By a group calling themselves “The Hole Seekers”. Visitors to the forum were greeted with this when visiting the site. A full video capture of the hack can be found here.
The payloads involved in this hack can be found below:
HTML source: https://gist.github.com/super3/6802799
Javascript payload: https://gist.github.com/super3/6802808
According to several people who have browsed over the source, nothing malicious was involved in the payload. However, it unknown is whether or not any user data was compromised. Stay tuned for more information.
UPDATE FROM THEYMOS:
It’s unfortunately worse than I thought. There’s a good chance that the attacker(s) could have executed arbitrary PHP code and therefore could have accessed the database, but I’m not sure yet how difficult this would be. I’m sending out a mass mailing to all Forum users about this.
Summary: The forum will be down for a while. Backups exist and are held by several people. At this time I feel that password hashes were probably not compromised, but I can’t say for sure. If you used the same password on bitcointalk.org as on other sites, you may want to change your passwords. Passwords are hashed using sha256crypt with 7500 rounds (very strong). The JavaScript that was injected into bitcointalk.org seems harmless.
Here’s what I know: The attacker injected some code into $modSettings[‘news’] (the news at the top of pages). Updating news is normally logged, but this action was not logged, so the update was probably done in some roundabout way, not by compromising an admin account or otherwise “legitimately” making the change. Probably, part of SMF related to news-updating or modSettings is flawed. Possibly, the attacker was somehow able to modify the modSettings cache in /tmp or the database directly.
Also, the attacker was able to upload a PHP script and some other files to the avatars directory.
Figuring out the specifics is probably beyond my skills, so 50 BTC to the first person who tells me how this was done. (You have to convince me that your flaw was the one actually used.) The forum won’t go back up until I know how this was done, so it could be down for a while.
UPDATE TWO:
Theymos has been spotted in IRC saying that bitcointalk is soon to come back online. More Information.
Thank you for the updates.
Googling a little reveals this vulnerability
http://www.cvedetails.com/vulnerability-list/vendor_id-9338/product_id-16560/version_id-110955/year-2011/opxss-1/Simplemachines-SMF-1.1.8.html
Бля, это печально
Это шутка такая?
What version of SMF were you using? Any custom plugin? Particular customization?
Web server software/version? PHP version? DB Version? We definitely need more infos about this.
Did they use a malicious .gif containing PHP code? If your server is not configured correctly, a web request such as “bad.gif/filename.php” will get passed to the PHP handler which will execute the contents of the .gif file.
check mod_security to avoid php code injection in future…
Thanks very much for the warning