
Edit: Hacked and Defaced through "Pockets" Addon ?!

phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
edited May 2014 in Vanilla 2.0 - 2.8

Hi all,

One of my 2.0.18.below11 forums has been hacked. There seemed to be no destroying, just a little logo defacing. After I uploaded 2.0.18.11 and started changing passwords and so on, suddenly my forum broke. A sign saying "Juicy" was blinking in the middle of a white page, and the forum was no longer accessible.

I fixed further: changed passwords, deactivated plugins, and now I run into a Smarty error I do not really understand. The new login data for the DB is in the config.php; the database looks clean and nothing is destroyed.

Does anyone have an idea where else I can start to dig?

Thanks


nd the Smarty Cache got deleted.

  • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
  • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla

Comments

  • phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
    edited May 2014

    Ok, it seems it has something to do with PHP. My forum only shows the Smarty error when running under 5.4. Via my .htaccess I can switch back to 5.3 and 5.2 (and turn off Memcached), where the error goes away.

    So there might be an issue with Vanilla 2.0.18.11 in some kind of 5.4 configuration?

    Can someone tell me where the Render Asset HEAD is taken from? I seem to have a JS injection in this code. Thank you!

  • phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

    Alright, I found it.

    Mmh! The hacker inserted three pockets, probably through the "Pockets" addon or maybe Vanilla 2.0.8.10. By adding a BODY inside the HEAD he was able to mask/hide the whole page visually, while it was still there in the source code.

    So, I have no clue, but UPDATE and maybe also stay away from "Pockets".

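Added example, not code from the thread or from the Pockets add-on: a small Python audit of stored pocket bodies that flags the pattern phreak describes (a stray document-level tag such as <body> in a pocket rendered into the head) and inline event handlers. The pocket rows and their Name/Location/Body keys are constructed sample data, and treating Location "Head" as meta/link/style-only is an assumption of this example.

```python
from html.parser import HTMLParser

# Tags that never belong in a pocket body; a <body> inside <head> is the
# trick described in the thread: it hides the page while the source stays intact.
DOCUMENT_TAGS = {"html", "head", "body", "iframe", "object", "embed", "frameset"}
# Assumption for this example: a pocket with Location "Head" is expected to
# hold only head-level markup such as meta, link and style.
HEAD_EXPECTED = {"meta", "link", "style", "title", "base"}

class PocketAuditor(HTMLParser):
    """Collects markup in one pocket body that a defender should review."""
    def __init__(self, location):
        super().__init__()
        self.location = location
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DOCUMENT_TAGS:
            self.findings.append(f"unexpected <{tag}> tag")
        elif self.location == "Head" and tag not in HEAD_EXPECTED:
            self.findings.append(f"<{tag}> in a Head pocket (expected meta/link/style only)")
        for name, value in attrs:
            # Inline handlers are the usual way stored markup turns into script.
            if name.startswith("on"):
                self.findings.append(f"inline event handler {name}= on <{tag}>")

def audit_pocket(pocket):
    """Return the list of findings for one pocket dict (keys: Name, Location, Body)."""
    auditor = PocketAuditor(pocket["Location"])
    auditor.feed(pocket["Body"])
    auditor.close()
    return auditor.findings

def audit_pockets(pockets):
    """Map pocket name -> findings, keeping only pockets that need review."""
    report = {}
    for pocket in pockets:
        findings = audit_pocket(pocket)
        if findings:
            report[pocket["Name"]] = findings
    return report

# Constructed sample rows (not real forum data): two benign pockets and one
# that matches the defacement pattern from the thread.
SAMPLE_POCKETS = [
    {"Name": "Site meta", "Location": "Head", "Body": '<meta name="generator" content="Vanilla"><link rel="stylesheet" href="/custom.css">'},
    {"Name": "Sidebar promo", "Location": "Panel", "Body": '<div class="Box"><a href="/promo">Promo</a></div>'},
    {"Name": "Untitled-3", "Location": "Head", "Body": '<body style="display:none"><script src="//placeholder.invalid/x.js"></script>'},
]
```

Run audit_pockets over rows exported from the pocket table; any pocket that appears in the report is worth comparing against what the administrators actually created.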
  • hgtonight ∞ · New Moderator

    Do you have any idea how the attacker got access?

    I would hesitate to say that Pockets caused this.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • vrijvlinder Papillon-Sauvage MVP

    The asset head is a module; it is called class.headmodule.php. There is nothing to be written; the file is not writable.

    You need to check your script library for this sort of thing. You can't add something unless it is jQuery and you allow jQuery in the comments or discussion posts.

    The Body tag is not the page ID body.

    In order for someone to insert anything into the body they need access to the files, and the files must be writable.

  •

    You said they inserted three pockets. There were three pockets saved?

    Pocket doesn't actually do anything in the head; it is all body.

    grep is your friend.

  •

    You have been hacked more than once, I have noticed.

    This can be for three broad reasons:

    1. Your general server security is not good, making any software vulnerable.
    2. Someone you trust (or yourself) has a computer that is compromised. This can be one of the most annoying things, because you can do everything right on the server, but as long as someone trusted is compromised, infections will continue to happen until they sort out their home security and access is sufficiently restricted.
    3. A Vanilla-specific exploit.

    Although it may not be 3 (I will need to see some evidence of that), I have to admit I'm getting pretty frustrated at the Vanilla team's inconsistent attitude to some known security issues, not dealing with them in a timely manner, or not treating them with the seriousness they deserve.

    We are supposed to do the "responsible" thing by reporting in confidence. But why bother if they don't keep their side of the responsibility?


  • Linc Detroit Admin
    edited May 2014

    Your server access logs should hold the clues to figuring out how this happened. It would be extremely helpful to get them and pinpoint where the penetration started.

    It would be trivially simple to "hack" a Vanilla site via Pockets if the admin account was compromised via password compromise. That's the most likely scenario here unless you can find a different entrance.

    We haven't had a security flaw severe enough to escalate permissions or root the forum in a couple versions, iirc. Simply being on 2.0.18.10 wouldn't be enough to cause this based on the patches we made for 2.0.18.11.
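Added example, not from the thread or from Vanilla: a Python triage of combined-format access logs along the lines Linc suggests, pulling out POSTs to the sign-in form and to the Pockets settings pages and grouping pocket changes by client address, so a password-compromise-then-pocket-edit sequence stands out. The route prefixes /settings/pockets and /entry/signin are assumptions about Vanilla's dashboard URLs, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed dashboard routes: the Pockets settings pages and the sign-in form.
WATCHED_PREFIXES = ("/settings/pockets", "/entry/signin")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None

def state_changing_hits(lines):
    """POST requests to watched paths, as (ip, time, path, status) tuples in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(WATCHED_PREFIXES):
            hits.append((rec["ip"], rec["time"], rec["path"], rec["status"]))
    return hits

def pocket_edits_by_ip(lines):
    """Who changed pockets, and when: ip -> [(time, path), ...]."""
    by_ip = defaultdict(list)
    for ip, time, path, _ in state_changing_hits(lines):
        if path.startswith("/settings/pockets"):
            by_ip[ip].append((time, path))
    return dict(by_ip)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2014:03:12:01 +0200] "POST /entry/signin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2014:03:12:44 +0200] "POST /entry/signin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2014:03:15:22 +0200] "POST /settings/pockets/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2014:08:01:10 +0200] "GET /discussions HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2014:08:02:30 +0200] "GET /settings/pockets HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
""".splitlines()
```

Feed the real access log in with open(path) in place of SAMPLE_LOG; the first pocket edit from an address that the legitimate admins do not use is where the timeline of the compromise starts.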

  •

    We haven't had a security flaw severe enough to escalate permissions or root the forum in many versions. Simply being on 2.0.18.10 wouldn't be enough to cause this based on the patches we made for 2.0.18.11.

    You can hijack/piggyback an admin's session through XSS, and add pockets or anything else. I'm not saying that is what happened, but it is possible.


  •

    There is more than one way to cook an egg.


  • phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
    edited May 2014

    Thank you for your feedback. I don't know which door the attackers took. Pocket was used by adding a snippet of JavaScript and CSS that was sent to the HEAD of the index.php/default.master.php.

    I had one or two attempts in the past on different forums. Server security by default should be OK, as it is a managed server and the company hosting it is one of the largest in central Europe. Not meaning they can't be faulty, but they are usually strict and well set up regarding security.

    I will have a look at the server logs and try to fetch some information. For now I deinstalled Pockets and added all pockets manually to my template. I'm currently on mobile, so I'll answer in more detail later.

  • x00 MVP
    edited May 2014

    Pockets doesn't insert into the head in the sense that all pockets are below the head (unless the hooks have changed, or Pockets has changed since I last used it); however, that doesn't mean a pocket couldn't be exploited to be used in a way it wasn't intended. Pockets can contain scripting, as you know.

    Given what you said, it does seem like there is more involved than just pockets. It is important for you to clarify.

    Were any physical files actually written to?

    Btw, a large server company can only police up to a point. Size isn't always an advantage, and some of that responsibility is your own.


  • vrijvlinder Papillon-Sauvage MVP

    Pockets can and does have a $Location Head.

    One would assume it is the #Head div, but it is not. It sends it in the head,
    so it is entirely possible to insert something in the pocket if the $Location is Head.

    But it can only be added if a person goes in and edits the pocket and saves it.
    You can't insert JS or CSS into a pocket unless you do it inside the interface or the pocket dummy, which would be hard unless they have access to your server.

    This, if it is a hack job, is an inside job.

  • x00 MVP
    edited May 2014

    I think the fewer assumptions made the better.

    To quote a film:

    Assumption is the mother of all fuckups...

    https://www.youtube.com/watch?v=wg4trPZFUwc


  • vrijvlinder Papillon-Sauvage MVP

    Yes, unfounded ones certainly are, but having explored the possible ways to add a pocket and seen that the LocationHead is not the Head div but the head module where the meta tags go,

    that is how you can add stuff to the head using pockets. If it is not metadata, it is seen as HTML and it shows above all the content, but it is not in the Head div when you inspect the source; it is in the head module area.

    I have seen people add bad code in a pocket and it renders their forum and the dashboard useless.

    A user here actually got hacked and was able to find the suspicious files in the js library. It kept on happening until he cleaned the database.

    The most important thing is to pin down how and what they did.

  • peregrine MVP
    edited May 2014

    @x00 said:
    I think the less assumptions made the better.

    To quote a film:

    and the old joke Assumptions and to assume

    assume makes an

    ass-u-me

    replace first dash with (out of) and second dash with (and)

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlinder Papillon-Sauvage MVP

    I found these interesting posts on the subject; you can find thousands of posts on the net if you google sql ERROR 1045

    http://forums.mysql.com/read.php?11,34014,46593

    http://forums.mysql.com/read.php?11,600754,600754
