Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


M-DVD

Quote from: Tiribulus on May 15, 2009, 05:59:07 PM
Quote from: M-DVD on May 15, 2009, 05:53:32 PM
<<< I found the way, just because I already knew that it exists and searched the site. >>>

How would ya like to be a sterling citizen and share that with us? :)

No problem XD

I have found how to make the hack. Now I'm trying to replicate it in SMF 2 and on other potential sites. Then I will make the fix and share the fix.

Kindred

Once again, be aware that the SMF development team is working very hard on putting together an official security patch.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sabre™

Someone had a snoop at one of my sites a few weeks back, but since that site is invite only, no glory.
I don't allow attachments/images uploaded, but I'm about to open a music site where upcoming/unknown artists may attach their mp3 files for users to listen to.
So I look forward to your patch team :)
Do NOT give admin and/or FTP details to just anybody; see if they are trustworthy first!!  Do your homework ;)


stardx

Quote from: agridoc on May 15, 2009, 06:54:34 AM
One important thing that I had not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded at hxxp:www.motobit.com/util/base64-decoder-encoder.asp. [nonactive]

The longest path in the domain's dir is used and many garbage files are added there. I had to use SHELL to find and keep this file for examination, as there are file limitations in FTP and CP filemanager. The file can be decoded to see what else could have been done.

If there is no recent backup, each PHP file has to be opened and the injected code deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search the domain recursively for PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

Dunno if you've found a script by now; I did just that recently with a simple find/sed shell routine.


# Walk the web root for PHP files that contain the injected base64 string, print each
# path, and hand the file to clear.sh; "grep tmp" keeps only the printed paths
nohup find /tmp/web13 -name "*.php" -exec grep "aWYoZnVuY3Rpb24" {} \; -print -exec clear.sh {} \; | grep tmp &

clear.sh:

#!/bin/bash
# $1 is the infected PHP file; the injected eval line sits on its first line
mkdir -p "/tmp/backup$(dirname "$1")"
# write a copy without the first line into the backup tree
sed -e '1d' "$1" > "/tmp/backup$1"
# keep the infected original next to it for examination
mv "$1" "$1.hack" 2>/dev/null
# put the cleaned copy in the original's place
mv "/tmp/backup$1" "$1" 2>/dev/null


You could even do it with the "sed -i" command in one line; I had to copy/move all the files because I did it on a curlftpfs-mounted device.
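An added cleaner, written for this thread and not stardx's script or any SMF code, that does what agridoc asked for and what the find/sed routine above does: walk a web root for PHP files carrying the injected eval(base64_decode(...)) statement, copy each one to a backup tree for examination, and strip the statement. The marker string is the one grepped for above; the web root, file names and payload in demo() are constructed for the demonstration.

```python
import os
import re
import shutil
import tempfile

# Base64 prefix of "if(function", the string grepped for in the thread.
MARKER = "aWYoZnVuY3Rpb24"
# One whole injected statement, e.g. <?php eval(base64_decode("aWYo...")); ?>
INJECTED_RE = re.compile(r'<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*["\']'
                         r'[A-Za-z0-9+/=]+["\']\s*\)\s*\)\s*;\s*\?>')

def find_infected(root):
    """Return the sorted paths of *.php files under root that contain MARKER."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if MARKER in fh.read():
                        hits.append(path)
    return sorted(hits)

def clean_file(path, backup_root):
    """Copy path under backup_root, then delete every injected statement; returns the count."""
    backup = os.path.join(backup_root, path.lstrip(os.sep))
    os.makedirs(os.path.dirname(backup), exist_ok=True)
    shutil.copy2(path, backup)  # the infected original is kept for examination
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    cleaned, count = INJECTED_RE.subn("", source)
    if count:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned.lstrip("\n"))
    return count

def demo():
    """Constructed web root (one infected, one clean file); returns (found, removed, left)."""
    root, backups = tempfile.mkdtemp(), tempfile.mkdtemp()
    # Decodes to the harmless text "if(function CONSTRUCTED"; a sample, not a real payload.
    injected = '<?php eval(base64_decode("' + MARKER + 'gQ09OU1RSVUNURUQ=")); ?>\n'
    os.makedirs(os.path.join(root, "Sources"))
    with open(os.path.join(root, "Sources", "Sample.php"), "w") as fh:
        fh.write(injected + "<?php\n// original code (constructed)\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n// untouched file (constructed)\n")
    found = find_infected(root)
    removed = sum(clean_file(p, backups) for p in found)
    return len(found), removed, len(find_infected(root))
```

Run it as `find_infected("/path/to/webroot")` first and review the list before cleaning; the backup tree lives outside the web root so the copies are not served and are not rescanned.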

crash56

KrisBarteo tried to register at our forum this morning.  We had the IP banned, so he didn't get in. 

Many thanks to everyone here for all the excellent information, and HUGE thanks to our webhost (GC Solutions) for sending around an e-mail warning all the SMF users about this hacker.  We would not have known about this threat if it weren't for that e-mail.

*phew*  Disaster averted. 

<Heads back to the forum to continue shoring up defenses>


FataMorgana

Quote from: StarWars Fan on May 16, 2009, 08:53:13 AM
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

Yes, I don't know how long exactly this issue has been known, but I discovered it just yesterday because my avatar disappeared... And the user krisbarteo already registered some weeks ago!
I visit my admin page almost every day, so some warning could have prevented my being hacked the way it happened now.
Groet, Greetings, John

Fata Morgana Forum

WillyP

Quote from: Relyana on May 10, 2009, 09:14:33 PM
Quote from: WillyP on May 10, 2009, 04:49:04 PM

My forum showed no signs of the affliction... a wiki installation on the same domain errored out; that's how I knew there was a problem.

What do you mean by that ? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that php code but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic would be in a member only board ? (I guess not ...just asking)

Meaning, the forum functioned fine; although I did not test every single item, it appeared to be working normally. This particular website also has an installation of WikkaWiki, which did not work. When I went to the wiki, instead of the wiki page, there was an error message. He did not register on the wiki, only on the SMF forum. However, EVERY php file I looked at on the domain was infected with the "Eval (etc...)" code, EXCEPT the config files, which were set read-only. I also had a few files infected that were unrelated to either the forum or the wiki. Uploading the avatar is only the first step in his evil plot ;), the code must then be activated. So step two is infecting the php files, which seemed to be done days later. Someone reported a large number of files uploaded to the server, apparently step three. I did not get these; I discovered the infection about nine hours after it occurred. Who knows what step four would be? World domination? ;)

Sarge

Quote from: WillyP on May 16, 2009, 09:51:37 AM
Who knows what step four would be?

Spam. Apparently that's the whole purpose.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

rthrash

Quote from: Kindred on May 15, 2009, 07:14:14 PM
Once again, be aware that the SMF development team is working very hard on putting together an official security patch.

I'm surprised that this hasn't been broadcast through the admin panel "Live from Simple Machines..." feed yet. Most site owners probably don't check back to the main SMF site daily, and every day that goes by is another chance for more exploits and unhappy forum owners. Not talking about the danger is borderline irresponsible at best. Your forum owners should have been warned IMO the day it was reported and verified, along with a temporary workaround (disabling avatars/attachments).

It's a very destructive exploit: every PHP file is compromised even outside of SMF, and in our case every file with "log" in it anywhere was deleted including those named login, logout, blog, logo, etc. Didn't matter the filetype (images, css, php and html files were affected—they were trying to hide their tracks). On less secured systems, it would be possible to install a rootkit and require wiping a server completely including OS reinstall to be sure things are safe again.

Samker

Quote from: StarWars Fan on May 16, 2009, 08:53:13 AM
Quote from: crash56 on May 16, 2009, 08:37:39 AM
thanks to our webhost (GC Solutions) for sending around an e-mail warning all the SMF users about this hacker.  We would not have known about this threat if it weren't for that e-mail.

SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

I agree that would be great help...

Don't know if that's possible before releasing a new patched version??

Samker's Computer Forum - SCforum.info

Filipina

I spent about 5 hours last night trying to contact SMF websites that showed the hacker user names on search. If they had any activity at all, I signed up just to let them know. It seems unbelievable to me that after this much time has gone by there is no real official warning, patch, news flash, anything official from SMF.

Of course there are threads here with people discussing it, but unless you get the warning out to SMF's users, most of them are flying blind. More and more sites are being severely compromised or even destroyed every day. If SMF can send me a news flash in my package manager every time a new MOD becomes available, then I don't understand why at least a warning cannot go out?

zaphodb777

Okay, I am desperately looking for a sample of the URL used to execute this attack, and what, if anything, is abnormal to SMF about it.

Why? So i can add a signature to hxxp:www.spambotsecurity.com/zbblock.php [nonactive] to stop it cold. I at least want to protect against everything that needs to be done after they upload the malevolent avatar.

From what I gather, it requires a null truncation (%00) on the filename given to "pop" the .gif/.jpg/.png extension off the top and leave the upload as a .php? (If so, ZB Block already knows this attack.)

Since I am not a user of SMF myself, I could use any input regarding the adding of signatures to ZB Block that would help wrap SMF in a layer of protection.

Zap :)

respar

My site got hacked by krisbarteo too.  He or it registered an account probably about a week ago.  Yesterday I changed my theme to a dark background and noticed his avatar was just a white box, and thought that was weird.  Then my avatar disappeared and some attachments weren't showing up.  I checked my source code, saw a bunch of spam after the <body> tag, and knew I had been hacked.  I had to go through all my php files and delete the base64 code at the top.

I'm wondering if this is just a bot, because my site is fairly new and doesn't have an active base, so I'm not sure why "krisbarteo" would waste his time on my site.  As for attachments, can't we just check the box that checks the file extension against .php?  I just limit attachments to users with 25 posts or more, but I disabled avatars for now.

rthrash

He takes the time because your site now provides a convenient source for installing other malware for anyone that visits with the right browser/OS/click combination.

metallica48423

Quote: SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

The reason for this change is twofold:
1.) The pattern of the last SMF exploits has been alterations of prior exploits pertaining to poisoned attachments and avatars.  Rather than close one small hole, we are opting to close the possibility of this type of attack coming up again.
2.) IE6 will pretty much run just about anything injected into an image blindly without thinking twice about it.  This could infect your computer (as others alluded to above).

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, I'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

Sarge

I also recommend disallowing members to select themes. This can be done at Admin > Themes and Layout.


Filipina

Thank you. Does it make any difference if we are one of those that changed the upload path for user-uploaded avatars out of the attachments folder? Just curious if this will make any difference on applying the patch or how useful it will be. Thanks.

Broken Arrow

My entire forum is gone. That hacker got into my forum and just as I was deleting him, the forum disappeared

http://www.brokenarrowspeacepipe.com/forum2/

I have tried to restore the backup file through cPanel, but I still cannot get the forum to come online.


Is my only option to rebuild from scratch?

metallica48423

You could download the "large upgrade" package from our downloads page and use that to completely refresh and overwrite (thus sanitizing) all of your forums files.  Just make sure to delete all the files starting with "upgrade".

However, any custom mod files and such -- php files that aren't part of the default distribution -- will need to be sanitized by hand.

Any such mods would also need to be reinstalled

Broken Arrow

thanks Metallica

That pretty much leaves me rebuilding it from scratch. I had a lot of modifications added to the theme files I had used. Not to mention the mods added.

geez, what a nightmare
