Subject: Anonymous users posting comments

Posted on: 29/05/04 07:05pm
By: Marites

Over these last few days I have had a number of comment postings, usually ....

Nice thread

Enjoyed reading your comments

Following the few opening words are four or five small lines of broken dots and dashes.

I deleted them, but here lies the problem: the site has comments turned off for anonymous users. I have double checked and the overall setting is 1 for login required. (I have added a '1' to commentsloginrequired.)

// this lets you select which functions are available for registered users only
$_CONF['loginrequired'] = 1; // all of them, if set to 1 will override all else
$_CONF['submitloginrequired'] = 0;
$_CONF['commentsloginrequired'] = 1;
$_CONF['linksloginrequired'] = 0;
$_CONF['pollsloginrequired'] = 0;
$_CONF['calendarloginrequired'] = 0;
$_CONF['statsloginrequired'] = 0;
$_CONF['searchloginrequired'] = 0;
$_CONF['profileloginrequired'] = 0;
$_CONF['emailuserloginrequired'] = 0;
$_CONF['emailstoryloginrequired'] = 0;


We have tested with a number of users and no one has succeeded in adding a comment without logging in.

Has anyone else experienced this? It seems some clever idiot has found a back door, especially as the dots and dashes seem to be code when viewed in the database.
We are running Linux (BSD) not Windows.

Regards

Marites

Anonymous users posting comments

Posted on: 29/05/04 07:13pm
By: Dirk

Which version of Geeklog are you running?

Geeklog 1.3.8-1sr3 fixed a bug where it was possible to post comments anonymously even when that was not allowed.

bye, Dirk

Anonymous users posting comments

Posted on: 29/05/04 07:43pm
By: Marites

1.3.9 Dirk

Marites

Anonymous users posting comments

Posted on: 30/05/04 03:21pm
By: Marites

Dirk

How do I disable the comments without a major hack? I had to hand delete well over 200 this morning. Can you tell me how this spam site, menace or whatever - is posting, as all I get when clicking comments when not logged in is "only registered users are allowed to post comments".

I disabled the link on the story 'Add Your Comments' still 3 more have been added in the last hour.

It seems obvious that there is a hole or back door in 1.3.9 that is allowing this.



Marites

Anonymous users posting comments

Posted on: 30/05/04 03:34pm
By: Dirk

Sorry to hear that, but I am at a loss here. I have stared at the source for the comment posting for the better part of an hour today and can't see a way around the code that blocks anonymous posts (when that's enabled in config.php).

The only thing that is missing is an additional check for the speed limit in function savecomment(). Vinny added that to CVS recently (the first code block, with a blue background - ignore the other changes). That should at least slow them down a bit.

Someone probably found a way to send an HTTP POST request directly, therefore removing links, etc. won't really help.

If you can provide any more information (webserver log entries, suspicious entries from error.log, whatever), please send them to geeklog-security@lists.geeklog.net

bye, Dirk

Anonymous users posting comments

Posted on: 30/05/04 04:02pm
By: Marites

Many thanks Dirk, will see what the logs bring up. In the meantime I have renamed the comment.php to .bak and made a copy of index.php naming it comment.php which just loops the user if they click the add comments link. Not ideal but will do as a stop gap.

I have also disabled for users other than admin the What's New block so only I can see if anything is added.

Regards

Tess


Anonymous users posting comments

Posted on: 30/05/04 09:43pm
By: keystone430

I am getting the same thing on about 6 geeklog sites I have. When you take the dots and dashes and put them in a text editor they are links to a drug spammer in Russia. http://www.01j.com The last 50 or so also included porn links. I am trying to have my server company block them at server level.

I have spent 4 days deleting as fast as they are posting. One thing I have noticed is that their access does not show up in the access logs. How can that be?

I have also found a user named automoddm12 on all but 1 of the sites getting hit. Instead of deleting the user I took away all the check marks for access on one of the sites. Since I did that there have been no comments added in 12 hours.

Is it possible they have some kind of back door that adds a user name that shows up as anonymous when they post? Could they have added a user?

I am not a code writer but I use Geeklog and find it excellent. I am going crazy with this problem because all together I have 14 sites that use Geeklog. All have a kid friendly rating so I cannot get caught with the porn links in the comments or it will compromise that rating.


Anonymous users posting comments

Posted on: 30/05/04 09:55pm
By: keystone430

I just did a Google search on that user name automoddm12. It shows up 29 times in Google and every one of them is a geeklog site. It is also in my sports sites, military sites and a publishing site I built for someone else.


Anonymous users posting comments

Posted on: 30/05/04 10:47pm
By: drkrum

[QUOTE BY= keystone430] I just did a Google search on that user name automoddm12. It shows up 29 times in Google and every one of them is a geeklog site. It is also in my sports sites, military sites and a publishing site I built for someone else.

[/QUOTE]

What uid do the automoddm12 accounts have? Anything suspicious in the gl_users row for that user?

Anonymous users posting comments

Posted on: 31/05/04 01:49am
By: n4th4n

I am the unfortunate victim of this particular spam as well. I was running a modified version of 1.3.8sr2 which was supposedly susceptible to anonymous comment injection (even when disallowed in config.php) so I have done a complete upgrade to 1.3.9 tonight (not my usual incremental piece-work upgrade, this time I renamed the old directories and uploaded all new code). I'll post again if it continues to get by the setting even after this upgrade. The IP address of the poster hasn't changed for 2 days. My server log shows only the following:
69.5.72.104 - - [29/May/2004:08:20:14 -0400] "POST /comment.php HTTP/1.1" 200 140 "http://mysite.net/article.php?story=20030905093936588" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Anonymous users posting comments

Posted on: 31/05/04 07:30am
By: Marites

We do not openly solicit members, with no registration offered on the front page - however if you click 'comments' then you are told comments are only available to registered users; only then are they offered to register.

These postings are anonymous and I have noticed that they are posted within seconds of each other on one of four linked sites. All these sites run from 1.3.9 and share one installation (set up as per instructions in FAQ and modified to suit).

I have checked the username quoted but there is no one of that name registered with us.

We have checked the logs and cannot find anything out of the usual.

What we have noticed is that the comments are related to articles posted in 2003 i.e. the older stories. In fact they are related to articles referenced on search engines.

I have also noticed that the dots and dashes are URLs, which assumes this person has admin type access as I feel sure GL does not allow URLs in user comments unless specifically set up by the individual site.

I read and understand what Dirk said about 1.3.8 and the possibility of posting when unregistered but reiterate that the site/s run on 1.3.9.

For us this is a worrying aspect as our users like to comment on the articles posted.

We are looking at the possibility of linking our comments to an outside BB - GLForum will not work in this instance for us at least.

Saddened ...

Marites

Anonymous users posting comments

Posted on: 31/05/04 07:56am
By: Marites

[QUOTE BY= keystone430] I am getting the same thing on about 6 geeklog sites I have. When you take the dots and dashes and put them in a text editor they are links to a drug spammer in Russia. http://www.01j.com The last 50 or so also included porn links. I am trying to have my server company block them at server level.[/QUOTE]


We have checked 66.117.44.106 (01j.com) against our logs and can find no record of access ... means nothing as it could be using another IP.

Tess

Anonymous users posting comments

Posted on: 31/05/04 08:18am
By: Dirk

Vinny identified what was (probably) the cause of the problem in comment.php. It seems the spammers are using an account (i.e. they are registered with your site), but use a manipulated POST request to send anonymous posts while being logged in.

Can those suffering from the spamming attacks please download and try this version of comment.php. It's a drop-in replacement for Geeklog 1.3.9.

If this fixes the problem, we'll be releasing proper security updates for 1.3.9 (and 1.3.8-1) ASAP, so please give us some feedback on this.

Thanks and sorry again for the nuisance.

bye, Dirk

Anonymous users posting comments

Posted on: 31/05/04 09:46am
By: Marites

I have added it here, will let you know. All the logins I have around the time of posting are from

151122.cps.virtua.com.br

and they seem to be using uid=2 which is one of my logins. We ban yahoo, msn and free mail servers from registering and most of our registered users are known to us and are regular posters ... reiterate people only register if they want to post.

151122.cps.virtua.com.br - - [29/May/2004:16:59:08 +0000] "GET /gl/public_html/comment.php?sid=20040226154633960&pid=0&type=article HTTP/1.1" 200 16629 "-" "aol xgiy1vciadyxwsngwympgtod1at yy"


Will Vinny's updated comment.php cover this? What is the string at the end?

Forgot to add we do approve manually all registrations also.

Marites

Anonymous users posting comments

Posted on: 31/05/04 10:11am
By: Dirk

[QUOTE BY= Marites] they seem to be using uid=2 which is one of my logins.[/QUOTE]
uid=2 is the default Admin account. But it looks like they faked the uid and got away with it due to a bug in Geeklog's comment code. The new version of comment.php should catch that.

151122.cps.virtua.com.br - - [29/May/2004:16:59:08 +0000] "GET /gl/public_html/comment.php?sid=20040226154633960&pid=0&type=article HTTP/1.1" 200 16629 "-" "aol xgiy1vciadyxwsngwympgtod1at yy"


The string at the end is usually where the user agent string is located, i.e. the browser's name and version number. It looks like the script or whatever they're using is simply inserting random characters here.

That is not a problem. Actually, it could be used to block these requests on the server: Check if the user agent matches any of the usual browsers, and if it doesn't, block it. Although I wouldn't really advise you to use this, as you may accidentally block legit requests from exotic user agents ...

From your description, this looks like a slightly different attack than the one that Jesse (drkrum) described. They both seem to be exploiting the same bug in Geeklog, though.

bye, Dirk
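
The class of bug Dirk describes, as an added example that is not part of the original thread and is not Geeklog's code: a Python model of a comment handler that takes the author uid from the request body, next to one that takes it from the session only and also applies the speed limit. The function names, form fields, session store, `speedlimit_seconds` key and the anonymous uid of 1 are assumptions made for the illustration.

```python
ANON_UID = 1                 # assumption: uid that marks a post as anonymous
SESSIONS = {"sess-abc": 7}   # constructed: session id -> uid of the logged-in account
CONF = {"commentsloginrequired": 1, "speedlimit_seconds": 45}  # second key is hypothetical


def save_comment_trusting(form, session_id, comments):
    """'Before': login is checked against the session, authorship is read from the form."""
    if CONF["commentsloginrequired"] and session_id not in SESSIONS:
        return "login required"
    # The uid is whatever the client sent, so a logged-in account can claim any author.
    comments.append({"uid": int(form["uid"]), "text": form["comment"]})
    return "saved"


def save_comment_checked(form, session_id, comments, last_post, now):
    """'After': authorship comes from the session only, plus a per-account speed limit."""
    uid = SESSIONS.get(session_id, ANON_UID)
    if CONF["commentsloginrequired"] and uid == ANON_UID:
        return "login required"
    claimed = form.get("uid")
    if claimed is not None and str(claimed) != str(uid):
        return "uid mismatch"          # worth logging: a normal browser form never does this
    if now - last_post.get(uid, float("-inf")) < CONF["speedlimit_seconds"]:
        return "speed limit"
    last_post[uid] = now
    comments.append({"uid": uid, "text": form["comment"]})
    return "saved"


def demo():
    """Run the same constructed requests through both handlers and collect the outcomes."""
    forged_anon = {"uid": "1", "comment": "Nice thread"}
    forged_admin = {"uid": "2", "comment": "Nice thread"}
    honest = {"uid": "7", "comment": "A real comment"}
    before, after, last_post = [], [], {}
    return {
        "before_results": [save_comment_trusting(f, "sess-abc", before)
                           for f in (forged_anon, forged_admin)],
        "before_uids": [c["uid"] for c in before],
        "after_results": [
            save_comment_checked(forged_anon, "sess-abc", after, last_post, now=100),
            save_comment_checked(forged_admin, "sess-abc", after, last_post, now=101),
            save_comment_checked(honest, "sess-abc", after, last_post, now=102),
            save_comment_checked(honest, "sess-abc", after, last_post, now=110),
            save_comment_checked(honest, None, after, last_post, now=200),
        ],
        "after_uids": [c["uid"] for c in after],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
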

Anonymous users posting comments

Posted on: 31/05/04 10:26am
By: Marites

Dirk

Many thanks for your comment. I added the comment.php to one of the affected sites; you get this error when calling comments from the story.

Fatal error: Call to undefined function: com_applyfilter() in /html/public_html/comment.php on line 465

Should there be a revised file some other place also?

Marites

Anonymous users posting comments

Posted on: 31/05/04 10:43am
By: Dirk

[QUOTE BY= Marites] Fatal error: Call to undefined function: com_applyfilter() in /html/public_html/comment.php on line 465[/QUOTE]
COM_applyFilter is a new function in Geeklog 1.3.9 (but does not exist in 1.3.8-1). It can be found in lib-common.php ...

bye, Dirk

[edit: A fixed comment.php for Geeklog 1.3.8-1sr4 can be found here]

Anonymous users posting comments

Posted on: 31/05/04 10:45am
By: keystone430

I will give the new comment.php a try and let you know what happens.

Just as a point of reference the site that I disabled the questionable account on stlii has had no comment attacks. I disabled rather than deleted to prevent the same name from being used again.

Anonymous users posting comments

Posted on: 31/05/04 11:00am
By: Marites

Dirk Version check from Admin reports 1.3.9 - I will try the other version and see what happens.

I have asked our server manager to reinstall GL tomorrow using individual setup in place of shared as we have now.

Will report back on finding.

Tess


[QUOTE BY= Dirk] [QUOTE BY= Marites] Fatal error: Call to undefined function: com_applyfilter() in /html/public_html/comment.php on line 465[/QUOTE]
COM_applyFilter is a new function in Geeklog 1.3.9 (but does not exist in 1.3.8-1). It can be found in lib-common.php ...

bye, Dirk

[edit: A fixed comment.php for Geeklog 1.3.8-1sr4 can be found here][/QUOTE]

Anonymous users posting comments

Posted on: 31/05/04 12:52pm
By: Marites

Our log for yesterday 30 May was 390,000 lines so I took a 3 hour period and checked comment postings with the relevant entry in the access log. These are the IP addresses noted in that time. It looks to me as if the person is using proxies as the log from the 29th is using a different list of IP's.

To those who run sites aimed at family audiences I suggest you dump the database and delete the messages
from there (if you feel confident) as the items that list in the 'What's New' only show some of the postings.

When examining my database I found many porno, iffy postings, some with code and so on. Luckily we do have a custom script and can delete field content.

My concern is all these items seem to have been posted with uid 2.

With the speed that multiple items are posted to 4 domains within 2 seconds of each other it does seem like there is a script out there that can do this for them.

I have also found that the items chosen have all been listed by Google.

It is a very worrying situation.

I find that 3 of our sites are running 1.3.9 and 1 1.3.8, strangely the 1.3.8 site has had the least attacks - I have updated the comment.php in each as suggested by Dirk.

I will now wait and see what happens.

Tess


69.5.72.104 epocketworks.com - 41 postings
dsl81-215-3442.adsl.ttnet.net.tr a IIS site under construction - 21 postings
117_pc6.ntcb.edu.tw - 18 postings
80.58.9.44.proxycache.rima-tde.net - 112 postings
200.48.218.178 - 6 postings
alfaproxy.pai.net.pl - 11 postings
216.157.225.37 - 3 postings
207.230.66.18 - 86 postings
host194-206.pool8016.interbusiness.it - 41 postings
203.162.3.146 - 12 postings
194.27.49.2 - 2 postings
12.36.104.2 - 61 postings
22.47.30.61.isp.tfn.net.tw - 91 postings
68.152.252.74 - 7 postings
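
The kind of log triage described in this post, combined with Dirk's earlier remark about the user agent field, as an added example that is not part of the original thread: it parses Apache combined-format lines, tallies POSTs to comment.php per client, and lists comment.php requests whose agent string does not look like a browser, for review rather than blocking. The first two sample lines are the entries quoted in the thread; the rest are constructed, and the agent prefix list is an assumption.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Loose list of common agent prefixes (an assumption; tune it for your own traffic).
KNOWN_AGENT = re.compile(r'^(Mozilla|Opera|Lynx|Links|w3m)/')

SAMPLE_LOG = [
    # Quoted in the thread:
    '69.5.72.104 - - [29/May/2004:08:20:14 -0400] "POST /comment.php HTTP/1.1" 200 140 '
    '"http://mysite.net/article.php?story=20030905093936588" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '151122.cps.virtua.com.br - - [29/May/2004:16:59:08 +0000] '
    '"GET /gl/public_html/comment.php?sid=20040226154633960&pid=0&type=article HTTP/1.1" '
    '200 16629 "-" "aol xgiy1vciadyxwsngwympgtod1at yy"',
    # Constructed for this example (documentation address ranges):
    '192.0.2.10 - - [30/May/2004:10:00:01 +0000] '
    '"POST /gl/public_html/comment.php HTTP/1.1" 200 140 "-" "qwrt zxcv"',
    '192.0.2.10 - - [30/May/2004:10:00:03 +0000] '
    '"POST /gl/public_html/comment.php HTTP/1.1" 200 140 "-" "qwrt zxcv"',
    '198.51.100.7 - - [30/May/2004:10:01:00 +0000] '
    '"GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; U; Linux i686)"',
    'truncated line without the expected fields',
]


def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def is_comment_request(entry):
    """True when the request path, ignoring the query string, is comment.php."""
    return entry["path"].split("?", 1)[0].endswith("/comment.php")


def comment_posts_by_host(entries):
    """Count POST requests to comment.php per client host."""
    return Counter(e["host"] for e in entries
                   if e["method"] == "POST" and is_comment_request(e))


def unusual_agents(entries):
    """(host, agent) pairs for comment.php requests with a non-browser-looking agent."""
    return sorted({(e["host"], e["agent"]) for e in entries
                   if is_comment_request(e) and not KNOWN_AGENT.match(e["agent"])})


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for host, count in comment_posts_by_host(entries).most_common():
        print(f"{host} - {count} postings")
    for host, agent in unusual_agents(entries):
        print(f"review: {host} sent agent {agent!r}")
```
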

Anonymous users posting comments

Posted on: 31/05/04 01:08pm
By: keystone430

They now have about 120 on one of my sites and are posting faster than I can delete. I have applied the patch and it is not working but my site is on 1.3.7. It is a custom version and I am nervous about upgrading it.

I have noticed the attacks are worse since I started posting here. Could be coincidence or they could monitor this forum.

Do you think it would help if I took the site off line for an hour or so? I hate to do it because we are a military support site and this is a big military holiday but I am at a loss for any other solutions right now.




Anonymous users posting comments

Posted on: 31/05/04 01:24pm
By: Dirk

[QUOTE BY= keystone430] I have applied the patch and it is not working but my site is on 1.3.7.[/QUOTE]
The patch for the missing speed limit will not work in 1.3.7, since speed limits are working differently in 1.3.7. But the check for the proper uid should work, I would hope.

bye, Dirk

Anonymous users posting comments

Posted on: 31/05/04 01:24pm
By: krove

I just deleted the better part of 80+ spam comments on Team MacNN. Although I am still running a version of GL 1.3.8, I have disabled comment posting altogether and upped the time limit to 5 minutes. I was hoping 1.3.9 would have a fix to which I could upgrade.



Hopefully, soon.

Anonymous users posting comments

Posted on: 31/05/04 01:26pm
By: keystone430

Patch does not work at all for 1.3.7. I have it installed and they are posting at the rate of 3 sets of comments per minute. I have already deleted over 500.

Anonymous users posting comments

Posted on: 31/05/04 01:35pm
By: n4th4n

I have changed several things so I'm not sure which has been the effective measure, but I have had no spam posts since last night.
Here's what I have done so far:
[when still on 1.3.8sr2]
a) Deleted a suspicious new user (the last one) - was still getting the posts.
b) Disabled anonymous posting - no help

[drastic measures]
1. Disabled the site which refreshed visitors to a static index.html page
2. After about 6 hours of time (spent drinking beer and barbequeing) I finally got around to upgrading. backed up the entire site, and dumped the sql. Deleted the entire site and uploaded 1.3.9 files. Reconfigured the config.php and lib-common.php files.
3. Disabled anonymous posting in config.php
4. Uploaded the new comment.php "fix"
As I said, so far, so good.

Anonymous users posting comments

Posted on: 31/05/04 02:06pm
By: keystone430

I have disabled the site and will wait for an hour or so to try it again.

Anonymous users posting comments

Posted on: 31/05/04 03:05pm
By: keystone430

If it is using the User 2 ID what about creating a new admin user and disabling the old one? Would that stop it?
I had the site down for an hour and it looks like they were still posting comments while it was down. Here is my stats list:

Stories(Comments)- in the System 257 (38866)

I know we are busy but 38000 comments is a bit much.
The patch has also caused all my articles to show 179 comments but none show up on the stories.

Anonymous users posting comments

Posted on: 31/05/04 06:37pm
By: keystone430

It seems to be working now. Thanks Dirk. I am now helping all those on our sports network install the patch.

Anonymous users posting comments

Posted on: 31/05/04 06:55pm
By: ascott

Hey guys, I have a site that is seeing this.

I actually have four sites running geeklog right now with four different versions of geeklog:
1.3.8-1, 1.3.8-sr2, 1.3.8-sr3, and 1.3.9. Only the 1.3.8-1 is seeing this behaviour.

It started last week with 3 posts over two days. I deleted those from the db yesterday once my client informed me of them and checked to make sure anonymous posting was off, it was. Then just last night I got over one hundred, each about a minute or two apart and most from different host IP addresses.

I deleted these and applied the comment.php patch for 1.3.8 and no new ones yet.

Right now I'm running nmap on each host IP to determine if it is a virus or script that is taking advantage of this exploit. It seems that predominantly, so far, the majority of the boxes are Windows servers that look to be wide open and already set up for script-kiddy relaying. However, I'm also seeing weird results like a Sharp Zaurus fingerprint result. I know nmap is sometimes kind of shaky, but if that result is correct then my guess is that it is a script-kiddy attack (thinking some leet punk walking around the city hopping from wireless access points), and there may be a version of the exploit strapped onto an MS viral hack.

I wish I knew what they were doing to post anonymously, it seems to be scriptable. Do you think it might have something to do with the UID hack from 2003? http://seclists.org/lists/fulldisclosure/2003/Oct/1147.html

Anonymous users posting comments

Posted on: 31/05/04 07:19pm
By: Marites

Dirk thinks there are two exploitations using the same hole, if that is the right word. As far as our exploitation goes all POSTS are being made using uid 2 but for others it seems it is a (bad) registered user.

We have had limited success with the patch: nothing on the site running the highest version of 1.3.8, but the other 3 sites share an installation with 1.3.9 and they are still being hit, albeit at a slower rate than the previous two days. A total of 6 postings.

Whether these 'hits' are made direct or with a bit of code I don't know - whatever it is we have to find a total resolve soon as we run family sites and sites visited by NGOs and they have not taken lightly to the porn messages.

Tess

Anonymous users posting comments

Posted on: 31/05/04 07:36pm
By: keystone430

It still seems to me that if it is using the same User ID for the attacks then you should be able to create a new user with admin/root access and disable the original one or delete it. If the attacker can't find the user then it can't access, correct?

Anonymous users posting comments

Posted on: 01/06/04 06:43am
By: Marites

[QUOTE BY= keystone430] It still seems to me that if it is using the same User ID for the attacks then you should be able to create a new user with admin/root access and disable the original one or delete it. If the attacker can't find the user then it can't access, correct?
[/QUOTE]

Certainly in theory that seems a sensible solution, although before jumping I must find out if uid 2 is significant and altering Admin to another uid will work without problems. It could be the script/s look for Admin as 2.

If I were to delete Admin uid 2 all stories posted by Admin (4500 plus) on one site would become orphaned.

Dirk, what do you suggest?

Marites

Anonymous users posting comments

Posted on: 01/06/04 06:58am
By: Dirk

The patch should actually protect against spoofing the uid for comment posts. So if you're still seeing posts by user #2, it may be because they are really logged in as that user.

In which case the obvious things to do would be to change the password for that account and drop its session from the gl_sessions table. This would force them to log in again which, hopefully, they can't do without the new password.

If you haven't already done so, it may also be a good idea to "downgrade" that user to a normal user without any admin privileges (at least for the time being).

bye, Dirk

Anonymous users posting comments

Posted on: 01/06/04 10:28am
By: Marites

Dirk

Since the problem we have been changing all users with Admin access on a daily basis. Additionally our PHP programmers have today added various lines of code to expand on the data given in the logs.

We will also take your advice to downgrade the actual Admin user to an ordinary user.

If anything untoward happens in coming weeks I will keep the group informed.

Thanks for everyone's help and advice; it is appreciated.

Regards

Marites


[QUOTE BY= Dirk] The patch should actually protect against spoofing the uid for comment posts. So if you're still seeing posts by user #2, it may be because they are really logged in as that user.

In which case the obvious things to do would be to change the password for that account and drop its session from the gl_sessions table. This would force them to log in again which, hopefully, they can't do without the new password.

If you haven't already done so, it may also be a good idea to "downgrade" that user to a normal user without any admin privileges (at least for the time being).

bye, Dirk[/QUOTE]

Geeklog - Forum
https://www.geeklog.net/forum/viewtopic.php?showtopic=35417