Author Topic: Hacked, script injection  (Read 178778 times)

Offline JBlaze

Re: Hacked, script injection
« Reply #140 on: May 12, 2009, 04:16:23 PM »
Quote
I have a question - is this hack simply an avatar upload and the forums wrecked?

I mean, can any Joe Shmoe get a hold of this avatar and use it without "skills"?

That's a good question. But for now, it has been limited to only a few usernames such as "krisbarteo" and "MagicOPromotion" among a few others.

But yes, it is a good point to bring up as so far it is a generic 1x1 avatar that is masked with either a .jpg or .gif extension, but contains php code.

I will look into it.
Jason "JBlaze" Clemons
Former Support & Customization     
Current Projects
Xbox LIVE API
Simple Avatar Rotator     
Important Links
Please, no PMs for support.
Unmanaged VPS Starting at $20/mo

Offline matthieu

Re: Hacked, script injection
« Reply #141 on: May 12, 2009, 04:22:56 PM »
Hi,

Thanks for this topic !
I have this problem with the member named above (krisbarteo) and his avatar was indeed encapsulated PHP ...

My error was to set CHMOD 777 on the attachment directory ... Shame on me ...

Offline JBlaze

Re: Hacked, script injection
« Reply #142 on: May 12, 2009, 04:29:52 PM »
I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0

Offline matthieu

Re: Hacked, script injection
« Reply #143 on: May 12, 2009, 04:37:49 PM »
Yes, JBlaze, thx. I read it and applied changes.

Offline Agafonov

Re: Hacked, script injection
« Reply #144 on: May 12, 2009, 06:02:29 PM »
Or does this code get into the database in some way so we would have to clean that up as well?

Analyzing DB dump:
The user (krisbarteo) has set theme_dir to ./attachments/avatar_46455.jpg\0 (note the zero code at the end).
Then requests (according to the error log) to ?action=theme;sa=pick;u=46455;sesc lead to execution of the avatar as PHP in an include() call inside the theme-handling code.
Quote
8: Use of undefined constant php - assumed 'php'
File: /nfs/www/ru/forum/htdocs/attachments/avatar_46455.jpg
Line: 1

How the value of theme_dir appeared in the smf_themes table is the main question.

Offline Polymath

Re: Hacked, script injection
« Reply #145 on: May 12, 2009, 09:00:07 PM »
I have all the code on top.. but I cannot find his avatar at all.
* I don't suffer from insanity; I enjoy every minute of it. *
F.I.G.J.A.M

Offline Polymath

Re: Hacked, script injection
« Reply #146 on: May 12, 2009, 10:54:39 PM »
OK. I removed all code up top and now I only get the top half of my website..  :( My backup was the one I removed it from. Is there something I missed? It is the Sources that has caused this. My admin is still there and working, but nothing else.
I just removed and uploaded.
Any ideas?

Offline JBlaze

Re: Hacked, script injection
« Reply #147 on: May 12, 2009, 11:11:26 PM »
Make sure that you did not leave a space at the top of each file.

<?php must be the first line

Offline Polymath

Re: Hacked, script injection
« Reply #148 on: May 12, 2009, 11:18:34 PM »
Bugger.. I bet I overwrote settings.php..

Offline dcmouser

Re: Hacked, script injection
« Reply #149 on: May 13, 2009, 05:53:42 AM »
OK, so we did some investigating on our forum to see how vulnerable we were to this attack; Agafonov's discovery was a big help in understanding what was going on.

Let me summarize what I think I understand, pieced together from several places and from going through the code.

The attack is a multi-step attack:

FIRST, the user uploads an avatar image (or an attachment on a post); it doesn't really matter, and it doesn't have to be an image, I don't think.
The goal here is for them simply to get their payload PHP script onto your server.

SECOND, they trick the forum code into INCLUDING their payload PHP file while it's running other PHP code.

This second part is the tricky part, and it's what makes some of the potential fixes suggested in this thread useless.

The original method that they use to execute the file payload was described back in November 2008, as can be seen in this thread:
http://www.simplemachines.org/community/index.php?topic=272393.20

The basic idea is that the evil user tells the SMF forum to INCLUDE a file from the CUSTOM theme directory (variable theme_dir). And then they bring up one of the pages on the forum that actually loads a file in the theme dir.

By setting the theme_dir to the file path of their malicious fake image file (with a \0 on the end of it, as seen above), the malicious user actually tricks the SMF forum into parsing the fake image file and executing the PHP in it directly.

---

Now, the part that makes this a bit messy to fix is that there are NUMEROUS places in SMF where a user's custom 'theme_dir' variable can be set, and numerous places where it is used.

It seems to me that most of these were fixed in earlier SMF releases.. *BUT* a few remain(!) and that is how this exploit is still occurring.

---

[the truth is that users should NEVER be allowed to customize their theme_dir -- this is a flaw in SMF and should be remedied]

I'm offering some fixes we did locally, but I'm not guaranteeing this will fix all the risk -- and I hope SMF people will follow up.

The first fix will prevent the Theme Picker from using custom user theme_dir variables, which should prevent this particular exploit even for users who previously modified their variable in an effort to hack your forum. This one is the most important quick fix and should solve this particular exploit:

In Themes.php, FIND:
      $request = db_query("
         SELECT ID_THEME, variable, value
         FROM {$db_prefix}themes
         WHERE variable IN ('name', 'theme_url', 'theme_dir', 'images_url')" . (empty($modSettings['theme_default']) && !allowedTo('admin_forum') ? "
            AND ID_THEME IN ('$knownThemes')
            AND ID_THEME != 1" : '') . "
            AND ID_THEME != 0
AND ADD AT THE END:
            AND ID_MEMBER = 0



The second fix will prevent new changes to users' theme_dir variable (but not correct existing changes that evil members already set).
I'll leave it for someone else to go into more details since I'm running low on sleep, but basically:
In Profile.php, go into the makeThemeChanges function,
and inside both loops through $_POST['options'] and $_POST['default_options']
add a line inside the loops saying:
         if (strpos($opt, '_dir') !== FALSE || strpos($opt, '_url') !== FALSE)
            continue;


---

There are 2 more things you can do:
search the SMF database, the themes table,
for rows where variable=theme_dir

The hits are users who have tried to use this exploit.

DELETE THESE ROWS -- after noting the filenames and user IDs.

Now I'd say don't panic when you find entries there -- but DO go check out the files uploaded by these users (you'll see them listed in these rows), and make sure you don't find really evil PHP code in any of them.. Those tables will also tell you which exact users uploaded the files and attempted to run exploits. Then delete those attachment files.

---

Hope that's at least some use -- sorry it's not explained better, but we just spent a few hours on this right before we planned on sleeping, so I'm just rushing to explain what we found in time to be useful to someone.

And note that none of the instructions above will do anything to CLEAN a system that has actually been exploited by this attack by someone who put really malicious code in one of the payloads.
« Last Edit: May 13, 2009, 05:58:35 AM by dcmouser »
proud member of donationcoder.com (forum)
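As an added illustration of the database audit dcmouser recommends, and of the theme_dir value Agafonov found in his dump, here is a Python check over a constructed sample of smf_themes rows. It is not code from the thread or from SMF; the Themes root path, the sample rows and their values are assumptions.

```python
import os

# Constructed sample of rows from an SMF 1.1 smf_themes table, as tuples of
# (ID_MEMBER, ID_THEME, variable, value). ID_MEMBER = 0 rows define the theme
# itself; ID_MEMBER != 0 rows are per-member option overrides.
SAMPLE_THEME_ROWS = [
    (0, 1, "name", "SMF Default Theme"),
    (0, 1, "theme_dir", "/var/www/forum/Themes/default"),
    (0, 1, "theme_url", "http://forum.example/Themes/default"),
    (0, 2, "theme_dir", "/var/www/forum/Themes/babylon"),
    # same shape as the value Agafonov found: attachment path plus trailing NUL
    (46455, 1, "theme_dir", "./attachments/avatar_46455.jpg\x00"),
    (46455, 1, "show_avatars", "1"),
    (777, 2, "images_url", "http://attacker.example/img"),
    (123, 1, "display_quick_reply", "1"),
]

THEMES_ROOT = "/var/www/forum/Themes"  # assumed install path of the forum

def is_path_option(name):
    """Same test as the Profile.php guard above: an option whose name contains
    _dir or _url is a path, and members must never be able to set one."""
    return "_dir" in name or "_url" in name

def audit_theme_rows(rows, themes_root=THEMES_ROOT):
    """Flag rows that could redirect the theme include() to an uploaded file.
    Returns a list of (ID_MEMBER, variable, value, reasons)."""
    findings = []
    for member_id, _theme_id, variable, value in rows:
        reasons = []
        if member_id != 0 and is_path_option(variable):
            reasons.append("path option stored for a member, not for a theme")
        if "\x00" in value:
            reasons.append("NUL byte in value (truncates the include path)")
        if variable == "theme_dir":
            clean = os.path.normpath(value.split("\x00", 1)[0])
            if not clean.startswith(themes_root + "/"):
                reasons.append("theme_dir points outside the Themes directory")
        if reasons:
            findings.append((member_id, variable, value, reasons))
    return findings

def files_to_inspect(findings):
    """Uploaded files referenced by flagged rows, to review before deleting."""
    names = {os.path.basename(v.split("\x00", 1)[0])
             for _m, var, v, _r in findings if var == "theme_dir"}
    return sorted(names)
```

Run `audit_theme_rows` over the real table export (same four columns) and review the files returned by `files_to_inspect` before deleting the flagged rows and attachments.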

Online Kindred

Re: Hacked, script injection
« Reply #150 on: May 13, 2009, 08:18:08 AM »
DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support forums.  Thank you.

Offline kwah

Re: Hacked, script injection
« Reply #151 on: May 13, 2009, 09:09:44 AM »
Quote
DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.

We kinda suspected it.

Any indication on ETA would be very much appreciated by a lot of people I guess. Uncertainty is one of the worst things, you know...

Offline DirtRider

Re: Hacked, script injection
« Reply #152 on: May 13, 2009, 10:14:24 AM »
I have made contact with this hacker's ISP; here is the reply:

Quote
Thanks for your reporting.

1. Please tell more information about this action, domain name (-s) or IP address (-es) of your website, which has suffered?
2. IP address (-es) who attacked your website?

We investigate this action and we'll do anything to avoid this problem in future.

So if you want to PM me your info, I will compile a list and send it along to them for investigation. Also include the time, more or less, that the hack took place.
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Offline GamingTrend

Re: Hacked, script injection
« Reply #153 on: May 13, 2009, 02:27:06 PM »
Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

Ron Burke
Director of Gaming Trend

Offline Edvard

Re: Hacked, script injection
« Reply #154 on: May 13, 2009, 02:41:42 PM »
I'd just like to add that I also had a Hacktool.Rootkit on the PC I use for administering my website. I solved this first, and then, when the whole site was taken off-air, I asked my web host to change the passwords for the FTP and MySQL. After that I uploaded the site again, and since then the site hasn't been infested by bad PHP code anymore.

Btw, I have the idea that Krisbarteo never got to upload an avatar on my site, yet I got all this trouble anyway...

Offline GamingTrend

Re: Hacked, script injection
« Reply #155 on: May 13, 2009, 02:45:28 PM »
Quote
Should there be files in /Themes/babylon/topic/?

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

I deleted them all just to be sure anyway.  I don't like randomly named files that span roughly 3000 different names.  Let's hope that my cleanup worked.

Offline justjim

Re: Hacked, script injection
« Reply #156 on: May 13, 2009, 03:41:17 PM »
He has hit our forum as well.

I have been cleaning for 2 days. I thought I got all of the code out of the files, but these problems remain:

Some of our members' avatars have failed to display, as has the random letter code that is supposed to be displayed on the registration screen.
The members whose avatars have disappeared are unable to upload a replacement avatar.
The members whose avatars do not display are in the attachment folder. I have physically verified that they are there.
I have no error logs indicating an issue.

I have right-clicked 2 of the missing avatars ->> Properties, and this is what is displayed:

http://sh.com/simplemachinesforum/index.php?action=dlattach;attach=270;type=avatar

http://sh.com/simplemachinesforum/index.php?action=dlattach;attach=813;type=avatar

I have right-clicked the random letter code box ->> Properties, and this is what is displayed:

http://sh.com/simplemachinesforum/index.php?action=verificationcode;rand=2157f0db0a2cbf8323e7f0fee5ee2fd1

Of course now, new members cannot register without a verification code. I feel somehow they are related.

Can you please tell me where to look for the problem?

By the way, I have a sample of the 64 code, the infected avatar itself, the IP address 94.142.129.147 (Latvia),

and the code strings of the avatar, if anyone wants a copy or any other info.

Offline M-DVD

Re: Hacked, script injection
« Reply #157 on: May 13, 2009, 11:23:37 PM »
1.- Here are some details about krisbarteo. Can somebody give me more data to report on the SFS site? (and all the people using this DB will be immune from these users).

2.- If somebody has "the avatar uploaded" by this user, they should give it to the SMF Team (and me, XD, I'm curious). (done, thanks :))

3.- There is another problem: how do the spammers run this file once uploaded?
« Last Edit: May 13, 2009, 11:27:47 PM by M-DVD »

Offline Filipina

Re: Hacked, script injection
« Reply #158 on: May 14, 2009, 12:05:54 AM »
Since I have an avatar-upload-on-registration modification which I do not feel like messing with, I have disabled registrations. What if I just say screw it and take my chances, while saving a copy of all the files in my forum directory twice a day? If I get hacked, can't I just upload all the clean files from my forum and all will be fine?