problems with a Redirect Exploit on my site (mod related?)

Started by Gaming4JC, December 13, 2010, 08:46:31 PM


Gaming4JC

I am using shared hosting, but I don't have access to others peoples files. (Not to say they didn't use privilege escalation techniques.)

I had the following mods installed on the "Day Relax" theme.


If you do think the host is at fault (and they keep telling me they aren't) you might want to give me some ideas on how to communicate that to them.

On the other sub-domains I have a wordpress and joomla installation. Both of which seem to be untampered.

Kindred

I don't see anything there that is a suspect mod...

I would actually take a closer look at WordPress and Joomla.
As popular scripts, there are many hackers who target them (especially some of the add-ons which are not as carefully checked as SMF)
Glory to Ukraine

Please do not PM, IM or Email me with support questions. You will get better and faster responses in the support boards. Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Gaming4JC

Well, the rest of the site is still coming up clean thankfully. I did do a free scan with SecurityMonitor, however, and it identified several flaws on the current RC4 index.php... 10 Blind SQL/XPath injection and 2 PHPSESSID session fixation vulnerabilities... :s

I'll continue to inspect things to be sure nothing else pops up.

TheListener


Kindred

Quote from: Gaming4JC on January 20, 2011, 12:30:17 AM
I did do a free scan with SecurityMonitor, however, and it identified several flaws on the current RC4 index.php... 10 Blind SQL/XPath injection and 2 PHPSESSID session fixation vulnerabilities...

ORLY?

Please send the details as a security report... but I tend to think that the free scan may be incorrect.

Arantor

I'm just about to do a similar scan against my site, which is a specifically modded RC3 (contains the security changes in RC4), once I set my email up properly (since my email is not with arantor.org and the Site Security Monitor tool requires that the email and site use the same domain).

Gaming4JC

@Kindred: Submitted their report to your security page here at SMF.

@Brack1: Nothing in the server logs nor the SMF error logs that I can see out of the ordinary.

@Arantor: I'd be interested in hearing back from your test results as well. :)

I also found my host is running some outdated things on the backend, might have been a security flaw there too.

Arantor

Well, though I got the email hours ago I haven't heard anything yet...

Arantor

OK, got the response.

On a very lightly modded 2.0 RC3, I get two issues flagged up of 'moderate' security. Firstly, there is an index.php~ backup file (from a mod install) and secondly it claims there is a session fixation bug in PHPSESSID. I can't reproduce that even with the request sample they use so I'm inclined to disregard it.

Bill Lehecka

Just wanted to pipe in to say I too had this exploit happen to me. It seems to affect all PHP files in your message board root directory. I removed all instances in the root directory of my message board, and that did the trick, no hanging code or anything.

I'm concerned it happened in the first place, though. I think the reason why Gaming4JC and I found out about it was because of a happy accident. Since the mods we installed had references to Google, the code thought the site was being referred to by Google.

Luckily, no harm no foul.... But that code could've been a heck of a lot worse.
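As an added example (not from this thread, nor SMF's own code): a defensive scan of a webroot for the two findings discussed above, a referer-conditional redirect of the kind Bill Lehecka describes and a stray index.php~ backup like the one Arantor's scan flagged. The thread does not show the injected code, so the sample "infected" file, the regexes and the file names are constructed assumptions.

```python
import os
import re
import tempfile

# Constructed sample files (assumption: the thread does not show the real
# injected code). The "infected" sample imitates the behaviour described
# above: if the referer mentions Google, redirect the visitor elsewhere.
CLEAN_PHP = "<?php\nrequire_once('SSI.php');\necho 'hello';\n"
INFECTED_PHP = (
    "<?php\nif (stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
    "    header('Location: http://example.invalid/landing');\n    exit;\n}\n"
    "require_once('SSI.php');\n"
)

# Indicators: a referer check, a search-engine name and an HTTP redirect
# all in the same file. Legitimate board code rarely combines all three.
REFERER_RE = re.compile(r"HTTP_REFERER", re.I)
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:", re.I)
SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo", re.I)


def scan_webroot(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Editor/mod-installer backups are served as plain text and
            # leak source, which is why the scanner flagged index.php~.
            if name.endswith("~") or name.endswith(".bak"):
                findings.append((rel, "backup file exposed in webroot"))
                continue
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if REFERER_RE.search(src) and REDIRECT_RE.search(src) and SEARCH_ENGINE_RE.search(src):
                findings.append((rel, "referer-conditional redirect"))
    return sorted(findings)


def demo():
    """Build a throwaway webroot from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", INFECTED_PHP), ("SSI.php", CLEAN_PHP),
                           ("index.php~", CLEAN_PHP)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a copy of the board's root directory with `scan_webroot("/path/to/forum")` and review each hit by hand; a match is a lead, not proof of infection.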
