi-Newbie
  • *
  • Posts: 35
Re: Quickmod2 exploit
« Reply #11 on: July 01, 2008, 02:08:56 AM »

Had that attack with 1.1.5 as well, starting on June 27th until July 1st (wasn't able to check the logs in that time because I wasn't online). 182 attempts to gain access in that period. Added the code snippet from Dark-Wolf now ...

In index.php search for:
Code:
loadUserSettings();

Add after:
Code:
if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
    redirectexit();


Will keep checking the logs now permanently to see if there'll be a change.


Kind regards ;)

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,489
  • Gender: Male
  • One of the french SMF translators
Re: Quickmod2 exploit
« Reply #12 on: September 20, 2008, 04:04:43 AM »
Noted.

No changes for 1.1.6? Because this ******ing exploit is tried lots of times on my SMF forums...

Offline GravuTrad

  • Senior Translator
  • SMF Hero
  • *
  • Posts: 8,489
  • Gender: Male
  • One of the french SMF translators
Re: Quickmod2 exploit
« Reply #13 on: September 20, 2008, 04:25:29 AM »
Unchanged. The solution is OK for it. ;)