Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic

Dzonny

Quote from: GOAT15 on May 17, 2009, 07:15:01 AM
I hate this hacker  :-X

pls god protect all SMF Forums  O:)
Lol, God have nothing with that... :)

rosey

ok so if my forum was hacked (thank god only ONE of my forums allowed uploadable avs!) and I installed a fresh install of SMF - is it safe now?  or do I have to still find that user and delete him?  and if so how do I figure out which user it is?

or can I just empty out the attachments directory and then their script won't run anymore?

Dzonny

No, we still waiting for patch to be released...
Read this topic for info:
http://www.simplemachines.org/community/index.php?topic=309717.0

thebofh

I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)

Aleksi "Lex" Kilpinen

Quote from: thebofh on May 17, 2009, 10:46:32 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)
And now to wait for a reply :P
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

thebofh

Quote from: LexArma on May 17, 2009, 10:49:46 AM
Quote from: thebofh on May 17, 2009, 10:46:32 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)
And now to wait for a reply :P
I doubt if he has enough time in the day to reply to all his abusive emails, or even a fraction of them, what a tosspot! I'm sure it's some teenage scumbag Eastern European script kiddie who doesn't even understand what's he's doing apart from following instructions from a real hacker.

Aleksi "Lex" Kilpinen

I wasn't exactly serious there :P Didn't think he would respond...
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

JoeB

My advice is to just:
IGNORE HIM
This kind of internet abusers are the lowest of the low and motley attention seekers & enjoy any replies however abusive they are
Don't give them their treat & just ignore them

MrPhil

Unfortunately, most hackers these days are apparently working (for pay) for spammers, rather than for the thrill and attention. They're cyberterrorists and it would be good to shoot the lot of them. It will eventually come to the point where the Internet has to be handed over to national Post Offices and postage be charged for every packet transmitted. Once it's no longer free, it will not be nearly so lucrative to spam. A side benefit will be that it will be cheaper to buy a legit CD or DVD than to download a pirated copy, thus greatly reducing piracy. The only losers will be hobbyists who download large software projects.

zaphodb777

Your friend (dripping sarcasm on the word "friend") krisbarteo has been seen in these IP blocks.

77.92.88.0 - 77.92.89.255 ... LIMT Group, Suspected RBN
78.129.202.0 - 78.129.203.255 ... LIMT Group, Suspected RBN
78.157.140.0 - 78.157.143.255 ... Known RBN block

It is appearing that this is a major incursion by the RBN (Russian Business Network).

God be with us all against the red menace.

Zap :(

P.S. There are several more ranges the RBN squirts out of. Sorry about tooting my own horn here, but hxxp:www.spambotsecurity.com/zbblock.php [nonactive] does block most of them. You might try it out for the time being, as it's GPL freeware.

ellion

what do i need to do check my database for this hack?

ellion

when i cleaned up my SMF installation i compressed the corrupt public_html directory and downloaded it. i was just going through it now to see how much damage had been done but it does not look like the hack has gotten into too many files. however i tried to rename the folder and i am being denied access to it. is it possible that this contains some kind of virus that is run when the files are open on my own computer?

robone

I had both krisbarteo and stilusmagic try and register early in may but my spam protection got them.

However, I did get caught with SanyaKill in March (before Spam protection) who uploaded an avatar that somehow had C99shell as part of it. He/she then got stuck in and had some fun by adding links to all my php files. I have resolved this by restricting the uploading of avatars or attachments until a member has posted a number of times.

As a rule, I have automatically banned anything with a .ru in it. Sorry Russia

Broken Arrow

can someone tell me which mod stops these things the best? I had tried the Stop Spam mod but it messed up the members list and did not show any of the images it was supposed to. I unistalled it and the list returned to normal

I wouldn't contact this spam guy in any way. I made the mistake of sending out a mass email to alert people to the missing avatar problem before I came here and saw what was causing the problem. I had another window open with my site up and saw that my mass email alerted him to come to my site. He showed up as a member online and then in a matter of minutes my site crashed completely...right before my eyes. I don't know what this guy did but files just disappeared off the server.


robone

He probably used C99shell. Do yourself a favour and look it up on google. Once they get it on your site, they can do things you would not believe. It was on my site as img.php in the attachments folder, and then once they were in the transfered it to my root directory. A friend had it on his site as dir.php. I was in such a hurry to delete, that I never checked the size, but looking it up elsewhere, its about 47,029 bytes.

Worth checking every now and again. I have been looking for something that will scan and compare the files you should have on the server and what is there at present.

Broken Arrow

I looked it up robone.

I am not experienced enough to understand all the talk about codes and scripts. I was reading this site: http://www.webhostingtalk.com/showthread.php?p=4703619 and it all just went over my head. I have taught myself as I go over the past few years. Protecting my site from this kind of attack is out of my league

Zero_Panzer

Quote from: JBlaze™ on May 04, 2009, 04:47:53 PM
Quote from: Agent Orange on May 04, 2009, 04:44:33 PM
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote from: Kat on May 01, 2009, 12:50:54 PMDO NOT OVERWRITE Settings.php
:( I found the same code in my main index file. So I've got to go through all of them to see whats wrong? Dur. Oh well. Better to know whats wrong rather than to go in blindfolded.
I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool What is repair_settings.php?


Forum spam problem?
Wiener pill posts got ya down?
Click my signature, I posted some tips that you may find helpful.

Niklas_

Does anybody know what the Hack does?

It does spread in all the *.php files available but that can'nt really be what krisbarteo is up to, can it?
Do I have to tell my members that I infected their computer?
Did he use my Forum to distribute SPAM ?
Or did he just use my Forum to store 230MB of stuff in my /Themes/default/languages Folder?

Thank you

Aleksi "Lex" Kilpinen

The ultimate purpose seems to be linkspam... The hack adds loads of hidden links on your forum....
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

JBlaze

So far, all we know as of now is that there is code injected into random, or seemingly random, php files. Also, there have been reports of some database tables getting injected as well.

I, personally, have not seen any spam or viruses etc. come from this attack, but that doesn't mean anything.

I'm sure there will be a detailed report on this once the security patch comes out, so keep your eyes peeled.
Jason Clemons
Former Team Member 2009 - 2012

Advertisement: