Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic


Quote from: StarWars Fan on May 12, 2009, 04:12:31 PM
I have a question - is this hack simply an avatar upload and the forums wrecked?

I mean, can any Joe Shmoe get a hold of this avatar and use it without "skills"?

That's a good question. But for now, it has been limited to only a few usernames such as "krisbarteo" and "MagicOPromotion" among a few others.

But yes, it is a good point to bring up as so far it is a generic 1x1 avatar that is masked with either a .jpg or .gif extension, but contains php code.

I will look into it.
Jason Clemons
Former Team Member 2009 - 2012



Thanks for this topic !
I have this problem whith the member named above (krisbarteo) and his avatar was indeed encapsulated PHP ...

My error was to set CHMOD 777 on the attachement directory ... Shame on me ...


Jason Clemons
Former Team Member 2009 - 2012


yes Jblaze, thx. I read it and applied changes.


Quote from: crash56 on May 12, 2009, 03:50:52 PM
Or does this code get into the database in some way so we would have to clean that up as well?

Analyzing DB dump:
The user (krisbarteo) have set theme_dir to ./attachments/avatar_46455.jpg\0 (note zero code at the end)
Then requests (according to error log) to ?action=theme;sa=pick;u=46455;sesc lead to execution of avatar as php in include() call inside theme handling code.
Quote8: Use of undefined constant php - assumed 'php'<br />File: /nfs/www/ru/forum/htdocs/attachments/avatar_46455.jpg<br />Line: 1

How the value of theme_dir appeared in smf_themes table - is the main question.


I have all the code on top..but I can not find his avatar at all.
* I don't suffer from insanity; I enjoy every minute of it. *


OK. I removed all code up top and now I only get the top half of my website..  :( my back up was the one i removed it from. Is there something I missed. It is the Sources that has caused this. My admin is still there and working but nothing else.
I just removed and uploaded.
Any ideas?
* I don't suffer from insanity; I enjoy every minute of it. *


Make sure that you did not leave a space at the top of each file.

<?php must be the first line
Jason Clemons
Former Team Member 2009 - 2012


Bugger.. I bet I overwrote settings.php..
* I don't suffer from insanity; I enjoy every minute of it. *


Ok so we did some investigating on our forum to see how vulnerable we were to this attack; Agafonov's discovery was a big help in understanding what was going on.

Let me summarize what I think i understand, pieced together from several places and from going through the code.

The attack is a multi-step attack:

FIRST, the user uploads an avatar image (or an attachment on a post), doesn't really matter, and doesn't have to be an image i don't think.
The goal here is for them simply to get their payload php script onto your server.

SECOND, they trick the forum code into INCLUDING their payload php file while it's running other php code.

This second part is the tricky part, and it's what makes some of the potential fixes suggested in this thread useless.

The original method that they use to execute the file payload was described back in november 2008, as can be seen in this thread:

The basic idea is that the evil user tells the smf forum to INCLUDE a file from the CUSTOM theme directory (variable theme_dir).  And then they bring up one of the pages on the forum that actually loads a file in the theme dir.

By setting the themedir to the file path of their malicious fake image file (with a \0 on the end of it as seen above), the malicious user actually tricks the smf forum to parse the fake image file and execute the php in it directly).


Now, the part that makes this a bit messy to fix is that there are NUMEROUS places in smf where a user's custom 'theme_dir' variable can be set, and numerous places where it is used.

It seems to me that most of these were fixed in earlier SMF releases.. *BUT* a few remain(!) and that is how this exploit is still occuring.


[the truth is that users should NEVER be allowed to customize their theme_dir -- this is a flaw in smf and should be remedied]

I'm offering some fixes we did locally, but i'm not guaranteeing this will fix all the risk -- and i hope smf people will follow up.

