News:

Wondering if this will always be free?  See why free is better.

Main Menu

SMF thread hijack hack!

Started by societyofrobots, November 13, 2008, 09:20:27 PM

Previous topic - Next topic

societyofrobots

Today I noticed two posts on my SMF forum that was obviously spam (paris hilton porn, etc.). But it wasn't normal spam . . .

As soon as you click on the thread link, instead of opening up the post, it immediately opened up the attackers website. It loaded almost immediately, but was fortunately blocked by Firefox as a dangerous site.

So somehow a user was able to run code in the SMF forum to cause an automatic redirect?!

I am running the latest 1.1.7 on a linux machine. The only mod I am running is the YouTube mod.

The spammers IP is 92.113.215.182 and hostname 182-215-113-92.pool.ukrtel.net. He signed up only two user names and made a single post for each using a gmail email account.

I probably should have investigated his code more and saved the link, but I just woke up and wasn't thinking straight before I deleted everything.

Deprecated

you should post a link if it happens again

Spacecdr

#2
I have exactly the same problem... it's a week... everyday i remove about 10 "registered users" (spammers) and their own posts.
I have just removed 2 posts before read this thread.
As you can see in my forum, in the last 10 minutes, some new user registered an account (spammer), and soon some of these, will post spam.
I don't know how to limit this thing...
Now i will not remove spam threads... waiting someone of you could tell me how to resolve.
Bye

P.s. My forum is: hxxp:lnx.htpcpoint.it [nonactive]

Deprecated

Well I can't figure out which if any is spam.

I'm looking for one that satisfies this: "As soon as you click on the thread link, instead of opening up the post, it immediately opened up the attackers website."

The idea is to figure out what they're doing, then of course we would delete the threads. What I have in mind is seeing if we can prevent those from working in the future, and working on other sites. Like some settings or something to prevent that type of post from taking them off-site.

s E t H

hxxp:foro.undersecurity.net/read.php?16,252 [nonactive]

Deprecated

Well the 1.1.6 exploit is what prompted the release of the 1.1.7 fix.

Bigguy

Maybe there putting their link in the thread title. ???

Deprecated

Was thinking that, but as far as I recall topic names are filtered to prevent functional HTML. I didn't check, could be wrong...

SleePy

Html is not allowed in subjects nor messages. Although admins can use the html bbc to post straight html
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Spacecdr

Now you can see spam on my forum... hxxp:lnx.htpcpoint.it [nonactive]
First board... amazing, they created threads with on topic the domain name!
I upgraded forum to 1.1.7 three days ago... i don't know how to prevent these spammers!
Hope someone help me how to solve or explain me how do they spam?

Spacecdr

I have raised complexity on visual verify on registration... hope this help to block them to register new accounts.
I will let you know...

das7002


Spacecdr

Infact i suppose the problem was that... it's 4-5 hours none register a valid account...

Spacecdr

That do the job. No more spam accounts or spam threads.
Bye

societyofrobots

The spammer hasn't attempted the exploit again . . . perhaps because I'm blocking his IP. I'll post what I find if and when I see it again.

Advertisement: