
Mass File Injection Attack?!?

Posted: Tue May 13, 2008 9:07 am
by t0mat0
Found this message almost everywhere - is this a fake or what?


Mass File Injection Attack
Published: 2008-05-11
Last Updated: 2008-05-11 21:48:56 UTC
by David Goldsmith (Version: 1)

We received a report from Mike this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a Google search for these two URLs, you get about 400,000 sites that have a call to this JavaScript file included in them now. The major portion of the sites seem to be running phpBB forum software.

If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
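
The proxy-log check the quoted diary recommends, as an added example that is not part of the original post or the diary. It assumes Squid's native access.log field order, and the log lines and client addresses are constructed; matching is done on the parsed request host, so a URL that merely mentions an indicator in its query string is not reported as a connection.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The two indicators, defanged exactly as the quoted diary lists them.
DEFANGED_IOCS = ["hxxp://free.hostpinoy.info/f.js", "hxxp://xprmn4u.info/f.js"]

def refang(url):
    """Turn a defanged 'hxxp://' indicator back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

IOC_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_IOCS}

def clients_contacting_iocs(log_lines):
    """Map each client IP to the indicator URLs it requested.

    Assumed layout (Squid native format; adapt the indexes to your proxy):
    time elapsed client action/code bytes method URL ...
    """
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, method, target = fields[2], fields[5], fields[6]
        try:
            if method == "CONNECT":  # target is host:port, not a URL
                host = target.rsplit(":", 1)[0].lower()
            else:
                host = urlsplit(target).hostname or ""  # hostname is lowercased
        except ValueError:
            continue  # unparseable URL
        # Exact host or a subdomain of it, never a substring of the whole line.
        if any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
            hits[client].append(target)
    return dict(hits)

# Constructed sample log (all client IPs and non-indicator URLs are made up).
URL_A, URL_B = (refang(u) for u in DEFANGED_IOCS)
URL_B_UPPER = URL_B.replace("xprmn4u", "XPRMN4U")
SAMPLE_LOG = [
    f"1210687620.101 210 10.0.0.15 TCP_MISS/200 4312 GET {URL_A} - DIRECT/203.0.113.7 text/javascript",
    f"1210687655.412 198 10.0.0.22 TCP_MISS/200 4312 GET {URL_B_UPPER} - DIRECT/203.0.113.9 text/javascript",
    "1210687701.007 95 10.0.0.31 TCP_MISS/200 901 GET http://forum.example.org/search.php?q=xprmn4u.info/f.js - DIRECT/198.51.100.4 text/html",
    "1210687733.650 40 10.0.0.40 TCP_HIT/200 512 GET http://www.example.com/index.html - NONE/- text/html",
    "1210687740.000 garbage",
]

if __name__ == "__main__":
    for client, urls in clients_contacting_iocs(SAMPLE_LOG).items():
        print(client, len(urls), "request(s)")
```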

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 12:17 pm
by 3Di
I did submit a security ticket after having read this. :geek:

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 12:19 pm
by alecrust
It seems to be true, but I'm not sure which version of phpBB this is. Must be 2.

More info: http://computerworld.com/action/article ... rc=hm_list

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 1:28 pm
by ChrisRLG
The team are aware.

I believe these are version 2 - and not the latest version of v2 either - v2.0.23 is, at the current time, I believe, immune from this attack.

A quote from your last link.
Don't expect the run of site infections to stop anytime soon, said Trend Micro's Ferguson. "As long as attacks are tied to site development and as long as sites don't secure their content, we'll see these attacks," he said.
So if you are fully up to date you should be OK.

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 1:32 pm
by ChrisRLG
Moving to v2 discussion - as this topic should not be in GD.

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 1:52 pm
by t0mat0
ChrisRLG wrote: Moving to v2 discussion - as this topic should not be in GD.
Ok, but let's rewind a second: apart from hints and tips about securing our code, does anybody know how we can be sure that this is ONLY a v2 issue? :?

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 2:26 pm
by 3Di
I believe (right or wrong) it is not an issue at all. :geek:
Anyway it is not related to phpBB3 AFAIK.

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 2:37 pm
by ChrisRLG
t0mat0 wrote: Ok, but let's rewind a second: apart from hints and tips about securing our code, does anybody know how we can be sure that this is ONLY a v2 issue?
I have seen no confirmed reports of any v3 forum being hacked.

I have seen no confirmed reports of any v2.0.23 forum being hacked.

I am a member of the anti-malware community, and from my contacts within that, I have had no reports of current versions being hacked (only loads of old version forums). In fact some of my contacts have asked me (because they know I am a phpBB.com moderator) about the situation from the anti-malware perspective.

If anyone knows of a current version (v3.0.1 or v2.0.23) being hacked, please report to the incident tracker so they can get this resolved.

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 2:56 pm
by alecrust
And let us know here so we can all be worried :?

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 3:05 pm
by t0mat0
ChrisRLG wrote: I have seen no confirmed reports of any v3 forum being hacked.
I have seen no confirmed reports of any v2.0.23 forum being hacked.
Ok, these facts are much better than any guess or foresight. :D

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 4:23 pm
by Marshalrusty
Another discussion about this here.

As I have said in that topic, we currently have no reason to assume that this is being done through the phpBB software itself. The situation is being actively and carefully monitored.

Re: Mass File Injection Attack?!?

Posted: Tue May 13, 2008 10:57 pm
by SneakySimian
In my research, I've found that a few things are happening:

a) It appears that versions up to and including 2.0.22 are affected, but not 2.0.23.
b) It appears that this is SQL injection.
c) It appears that this is a new vulnerability.
d) It appears that there are at least 3 different groups responsible for this, with battles being done for who can deface a page not with just the URIs in question, but also the group name.
e) It appears that a lot of people are still running phpBB versions that are years out of date.

That's a lot more information than the above article could give you. Gotta love FUD. Idjits.

Re: Mass File Injection Attack?!?

Posted: Wed May 14, 2008 12:58 am
by SneakySimian
Just to avoid any confusion, by above article, I am referring to the one that Marshalrusty linked to: http://www.phpbb.com/community/viewtopi ... 8&t=953095

Re: Mass File Injection Attack?!?

Posted: Wed May 14, 2008 3:14 am
by MadScientist
How do we check if we are affected? What tables are altered? What files?

Re: Mass File Injection Attack?!?

Posted: Wed May 14, 2008 4:09 am
by SneakySimian
MadScientist wrote: How do we check if we are affected? What tables are altered? What files?
I don't know if files are affected, but you would first notice by getting messages from your antivirus (you do run antivirus, right?) while visiting your site. In the database, you would check the sitename in phpbb_config.
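
The database check suggested in the last post, as an added example that is not part of the thread or of phpBB's own code. It goes beyond the `sitename` row and scans every value in `phpbb_config` for `<script>` tags; it assumes the injected content is a script tag, uses phpBB 2's `config_name`/`config_value` columns, and runs against an in-memory SQLite stand-in with constructed rows (a real board would be queried through its own database driver).

```python
import re
import sqlite3

# An opening <script ...> tag; group 1 holds its attributes.
SCRIPT_TAG = re.compile(r"<\s*script\b([^>]*)>", re.IGNORECASE)
# A src attribute, quoted or unquoted; group 1 holds the URL.
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def injected_scripts(conn, table="phpbb_config"):
    """Return (config_name, script_src) for every <script> tag in a config value."""
    # The table prefix is configurable per board; accept only a plain identifier.
    if not re.fullmatch(r"\w+", table):
        raise ValueError("unexpected table name")
    findings = []
    query = f"SELECT config_name, config_value FROM {table} ORDER BY config_name"
    for name, value in conn.execute(query):
        for tag in SCRIPT_TAG.finditer(value or ""):
            src = SRC_ATTR.search(tag.group(1))
            findings.append((name, src.group(1) if src else "(inline script)"))
    return findings

def build_sample_db():
    """Constructed stand-in for a phpBB 2 config table; every value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_config (config_name TEXT PRIMARY KEY, config_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO phpbb_config VALUES (?, ?)",
        [
            # Placeholder host, not one of the indicators from the thread.
            ("sitename", 'My Board<script src="http://injected.example.invalid/f.js"></script>'),
            ("site_desc", "A place to talk about scripts"),  # plain text, no tag
            ("board_email", "admin@example.org"),
            ("board_email_sig", None),
        ],
    )
    return conn

if __name__ == "__main__":
    for name, src in injected_scripts(build_sample_db()):
        print(f"{name}: script tag loading {src}")
```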