Forums Hacked
04-04-2012, 03:27 AM (This post was last modified: 04-04-2012 03:36 AM by pmeenan.)
Post: #1
Forums Hacked
Things are locked down and cleaned up and I've been going over the access logs and don't see any indication that the script kiddie got anything useful but from 3/30 through 4/2 he had a back door on the system that let him execute arbitrary php code.

There is nothing in the logs that shows he got around to doing anything useful or that he managed to grab the database but it would be safer if you assume that he managed to grab a full database dump which would have everyone's account name, email address and encrypted password.

It looks like MyBB salts the md5 hashes for the passwords so even with a full database dump it would be very unlikely that they would be able to crack the password (they would have to brute-force individual passwords since rainbow tables would be useless) but in an abundance of caution it wouldn't be a bad idea to change them (particularly if you use the same password elsewhere).

I will post a full timeline of events and hack details to my blog later this afternoon.

I take security as seriously as I can but with a constant stream of attacks every now and then the script kiddies get lucky.
04-04-2012, 05:17 AM
Post: #2
RE: Forums Hacked
As promised, here is the timeline and details: http://blog.patrickmeenan.com/2012/04/an...-hack.html
04-04-2012, 07:24 AM
Post: #3
RE: Forums Hacked
Hi Pat,
Really appreciate the transparency.

I came across another breach in the past where the kiddie uploaded shell.php, a very interesting script which almost allowed shell access (sandboxed by the privileges of the webserver user).

What's scary is that many sites still have the backdoor running: https://www.google.com/search?q=inurl:shell.php

Do you still have the gs.php file? Would like to take a look.

cdnplanet.com: We help you select the right CDN
04-04-2012, 07:31 AM
Post: #4
RE: Forums Hacked
Yep - sent out of band. The jpeg actually allowed shell access (that was the only thing it could do) - the PHP was a full console - they're getting fancy.
04-04-2012, 12:22 PM
Post: #5
RE: Forums Hacked
Let us know if we can be of any help to prevent this in future. WPT is a great place and we can't see it being hacked in any way.

http://www.sphinxconsultant.com/performance-scalability-services/
04-05-2012, 07:03 AM (This post was last modified: 04-05-2012 07:04 AM by jarrod1937.)
Post: #6
RE: Forums Hacked
If you could send all files you have from the hack I'd appreciate it. As a developer I'm into security as well (you're not a developer unless you are imo), and the PHP code within the jpeg file is something I haven't seen before. I'd like to take a look at that to make sure none of the systems I've programmed are vulnerable to such an attack.
04-05-2012, 08:05 AM
Post: #7
RE: Forums Hacked
Ping me offline and I can get them to you (pmeenan@webpagetest.org).

The PHP interpreter will apparently execute anything inside of a <?php ?> pair of tags, even if it is a binary file so the problem isn't unique to images. Jpegs have a fun feature that lets you include arbitrary data in header tags (like the exif data) so it is easy to build an image that looks normal but has executable code within it.

Stripping out all tags or recompressing (without maintaining tags) all user-uploaded images is probably the safest way to secure them (besides making sure php won't be called to execute an image file).
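The two mitigations in the post above (strip or re-encode uploaded images, and never let PHP run on an upload) can be checked and applied server-side before a file is stored. The following is an added example, not code from the forum or from WebPageTest or MyBB: a pure-Python JPEG segment walker that drops every APPn (EXIF and friends) and COM segment, keeps only a genuine JFIF APP0, copies the entropy-coded scan data through untouched, and truncates anything appended after the EOI marker. A second function scans the raw bytes for PHP open tags so that a rejected upload can be logged. The sample file it runs on is constructed inline (it is JPEG-shaped, not a decodable picture) with harmless marker strings standing in for a payload; `build_sample`, `find_php_tags` and `strip_jpeg_metadata` are names chosen for this example.

```python
import struct

SOI = b"\xff\xd8"            # start of image
EOI = b"\xff\xd9"            # end of image
APP_MARKERS = set(range(0xE0, 0xF0))   # APP0..APP15 (EXIF is APP1 = 0xE1)
COM_MARKER = 0xFE            # free-text comment segment
SOS_MARKER = 0xDA            # start of scan: entropy-coded data follows
EOI_MARKER = 0xD9
PHP_TAGS = (b"<?php", b"<?=", b"<script")   # open tags worth logging on an upload


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker byte, 2-byte big-endian length (counts itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def find_php_tags(data: bytes) -> list:
    """Return sorted (offset, tag) pairs for every PHP/script open tag anywhere in the bytes."""
    hits = []
    for tag in PHP_TAGS:
        start = 0
        while True:
            idx = data.find(tag, start)
            if idx < 0:
                break
            hits.append((idx, tag))
            start = idx + 1
    return sorted(hits)


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop APPn (except a real JFIF APP0) and COM segments; keep tables and scan data verbatim."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(SOI)
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed JPEG: expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI_MARKER:
            break
        if marker == SOS_MARKER:
            # Scan data cannot contain FF D9 (FF is byte-stuffed as FF 00, RST markers are FF D0..D7),
            # so the first EOI after SOS is the real one; anything appended after it is discarded.
            eoi = data.find(EOI, pos)
            out += data[pos:eoi] if eoi >= 0 else data[pos:]
            break
        if pos + 4 > len(data):
            raise ValueError("malformed JPEG: truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos:pos + 2 + length]
        payload = seg[4:]
        keep_app0 = marker == 0xE0 and payload.startswith(b"JFIF\x00")
        drop = marker == COM_MARKER or (marker in APP_MARKERS and not keep_app0)
        if not drop:
            out += seg
        pos += 2 + length
    out += EOI
    return bytes(out)


def build_sample() -> bytes:
    """Constructed test input: JPEG-shaped bytes with marker strings hidden in EXIF, COM and a trailer."""
    jfif = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = segment(0xE1, b"Exif\x00\x00" + b"<?php /* constructed marker, not real code */ ?>")
    com = segment(COM_MARKER, b"<?= 'constructed comment marker' ?>")
    dqt = segment(0xDB, b"\x00" + bytes(64))          # quantisation-table stub
    sos = segment(SOS_MARKER, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56"                     # pretend entropy-coded data (FF stuffed as FF 00)
    trailer = b"<?php /* constructed: appended after EOI */ ?>"
    return SOI + jfif + exif + com + dqt + sos + scan + EOI + trailer


if __name__ == "__main__":
    sample = build_sample()
    print("tags before:", find_php_tags(sample))
    cleaned = strip_jpeg_metadata(sample)
    print("tags after:", find_php_tags(cleaned), "size", len(sample), "->", len(cleaned))
```

Stripping segments keeps the pixel data bit-identical, which is cheaper than recompressing; recompressing through an image library is the stronger option when you also want to rule out malformed tables. Either way, the upload directory should still be served with script execution disabled, since the walker only protects files that pass through it.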
10-25-2014, 06:22 PM
Post: #8
RE: Forums Hacked
There is nothing in the logs that shows he got around to doing anything useful or that he managed to grab the database but it would be safer if you assume that he managed to grab a full database dump which would have everyone's account name, email address and encrypted password.
10-29-2014, 10:50 PM
Post: #9
RE: Forums Hacked
Yep (though that was 5 years back). MyBB salts all of the hashes so at least back in the day it was hard enough to make the database useless though these days not so much.

It looks like MyBB moved to a new architecture recently so I'll either have to move the forums to the newer version or to a new platform. I might take a look at vbulletin since I'm going to have to move anyway though keeping accounts intact would be preferred. Moving to OAuth and not storing any credentials at all would be even better.
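Posts #1 and #9 both turn on what a per-user salt does and does not buy you: it makes a precomputed (rainbow) table of plain md5 values useless, but a fast hash still lets each account be checked against a wordlist individually, which is why "these days not so much". The following is an added example, not MyBB's or the forum's own code. The hash formula `md5(md5(salt) + md5(password))` is my recollection of the MyBB 1.x scheme and is an assumption here; check it against the forum's source before relying on it. `build_unsalted_table`, `audit_weak_password` and `slow_hash` are names chosen for this example, and the wordlist is constructed.

```python
import hashlib
import hmac
import secrets

SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def mybb_style_hash(password: str, salt: str) -> str:
    """Assumed MyBB 1.x scheme: md5(md5(salt) . md5(password)); verify against the real source."""
    return md5_hex((md5_hex(salt.encode()) + md5_hex(password.encode())).encode())


def new_salt(length: int = 8) -> str:
    """Random per-user salt; uses the secrets module rather than random()."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def verify(password: str, salt: str, stored_hash: str) -> bool:
    """Constant-time comparison so timing does not leak how many hex digits matched."""
    return hmac.compare_digest(mybb_style_hash(password, salt), stored_hash)


def build_unsalted_table(wordlist: list) -> dict:
    """What a precomputed table looks like: plain md5(password) -> password. Useless once salted."""
    return {md5_hex(w.encode()): w for w in wordlist}


def audit_weak_password(stored_hash: str, salt: str, wordlist: list):
    """Defender-side audit: does this one account's salted hash match a known-weak password?
    Each account has to be checked on its own (the salt differs), but md5 is fast enough that
    this remains cheap, which is the weakness post #9 alludes to."""
    for candidate in wordlist:
        if verify(candidate, salt, stored_hash):
            return candidate
    return None


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stronger replacement from the standard library: PBKDF2-HMAC-SHA256 with an iteration count
    that makes per-account guessing expensive. Assumption: iteration count chosen for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    weak_list = ["password", "letmein", "correct horse"]   # constructed wordlist
    salt_a, salt_b = new_salt(), new_salt()
    h_a, h_b = mybb_style_hash("correct horse", salt_a), mybb_style_hash("correct horse", salt_b)
    print("same password, different salts ->", h_a != h_b)
    print("rainbow lookup of salted hash ->", build_unsalted_table(weak_list).get(h_a))
    print("per-account audit ->", audit_weak_password(h_a, salt_a, weak_list))
```

The audit function is the useful bit for an operator after a dump: run it over the accounts with a short list of the most common passwords and force a reset on every hit, then move the scheme to a slow hash (or, as post #9 suggests, to a provider that holds no credentials at all).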