
Author Topic: Hacked, script injection  (Read 269342 times)

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #200 on: May 16, 2009, 03:11:09 PM »
In general, after uploading the SMF upgrade package, you should verify every file that is not part of the SMF distribution; this includes verifying all avatars, attachments, custom theme files etc.
    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #201 on: May 16, 2009, 03:12:54 PM »
Can anybody confirm whether or not disabling users from choosing their own theme will stop this hack?

It's possible that disabling theme selection is enough, but I would disable all kinds of uploads as well, at least until the patch comes out.

Offline Tiribulus

  • Sophist Member
  • *****
  • Posts: 1,016
  • Gender: Male
    • Tiribulus on Facebook
    • No Other God
Re: Hacked, script injection
« Reply #202 on: May 16, 2009, 03:20:04 PM »
<<< also make sure there are no rows for themes in the themes table that should not exist.

I don't mean to sound dopey, but what SHOULD be there, so I (we) know when something is out of place? Near as I can tell this @$$hat hasn't gotten into my site, but I'm not sure what rows are supposed to be there in the first place. To me it doesn't look like anything out of place is there, but you guys would know better than I would.

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #203 on: May 16, 2009, 03:23:56 PM »
Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

Offline zaphodb777

  • Newbie
  • *
  • Posts: 4
Re: Hacked, script injection
« Reply #204 on: May 16, 2009, 04:02:42 PM »
One would have to wonder if just adding a delete command to the upload task, one that would delete all *.php files in the upload directory, would be good enough...

Or, perhaps, upload to a directory other than the normal avatar directory, then have the whole of the directory copied into the accessible one, but only copying *.jpg, *.gif, and *.png files, and skipping pre-existing ones at the end of the upload.

Good luck folks,
Zap

Offline Tiribulus

  • Sophist Member
  • *****
  • Posts: 1,016
  • Gender: Male
    • Tiribulus on Facebook
    • No Other God
Re: Hacked, script injection
« Reply #205 on: May 16, 2009, 04:03:10 PM »
Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

Mine looks clean. I've had it torqued down pretty good for quite a while, but I'm wondering if the fact that I never had user selectable themes enabled at all might be the clincher. Also have recaptcha, are you human, puzzle and clock mods along with stop spammer and Unrecognizable Form. Not to mention having the PHP engine disabled for avatar and attachment directories. Password protected docroot too. I also killed all the ip info that's come up with this guy on my router.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,430
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #206 on: May 16, 2009, 04:16:50 PM »
Zaphod,

The point is that we already sanitize uploads and do not allow PHP files. What this hacker is doing is uploading a .jpg file that contains PHP code...
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline zaphodb777

  • Newbie
  • *
  • Posts: 4
Re: Hacked, script injection
« Reply #207 on: May 16, 2009, 04:36:42 PM »
K, I thought they were using a null truncator (%00) to slice off the .jpg (or whatever) when it hit the filesystem.

Nevermind. Still hoping there is a record somewhere of the URL they use to launch this, and if there's anything in it that is unique enough it can be added as a hostile action to my pre-parser script.

Thanks,
Zap.

Offline crash56

  • Jr. Member
  • **
  • Posts: 207
  • Test Dummy Extraordinaire
Re: Hacked, script injection
« Reply #208 on: May 16, 2009, 04:46:21 PM »
We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this, which will be released once the developers, the team, and the beta testers have worked all the bugs out. If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

I can't begin to imagine how much work this entails ... especially the 'debugging' process.  I know from working with some other automation that spotting, chasing down, and remedying the bugs can be both infuriating and the most time consuming portion of the process.  I appreciate all the effort that goes into coming up with a reliable, stable patch. 

As someone said earlier (I think it was JBlaze), I've got the three forums I run locked up tighter than a crab's ass.  Pre-banning KrisBarteo and his IP has gone a long way in terms of defenses.  As of this evening, he has tried to register at all three forums now, and has been turned away.  I can wait quite patiently for the patch.  ;) 


Offline Broken Arrow

  • Jr. Member
  • **
  • Posts: 185
  • Gender: Female
    • Broken Arrow's Peace Pipe
Re: Hacked, script injection
« Reply #209 on: May 16, 2009, 07:39:25 PM »
I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already, but it's the same IP as the other hacker name


Offline ConquerorOfMankind

  • Semi-Newbie
  • *
  • Posts: 11
Re: Hacked, script injection
« Reply #210 on: May 16, 2009, 07:51:12 PM »
So avatars linked from other image hosters are still safe? Did I understand that correctly?


And has anyone planned to do legal actions against that hacker, i.e. make a criminal complaint at the local police station?

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #211 on: May 16, 2009, 08:02:11 PM »
So avatars linked from other image hosters are still safe? Did I understand that correctly?

