#248705 03/18/2012 9:50 PM
Joined: Aug 2006
Posts: 583
old hand
This has happened a couple of times over the past few weeks. Someone is spamming my forum with posts that contain links to (likely) malware sites that talk about prescription drugs, etc. They are posting in my forums without registering so they show up as "anonymous". What is even more disturbing, they are posting in forums that are either open only to admin, or forums that are closed. Of course I firewall their IPs, but it is troubling that it is happening. I searched my logs and located the offending IPs and this is what I found (I've x'd out some info, but you'll get the gist):

[18/Mar/2012:14:50:12 -0400] "POST /x/ubbthreads.php HTTP/1.1" 302 -"http://www.xxxxxxxxxxx.com/x/ubbthreads.php/topics/811793/Your_subject_here" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"

Is this some kind of PHP exploit being used, and if so is there anything we can do about it?

Basil #248706 03/18/2012 10:31 PM
Joined: Jun 2006
Posts: 1,344
veteran
Seems like you had this issue a few months ago too. Are you running a blog software like WordPress as well? The HTTP/1.0" 302 - should be just a redirect. Would be more concerned if the POST returned a 200 response, which means success.

I am far from an expert or really knowledgeable about this, but they could be getting in from an exploit on the webserver, other software like a blog, or got in prior to the patch and left a backdoor or all files not cleaned out.

Hopefully SD or someone can shed some light on this.

Basil #248707 03/19/2012 12:36 PM
Joined: Jun 2006
Posts: 6
stranger
I've been seeing an increase in this as well. I've turned on the registration queue, as their accounts are pretty easy to identify when they sign up. I've also banned about 10 IP addresses now.


--------------
Matt Reinfeldt
Joined: Dec 2003
Posts: 6,560
Likes: 78
Basil, your site location as I recall I checked today, and your patch is 7.5.6p1; the current security patch is 7.5.6p2.
p2 replaced p1 within a week or so due to another hole found.

Also I am sure you are aware the patch does not repair any existing damage. So even if you are current if someone has hacked the board prior, there is quite a bit of research to do for cleanup.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Ruben #248710 03/19/2012 10:20 PM
Joined: Aug 2006
Posts: 583
old hand
Originally Posted by Ruben
Basil, your site location as I recall I checked today, and your patch is 7.5.6p1; the current security patch is 7.5.6p2.
p2 replaced p1 within a week or so due to another hole found.

Also I am sure you are aware the patch does not repair any existing damage. So even if you are current if someone has hacked the board prior, there is quite a bit of research to do for cleanup.

Thanks - I guess I missed the p2 patch somehow. Not sure if that will fix this particular issue but certainly won't hurt to upgrade! Thanks!

Joined: Dec 2003
Posts: 6,560
Likes: 78
Like I said, it will not fix prior attacks, only going forward in the future.
If some intrusion has already happened, then you need to do some homework to find it.

I know SD and Gizmo have done some cleanup.

I assume they used something like Beyond Compare to look for extra files or file content that does not match a virgin install.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Jun 2006
Posts: 16,292
Likes: 116
UBB.threads Developer
More involved than just that (since to do all of that I'd have to download all files in their forum directory, which can easily get up there with cache files and other directories which could be filled with files that could be touched by a hack).

Please note though, the hack isn't restricted to the forum, it's your entire userhome with your host that can contain files that a remote hacker placed while your forum was hacked.


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Joined: Dec 2003
Posts: 6,560
Likes: 78
Well I was trying to be positive on where the hack might be. But Gizmo is correct. It could be anywhere in any folder.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
