Author Topic: Hacked, script injection  (Read 269620 times)

MrPhil

  • Guest
Re: Hacked, script injection
« Reply #20 on: May 04, 2009, 06:35:15 PM »
Wow, that guy (krisbarteo) sure is busy! Just wondering... would it be Simple Machines' business to blast an email to all known SMF installations warning them about this guy? You'd have to be careful to phrase the warning in such a way that it's not legally an accusation (libelous) telling boards to dump this guy, but rather a pointer to discussions such as this one. That user name is going on my ban list right away!

That being done, do we yet know what vulnerability he exploited? Was it in a browser? Was it SMF permitting unrestricted file types for avatars?

Add:
I thought about adding code to ban particular user names, but figured that they'd just register under some other name. If the problem is that their avatar image contains some kind of booby trap, what is the nature of the beast? Are they uploading a .php file as the avatar? In that case, a simple check on permitted extensions should fix the problem. Are they uploading a legitimate extension (.jpg, .png, .gif, etc.) and it somehow contains malicious code? Could SMF scan for certain strings in an avatar image before accepting it? If not, could new avatars be uploaded to a different directory and quarantined awaiting Admin inspection and movement into the production directory? I assume that it's not a browser vulnerability to embedded code (I think I recall such a thing a few years back), but somehow code that gets run on the server?

If this information isn't suitable for public dissemination, but you would like to request my help in coding something to fight this attack, please feel free to PM me with details.
« Last Edit: May 04, 2009, 07:22:37 PM by MrPhil »

Offline Tiribulus

  • Sophist Member
  • *****
  • Posts: 1,016
  • Gender: Male
    • Tiribulus on Facebook
    • No Other God
Re: Hacked, script injection
« Reply #21 on: May 04, 2009, 08:44:41 PM »
<<< I found his avatar, I then downloaded it and opened it in notepad and I found php code. >>>

Are you saying that his avatar was an actual image with an image extension, but with embedded php script?

Offline vHawkeyev

  • Semi-Newbie
  • *
  • Posts: 32
Re: Hacked, script injection
« Reply #22 on: May 05, 2009, 07:18:02 AM »
It wasn't an actual image. It was just like another php file but with .jpg as the extension. I'm guessing it was used to upload other php files to my server.

MrPhil
Re: Hacked, script injection
« Reply #23 on: May 05, 2009, 09:03:56 AM »
So if avatar "images" were scanned for <? and possibly a few PHP keywords, that might detect code sailing under false colors? How about looking for image format keywords (e.g., GIF89a) in the right place, to confirm it's likely a real image file?
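The two checks proposed here, a format signature in the right place and a scan for PHP open tags, as an added example that is not SMF code or anything posted in this thread; the file names and sample bytes are constructed. The scan runs over the whole file, not just the header, because a genuine image with PHP appended still passes the signature check.

```python
import re

# Format signature that must sit at byte 0 for each extension the board accepts.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags: "<?php", the echo tag "<?=" and the short tag "<? ".
# Case-insensitive because the interpreter accepts "<?PHP" too.
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def check_avatar(filename, data):
    """Return (accepted, reason) for an uploaded avatar's name and bytes."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return False, "extension %r not permitted" % ext
    # A PHP file renamed to .jpg fails here: its first bytes are "<?php", not FF D8 FF.
    if not data.startswith(sigs):
        return False, "header does not match %s signature" % ext
    # A real image with PHP appended passes the header check, so scan the whole file.
    m = PHP_TAG.search(data)
    if m:
        return False, "PHP open tag at byte offset %d" % m.start()
    return True, "ok"


# Constructed samples (not files from the incident): a minimal valid 1x1 GIF,
# a PHP script carrying a .jpg name, and the GIF with a PHP tag appended.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SCRIPT_AS_JPG = b"<?php echo 'not an image'; ?>\n"
POLYGLOT_GIF = REAL_GIF + b"\n<?php echo 'hidden'; ?>\n"

if __name__ == "__main__":
    for name, blob in (("avatar_1.gif", REAL_GIF),
                       ("avatar_2.jpg", SCRIPT_AS_JPG),
                       ("avatar_3.gif", POLYGLOT_GIF),
                       ("avatar_4.php", SCRIPT_AS_JPG)):
        print(name, check_avatar(name, blob))
```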

Offline Tiribulus
Re: Hacked, script injection
« Reply #24 on: May 05, 2009, 09:42:32 AM »
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.

Offline DirtRider

  • SMF Hero
  • ******
  • Posts: 1,415
  • Gender: Male
  • Just Looking
    • TriumphTalk
Re: Hacked, script injection
« Reply #25 on: May 05, 2009, 10:15:39 AM »
Could we get an IP on this guy to add it to our ban list? Looks like he is hitting SMF forums big time; check this out: http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,628
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Hacked, script injection
« Reply #26 on: May 05, 2009, 10:20:14 AM »
Quote
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Attachment names are encrypted for a reason you know ;)
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Tiribulus
Re: Hacked, script injection
« Reply #27 on: May 05, 2009, 10:22:37 AM »
Quote
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Attachment names are encrypted for a reason you know ;)

Well gaaahhlee. Forgot about that  :-[

Offline DirtRider
Re: Hacked, script injection
« Reply #28 on: May 05, 2009, 10:43:49 AM »
I have just counted 730 SMF forums he has registered on, ranging from SMF 1.1.1 to RC1  :o

Offline busterone

  • SMF Hero
  • ******
  • Posts: 2,150
  • Gender: Male
  • Devil Dog
    • The Demon's Den
Re: Hacked, script injection
« Reply #29 on: May 05, 2009, 11:37:06 AM »
Busy little bee, huh? He has not attempted mine yet, but he won't get in under that username.
Quote
Could we get an IP on this guy to add it to our ban list? Looks like he is hitting SMF forums big time; check this out: http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=

I would like more info as well. I do understand it may not be a good idea to openly post this, but I will accept a pm gladly with IP, email addie and any other info anyone has on him.

Offline DirtRider
Re: Hacked, script injection
« Reply #30 on: May 05, 2009, 11:46:00 AM »
Yip me as well if possible  ;D

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,159
  • Gender: Male
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #31 on: May 05, 2009, 12:22:37 PM »
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?
Jason Clemons
Former Lead Customizer/Support Specialist
Twitter | Facebook | Instagram

Offline Aleksi "Lex" Kilpinen
Re: Hacked, script injection
« Reply #32 on: May 05, 2009, 12:34:33 PM »
Quote
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?
Or, with an Apache server, use .htaccess that turns the PHP engine off for a custom avatar folder. ::)

Offline JBlaze
Re: Hacked, script injection
« Reply #33 on: May 05, 2009, 12:44:06 PM »
Quote
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?
Or, with an Apache server, use .htaccess that turns the PHP engine off for a custom avatar folder. ::)

That works too...

Offline CarlT100

  • Semi-Newbie
  • *
  • Posts: 54
  • Gender: Male
    • Triumph Talk
Re: Hacked, script injection
« Reply #34 on: May 05, 2009, 01:02:55 PM »
DirtRider, I found this on the first page of this thread:

Quote
As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8
CarlT100


Offline busterone
Re: Hacked, script injection
« Reply #35 on: May 05, 2009, 02:29:10 PM »
I don't allow avatar uploads anyway. They must be linked to photobucket, etc. The only allowed attachments are by admins, and those are limited and encrypted, so most likely I have no worries from this guy. I have had over a dozen new members in the last 2 weeks that have gotten past the anti-spam and confirmed the email address. Once they log on, they only stay about 2 to 5 minutes, log off and do not return. Could be they are looking to upload an avatar or attachment, realize they can't, and then move on somewhere else.

Offline Tiribulus
Re: Hacked, script injection
« Reply #36 on: May 05, 2009, 03:33:28 PM »
Would this work?

Code:
# Refuse direct requests for files whose extension looks like a script
<Files ~ "\.(php.*|s?p?html|cgi|pl)$">
Deny from all
</Files>

This is supposed to kill HTML, CGI and Perl execution as well. Before I create the file I wanted to bounce it off some of you guys first.
« Last Edit: May 05, 2009, 03:43:45 PM by Tiribulus »

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,662
  • Gender: Male
Re: Hacked, script injection
« Reply #37 on: May 05, 2009, 04:27:29 PM »
Quote
Would this work?

Code:
# Refuse direct requests for files whose extension looks like a script
<Files ~ "\.(php.*|s?p?html|cgi|pl)$">
Deny from all
</Files>

This is supposed to kill HTML, CGI and Perl execution as well. Before I create the file I wanted to bounce it off some of you guys first.

On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

Offline Tiribulus
Re: Hacked, script injection
« Reply #38 on: May 05, 2009, 04:45:22 PM »
Quote
On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.

You're saying that since this stops the action based on the file extension, a file with a different extension but still containing script code would run anyway.

How then do you use .htaccess to block the engine altogether, as was suggested above? I also found some info on doing it with httpd.conf.

Offline H
Re: Hacked, script injection
« Reply #39 on: May 05, 2009, 04:57:21 PM »
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess
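The .htaccess approach suggested by Lex and H, written out as an added example that is not SMF's code or from this thread: the directory name, the Apache 2.2 syntax, PHP loaded as mod_php and the AllowOverride settings are all assumptions. It also addresses H's point about files being run through PHP without a .php ending, by removing the script handlers from the directory outright rather than matching extensions the way the <Files> block above does.

```apache
# .htaccess for the custom avatar directory (for example custom_avatar/).
# Added example, not part of SMF. Assumes Apache 2.2 syntax for the access
# rules and PHP loaded as mod_php; AllowOverride must permit FileInfo,
# Options and Limit for this directory, or these lines are silently ignored.

# Turn the PHP engine off here. This is the documented boolean form of the
# setting mentioned above. It only affects mod_php; with PHP as CGI/FastCGI
# the handler directives below are what keep scripts from running.
php_flag engine off

# Strip script handlers and MIME types so mod_mime cannot hand a file here to
# PHP on the strength of any extension in its name, including names such as
# avatar.php.jpg that some servers treat as PHP (the case raised above).
RemoveHandler .php .phtml .php3 .php4 .php5 .phps
RemoveType    .php .phtml .php3 .php4 .php5 .phps
SetHandler default-handler

# No CGI scripts or server-side includes from this directory either.
Options -ExecCGI -Includes

# Serve nothing but image files, whatever the upload check let through.
# (Apache 2.4: "Require all denied" / "Require all granted" instead.)
Order deny,allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
    Allow from all
</FilesMatch>
```

Put the file in the avatar directory only; applying `SetHandler default-handler` at the forum root would stop the board itself from running.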