JoshPet
The artist formerly known as Mr. Bug
Reged: 11/29/01
Posts: 11414
Loc: Charlotte, NC
If you didn't notice ThreadsDev.net hacked yesterday.....
This was posted today by Rick Baker at UBBCentral:
Quote:
We have released version 6.5.3 to the members area. This release contains a fix for a security issue we were informed of this afternoon. It also contains a handful of other fixes for a few bugs that have been floating around for a while.
If you don't want to go through the hassle of downloading 6.5.3 you can apply the security fix yourself. It's a fairly quick fix as it only requires changing 2 files. Anyone running a version between 6.4 through 6.5.2 will want to apply this:
At the top of addpost.php you'll see this:
require ("./includes/main.inc.php");
right before that, add this:
define('ADDPOST',1);
Then, in addpost_newpoll.php, at the top, you'll see this:
// ------------------------------------
// THIS FILE IS INCLUDED BY ADDPOST.PHP
Right after that, add this:
if (!defined('ADDPOST')) { exit; }
Many of you know I run vertexhost - I've seen what this one can do. It can compromise the whole server. As a result, I've personally fixed about 50+ threads installs once we were aware. I can't urge you enough to fix this on your sites.
--------------------
Josh - Joshua Pettit Website - For Hire Coding work and Modifications
Feel Better, Look younger - www.BuyTransD.com
Use Coupon Code 1004 to Save $20 Off Your Initial Order of Trans-D Tropin
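Josh mentions patching 50+ installs by hand. The script below is an added example, not UBBCentral's code and not anything Josh posted: it applies the two-file fix quoted above to one or more UBB.threads install directories, refuses to touch a file where the anchor lines the post describes are not found (a hand-modified install should be patched by hand), keeps a backup, and is a no-op on a second run. The `make_sample` function builds a constructed stand-in for the two files so the script can be exercised without a real install; the real files contain far more than the lines shown.

```shell
#!/bin/sh
# Added helper (not UBBCentral's code, not from Josh): apply the two-file
# 6.5.3 security fix to a UBB.threads install directory, with the checks you
# want when doing this across many sites.

MAIN_INC='require ("./includes/main.inc.php");'
GUARD_DEF="define('ADDPOST',1);"
GUARD_CHK="if (!defined('ADDPOST')) { exit; }"
MARKER='THIS FILE IS INCLUDED BY ADDPOST.PHP'

# check_fix DIR: 0 if both halves of the fix are present, 1 otherwise
check_fix() {
    grep -qF "$GUARD_DEF" "$1/addpost.php" 2>/dev/null &&
    grep -qF "$GUARD_CHK" "$1/addpost_newpoll.php" 2>/dev/null
}

# apply_fix DIR: 0 once both halves are in place (already patched counts),
# 1 if the expected anchor lines are not found (then patch by hand)
apply_fix() {
    dir=$1
    if ! grep -qF "$MAIN_INC" "$dir/addpost.php" 2>/dev/null; then
        echo "$dir/addpost.php: require line not found, not touching it" >&2
        return 1
    fi
    if ! grep -qF "$MARKER" "$dir/addpost_newpoll.php" 2>/dev/null; then
        echo "$dir/addpost_newpoll.php: marker comment not found, not touching it" >&2
        return 1
    fi
    if ! grep -qF "$GUARD_DEF" "$dir/addpost.php"; then
        cp "$dir/addpost.php" "$dir/addpost.php.bak"
        # emit the define() immediately before the first require line
        awk -v def="$GUARD_DEF" -v inc="$MAIN_INC" '
            !done && index($0, inc) { print def; done = 1 }
            { print }' "$dir/addpost.php.bak" > "$dir/addpost.php"
    fi
    if ! grep -qF "$GUARD_CHK" "$dir/addpost_newpoll.php"; then
        cp "$dir/addpost_newpoll.php" "$dir/addpost_newpoll.php.bak"
        # emit the guard immediately after the marker comment
        awk -v chk="$GUARD_CHK" -v mark="$MARKER" '
            { print }
            !done && index($0, mark) { print chk; done = 1 }' \
            "$dir/addpost_newpoll.php.bak" > "$dir/addpost_newpoll.php"
    fi
    check_fix "$dir"
}

# make_sample DIR: constructed stand-in for the two files of an unpatched
# 6.4-6.5.2 install (only the lines the fix keys on; not the real sources)
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '<?php' "$MAIN_INC" '// ... rest of addpost.php ...' > "$1/addpost.php"
    printf '%s\n' '<?php' '// ------------------------------------' "// $MARKER" \
        '// ... rest of addpost_newpoll.php ...' > "$1/addpost_newpoll.php"
}

# Usage: sh apply_addpost_fix.sh /path/to/threads [/path/to/another ...]
# With no arguments, run against the constructed sample in a temp dir.
if [ $# -gt 0 ]; then
    for d in "$@"; do apply_fix "$d" && echo "patched: $d"; done
else
    tmp=$(mktemp -d)
    make_sample "$tmp/threads"
    apply_fix "$tmp/threads" && echo "patched sample: $tmp/threads"
    apply_fix "$tmp/threads" && echo "second run: already patched, nothing changed"
    rm -rf "$tmp"
fi
```

The `.bak` copies land next to the originals, where a web server will happily serve them as plain text; move them out of the document root (or delete them) once you have confirmed the board still posts and creates polls.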
Conrad
Member
Reged: 03/25/02
Posts: 274
Hi Josh, how much would it cost to run a check (uncompromise) my server? (I can send you the root/whm details in whichever way you deem safe)
JoshPet
The artist formerly known as Mr. Bug
Reged: 11/29/01
Posts: 11414
Loc: Charlotte, NC
I sent you a PM. But I decided I'd also post this here. I'm not the server cleanup expert. If you've been compromised, I'd recommend these guys: http://www.configserver.com/cp/recovery.html
--------------------
Josh - Joshua PettitWebsite - For Hire Coding work and Modifications
Feel Better, Look younger - www.BuyTransD.com
Use Coupon Code 1004 to Save $20 Off Your Initial Order of Trans-D Tropin
StanCA
Power User
Reged: 07/01/02
Posts: 65
How does one tell if the server has been compromised?
-------------------- http://IsThereSexAfterDeath.com
http://clubadventist.com
( I like to check out the toys others have added )
Conrad
Member
Reged: 03/25/02
Posts: 274
Josh, huge thanks! I will send you a reply via PM as well.
StanCA, when I log into WHM and click on "CPU/Memory/MySQL Usage" (under the "Server Status" menu) then I see stuff like "Top Process %CPU 89.0 ./pwned". My server has definitely been hacked.
And this is probably just the tip of the iceberg...
As Josh mentioned I would just go to http://www.configserver.com/cp/recovery.html and have a sweep of the system made. You can probably also have them check out the security status of your server and make any necessary adjustments as a future precaution.
Ultimately your best bet overall is to go with Josh's hosting company: VertexHost.com. If you run a Threads or FusionBB board then this is the best choice you can make. By far...
Josh knows Threads better than the folk at Infopop do, he's created tons of special modifications and knows the software inside out. Having him overlook and manage your server is way better than what I have: also a managed server, but one which is managed by a company that is absolutely clueless about Threads or the server configuration needed to run it (fine-tuning mysql for instance, etc.).
I will definitely be contacting Josh in the coming weeks to try and move my entire site and board to VertexHost.com.
Smilesforu
Code Monkey
Reged: 01/25/03
Posts: 668
Loc: NW WA
Wouldn't be so bad if they only compromised just threads.. they tagged every file that has html on the end and the php files.
Josh I need to have my files scanned and the code replaced they put in or use a backup copy of the site. (email not working) They compromised the other pages on the site... ugh
help please
-------------------- Marty
www.steelheader.net
Ok I admit my reading comprehension skills suck... just a second let me read that again.
JoshPet
The artist formerly known as Mr. Bug
Reged: 11/29/01
Posts: 11414
Loc: Charlotte, NC
Yeah, they had some kind of automated script which modified any files that the permissions allowed. Ideally stuff would be set to 755. But some scripts (like the includes in threads etc... ) have to be 777 writable so that you can edit them online. Plus occasionally people have stuff with the wrong permissions, thus it was vulnerable.
I fixed your weather and moved your backup directory where you can get at it just in case you find anything else that needs to be restored.
JoshPet
The artist formerly known as Mr. Bug
Reged: 11/29/01
Posts: 11414
Loc: Charlotte, NC
And 6.5.4 has been released, another security fix is urgently needed. Details here.
Conrad
Member
Reged: 03/25/02
Posts: 274
Darn, another security issue?
Can someone please send me a PM with the details? I'm running the sub-forum hack so I need to check out the exact changes.
DLWebmaestro
Addict
Reged: 01/16/03
Posts: 1696
Loc: North Carolina
I wouldn't mind the details either, since I haven't had access to their members' area for some time now.
-------------------- ThreadsDev 2003 Member Spotlight Winner
JoshPet was here.
Miserable Failure
Medar
Code Monkey
Reged: 07/13/00
Posts: 609
Same.
-------------------- Medar
Bladekeep Forums • Bicenet Design
backupguy
Lurker
Reged: 05/23/06
Posts: 3
I am hoping you can offer some insight.
my site http://forums.dantz.com was hacked yesterday by a crazy Turkish hacker and my webteam is working on the resolution.
I saw the following post today: http://www.threadsdev.net/forum/showflat.php?Cat=&Number=129985
Do you think this patch would have prevented being hacked? We are still on 6.4.2 of threads.
The error we are now getting is:
SQL ERROR: Database error only visible to forum administrators
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/forums/htdocs/ubbthreads-6.4.2/mysql.inc.php on line 133
Warning: Cannot modify header information - headers already sent by (output started at /home/forums/htdocs/ubbthreads-6.4.2/config.inc.php:27) in /home/forums/htdocs/ubbthreads-6.4.2/ubbt.inc.php on line 274
Warning: send_header(/languages//online.php): failed to open stream: No such file or directory in /home/forums/htdocs/ubbthreads-6.4.2/ubbt.inc.php on line 325
Thank you
Robin Mayoff
Senior Manager, Technical Support
EMC Insignia (Dantz Development)
JoshPet
The artist formerly known as Mr. Bug
Reged: 11/29/01
Posts: 11414
Loc: Charlotte, NC
This hack caused your files to become modified and the server compromised. It shouldn't have anything to do with the database. Unless your configuration files just got messed up, then you'd have SQL errors. The telltale sign of this hack is an iframe embedded at the bottom of all your pages (usually in the footer, or header etc....) which loads popups, spyware and viruses.
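StanCA asked how to tell whether a server has been compromised, and the replies in this thread give three concrete symptoms: a process running from a relative path ("./pwned" in WHM's process list), an iframe injected into the bottom of every page, and files left world-writable so the automated script could rewrite them. The script below is an added example, not code from anyone in this thread, that checks for each of those on a web root; the `ps` output it is demonstrated on is constructed, and the paths it treats as suspicious (relative paths, /tmp, /var/tmp, /dev/shm) are a common-sense choice, not something the posters specified.

```shell
#!/bin/sh
# Added triage helpers (not code from anyone in this thread) for the three
# symptoms described above: a rogue process from an odd path, pages rewritten
# with an injected <iframe>, and world-writable files that allowed the rewrite.

# odd_path_processes < ps-output: flag processes started from a relative path
# or a scratch directory; the "./pwned" seen in WHM is exactly this shape.
# Feed it `ps -eo pid,user,args` (header line included).
odd_path_processes() {
    awk 'NR > 1 && $3 ~ /^(\.\/|\/tmp\/|\/var\/tmp\/|\/dev\/shm\/)/'
}

# injected_iframe_files ROOT: .php/.html/.htm files under ROOT containing an
# <iframe> tag. Review each hit; a board template normally has none.
injected_iframe_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -il '<iframe' {} + 2>/dev/null || true
}

# world_writable_files ROOT: files any local user, and any script the web
# server runs, could rewrite. Tighten to 644/755 except where the board must write.
world_writable_files() {
    find "$1" -type f -perm -002
}

# recently_changed_files ROOT DAYS: files touched in the last DAYS days, to
# scope what to restore from backup once the defacement time is known.
recently_changed_files() {
    find "$1" -type f -mtime "-$2"
}

# count_lines: lets callers check a number instead of parsing output
count_lines() {
    wc -l | tr -d ' '
}

# Constructed stand-in for `ps -eo pid,user,args` on a compromised box.
SAMPLE_PS='  PID USER     COMMAND
  812 root     /usr/sbin/httpd -k start
 9912 nobody   ./pwned
 9933 nobody   /tmp/.x/bot 203.0.113.9
 1001 mysql    /usr/sbin/mysqld --defaults-file=/etc/my.cnf'

# triage ROOT: run every check and print a sectioned report
triage() {
    echo "== processes from odd paths =="; ps -eo pid,user,args | odd_path_processes
    echo "== pages with an <iframe> ==";    injected_iframe_files "$1"
    echo "== world-writable files ==";      world_writable_files "$1"
    echo "== changed in last 3 days ==";    recently_changed_files "$1" 3
}

if [ $# -gt 0 ]; then
    triage "$1"
else
    echo "usage: $0 /path/to/webroot   (demo on constructed ps output follows)"
    printf '%s\n' "$SAMPLE_PS" | odd_path_processes
fi
```

A clean report is not proof of a clean server: the process can be gone by the time you look and an attacker with root can reset timestamps. It does tell you where to start restoring from backup and which permissions to fix, and if `odd_path_processes` fires, the box needs the full professional cleanup Josh recommends rather than file-by-file repair.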
StanCA
Power User
Reged: 07/01/02
Posts: 65
This guy got me good, was still recovering from the last hack
Quote:
Yesterday the Turkish cracker going by the handle "Iskorpitx", successfully hacked 21,549 websites in one shot (plus 17,000 as our last update) and defaced (on a secondary page) all of them with a message showing the Turkish flag (with AtaTurk face on it) and reporting:
"HACKED BY iSKORPiTX
(TURKISH HACKER)
Twisty
Code Monkey
Reged: 09/26/03
Posts: 546
Holy #$&* that's unbelievable damage.
Vulnerable:
UBBCentral UBB.threads 6.5.2 Beta2
UBBCentral UBB.threads 6.5.2
UBBCentral UBB.threads 6.5.1 .1
UBBCentral UBB.threads 6.5.1
UBBCentral UBB.threads 6.5
UBBCentral UBB.threads 6.2.3
UBBCentral UBB.threads 6.0
UBBCentral UBB.threads 3.5
UBBCentral UBB.threads 3.4
Thank goodness I'm still using 6.3.2 (with security upgrades of course and disabled globals)
Scanning through the log files, they *tried* to get me bigtime but the addpost_newpoll.php doesn't even exist in my install
However I'm more than happy to redirect their requests via .htaccess to an evil script I made
RedirectMatch \.php([a-z0-9])([a-z0-9]+)$ /evil.php
RedirectMatch newpoll.php /evil.php
RedirectMatch r57shell.txt /evil.php
RedirectMatch rar.cc$ /evil.php
-------------------- Twisty 
MAMEWorld
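Twisty found the attempts by scanning his log files. As an added example (not Twisty's script, which he did not release), the helpers below pull the same request patterns his RedirectMatch rules key on out of an Apache combined-format access log, so an admin can see whether, when and from where an install was probed and hand that to their host; the log lines are constructed. For the rules themselves, a defender's version sends those requests to a 403 and a log entry rather than to a page of any kind.

```shell
#!/bin/sh
# Added example: find the probe requests from the .htaccess patterns above in
# an Apache access log. Not Twisty's script; sample log lines are constructed.

# probe_hits < access_log: requests hitting any of the patterns: a direct call
# to addpost_newpoll.php, r57shell.txt, rar.cc, or .php followed by junk
probe_hits() {
    grep -E 'addpost_newpoll\.php|r57shell\.txt|rar\.cc|\.php[a-z0-9]{2,}[ ?]'
}

# probe_sources < access_log: "count ip" pairs, busiest client first, for a
# firewall deny list or a report to your host
probe_sources() {
    probe_hits | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# first_probe < access_log: timestamp of the earliest matching request, which
# bounds how far back a known-good backup has to come from
first_probe() {
    probe_hits | head -n 1 | sed 's/.*\[\([^]]*\)\].*/\1/'
}

# Constructed combined-format lines: two hits from one client, one from
# another, and two ordinary forum requests that must not match.
SAMPLE_LOG='203.0.113.5 - - [23/May/2006:03:14:07 +0000] "GET /forum/addpost_newpoll.php HTTP/1.0" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [23/May/2006:03:14:09 +0000] "GET /forum/showflat.php?Number=129985 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [23/May/2006:03:15:02 +0000] "GET /forum/r57shell.txt HTTP/1.0" 404 221 "-" "libwww-perl/5.805"
192.0.2.44 - - [23/May/2006:04:01:11 +0000] "POST /forum/addpost.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.77 - - [23/May/2006:04:09:40 +0000] "GET /forum/addpost.phpx1 HTTP/1.0" 404 0 "-" "-"'

# Usage: sh probe_log.sh /var/log/httpd/access_log   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    echo "first probe: $(first_probe < "$1")"
    probe_sources < "$1"
else
    echo "first probe: $(printf '%s\n' "$SAMPLE_LOG" | first_probe)"
    printf '%s\n' "$SAMPLE_LOG" | probe_sources
fi
```

The last pattern is the same `.php` followed by two or more alphanumerics that Twisty's first rule catches, anchored here on the space or `?` that follows the path in a request line. Logs rotate, so run this against the archived copies too if the defacement was noticed late.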
JoshPet
The artist formerly known as Mr. Bug
Reged: 11/29/01
Posts: 11414
Loc: Charlotte, NC
LOL Good one.
StanCA
Power User
Reged: 07/01/02
Posts: 65
How does that script work? How would I install it? and does it affect anyone else?
Yeah, I pretty much know nothing
Twisty
Code Monkey
Reged: 09/26/03
Posts: 546
I really can't release it publicly, sorry. It can and surely would be used by others who are up to no good.
It's very dangerous and can crash a PC in a couple of seconds by simply loading a webpage!
Medar
Code Monkey
Reged: 07/13/00
Posts: 609
6.4.4 for the win.
With additional security snippets installed via here and UBBCentral.
6.5 and up were always crap.
mcguijo
Lurker
Reged: 12/04/03
Posts: 8
I'm running 6.3.2 and was thinking about upgrading this afternoon. However, after reading these threads, I'm wondering if I should make that leap.
Should I upgrade to another version? If not, I can't recall if I've had the security upgrades on 6.3.2. What's an easy way to check?
Cheers