Quickmod2 exploit

Started by nutn2lewz, February 02, 2008, 07:44:35 PM


nutn2lewz

I have a problem with quickmod2 being accessed 5 times a second for minutes at a time from rotating IP's located mostly in Eastern Europe (problem quoted below).

I need to disable quickmod2. What would be the easiest way to accomplish this? Can I simply edit the QuickModeration2() function in Subs-Boards.php?

Thanks, Barry


Quote from: nutn2lewz on January 30, 2008, 02:07:58 PM
Hello,

My SMF forums are getting hit by thousands and thousands of quickmod2 requests. An ip will make 1000 quickmod2 requests in a couple minutes and then another ip will make 50 requests and then another ip will make 200 requests ...

/index.php?action=quickmod2;topic=6634.0
Http Code: 200 Date: Jan 30 13:06:29 Http Version: HTTP/1.0 Size in Bytes: 12299
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


I receive no forum errors other than a dozen of these per day, which I have been receiving for a year or two ...

Guest   Today at 12:26 
38.xxx.xxx.156     21aa53247701459e44b0980ffcd8c08c 
http://forums.homepokertourney.com/index.php?amp;action=quickmod2;topic=10495.0
Unable to verify referring url. Please go back and try again.

   
I am using SMF 1.14 with the default theme.
Mods installed ...
1. SMF Gallery Pro Upgrade 1.3.1
2. SMF Gallery Pro Profile Link 1.0
3. Spell Check Custom Words 1.0.1
4. SMF Gallery Pro 1.1.2
5. Mark Selected Topics As Read 1.0
6. SMF 1.1.2 Update Package 1.1.2
7. SMF 1.0.11 / 1.1.3 Update 1.1
8. SMF 1.0.12 / 1.1.4 / 2.0 b1.1 Update 1.0
9. SMF Gallery Pro SSI 1.1
10. Spoiler Tag 0.3.1 


Top Process %CPU 38.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic6312.20]
Top Process %CPU 21.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic150.0]
Top Process %CPU 16.0 httpd [forums.homepokertourney.com] [/index.php?actionquickmod2;topic4028.80]


MySql was crashing every 15 minutes. I was using a customized forum theme and reverted back to the default theme. MySql has not crashed since reverting back to the default theme.

Could someone have been exploiting quickmod2 in my customized theme? Reverting back to the default theme has not eliminated the server load, but it has stabilized mysql, which has not crashed since.

Any help would be appreciated ...

Thanks, nutN2Lewz


-----------------
Basic Information
January 30, 2008, 02:04:39 PM
Operating System: CentOS release 4.4 (Final) 
Processor: Intel® Pentium® 4 CPU 3.00GHz (3001.494MHz)
Load averages: 0.21, 0.37, 0.61
Current processes: 139 (138 sleeping, 1 running, 0 zombie)
Processes by CPU: httpd (38) 23.9%, mysqld (1) 1.8%, (other) (55) 0.0% 
Memory usage: 79.845% (813104k / 1018348k)
Swap: 6.398% (134132k / 2096472k) 

MySQL processes
Total processes: 5 (4 sleeping, 1 running, 0 locked)

MySQL Statistics
MySQL 5.0.x
Connections per second:  3.3751 
Kilobytes received per second:  11.1075 
Kilobytes sent per second:  47.7427 
Queries per second:  47.4989 
Percentage of slow queries:  0 
Opened vs. Open tables:
(table_cache)  92.625 (should be <= 80) 
Table cache usage:
(table_cache)  1 (should be >= 0.5 and <= 0.9) 
Key buffer read hit rate:
(key_buffer_size)  0.0058 (should be <= 0.01) 
Key buffer write hit rate:
(key_buffer_size)  0.3192 (should be <= 0.5) 
Thread cache hit rate:
(thread_cache_size)  1 (should be >= 30 ) 
Thread cache usage:
(thread_cache_size)  0 (should be >= 0.7 and <= 0.9) 
Temporary table disk usage:
(tmp_table_size)  0.4734 (should be <= 0.5) 
Sort merge pass rate:
(sort_buffer)  0 (should be <= 0.001) 
Query cache enabled:
(query_cache_type)  1 (should be >= 1 and <= 1) 
Query cache miss rate:
(query_cache_limit)  1 (should be <= 0.5) 
Query cache prune rate:
(query_cache_size)  0 (should be <= 0.05) 
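The traffic pattern described above (one IP making hundreds of quickmod2 requests within a couple of minutes with no Referer, then the next IP taking over) is easy to confirm from the web server's access log before touching any SMF code. The following Python script is an added example, not code from this thread or from SMF: it parses Apache combined-format lines, counts requests whose action parameter is exactly quickmod2 per source IP and per minute, and lists sources over a threshold, together with a count of quickmod2 hits that arrived without a Referer (the signature of a request that never came from a forum page). The log lines are constructed for the example with documentation-range addresses (the thread's own output comes from a different stats tool), and the threshold of 3 per minute is only there to make the sample trip; on a live forum it would be set from the observed rate.

```python
"""Rate-count quickmod2 requests per source IP per minute from an Apache access log.

Added example for this thread, not code from SMF or from any poster. The log
lines are constructed in Apache combined format (the thread's own output comes
from a different stats tool) and use documentation-range IP addresses.
"""
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample: one source hammering quickmod2 with no Referer (the pattern
# from the thread), one moderator using it legitimately, one ordinary topic view.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Feb/2008:13:44:46 -0500] "GET /index.php?action=quickmod2;topic=134.0 HTTP/1.0" 302 0 "-" "%s"' % UA,
    '198.51.100.7 - - [03/Feb/2008:13:44:46 -0500] "GET /index.php?action=quickmod2;topic=6634.0 HTTP/1.0" 302 0 "-" "%s"' % UA,
    '198.51.100.7 - - [03/Feb/2008:13:44:47 -0500] "GET /index.php?action=quickmod2;topic=150.0 HTTP/1.0" 302 0 "-" "%s"' % UA,
    '198.51.100.7 - - [03/Feb/2008:13:44:47 -0500] "GET /index.php?action=quickmod2;topic=4028.80 HTTP/1.0" 302 0 "-" "%s"' % UA,
    '203.0.113.9 - - [03/Feb/2008:13:45:02 -0500] "POST /index.php?action=quickmod2;topic=10495.0 HTTP/1.1" 302 0 "http://forums.example/index.php?topic=10495.0" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.55 - - [03/Feb/2008:13:45:10 -0500] "GET /index.php?topic=134.0 HTTP/1.1" 200 15321 "-" "%s"' % UA,
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "03/Feb/2008:13:44:46 -0500": keep the local time, drop the offset
    stamp = rec["ts"].split()[0]
    rec["minute"] = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").strftime("%Y-%m-%d %H:%M")
    return rec


def is_quickmod2(path):
    """True only when the query carries an exact action=quickmod2 parameter.

    SMF separates parameters with ';' (action=quickmod2;topic=134.0), so the
    query is split on ';' and '&' rather than substring-matched."""
    query = path.partition("?")[2]
    return "action=quickmod2" in re.split(r"[;&]", query)


def quickmod2_hits_per_minute(lines):
    """Counter keyed by (ip, 'YYYY-MM-DD HH:MM') of quickmod2 requests."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_quickmod2(rec["path"]):
            counts[(rec["ip"], rec["minute"])] += 1
    return counts


def flag_abusers(lines, threshold):
    """Sorted (ip, minute, count) tuples at or above the per-minute threshold."""
    return sorted(
        (ip, minute, n)
        for (ip, minute), n in quickmod2_hits_per_minute(lines).items()
        if n >= threshold
    )


def no_referer_quickmod2(lines):
    """Counter by ip of quickmod2 requests that carried no Referer at all."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_quickmod2(rec["path"]) and rec["referer"] == "-":
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, minute, n in flag_abusers(SAMPLE_LOG, threshold=3):
        print(f"{ip} made {n} quickmod2 requests in minute {minute}")
    print("quickmod2 hits without Referer:", dict(no_referer_quickmod2(SAMPLE_LOG)))
```

Run it against a real log with `flag_abusers(open("access_log"), threshold=...)`; the line parser rejects lines that are not in combined format, so other vhosts or malformed entries are skipped rather than miscounted.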

nutn2lewz

I definitely have someone exploiting my SMF software. I put my forum into maintenance mode and the quickmod2 requests kept coming - 300 quickmod2 requests a minute from rotating IP's mostly in Eastern Europe. This was overloading my server ... even in maintenance mode.

I altered the quickmod2 function in Subs-Boards ...


// In-topic quick moderation.
function QuickModeration2()
{
    global $sourcedir, $db_prefix, $topic, $board, $ID_MEMBER, $modSettings, $context;

    // Added next two lines due to excessive server connections via quickmod2
    if ($context['user']['is_guest'])
        redirectexit('topic=' . $topic . '.' . $_REQUEST['start']);

    // Check the session = get or post.
    checkSession('request');


I added two lines of code to see if the user is a guest. This has not stopped the excessive requests but it has resulted in file sizes of zero being sent (instead of file sizes of about 15000-20000). So it appears that guests were accessing the quickmod2 function without even visiting my forum. These rotating IP's have found an exploit in the quickmod2 function and have set up bots to make excessive connections to this exploit.

Here is an example of the type of connection I am receiving. You can see that a file size of 0 is now being sent after I made the code change ...

/index.php?action=quickmod2;topic=134.0
Http Code: 302 Date: Feb 03 13:44:46 Http Version: HTTP/1.0 Size in Bytes: 0
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Can anyone offer any advice here? Is there cleaner code than this to prevent guests from accessing the quickmod2 function? ...


    if ($context['user']['is_guest'])
        redirectexit('topic=' . $topic . '.' . $_REQUEST['start']);


Is there any way that I can filter out all the quickmod2 requests at the server level rather than letting them in to exploit my forum?

Any help would be appreciated.

Thanks, nutn

Grudge

To reduce problems further, in index.php find:

loadUserSettings();


Add after:

if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
redirectexit();
I'm only a half geek really...

nutn2lewz

I will try that. Thank you.

I forgot to mention that before making the coding change to quickmod2 I was accumulating numerous MySQL open processes and this was crashing MySQL. After making the coding change to Quickmod2, I no longer have multiple MySQL processes opening up.

So the exploit is allowing guests to access the quickmod2 function, even when the forum is in maintenance mode, and open a MySQL process.

Thanks, Barry

nutn2lewz

Quote from: DavidCT on February 03, 2008, 02:27:48 PM
Maybe...

RewriteEngine On
RewriteCond %{QUERY_STRING} ^quickmod2$
RewriteRule ^.* - [F,L]

If I did this correctly, it would give an error 403 (forbidden) if anyone used "quickmod2" - don't enable "rewriteengine on" if it's already on :)


Would this also prevent legitimate quickmod2 requests?

DavidCT

Of course, but it didn't work so I deleted the message... I should have tried it locally first ;)

DavidCT

RewriteCond %{QUERY_STRING} quickmod [NC]
RewriteRule ^.* - [F,L]

This works.  I suggested it as if you think it's dangerous, why risk it?  Give them a 403 error.
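Why the first RewriteCond above did nothing while the second one works, and what the second one sweeps up, can be checked without an Apache instance. The script below is an added example, not from this thread or from Apache: Python's `re` module stands in for Apache's PCRE engine (a fair approximation for patterns this simple), RewriteCond matching is unanchored so `re.search` is used, and `[NC]` is modelled with `re.IGNORECASE`. The `TIGHT` pattern is a suggestion of this example only, matching an `action=quickmod2` parameter at the start of the query string or after an SMF `;`/`&` separator, so it still catches the `amp;action=quickmod2` form from the error log but leaves board-level `action=quickmod` and a member searching for the word alone. The query strings are constructed; the first two are shaped like the URLs in the thread.

```python
"""Check what the thread's RewriteCond patterns actually match.

Added example, not from the thread or from Apache: Python's re module stands in
for Apache's PCRE engine, RewriteCond matching is unanchored (re.search) and the
[NC] flag is modelled with re.IGNORECASE. TIGHT is a suggestion of this example.
"""
import re

# First attempt from the thread: anchored to the whole query string, so it only
# matches a query string that is exactly "quickmod2", which no SMF URL has.
FIRST = re.compile(r"^quickmod2$")
# The rule that works: any query string containing "quickmod", case-insensitive.
WORKING = re.compile(r"quickmod", re.IGNORECASE)
# Assumed tighter alternative: an action=quickmod2 parameter at the start of the
# query string or right after an SMF ';' / '&' separator.
TIGHT = re.compile(r"(^|[;&])action=quickmod2([;&]|$)")

PATTERNS = {"first": FIRST, "working": WORKING, "tight": TIGHT}

# Constructed query strings; the first two are shaped like the URLs in the thread.
CASES = [
    "action=quickmod2;topic=134.0",         # bot request as logged in the thread
    "amp;action=quickmod2;topic=10495.0",   # the 'amp;' form seen in the SMF error log
    "action=quickmod;board=1.0",            # board-level quick moderation by a moderator
    "action=search2;search=quickmod2",      # a member searching the forum for the word
    "topic=134.0",                          # ordinary topic view
    "quickmod2",                            # the only string the first rule can match
]


def evaluate(query_string):
    """Return {pattern name: whether a RewriteCond with that pattern would fire}."""
    return {name: pat.search(query_string) is not None for name, pat in PATTERNS.items()}


def blocked_by(name, cases=CASES):
    """Sample query strings that a RewriteCond with the named pattern would 403."""
    return [qs for qs in cases if evaluate(qs)[name]]


if __name__ == "__main__":
    for qs in CASES:
        print(f"{qs:38} {evaluate(qs)}")
```

Note that even the tighter pattern still returns 403 to a logged-in moderator's own quickmod2 requests: Apache sees only the URL, not the SMF session, so any rewrite rule is a blunt instrument, and the `is_guest` check inside index.php that Grudge posted earlier in the thread is the one that can tell the two apart.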

nutn2lewz

The rewrite works like a charm ... 403 them as soon as they arrive. Thank you!

I also added the suggested code to my index.php, checking for is_guest and action=quickmod2.

Everything is working so sweet right now that I can go watch the Superbowl!

Thanks, Barry

DavidCT

Quote from: nutn2lewz on February 03, 2008, 04:01:18 PM
The rewrite works like a charm ... 403 them as soon as they arrive. Thank you!

I also added the suggested code to my index.php, checking for is_guest and action=quickmod2.

Everything is working so sweet right now that I can go watch the Superbowl!

Go Patriots!!!

The check for is_guest is really the better way to go.  I just suggested the 403 route for the truly paranoid :)

L'AltroWeb

Hi!
Today I have seen the same error in my log.
Now I have upgraded to the latest 1.1.5.
With release 1.1.5, is it necessary to edit index.php like this:
Quote from: Grudge on February 03, 2008, 02:22:06 PM
To reduce problems further, in index.php find:

loadUserSettings();


Add after:

if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
redirectexit();

?
Thanks in advance, DarkWolf :)
-
Edit:
With release 1.1.5 this error still remains, so now I have made this change:
Quote from: Grudge on February 03, 2008, 02:22:06 PM
To reduce problems further, in index.php find:

loadUserSettings();


Add after:

if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
redirectexit();

;)

Sverre

I had one of those show up in our Error Log last night too. I didn't notice any related performance issues though, and I've yet to check the Access Log to see if it was just a single hit or a large scale attack like what nutn2lewz experienced. Good to know that there already is a solution if this becomes a problem though :)

lars_n


Had that attack with 1.1.5 as well, starting on June 27th until July 1st (I wasn't able to check the logs in that time because I wasn't online). 182 attempts to gain access in that period. Added the code snippet from Dark-Wolf now ...

In index.php search for:

loadUserSettings();



Add after:

if ($GLOBALS['user_info']['is_guest'] && isset($_GET['action']) && $_GET['action'] == 'quickmod2')
redirectexit();



Will keep checking the logs now permanently to see if there'll be a change.


Kind regards ;)

GravuTrad

Noted.

No changes for 1.1.6? Because this ******ing exploit is tried lots of times on my SMF forums...
One always needs someone smaller than oneself! (Small! Small!)


Think about Search function before posting.

GravuTrad

unchanged. solution ok for it. ;)
