News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic

Sarge

In general, after uploading the SMF upgrade package, you should verify every file that is not part of the SMF distribution; this includes verifying all avatars, attachments, custom theme files etc.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Sarge

Quote from: StarWars Fan on May 16, 2009, 03:10:42 PM
Can anybody confirm or not whether disabling users to choose their own theme will stop this hack?

It's possible that disabling theme selection is enough, but I would disable all kinds of uploads as well, at least until the patch comes out.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Tiribulus

Quote from: metallica48423 on May 16, 2009, 02:35:34 PM
<<< also make sure there are no rows for themes in the themes table that should not exist.

I don't mean to sound dopey, but what SHOULD be there so we I (we) know when something is out of place. Near as I can tell this @$$hat hasn't gotten into my site, but I'm not sure what rows are supposed to be there in the first place. To me it doesn't look like anything out of place is there, but you guys would know better than I would.

Sarge

Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

zaphodb777

One would have to wonder if just adding a delete command to the upload task, that would delete all *.php files in the upload directory would be good enough...

Or, perhaps upload to a directory other than the normal avatar directory, then have the whole of the directory copied into the accessible one, but only coping *.jpg, *.gif, and *.png files, and skipping pre-existing ones at the end of upload.

Good luck folks,
Zap

Tiribulus

Quote from: Sarge on May 16, 2009, 03:23:56 PM
Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

Mine looks clean. I've had it torqued down pretty good for quite a while, but I'm wondering if the fact that I never had user selectable themes enabled at all might be the clincher. Also have recaptcha, are you human, puzzle and clock mods along with stop spammer and Unrecognizable Form. Not to mention having the PHP engine disabled for avatar and attachment directories. Password protected docroot too. I also killed all the ip info that's come up with this guy on my router.

Kindred

Zaphod,

The point is that we alreayd sanitize uploads and do not allow php files.   What this hacker is doing is uploading a .jpg file that contains php code...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

zaphodb777

K, I thought they were using a null truncator (%00) to slice off the .jpg (or whatever) when it hit the filesystem.

Nevermind. Still hoping there is a record somewhere of the URL they use to launch this, and if there's anything in it that is unique enough it can be added as a hostile action to my pre-parser script.

Thanks,
Zap.

crash56

Quote from: metallica48423 on May 16, 2009, 02:35:34 PM
We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

I can't begin to imagine how much work this entails ... especially the 'debugging' process.  I know from working with some other automation that spotting, chasing down, and remedying the bugs can be both infuriating and the most time consuming portion of the process.  I appreciate all the effort that goes into coming up with a reliable, stable patch. 

As someone said earlier (I think it was JBlaze), I've got the three forums I run locked up tighter than a crab's ass.  Pre-banning KrisBarteo and his IP has gone a long way in terms of defenses.  As of this evening, he has tried to register at all three forums now, and has been turned away.  I can wait quite patiently for the patch.  ;) 


Broken Arrow

I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already but it's the same IP as the other hacker name


ConquerorOfMankind

So avatars linked from other image hosters are still safe? Did I understand that correctly?


And has anyone planned to do legal actions against that hacker, i.e. make a criminal complaint at the local police station?

Sarge

Quote from: ConquerorOfMankind on May 16, 2009, 07:51:12 PM
So avatars linked from other image hosters are still safe? Did I understand that correctly?

Yes, but uncheck "Download avatar at given URL" in Admin > Attachments and Avatars > Avatar Settings tab.

From the help text: "With this option enabled, the URL given by the user is accessed to download the avatar at that location. On success, the avatar will be treated as uploadable avatar." So I don't recommend enabling it.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

ConquerorOfMankind

Ok thanks. I hope there will be an update soon.

And is SMF 2.x concerned by that? What I have read before seems only to be 1.1.8.

JBlaze

Quote from: ConquerorOfMankind on May 16, 2009, 08:34:49 PM
Ok thanks. I hope there will be an update soon.

And is SMF 2.x concerned by that? What I have read before seems only to be 1.1.8.

It is also a problem in 2.0 but so far I have not seen an infected 2.0 version. (knock on wood)
Jason Clemons
Former Team Member 2009 - 2012

metallica48423

All three branches of SMF are currently affected by this
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

QuoteMicrosoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Useful Links:
Online Manual!
How to Help us Help you
Search
Settings Repair Tool

Samker

Quote from: Broken Arrow on May 16, 2009, 07:39:25 PM
I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already but it's the same IP as the other hacker name




I have them also (blocked) in a member base but with diferent IP than krisbarteo 78.157.140.2 and this mail address: [email protected]

Just a info., so you can check and block this IP ASAP.  ;)
Samker's Computer Forum - SCforum.info

agridoc

Thank you for the reply.  :)

It seems that I have to remember my old days  ;D

Quote from: stardx on May 16, 2009, 08:04:31 AM
Quote from: agridoc on May 15, 2009, 06:54:34 AMI am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

dunno if you found a script by now, i have done just that with a simple find/sed on shell routine recently.


nohup find /tmp/web13 -name "*.php" -exec grep "aWYoZnVuY3Rpb25" {} ; -print -exec clear.sh {} ; | grep tmp &


clear.sh:


#!/bin/bash

mkdir -p /tmp/backup`dirname $1`

sed -e '1d' $1 > /tmp/backup$1

mv $1 $1.hack 2>/dev/null

mv /tmp/clemensbackup$1 $1 2>/dev/null


you could even do it with "sed -i" command in one line, i had to copy/move all the files cause i did on a curlftpfs mounted device.
  For Greek aeromodellers and our friends around the world  - Greek Button sets for SMF - Greeklish to Greek mod
Δeν αφιερώνω χρόνο για μηνύματα σε greeklish.

(.:Al-Pacino:.)

When you tip in Google the Word "krisbarteo"

You will becom more than 20 Sites of SMF Forums!!
I fot an SMF 1.1.9!
With a lot of Mods.
And a cool ommunity xDD
http://gold-community.tk/ [nofollow]

Samker

Quote from: GOAT15 on May 17, 2009, 05:07:03 AM
When you tip in Google the Word "krisbarteo"

You will becom more than 20 Sites of SMF Forums!!



I was find exactly 670 indexed entries, if we add some % of no indexed forums... it's obvious that this Exploit become worst with every new min.


Samker's Computer Forum - SCforum.info

(.:Al-Pacino:.)

I hate this hacker  :-X

pls god protect all SMF Forums  O:)
I fot an SMF 1.1.9!
With a lot of Mods.
And a cool ommunity xDD
http://gold-community.tk/ [nofollow]

Advertisement: