
Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

JBlaze

Jason Clemons
Former Team Member 2009 - 2012

Relyana

Thank you so much !!! That hacker opened 3 accounts already (krisbarteo, MagicOPromotion and stilusmagic).

The "Stop Spammer" mod is simply fabulous (made me laugh too: it blocked the account of one of my Global Mods, someone I have known for years :P - his IP and email address are clean but his nickname is in the database - a common name actually).

I can't thank you enough.  O:)


rthrash

1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.

JBlaze

Quote from: rthrash on May 11, 2009, 11:17:17 AM
1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.

This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0
Jason Clemons
Former Team Member 2009 - 2012

rthrash

Quote from: JBlaze™ on May 11, 2009, 11:19:47 AM
This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0

We've disabled all uploads, and the Stop Spammer mod should prevent most signups but there are definitely ways to get around that quickly. So other than shutting down the functionality there's no additional info? Is the same base code in place in the 2.0 branch?

JBlaze

So far, I have not heard of or seen any attacks that affected the 2.0 version, but that's not to say that it hasn't happened.


What it boils down to is that the avatar that is being uploaded in this attack has php code embedded into it and it is being parsed through the avatar handler.
Jason Clemons
Former Team Member 2009 - 2012

rthrash

Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

JBlaze

Quote from: rthrash on May 11, 2009, 11:49:38 AM
Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

No problem. I'm trying to stay one step ahead of this attack and provide the best support I can :)
Jason Clemons
Former Team Member 2009 - 2012

rthrash

I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

JBlaze

Quote from: rthrash on May 11, 2009, 02:47:35 PM
I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

I will have to look into it as I have had it installed for about a month now and didn't have problems on install. There may have been an update since then. I will post back with my findings.
Jason Clemons
Former Team Member 2009 - 2012

DirtRider

I have just installed it on two of my sites with no problems at all
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Polymath

I must say it is very nice. I have deleted the whole folder twice. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension), and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3


And it won't go away.... Very nice.. >:(

Response:   550 Can't remove directory: Directory not empty
Status:   Retrieving directory listing...
Command:   PASV
Response:   227 Entering Passive Mode (209,200,249,149,107,97)
Command:   LIST
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -a -l
Response:   226 29 matches total
Status:   Directory listing successful


Any ideas? Permissions are 755 on it (drwxr-xr-x).

And another question: can I repair the PHP file and upload it as I go, or will it just get written again?
* I don't suffer from insanity; I enjoy every minute of it. *
F.I.G.J.A.M

djkimmel

If this code were placed in my avatar upload/attachments directory .htaccess, would it provide protection against an attack like this? (I still can't believe anyone could just upload PHP in a '.jpg' file and get it to run?!?) It was suggested to me after I explained how this person was able to hack my forum (and all other PHP files in every folder):

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif)$">
Allow from all
</Files>


I'm thinking it might cause a problem since regular attachments are encrypted, though I would think the encrypted attachments should keep them from being used the same as an uploaded avatar was used? Would this code in an htaccess file keep any of the encrypted files from being uploaded and used on the forum? Would it stop a graphic file from executing code?
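An added example, not the snippet from the post above and not SMF's own code: an .htaccess for the avatar/attachment directory that keeps the image-only allow list djkimmel posted and adds the directives that stop Apache from handing a file in that directory to any script engine, whatever its name or contents. It assumes Apache 2.2 with mod_php (the thread's era) and an `AllowOverride` that permits `Options`, `FileInfo` and `Limit`; the directory path is hypothetical.

```apache
# Hypothetical: /var/www/forum/attachments/.htaccess (same file for avatars/).
# Added example, not the original poster's snippet and not from SMF.

# 1. mod_php only: never run the PHP engine on anything served from here,
#    even for a file named .php or one a server-wide handler would map.
php_flag engine off

# 2. Detach every script handler and MIME type for this directory and serve
#    everything as plain static content (needs AllowOverride FileInfo).
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .pl .py .cgi .sh
RemoveType    .php .phtml .php3 .php4 .php5 .phps
SetHandler    default-handler
Options -ExecCGI -Indexes

# 3. Only hand out names ending in an image extension; anything else is
#    refused. The <FilesMatch> rule replaces the directory-level one for
#    matching names, which is the same pattern the post above relies on.
Order Allow,Deny
Deny from all
<FilesMatch "(?i)\.(jpe?g|gif|png)$">
    Allow from all
</FilesMatch>
```

Two caveats. `php_flag` is honoured only by mod_php; under CGI, FastCGI or php-fpm it is silently ignored and steps 2 and 3 carry the weight, so test by requesting a `.jpg` that contains `<?php phpinfo(); ?>` and confirming the raw bytes come back with `Content-Type: image/jpeg`. And these rules only govern direct requests for files in the directory; JBlaze reports the avatar being parsed through SMF's avatar handler, and nothing in .htaccess reaches code that reads the uploaded bytes itself, which is why the thread's unofficial fix and the eventual SMF patch are the real remedy.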

MrPhil

If you have PHP code within a .jpg file, I'm not sure that the .htaccess code is going to catch it (since it's not .php). Have you tried making an "innocent" image file (just says "Hello World") and tested it?

Would it be possible to scan incoming image uploads and blank out all script code (everything between <? and ?>, and everything between <script and script>, and whatever else is needed)?

djkimmel

Haven't tried that yet, but it is a good suggestion.

The 2nd suggestion is beyond my skills at this time... but I'm learning out of necessity :) Might work once I learn how, but maybe the simpler suggestion is to do some limits so members have to be around a while before they can upload or do attachments.

Still can't believe it was so easy for this person to hack SMF and use it on the rest of the site. I've read everything suggested or linked on the few threads regarding this hack and protection in general. I hope that covers any other surprises I might get like this one? No more overconfidence for me. Too much I don't know about this stuff.

GamingTrend

So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

Oh, and when I was allowing uploading of avatars (I've disabled it for now) the avatars would eventually die off and have to be re-uploaded. 
Ron Burke
Director of Gaming Trend

Agafonov

Quote from: GamingTrend on May 12, 2009, 03:01:24 PM
So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

You should remove all files and folders except settings and attachments.
There are a number of new files injected as well, with "hacker's control panel" code.
Then search and remove all files found by:
Code (sh):
grep -rl "<?php" attachments/

crash56

Theoretical question here, because I'm getting all of this straight in my mind ...

If we were to get hit by this hacker, and we had a recent clean backup of all our files, we could just reupload those ... yes?  Or does this code get into the database in some way so we would have to clean that up as well?

JBlaze

So far, this hack only affects the /Sources and /Themes files as well as the affected avatar. To my knowledge, having worked with members on this hack for the past week or so, I have yet to find any damage done to the database.

The one thing that has saved members was backing up their files by simply downloading the entire SMF installation, minus the database, to their hard drive once a day.

Then, if you feel you have been hacked, take your forum offline, upload the backed-up files, making sure the old ones are overwritten, and voila!
Jason Clemons
Former Team Member 2009 - 2012

crash56

Great!  Thanks!  (No, we're not going to drop all defenses. ;) )