Unauthorised code execution? (Read 2,366 times)
xnoddyx (Support Team, Documentation Team, YaBB Moderators, YaBB Next Team, Beta Testers)
Posts: 1,584
Location: UK:Scotland/livingston
Re: Unauthorised code execution?
Reply #8 - Dec 3rd, 2013 at 11:15pm
Bill Myers wrote on Dec 3rd, 2013 at 8:26pm:
I can see from loading your forum that a number of files with Russian extensions are being called upon ...

... just in case you weren't aware.

I see them as well, ggn. See the attached pic bad_js for them; it's in all the js files in the pic.

ggn wrote on Dec 3rd, 2013 at 8:02pm:
Hi there and sorry I haven't replied faster - been too busy with other stuff as usual. In any case, please find the files here.

It's cool. Yeah, the files don't look good; my AV did not like them, so I had to turn it off to have a look at them.

ggn wrote on Dec 3rd, 2013 at 8:02pm:
Now I should say that I'm still going through other stuff with the server guy as the box is running various other things. But for the part of the box I have access to, by looking at the access logs I can only see IPs accessing Yabb at the time the various files appear. For example, for the CSS folder of the rar I posted above, for the time stamp of its creation dates only the following lines appear on the access log:

Sorry ggn, I don't think the web server access log will help you much. It may be better for the server guy to check the FTP logs, if they keep them, or file monitoring logs if they run anything for that, as I think the server backend has been compromised, going by the info from you, the info from Bill about files with Russian extensions being called upon, and me checking on that. At this time I recommend you change your login info for the hosting control panel and FTP, and if that doesn't work then it is more than likely the server backend being compromised.

Attachment: bad_js.jpg (94 KB | 16 Downloads)

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
Bill Myers (God Member, Beta Testers)
Posts: 1,550
Location: Los Angeles
YaBB 2.4
Re: Unauthorised code execution?
Reply #7 - Dec 3rd, 2013 at 8:26pm
I can see from loading your forum that a number of files with Russian extensions are being called upon ...

... just in case you weren't aware.

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
ggn (YaBB Newcomer)
Posts: 19
Re: Unauthorised code execution?
Reply #6 - Dec 3rd, 2013 at 8:02pm
Hi there and sorry I haven't replied faster - been too busy with other stuff as usual. In any case, please find the files here.

Now I should say that I'm still going through other stuff with the server guy as the box is running various other things. But for the part of the box I have access to, by looking at the access logs I can only see IPs accessing Yabb at the time the various files appear. For example, for the CSS folder of the rar I posted above, for the time stamp of its creation dates only the following lines appear on the access log:

Code:
173.208.204.228 - - [30/Nov/2013:11:02:55 +0000] "POST /dbugforums/cgi-bin/yabb2/YaBB.pl?action=register2 HTTP/1.0" 200 12900 "http://dbug.kicks-ass.net/dbugforums/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/20100101 Firefox/17.0"
173.208.204.228 - - [30/Nov/2013:11:03:01 +0000] "GET /dbugforums/cgi-bin/yabb2/YaBB.pl?action=register HTTP/1.0" 200 29938 "http://dbug.kicks-ass.net/dbugforums/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/20100101 Firefox/17.0"
173.208.204.228 - - [30/Nov/2013:11:03:04 +0000] "GET /dbugforums/cgi-bin/yabb2/YaBB.pl?action=13858093;13858093=aDIyCgkPQfVstilfwfUt5mFwSyUnymrtx6c80xTGRqgAWiBDdJw2VWfhHl01oBTuxQ8n2fCVQBamIpL978Tn4pfAgOnKlyPLHyHEDjX40KbPnQxIEkArz4p3VQfW764quKPw1sCNbyEEs8ZP8rISZjYFIAAXvNj1qyN1g95ZmkxZiZrwIrMDycx9uOyKgT9c3w0K1wNA4IzkUDButmOlbIZbCRnQ0BGwI8UnNF1rytofBUe0WQG HTTP/1.0" 200 6795 "http://dbug.kicks-ass.net/dbugforums/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/20100101 Firefox/17.0"
173.208.204.228 - - [30/Nov/2013:11:03:05 +0000] "POST /dbugforums/cgi-bin/yabb2/YaBB.pl?action=register2 HTTP/1.0" 200 12929 "http://dbug.kicks-ass.net/dbugforums/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/20100101 Firefox/17.0"


Now I have no clue what's happening with those huge strings YaBB.pl is passed, but if you guys tell me that they're legit and can't possibly lead to executing malicious stuff I'll simply take your word and look elsewhere for the problem.
  
xnoddyx (Support Team, Documentation Team, YaBB Moderators, YaBB Next Team, Beta Testers)
Posts: 1,584
Location: UK:Scotland/livingston
Re: Unauthorised code execution?
Reply #5 - Nov 23rd, 2013 at 12:50am
ggn wrote on Nov 7th, 2013 at 1:50pm:
(i.e. I would delete all offending files and they would appear again).

Huh, this is bugging my head and has my curiosity now. Do you have a copy of the files you deleted that would appear again? If you do, can I get a copy of them so I can have a look at them? You can send them to my email and then post here that they are sent, so I know even if they end up in my spam box.

Thank you
John
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
Dandello (YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team)
Posts: 2,085
Location: Earth
YaBB 2.6.0
Re: Unauthorised code execution?
Reply #4 - Nov 23rd, 2013 at 12:49am
I'm not a server expert - but I do have one on a home system. In theory, if the php files are being put into your space by someone with direct access to the computer the server is on (as in shell access), you won't see anything in the server access logs because it wasn't using the server to do anything.

It's also possible your host's SMTP server is not as secure as it could be and could be sending out bulk emails because of somebody else's problem.
  

If you only have one solution to a problem you're not trying hard enough!
ggn (YaBB Newcomer)
Posts: 19
Re: Unauthorised code execution?
Reply #3 - Nov 22nd, 2013 at 9:42pm
Well, it's weird, because from some glances at the access log nothing else seems to be going on at the time the html/php files appear in the root dir apart from yabb. I'll keep an eye out for more sightings of these files and have a better report next time.
  
Dandello (YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team)
Posts: 2,085
Location: Earth
YaBB 2.6.0
Re: Unauthorised code execution?
Reply #2 - Nov 18th, 2013 at 1:58am
Okay - the action with a number is legit. The second section of the query is supposed to be a session ID - also legit. So unless there's evidence to show otherwise, the two examples are of legitimate YaBB query strings coming out of the Registration page. Neither of those queries should lead to YaBB sending out mass mailings - assuming YaBB was what was initiating the mass e-mailings. (If I wasn't so swamped with other things - like getting my main computer fixed - I would have realized this sooner.)
  

If you only have one solution to a problem you're not trying hard enough!
Dandello (YaBB Administrator, YaBB Next Team, Operations Team, Beta Testers, Support Team)
Posts: 2,085
Location: Earth
YaBB 2.6.0
Re: Unauthorised code execution?
Reply #1 - Nov 13th, 2013 at 3:22pm
My guess is those php files are the actual source of the injection - since they're in the same domain they're getting past YaBB's domain checks and calling for YaBB to send out crap.

The action statement in the example is a message number. It's the secondary query that's causing the problem. I think an action statement catcher that catches bad action calls might work. Have to think on that one.
« Last Edit: Nov 18th, 2013 at 1:58am by Dandello »  

If you only have one solution to a problem you're not trying hard enough!
ggn (YaBB Newcomer)
Posts: 19
Unauthorised code execution?
Nov 7th, 2013 at 1:50pm
Hi guys,

First of all apologies if what I'm about to post is already taken care of - I just stumbled across it and thought I'd mention it here. I simply don't have enough time to check all bug reports! Anyway...

Lately the server where I host yabb started trying to send mass emails, and some php files were found in the root of the internet directory. After some fiddling around to see who was at fault, I checked the server logs. There I found lines like the following:

178.235.232.3 - - [07/Nov/2013:00:05:02 +0000] "GET /x/cgi-bin/yabb2/YaBB.pl?action=13837827;13837827=I18L8TyhyvXXIefHGv9DR1ysgUaq3IRsy3CvHQiEpjzA3lHoOSilTpfeikZM9ruw2QfZll5OFYwqmlSx5mrayl5w2ApmJnGTuxqWq6i6jqq4Rwby72swxnMdei8LWjC4SlxgCSZdjYM9ZvOK2ThBrFW5kwoco6TppeZUAfDRvXxD8nxwyd0z0vDMxMRQ2GjwWOflXwlZ4nVddOge5OY54rTGwNpAZVjvxfrfZ9Po3TtPqGufwgP HTTP/1.1" 200 12533 "http://x.x.x.x/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

178.235.232.3 - - [07/Nov/2013:00:05:15 +0000] "GET /x/cgi-bin/yabb2/YaBB.pl?action=13837827;13837827=2sjSTrEYjh9chXlHa8W0dg3Mpaw3ogvaxwIWX6hsmNfgS67uxcleP4VrQsNGrmkjsAtfx2vnHqAo4aXBs3LcMmcw77I5Qybfi6uPUL9NAwGEHQbhqGq2351u4IgAaayatv6gDonSKav0nd0nDfM2hMAQiAFeI0YUcTut3igbZyuVerygCETF1l8QIXxpWQuG7Nfm6g65mnJeOLyWrs2daqO0TTPQQ1vsN2cyBlqCcjzYsHORSwQ HTTP/1.1" 200 13170 "http://x.x.x.x/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

I dunno much about perl, but it really seems like some sort of code injection. I upgraded to 2.5.2 to see if this would be fixed, but alas it seemed that the problem persisted (i.e. I would delete all offending files and they would appear again).

Disheartened, I then had an idea. I went to Yabb.pl. After the lines:

Code:
### Version Info ###
$YaBBversion = 'YaBB 2.5.2';
$YaBBplver = 'YaBB 2.5.2 $Revision: 1.1 $';

I added

Code:
# discard any request whose action parameter is longer than 20 characters
if (length($action) > 20 ) {return -1;}

so all calls to Yabb.pl that have large strings would be discarded, and the problem seems to have gone away (it's been a week now and things have been stable).

Anyway, that's my experiences - hope they're useful to anyone!

Edited:
Removed some site-specific urls
« Last Edit: Nov 7th, 2013 at 1:51pm by ggn »  
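As an added example (not code from this thread or from the YaBB project), the script below does from a defender's side the two things discussed in this thread: it parses Apache combined-format access log lines like the ones ggn quoted, lists the requests that fall inside a window around the creation time of a suspect file (the correlation ggn did by hand and xnoddyx doubted would be enough on its own), and flags any request whose query parameter value exceeds the 20-character limit ggn put into YaBB.pl, plus any action value that is neither a word nor a numeric message id. The log lines, the addresses 203.0.113.7 and 198.51.100.9, the host forum.example and the file creation time are all constructed for the example; the five-minute window and the expected shape of an action value are assumptions to tune for your own site. It goes slightly beyond the thread by also checking the shape of the action value, which is Dandello's "action statement catcher" idea applied to logs rather than to YaBB.pl itself.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/NCSA "combined" log format, the layout of the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ggn's threshold from the thread: YaBB.pl drops requests whose action is over 20 chars.
MAX_PARAM_LEN = 20
# Assumption for this example: a normal YaBB action is a word (register, display, ...)
# or a numeric message id; anything else is worth a look.
ACTION_SHAPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9_]*|\d+)$')


def split_query(query):
    """Split a query string into (key, value) pairs. YaBB joins parameters with ';'
    (action=NNN;NNN=...), so both ';' and '&' are accepted as separators."""
    params = []
    for part in re.split(r'[;&]', query):
        if part:
            key, _, value = part.partition('=')
            params.append((key, value))
    return params


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['params'] = split_query(urlsplit(rec['target']).query)
    return rec


def review_reasons(rec, max_len=MAX_PARAM_LEN):
    """Reasons a request deserves a human look; an empty list means nothing odd.
    Per Dandello's point in the thread, a long second parameter can be a legitimate
    session id, so this queues requests for review rather than proving an attack."""
    reasons = []
    for key, value in rec['params']:
        if key == 'action' and not ACTION_SHAPE.match(value):
            reasons.append(f'action value {value!r} has an unexpected shape')
        if len(value) > max_len:
            reasons.append(f'parameter {key!r} value is {len(value)} chars (limit {max_len})')
    return reasons


def analyse(lines, file_created, window=timedelta(minutes=5), max_len=MAX_PARAM_LEN):
    """Correlate access-log lines with the creation time of a suspect file.
    Returns the parsed count, the requests within +/- window of file_created,
    the subset of those with review reasons, and the source IPs seen in the window."""
    records = [r for r in map(parse_line, lines) if r is not None]
    near = [r for r in records if abs(r['ts'] - file_created) <= window]
    flagged = [(r, review_reasons(r, max_len)) for r in near]
    flagged = [(r, why) for r, why in flagged if why]
    return {
        'parsed': len(records),
        'near_file': near,
        'flagged': flagged,
        'source_ips': sorted({r['ip'] for r in near}),
    }


# Constructed sample lines modelled on the thread's quotes: 203.0.113.7 and 198.51.100.9
# are documentation addresses and forum.example is a placeholder host, not real data.
LONG_TOKEN = 'k' * 200
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Nov/2013:11:02:55 +0000] "POST /cgi-bin/yabb2/YaBB.pl?action=register2 HTTP/1.0" 200 12900 "http://forum.example/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (constructed)"',
    '203.0.113.7 - - [30/Nov/2013:11:03:01 +0000] "GET /cgi-bin/yabb2/YaBB.pl?action=register HTTP/1.0" 200 29938 "http://forum.example/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (constructed)"',
    f'203.0.113.7 - - [30/Nov/2013:11:03:04 +0000] "GET /cgi-bin/yabb2/YaBB.pl?action=13858093;13858093={LONG_TOKEN} HTTP/1.0" 200 6795 "http://forum.example/cgi-bin/yabb2/YaBB.pl?action=register" "Mozilla/5.0 (constructed)"',
    '198.51.100.9 - - [30/Nov/2013:12:30:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)"',
    'not an access log line at all',
]
# Constructed creation time of the suspect file (what you would read off ls --full-time).
FILE_CREATED = datetime(2013, 11, 30, 11, 3, 0, tzinfo=timezone.utc)

if __name__ == '__main__':
    result = analyse(SAMPLE_LOG, FILE_CREATED)
    print(f"parsed {result['parsed']} lines, {len(result['near_file'])} within the window, "
          f"source IPs: {', '.join(result['source_ips'])}")
    for rec, why in result['flagged']:
        print(rec['ts'].isoformat(), rec['ip'], rec['target'][:60] + '...')
        for reason in why:
            print('   ', reason)
```

Run it against a real log with `analyse(open('access.log').readlines(), created)`, where `created` is the file's timestamp converted to an aware datetime. Bear in mind what xnoddyx and Dandello say above: if the files are being written over FTP or a shell, the web access log can be completely quiet at the relevant time, so an empty `near_file` list is itself a useful finding, not a dead end.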