The Apolyton hacking pool

#91
Good to see you remember me

Does anyone know if the site is supposed to run ads/scripts from some linkbucks place? Those do look suspiciously like the results of an injection, but I am not entirely sure.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man


#92
Implementing some stuff Solver is suggesting right now.
linkbucks doesn't ring a bell and it is not mentioned anywhere in my mail conversations with Martin Gühmann (who did organize the ad deals) so I guess it's indeed an injection.

As far as I know we're only using the vB options for advertisement, so any direct PHP advertisement would be an injection.
Formerly known as "CyberShy"
Carpe Diem tamen Memento Mori


#93
Sorry... can't help you. I'm retired and no longer in the advertising mix here
Keep on Civin'
RIP rah, Tony Bogey & Baron O


#94
OK. Next thing you can do quickly to close some holes is edit the /etc/php.ini file on the server and then restart Apache. You should set the disable_functions variable to disable some PHP functions which are mainly used as backdoors.

The line is

Code:
disable_functions=

and should be like

Code:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open

Google for "php disable_functions" for more info.

It also looks like you're still running the same versions of the software you had when you took ownership. You're on PHP 5.3.3 and Apache 2.2.15. That's several versions skipped, which in practical terms means there are dozens of exploits floating around ready to be used against the server. Of course upgrading that stuff isn't something you can do immediately, but the php.ini thing you can fix.

Also, people have had days to execute arbitrary commands with the privileges of the apache user on the server. Fortunately Apache runs as apache and not root, but that is still not a good thing.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man
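A small check for the php.ini change described in #94, added here as an example and not something posted in the thread: it reads the effective disable_functions line from a php.ini (skipping commented-out lines) and reports which of the functions listed above are still enabled. It assumes POSIX sh with sed, tail and tr; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a php.ini already disables
# the functions listed in #94, and name the ones still enabled.
# Assumes POSIX sh with sed, tail and tr. Function names here are my own.

# The list from #94; it is word-split on spaces below, so keep it space separated.
REQUIRED="show_source system shell_exec passthru exec popen proc_open"

# Print the effective disable_functions value of php.ini $1 as a space
# separated list. Commented-out lines (";disable_functions = ...") are
# skipped; if the key appears more than once the last one wins, as in PHP.
php_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"[:blank:]' | tr ',' ' '
}

# Print the required functions that php.ini $1 does NOT disable and return 1;
# print nothing and return 0 when the hardening from #94 is in place.
php_missing_disables() {
    disabled=" $(php_disabled_functions "$1") "
    missing=""
    for fn in $REQUIRED; do
        case "$disabled" in
            *" $fn "*) ;;                 # already disabled
            *) missing="$missing $fn" ;;  # still callable from PHP
        esac
    done
    missing="${missing# }"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}
```

disable_functions only blunts what an already-uploaded shell can call from PHP; it does not close the upload hole or stand in for the PHP and Apache upgrades the post mentions.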


#95
I am pretty sure this is not related to the security problems but my posts seem to always become double posts.

Yes, the linkbucks thing is an injection. It's a malicious script to redirect people to their ads up to 14 times if said people aren't admins. Sneaky. It's scattered around a few places in the forum, I've removed a couple, but I have to head out now. I'll get back to the rest of those in about an hour.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man


#96
Solver
To us, it is the BEAST.


#97
Originally posted by Solver:
    I am pretty sure this is not related to the security problems but my posts seem to always become double posts.

    Yes, the linkbucks thing is an injection. It's a malicious script to redirect people to their ads up to 14 times if said people aren't admins. Sneaky. It's scattered around a few places in the forum, I've removed a couple, but I have to head out now. I'll get back to the rest of those in about an hour.
You're amazing!
Formerly known as "CyberShy"
Carpe Diem tamen Memento Mori


#98
Okay, typing these up as I go.

* You know about the front page already. No idea what it ran on so I don't know if restoring from a backup is sufficient. That's the place where I am unsure as to how it was broken.

* People have had the ability to upload files to the server. You need to check for strange files which should not be there. The illustrious "Gaza hacker" has been using a shell on the server. Shell means a hacker's hidden control panel.

* Check the contents of the file vb/profilecustomize.php. It's been modified. Restore it from a known good version or just ensure it's not malicious.

Crap, there might be something much worse on here. Back soon!

Yeah, I think you're largely SOL :/ Rob, you got Skype?
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man


#99
To us, it is the BEAST.


Originally posted by Solver:
    * People have had the ability to upload files to the server. You need to check for strange files which should not be there. The illustrious "Gaza hacker" has been using a shell on the server. Shell means a hacker's hidden control panel.
Any reason to not just delete any new files on the server from the 28th on?
AC2- the most active SMAC(X) community on the web.
JKStudio - Masks and other Art

No pasarán


Originally posted by Buster's Uncle:
    Any reason to not just delete any new files on the server from the 28th on?
Well, some for instance just turned out to date back to the 26th. If a time can be established when the server was secure, rolling back to that date is of course an option, but the solution will be up to Martin in the end.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man
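A defender-side script for the checks in #98 and for the question just above about deleting everything newer than the 28th, added here as an example rather than anything posted in the thread: it lists files modified after a cutoff date, then does the more reliable check of comparing the web root file by file against a clean copy of the same software version, flagging added, modified and removed files. It assumes POSIX sh with find, sort, cmp, touch and mktemp; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: triage a compromised web root.
# Assumes POSIX sh with find, sort, cmp, touch -t and mktemp; REFERENCE is a
# clean copy of the same software version (e.g. a fresh unpack of the forum).

# List files under tree $1 modified after cutoff $2, given in touch -t form
# (CCYYMMDDhhmm, e.g. YYYYMM280000 for midnight on the 28th). An intruder can
# reset mtimes with touch, and some files turned out to "date back to the
# 26th", so treat this listing as a first pass only.
files_newer_than() {
    stamp=$(mktemp)
    touch -t "$2" "$stamp"
    (cd "$1" && find . -type f -newer "$stamp" | LC_ALL=C sort)
    rm -f "$stamp"
}

# Compare web root $1 against reference tree $2 byte for byte, independent of
# timestamps. Prints ADDED (not in the reference, e.g. an uploaded shell),
# MODIFIED (e.g. vb/profilecustomize.php) and REMOVED lines, one per file.
compare_to_reference() {
    web=$1
    ref=$2
    (cd "$web" && find . -type f | LC_ALL=C sort) | while read -r f; do
        if [ ! -f "$ref/$f" ]; then
            printf 'ADDED %s\n' "$f"
        elif ! cmp -s "$web/$f" "$ref/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
    (cd "$ref" && find . -type f | LC_ALL=C sort) | while read -r f; do
        [ -f "$web/$f" ] || printf 'REMOVED %s\n' "$f"
    done
}
```

Because mtimes can be reset, the timestamp listing is only a starting point; the comparison against the clean copy is what actually answers whether a file such as vb/profilecustomize.php has been altered.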


So, update on the status of the site.

I cleaned out the ad injections, and it also turned out every page of the forums was silently linking to a Russian web-dev site. That's done. Malicious code from the forums is probably gone, and if any remains I am quite certain it is not active now. The main security hole people were using to deface the site every 5 minutes is closed.

On the downside, hackers also managed to upload - on several occasions - some so-called shells to the server, granting them a considerable level of access. At least once, a root privilege escalation was attempted. Acquiring root privileges means full access to every detail of the server (that's what the server owners normally have). I can't say if this attempt to acquire root privileges succeeded or not, but even if not, some people have had access to many parts of the server.

That means that, even outside the forum, anything might have been compromised, and some significant repairs will be needed. Martin will presumably take care of that, but this is understandably a bad situation.
Solver, WePlayCiv Co-Administrator
Contact: solver-at-weplayciv-dot-com
I can kill you whenever I please... but not today. - The Cigarette Smoking Man


So I guess we all should change passwords then? Anything else we should be wary of?
Do not fear, for I am with you; Do not anxiously look about you, for I am your God.-Isaiah 41:10
I praise you because I am fearfully and wonderfully made - Psalms 139.14a
Also active on WePlayCiv.


Thanks for your help Solver!!!
Nice chatting with you as well!
Formerly known as "CyberShy"
Carpe Diem tamen Memento Mori


Originally posted by Nikolai:
    So I guess we all should change passwords then?
I would think there's no use until all the holes are closed, is there?
AC2- the most active SMAC(X) community on the web.
JKStudio - Masks and other Art

No pasarán