stranger | Joined: May 2006 | Posts: 9
We were hit last night. I forgot to remove the Apache server's ability to write some of the PHP files on the server. There is a problem in addpost_newpoll.php that allows execution of arbitrary code on the server.
I'm running 6.5.2. I don't believe I've skipped any security upgrades. I've included a couple of log traces of the issue.

I restored my original files, changed everything to 444, removed addpost_newpoll.php and disabled polls on the machine. It's not much of an issue because it is basically an unused feature.

Last edited by Rick Baker; 05/03/2006 5:51 PM.
Former Developer | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
Thanks for the info on this. I've removed the logs just to safeguard other forum owners. I'm working on a fix for this as we speak and will get an update put out in the members area ASAP.

Former Developer | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
Ok, we're working on a 6.5.3 as I type this. The fix is fairly quick; it only requires 2 files to be changed. Anyone running a version between 6.4 and 6.5.2 will want to apply this:

At the top of addpost.php you'll see this:

require ("./includes/main.inc.php");

right before that, add this:

define('ADDPOST',1);


Then, in addpost_newpoll.php, at the top, you'll see this:

// ------------------------------------
// THIS FILE IS INCLUDED BY ADDPOST.PHP

Right after that, add this:

if (!defined('ADDPOST')) {
    exit;
}

stranger | Joined: Jun 2006 | Posts: 23
The hacker left a backdoor on my system. Shame on me that I realized this 24 hours after the attack.

Check your process list for "bindz".

Former Developer | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
If you have access to your server access logs, scan through them for recent GETs to addpost_newpoll.php. This will give you an idea of what all they may have done.

stranger | Joined: Jun 2006 | Posts: 23
:( This is exactly how I learned about this backdoor. Thanks for the fix!

Former Developer | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
You're welcome. My apologies it was there in the first place. All of the other scripts include ubbt.inc.php at some point, which sanitizes some things to prevent this. This one particular script didn't, because it was being included by one that did. The fix basically makes it so the only way the script can be called is if it's been included by another, as it is under normal operation.

stranger | Joined: Apr 2005 | Posts: 6

Scary stuff. We were hit this morning. Thanks for the quick fix Rick! I will sleep better tonight.

stranger | Joined: May 2006 | Posts: 9
Thank you for being so quick. I'm thrilled to see such an easy fix. We continue to be very happy users of your products.

enthusiast | Joined: Jun 2006 | Posts: 742
Yeah, this one has been a headache for me all day. Thanks for the quick fix.


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Old Hand | Joined: Jun 2006 | Posts: 956
Too late. We were hit yesterday, 14:36 GMT+1. It came from Brazil. The script modified every .php file in my Zeus Nutshell, 6 sites in all. He appended to every PHP file an iframe which loads exploits for unpatched browsers, and adware.

I was running 6.5.1.1 with the external input validator modification. This mod catches nearly all XSS, but due to this hole my whole site was defaced.

We closed everything, replaced all PHP files from last night's backup, and over the rest of the night I upgraded a heavily modded 6.5.1.1 to 6.5.2. I hoped that was all; then I came here and found this happened to 6.5.2 too ........ I know several .threads sites (including the Keyhole community on Google Earth). Let's see what happened there :(


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with UBBthreads questions in German, or at least try.
Old Hand | Joined: Jun 2006 | Posts: 956
> Ok, we're working on a 6.5.3 as I type this.

Will it be free to all license holders without renewing the membership? I don't renew because promises were broken. I only need security updates and don't plan to use your new upcoming product, but I still need fixed versions (without enhancements).


stranger | Joined: May 2004 | Posts: 6
I found the guy, in case anyone is interested:
> soauker@gmail.com
"Guess, you dumbass." (Portuguese in the original: "Adivinha seu burro.")

He is apparently somewhat active in reporting PHP vulnerabilities too: http://securitytracker.com/alerts/2006/Feb/1015624.html

stranger | Joined: Mar 2004 | Posts: 1
Got fecked over by this a couple of times since the 23rd.

[root@box httpd]# grep addpost_newpoll.php net-access_log |wc -l
1060

:o

Thing is, Rick, you knew about the problem early on in May and it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days.... If you had a mailing list for errata updates for things like this, it might save us all from having to spend a few hours mopping up the various AOL and credit card phishing sites that have been installed on our servers.... Just a thought.

Now, to check for back doors, you want to look for any folders that were writable by the user you run your webserver as ("apache" or "httpd", usually). I had /userimages and /attachments. They'll probably be full of phishing sites now; mine were.

Check the contents of /tmp for backdoor programs.

Then run 'netstat -npl' to see what ports are accepting connections on your box.

For example, I found an "apache" program listening on 0.0.0.0:5555, which isn't right.

[root@box httpd]# telnet localhost 5555
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
:Welcome!psyBNC@ArDaN.or.id NOTICE * :psyBNC2.3.1

More digging found this in /tmp:

.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
 ,----.,----.,-.  ,-.,---.,--. ,-.,----.
 |  O ||  ,-' \ \/ / | o ||   \| || ,--'
 |  _/ _\  \   \  /  | o< | |\   || |__
 |_|  |____/   |__|  |___||_|  \_| \___|
      Version 2.3.1 (c) 1999-2003
        ArDaN Community Chat
      and  the cool lam3rz Group DALNet

`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: ArDaN
Language File: psyBNC Language File - English
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 3036
psyBNC2.3.1-cBtITLdDMSNp started (PID 29821)


Nice.

Oh, and also look at the crontab for the user your web server runs as (usually 'crontab -u apache -e').

Mine was calling various scripts every minute (/var/log/cron should show you that too).
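As an added triage helper (not code from this thread or from UBB.threads), the following POSIX shell script packages the checks suggested in this post and in the earlier replies: it counts direct requests to addpost_newpoll.php in an Apache access log and lists the client addresses behind them, verifies that include-only files carry the ADDPOST guard from the 6.5.3 fix, and finds PHP files with an appended iframe like the defacement described above. The log lines, PHP files, IP addresses and the attacker.invalid hostname are constructed samples written to a temporary directory; netstat and crontab checks are left to the commands quoted in the post since their output depends on the host.

```shell
#!/bin/sh
# Constructed sample data (not real logs): an Apache access log and three PHP files.
WORK=$(mktemp -d)
cat > "$WORK/access_log" <<'EOF'
10.0.0.5 - - [23/May/2006:14:36:02 +0100] "GET /ubbthreads/addpost.php?Cat=0&Board=1 HTTP/1.1" 200 5123
10.0.0.9 - - [23/May/2006:14:36:40 +0100] "GET /ubbthreads/addpost_newpoll.php?x=1 HTTP/1.1" 200 118
10.0.0.9 - - [23/May/2006:14:37:01 +0100] "POST /ubbthreads/addpost_newpoll.php HTTP/1.1" 200 118
10.0.0.5 - - [23/May/2006:14:38:00 +0100] "GET /ubbthreads/showflat.php?Number=5 HTTP/1.1" 200 9001
EOF
mkdir -p "$WORK/site"
cat > "$WORK/site/addpost_newpoll.php" <<'EOF'
<?php
// THIS FILE IS INCLUDED BY ADDPOST.PHP
if (!defined('ADDPOST')) {
    exit;
}
EOF
cat > "$WORK/site/unguarded.php" <<'EOF'
<?php
// THIS FILE IS INCLUDED BY ADDPOST.PHP
echo "no guard here";
EOF
cat > "$WORK/site/showflat.php" <<'EOF'
<?php echo "normal page"; ?><iframe src="http://attacker.invalid/x" width="0" height="0"></iframe>
EOF
# addpost_newpoll.php is only ever include()d by addpost.php, so any request naming
# it directly is suspect. $7 is the request path in common log format.
count_direct_hits() {
    awk '$7 ~ /\/addpost_newpoll\.php(\?|$)/ { n++ } END { print n + 0 }' "$1"
}
# Distinct client addresses behind those requests, one per line.
direct_hit_ips() {
    awk '$7 ~ /\/addpost_newpoll\.php(\?|$)/ { print $1 }' "$1" | sort -u
}
# Exit 0 if the file carries the ADDPOST include guard from the 6.5.3 fix.
has_include_guard() {
    grep -q "defined('ADDPOST')" "$1"
}
# Files that declare themselves include-only but lack the guard.
unguarded_includes() {
    grep -l 'THIS FILE IS INCLUDED BY' "$1"/*.php | while read -r f; do
        has_include_guard "$f" || echo "$f"
    done
}
# PHP files carrying an injected iframe, as in the mass defacement described above.
iframed_files() {
    grep -l '<iframe' "$1"/*.php
}
echo "direct hits: $(count_direct_hits "$WORK/access_log") from: $(direct_hit_ips "$WORK/access_log" | tr '\n' ' ')"
echo "unguarded includes: $(unguarded_includes "$WORK/site")"
echo "iframed files: $(iframed_files "$WORK/site")"
```

On a real server, point the functions at the live access log and the ubbthreads directory instead of $WORK, and treat every direct hit as a request to investigate.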

Former Developer | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
Actually, we sent out a mass mail to all of our customers. Any time someone purchases a license they get put into our buzzcast mailing list. I sent out the email to everyone on that list the same night that the issue was discovered. It appears this got caught in a lot of people's spam folders; those that I've worked with recently went back and checked and found the email we sent out, but it was flagged as spam so they missed it.

Pooh-Bah | Joined: Dec 2003 | Posts: 1,796
Yeah, an email was sent back then. I sent out a few thousand emails to members of threadsdev the night before last after seeing sites still reporting hacks and not many people updating... hopefully not many got caught in spam filters; for those that sent me a rejection, I did what I could to get them through.

> it only just found its way onto the likes of checksum.org and securityfocus.com in the last couple of days....

That would explain the spike in copy-cat hacks the last few days, I repaired 4-5 myself yesterday :/


- Allen
- ThreadsDev | PraiseCafe
Old Hand | Joined: Jun 2006 | Posts: 956
buzzcast will be filtered by many spam lists. I found it in my filter with a high spam score.


Former Developer | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
Seems like a lot of mailing lists get filtered. For version 7 we're working on a way to get important news to the admin. What we currently have is that when an admin goes into the control panel, it will list the newest 5 topics from the announcements forum here right on the main control panel page by using RSS. This should help with getting important news out to customers.

Old Hand | Joined: Jun 2006 | Posts: 956
Today I checked my webroot on my reseller account and found a bot in my space: but.tgz, installed in directory .m

It's an IRC bot. Uploaded on 13.5.2006 ..... But I have applied all fixes and we didn't leave an active backdoor on the server. Any ideas where it comes from? Now we are investigating all logfiles (takes a while) to see what happened. I will report if we find any new details. Be careful, watch your server!


Old Hand | Joined: Jun 2006 | Posts: 956
OK, it's not UBB.threads. It's another damn open script ... we found it and closed it. Sorry for the alarm.

