Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


MrPhil

Wow, that guy (krisbarteo) sure is busy! Just wondering... would it be simplemachine's business to blast an email to all known SMF installations warning them about this guy? You'd have to be careful to phrase the warning in such a way that it's not legally an accusation (libelous) telling boards to dump this guy, but rather a pointer to discussions such as this one. That user name is going on my ban list right away!

That being done, do we yet know what vulnerability he exploited? Was it in a browser? Was it SMF permitting unrestricted file types for avatars?

Add:
I thought about adding code to ban particular user names, but figured that they'd just register under some other name. If the problem is that their avatar image contains some kind of booby trap, what is the nature of the beast? Are they uploading a .php file as the avatar? In that case, a simple check on permitted extensions should fix the problem. Are they uploading a legitimate extension (.jpg, .png, .gif, etc.) and it somehow contains malicious code? Could SMF scan for certain strings in an avatar image before accepting it? If not, could new avatars be uploaded to a different directory and quarantined awaiting Admin inspection and movement into the production directory? I assume that it's not a browser vulnerability to embedded code (I think I recall such a thing a few years back), but somehow code that gets run on the server?

If this information isn't suitable for public dissemination, but you would like to request my help in coding something to fight this attack, please feel free to PM me with details.

Tiribulus

Quote from: vHawkeyev on May 01, 2009, 07:25:53 PM
<<< I found his avatar, I then downloaded it and opened it in notepad and I found php code. >>>

Are you saying that his avatar was an actual image with an image extension, but with embedded php script?

vHawkeyev

It wasn't an actual image. It was just like another php file but with .jpg as the extension. I'm guessing it was used to upload other php files to my server.

MrPhil

So if avatar "images" were scanned for <? and possibly a few PHP keywords, that might detect code sailing under false colors? How about looking for image format keywords (e.g., GIF89a) in the right place, to confirm it's likely a real image file?
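The two checks proposed above (a real image signature in the right place, and a scan for PHP code) as an added example in PHP, the language SMF is written in. This is not SMF code: the function names, the size cap and the accepted-format list are my own assumptions, and the sample inputs are constructed. It goes one step beyond the post by also decoding the upload with GD and re-encoding it, so that only pixel data ever reaches the avatar directory.

```php
<?php
// Added example for the avatar checks proposed above (signature in the right
// place, scan for PHP code). It is not SMF code: the function names, the
// size limit and the accepted-format list are my own assumptions.
//
// Layers, cheapest first:
//   1. size cap, so the scan cost stays bounded even on a busy site
//   2. the upload must begin with a real image signature (e.g. GIF89a)
//   3. the bytes must not contain a PHP open tag
//   4. GD must decode it; the decoded image is then re-encoded so only pixel
//      data reaches the avatar directory

const MAX_AVATAR_BYTES = 65536;   // assumed site limit

// Magic bytes for the formats the thread mentions (.gif, .png, .jpg).
const IMAGE_SIGNATURES = [
    'gif'  => ["GIF87a", "GIF89a"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpeg' => ["\xFF\xD8\xFF"],
];

function detectImageType(string $bytes): ?string
{
    foreach (IMAGE_SIGNATURES as $type => $sigs) {
        foreach ($sigs as $sig) {
            if (strncmp($bytes, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

function containsPhpTag(string $bytes): bool
{
    // Match the full "<?php" / "<?=" tags rather than bare "<?": any two
    // bytes turn up by chance in real image data often enough that a
    // bare "<?" check rejects honest uploads.
    return stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false;
}

// Returns ['ok' => true, 'type' => ..., 'clean' => <png bytes>] or
// ['ok' => false, 'reason' => ...].
function validateAvatar(string $bytes): array
{
    if (strlen($bytes) > MAX_AVATAR_BYTES) {
        return ['ok' => false, 'reason' => 'too large'];
    }
    $type = detectImageType($bytes);
    if ($type === null) {
        return ['ok' => false, 'reason' => 'no image signature'];
    }
    if (containsPhpTag($bytes)) {
        return ['ok' => false, 'reason' => 'php tag found'];
    }
    // A script renamed to .jpg with a forged "GIF89a" prefix still fails here.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return ['ok' => false, 'reason' => 'not decodable'];
    }
    ob_start();
    imagepng($img);            // re-encode: the stored file is what GD wrote
    $clean = ob_get_clean();
    imagedestroy($img);
    return ['ok' => true, 'type' => $type, 'clean' => $clean];
}

// Constructed samples (not real uploads from the thread):
$im = imagecreatetruecolor(2, 2);
ob_start();
imagegif($im);
$realAvatar = ob_get_clean();                    // a genuine 2x2 GIF
imagedestroy($im);
$samples = [
    'script.jpg' => "<?php echo 'not an image'; ?>",    // PHP file renamed .jpg
    'forged.gif' => "GIF89a<?php echo 'still not'; ?>", // signature prefixed
    'avatar.gif' => $realAvatar,
];
foreach ($samples as $name => $bytes) {
    $r = validateAvatar($bytes);
    echo $name, ': ', $r['ok'] ? 'accepted' : 'rejected (' . $r['reason'] . ')', PHP_EOL;
}
```

The first two samples are rejected (no signature, then a PHP tag behind a forged signature) and the real GIF is accepted and returned as freshly encoded PNG bytes. The re-encode is the part that actually removes a payload; the signature and tag checks are cheap tripwires that also give you something to log. None of this replaces keeping the web server from executing anything in the avatar directory, which is the fix suggested later in the thread.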

Tiribulus

Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but just sayin'. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.

DirtRider

Could we get an IP on this guy to add it to our ban list? Looks like he is hitting SMF forums big time; check this out: http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Aleksi "Lex" Kilpinen

Quote from: Tiribulus on May 05, 2009, 09:42:32 AM
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but just sayin'. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Attachment names are encrypted for a reason you know ;)
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Tiribulus

Quote from: LexArma on May 05, 2009, 10:20:14 AM
Quote from: Tiribulus on May 05, 2009, 09:42:32 AM
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but just sayin'. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Attachment names are encrypted for a reason you know ;)

Well gaaahhlee. Forgot about that :-[

DirtRider

I have just counted 730 SMF forums he has registered on, ranging from SMF 1.1.1 to RC1 :o

busterone

Busy little bee, huh? He has not attempted mine yet, but he won't get in under that username.
Quote from: DirtRider on May 05, 2009, 10:15:39 AM
Could we get an IP on this guy to add it to our ban list? Looks like he is hitting SMF forums big time; check this out: http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=

I would like more info as well. I do understand it may not be a good idea to openly post this, but I will accept a pm gladly with IP, email addie and any other info anyone has on him.

DirtRider

Yip, me as well if possible ;D

JBlaze

How about this, seeing as he gets code injected through uploaded avatars: how about requiring all avatars to be linked from a site like Photobucket or ImageShack, and disabling uploaded avatars...?
Jason Clemons
Former Team Member 2009 - 2012

Aleksi "Lex" Kilpinen

Quote from: JBlaze on May 05, 2009, 12:22:37 PM
How about this, seeing as he gets code injected through uploaded avatars: how about requiring all avatars to be linked from a site like Photobucket or ImageShack, and disabling uploaded avatars...?
Or with an Apache server use .htaccess that turns the PHP engine off for the custom avatar folder. ::)

JBlaze

Quote from: LexArma on May 05, 2009, 12:34:33 PM
Quote from: JBlaze on May 05, 2009, 12:22:37 PM
How about this, seeing as he gets code injected through uploaded avatars: how about requiring all avatars to be linked from a site like Photobucket or ImageShack, and disabling uploaded avatars...?
Or with an Apache server use .htaccess that turns the PHP engine off for the custom avatar folder. ::)

That works too...

CarlT100

DirtRider, I found this on the first page of this thread:

Quote:
As for "krisbarteo" - I had no such member (my hacker was 'Boommurne'), but I do have an IP address of the culprit: 24.126.184.8
CarlT100

busterone

I don't allow avatar uploads anyway. They must be linked to Photobucket, etc. The only allowed attachments are by admins, and those are limited and encrypted, so most likely I have no worries from this guy. I have had over a dozen new members in the last 2 weeks that have gotten past the anti-spam and confirmed the email address. Once they log on, they only stay about 2 to 5 minutes, log off and do not return. Could be they are looking to upload an avatar or attachment, realize they can't, and then move on somewhere else.

Tiribulus

Would this work?

<Files ~ "\.(php.*|s?p?html|cgi|pl)$">
    Deny from all
</Files>

This is supposed to kill HTML, CGI and Perl execution as well. Before I create the file I wanted to bounce it off some of you guys first.

H

Quote from: Tiribulus on May 05, 2009, 03:33:28 PM
Would this work?

<Files ~ "\.(php.*|s?p?html|cgi|pl)$">
    Deny from all
</Files>

This is supposed to kill HTML, CGI and Perl execution as well. Before I create the file I wanted to bounce it off some of you guys first.

On some servers, files are being run through PHP even though they do not have a .php ending. Therefore I do not think this would work.
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

Tiribulus

Quote from: H on May 05, 2009, 04:27:29 PM
On some servers, files are being run through PHP even though they do not have a .php ending. Therefore I do not think this would work.

You're saying that since this stops the action based on the file extension, a file with a different extension but still containing script code would run anyway.

How then do you use .htaccess to block the engine altogether, as was suggested above? I also found some info on doing it with httpd.conf.

H

There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess
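A worked .htaccess for the avatar directory, as an added example that is not from the thread, serving both Tiribulus's extension-deny question and H's engine-off suggestion. It assumes Apache with AllowOverride permitting FileInfo, Options and Limit in that directory; the directory itself is whatever the forum is configured to use for custom avatars. Because the engine directive only exists when PHP runs as an Apache module, the handler removal and the deny rule are what carry the weight on other hosts, which is exactly the gap H points out.

```apache
# Added example, not from the thread. Goes in a .htaccess file inside the
# custom avatar directory (directory name assumed; use the one the forum is
# configured with). Requires AllowOverride to permit FileInfo, Options and
# Limit for that directory, or the directives below are ignored or error out.

# 1. What H describes: switch the PHP engine off for this directory.
#    "engine" is a boolean ini setting, so php_flag is the documented form.
#    Wrapped in IfModule because php_flag is an unknown directive (HTTP 500)
#    when PHP is not loaded as an Apache module, e.g. on FastCGI hosts.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 2. H's point about files being run through PHP without a .php name:
#    that happens through handler/type mappings, so strip them here. A file
#    that is still served goes out as static bytes whatever it is called.
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .cgi .pl
RemoveType .php .phtml
Options -ExecCGI -Includes

# 3. Tiribulus's extension deny, with the regex repaired (escaped dot, no
#    spaces or empty alternative). Apache 2.2 access syntax, as in the thread.
<FilesMatch "\.(php[0-9]?|phps|s?p?html?|cgi|pl)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

Items 2 and 3 apply even where item 1 is skipped, so a renamed script in this directory is served as an opaque download at worst, never executed. After placing the file, request a harmless test file you created in the directory yourself (a text file named with a .php extension) and confirm the server returns its source bytes or a 403 rather than running it. This covers only the avatar directory; attachments are handled differently by SMF, as the earlier note about encrypted attachment names says.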