Security problem in addpost_newpoll.php #128588 05/03/2006 4:00 PM
Joined: May 2006
Posts: 9
RSchiffman Offline OP
stranger
We were hit last night. I forgot to remove the ability for the Apache server to be able to write some of the php files on the server. There is a problem in addpost_newpoll.php that allows execution of arbitrary code on the server.
I'm running 6.5.2. I don't believe I've skipped any security upgrades. I've included a couple log traces of the issue.

I restored my original files back. Changed everything to 444 and removed the addpost_newpoll.php and disabled polls on the machine. It's not much of an issue because it is basically an unused feature.

Last edited by Rick Baker; 05/03/2006 4:51 PM.
Re: Security problem in addpost_newpoll.php #128589 05/03/2006 4:51 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Thanks for the info on this. I've removed the logs just to safeguard other forum owners. I'm working on a fix for this as we speak and will get an update put out in the members area ASAP.

Re: Security problem in addpost_newpoll.php #128590 05/03/2006 5:26 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Ok, we're working on a 6.5.3 as I type this. The fix is fairly quick, it only requires 2 files to be changed. Anyone running a version between 6.4 and 6.5.2 will want to apply this:

At the top of addpost.php you'll see this:

require ("./includes/main.inc.php");

right before that, add this:

define('ADDPOST',1);


Then, in addpost_newpoll.php, at the top, you'll see this:

// ------------------------------------
// THIS FILE IS INCLUDED BY ADDPOST.PHP

Right after that, add this:

if (!defined('ADDPOST')) {
    exit;
}
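
A way to confirm that both halves of the fix above are in place across a forum directory, as an added example that is not part of the original post or of UBB.threads. It assumes include-only files carry the "THIS FILE IS INCLUDED BY" banner quoted above; `make_tree` is a hypothetical helper that builds a constructed two-file tree for the demo.

```shell
#!/bin/sh
# Added example: check that both halves of the fix are present.

# Succeeds if define('ADDPOST' appears before the require of main.inc.php.
defines_flag_first() {
    awk '/define *\( *.ADDPOST./   { d = NR }
         /require.*main\.inc\.php/ { r = NR; exit }
         END { exit !(d && r && d < r) }' "$1"
}

# Prints include-only files (recognised by the banner comment, an assumption)
# that have no "if (!defined(" guard in their first 40 lines.
unguarded_includes() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        grep -q 'THIS FILE IS INCLUDED BY' "$f" || continue
        head -n 40 "$f" | grep -Eq 'if *\( *! *defined *\(' && continue
        printf '%s\n' "$f"
    done
}

# Builds a constructed two-file tree in $1; $2 is "patched" or "unpatched".
make_tree() {
    mkdir -p "$1"
    {
        echo '<?php'
        if [ "$2" = patched ]; then echo "define('ADDPOST',1);"; fi
        echo 'require ("./includes/main.inc.php");'
    } > "$1/addpost.php"
    {
        echo '<?php'
        echo '// ------------------------------------'
        echo '// THIS FILE IS INCLUDED BY ADDPOST.PHP'
        if [ "$2" = patched ]; then
            printf '%s\n' "if (!defined('ADDPOST')) {" '    exit;' '}'
        fi
        echo '// ... rest of the script ...'
    } > "$1/addpost_newpoll.php"
}

# Demo on constructed trees in a temporary directory.
demo_dir=$(mktemp -d)
make_tree "$demo_dir/old" unpatched
make_tree "$demo_dir/new" patched
unguarded_includes "$demo_dir"
defines_flag_first "$demo_dir/new/addpost.php" && echo "new/addpost.php sets the flag first"
rm -rf "$demo_dir"
```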

Re: Security problem in addpost_newpoll.php #128591 05/03/2006 7:06 PM
Joined: Jun 2006
Posts: 23
misho Offline
stranger
The hacker left a backdoor on my system. Shame on me that I realized this 24 hours after the attack.

Check your process list for "bindz".

Re: Security problem in addpost_newpoll.php #128592 05/03/2006 7:11 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
If you have access to your server access logs, scan through them for recent GETs to addpost_newpoll.php. This will give you an idea of what all they may have done.
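
The log review suggested above, as an added example that is not part of the original post. It summarizes every direct request for addpost_newpoll.php per client with first and last timestamps; it assumes Apache common/combined log format, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined log
# format, where field 1 is the client, 4 the timestamp, 7 the request path.

# direct_hits [LOGFILE...]   (reads stdin when no file is given)
# Output per client, in order of first appearance:
#   <client> <hits> <first_seen> <last_seen>
direct_hits() {
    awk '
        {
            path = tolower($7)
            sub(/\?.*/, "", path)               # ignore the query string
        }
        path ~ /(^|\/)addpost_newpoll\.php$/ {
            ip = $1
            ts = substr($4, 2)                  # drop the leading "["
            if (!(ip in hits)) { first[ip] = ts; order[++n] = ip }
            hits[ip]++
            last[ip] = ts
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                printf "%s %d %s %s\n", ip, hits[ip], first[ip], last[ip]
            }
        }
    ' "$@"
}

# Constructed sample: documentation addresses, query strings elided.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [03/May/2006:02:14:07 +0000] "GET /ubbthreads/addpost.php?Cat=0 HTTP/1.1" 200 5120
198.51.100.7 - - [03/May/2006:02:15:41 +0000] "GET /ubbthreads/addpost_newpoll.php?elided HTTP/1.0" 200 312
198.51.100.7 - - [03/May/2006:02:15:58 +0000] "GET /ubbthreads/addpost_newpoll.php?elided HTTP/1.0" 200 4096
203.0.113.5 - - [03/May/2006:09:30:00 +0000] "GET /ubbthreads/showflat.php?Number=1 HTTP/1.1" 200 7001
203.0.113.99 - - [23/May/2006:11:02:30 +0000] "POST /ubbthreads/addpost_newpoll.php HTTP/1.1" 200 0
EOF
}

sample_log | direct_hits
```

The first-seen timestamp per client gives a lower bound for which files and cron entries to treat as suspect during cleanup.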

Re: Security problem in addpost_newpoll.php #128593 05/03/2006 7:18 PM
Joined: Jun 2006
Posts: 23
misho Offline
stranger
:( This is exactly how I learned about this backdoor. Thanks for the fix!

Re: Security problem in addpost_newpoll.php #128594 05/03/2006 7:26 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
You're welcome. My apologies it was there in the first place. All of the other scripts include ubbt.inc.php at some point which sanitizes some things to prevent this. This one particular script didn't because it was being included by one that did. The fix basically makes it so the only way the script can be called is if it's been included by another as it is under normal operation.

Re: Security problem in addpost_newpoll.php #128595 05/03/2006 7:59 PM
Joined: Apr 2005
Posts: 6
FredR Offline
stranger

Scary stuff. We were hit this morning. Thanks for the quick fix Rick! I will sleep better tonight.

Re: Security problem in addpost_newpoll.php #128596 05/03/2006 9:47 PM
Joined: May 2006
Posts: 9
RSchiffman Offline OP
stranger
Thank you for being so quick. I'm thrilled to see such an easy fix. We continue to be very happy users of your products.

Re: Security problem in addpost_newpoll.php #128597 05/03/2006 11:57 PM
Joined: Jun 2006
Posts: 742
JoshPet Offline
enthusiast
Yeah, this one has been a headache for me all day. Thanks for the quick fix.


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Re: Security problem in addpost_newpoll.php #128598 05/04/2006 1:55 AM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
Too late. We were hit yesterday, 14:36 GMT+1. It came from Brazil. The script modified every .php file in my Zeus Nutshell, 6 sites in all. He appended to every php file an iframe which reloads exploits to unpatched browsers and adware.

I was running 6.5.1.1 with the external input validator modification. This mod catches nearly all XSS, but due to this hole my whole site was defaced.

We closed everything, replaced all php files from last night's backup, and for the rest of the night I upgraded a heavily modded 6.5.1.1 to 6.5.2. I hoped that was all, then I come here and this happened to 6.5.2 too ........ I know several .threads (incl. keyhole community on google earth). Let's see what happened there :(


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Security problem in addpost_newpoll.php #128599 05/04/2006 1:59 AM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
> Ok, we're working on a 6.5.3 as I type this.

Will this be free to all license holders without renewing the membership? I don't renew because promises were broken. I need only security updates and don't plan to use your new upcoming product, but I still need fixed versions (without enhancements).


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Security problem in addpost_newpoll.php #128600 05/12/2006 1:39 AM
Joined: May 2004
Posts: 6
patrickegan Offline
stranger
I found the guy in case anyone is interested
[]soauker@gmail.com[/] Adivinha seuburro.

He is apparently somewhat active in reporting php vulnerabilities too: http://securitytracker.com/alerts/2006/Feb/1015624.html

Re: Security problem in addpost_newpoll.php #128601 05/25/2006 3:56 AM
Joined: Mar 2004
Posts: 1
Digi Offline
stranger
Got fecked over by this a couple of times since the 23rd

[root@box httpd]# grep addpost_newpoll.php net-access_log |wc -l
1060

:o

Thing is, Rick, you knew about the problem early on in May and it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days.... If you had a mailing list for errata updates for things like this it might save us all from having to spend a few hours mopping up the various AOL and credit card phishing sites that have been installed on our servers.... Just a thought.

Now, to check for back doors you want to look for any folders that were writable by the user you run your webserver as ("apache" or "httpd" usually). I had /userimages and /attachments. They'll prolly be full of phishing sites now - mine were.

Check the contents of /tmp for backdoor proggies.

Then run a 'netstat -npl' to see what ports are accepting connections on your box.

For example, I found an "apache" program running on 0.0.0.0:5555, which isn't right.

[root@box httpd]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
:Welcome!psyBNC@ArDaN.or.id NOTICE * :psyBNC2.3.1

more digging found this in /tmp
Code
 
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
 ,----.,----.,-.  ,-.,---.,--. ,-.,----.
 |  O ||  ,-' \ \/ / | o ||   \| || ,--'
 |  _/ _\  \   \  /  | o< | |\   || |__
 |_|  |____/   |__|  |___||_|  \_| \___|
      Version 2.3.1 (c) 1999-2003
        ArDaN Community Chat
      and  the cool lam3rz Group DALNet

`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: ArDaN
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 3036
psyBNC2.3.1-cBtITLdDMSNp started (PID 29821)  


nice.

Oh and also look at the crontab for the user your web server runs as (usually 'crontab -u apache -e')

mine was calling various scripts every minute (/var/log/cron should show you that too).
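
The listening-port check from the post above, as an added example that is not part of the original post: it compares `netstat -npl` output against an allowlist of expected port/program pairs, so a familiar-looking process name on an unexpected port still stands out. The allowlist and the sample output (including the PID shown on port 5555) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag listening sockets that are not on
# an allowlist of expected "port/program" pairs. Input is `netstat -npl`
# output (run as root so the PID/Program column is filled in).

# odd_listeners "PORT/PROGRAM ..." < netstat-output
# Prints "<local address> <pid/program>" for every unexpected listener.
odd_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        { owner = "" }
        $1 ~ /^tcp/ && $6 == "LISTEN" { owner = $7 }   # tcp has a State column
        $1 ~ /^udp/                   { owner = $6 }   # udp listeners do not
        owner != "" {
            port = $4; sub(/.*:/, "", port)            # also handles :::80
            prog = owner; sub(/^[0-9]+\//, "", prog)   # "2101/httpd" -> "httpd"
            key = port "/" prog
            if (!(key in ok)) print $4, owner
        }
    '
}

# Constructed sample output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  1180/sshd
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN  2101/httpd
tcp        0      0 0.0.0.0:5555    0.0.0.0:*       LISTEN  4242/apache
tcp        0      0 127.0.0.1:3306  0.0.0.0:*       LISTEN  1544/mysqld
udp        0      0 0.0.0.0:68      0.0.0.0:*               812/dhclient
EOF
}

sample_netstat | odd_listeners "22/sshd 80/httpd 443/httpd 3306/mysqld 68/dhclient"
```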

Re: Security problem in addpost_newpoll.php #128602 05/25/2006 9:53 AM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Actually, we sent out a mass mail to all of our customers. Any time someone purchases a license they get put into our buzzcast mailing list. I sent out the email to everyone on that list the same night that the issue was discovered. It appears this got caught in a lot of people's spam folders; those that I've worked with recently went back and checked and found the email we sent out, but it was flagged as spam so they missed it.

Re: Security problem in addpost_newpoll.php #128603 05/25/2006 10:05 AM
Joined: Dec 2003
Posts: 1,796
AllenAyres Offline
Pooh-Bah
Yeah, an email was sent back then. I sent out a few thousand emails to members of threadsdev night before last after seeing sites still reporting hacks and not many people updating... hopefully not many got caught in spam filters, those that sent me a rejection, I did what I could to get them on through.

> it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days....

That would explain the spike in copy-cat hacks the last few days, I repaired 4-5 myself yesterday :/


- Allen
- ThreadsDev | PraiseCafe
Re: Security problem in addpost_newpoll.php #128604 05/25/2006 5:00 PM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
buzzcast will be filtered by many spam lists. I found it in my filter with a high spam score.


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Security problem in addpost_newpoll.php #128605 05/25/2006 5:36 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Seems like a lot of mailing lists get filtered. For version 7 we're working on a way to get important news to the admin. What we currently have is when an admin goes into the control panel it will list the newest 5 topics from the announcements forum here right on the main control panel page by using RSS. This should help with getting important news out to customers.

Re: Security problem in addpost_newpoll.php #128606 05/29/2006 3:35 PM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
Today I checked my webroot on my reseller account and found a bot on my space: but.tgz, installed in directory .m

It's an IRC bot. Uploaded on 13.5.2006 ..... But I have applied all fixes and we didn't leave an active backdoor on the server. Any ideas where it comes from? Now we're investigating all logfiles (takes a while) to see what happened. I will report if we find any new details. Be careful, watch your server!


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Security problem in addpost_newpoll.php #128607 05/29/2006 3:59 PM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
OK, it's not ubb.threads. It's another damn open script ... we found it and closed it. Sorry for the alarm.


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
