Discussion on the Script Kiddy Thread.

Discussion in 'Free Thoughts' started by invert_nexus, Sep 3, 2006.

  1. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Ok. I'd like a bit more discussion on what's going on with this lol admin thread thing.

    Is it possible to get a password so easily as that?
    Is the exploit in the vbulletin software or the browser?

    The directory where the script is located is open and accessible.
    This is the data.txt:

    My user id is 15278. Immediately following this is the code:
    bbpassword=389a8661a44c76efb18c76e6aa9fa8d4
    How would this relate to a password? Anyone figure it out?
    I did change my password, by the way, just to be safe.

    The thing is that it's difficult to determine where one chunk ends and another begins, but I know that both browser descriptions before and after my userid are mozilla/firefox. I am using IE right now because I'm not on my own computer.

    What's the deal?

    Somebody check out the directory and figure this out.
    [link removed]
     
    Last edited by a moderator: Sep 3, 2006
  3. Absane Rocket Surgeon Valued Senior Member

    Messages:
    8,989
    I see this:

    utmccn=(organic)|utmcsr=google|utmctr=snotwuh |utmcmd=organic;

    I know who uses "snotwuh" but the others? Eh.
     
  5. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    It's a php based sniffer by redworm...
    Trying to finger it out now.

    Here's the readme.txt:
    "All sniffer settings: see the file config.php (with comments).

    Don't forget to set the access permissions on the file (CHMOD):
    data.txt 666

    This can be done in any FTP client.

    --
    php Based Sniffer [phpBS] v3.0 Personal"
     
    Last edited: Sep 3, 2006
  7. Absane Rocket Surgeon Valued Senior Member

    Messages:
    8,989
    I got it.

    The code for the "bbpassword" variable is this:

    $bbpassword = substr(md5($password),0,strlen($password));

    So, basically he needs to do a lot of cracking to find the password.
     
  8. Absane Rocket Surgeon Valued Senior Member

    Messages:
    8,989
    That or maybe it works out that he just makes a copy of your cookie (which it seems he did) and logs in.
     
  9. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Translation of the readme.txt: "All installations of Sniffer - see in a file config.php (with comments).
    Do not forget to establish the rights to access in file (CHMOD): data.txt 666
    It can be done in any FTP-client.
    php Based Sniffer [phpBS] v3.0 Personal"

    Not much help.


    Absane,

    Hmmm.
    Trying to find the documentation here.
    It can't be that easy to steal passwords, can it?
     
  10. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Three ip addresses seem to be logged:

    66.255.74.101 (This is the one with Snotwuh. From Indiana apparently.)

    65.61.104.81 (Mine.)

    74.119.169.170 (From Canada.)

    Hmm.
    I have the feeling that the last ip address is herr script kiddy...
     
  11. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Hmm.
    I thought you were from Georgia... Userid=12471. That's you, Absane.

    Weird how it's only got three ip addresses... Why not everyone who's viewed the thread? A mystery...
     
  12. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Damnit. Who reads Russian?

    [link deleted]
     
    Last edited: Sep 3, 2006
  13. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
  14. Absane Rocket Surgeon Valued Senior Member

    Messages:
    8,989
    I am at Myrtle Beach right now.
     
  15. Em.... My reading Russian isn't anything to brag about, but from what I can discern it's basically a sales pitch announcing the release of the latest version of 3.11 php based sniffer - highlights the improvements, etc. The rest is a bunch of Russians expressing various sentiments of interest/problems regarding the use of the script in question....

    Lord, how the winter nights must simply fly by.
     
  16. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Yeah. I sent it through altavista and it really doesn't seem to give any information...
    Bah.
    The thing is that if this is able to hijack passwords and forum sessions so easily..... Then there is something seriously wrong with this picture.

    I guess part of the problem is that I'm not on my own computer and thus am not as secure as I normally am. I bet if I were on my computer, I'd not have got tagged. I did see mention of internet explorer in the thread... I'm still not sure if this is a vbulletin vulnerability or ie vulnerability or what...


    Edit:
    Killjoy just got tagged.
     
  17. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    I already tested how to sniff the site (wrote my own script to test it, however I didn't actually "Post" the script on the site). The exploit is a mixture of Sciforums allowing HTML tags in posts and the actual browser.

    If you don't want to get caught out with your cookie being stolen then you'd have to disable javascript from your browser (which I don't think would majorly affect sciforums). Like I said, all those that visited that thread, change your password, log out, then log back in.

    Technically you don't need to crack the password if you are hijacking a session.
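
The defences this post points toward, shown as an added Python example that is not part of the thread and is not vBulletin's code: user-supplied HTML is escaped before display, the session cookie is hidden from script, and a password change drops every existing session. `render_post`, `SessionStore`, `token_from_header` and the cookie name `session` are hypothetical names, and the sample post is constructed.

```python
import html
import secrets
from http.cookies import SimpleCookie

# Constructed sample: markup an HTML-enabled forum would hand unchanged to every reader.
SAMPLE_POST = '<b>hi</b><script src="https://example.invalid/s.js"></script>'


def render_post(body):
    """Escape user text so the browser displays tags instead of executing them."""
    return html.escape(body, quote=True)


class SessionStore:
    """Server-side sessions: the cookie holds a random token, never a password hash."""

    def __init__(self):
        self._sessions = {}  # token -> user id

    def login(self, user_id):
        """Create a session and return the Set-Cookie header value for it."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        cookie = SimpleCookie()
        cookie["session"] = token
        cookie["session"]["path"] = "/"
        cookie["session"]["secure"] = True
        cookie["session"]["httponly"] = True  # not readable through document.cookie
        cookie["session"]["samesite"] = "Lax"
        return cookie["session"].OutputString()

    def user_for(self, token):
        """Return the user id for a live token, or None if it is unknown or revoked."""
        return self._sessions.get(token)

    def revoke_user(self, user_id):
        """On password change, drop every session of the user; return how many."""
        stale = [t for t, u in self._sessions.items() if u == user_id]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def token_from_header(header):
    """Extract the token from a Set-Cookie value produced by SessionStore.login."""
    return header.split(";", 1)[0].split("=", 1)[1]
```

Because the token is random and only maps to a user on the server, a copied cookie stops working as soon as `revoke_user` runs, and it reveals nothing about the password itself.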
     
  18. Mmmmm. Would you?

     
  19. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    Alright.
    So. What I did was set up the restricted sites setting on this computer to medium and disabled active scripting. I then added sciforums to the restricted site list.
    I didn't want to disable javascript altogether as this isn't my computer and javascript does come in handy. I first tried setting it to prompt but I was getting a prompt on every page... That's no good.

    What a pain in the ass this is.
    Seems like a good reason to disable html, eh? Occasionally it comes in handy to be able to post html, but if this is the side effect then I'd rather it be turned off.

    Here's what it says: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; MSN 9.0;MSN 9.1; MSNbMSNI; MSNmen-us; MSNcIA)

    I guess that's a roundabout way of saying it's Internet Explorer. When I first read it in that data.txt it was difficult to read. I've since found out that the config.php gives the information in an easy to read format.

    Looks like our script kiddie calls himself "the maniac" and has put his precious script in another forum too.

    What's funny is that no one would ever have known about it if he hadn't been such an idiot in his opening post. That's what is dangerous about this. If this thing really works, then all he has to do is put the script in a post that wouldn't draw attention and wham. He's got you.

    I agree that he's most likely looking for admin passwords. But I wouldn't want to lose my account to some douchebag.

    Now. There's a problem. By the time I get home, the thread will probably be deleted and I won't be able to tell whether or not my security at home would protect me or not...

    Stupid little script kiddie fuckers.


    Edit: Bah. And as a result of putting sciforums on the restricted list, it would seem that every time I go to www.sciforums.com my cookies are reset. Sigh. Maybe I'll just disable scripting and remember to turn it back on before leaving....

    Stupid script kiddies.
     
    Last edited: Sep 3, 2006
  20. Roman Banned Banned

    Messages:
    11,560
    Thanks for the heads up.
     
  21. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    It's possible that he wanted to draw attention to the potential of it being exploited, otherwise I'm sure there could have been more harm caused.

    Nonetheless it's something that needs fixing at the earliest opportunity and unfortunately that means the HTML feature. The only hope is there is some sort of Hack that can be added to the forum to enable HTML to different groups as opposed to forums, as that would stop low submission users posting such exploits.
     
  22. invert_nexus Ze do caixao Valued Senior Member

    Messages:
    9,686
    My pleasure. Here you can follow along:

    [Link deleted]

    By the way. James R just got tagged. Watch it, James.

    edit: Figured I'd erase the link just in case. James beat me to deleting the link in the original post.
     
    Last edited: Sep 3, 2006
  23. Roman Banned Banned

    Messages:
    11,560
    Do you know if the linked site could also be scripted?
     
