Topic: Hacked, script injection

[MrPhil]

Wow, that guy (krisbarteo) sure is busy! Just wondering... would it be simplemachine's business to blast an email to all known SMF installations warning them about this guy? You'd have to careful to phrase the warning in such a way that it's not legally an accusation (libelous) telling boards to dump this guy, but rather a pointer to discussions such as this one. That user name is going on my ban list right away!

That being done, do we yet know what vulnerability he exploited? Was it in a browser? Was it SMF permitting unrestricted file types for avatars?

Add:
I thought about adding code to ban particular user names, but figured that they'd just register under some other name. If the problem is that their avatar image contains some kind of booby trap, what is the nature of the beast? Are they uploading a .php file as the avatar? In that case, a simple check on permitted extensions should fix the problem. Are they uploading a legitimate extension (.jpg, .png, .gif, etc.) and it somehow contains malicious code? Could SMF scan for certain strings in an avatar image before accepting it? If not, could new avatars be uploaded to a different directory and quarantined awaiting Admin inspection and movement into the production directory? I assume that it's not a browser vulnerability to embedded code (I think I recall such a thing a few years back), but somehow code that gets run on the server?

If this information isn't suitable for public dissemination, but you would like to request my help in coding something to fight this attack, please feel free to PM me with details.

[Tiribulus]

<<< I found his avatar, I then downloaded it and opened it in notepad and I found php code. >>>

Are you saying that his avatar was an actual image with an image extension, but with embedded php script?

[vHawkeyev]

It wasn't an actual image. It was just like another php file but with .jpg as the extension. I'm guessing it was used to upload other php files to my server.

[MrPhil]

So if avatar "images" were scanned for <? and possibly a few PHP keywords, that might detect code sailing under false colors? How about looking for image format keywords (e.g., GIF89a) in the right place, to confirm it's likely a real image file?

[Tiribulus]

Okay, but then what about attachments and gallery items. Doesn't it seem like this could turn into a processor resource nightmare on a busy site. Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine so to speak.

[DirtRider]

Could we get an IP on this guy to add it to our ban list. Looks like he is hitting SMF forum big time check this out http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=

[Aleksi "Lex" Kilpinen]

Okay, but then what about attachments and gallery items. Doesn't it seem like this could turn into a processor resource nightmare on a busy site. Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine so to speak.

Attachmentnames are encrypted for a reason you know

[Tiribulus]

Okay, but then what about attachments and gallery items. Doesn't it seem like this could turn into a processor resource nightmare on a busy site. Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine so to speak.

Attachmentnames are encrypted for a reason you know

Well gaaahhlee. Forgot about that 

[DirtRider]

I have just countered 730 SMF forums he has registered on ranging from SMF 1.1.1 to RC1 

[busterone]

Busy little bee huh? he has not attempted mine yet, but he won't get in under that username.

Could we get an IP on this guy to add it to our ban list. Looks like he is hitting SMF forum big time check this out http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=

I would like more info as well. I do understand it may not be a good idea to openly post this, but I will accept a pm gladly with IP, email addie and any other info anyone has on him.

[DirtRider]

Yip me as well if possible 

[JBlaze]

How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?

[Aleksi "Lex" Kilpinen]

How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?

Or with an apache server use .htaccess that turns php engine off for a custom avatar folder.

[JBlaze]

How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?

Or with an apache server use .htaccess that turns php engine off for a custom avatar folder.

That works too...

[CarlT100]

Dirtrider, I found this on the first page of this thread:

As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8

[busterone]

I don't allow avatar uploads anyway. They must be linked to photobucket, etc. The only allowed attachments are by admins, and those are limited and encrypted, so most likely, I have no worries from this guy. I have had over a dozen new members in the last 2 weeks that have gotten past the anti-spam, and confirmed the email address. Once they log on, they only stay about 2 to 5 minutes, log off and do not return. Could be they are looking to upload an avatar or attachment, realize they cant, and then move on somewhere else.

[Tiribulus]

Would this work?

Code: [Select]

<files~".(php* |s?p?html | | cgi | pl)$">
deny from all
</files>
This is supposed to also kill html, cgi and perl executions as well. Before I create the file I wanted to bounce it off some of you guys first.

[H]

Would this work?

Code: [Select]

<files~".(php* |s?p?html | | cgi | pl)$">
deny from all
</files>
This is supposed to also kill html, cgi and perl executions as well. Before I create the file I wanted to bounce it off some of you guys first.

On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.

[Tiribulus]

On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.

You're saying that since this stops the action based on the file extension that a file with a different extension, but still containing script code would run anyway.

How then do you use .htaccess to block the engine altogether as was suggested above. I also found some info on doing it with httpd.conf.

[H]

There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess