Update: PHPUGPH’s SMF maliciously attacked. Now back online

I’ve done an audit on the files of phpugph.com’s SMF board and found that a certain user whose only identity is krisbarteo@gmail.com, using the IP 94.142.129.147, appended spam links to the Settings.php of SMF.

I’m no security expert, but I think what he did was he uploaded an avatar with PHP code inside it, found a server/script exploit and ran it. I opened up the avatar (after looking for it for hours) and found this code (see below screenshot). Then he launched the attack from there, appending malicious links to a file that is included every time SMF draws a page.

A quick Diff on SMF’s base files and our SMF files revealed that a new readme.php was created. And it contained the following:

Decoding that garbled text reveals that readme.php was run in the browser, and that was the main cause of the links being appended to the Settings.php.
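The three things the audit above turned up (PHP code hidden inside an avatar image, a readme.php that SMF never ships, and links appended to Settings.php) can each be checked for mechanically. The scanner below is an added example, not code from the original post or from SMF itself; it runs over a constructed sample tree, and the file names, the known-good manifest and the "anchor tag inside Settings.php" heuristic are assumptions.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
HTML_ANCHOR = re.compile(rb"<a\s[^>]*href\s*=", re.IGNORECASE)

def image_hides_php(data: bytes) -> bool:
    """A file that claims to be an image must never carry a PHP open tag."""
    return PHP_OPEN_TAG.search(data) is not None

def unexpected_php_files(root: Path, manifest: set) -> list:
    """PHP files under root that are missing from the known-good manifest (the rogue readme.php case)."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if p.relative_to(root).as_posix() not in manifest)

def settings_has_injected_links(data: bytes) -> bool:
    """Settings.php is only $var = ...; assignments; an HTML anchor in it is foreign (assumed heuristic)."""
    return HTML_ANCHOR.search(data) is not None

def scan_forum(root: Path, manifest: set) -> dict:
    """Run all three checks over one SMF install and report what was flagged."""
    polyglots = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                       if p.is_file() and p.suffix.lower() in IMAGE_EXTS
                       and image_hides_php(p.read_bytes()))
    settings = root / "Settings.php"
    return {
        "polyglot_images": polyglots,
        "unexpected_php": unexpected_php_files(root, manifest),
        "settings_tampered": settings.is_file() and settings_has_injected_links(settings.read_bytes()),
    }

def build_constructed_forum() -> Path:
    """Constructed sample tree mirroring the incident; these are not the real site's files."""
    root = Path(tempfile.mkdtemp())
    (root / "avatars").mkdir()
    # GIF header followed by a harmless PHP open tag: the polyglot avatar pattern
    (root / "avatars" / "avatar_1.gif").write_bytes(b"GIF89a" + bytes(16) + b"<?php /* marker */ ?>")
    (root / "avatars" / "avatar_2.gif").write_bytes(b"GIF89a" + bytes(32))
    (root / "index.php").write_bytes(b"<?php // legitimate SMF file\n")
    (root / "readme.php").write_bytes(b"<?php // not part of SMF\n")
    (root / "Settings.php").write_bytes(
        b"<?php\n$mbname = 'PHPUGPH';\n?>\n<a href=\"http://spam.invalid/\">x</a>\n")
    return root

if __name__ == "__main__":
    print(scan_forum(build_constructed_forum(), {"index.php", "Settings.php"}))
```

Against a real install the manifest would be the file list of a clean SMF download of the same version, which is what the "quick Diff" in the post does by hand.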

I am still baffled by the fact that some people would do such things. Disrupt service for profit? Well, as for krisbarteo, yes, you’ve succeeded in doing that. Then what? Happy now? If you had only used those smarts and skills on the good stuff, you’d probably be rich by now.

To all PHPugers, we hope that this thing doesn’t happen again even if we all know that the Internet isn’t safe from these crackers. It’s all good. For now.

12 thoughts on “Update: PHPUGPH’s SMF maliciously attacked. Now back online”

  1. Pingback: Get an email alert from Google when your website is being used for spam links « Online Marketing at Canada’s Web Shop

  2. Are all SMF installations susceptible to this kind of attack? Or is it PHPUGPH’s server setup that has gone a little permissive on this attack?

    How does a *.gif get parsed by the PHP API (or FastCGI) if the server’s config only allows *.php, *.inc, or other related PHP files?

    I don’t know the server’s setup, but it seems that a weak spot in the server’s config allowed this exploit to happen.

  3. Thank you for posting the details! This could help other site administrators.

    You said you’re not a security expert. I think you are better than most of them.

    Cheers

  4. Pingback: SMF vulnerability discovered by PHPUGPH « GREATWEBHOST.COM.PH

  5. Pingback: SMF vulnerability exploited from PHPUGPH | Dione Domingo

  6. Comment on
    “If you only have used that smarts and skills on the good stuff, you’d probably be rich by now.”

    First, it’s not smart; any idiot can do that. Remember how hard it is to create a wonderful flower vase, and how easy it is to destroy it. Even a 1-month-old child can do it.

    Especially the one who made “tagalipa ere”, a college student at an IT school who is only at grade 3 level; someone at only grade 4 level made the cure in 3 hours. Embarrassing…

  7. Comment on
    “If you only have used that smarts and skills on the good stuff, you’d probably be rich by now.”

    First, it’s not smart; any idiot can do that. Remember how hard it is to create a wonderful flower vase, and how easy it is to destroy it. Even a 1-month-old child can do it.

    Especially the one who made “tagalipa ere”, a college student at an IT school; someone at only grade 4 level made the cure in 3 hours. Embarrassing…

  8. Actually, it turns out it isn’t a cure, since what was made was just a script to clean the registry. Really embarrassing, these fools.