Yes, but uncheck "Download avatar at given URL" in Admin > Attachments and Avatars > Avatar Settings tab.

From the help text: "With this option enabled, the URL given by the user is accessed to download the avatar at that location. On success, the avatar will be treated as uploadable avatar." So I don't recommend enabling it.

Offline ConquerorOfMankind

  • Semi-Newbie
  • *
  • Posts: 11
Re: Hacked, script injection
« Reply #212 on: May 16, 2009, 08:34:49 PM »
Ok thanks. I hope there will be an update soon.

And is SMF 2.x affected by that? What I have read before seems to be only about 1.1.8.

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,158
  • Gender: Male
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #213 on: May 16, 2009, 08:41:55 PM »
Ok thanks. I hope there will be an update soon.

And is SMF 2.x affected by that? What I have read before seems to be only about 1.1.8.

It is also a problem in 2.0 but so far I have not seen an infected 2.0 version. (knock on wood)
Jason Clemons
Former Lead Customizer/Support Specialist
Twitter | Facebook | Instagram

Offline metallica48423

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,842
  • Gender: Male
  • Professional Multislacker!
    • Zentendo
Re: Hacked, script injection
« Reply #214 on: May 17, 2009, 01:14:58 AM »
All three branches of SMF are currently affected by this
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"

Useful Links:
Online Manual!
How to Help us Help you   
Search
Settings Repair Tool
     

Offline Samker

  • Jr. Member
  • **
  • Posts: 145
  • Gender: Male
  • "Whatever doesn't kill us makes us stronger."
    • SCforum.info - Samker's Computer Forum
Re: Hacked, script injection
« Reply #215 on: May 17, 2009, 03:25:20 AM »
I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already, but it's the same IP as the other hacker name

I also have them (blocked) in my member base, but with a different IP than krisbarteo: 78.157.140.2, and this mail address: stilusmagic@googlemail.com

Just some info, so you can check and block this IP ASAP.  ;)
Samker's Computer Forum - SCforum.info

Offline agridoc

  • SMF Hero
  • ******
  • Posts: 3,274
  • Gender: Male
    • Aeromodelling GR - Aeromodelling in Greece
Re: Hacked, script injection
« Reply #216 on: May 17, 2009, 03:43:59 AM »
Thank you for the reply.  :)

It seems that I have to remember my old days  ;D

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

Don't know if you found a script by now; I have done just that with a simple find/sed shell routine recently.

Code:
nohup find /tmp/web13 -name "*.php" -exec grep -q "aWYoZnVuY3Rpb24" {} \; -print -exec ./clear.sh {} \; | grep tmp &

clear.sh:

Code:
#!/bin/bash
# Usage: ./clear.sh /path/to/infected.php
# Assumes the injected code is the first line of the file (that is what
# sed '1d' removes): write a cleaned copy under /tmp/backup, park the
# original as *.hack, then move the cleaned copy back into place.

mkdir -p "/tmp/backup$(dirname "$1")"

sed -e '1d' "$1" > "/tmp/backup$1"

mv "$1" "$1.hack" 2>/dev/null

mv "/tmp/backup$1" "$1" 2>/dev/null

You could even do it with the "sed -i" command in one line; I had to copy/move all the files because I did it on a curlftpfs-mounted device.
  For Greek aeromodellers and our friends around the world  - Greek Button sets for SMF - Greeklish to Greek mod
Δeν αφιερώνω χρόνο για μηνύματα σε greeklish.

Offline (.:Al-Pacino:.)

  • Semi-Newbie
  • *
  • Posts: 19
Re: Hacked, script injection
« Reply #217 on: May 17, 2009, 05:07:03 AM »
When you type the word "krisbarteo" into Google,

you will get more than 20 SMF forum sites!!
I've got an SMF 1.1.9!
With a lot of mods.
And a cool community xDD
http://gold-community.tk/

Offline Samker

  • Jr. Member
  • **
  • Posts: 145
  • Gender: Male
  • "Whatever doesn't kill us makes us stronger."
    • SCforum.info - Samker's Computer Forum
Re: Hacked, script injection
« Reply #218 on: May 17, 2009, 05:55:13 AM »
When you type the word "krisbarteo" into Google,

you will get more than 20 SMF forum sites!!

I found exactly 670 indexed entries; if we add some % of non-indexed forums... it's obvious that this exploit gets worse with every new minute.


Offline (.:Al-Pacino:.)

  • Semi-Newbie
  • *
  • Posts: 19
Re: Hacked, script injection
« Reply #219 on: May 17, 2009, 07:15:01 AM »
I hate this hacker  :-X

pls god protect all SMF Forums  O:)