
Some additional information on the krisbarteo avatar attack

Started by confusion, May 14, 2009, 02:25:10 PM


confusion

I run several SMF forums and after reading the furor happening here on this forum, I noticed that I had krisbarteo registered on a few of my sites, but none of them had been modified.  I noticed that all of the forums that had krisbarteo registered had an avatar in the attachments directory that was stuffed with php code.  I assumed it was suhosin that kept me safe.

Well, as I was sitting here I had a chance to see krisbarteo in action, so to speak, on another one of my forums.  Here is what I saw:

94.142.129.147 - - [14/May/2009:13:40:22 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5449 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:13:40:23 -0400] "GET /forum/index.php?PHPSESSID=b7db29cb0e8bbea35d4020d1ad214861&action=verificationcode;rand=32888ea747f7dfa82d4e199d335efc34 HTTP/1.1" 200 1379 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:13:47:03 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5448 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:13:47:04 -0400] "GET /forum/index.php?PHPSESSID=1e5421e61be6abc63c107e1ea285b6d7&action=verificationcode;rand=6b07df804d958893beff87d320f6cd99 HTTP/1.1" 200 1301 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:13:53:39 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5448 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:13:53:39 -0400] "GET /forum/index.php?PHPSESSID=986b5ed8662992b44f3e6cccc7bb8d74&action=verificationcode;rand=19f5566f3c01f6c35be9f53906a9a614 HTTP/1.1" 200 1537 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:00:02 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5444 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:00:02 -0400] "GET /forum/index.php?PHPSESSID=ce6754423eb76bc2eb7609c8dead3b12&action=verificationcode;rand=4660d050cf3add70c3acb5b2eaf1eaaf HTTP/1.1" 200 1574 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:00:38 -0400] "POST /forum/index.php?action=register2;PHPSESSID=ce6754423eb76bc2eb7609c8dead3b12 HTTP/1.1" 200 2921 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:25 -0400] "GET /forum/index.php?action=activate;u=38;code=d66cdd038d HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:26 -0400] "GET /forum/index.php?action=login HTTP/1.1" 200 3198 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:26 -0400] "POST /forum/index.php?action=login2;PHPSESSID=1eb78591bd6c9eb4abf4e58caa1f39f4 HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:27 -0400] "GET /forum/index.php?PHPSESSID=273a31289ed5c6db9910da07b7873c8f;action=login2;sa=check;member=38 HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:29 -0400] "POST /forum/index.php?PHPSESSID=273a31289ed5c6db9910da07b7873c8f;action=login2;sa=check;member=38 HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:30 -0400] "GET /forum/index.php?PHPSESSID=273a31289ed5c6db9910da07b7873c8f HTTP/1.1" 200 4192 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:31 -0400] "GET /forum/index.php?action=login HTTP/1.1" 200 11975 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:32 -0400] "POST /forum/index.php?action=login2;PHPSESSID=436946be721269eaf2bc4f8f14db1e66 HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:32 -0400] "GET /forum/index.php?action=login2;sa=check;member=38 HTTP/1.1" 200 9924 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:33 -0400] "GET /forum/index.php?action=profile HTTP/1.1" 200 14840 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:34 -0400] "POST /forum/index.php?action=profile2 HTTP/1.1" 200 10271 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:34 -0400] "POST /forum/index.php?action=profile2 HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"
94.142.129.147 - - [14/May/2009:14:01:35 -0400] "GET /forum/index.php?action=theme;sa=pick;u=38;sesc=6309fb9cfa0b03c8d18e219bc2edd442 HTTP/1.1" 200 15788 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"

Notice the last line.  I had been wondering how he was triggering the avatar to run.  I suspect that last line is the trigger.  Looking at my /var/log/messages file, I see this message from suhosin:

May 14 14:01:34 www2 suhosin[88301]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'options[theme_dir]' (attacker '94.142.129.147', file '/home/nrdx/public_html/forum/index.php')


My guess is that there's some form of weakness in the theme switching code that is allowing krisbarteo to look at and execute the files in the attachments directory.

Also, it's pretty systematic, if you look at the time stamps, which leads me to believe krisbarteo is indeed a script.

This is yet one more reason why I really love suhosin.

Hope that is of some help.
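The access-log excerpt above is a compact signature of the whole sequence: repeated registration-page hits with a CAPTCHA fetch, a successful register2, e-mail activation, login, a profile save (the request in which suhosin dropped options[theme_dir]), and finally the theme pick. The following detector is an added example, not code from the post or from SMF: it parses NCSA combined log lines, groups them by client IP, looks for that chain in order within a time window, and also measures the spacing between registration attempts, which is what makes the "it's pretty systematic" observation checkable. The sample lines are copied from the post; the 203.0.113.5 visitor is constructed so the script has a benign case to ignore.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NCSA combined log format as Apache writes it:
#   ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The chain visible in the post's log, as (action, sa) pairs that must occur in this order.
CHAIN = [("register2", None), ("activate", None), ("login2", None),
         ("profile2", None), ("theme", "pick")]

# Lines taken from the post above, plus one constructed benign visitor (203.0.113.5).
SAMPLE_LOG = [
    '94.142.129.147 - - [14/May/2009:13:40:22 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5449 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:13:47:03 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5448 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '203.0.113.5 - - [14/May/2009:13:50:10 -0400] "GET /forum/index.php?action=login HTTP/1.1" 200 3198 "-" "Mozilla/5.0 (constructed sample)"',
    '94.142.129.147 - - [14/May/2009:13:53:39 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5448 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:14:00:02 -0400] "GET /forum/index.php?action=register HTTP/1.1" 200 5444 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:14:00:38 -0400] "POST /forum/index.php?action=register2;PHPSESSID=ce6754423eb76bc2eb7609c8dead3b12 HTTP/1.1" 200 2921 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:14:01:25 -0400] "GET /forum/index.php?action=activate;u=38;code=d66cdd038d HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:14:01:26 -0400] "POST /forum/index.php?action=login2;PHPSESSID=1eb78591bd6c9eb4abf4e58caa1f39f4 HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:14:01:34 -0400] "POST /forum/index.php?action=profile2 HTTP/1.1" 200 10271 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
    '94.142.129.147 - - [14/May/2009:14:01:35 -0400] "GET /forum/index.php?action=theme;sa=pick;u=38;sesc=6309fb9cfa0b03c8d18e219bc2edd442 HTTP/1.1" 200 15788 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows XP Service Pack 2)"',
]


def smf_params(path):
    """SMF separates query parameters with ';' as well as '&'; return them as a dict."""
    query = path.partition("?")[2]
    params = {}
    for part in re.split(r"[;&]", query):
        key, sep, value = part.partition("=")
        if sep:
            params[key] = value
    return params


def parse_line(line):
    """Parse one combined-format line; return a record dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "status": int(m.group("status")), "params": smf_params(m.group("path"))}


def find_scripted_signups(lines, window=timedelta(minutes=30)):
    """Return {ip: summary} for every client that walks CHAIN in order within the window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        step, member, started, finished = 0, None, None, None
        for r in recs:
            action, sa = CHAIN[step]
            p = r["params"]
            if p.get("action") != action or (sa is not None and p.get("sa") != sa):
                continue
            started = started or r["ts"]
            if r["ts"] - started > window:
                break
            # remember the member id the chain touches (u= on activate / theme, member= on login check)
            member = p.get("u", p.get("member", member))
            step += 1
            if step == len(CHAIN):
                finished = r["ts"]
                break
        if finished is None:
            continue
        # spacing between registration-page loads: a script retries on a fixed cadence
        reg_times = [r["ts"] for r in recs if r["params"].get("action") == "register"]
        gaps = [int((b - a).total_seconds()) for a, b in zip(reg_times, reg_times[1:])]
        findings[ip] = {"member": member, "register_gaps": gaps,
                        "seconds_to_theme_pick": int((finished - started).total_seconds())}
    return findings


if __name__ == "__main__":
    for ip, info in find_scripted_signups(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample this reports the one IP with member 38, registration-page gaps of 401, 396 and 383 seconds, and 57 seconds from account creation to the theme pick; a human registering by hand rarely completes that chain in under a minute, so the elapsed time is the more robust alert field, and the gap list is what you would look at before deciding a ban is warranted.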

ldk

Fascinating! So nice to have some light shed on how this all has been able to happen. Thanks so much for sharing this.
see SMF put to the test at http://www.craftster.org/

ldk

P.S.

I've been reading a lot of the threads about this attack and it seems like those who don't allow theme switching have been safe even though the malicious avatar was indeed uploaded. So this bodes well for your theory. I really hope the developers of SMF have looked into the theme switching code as well as whatever they did to tighten up the upload code.

I would also love to know... Is it theoretically possible to write image upload code that checks the contents of the file very carefully to make sure it's a legit image with no funny business in it?
see SMF put to the test at http://www.craftster.org/
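On the question just asked: yes, an upload handler can do far more than trust the extension or the first few bytes. The validator below is an added example, not SMF's own code: it walks the entire GIF structure (header, logical screen descriptor, colour tables, extension and image blocks, trailer), refuses anything that does not parse, refuses bytes after the trailer, and refuses script markers anywhere in the file, including the comment extension where a payload can sit inside an otherwise well-formed image. The three sample files are constructed here: a clean 1x1 transparent GIF and two "blank.gif" variants that carry a harmless PHP marker. Only GIF is covered; PNG and JPEG need their own block walkers.

```python
import struct


class BadImage(ValueError):
    """Raised when the bytes do not form a single, clean GIF."""


# Markers that have no business inside an avatar; found in a comment block or
# after the trailer they mean the file is not just a picture.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(")


def _color_table_bytes(packed):
    """Byte size of a colour table described by a packed flags byte (bit 7 = present, bits 0-2 = size)."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def _sub_blocks(data, pos):
    """Walk a chain of GIF data sub-blocks (length byte + payload, 0 terminates); return (payload, new pos)."""
    chunks = []
    while True:
        if pos >= len(data):
            raise BadImage("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return b"".join(chunks), pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise BadImage("truncated sub-block")
        chunks.append(chunk)
        pos += n


def validate_gif(data):
    """Parse the whole file structurally; return a summary dict or raise BadImage."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise BadImage("not a GIF signature")
    if len(data) < 13:
        raise BadImage("truncated header")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13 + _color_table_bytes(packed)          # skip the global colour table if present
    images, comment = 0, b""
    while True:
        if pos >= len(data):
            raise BadImage("no trailer block")
        block = data[pos]
        pos += 1
        if block == 0x3B:                           # trailer: the file must end here
            break
        if block == 0x21:                           # extension: label byte, then sub-blocks
            if pos >= len(data):
                raise BadImage("truncated extension")
            label = data[pos]
            payload, pos = _sub_blocks(data, pos + 1)
            if label == 0xFE:                       # comment extension
                comment += payload
        elif block == 0x2C:                         # image descriptor (9 bytes), local table, LZW size, data
            if pos + 10 > len(data):
                raise BadImage("truncated image descriptor")
            pos += 9 + _color_table_bytes(data[pos + 8]) + 1
            _, pos = _sub_blocks(data, pos)
            images += 1
        else:
            raise BadImage("unknown block 0x%02x at offset %d" % (block, pos - 1))
    if images == 0:
        raise BadImage("no image data")
    if pos != len(data):
        raise BadImage("%d bytes after the trailer" % (len(data) - pos))
    for marker in SCRIPT_MARKERS:
        if marker in data:
            raise BadImage("script marker %r inside image" % marker)
    return {"width": width, "height": height, "images": images, "comment_bytes": len(comment)}


def is_safe_gif(data):
    """Convenience wrapper for an upload handler: (True, summary) or (False, reason)."""
    try:
        return True, validate_gif(data)
    except BadImage as e:
        return False, str(e)


# Constructed samples. CLEAN_GIF is a standard 1x1 transparent GIF89a.
CLEAN_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"      # header, screen descriptor, 2-entry colour table
    "21f9040100000000"                                  # graphic control extension
    "2c00000000010001000002024401003b")                 # image descriptor, LZW data, trailer
_MARKER = b"<?php echo 'x'; ?>"                         # harmless stand-in for a payload
PHP_IN_COMMENT = CLEAN_GIF[:19] + b"\x21\xfe" + bytes([len(_MARKER)]) + _MARKER + b"\x00" + CLEAN_GIF[19:]
TRAILING_PAYLOAD = CLEAN_GIF + _MARKER

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_GIF), ("comment", PHP_IN_COMMENT), ("trailing", TRAILING_PAYLOAD)]:
        print(name, is_safe_gif(sample))
```

Rejecting trailing data and comment payloads is a strict policy; a friendlier variant re-encodes the decoded pixels into a fresh file and discards everything else. Either way, validation is only half the answer: the thread's own observation that sites without theme switching were safe even with the avatar uploaded is the other half, so the upload directory should never be somewhere the server will execute a file from.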

Bancherd

Two nights ago I had an error in my error log that is similar to your last line; the person caused an index error while trying to change theme through the backdoor (I do not allow theme switching).

And yes, there was a blank.gif in my avatar directory.  :(

I have disabled uploading of avatars and will upgrade now (was away from SMF's forum for the past two weeks, so I was in the dark about all this :( )

massillon

Geez...  I found the blank avatar.

I deleted the avatar... any other suggestions?

(Yes, I have upgraded to 1.1.9 now too)

Angie on Dialysis

I thought the blank.gif was normal.

How do I tell if there is one embedded with PHP code?

This person visited today with the IP 94.142.129.147, user name krisbarteo and email krisbarteo@gmail.com.

babjusi

If you are running the latest version then there is nothing to worry about.

DFragmentor

I was hit by krisbarteo and now, only in IE, when users try to browse the forum they will get an "Internet Explorer cannot display the webpage" hit back, and it MAY go into that forum. Sometimes not.

I am on the newest. Problem still persists.

mashby

Quote from: DFragmentor on June 03, 2009, 08:18:34 PM
I was hit by krisbarteo and now, only in IE, when users try to browse the forum they will get an "Internet Explorer cannot display the webpage" hit back, and it MAY go into that forum. Sometimes not.

I am on the newest. Problem still persists.

Ban krisbarteo...then...
http://www.simplemachines.org/community/index.php?topic=313201.0
Always be a little kinder than necessary.
- James M. Barrie

DFragmentor

Already been done.

I am restoring from backup to see if that helps.

Angie on Dialysis

Quote from: DFragmentor on June 03, 2009, 09:21:32 PM
Already been done.

I am restoring from backup to see if that helps.

It depends on whether the infected files are still in there... like PHP-packed images... you don't want those.

Hope the back up helps! This is why it is important to regularly back up the database.

I have the latest (1.1.9) and am safe so far, but heard of the possibility that someone else might have got attacked by this krisbarteo. I do not know what version they had, however. When that IP visited me I banned it just in case.

DFragmentor

This backup is from over a year ago, so it had better be ok... I guess I could restore the database as well.
