[NOTICE] How to secure your site against recent attacks

Started by jblazeofek, May 11, 2009, 08:05:23 AM


PSNick

Thanks, but apparently it's too late for me.
I have done everything that appears here and banned the user, but what can I do to get the theme choose page back? Or whatever other problem this exploit causes too?

Thanks.

Dzonny

OK, but I can't believe this kind of mistake is made in this last stable version... :/
I've disabled uploads for now, and I hope that a patch will be released soon...

PSNick

Hello,

For the ones that had this code injected, apart from doing everything in this post to prevent future abuse, please take a look here for the solution. At least what you have to do to remove the code.

http://www.simplemachines.org/community/index.php?topic=309957.0

L'AltroWeb

Can we try disabling (with .htaccess) the PHP engine for this directory?
krisbarteo is already registered on more SMF forums:
http://www.google.it/search?source=ig&hl=it&rlz=&=&q=krisbarteo&btnG=Cerca+con+Google&meta=lr%3D&aq=f&oq=
In any case I've put this .htaccess in my attachments folder:
# Prevent Directory Listing
Options -Indexes

# Prevent Direct Access to Program Files
<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>
With this it can't use the full URL, e.g. mysite.*/forum/attachments/avatar_xx.*
-
And I've pre-banned the krisbarteo user.

uncajesse

http://www.google.com/search?q=krisbarteo&lr=
default language for whatever your Google normally is ;)


The exploit appears to be in the EXIF data, and executed after the JPEG is uploaded through the avatar uploading functions.  I wonder if the crap bothers to check where the actual avatars are uploaded to?  For now I changed where the avatars get uploaded to, as well as the location for the rest of the attachments.

What might stop this dead in its tracks for now is if all avatars are forced to be converted into PNG.  Sort of like this

but gets run on all uploaded avatars.

Another thing that wouldn't hurt is to pre-create a user named krisbarteo on your forum, and then ban it.  You can then also track the IPs that try to use it. :)

Just kicking out some ideas here.
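One way to do what uncajesse suggests (force every uploaded avatar through a re-encode to PNG so the stored file never keeps the uploaded bytes or their EXIF/comment segments), as an added example that is not code from this thread or from SMF. It assumes the GD extension is loaded; the paths are hypothetical.

```php
<?php
// Added example (not SMF's own code): decode an uploaded avatar with GD and
// write a fresh PNG built only from pixel data. EXIF, comment and other
// metadata segments of the original JPEG/GIF/PNG are not part of the GD
// canvas, so they do not survive; non-images are rejected outright.

function reencode_avatar_to_png(string $tmpPath, string $destPath, int $maxBytes = 65536): bool
{
    // Reject oversized uploads before trying to decode them.
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return false;
    }
    // getimagesize() only parses the header; allow the three avatar formats.
    $info = @getimagesize($tmpPath);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return false;
    }
    // Decode into a GD canvas; anything GD cannot parse comes back as false.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return false;
    }
    // Copy the pixels onto a new true-colour canvas with a transparent background.
    $w = imagesx($img);
    $h = imagesy($img);
    $clean = imagecreatetruecolor($w, $h);
    imagealphablending($clean, false);
    imagesavealpha($clean, true);
    imagefill($clean, 0, 0, imagecolorallocatealpha($clean, 0, 0, 0, 127));
    imagecopy($clean, $img, 0, 0, 0, 0, $w, $h);
    imagedestroy($img);
    // Always write PNG under a name the server chooses, never the uploaded one.
    $ok = imagepng($clean, $destPath, 6);
    imagedestroy($clean);
    return $ok;
}

// Hypothetical usage: $uploaded is the temp file PHP gives you for the upload.
$uploaded = '/tmp/php_upload_example';
$stored   = '/var/www/forum/avatars/avatar_123.png';
if (!reencode_avatar_to_png($uploaded, $stored)) {
    echo "avatar rejected\n";
}
```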

JBlaze

Quote from: uncajesse on May 12, 2009, 03:34:57 PM
http://www.google.com/search?q=krisbarteo&lr=
default language for whatever your Google normally is ;)


The exploit appears to be in the EXIF data, and executed after the JPEG is uploaded through the avatar uploading functions.  I wonder if the crap bothers to check where the actual avatars are uploaded to?  For now I changed where the avatars get uploaded to, as well as the location for the rest of the attachments.

What might stop this dead in its tracks for now is if all avatars are forced to be converted into PNG.  Sort of like this

but gets run on all uploaded avatars.

Another thing that wouldn't hurt is to pre-create a user named krisbarteo on your forum, and then ban it.  You can then also track the IPs that try to use it. :)

Just kicking out some ideas here.

The best idea now is to just disable avatars and attachments.

Or set it up so that only members with say 5-10 posts or more can upload avatars/attachments.
Jason Clemons
Former Team Member 2009 - 2012

uncajesse

http://www.stopforumspam.com/search?q=krisbarteo
http://www.stopforumspam.com/search?q=MagicOPromotion

[edit]
Ah, never mind, it's probably just one person, or two friends.  Those IPs are very similar.
[/edit]

uncajesse

and
http://www.stopforumspam.com/search?q=94.142.129

and yeah, we know it's not someone MANUALLY doing this.

I'm blocking 94.142.128-129.* right now. :)

Filipina

OMG my forum 1.1.8 has a special avatar upload mod on registration.

JBlaze

Quote from: Filipina on May 12, 2009, 11:41:29 PM
OMG my forum 1.1.8 has a special avatar upload mod on registration.

Just to be safe, install the Stop Spammer mod I referenced in the OP. This will prevent this IP range from registering.

Filipina

OK, thanks, but it says

This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
Any registrations that check positive will be sent to the Admin approval bin.


Since avatars upload on registration will I not have the infected file already on my server, even if the registration goes to Admin for approval? :)

JBlaze

Actually, that is a good question. I would disable the avatar on registration then until the security patch comes out.

Filipina

OK, thanks. I just turned registration off.  The mod was specially made and I do not know how to get it off the registration page :) Hope a patch comes out soon.


lars_n

We got hacked as well on 1.1.8

http://www.pclinuxos.de/smf/

Same behaviour - all relevant PHP files were infected with the encrypted codelines. The forum-error-log in the backend was completely full (735 sites) with errors, caused by the base64 encrypted lines. I performed a full recovery last night.

The user "krisbarteo" was registered as well and he uploaded that .gif avatar which contained the code. Perma-banned him now and disabled upload of avatars and attachments for now.

IMHO this warning should be visible in the admin backend of the SMF.


Regards

flid

Over the last two weeks my site has been attacked by phishing files. They were uploaded into various folders on my server. I removed them; however, my site yesterday was sending out phishing emails somehow. I looked for files that shouldn't be there, but to no avail.

I've now uploaded a complete fresh install of my site, is this to do with this attack? Or do I have a different problem?

**edit**

Looking through my site files (pre clean-up) I found two files in the Sources folder titled ghana .php and 1.php; the 1.php was a phishing mailer.

I have no idea how they got these onto my site. However, I have disabled all attachments and avatars until the patch is released.
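A way to find what lars_n and flid describe (PHP files with injected base64 eval lines, plus files such as 1.php that appeared in Sources after the last known-good deployment), as an added example that is not code from this thread or from SMF. The root path, the trusted date and the thresholds are assumptions; run it from outside the forum tree.

```php
<?php
// Added example (not SMF's own code): walk a forum tree and report .php files
// that carry obfuscated eval() wrappers, very long single lines, or an mtime
// newer than the last trusted deployment (new files like 1.php show up too).

function scan_php_tree(string $root, int $trustedSince): array
{
    // Unobfuscated forum code has no reason to contain these.
    $patterns = [
        '/eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
        '/base64_decode\s*\(\s*[\'"][A-Za-z0-9+\/=]{200,}/', // long literal blob
    ];
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $reasons = [];
        if ($file->getMTime() > $trustedSince) {
            $reasons[] = 'modified or created after trusted date';
        }
        $lineNo = 0;
        $fh = fopen($path, 'r');
        while (($line = fgets($fh)) !== false) {
            $lineNo++;
            if (strlen($line) > 5000) {
                $reasons[] = "line $lineNo longer than 5000 bytes";
            }
            foreach ($patterns as $re) {
                if (preg_match($re, $line)) {
                    $reasons[] = "line $lineNo matches $re";
                    break;
                }
            }
        }
        fclose($fh);
        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

// Hypothetical usage: last known-good deployment on 2009-05-10.
foreach (scan_php_tree('/var/www/forum', strtotime('2009-05-10')) as $path => $reasons) {
    echo $path, "\n  - ", implode("\n  - ", $reasons), "\n";
}
```

Anything flagged should be compared against a clean copy of the same SMF version rather than edited in place, since the thread reports the injected lines landing in many files at once.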
