Update: PHPUGPH’s SMF maliciously attacked. Now back online

I’ve done an audit on the files of phpugph.com’s SMF board and found that a certain user, whose only identity is krisbarteo@gmail.com, using the IP 94.142.129.147, appended spam links to the Settings.php of SMF.

I’m no security expert, but I think what he did was upload an avatar with PHP code inside it, find a server/script exploit and run it. I opened up the avatar (after looking for it for hours) and found this code (see the screenshot below). Then he launched the attack from there, appending malicious links to a file that is included every time SMF draws a page.

A quick diff of SMF’s base files against our SMF files revealed that a new readme.php had been created. It contained the following:

Decoding that garbled text reveals that readme.php was run from the browser, and that was the main cause of the links being appended to Settings.php.
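As an added example (not code from the original post, and not part of SMF itself), the script below performs the three checks described above on a constructed sample tree: it flags image-named uploads whose bytes contain a PHP open tag, lists files that are new or changed relative to a hash manifest taken from a clean copy of the forum, and statically unwraps nested eval(base64_decode('...')) layers without ever executing them. Every path, file name and payload in it is constructed for illustration.

```python
"""Post-incident checks for an SMF-style PHP forum (added example, not from the
original post or from SMF): polyglot avatar scan, baseline diff, and static
unwrapping of eval(base64_decode(...)) layers."""
import base64
import hashlib
import os
import re
import tempfile

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
PHP_TAG = re.compile(rb"<\?(php|=)")
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Relative path (forward slashes) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def find_php_in_images(root):
    """Image-named files whose bytes contain a PHP open tag (the avatar trick)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in IMAGE_EXTS:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    if PHP_TAG.search(f.read()):
                        hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def diff_against_baseline(baseline, root):
    """Files added or modified compared with a manifest from a clean install."""
    current = hash_tree(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified}


def unwrap_base64_layers(source, max_layers=10):
    """Decode nested base64_decode('...') arguments statically; never eval them."""
    layers, text = [], source
    for _ in range(max_layers):
        m = B64_ARG.search(text)
        if not m:
            break
        text = base64.b64decode(re.sub(r"\s", "", m.group(1))).decode("utf-8", "replace")
        layers.append(text)
    return layers


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def build_sample_site():
    """Constructed sample: a clean tree and a tampered copy, all contents invented."""
    clean, live = tempfile.mkdtemp(prefix="smf_clean_"), tempfile.mkdtemp(prefix="smf_live_")
    base = {"index.php": b"<?php require 'Settings.php'; ?>\n",
            "Settings.php": b"<?php $db_name = 'smf'; ?>\n",
            "avatars/avatar_1.gif": b"GIF89a harmless pixels"}
    for root in (clean, live):
        for rel, data in base.items():
            _write(root, rel, data)
    # Tampering, modelled on the post: appended link, dropped loader, polyglot avatar.
    _write(live, "Settings.php", base["Settings.php"] + b"<a href='http://spam.invalid/'>x</a>\n")
    inner = "echo 'stage two';"
    mid = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    _write(live, "readme.php", ("<?php eval(base64_decode('%s')); ?>" %
                               base64.b64encode(mid.encode()).decode()).encode())
    _write(live, "avatars/avatar_7.gif", b"GIF89a<?php echo 'x'; ?>")
    return clean, live


def run_checks():
    """Run all three checks on the constructed sample and return the findings."""
    clean, live = build_sample_site()
    result = diff_against_baseline(hash_tree(clean), live)
    result["php_in_images"] = find_php_in_images(live)
    with open(os.path.join(live, "readme.php"), encoding="utf-8") as f:
        result["decoded_layers"] = unwrap_base64_layers(f.read())
    return result


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

On a real forum the baseline manifest would be generated from a pristine SMF archive of the same version and stored off the web server, so an attacker who can write readme.php cannot also rewrite the hashes; the avatar scan is a cheap addition to a nightly cron job, and the decoder lets an administrator read a dropped loader safely instead of opening it in a browser.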

I am still baffled by the fact that some people would do such things. Disrupt service for profit? Well, as for krisbarteo, yes, you’ve succeeded in doing that. Then what? Happy now? If you had only used those smarts and skills on the good stuff, you’d probably be rich by now.

To all PHPugers, we hope that this thing doesn’t happen again even if we all know that the Internet isn’t safe from these crackers. It’s all good. For now.


Trackbacks & Pingbacks

[...] would never have known it sooner until an organization I’m involved with in the Philippines got cracked 2 days ago. Good thing I had my Google Alerts set up for that website and quickly reacted to the [...]

[...] but if your forum is on (Simple Machines) SMF read how PHPUGPH’s forum was hacked in here but is now backed [...]

[...] For forums, SMF has been on top of my options. Today I received an email from PHP User-Group Philippines announcing a malicious attack on their forum. If you happen to be using SMF on one of your sites, this is something that you should be aware of; read how PHPUGPH’s forum was hacked in here. [...]


Comments

Good thing you emailed us quickly about this thing.. Thank you..

Are all SMF installations susceptible to this kind of attack? Or is it PHPUGPH’s server setup that has gone a little permissive on this attack?

How does a *.gif get parsed by the PHP API (or FastCGI) if the server’s config allows only *.php, *.inc, or other related PHP files?

I don’t know the server’s setup but it seems that a weak spot in the server’s config allowed this exploit to happen.

Thank you for posting the details! This could help other site administrators.

You said you’re not a security expert. I think you are better than most of them.

Cheers

Thanks for the info!

Comment on
“If you had only used those smarts and skills on the good stuff, you’d probably be rich by now.”

First, it’s not smart; any idiot can do that. Remember how hard it is to create a wonderful flower vase, and how easy to destroy it. Even a 1-month-old child can do it.

Especially the one who made “tagalipa ere”, a grade 3 college student at an IT school; a grade 4 was the one who made the cure in 3 hours. Embarrassing…

Actually it wasn’t a cure after all, since what was made was just a script to clean the registry. Really embarrassing, these people.