Mass File Injection Attack?!?

t0mat0
Registered User
Posts: 3
Joined: Thu Apr 03, 2008 8:04 am

Post by t0mat0 » Tue May 13, 2008 9:07 am

Found this message almost everywhere - is this a fake or what?


Mass File Injection Attack
Published: 2008-05-11,
Last Updated: 2008-05-11 21:48:56 UTC
by David Goldsmith (Version: 1)

We received a report from Mike this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a Google search for these two URLs, you get about 400,000 sites that have a call to this JavaScript file included in them now. The major portion of the sites seem to be running phpBB forum software.

If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
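
The proxy-log check suggested in the quoted advisory, as an added example that is not part of the original post or the advisory. It assumes Squid's native access.log layout (client in field 3, URL in field 7); the sample log lines are constructed.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed (defanged) in the quoted advisory.
DEFANGED_IOCS = ["hxxp://free.hostpinoy.info/f.js", "hxxp://xprmn4u.info/f.js"]

# Constructed sample records in Squid native format (assumed log layout).
SAMPLE_LOG = [
    "1210669620.101 215 10.0.0.15 TCP_MISS/200 1843 GET http://free.hostpinoy.info/f.js - DIRECT/203.0.113.7 application/x-javascript",
    "1210669633.440  98 10.0.0.22 TCP_MISS/200 5120 GET http://www.google.com/search?q=xprmn4u.info - DIRECT/203.0.113.9 text/html",
    "1210669641.007 301 10.0.0.31 TCP_MISS/200 1843 GET http://XPRMN4U.info/f.js - DIRECT/203.0.113.8 application/x-javascript",
    "1210669650.870  40 10.0.0.15 TCP_MISS/200 0 CONNECT www.xprmn4u.info:443 - DIRECT/203.0.113.8 -",
]

def ioc_hosts(defanged):
    """Turn defanged 'hxxp://' indicators into a set of lowercase hostnames."""
    return {urlsplit(u.replace("hxxp", "http", 1)).hostname for u in defanged}

def request_host(url_field):
    """Host of a log URL field: 'http://h/p' for GET, 'h:443' for CONNECT."""
    if "://" not in url_field:
        url_field = "//" + url_field      # CONNECT records carry host:port only
    return (urlsplit(url_field).hostname or "").lower()

def find_hits(log_lines, hosts):
    """Return (client_ip, host, url) for requests to an IoC host or a subdomain.

    Matching is done on the request host only, so a search-engine query that
    merely mentions an indicator is not reported as a connection attempt.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue                      # not a native-format record
        client, url = fields[2], fields[6]
        host = request_host(url)
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append((client, host, url))
    return hits

def clients_to_clean(log_lines, hosts):
    """Internal clients that contacted an IoC host and may need cleanup."""
    return sorted({client for client, _, _ in find_hits(log_lines, hosts)})

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, ioc_hosts(DEFANGED_IOCS)):
        print(hit)
```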

3Di
Former Team Member
Posts: 14071
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Mass File Injection Attack?!?

Post by 3Di » Tue May 13, 2008 12:17 pm

I did submit a security ticket after having read this. :geek:
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

alecrust
Registered User
Posts: 348
Joined: Thu Mar 27, 2008 11:24 am
Location: London, UK

Re: Mass File Injection Attack?!?

Post by alecrust » Tue May 13, 2008 12:19 pm

It seems to be true, but I'm not sure which version of phpBB this is. Must be 2.

More info: http://computerworld.com/action/article ... rc=hm_list

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: Mass File Injection Attack?!?

Post by ChrisRLG » Tue May 13, 2008 1:28 pm

The team are aware.

I believe these are version 2 - and not the latest version of v2 either - v2.0.23 is, at the current time, I believe, immune from this attack.

A quote from your last link.
Don't expect the run of site infections to stop anytime soon, said Trend Micro's Ferguson. "As long as attacks are tied to site development and as long as sites don't secure their content, we'll see these attacks," he said.
So if you are fully up to date you should be OK.
phpBB: The All Important Rules - Bertie Bear 3.0 - No support via PM system - use the forums please.
phpBB v2: Retirement (1/1/2009) : phpBB v3: Read Me Topic - Custom BBCodes - Support Template
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."
My Links: MS MVP (Consumer Security) - Malware Removal:University - Own Forum: Custom BBCode testing

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: Mass File Injection Attack?!?

Post by ChrisRLG » Tue May 13, 2008 1:32 pm

Moving to v2 discussion - as this topic should not be in GD.

t0mat0
Registered User
Posts: 3
Joined: Thu Apr 03, 2008 8:04 am

Re: Mass File Injection Attack?!?

Post by t0mat0 » Tue May 13, 2008 1:52 pm

ChrisRLG wrote: Moving to v2 discussion - as this topic should not be in GD.
Ok, but let's rewind a second: apart from hints and tips about securing our code, does anybody know how it can be sure that this is ONLY a v2 issue? :?

3Di
Former Team Member
Posts: 14071
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Mass File Injection Attack?!?

Post by 3Di » Tue May 13, 2008 2:26 pm

I believe (right or wrong) it is not an issue at all. :geek:
Anyway, it is not related to phpBB3 AFAIK.

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: Mass File Injection Attack?!?

Post by ChrisRLG » Tue May 13, 2008 2:37 pm

t0mat0 wrote: Ok, but let's rewind a second: apart from hints and tips about securing our code, does anybody know how it can be sure that this is ONLY a v2 issue?
I have seen no confirmed reports of any v3 forum being hacked.

I have seen no confirmed reports of any v2.0.23 forum being hacked.

I am a member of the anti-malware community, and from my contacts within that, I have had no reports of current versions being hacked (only loads of old version forums). In fact some of my contacts have asked me (because they know I am a phpBB.com moderator) about the situation from the anti-malware perspective.

If anyone knows of a current version (v3.0.1 or v2.0.23) being hacked, please report to the incident tracker so they can get this resolved.

alecrust
Registered User
Posts: 348
Joined: Thu Mar 27, 2008 11:24 am
Location: London, UK

Re: Mass File Injection Attack?!?

Post by alecrust » Tue May 13, 2008 2:56 pm

And let us know here so we can all be worried :?

t0mat0
Registered User
Posts: 3
Joined: Thu Apr 03, 2008 8:04 am

Re: Mass File Injection Attack?!?

Post by t0mat0 » Tue May 13, 2008 3:05 pm

ChrisRLG wrote: I have seen no confirmed reports of any v3 forum being hacked.
I have seen no confirmed reports of any v2.0.23 forum being hacked.
Ok, these facts are way much better than any guess or foresight.. :D

Marshalrusty
Project Manager
Posts: 29251
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: Mass File Injection Attack?!?

Post by Marshalrusty » Tue May 13, 2008 4:23 pm

Another discussion about this here.

As I have said in that topic, we currently have no reason to assume that this is being done through the phpBB software itself. The situation is being actively and carefully monitored.
Last edited by drathbun on Tue May 13, 2008 4:54 pm, edited 1 time in total.
Reason: Fixed URL formatting
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

SneakySimian
Registered User
Posts: 31
Joined: Fri Apr 11, 2008 12:31 am

Re: Mass File Injection Attack?!?

Post by SneakySimian » Tue May 13, 2008 10:57 pm

In my research, I've found that a few things are happening:

a) It appears that versions up to and including 2.0.22 are affected, but not 2.0.23.
b) It appears that this is SQL injection.
c) It appears that this is a new vulnerability.
d) It appears that there are at least 3 different groups responsible for this, with battles being done for who can deface a page not with just the URIs in question, but also the group name.
e) It appears that a lot of people are still running phpBB versions that are years out of date.

That's a lot more information than the above article could give you. Gotta love FUD. Idjits.

SneakySimian
Registered User
Posts: 31
Joined: Fri Apr 11, 2008 12:31 am

Re: Mass File Injection Attack?!?

Post by SneakySimian » Wed May 14, 2008 12:58 am

Just to avoid any confusion, by above article, I am referring to the one that Marshalrusty linked to: http://www.phpbb.com/community/viewtopi ... 8&t=953095

MadScientist
Registered User
Posts: 1
Joined: Mon Jun 30, 2003 10:04 pm

Re: Mass File Injection Attack?!?

Post by MadScientist » Wed May 14, 2008 3:14 am

How do we check if we are affected? What tables are altered? What files?

SneakySimian
Registered User
Posts: 31
Joined: Fri Apr 11, 2008 12:31 am

Re: Mass File Injection Attack?!?

Post by SneakySimian » Wed May 14, 2008 4:09 am

MadScientist wrote: How do we check if we are affected? What tables are altered? What files?
I don't know if files are affected, but you would first notice by getting messages from your antivirus (you do run antivirus, right?) while visiting your site. In the database, you would check the sitename in phpbb_config.
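
One way to run the `phpbb_config` check described above, as an added example that is not part of the original post or phpBB's own code. It assumes the default `phpbb_` table prefix and the `config_name` / `config_value` columns, and uses an in-memory SQLite table with constructed rows as a stand-in for the board's MySQL database.

```python
import re
import sqlite3

# Opening <script>/<iframe> tags have no business in a board setting.
TAG_RE = re.compile(r"<\s*(?:script|iframe)\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)

def injected_config_rows(conn, table="phpbb_config"):
    """Return [(config_name, [src values])] for settings holding script/iframe tags."""
    if not re.fullmatch(r"\w+", table):   # identifier cannot be a bound parameter
        raise ValueError("unexpected table name")
    findings = []
    query = f"SELECT config_name, config_value FROM {table}"
    for name, value in conn.execute(query):
        tags = TAG_RE.findall(value or "")
        if tags:
            srcs = [s for tag in tags for s in SRC_RE.findall(tag)]
            findings.append((name, srcs))
    return findings

def demo_db():
    """Constructed stand-in for a phpBB 2 config table (hypothetical values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT)")
    conn.executemany("INSERT INTO phpbb_config VALUES (?, ?)", [
        # placeholder host, not one of the indicators from the thread
        ("sitename", 'My Board<script src="//injected.example/f.js"></script>'),
        ("site_desc", "A <b>friendly</b> forum"),   # harmless markup, not flagged
        ("board_email", "admin@example.org"),
    ])
    return conn

if __name__ == "__main__":
    for name, srcs in injected_config_rows(demo_db()):
        print(f"{name}: script/iframe tag found, src={srcs}")
```

The check scans every setting rather than only `sitename`, since any value echoed into page templates could carry the same tag.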
