Author Topic: Hacked, script injection  (Read 257743 times)

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #120 on: May 11, 2009, 08:40:38 AM »
Please see this topic on how to secure your site.
http://www.simplemachines.org/community/index.php?topic=309717.0

Offline Relyana

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,994
  • Gender: Female
Re: Hacked, script injection
« Reply #121 on: May 11, 2009, 11:08:23 AM »
Thank you so much!!! That hacker opened 3 accounts already (krisbarteo, MagicOPromotion and stilusmagic).

The "Stop Spammer" mod is simply fabulous (made me laugh too: it blocked the account of one of my Global Mods, someone I have known for years :P - his IP and email address are clean but his nickname is in the database - a common name actually).

I can't thank you enough.  O:)


Offline rthrash

  • Jr. Member
  • **
  • Posts: 128
Re: Hacked, script injection
« Reply #122 on: May 11, 2009, 11:17:17 AM »
1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #123 on: May 11, 2009, 11:19:47 AM »
> 1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0
>
> Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.
>
> Off to deploy the Stop Spammer mod.

This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0

Offline rthrash

  • Jr. Member
  • **
  • Posts: 128
Re: Hacked, script injection
« Reply #124 on: May 11, 2009, 11:23:47 AM »
> This is an unofficial fix to this hack until an official patch comes out
> http://www.simplemachines.org/community/index.php?topic=309717.0

We've disabled all uploads, and the Stop Spammer mod should prevent most signups but there are definitely ways to get around that quickly. So other than shutting down the functionality there's no additional info? Is the same base code in place in the 2.0 branch?

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #125 on: May 11, 2009, 11:25:18 AM »
So far, I have not heard of or seen any attacks that affected the 2.0 version, but that's not to say that it hasn't happened.


What it boils down to is that the avatar that is being uploaded in this attack has php code embedded into it and it is being parsed through the avatar handler.

Offline rthrash

  • Jr. Member
  • **
  • Posts: 128
Re: Hacked, script injection
« Reply #126 on: May 11, 2009, 11:49:38 AM »
Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #127 on: May 11, 2009, 11:52:14 AM »
> Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

No problem. I'm trying to stay one step ahead of this attack and provide the best support I can :)

Offline rthrash

  • Jr. Member
  • **
  • Posts: 128
Re: Hacked, script injection
« Reply #128 on: May 11, 2009, 02:47:35 PM »
I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #129 on: May 11, 2009, 02:50:49 PM »
> I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.
>
> Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

I will have to look into it as I have had it installed for about a month now and didn't have problems on install. There may have been an update since then. I will post back with my findings.

Offline DirtRider

  • SMF Hero
  • ******
  • Posts: 1,415
  • Gender: Male
  • Just Looking
    • TriumphTalk
Re: Hacked, script injection
« Reply #130 on: May 11, 2009, 03:09:13 PM »
I have just installed it on two of my sites with no problems at all
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Offline Polymath

  • Jr. Member
  • **
  • Posts: 337
  • Gender: Male
  • NZ Made
    • GameSocket
Re: Hacked, script injection
« Reply #131 on: May 12, 2009, 01:03:45 AM »
I must say it is very nice. I have deleted a whole folder twice... In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3


And it won't go away.... Very nice.. >:(

Response:   550 Can't remove directory: Directory not empty
Status:   Retrieving directory listing...
Command:   PASV
Response:   227 Entering Passive Mode (209,200,249,149,107,97)
Command:   LIST
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -a -l
Response:   226 29 matches total
Status:   Directory listing successful


Any ideas? Permissions 755 on it: drwxr-xr-x

And another question: can I repair the php file and upload as I go, or will it just get written again?
« Last Edit: May 12, 2009, 07:45:32 AM by Polymath »
* I don't suffer from insanity; I enjoy every minute of it. *
F.I.G.J.A.M

Offline djkimmel

  • Semi-Newbie
  • *
  • Posts: 68
    • GreatLakesBass.com
Re: Hacked, script injection
« Reply #132 on: May 12, 2009, 01:05:22 AM »
If this code were placed in my avatar upload/attachments directory htaccess, would it provide protection against an attack like this (I still can't believe anyone could just upload PHP in a '.jpg' file and get it to run?!?) - it was suggested to me after I explained how this person was able to hack my forum (and all other PHP files in every folder):

Code:
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif)$">
Allow from all
</Files>

I'm thinking it might cause a problem since regular attachments are encrypted, though I would think the encrypted attachments should keep them from being used the same as an uploaded avatar was used? Would this code in an htaccess file keep any of the encrypted files from being uploaded and used on the forum? Would it stop a graphic file from executing code?

MrPhil

  • Guest
Re: Hacked, script injection
« Reply #133 on: May 12, 2009, 11:08:20 AM »
If you have PHP code within a .jpg file, I'm not sure that the .htaccess code is going to catch it (since it's not .php). Have you tried making an "innocent" image file (just says "Hello World") and tested it?

Would it be possible to scan incoming image uploads and blank out all script code (everything between <? and ?>, and everything between <script and script>, and whatever else is needed)?

Offline djkimmel

  • Semi-Newbie
  • *
  • Posts: 68
    • GreatLakesBass.com
Re: Hacked, script injection
« Reply #134 on: May 12, 2009, 12:45:46 PM »
Haven't tried that yet, but it is a good suggestion.

The 2nd suggestion is beyond my skills at this time... but I'm learning out of necessity :) Might work once I learn how, but maybe the simpler suggestion is to do some limits so members have to be around a while before they can upload or do attachments.

Still can't believe it was so easy for this person to hack SMF and use it on the rest of the site. I've read everything suggested or linked on the few threads regarding this hack and protection in general. I hope that covers any other surprises I might get like this one? No more overconfidence for me. Too much I don't know about this stuff.

Offline GamingTrend

  • Semi-Newbie
  • *
  • Posts: 51
    • Gaming Trend
Re: Hacked, script injection
« Reply #135 on: May 12, 2009, 03:01:24 PM »
So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

Oh, and when I was allowing uploading of avatars (I've disabled it for now) the avatars would eventually die off and have to be re-uploaded. 
Ron Burke
Director of Gaming Trend

Offline Agafonov

  • Newbie
  • *
  • Posts: 8
Re: Hacked, script injection
« Reply #136 on: May 12, 2009, 03:09:09 PM »
> So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

You should remove all files and folders except settings and attachments.
There are a number of new files injected as well with "hacker's control panel" code.
Then search and remove all files found by:
Code: (sh)
grep "<?php" attachments/*
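
The checks discussed in this thread (MrPhil's idea of scanning uploaded images for script code, and the grep above) combined into one scanner, as an added example that is not part of any post and not SMF code. It reports the offset of each marker and whether the file at least starts like an image; the file names and sample bytes are constructed for the demonstration.

```python
import os
import re
import tempfile

# Markers named in the thread. A bare "<?" is left out: those two bytes turn
# up by chance in compressed image data and would flag clean avatars.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)

# Leading bytes of the image types named in djkimmel's .htaccess rule.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}

def image_type(data):
    """Name the image format from its magic bytes, or None if unrecognised."""
    return next((n for m, n in IMAGE_MAGIC.items() if data.startswith(m)), None)

def scan_file(path):
    """Return (image type or None, [(offset, marker), ...]) for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = [(m.start(), m.group().decode("ascii").lower())
            for m in SCRIPT_MARKERS.finditer(data)]
    return image_type(data), hits

def scan_tree(root):
    """Walk an upload directory and report every file carrying a marker."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind, hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = (kind, hits)
    return findings

def demo():
    """Scan three constructed files: a clean GIF, a GIF with PHP, a bare script."""
    gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"   # constructed minimal header
    samples = {"clean.gif": gif,
               "avatar_1.gif": gif + b"<?php /* constructed */ ?>",
               "attachment_noext": b"<?PHP /* constructed */ ?>"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A file that has valid image magic bytes and still produces a hit is the case JBlaze describes: the extension and header look like an avatar, but the body carries PHP.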

Offline crash56

  • Jr. Member
  • **
  • Posts: 206
  • Test Dummy Extraordinaire
Re: Hacked, script injection
« Reply #137 on: May 12, 2009, 03:50:52 PM »
Theoretical question here, because I'm getting all of this straight in my mind ...

If we were to get hit by this hacker, and we had a recent clean backup of all our files, we could just reupload those ... yes?  Or does this code get into the database in some way so we would have to clean that up as well?

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #138 on: May 12, 2009, 03:57:29 PM »
So far, this hack only affects the /Sources and /Themes files as well as the affected avatar. To my knowledge, having worked with members on this hack for the past week or so, I have yet to find any damage done to the database.

The one thing that has saved members was backing up their files by simply downloading the entire SMF installation, minus the database, to their hard drive once a day.

Then, if you feel you have been hacked, take your forum offline, upload the backed up files making sure the old ones are overwritten, and voila!

Offline crash56

  • Jr. Member
  • **
  • Posts: 206
  • Test Dummy Extraordinaire
Re: Hacked, script injection
« Reply #139 on: May 12, 2009, 03:59:50 PM »
Great!  Thanks!  (No, we're not going to drop all defenses. ;) )