Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Ben_S

Err, do you even know what RIPE is? Why would RIPE care? Look up the IP with RIPE and see who it's actually allocated to; odds are, though, it's a zombie anyway.
Liverpool FC Forum with 14 million+ posts.

Antechinus

The IP tracks to Latvia. I checked. Personally I banned a substantial IP range last night. 

Night09

The idiot tried to register on my forums, but we're on member approval, so I have set this ban for the IP: 94.142.129.*

If he comes back I will change it to the 129 octet instead.

Faded Glory

Quote from: Ben_S on May 18, 2009, 07:52:21 PM
Err, do you even know what RIPE is? Why would RIPE care? Look up the IP with RIPE and see who it's actually allocated to; odds are, though, it's a zombie anyway.

Yes my dear I do understand what RIPE is. Because I know everyone is under a bit of strain, I won't take offense at being talked down to.

Now if anyone can track it further or make a complaint to them concerning this character, I would love to know how to do it too!

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.
% Information related to '94.142.129.128 - 94.142.129.255'
inetnum:         94.142.129.128 - 94.142.129.255
netname:         CSSGROUP-NET
descr:           SIA "CSS GROUP" hosting
org:             ORG-SG55-RIPE
country:         LV
admin-c:         CGN-RIPE
tech-c:          CGN-RIPE
status:          ASSIGNED PA
mnt-by:          CSSGROUP-MNT
source:          RIPE # Filtered
organisation:    ORG-SG55-RIPE
org-name:        SIA "CSS GROUP"
org-type:        LIR
address:         SIA "CSS GROUP"
                Caunas 7A-26
                LV-4101 Cesis
                LATVIA
phone:           +371 67 404544
fax-no:          +371 67 414545
admin-c:         DJ1401-RIPE
mnt-ref:         CSSGROUP-MNT
mnt-ref:         RIPE-NCC-HM-MNT
mnt-by:          RIPE-NCC-HM-MNT
source:          RIPE # Filtered
role:            CSS GROUP NOC
address:         Caunas 7A-26, Cesis, LV-4101, Latvia
phone:           +371 67 404544
fax-no:          +371 67 414545
abuse-mailbox:   [email protected]
admin-c:         DJ1401-RIPE
tech-c:          AC13043-RIPE
nic-hdl:         CGN-RIPE
source:          RIPE # Filtered
% Information related to '94.142.128.0/21AS48662'
route:           94.142.128.0/21
descr:           SIA "CSS GROUP"
origin:          AS48662
mnt-by:          CSSGROUP-MNT
source:          RIPE # Filtered
Collection 2 for Spray sig!

JBlaze

Thanks Faded. But that's as far as we get.

So far, I've been able to track it down to a certain area of Latvia, but that doesn't really help. It could also very well be a proxy.

Jason Clemons
Former Team Member 2009 - 2012

Aleksi "Lex" Kilpinen

No proxy on 94.142.129.147

IP address: 94.142.129.147
IP country code: LV 
IP address country:  Latvia 
IP address state: Césu 
IP address city: Cesis 
IP address latitude: 57.299999 
IP address longitude: 25.250000 
ISP of this IP: SIA CSS GROUP 
Organization: SIA CSS GROUP hosting
 
Local time in Latvia: 2009-05-19 09:02

organisation: ORG-SG55-RIPE
org-name: SIA "CSS GROUP"
org-type: LIR
address: SIA "CSS GROUP"
Caunas 7A-26
LV-4101 Cesis
LATVIA
phone: +371 67 404544
fax-no: +371 67 414545
admin-c: DJ1401-RIPE
mnt-ref: CSSGROUP-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: CSS GROUP NOC
address: Caunas 7A-26, Cesis, LV-4101, Latvia
phone: +371 67 404544
fax-no: +371 67 414545
abuse-mailbox: [email protected]

:D
Slava Ukraini!

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Faded Glory

Thank you JBlaze.

I was one of the lucky ones that had the StopForumSpam on my site and he didn't even get to register.

I feel really bad for all of those he did get to and hit so hard.

Again, let me say I am truly in awe of how much time and effort you and the rest of the team have put into this problem, and into helping those that got hit to restore their forums.

I know of no other software operation that goes to such lengths and doesn't get paid for it!

So if someone forgets to say thanks I have just said it for them!

thebofh

I just had Fire768 from 115.146.185.14 blocked by the stop spam mod.

mrsax2000

I'd like to review the table in MySQL, but I don't have a tool for viewing the database. What do you recommend?

Aleksi "Lex" Kilpinen

Are you sure you don't have any means to access it?
Most hosts provide you with phpmyadmin as a part of your hosting control panel,
or as a separate script you can access.

If you really don't have any, phpmyadmin is relatively easy to set up by yourself as well;
just make sure never to leave it in a web-accessible folder for longer than you have to, as it can be a major security risk.

robone

Found the following document : http://209.85.229.132/search?q=cache:jyfd9Npg9dsJ:forum.eviloctal.com/attachment.php%3Faid%3D5197+how+to+find+c99.php+on+website&cd=26&hl=en&ct=clnk

The document is called "The Website Attack Guide" and it goes into some interesting things, but I will extract how they get C99 onto a website. It looks like that is how they got it onto mine:

First of all, what is a 'Null Byte'? A null character/null byte/null terminator is a character with a value of zero that is shown in the ASCII charset. And, in programming languages (PHP included) the null byte is used as what's known as a 'string terminator'. When the null byte is read the string ends. The null byte is represented with '%00' in PHP. We are able to harness the 'power' of the null byte to trick a picture upload form into letting us upload our own PHP shell. There are a lot of websites with image uploading features, so they are not hard to find. You can use the Google dork: "Upload Image" to find some of them. Now that we have a target we are able to start exploiting.

Go to your target's upload page and click the 'Browse' button and navigate to a PHP shell. Just for the sake of proof of concept, try to upload this file normally. You will get an error such as: "We're sorry, but the file you entered is using an extension that is not allowed. Images only please!" We see from this that only images are supported - and a regular PHP shell will not work. Let's browse to our shell again, but this time we will change the upload bar to look like this, adding in the null byte character: C:\c99.php%00.jpg

When the script checks our file it will see the .jpg and 'say' "Yep, looks like an image to me" and upload it. Fortunately for us, when the file is actually uploaded it is uploaded with the .php extension because the null byte terminates anything after that.

If it worked we will see: "Thank you for uploading your pictures - view your file at /c99.php" This concludes the first null byte exploitation article I will write. The second will be on exploiting CGI files using the null byte.


So, it is important to make sure that you restrict access to being able to upload avatars or attachments until you have established that the member is not someone trying to get into your system.


Found this shell php scanner    http://www.darkmindz.com/codebase/php-simple-php-shell-scanner-num508.html

Will someone who knows php tell me if this is okay to use?? And do you think it will work??
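As an added example (not SMF's code, and not from the guide quoted above), here is a PHP upload check written from the defender's side for the avatar/attachment case robone raises: it rejects a null byte in the client-supplied name outright, decides the file type from the file contents rather than the name, and never reuses the client name on disk. The function name, the constant, and the demo inputs are assumptions made for the illustration.

```php
<?php
// Added example, not SMF code. Caller passes the client-supplied name and the
// temp path PHP stored the upload at ($_FILES['avatar']['name'] / ['tmp_name']).
const ALLOWED_IMAGE_TYPES = [   // keyed by the constants getimagesize() reports
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function safe_image_name(string $clientName, string $tmpPath): string
{
    // 1. "c99.php%00.jpg" works only because one check sees ".jpg" while the
    //    filesystem stops at the null byte and writes "c99.php". A null byte
    //    in a file name is never legitimate, so reject instead of trimming.
    if (strpos($clientName, "\0") !== false) {
        throw new InvalidArgumentException('null byte in file name');
    }
    // 2. Decide the type from the bytes, not the name: getimagesize() parses
    //    the real image header of the uploaded temp file.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new InvalidArgumentException('not an allowed image type');
    }
    // 3. Never reuse the client name on disk: random stored name, extension
    //    taken from the detected type only.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
}

// --- Demo with constructed inputs (not real uploads) -----------------------
$gif = tempnam(sys_get_temp_dir(), 'up');   // smallest valid 1x1 GIF
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$php = tempnam(sys_get_temp_dir(), 'up');   // PHP source behind an image name
file_put_contents($php, "<?php echo 'not an image'; ?>");

$cases = [
    ['avatar.jpg',    $gif],   // honest upload: accepted, stored as <random>.gif
    ["c99.php\0.jpg", $gif],   // the trick from the guide: rejected at step 1
    ['shell.jpg',     $php],   // renamed PHP file: rejected at step 2
];
foreach ($cases as [$name, $path]) {
    $shown = str_replace("\0", '%00', $name);
    try {
        echo $shown, ' -> stored as ', safe_image_name($name, $path), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $shown, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
unlink($gif);
unlink($php);
```

Note that the stored extension comes from the detected type, so even a file that passes as an image is saved under a name the web server will not hand to the PHP interpreter.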

demount

It is not necessary to ban anything, because 94.142.129.147 and the other IPs are simply dedicated servers running Win2003 (sometimes WinXP). Port 3389, the MS terminal service, is open. That guy just launched an attack through (or maybe from) those workstations by remote desktop. There is also a possibility that he used a chain of such workstations, so detecting his real IP is a difficult task.

Tiribulus

Quote from: robone on May 19, 2009, 07:49:07 AM
<<< The document is called "The Website Attack Guide" and it goes into some interesting things, but I will extract how they get C99 onto a website. It looks like that is how they got it onto mine: >>>

This sounds like what that zaphodb777 guy was talking about. Has anybody looked at the outfit he linked to? It actually looks legit to me and possibly helpful. Can't fault a guy for plugging his wares if they're above board.

bri

If you are describing the methods you are using to combat the terrorists, you may want to not link your forum in your sig line... ;)
<*)))><

mghq

My friend and I did some researching on kris.
Here is some of it:
He is running Microsoft Windows Server 2003 with Service Pack 2.
He has port 3389 open, which is Microsoft RDP.
And from our scan, he breaks into networks.


rusgard

Hi,
I also have krisbarteo on my board (v1.18), registered on 17 May 2009.

I searched for style.css.php and other files too, but I found nothing.
The content of the *.php files also looks fine.

What can I do to check whether I have a clean installation without corruption?

Many Thanks
rusgard

EDIT:
I found krisbarteo on another board (v2.0 RC1 - hosted by myself) too!!
But nothing changed... no new files, PHP files looking fine....

Night09

Quote from: rusgard
I found krisbarteo on another board (v2.0 RC1 - hosted by myself) too!!
But nothing changed... no new files, PHP files looking fine....

It's possible that he has tried to infect so many sites he hasn't had time to actually visit them all to do any damage yet. Although he could have a bot registering, it may require him as a human to complete some of the hacking, so having him register may not mean an automatic compromise.

It may be you have caught this in time and stopped him before he had chance to infect your site.

Jorin

Quote from: nightbre on May 20, 2009, 08:06:40 AM
It may be you have caught this in time and stopped him before he had chance to infect your site.

Let us hope he banned krisbarteo completely.  ;)

rusgard

Quote from: Jorin on May 20, 2009, 08:11:10 AM
Quote from: nightbre on May 20, 2009, 08:06:40 AM
It may be you have caught this in time and stopped him before he had chance to infect your site.

Let us hope he banned krisbarteo completely.  ;)

I banned him ;)
(I hope it's enough to ban the user... also I deactivated the avatar and theme functions...)
