Advertisement:
NameCheap

Author Topic: SMF thread hijack hack!  (Read 9477 times)

Offline societyofrobots

  • Jr. Member
  • **
  • Posts: 192
SMF thread hijack hack!
« on: November 13, 2008, 09:20:27 PM »
Today I noticed two posts on my SMF forum that was obviously spam (paris hilton porn, etc.). But it wasn't normal spam . . .

As soon as you click on the thread link, instead of opening up the post, it immediately opened up the attackers website. It loaded almost immediately, but was fortunately blocked by Firefox as a dangerous site.

So somehow a user was able to run code in the SMF forum to cause an automatic redirect?!

I am running the latest 1.1.7 on a linux machine. The only mod I am running is the YouTube mod.

The spammers IP is 92.113.215.182 and hostname 182-215-113-92.pool.ukrtel.net. He signed up only two user names and made a single post for each using a gmail email account.

I probably should have investigated his code more and saved the link, but I just woke up and wasn't thinking straight before I deleted everything.
« Last Edit: November 23, 2008, 03:19:49 PM by SleePy »

Offline Deprecated

  • SMF Hero
  • ******
  • Posts: 3,192
  • Gender: Male
  • I tried being reasonable ....... I didn't like it.
Re: SMF thread hijack hack!
« Reply #1 on: November 13, 2008, 09:22:21 PM »
you should post a link if it happens again
See a list of my mod packages. No support PMs please!

Offline Spacecdr

  • Newbie
  • *
  • Posts: 5
Re: SMF thread hijack hack!
« Reply #2 on: November 14, 2008, 06:03:55 AM »
I have exactly the same problem... it's a week... everyday i remove about 10 "registered users" (spammers) and their own posts.
I have just removed 2 posts before read this thread.
As you can see in my forum, in the last 10 minutes, some new user registered an account (spammer), and soon some of these, will post spam.
I don't know how to limit this thing...
Now i will not remove spam threads... waiting someone of you could tell me how to resolve.
Bye

P.s. My forum is: hxxp:lnx.htpcpoint.it [nonactive]
« Last Edit: November 14, 2008, 06:06:33 AM by Spacecdr »

Offline Deprecated

  • SMF Hero
  • ******
  • Posts: 3,192
  • Gender: Male
  • I tried being reasonable ....... I didn't like it.
Re: SMF thread hijack hack!
« Reply #3 on: November 14, 2008, 08:12:59 AM »
Well I can't figure out which if any is spam.

I'm looking for one that satisfies this: "As soon as you click on the thread link, instead of opening up the post, it immediately opened up the attackers website."

The idea is to figure out what they're doing, then of course we would delete the threads. What I have in mind is seeing if we can prevent those from working in the future, and working on other sites. Like some settings or something to prevent that type of post from taking them off-site.
See a list of my mod packages. No support PMs please!

Offline s E t H

  • Newbie
  • *
  • Posts: 1
Re: SMF thread hijack hack!
« Reply #4 on: November 14, 2008, 12:08:07 PM »
hxxp:foro.undersecurity.net/read.php?16,252 [nonactive]

Offline Deprecated

  • SMF Hero
  • ******
  • Posts: 3,192
  • Gender: Male
  • I tried being reasonable ....... I didn't like it.
Re: SMF thread hijack hack!
« Reply #5 on: November 14, 2008, 12:09:26 PM »
Well the 1.1.6 exploit is what prompted the release of the 1.1.7 fix.
See a list of my mod packages. No support PMs please!

Offline Bigguy

  • Support Specialist
  • SMF Super Hero
  • *
  • Posts: 11,447
  • Gender: Male
  • Be nice, or else....
    • SMF Helper
Re: SMF thread hijack hack!
« Reply #6 on: November 14, 2008, 12:10:37 PM »
Maybe there putting their link in the thread title. ???

Offline Deprecated

  • SMF Hero
  • ******
  • Posts: 3,192
  • Gender: Male
  • I tried being reasonable ....... I didn't like it.
Re: SMF thread hijack hack!
« Reply #7 on: November 14, 2008, 12:25:32 PM »
Was thinking that, but as far as I recall topic names are filtered to prevent functional HTML. I didn't check, could be wrong...
See a list of my mod packages. No support PMs please!

Offline SleePy

  • Site Team
  • SMF Master
  • *
  • Posts: 28,868
  • Gender: Male
  • Thats his happy face.
    • @jdarwood on Twitter
    • SleePy Code - My personal site
Re: SMF thread hijack hack! <b>html is not allowed</b>
« Reply #8 on: November 14, 2008, 12:56:48 PM »
Html is not allowed in subjects nor messages. Although admins can use the html bbc to post straight html
Jeremy D — Site Team / SMF Developer
Support the SMF Support team!
Profiles:
GitHub
G+

Offline Spacecdr

  • Newbie
  • *
  • Posts: 5
Re: SMF thread hijack hack!
« Reply #9 on: November 15, 2008, 04:48:26 PM »
Now you can see spam on my forum... lnx.htpcpoint.it
First board... amazing, they created threads with on topic the domain name!
I upgraded forum to 1.1.7 three days ago... i don't know how to prevent these spammers!
Hope someone help me how to solve or explain me how do they spam?

Offline Spacecdr

  • Newbie
  • *
  • Posts: 5
Re: SMF thread hijack hack!
« Reply #10 on: November 16, 2008, 08:49:06 AM »
I have raised complexity on visual verify on registration... hope this help to block them to register new accounts.
I will let you know...

Offline das7002

  • Semi-Newbie
  • *
  • Posts: 17
Re: SMF thread hijack hack! [url=http://google.com]Google!~!~!~![/url]
« Reply #11 on: November 16, 2008, 04:14:28 PM »
That is an interesting attack method

Offline Spacecdr

  • Newbie
  • *
  • Posts: 5
Re: SMF thread hijack hack!
« Reply #12 on: November 16, 2008, 07:04:37 PM »
Infact i suppose the problem was that... it's 4-5 hours none register a valid account...

Offline Spacecdr

  • Newbie
  • *
  • Posts: 5
Re: SMF thread hijack hack!
« Reply #13 on: November 18, 2008, 09:03:03 AM »
That do the job. No more spam accounts or spam threads.
Bye

Offline societyofrobots

  • Jr. Member
  • **
  • Posts: 192
Re: SMF thread hijack hack!
« Reply #14 on: November 20, 2008, 10:44:56 AM »
The spammer hasn't attempted the exploit again . . . perhaps because I'm blocking his IP. I'll post what I find if and when I see it again.