The first fix will prevent the Theme Picker from using custom user theme_dir variables, which should prevent this particular exploit even in users which previously modified their variable in an effort to hack your forum.  This one is most important quick fix and should solve this particular exploit:

In Themes.php, FIND:
      $request = db_query("
         SELECT ID_THEME, variable, value
         FROM {$db_prefix}themes
         WHERE variable IN ('name', 'theme_url', 'theme_dir', 'images_url')" . (empty($modSettings['theme_default']) && !allowedTo('admin_forum') ? "
            AND ID_THEME IN ('$knownThemes')
            AND ID_THEME != 1" : '') . "
            AND ID_THEME != 0
                                AND ID_MEMBER = 0

The second fix will prevent new changes to users theme_dir variable (but not correct existing changes that evil members already set).
I'll leave it for someone else to go into more details since im running low on sleep but basically
In Profile.php, go into makeThemeChanges function
and inside both loops through $_POST['options'] and $_POST['default_options']
and add a line inside the loops saying:
         if (strpos($opt,'_dir')!==FALSE || strpos($opt,'_url')!==FALSE)


There are 2 more things you can do:
search the smf database, the themes table
for rows where variable=theme_dir

the hits are users who have tried to use this exploit.

DELETE THESE ROWS -- after noting the filenames and userids.

now i'd say don't panic when you find entries there -- but DO go check out the files uploaded by these users (you'll see them listed in these rows), and make sure you don't find really evil php code in any of them..  those tables will also tell you which exact users uploaded the files an attempted to run exploits.  then delete those attachment files.


hope that's at least some use -- sorry it's not explained better but we just spent a few hours on this right before we planned on sleeping, so i'm just rushing to explain what we found in time to be useful to someone.

and note that none of the instructions above will do anything to CLEAN a system that has actually been exploited by this attack by someone who put really malicious code in one of the payloads.
proud member of donationcoder.com (forum)


DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."


Quote from: Kindred on May 13, 2009, 08:18:08 AM
DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.
We kinda suspected it.

Any indication on ETA would be very much appreciated by a lot of people I guess. Uncertainty is one of the worst things, you know...


I have made contact with this hackers ISP here is the reply

thanks for you reporting.

1. Please tell more information about this action, domain name (-s) or IP address (-es) of your website, which has suffered?
2. IP address (-es) who attacked your website?

We investigate this action and we'll do anything to avoid this problem in future.

So if you want to PM me your info I will compile a list and send it along to them for investigation. Also include the time more or less that the hack took place 

"The real question is not whether machines think but whether men do. "


Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

Ron Burke
Director of Gaming Trend


I'd just like to add that I also had a Hacktool.Rootkit on the pc I use for administrating my website. I solved this first, and then, when the whole site was taken off-air, I asked my webhoster to change the passwords for the ftp and mysql. After that I uploaded the site again and since then the site hasn't been infested by bad php-code anymore.

Btw, I have the idea that Krisbarteo never got to upload an avatar on my site, yet I got all this trouble anyway...


Quote from: GamingTrend on May 13, 2009, 02:27:06 PM
Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

I deleted them all just to be sure anyway.  I don't like randomly named files that span roughly 3000 different names.  Let's hope that my cleanup worked.
Ron Burke
Director of Gaming Trend


He has hit our forum as well.

I have been cleaning for 2 days. I thought I got all of the code out of the files, but these problems remain:

Some of our members avatars have failed to display as well as the random letter code that is supposed to be displayed on the registration screen.
The members who's avatars have diasppeared are unable to upload a replacement avatar.
The members who's avatars do not display are in the attachment folder. I have physically verifed that they are there.
I have no error logs indicating an issue.

I have RT clicked 2 of the missing avatars->> properties; and this is what is displayed



I have Rt clicked the random letter code box ->> properties: and this is what is displayed.


Of course now, new members cannot register without a verification code. I feel somehow they are related

Can you please tell me where to look for the problem

By the way I have a sample of the 64 code, the infected avatar itself , the IP address Latvia

And the code strings of the avatar if anyone wants a copy or any other info.


1.- Here are some details about krisbarteo. Can somebody give me more data to report in SFS site? (and all the people using this DB will be immune from these users).

2.- If somebody have to "the avatar uploaded" by this user, should give to the Team SMF (and me, XD, I have curiosity). (done, thanks :))

3.- There is another problem, how the spammers run this file once uploaded?


Since I have an avatar upload on registration modification which I do not feel like messing with I have disabled registrations. What if I just say screw it and take my chances, while saving a copy of all the files in me forum directory twice a day. If I get hacked can't I just upload all the clean files from my forum and all will be fine?