View Full Version : MASM Forum, check your email carefully


Silver
December 17th, 2004, 12:32
Hi guys,

Everyone that's registered an email addr with MASMForum, take a look in your mailbox please. I just got the following mail sent to me from the MASMForum site itself (ie: through what would be the admin console to send all members a message). So either Hutch has been hacked again, or something wasn't solved the first time. Look at the headers I pasted below, namely the userid etc. And of course checking the main masmforum site shows... well. You'll see.

Quote:
The following is an email sent to you by an administrator of "www.masmforum.com". If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address:

hutch@movsd.com

Include this full email (particularly the headers).

Message sent to you follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

www.y4hoo.net | PORN | Forum | Yahoo | MSN | AIM | Crackers | Exploits | 1000s of Downloads | Movies | Full Games | ~Check us out~


Code:
Return-Path: <masmforum@www05.powweb.com>
X-Original-To: xxxxxxxxxxx
Delivered-To: xxxxxxxxxxxxxxxx
Received: from localhost (localhost [127.0.0.1])
    by xxxxxxxxx (Postfix) with ESMTP id 3CA60500C
    for <ssssssssss>; Fri, 17 Dec 2004 17:38:51 +0100 (CET)
Received: from ssssssssss ([127.0.0.1])
    by localhost (sss [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
    id 29741-08 for <xxxxxxxxx>;
    Fri, 17 Dec 2004 17:38:46 +0100 (CET)
Received: from xxxxxxxxx (mx0.123-reg.co.uk [212.67.202.214])
    by xxxxxxxxxx(Postfix) with ESMTP id E3D13500A
    for <xxxxxxxxxxx>; Fri, 17 Dec 2004 17:38:43 +0100 (CET)
Received: from [66.152.98.105] (helo=www05.powweb.com)
    by xxxxxxxxxxxxx with esmtp (Exim 3.36 #5)
    id 1CfL7m-00072V-00
    for xxxxxxxxxx; Fri, 17 Dec 2004 16:38:38 +0000
Received: by www05.powweb.com (Postfix, from userid 62510)
    id D7964A8B51; Fri, 17 Dec 2004 08:38:38 -0800 (PST)
To: hutch@movsd.com
Subject: www.y4hoo.net
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Date: Fri, 17 Dec 2004 16:38:38 UT
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
From: hutch@movsd.com
X-AntiAbuse: Board servername - masmforum.com
X-AntiAbuse: User_id - 99999
X-AntiAbuse: Username - ze3lock
X-AntiAbuse: User IP - 68.37.26.27
Message-Id: <20041217163838.D7964A8B51@www05.powweb.com>
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, hits=3.233 tagged_above=-999 required=5 tests=BAYES_50,
    MISSING_MIMEOLE, NO_REAL_NAME, URIBL_OB_SURBL
X-Spam-Level: ***
X-UIDL: OW7!!fIA"!eN""!@ZW!!
Status: U
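
Added example, not part of the original post: a Python triage helper that pulls out the fields a responder would correlate against board and web server logs, namely the account details stamped in the X-AntiAbuse headers and the first hop of the Received chain. The sample reuses header values from the post above with folding restored; the function names are assumptions made for this example.

```python
from email import message_from_string
import re

# Subset of the headers posted above, with folded lines re-indented.
SAMPLE = (
    "Received: from [66.152.98.105] (helo=www05.powweb.com)\n"
    "\tby xxxxxxxxxxxxx with esmtp (Exim 3.36 #5)\n"
    "\tid 1CfL7m-00072V-00\n"
    "\tfor xxxxxxxxxx; Fri, 17 Dec 2004 16:38:38 +0000\n"
    "Received: by www05.powweb.com (Postfix, from userid 62510)\n"
    "\tid D7964A8B51; Fri, 17 Dec 2004 08:38:38 -0800 (PST)\n"
    "To: hutch@movsd.com\n"
    "Subject: www.y4hoo.net\n"
    "X-Mailer: PHP\n"
    "From: hutch@movsd.com\n"
    "X-AntiAbuse: Board servername - masmforum.com\n"
    "X-AntiAbuse: User_id - 99999\n"
    "X-AntiAbuse: Username - ze3lock\n"
    "X-AntiAbuse: User IP - 68.37.26.27\n"
    "\n"
)

def antiabuse_fields(msg):
    """Return the repeated 'X-AntiAbuse: key - value' headers as a dict."""
    fields = {}
    for value in msg.get_all("X-AntiAbuse", []):
        key, _, val = value.partition(" - ")
        fields[key.strip()] = val.strip()
    return fields

def origin_hop(msg):
    """Received headers are prepended, so the last one is the first hop."""
    hops = msg.get_all("Received", [])
    first = " ".join(hops[-1].split()) if hops else ""
    # Postfix writes this form when a local process hands it the mail.
    m = re.match(r"by (\S+) \(Postfix, from userid (\d+)\)", first)
    return {"host": m.group(1), "local_uid": int(m.group(2))} if m else {"raw": first}

def triage(raw_headers):
    msg = message_from_string(raw_headers)
    aa, hop = antiabuse_fields(msg), origin_hop(msg)
    return {
        "from_header": msg["From"],            # set by the sender, not evidence
        "board_user": aa.get("Username"),
        "board_user_id": aa.get("User_id"),
        "board_user_ip": aa.get("User IP"),
        "origin_host": hop.get("host"),
        "local_submission": "local_uid" in hop,
    }
```
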

nikolatesla20
December 17th, 2004, 12:59
I found this meta refresh tag in the main page source:

<meta http-equiv="refresh" content="1;url=http://www.y4hoo.net"><br />


It was here:

Code:


<tr>
<td class="row1" align="center" valign="middle" height="50"><img src="templates/subSilver/folder_big.gif" width="46" height="25" alt="No new posts" title="No new posts" /></td>
<td class="row1" width="100%" height="50"><span class="forumlink"> <a href="viewforum.php?f=3" class="forumlink">The Workshop</a><br />

</span> <span class="genmed">The Workshop is where general purpose questions and answers are posted. Any assembler programming topic is welcome and discussion is encouraged as long as its friendly.<meta http-equiv="refresh" content="1;url=http://www.y4hoo.net"><br />
</span><span class="gensmall">Moderators <a href="profile.php?mode=viewprofile&amp;u=6">donkey</a>, <a href="profile.php?mode=viewprofile&amp;u=9">sluggy</a>, <a href="profile.php?mode=viewprofile&amp;u=74">P1</a>, <a href="profile.php?mode=viewprofile&amp;u=429">pbrennick</a></span></td>
<td class="row2" align="center" valign="middle" height="50"><span class="gensmall">298</span></td>

<td class="row2" align="center" valign="middle" height="50"><span class="gensmall">1909</span></td>
<td class="row2" align="center" valign="middle" height="50" nowrap="nowrap"> <span class="gensmall">Fri Dec 17, 2004 12:03 am<br /><a href="profile.php?mode=viewprofile&amp;u=2">hutch--</a> <a href="viewtopic.php?p=32596#32596"><img src="templates/subSilver/icon_latest_reply.gif" border="0" alt="View latest post" title="View latest post" /></a></span></td>
</tr>




Looks like someone injected stuff into the forum description or something. (XSS). But I think they would still have to have admin rights to do it. Should go through the SQL database and check all who have admin rights, since a user could have added themselves to the admin list and no one would ever know.

It also looks like phpBB does not filter HTML elements like it should from forum topic descriptions.

Also, the page title was modified as well.

-nt20
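
Added example, not part of the original post: a Python check for the symptom found above, a meta refresh tag that sits in the page body or points off-site. The sample page is constructed from the posted snippet, and `suspicious_refreshes` and `site_host` are names assumed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class RefreshFinder(HTMLParser):
    """Record every <meta http-equiv="refresh"> and whether it is inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
            self.hits.append({"url": m.group(1) if m else None,
                              "in_head": self.in_head,
                              "line": self.getpos()[0]})

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def suspicious_refreshes(html, site_host):
    """Return refresh tags found outside <head> or redirecting to another host."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    flagged = []
    for hit in finder.hits:
        host = (urlparse(hit["url"]).hostname or "") if hit["url"] else ""
        offsite = bool(host) and host != site_host and not host.endswith("." + site_host)
        if offsite or not hit["in_head"]:
            flagged.append({**hit, "offsite": offsite})
    return flagged

# Constructed sample: the forum description row from the post, wrapped in a page.
SAMPLE_PAGE = """<html><head><title>Forum</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head><body><table><tr>
<td class="row1"><span class="genmed">The Workshop is where general purpose questions and answers are posted.<meta http-equiv="refresh" content="1;url=http://www.y4hoo.net"><br />
</span></td></tr></table></body></html>"""

# Constructed control: an on-site refresh declared in <head> is not flagged.
CLEAN_PAGE = ('<html><head><meta http-equiv="refresh" '
              'content="300;url=http://www.masmforum.com/index.php"></head>'
              '<body></body></html>')
```

Running this over rendered pages complements the database review suggested above, since it catches markup that reaches visitors regardless of which table or template it was stored in.
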

dELTA
December 18th, 2004, 07:39
There was a new remote root vulnerability for phpBB reported a few days ago. I warned all the other boards as soon as it was released, but apparently hutch didn't listen very well...

Zero
December 19th, 2004, 07:39
Where can I find info about this vulnerability?

dELTA
December 19th, 2004, 08:31
In the email I sent you the same day it was released? Aren't you using your old anticrack.de address anymore? Please contact me by PM or email for more info...

JMI
December 19th, 2004, 12:49
Certainly when it comes to security vulnerabilities, one would be well advised to listen to young master dELTA. He does know his server security and stays up late at night, eating rice pudding, and keeping up on all the latest news on the subject and warning us to get our sh*t together or pay the price. As we have seen recently, sometimes that price is high.

Regards,