Total Commander forum re-opened after hacks


ghisler(Author)
Site Admin
Posts: 50541
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Total Commander forum re-opened after hacks

Post by *ghisler(Author) »

Dear users of Total Commander!

Unfortunately the entire posting database of the Total Commander forum was deleted last Friday by a script kiddy (a wannabe hacker who uses other people's exploits). I have restored Thursday morning's daily backup now, so all posts after this time have been lost.

But before re-opening the forum, I wanted to fully understand what was going on, to avoid that the exact same hack could be used again. The hack was possible because of a very bad security hole in some code which the phpbb makers had "borrowed" from someone else, probably without fully understanding it. See below for a detailed analysis. The hole was found in phpbb 2.0.10 and earlier about 2 weeks ago - too short for me to know about it. :(

You may want to change your forum password, because the hacker may have read it. I didn't find a trace of this in the logs, but it may have happened earlier. I will not inform users by mass mailing, because what you can do with a forum account is very limited. I did check that there are no additional admin accounts.

If you have a phpbb board yourself, you should quickly update to the latest version 2.0.11! You should also look for backdoors on the server - additional phpbb files which shouldn't be there.

Please only post in this thread about this incident. Thanks!

==============================================
Now for those technically interested in the reason of the hack. Please don't read it if you aren't a developer yourself. The following lines in viewtopic.php are the problem:

if ($highlight_match)
{
// This was shamelessly 'borrowed' from volker at multiartstudio dot de
// via php.net's annotated manual
$message = str_replace('\"', '"',substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se',
"preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')",
'>' . $message . '<'), 1, -1));
}

It took me quite a while to understand this rather unusual regular expression code. It's easier to understand when split into two lines:

$repvalue = "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')";

$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', $repvalue, '>' . $message . '<'), 1, -1));

What happens here is that the entire contents of $highlight_match are pasted AS CODE into the variable $repvalue. On the second code line, this code is then EXECUTED when its regular expression is evaluated, because of the #se flags in the regular expression. This is really a very stupid thing to do! The following code also works, but doesn't have the security risk:

$repvalue = "preg_replace('#\b(' . \$highlight_match . ')\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')";
(the second line remains unchanged).

Now what is different with this code? Here we do not paste the contents of the variable $highlight_match, but only its name. Now the variable is only replaced with its contents when the second line is evaluated - so even if it contains malicious injected code, it could never execute it.
Author of Total Commander
https://www.ghisler.com
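The analysis above shows why pasting the highlight words into code that the `e` modifier then evaluates is the problem. The following is an added example, not phpBB's code and not part of the original post: it rewrites the same highlighting with preg_replace_callback(), so the highlight words only ever reach preg_replace() as an escaped pattern, never as PHP source. The function name, the simplified outer regex (text between `>` and `<`, instead of the recursive pattern quoted above) and the sample message are assumptions made for this example; it needs PHP 7.4 or later.

```php
<?php
// Added example (not phpBB's code): keyword highlighting without the /e
// modifier. Highlight words are data only: escaped with preg_quote() and
// never interpolated into PHP source. The outer pattern is a simplified
// stand-in for the recursive one quoted in the post (text between '>' and '<').

function highlight_message(string $message, array $words, string $color): string
{
    // Drop empty words, then escape regex metacharacters in the rest.
    $quoted = array_map(
        static fn(string $w): string => preg_quote($w, '#'),
        array_filter($words, static fn(string $w): bool => $w !== '')
    );
    if (!$quoted) {
        return $message;
    }
    $pattern = '#\b(' . implode('|', $quoted) . ')\b#i';

    // The colour lands inside an HTML attribute, so validate it instead of
    // trusting whatever the theme table holds.
    if (!preg_match('/^[0-9a-fA-F]{3,6}$/', $color)) {
        $color = '000000';
    }

    // Wrap the message so every text run sits between '>' and '<', exactly
    // as the original code does, and replace only inside those runs.
    $wrapped = '>' . $message . '<';
    $result = preg_replace_callback(
        '#>([^<>]*)<#',
        function (array $m) use ($pattern, $color): string {
            $inner = preg_replace(
                $pattern,
                '<span style="color:#' . $color . '"><b>$1</b></span>',
                $m[1]
            );
            return '>' . $inner . '<';
        },
        $wrapped
    );
    // Strip the wrapper characters again (fall back to the input on error).
    return $result === null ? $message : substr($result, 1, -1);
}

// Constructed sample input for the example.
$message = 'Hello <b>world</b>, the highlighted word is world';

// A normal highlight list.
echo highlight_message($message, ['world'], 'ff0000'), "\n";

// A word containing regex metacharacters and quotes: with the original /e
// construction this string would have become part of the evaluated PHP
// expression; here it is escaped and simply fails to match anything.
echo highlight_message($message, ["wor(ld')"], 'ff0000'), "\n";
```

The difference to the author's one-line fix is that no replacement string is evaluated at all: the highlight words are turned into a literal alternation up front, and the callback is an ordinary closure, so there is no second round of interpretation for an injected value to reach.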
AlleyKat
Senior Member
Posts: 203
Joined: 2003-06-15, 10:51 UTC
Location: for personal info, see wiki

Post by *AlleyKat »

:| The exploit was discovered around nov. 17., and an update released nov. 18. - I notified one of your moderators of this problem a little over a week ago, I think (well maybe 2 - 2½), including a link to the quite small and easy fix. I'm sorry it wasn't fast enough - I did point out how critical this was, maybe I should have notified you directly.

I hope you replaced all files in phpBB, as I've seen quite a few examples of these hacks - some of the more able ones (seen from IPs from Brazil and the Netherlands) actually include backdoors placed in various files in phpBB - a good pointer is that if the config.php file suddenly contains an include() command, other files are most likely 'infected' too.

I'd like the IPs of the attackers if possible; we're building a 'known hacker IPs' list on the Danish phpBB support forum to permanently block out known offenders, scriptkiddies or no scriptkiddies - no presents from Santa to those people no matter what. :x
Translate your favorite Mozilla Extension ~ Your Language Is Important Too.
#tcmd on irc.freenode.net - the place to idle
ghisler(Author)
Site Admin
Posts: 50541
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2AlleyKat
Unfortunately no one informed me, and I'm the only one who has the rights to replace files here. Please notify me directly next time. I have now found an RSS feed for phpbb announcements, so it should be easier to know about security updates.

I downloaded all files and made byte by byte checks, but there were no changes since the files are read-only for the user under which the web browser runs. There were some additional backdoor files in the avatars directory, though, which I have deleted now. Having such a writeable directory is quite a security risk - do you know any mod which stores the avatars in the database instead?

The attacker IPs from the last 24 hours log file are:
199.203.54.66
172.176.178.240
216.247.70.241
69.156.102.188
64.229.20.199
62.254.0.14
212.113.164.99
200.222.215.254
200.161.251.251
212.244.189.170
200.217.145.227
24.163.193.112
201.0.74.110
200.199.133.137
24.163.193.112
66.119.13.4
68.159.65.96
200.40.117.107

Many of these just sent a single 'ls' command, probably to check whether the site was updated or not.
Author of Total Commander
https://www.ghisler.com
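Two indicators come up in the posts above: AlleyKat's note that a compromised board tends to show an include() of a remote site in config.php or the login files, and Christian's byte-by-byte comparison of the installed files plus the stray PHP files he found in the writeable avatars directory. The script below is an added example (not phpBB's code and not part of any post here) that checks a phpBB tree for exactly those three things. The function name, the manifest format (relative path to SHA-256) and the temporary demo tree it builds are assumptions made for the example.

```php
<?php
// Added example, not phpBB's own code: an integrity check for a phpBB tree
// built on the indicators discussed in this thread:
//   1. PHP-executable files inside a writeable upload directory (images/avatars)
//   2. include()/require() of a remote URL in any .php file
//   3. files whose content differs from a known-good copy (hash manifest)
// The manifest format and all paths are assumptions for this example.

function scan_board(string $root, array $upload_dirs, array $known_good = []): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        $path = $file->getPathname();
        // Path relative to the board root, normalised to forward slashes.
        $rel  = str_replace('\\', '/', ltrim(substr($path, strlen($root)), '/\\'));

        // 1. Anything the web server would execute as PHP does not belong
        //    in a directory that the web server is allowed to write to.
        if (preg_match('/\.(php\d?|phtml|phar)$/i', $rel)) {
            foreach ($upload_dirs as $dir) {
                $prefix = rtrim($dir, '/') . '/';
                if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
                    $findings[] = "$rel: PHP file inside upload directory";
                }
            }
        }

        if (preg_match('/\.php$/i', $rel)) {
            $src = file_get_contents($path);
            // 2. include/require pulling code from another host.
            if ($src !== false &&
                preg_match('/\b(include|require)(_once)?\s*\(?\s*[\'"](https?|ftp):\/\//i', $src)) {
                $findings[] = "$rel: include/require of a remote URL";
            }
            // 3. Compare with the known-good manifest (relative path => sha256).
            if (isset($known_good[$rel]) && hash_file('sha256', $path) !== $known_good[$rel]) {
                $findings[] = "$rel: content differs from known-good copy";
            }
        }
    }
    sort($findings);
    return $findings;
}

// Constructed demo tree in a temporary directory so the example runs offline.
$root = sys_get_temp_dir() . '/phpbb_scan_demo_' . getmypid();
@mkdir("$root/images/avatars", 0777, true);
file_put_contents("$root/config.php",
    "<?php\n\$dbhost = 'localhost';\ninclude('http://example.invalid/x.txt');\n");
file_put_contents("$root/viewtopic.php", "<?php\n// clean file\n");
file_put_contents("$root/images/avatars/user42.gif", "GIF89a");
file_put_contents("$root/images/avatars/unexpected.php", "<?php\n// should not be here\n");

// Manifest for the files we have a trusted copy of (here: just viewtopic.php).
$manifest = ['viewtopic.php' => hash('sha256', "<?php\n// clean file\n")];

foreach (scan_board($root, ['images/avatars'], $manifest) as $finding) {
    echo $finding, "\n";
}
```

Run it against a real board with the manifest generated from a freshly downloaded release archive, so that the third check reports every file that deviates from upstream; the first two checks need no reference copy at all, which is why they are the quickest thing to look at right after an incident.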
Lefteous
Power Member
Posts: 9537
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

2ghisler(Author)
There were some additional backdoor files in the avatars directory, though, which I have deleted now. Having such a writeable directory is quite a security risk - do you know any mod which stores the avatars in the database instead?
I have found this:
http://www.phpbbhacks.com/download/3306
http://www.phpbbhacks.com/download.php?id=3306 (Download)

I hope it's what you are looking for.
SanskritFritz
Power Member
Posts: 3693
Joined: 2003-07-24, 09:25 UTC
Location: Budapest, Hungary

Post by *SanskritFritz »

I think I can speak for everyone here: thank you for having such frequent backups! This is again proof of Christian's very careful mind and one more reason to trust TC in our daily work! :-)
I switched to Linux, bye and thanks for all the fish!
bollino
Junior Member
Posts: 34
Joined: 2003-10-24, 08:12 UTC

Post by *bollino »

SanskritFritz wrote: I think I can speak for everyone here: thank you for having such frequent backups! This is again proof of Christian's very careful mind and one more reason to trust TC in our daily work! :-)
True words!

Bo*
Helix751
Senior Member
Posts: 241
Joined: 2004-06-16, 21:16 UTC
Location: Chile

Post by *Helix751 »

:?: How bad can the password security compromise issue you mentioned be?

Can the forum's passwords list be read/decrypted as easily as you mention? In other words: Aren't they stored in an encrypted form on the server like *nix passwords are (one way encryption like MD5, SHA1 or the like)?
Regards,
Sergio

TCmd license #12059
TC11.03x86/x64 | Win11 Pro
Lefteous
Power Member
Posts: 9537
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

2AlleyKat
I have asked all other moderators and they confirm that they haven't received any notifications about the phpbb exploit. I haven't received a notification about the phpbb exploit either.
ghisler(Author)
Site Admin
Posts: 50541
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2Villampiro
Yes, phpbb stores only the md5 hashes of the passwords. You cannot get the password directly this way, but you can use a brute force attack to try 100'000s of passwords (lexicon attack) offline, something which you can't do so quickly online. Therefore if you have a strong password this should be no problem.
Author of Total Commander
https://www.ghisler.com
Clo
Moderator
Posts: 5731
Joined: 2003-12-02, 19:01 UTC
Location: Bordeaux, France

I can confirm

Post by *Clo »

2Lefteous
:) Hello Christian!
- I can confirm for myself: I have not received any message from AlleyKat, sorry.

:mrgreen: V G
Claude
Clo
#31505 TC French translator | Help in French | French tutorials | English tutorials
Hacker
Moderator
Posts: 13142
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

Christian,
you can use a brute force attack
Does phpbb not add any kind of salt to the passwords?

Roman
Suppose you press Ctrl+F, choose the FTP connection (with a saved password), but instead of clicking Connect you drop dead.
ghisler(Author)
Site Admin
Posts: 50541
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

No, it uses a check like this:
if (md5($password) == $row['user_password']) ...

But a salt wouldn't help in this case either, because it would have to be stored somewhere, so the attacker could download it with the md5 checksums of the passwords.
Author of Total Commander
https://www.ghisler.com
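The md5 comparison quoted above and the discussion of offline dictionary attacks in the earlier post are illustrated by the following added example (not phpBB's code and not part of any post here). It puts the unsalted md5 check next to a per-user salted, deliberately slow hash as PHP's password_hash() produces it, and shows the concrete property that the salt changes: two users with the same password get the same md5 value, so a dictionary hashed once can be looked up against every row of a stolen table, while the salted rows differ and each has to be attacked on its own. The function names and the sample user rows are assumptions made for the example; it needs PHP 5.5 or later for password_hash().

```php
<?php
// Added example, not phpBB's code: the unsalted md5 check next to a salted,
// slow hash. Names and sample data are constructed for this example.

// Legacy scheme (phpBB 2): compare md5($password) to the stored value.
// hash_equals() is used instead of '==' so the comparison is constant-time.
function legacy_hash(string $password): string
{
    return md5($password);
}
function legacy_check(string $password, string $stored): bool
{
    return hash_equals($stored, legacy_hash($password));
}

// Modern scheme: password_hash() draws a random salt per call and embeds it,
// together with the cost factor, in the returned string; password_verify()
// reads both back, so nothing extra has to be stored in another column.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}
function modern_check(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed sample rows: two users happened to choose the same weak password.
$users = ['alice' => 'summer2004', 'bob' => 'summer2004'];

$legacy = array_map('legacy_hash', $users);
$modern = array_map('modern_hash', $users);

// Same password: identical under md5, different under salted bcrypt.
echo 'md5 rows equal:    ', var_export($legacy['alice'] === $legacy['bob'], true), "\n";
echo 'bcrypt rows equal: ', var_export($modern['alice'] === $modern['bob'], true), "\n";

// Both schemes accept the right password and reject a near miss.
echo 'legacy ok:  ', var_export(legacy_check('summer2004', $legacy['alice']), true), "\n";
echo 'modern ok:  ', var_export(modern_check('summer2004', $modern['bob']), true), "\n";
echo 'modern bad: ', var_export(modern_check('Summer2004', $modern['bob']), true), "\n";

// With unsalted md5 a stolen table is matched against a dictionary that is
// hashed once and reused for every user (constructed dictionary).
$dictionary = ['letmein', 'qwerty', 'summer2004'];
$lookup = array_flip(array_map('md5', $dictionary));   // md5 value => index
foreach ($legacy as $name => $stored) {
    echo $name, ': ', isset($lookup[$stored]) ? 'matches a dictionary word' : 'no match', "\n";
}
// No such shared table exists for the bcrypt rows: each candidate would have
// to be re-hashed with that user's own salt, at bcrypt cost, per user.
```

The salt is stored with the hash, as the post says, and it does not stop someone from guessing one user's weak password. What it does remove is the ability to reuse one set of precomputed hashes across all users, and the cost factor makes every remaining guess expensive; a strong password is still what protects an individual account.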
AlleyKat
Senior Member
Posts: 203
Joined: 2003-06-15, 10:51 UTC
Location: for personal info, see wiki

Post by *AlleyKat »

ghisler(Author) > I'll mail you directly if something like this comes up again; however, I doubt it will as general security in the system should be pretty well worked over now. Thanks for the IP list, I'll add those to the Danish list of known phpBB hacker sources.

Other known 'bad ips' that we've been notified about:


200.161.251.121
200.142.180.4
62.139.87.152
66.105.104.36
59.104.51.64
195.225.246.100
212.120.187.202
217.17.191.77
(Brazil, Brazil, Egypt, US, Taiwan, Moldova, Russia, Russia)


Lefteous > I mailed either you, Ghisler or Hacker with this info, and did receive the copy of the mail myself. I deleted it over a week ago, though, so I can't quite be sure which of you I sent it to - but I think it was Hacker; I imagined you guys have a private moderator forum for this kind of thing and I think I didn't want to bother Ghisler with it, he probably receives tons of mail already. Won't make that mistake again though. ;)
The mail contained a warning of how critical this update is, mentioned that especially Brazilian hackers were using the script, and that the script used to hack phpBB was 'in the wild'. It also contained a pointer to this quick-fix which would have prevented the hackers from using the exploit.

Villampiro > phpBB passwords in the DB are one-way MD5-hashed - they cannot under any circumstances be decrypted. BUT! In one of the hacked boards I've assisted in restoring, we found an include() command linked to a Brazilian site in a file related to the login.php file (login procedure), which very well could have stored the username and password on a remote location for users logging in to the board after it was hacked - we suspect they wanted to use this for stealing the admin's password and thus have full control over the forum even after a thorough cleanup. We closed the board, cleaned the files, then changed passwords for users with rights.
Translate your favorite Mozilla Extension ~ Your Language Is Important Too.
#tcmd on irc.freenode.net - the place to idle
ghisler(Author)
Site Admin
Posts: 50541
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

No .php files were modified in my board (also not login.php) because the web server had no write rights to them. So no passwords should have been logged.
Author of Total Commander
https://www.ghisler.com
AlleyKat
Senior Member
Posts: 203
Joined: 2003-06-15, 10:51 UTC
Location: for personal info, see wiki

Post by *AlleyKat »

In the mentioned case, the hackers had gained root & FTP access to the server, unfortunately. Many webhosts use the same password for several types of access, which made it easy I guess. The primary indicator was the edited config.php file.

Glad you're safe from that. :)
Translate your favorite Mozilla Extension ~ Your Language Is Important Too.
#tcmd on irc.freenode.net - the place to idle