Joined: Aug 2006
Posts: 583
old hand
This has happened a couple of times over the past few weeks. Someone is spamming my forum with posts that contain links to (likely) malware sites that talk about prescription drugs, etc. They are posting in my forums without registering, so they show up as "anonymous". What is even more disturbing, they are posting in forums that are either open only to admin, or forums that are closed. Of course I firewall their IPs, but it is troubling that it is happening. I searched my logs and located the offending IPs and this is what I found (I've x'd out some info, but you'll get the gist):
[18/Mar/2012:14:50:12 -0400] "POST /x/ubbthreads.php HTTP/1.1" 302 -"http://www.xxxxxxxxxxx.com/x/ubbthreads.php/topics/811793/Your_subject_here" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
Is this some kind of PHP exploit being used, and if so is there anything we can do about it?
Joined: Jun 2006
Posts: 1,344
veteran
Seems like you had this issue a few months ago too. Are you running blog software like WordPress as well? The HTTP/1.0" 302 - should be just a redirect. I would be more concerned if the POST returned a 200 response, which means success. I am far from an expert or really knowledgeable about this, but they could be getting in from an exploit on the webserver, other software like a blog, or got in prior to the patch and left a backdoor or all files not cleaned out. Hopefully SD or someone can shed some light on this.
Joined: Jun 2006
Posts: 6
stranger
I've been seeing an increase in this as well. I've turned on the registration queue, as their accounts are pretty easy to identify when they sign up. I've also banned about 10 IP addresses now.
-------------- Matt Reinfeldt
Joined: Dec 2003
Posts: 6,566 Likes: 78
Basil, your site location as I recall I checked today, and your patch is 7.5.6p1; the current security patch is 7.5.6p2. p2 replaced p1 within a week or so due to another hole found.
Also, I am sure you are aware the patch does not repair any existing damage. So even if you are current, if someone has hacked the board prior, there is quite a bit of research to do for cleanup.
Blue Man Group There is no such thing as stupid questions. Just stupid answers
Joined: Aug 2006
Posts: 583
old hand
Basil, your site location as I recall I checked today, and your patch is 7.5.6p1; the current security patch is 7.5.6p2. p2 replaced p1 within a week or so due to another hole found.
Also, I am sure you are aware the patch does not repair any existing damage. So even if you are current, if someone has hacked the board prior, there is quite a bit of research to do for cleanup.

Thanks - I guess I missed the p2 patch somehow. Not sure if that will fix this particular issue, but it certainly won't hurt to upgrade! Thanks!
Joined: Dec 2003
Posts: 6,566 Likes: 78
Like I said, it will not fix prior attacks, only going forward in the future. If some intrusion has already happened, then you need to do some homework to find it.
I know SD and Gizmo have done some cleanup.
I assume they used something like Beyond Compare to look for extra files or file content that does not match a virgin install.
Blue Man Group There is no such thing as stupid questions. Just stupid answers
Joined: Jun 2006
Posts: 16,301 Likes: 116
More involved than just that (since to do all of that I'd have to download all files in their forum directory, which can easily get up there with cache files and other directories which could be filled with files that could be touched by a hack).
Please note though, the hack isn't restricted to the forum, it's your entire userhome with your host that can contain files that a remote hacker placed while your forum was hacked.
Joined: Dec 2003
Posts: 6,566 Likes: 78
Well I was trying to be positive on where the hack might be. But Gizmo is correct. It could be anywhere in any folder.
Blue Man Group There is no such thing as stupid questions. Just stupid answers