#128588 - 05/03/06 05:00 PM Security problem in addpost_newpoll.php
RSchiffman Offline
stranger
Registered: 05/03/06
Posts: 9
We were hit last night. I forgot to remove the ability for the Apache server to be able to write some of the php files on the server. There is a problem in addpost_newpoll.php that allows execution of arbitrary code on the server.
I'm running 6.5.2. I don't believe I've skipped any security upgrades. I've included a couple log traces of the issue.

I restored my original files back. Changed everything to 444 and removed the addpost_newpoll.php and disabled polls on the machine. It's not much of an issue because it is basically an unused feature.


Edited by Rick Baker (05/03/06 05:51 PM)
Top
#128589 - 05/03/06 05:51 PM Re: Security problem in addpost_newpoll.php
Rick Offline
Post-a-holic
Registered: 06/04/06
Posts: 10164
Loc: Aberdeen, WA
Thanks for the info on this. I've removed the logs just to safeguard other forum owners. I'm working on a fix for this as we speak and will get an update put out in the members area ASAP.
Top
#128590 - 05/03/06 06:26 PM Re: Security problem in addpost_newpoll.php
Rick Offline
Post-a-holic
Registered: 06/04/06
Posts: 10164
Loc: Aberdeen, WA
Ok, we're working on a 6.5.3 as I type this. The fix is fairly quick, it only requires 2 files to be changed. Anyone running a version between 6.4 and 6.5.2 will want to apply this:

At the top of addpost.php you'll see this:

require ("./includes/main.inc.php");

right before that, add this:

define('ADDPOST',1);


Then, in addpost_newpoll.php, at the top, you'll see this:

// ------------------------------------
// THIS FILE IS INCLUDED BY ADDPOST.PHP

Right after that, add this:

if (!defined('ADDPOST')) {
    exit;
}
Top
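A check for the fix above, as an added example (it is not Rick's or the vendor's code): the shell function below confirms, for one install directory, that addpost.php defines ADDPOST ahead of its require line and that addpost_newpoll.php tests for it. The function names, status words and the temporary demo tree are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not vendor code): check one UBB.threads directory for the
# two-file fix. Returns 0 if the poll script is guarded or has been deleted.
check_addpost_guard() {
    dir=$1; poll=$dir/addpost_newpoll.php; rc=0
    # Deleting the file (the first poster's workaround) leaves nothing to request.
    if [ ! -e "$poll" ]; then echo "REMOVED  $poll"; return 0; fi
    # The included file must bail out unless ADDPOST is defined.
    if grep -q "! *defined *( *['\"]ADDPOST['\"]" "$poll"; then
        echo "OK       $poll"
    else
        echo "UNFIXED  $poll"; rc=1
    fi
    # addpost.php must define ADDPOST on an earlier line than its require of
    # includes/main.inc.php, which is where the fix says to put it.
    def=$(grep -n "define *( *['\"]ADDPOST['\"]" "$dir/addpost.php" 2>/dev/null | head -n 1 | cut -d: -f1)
    req=$(grep -n "includes/main\.inc\.php" "$dir/addpost.php" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -n "$def" ] && [ -n "$req" ] && [ "$def" -lt "$req" ]; then
        echo "OK       $dir/addpost.php"
    else
        echo "UNFIXED  $dir/addpost.php"; rc=1
    fi
    return $rc
}

# Constructed demo tree: one patched install, one still on the old files.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/patched" "$t/old"
    printf '%s\n' '<?php' "define('ADDPOST',1);" 'require ("./includes/main.inc.php");' > "$t/patched/addpost.php"
    printf '%s\n' '<?php' '// THIS FILE IS INCLUDED BY ADDPOST.PHP' "if (!defined('ADDPOST')) {" '    exit;' '}' > "$t/patched/addpost_newpoll.php"
    printf '%s\n' '<?php' 'require ("./includes/main.inc.php");' > "$t/old/addpost.php"
    printf '%s\n' '<?php' '// THIS FILE IS INCLUDED BY ADDPOST.PHP' > "$t/old/addpost_newpoll.php"
    echo "$t"
}

demo=$(make_demo_tree)
for d in "$demo"/*/; do check_addpost_guard "${d%/}" || true; done
rm -rf "$demo"
```

On a server hosting several boards, call `check_addpost_guard` once per install directory and treat any non-zero return as still exposed.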
#128591 - 05/03/06 08:06 PM Re: Security problem in addpost_newpoll.php
misho Offline
stranger
Registered: 06/17/06
Posts: 23
The hacker left a backdoor on my system. Shame on me that I realized this 24 hours after the attack.

Check your process list for "bindz".
Top
#128592 - 05/03/06 08:11 PM Re: Security problem in addpost_newpoll.php
Rick Offline
Post-a-holic
Registered: 06/04/06
Posts: 10164
Loc: Aberdeen, WA
If you have access to your server access logs, scan through them for recent GETs to addpost_newpoll.php. This will give you an idea of what all they may have done.
Top
#128593 - 05/03/06 08:18 PM Re: Security problem in addpost_newpoll.php
misho Offline
stranger
Registered: 06/17/06
Posts: 23
This is exactly how I learned about this backdoor. Thanks for the fix!
Top
#128594 - 05/03/06 08:26 PM Re: Security problem in addpost_newpoll.php
Rick Offline
Post-a-holic
Registered: 06/04/06
Posts: 10164
Loc: Aberdeen, WA
You're welcome. My apologies it was there in the first place. All of the other scripts include ubbt.inc.php at some point which sanitizes some things to prevent this. This one particular script didn't because it was being included by one that did. The fix basically makes it so the only way the script can be called is if it's been included by another as it is under normal operation.
Top
#128595 - 05/03/06 08:59 PM Re: Security problem in addpost_newpoll.php
FredR Offline
stranger
Registered: 04/20/05
Posts: 6
Loc: Colorado

Scary stuff. We were hit this morning. Thanks for the quick fix Rick! I will sleep better tonight.
Top
#128596 - 05/03/06 10:47 PM Re: Security problem in addpost_newpoll.php
RSchiffman Offline
stranger
Registered: 05/03/06
Posts: 9
Thank you for being so quick. I'm thrilled to see such an easy fix. We continue to be very happy users of your products.
Top
#128597 - 05/04/06 12:57 AM Re: Security problem in addpost_newpoll.php
JoshPet Offline
enthusiast
Registered: 06/05/06
Posts: 292
Loc: Charlotte, NC
Yeah, this one has been a headache for me all day. Thanks for the quick fix.
_________________________
Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Top
#128598 - 05/04/06 02:55 AM Re: Security problem in addpost_newpoll.php
Zarzal Offline
old hand
Registered: 06/05/06
Posts: 1142
Loc: Berlin, Germany
Too late. We were hit yesterday, 14:36 GMT+1. It came from Brazil. The script modified every .php file in my Zeus Nutshell, 6 sites in all. He appended an iframe to every php file, which reloads exploits to unpatched browsers and adware.

I was running 6.5.1.1 with the external input validator modification. This mod catches nearly all XSS, but due to this hole my whole site was defaced.

We closed everything, replaced all php files from last night's backup, and for the rest of the night I upgraded a heavily modded 6.5.1.1 to 6.5.2. I hoped that was all, then I come here and this happened to 6.5.2 too ........ I know several .threads (incl. keyhole community on Google Earth). Let's see what happened there.
_________________________
my board: http://www.dragon-clan.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Top
#128599 - 05/04/06 02:59 AM Re: Security problem in addpost_newpoll.php
Zarzal Offline
old hand
Registered: 06/05/06
Posts: 1142
Loc: Berlin, Germany
Quote:

Ok, we're working on a 6.5.3 as I type this.

Will this be free to all license holders without renewing the membership? I don't renew because any promises were broken. I need only security updates and don't plan to use your new upcoming product, but I still need fixed versions (without enhancements).
_________________________
my board: http://www.dragon-clan.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Top
#128600 - 05/12/06 02:39 AM Re: Security problem in addpost_newpoll.php
patrickegan Offline
stranger
Registered: 05/27/04
Posts: 6
I found the guy in case anyone is interested
soauker@gmail.com Adivinha seuburro.

He is apparently somewhat active in reporting php vulnerabilities too http://securitytracker.com/alerts/2006/Feb/1015624.html
Top
#128601 - 05/25/06 04:56 AM Re: Security problem in addpost_newpoll.php
Digi Offline
stranger
Registered: 03/23/04
Posts: 1
Got fecked over by this a couple of times since the 23rd

[root@box httpd]# grep addpost_newpoll.php net-access_log |wc -l
1060

Thing is Rick, you knew about the problem early on in May and it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days.... If you had a mailing list for errata updates for things like this it might save us all from having to spend a few hours mopping up the various AOL and credit card phishing sites that have been installed on our servers.... Just a thought.

Now, to check for back doors you want to look for any folders that were writable by the user you run your webserver as ("apache" or "httpd" usually). I had /userimages and /attachments. They'll probably be full of phishing sites now - mine were.

Check the contents of /tmp for backdoor proggies.

Then run a 'netstat -npl' to see what ports are accepting connections on your box.

For example I found an "apache" program running on 0.0.0.0:5555 which isn't right.

[root@box httpd]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
:Welcome!psyBNC@ArDaN.or.id NOTICE * syBNC2.3.1

More digging found this in /tmp:
Code:
 
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.3.1 (c) 1999-2003
ArDaN Community Chat
and the cool lam3rz Group DALNet

`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: ArDaN
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 3036
psyBNC2.3.1-cBtITLdDMSNp started (PID 29821)

Nice.

Oh, and also look at the crontab for the user your web server runs as (usually 'crontab -u apache -e').

Mine was calling various scripts every minute (/var/log/cron should show you that too).
Top
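The access-log check that Rick suggests and Digi counts with grep, carried one step further as an added example (not part of either post): the function below groups direct requests to addpost_newpoll.php by client, with hit counts and first and last timestamps. It assumes Apache common or combined log format on stdin; the /ubbthreads/ path, the addresses and the query string in the sample log are constructed.

```sh
#!/bin/sh
# Added example: summarise direct requests to addpost_newpoll.php per client.
# Reads an Apache common/combined-format access log on stdin (format assumed).
direct_poll_hits() {
    awk '
    {
        path = $7                      # request target from "METHOD target PROTO"
        sub(/\?.*$/, "", path)         # drop the query string before matching
        if (index(tolower(path), "/addpost_newpoll.php") == 0) next
        ip = $1
        ts = substr($4, 2)             # strip the leading "[" from the timestamp
        if (!(ip in hits)) { order[++n] = ip; first[ip] = ts }
        hits[ip]++
        last[ip] = ts
        if ($9 ~ /^2/) served[ip]++    # 2xx: the server executed the file
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]
            printf "%s hits=%d served=%d first=%s last=%s\n",
                   ip, hits[ip], served[ip] + 0, first[ip], last[ip]
        }
    }'
}

# Constructed sample log (documentation IP ranges, placeholder query string).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [03/May/2006:01:12:44 -0700] "GET /ubbthreads/addpost.php HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.7 - - [03/May/2006:02:15:01 -0700] "GET /ubbthreads/addpost_newpoll.php?q=CONSTRUCTED HTTP/1.0" 200 412 "-" "-"
198.51.100.7 - - [03/May/2006:02:15:09 -0700] "GET /ubbthreads/addpost_newpoll.php?q=CONSTRUCTED HTTP/1.0" 200 388 "-" "-"
203.0.113.5 - - [04/May/2006:09:30:00 -0700] "GET /ubbthreads/addpost_newpoll.php HTTP/1.1" 404 210 "-" "-"
EOF
}

sample_log | direct_poll_hits
```

Run it as `direct_poll_hits < net-access_log`. A patched install still answers direct requests with an empty 200 because the guard only calls exit, so compare each client's first and last timestamps with the time the fix went in.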
#128602 - 05/25/06 10:53 AM Re: Security problem in addpost_newpoll.php
Rick Offline
Post-a-holic
Registered: 06/04/06
Posts: 10164
Loc: Aberdeen, WA
Actually, we sent out a mass mail to all of our customers. Any time someone purchases a license they get put into our buzzcast mailing list. I sent out the email to everyone on that list the same night that the issue was discovered. It appears this got caught in a lot of people's spam folders; those that I've worked with recently went back and checked and found the email we sent out, but it was flagged as spam so they missed it.
Top
#128603 - 05/25/06 11:05 AM Re: Security problem in addpost_newpoll.php
AllenAyres Offline
Registered: 12/29/03
Posts: 1995
Loc: Texas
Yeah, an email was sent back then. I sent out a few thousand emails to members of threadsdev night before last after seeing sites still reporting hacks and not many people updating... hopefully not many got caught in spam filters, those that sent me a rejection, I did what I could to get them on through.

Quote:

it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days....

That would explain the spike in copy-cat hacks the last few days, I repaired 4-5 myself yesterday :/
_________________________
- Allen
- ThreadsDev | PraiseCafe
Top
#128604 - 05/25/06 06:00 PM Re: Security problem in addpost_newpoll.php
Zarzal Offline
old hand
Registered: 06/05/06
Posts: 1142
Loc: Berlin, Germany
buzzcast will be filtered by many spam lists. I found it in my filter with high spam score.
_________________________
my board: http://www.dragon-clan.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Top
#128605 - 05/25/06 06:36 PM Re: Security problem in addpost_newpoll.php
Rick Offline
Post-a-holic
Registered: 06/04/06
Posts: 10164
Loc: Aberdeen, WA
Seems like a lot of mailing lists get filtered. For version 7 we're working on a way to get important news to the admin. What we currently have is when an admin goes into the control panel it will list the newest 5 topics from the announcements forum here right on the main control panel page by using RSS. This should help with getting important news out to customers.
Top
#128606 - 05/29/06 04:35 PM Re: Security problem in addpost_newpoll.php
Zarzal Offline
old hand
Registered: 06/05/06
Posts: 1142
Loc: Berlin, Germany
Today I checked my webroot on my reseller account and found a bot on my space: but.tgz, installed in directory .m

It's an IRC bot. Uploaded on 13.5.2006 ..... But I have applied all fixes and we didn't leave an active backdoor on the server. Any ideas where it comes from? Now we are investigating all logfiles (takes a while) to see what happened. I will report if we find any new details. Be careful, watch your server!
_________________________
my board: http://www.dragon-clan.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Top
#128607 - 05/29/06 04:59 PM Re: Security problem in addpost_newpoll.php
Zarzal Offline
old hand
Registered: 06/05/06
Posts: 1142
Loc: Berlin, Germany
OK, it's not UBB.threads. It's another damn open script ... we found it and closed it. Sorry for the alarm.
_________________________
my board: http://www.dragon-clan.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Top