A record of a real attack on the FineUI official forum! Be an ethical hacker like ice!

Source: Internet
Author: User
Tags: upload, php

Perhaps it was the recent CSDN vote we took part in: the FineUI forum attracted a large number of onlookers, and a few hackers among them. This article records the attack on the FineUI forum in chronological order, in the hope that it helps other webmasters.

 

Anomaly Detected

In the morning I opened the FineUI official forum (http://fineui.com/bbs/) as usual and found that I could not get in. I assumed the server was under DDoS attack again (two days earlier it had been attacked continuously and was occasionally unreachable), so I hurried to QQ to contact the server administrator, only to find that he had already left me a message:

 

Before I had even finished reading the message I was worried: it really was an attack. Was it because I had been at the top of the recent vote and got targeted? (Later it turned out that was not the case.) I could not help wondering whether the database had been lost ....

 

After calming down, I took a look at the Trojan:

 

It turned out to be a PHP Trojan. How had these files been uploaded to the server?

 

The server administrator's analysis

This time I really have to thank the server administrator, Xiao Fengying, and the hosting he maintains. Here is his analysis:

```text
14:03:11 w3svc129 115.239.252.29 GET /BBS/data/attachment/FORUM/201306/19/Forum-80-115.236.84.185 Mozilla/5.0+(Windows+NT+6.2;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/27.0.1453.116+Safari/537.36 304 0 0 141 62
14:03:11 w3svc129 115.239.252.29 GET /BBS/data/attachment/FORUM/201306/19/Forum-80-222.81.215.230 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.89+Safari/537.1 304 0 0 141 1194 95
14:03:11 w3svc129 123.157.149.29 POST /demo/upload/0000000080-222.136.235.23 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 200 0 0 10497 48738 1008
14:03:11 w3svc129 115.239.252.29 GET /BBS/data/attachment/FORUM/201306/19/Forum-80-222.81.215.230 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.89+Safari/537.1 304 0 0 141 1161 98
14:03:11 w3svc129 115.239.252.29 GET /BBS/data/attachment/FORUM/201306/19/Forum-80-119.96.106.20 Mozilla/5.0+(Windows+NT+6.1;+rv:6.0.1)+Gecko/20100101+Firefox/6.0 200 0 0 14241 67
14:03:11 w3svc129 115.239.252.29 GET /BBS/data/attachment/FORUM/201306/19/Forum-80-222.81.215.230 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.89+Safari/537.1 304 0 0 141 1161 100
```

This is the request I found in the log by matching the file's modification time (the log uses UTC):

```text
14:03:11 w3svc129 123.157.149.29 POST /demo/upload/0000000080-222.136.235.23 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 200 0 0 10497 48738 1008
```

Apparently this person, 222.136.235.23, used the upload function on your site to upload an ASPX Trojan and then tampered with your homepage file.

/Demo/upload/635074464204358063_ice.aspx

I happened to find a Trojan in the /demo/upload/ directory ...

There are a lot of files in the upload directory ... probably left by people trying out the demo.

The logs of the past few days have looked a little abnormal. I don't know whether someone is up to something ....

I only needed to keep analysing the access log for that IP address. I imported the log into Excel and filtered it:

Going through the rows one by one, I found that files were being uploaded again and again through the /demo/form/fileupload.aspx page.

After the POST in row 3, the ASPX Trojan had been successfully written to your upload directory:

```text
13:08:09  POST  /demo/form/fileupload.aspx
13:08:13  GET   /demo/upload/635074456895620028_safer.aspx
13:08:16  GET   /demo/upload/635074456895620028_safer.aspx
```

I also tested the /demo/form/fileupload.aspx page myself: it accepts PHP and ASPX files, and after the upload the file path can be read from the image path in the output:

I will send you the analysis and the exported log and hope you fix it as soon as possible (verify the uploaded file type). This may be the entry point through which the PHP Trojan package was uploaded.

To stop anyone else from using this vulnerability to upload Trojans or tamper with data, I have renamed the page for you for now:

/demo/form/fileupload.aspx -> /demo/form/fileupload_.aspx

This person's IP address should be the one I mentioned above. He probably obtained the MySQL password and entered the database to modify permissions.
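The administrator did the correlation above by hand, filtering the log in Excel for one IP. The same check can be scripted: pair every successful POST to the upload handler with the first later request for a script file inside an upload directory from the same client. The block below is an added example, not code from the original post or from FineUI. The log lines are constructed in a simplified W3C-style layout (time, method, URI, client IP, status); the first three rows mirror the sequence quoted above, the rest are benign traffic for contrast. The endpoint and directory names are taken from the paths in the post and are assumptions about the layout, not a description of the real server.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not the forum's real log), in a simplified W3C-style
# layout: time  method  uri-stem  client-ip  status.
SAMPLE_LOG = """\
13:08:09 POST /demo/form/fileupload.aspx 222.136.235.23 200
13:08:13 GET /demo/upload/635074456895620028_safer.aspx 222.136.235.23 200
13:08:16 GET /demo/upload/635074456895620028_safer.aspx 222.136.235.23 200
13:09:02 POST /demo/form/fileupload.aspx 10.0.0.5 200
13:09:05 GET /demo/upload/635074457000000000_avatar.png 10.0.0.5 200
13:20:40 GET /demo/upload/old_shell.php 198.51.100.7 404
"""

# Handlers that write client-supplied files, and the directories they write to
# (assumed from the paths quoted in the post).
UPLOAD_ENDPOINTS = {"/demo/form/fileupload.aspx"}
UPLOAD_DIRS = ("/demo/upload/", "/bbs/data/attachment/")
# Extensions IIS or PHP would execute instead of serving as static content.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".phtml", ".jsp", ".cer"}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Parse one sample line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time_s, method, uri, ip, status = m.groups()
    return {
        "time": datetime.strptime(time_s, "%H:%M:%S"),
        "method": method.upper(),
        # Drop the query string; IIS paths are case-insensitive, so compare lower-case.
        "path": uri.split("?", 1)[0].lower(),
        "ip": ip,
        "status": int(status),
    }


def is_script_in_upload_dir(path):
    """True when a request targets an executable file inside a directory uploads land in."""
    return path.startswith(UPLOAD_DIRS) and os.path.splitext(path)[1] in SCRIPT_EXTS


def find_webshell_drops(log_text, window=timedelta(minutes=10)):
    """Per client IP, pair a successful POST to an upload handler with the first
    later successful GET of a script inside an upload directory.

    Returns {ip: {"upload_post": "HH:MM:SS", "first_hit": "HH:MM:SS", "shell": path}}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        last_post = None
        for r in recs:
            if r["status"] != 200:
                continue  # failed uploads and 404s on old shells are not a drop
            if r["method"] == "POST" and r["path"] in UPLOAD_ENDPOINTS:
                last_post = r["time"]
            elif (r["method"] == "GET" and is_script_in_upload_dir(r["path"])
                  and last_post is not None and r["time"] - last_post <= window
                  and ip not in hits):
                hits[ip] = {
                    "upload_post": last_post.strftime("%H:%M:%S"),
                    "first_hit": r["time"].strftime("%H:%M:%S"),
                    "shell": r["path"],
                }
    return hits


if __name__ == "__main__":
    for ip, info in find_webshell_drops(SAMPLE_LOG).items():
        print(f"{ip}: POST {info['upload_post']} -> GET {info['shell']} at {info['first_hit']}")
```

Running it against the sample prints only 222.136.235.23, since the other client uploaded a PNG and the PHP request failed. Any GET of a script under an upload directory deserves a look even without a preceding POST; the pairing just ranks the obvious drops first.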

 

The intrusion

From the analysis above, the hacker's path was roughly as follows:

1. Upload a PHP Trojan through http://fineui.com/demo/#/demo/form/fileupload.aspx;

2. Use the Trojan to obtain forum privileges and tamper with the homepage;

3. Make himself a forum administrator.

 

What I was actually most worried about was whether, after obtaining administrator rights, he would suddenly delete all users or run some other batch operation; that would be real trouble.

 

Later I found that the hacker had not done that. He had only made himself an administrator, so I was less worried, because this was an:

 

Ethical hacker: Ice

 

 

 

Fixing the attacked website

My next steps were:

1. Ban the user ice from logging on to the forum;

2. Modify FineUI's official example so that users can only upload image files and nothing else.

 

The added code is as follows:

 
```csharp
// Requires: using System.Collections.Generic;
// Allowlist of extensions the demo accepts; everything else is rejected.
protected static readonly List<string> VALID_FILE_TYPES = new List<string> { "jpg", "bmp", "gif", "jpeg", "png" };

// Returns true only when the part after the last '.' (compared case-insensitively)
// is in the allowlist. A name with no '.' yields an empty extension and is rejected.
protected static bool ValidateFileType(string fileName)
{
    string fileType = string.Empty;
    int lastDotIndex = fileName.LastIndexOf(".");
    if (lastDotIndex >= 0)
    {
        fileType = fileName.Substring(lastDotIndex + 1).ToLower();
    }

    return VALID_FILE_TYPES.Contains(fileType);
}
```
 
```csharp
protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (filePhoto.HasFile)
    {
        // ShortFileName: the client file name without its directory part.
        string fileName = filePhoto.ShortFileName;

        // Reject anything outside the image allowlist before it touches the disk.
        if (!ValidateFileType(fileName))
        {
            Alert.Show("Invalid file type!");
            return;
        }

        // Neutralise characters that could change the target path.
        fileName = fileName.Replace(":", "_").Replace(" ", "_").Replace("\\", "_").Replace("/", "_");
        // Prefix with the current tick count so repeated uploads do not overwrite each other.
        fileName = DateTime.Now.Ticks.ToString() + "_" + fileName;

        filePhoto.SaveAs(Server.MapPath("~/upload/" + fileName));

        labResult.Text = "<p>User Name: " + tbxUserName.Text + "</p>" +
            "<p>Avatar:<br/><img src=\"" + ResolveUrl("~/upload/" + fileName) + "\"/></p>";

        // Clear the form fields
        SimpleForm1.Reset();
    }
}
```
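The fix above checks only the extension and still stores the file under a name the uploader largely controls. That stops the straightforward shell.aspx upload that happened here, but a practitioner would also want the content checked against the claimed type, script extensions rejected anywhere in the name (shell.aspx;.jpg, shell.php.gif), and a server-chosen storage name; simply renaming the vulnerable page, as was done as a stopgap, is not a fix because the new name can be guessed. The following is an added example of those checks, written in Python as language-neutral logic for the ASP.NET handler to mirror; it is not FineUI's code, and the function names, the allowlist and the script-extension list are the author's assumptions.

```python
import re
import secrets

# Allowed extensions mapped to the magic bytes a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "bmp":  (b"BM",),
}
# Extensions a web server may execute; rejected anywhere in the name, so
# "shell.aspx.jpg" fails even though its last part is allowed (assumed list).
SCRIPT_EXTS = {"asp", "aspx", "ashx", "asmx", "cer", "config", "php", "phtml", "php5", "jsp", "exe", "dll"}


class UploadRejected(ValueError):
    """Raised with a reason whenever a file fails validation."""


def validate_upload(client_filename, data):
    """Validate a client-supplied name plus content; return the name to store the file under.

    The client name is used only for the allowlist decision. Storage uses a random
    server-chosen name with a canonical extension, so nothing the uploader controls
    reaches the file system. Serve the upload directory with script execution
    disabled (or store outside the web root) as the second layer of defence.
    """
    # Strip any directory part, Windows or POSIX, that a client might smuggle in.
    base = re.split(r"[\\/]", client_filename)[-1]
    if not base or base in (".", ".."):
        raise UploadRejected("empty or path-like file name")
    # Semicolons, percent-escapes and control bytes cover the "shell.aspx;.jpg"
    # and "%00" truncation tricks.
    if re.search(r"[;%\x00-\x1f]", base):
        raise UploadRejected("forbidden characters in file name")

    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in IMAGE_SIGNATURES:
        raise UploadRejected("extension not allowed")
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        raise UploadRejected("script extension embedded in file name")
    ext = parts[-1]

    # The content must look like the claimed image type, not just be named like one.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match extension")

    canonical = "jpg" if ext == "jpeg" else ext
    return secrets.token_hex(16) + "." + canonical


def is_accepted(client_filename, data):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: a real-looking PNG header and the kind of name seen in the log.
    print(validate_upload("avatar.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print(is_accepted("635074456895620028_safer.aspx", b"<%@ Page Language=\"C#\" %>"))
```

The returned name is 32 hex characters plus the canonical extension, so the tick-count prefix and the client's name never reach SaveAs. The magic-byte check is cheap and catches a renamed script, but it does not prove the file is a well-formed image; where the image will be re-served, decoding and re-encoding it with an image library is the stronger option.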

 

 

I was still careless!

Perhaps because this ice seemed so well-behaved, I forgot to change the administrator password, which may already have been cracked. I did not discover this until the evening!

 

Because ice had made himself an administrator and posted a message telling me "the password is 12345". Sorry, I deleted that post; otherwise I would have shown it to everyone for a laugh!

 

Helplessly, I logged on to my own website with the password 12345 that someone else had told me, and deleted all of ice's information again. At that point I still had no idea how ice had regained administrator privileges!

 

Later, from the Discuz log, I found my own mistake:

 

The log shows the following sequence:

1. In the morning, after logging in, I banned ice from accessing the forum;

2. Within the next hour, ice logged in with my account, unbanned ice and set it as administrator;

3. I noticed this in the evening and deleted all of ice's information again.

 

Then I changed all the related passwords!

 

 

Conclusion

First, make sure your code is free of vulnerabilities, and pay special attention to anywhere that handles user input or user uploads!

Second, I hope every hacker learns from ice and becomes an ethical hacker (it is fine to have a bit of fun, but never destroy other people's data)!

 

 

 
