Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: societyofrobots on November 13, 2008, 09:20:27 PM

Title: SMF thread hijack hack!
Post by: societyofrobots on November 13, 2008, 09:20:27 PM
Today I noticed two posts on my SMF forum that were obviously spam (Paris Hilton porn, etc.). But it wasn't normal spam . . .

As soon as you click on the thread link, instead of opening up the post, it immediately opened up the attacker's website. It loaded almost immediately, but was fortunately blocked by Firefox as a dangerous site.

So somehow a user was able to run code in the SMF forum to cause an automatic redirect?!

I am running the latest 1.1.7 on a Linux machine. The only mod I am running is the YouTube mod.

The spammer's IP is 92.113.215.182 and hostname 182-215-113-92.pool.ukrtel.net. He signed up only two user names and made a single post for each using a Gmail email account.

I probably should have investigated his code more and saved the link, but I just woke up and wasn't thinking straight before I deleted everything.
Title: Re: SMF thread hijack hack!
Post by: Deprecated on November 13, 2008, 09:22:21 PM
You should post a link if it happens again.
Title: Re: SMF thread hijack hack!
Post by: Spacecdr on November 14, 2008, 06:03:55 AM
I have exactly the same problem... it's been a week... every day I remove about 10 "registered users" (spammers) and their own posts.
I had just removed 2 posts before reading this thread.
As you can see in my forum, in the last 10 minutes, some new user registered an account (spammer), and soon some of these will post spam.
I don't know how to limit this thing...
For now I will not remove the spam threads... waiting for one of you to tell me how to resolve this.
Bye

P.s. My forum is: http://lnx.htpcpoint.it
Title: Re: SMF thread hijack hack!
Post by: Deprecated on November 14, 2008, 08:12:59 AM
Well, I can't figure out which, if any, is spam.

I'm looking for one that satisfies this: "As soon as you click on the thread link, instead of opening up the post, it immediately opened up the attacker's website."

The idea is to figure out what they're doing, then of course we would delete the threads. What I have in mind is seeing if we can prevent those from working in the future, and working on other sites. Like some settings or something to prevent that type of post from taking them off-site.
Title: Re: SMF thread hijack hack!
Post by: s E t H on November 14, 2008, 12:08:07 PM
Maybe this is related (http://foro.undersecurity.net/read.php?16,252)
Title: Re: SMF thread hijack hack!
Post by: Deprecated on November 14, 2008, 12:09:26 PM
Well, the 1.1.6 exploit is what prompted the release of the 1.1.7 fix.
Title: Re: SMF thread hijack hack!
Post by: Bigguy on November 14, 2008, 12:10:37 PM
Maybe they're putting their link in the thread title. ???
Title: Re: SMF thread hijack hack!
Post by: Deprecated on November 14, 2008, 12:25:32 PM
Was thinking that, but as far as I recall topic names are filtered to prevent functional HTML. I didn't check, could be wrong...
Title: Re: SMF thread hijack hack! <b>html is not allowed</b>
Post by: SleePy on November 14, 2008, 12:56:48 PM
HTML is not allowed in subjects or messages, although admins can use the html bbc to post straight HTML.
Title: Re: SMF thread hijack hack!
Post by: Spacecdr on November 15, 2008, 04:48:26 PM
Now you can see spam on my forum... lnx.htpcpoint.it
First board... amazing, they created threads with the domain name as the topic!
I upgraded the forum to 1.1.7 three days ago... I don't know how to prevent these spammers!
I hope someone can help me solve this or explain to me how they spam.
Title: Re: SMF thread hijack hack!
Post by: Spacecdr on November 16, 2008, 08:49:06 AM
I have raised the complexity of the visual verification on registration... I hope this helps to block them from registering new accounts.
I will let you know...
Title: Re: SMF thread hijack hack! [url=http://google.com]Google!~!~!~![/url]
Post by: das7002 on November 16, 2008, 04:14:28 PM
That is an interesting attack method.
Title: Re: SMF thread hijack hack!
Post by: Spacecdr on November 16, 2008, 07:04:37 PM
In fact I suppose the problem was that... it's been 4-5 hours and no one has registered a valid account...
Title: Re: SMF thread hijack hack!
Post by: Spacecdr on November 18, 2008, 09:03:03 AM
That did the job. No more spam accounts or spam threads.
Bye
Title: Re: SMF thread hijack hack!
Post by: societyofrobots on November 20, 2008, 10:44:56 AM
The spammer hasn't attempted the exploit again . . . perhaps because I'm blocking his IP. I'll post what I find if and when I see it again.