1 xangelusx Nov 30, 2006 14:39
3 xangelusx Nov 30, 2006 15:21
I'd recommend deleting or renaming import-mt.php for now. I'm still looking over my error logs, but that appears to be the only file that they went after.
4 xangelusx Nov 30, 2006 15:27
It's amusing to note that they are looking for installations without the captcha plugin installed.
Note that the referrers that I saw yesterday were only looking for "powered by b2evolution 1.8.5", and not the comment form, though earlier referrer searches did contain the comment form portion of the query. The fact that they successfully hacked my install using the import-mt.php file and still are looking for comment forms would lead me to believe that in addition to the hack that they used with my installation they also think there is a possibility of exploiting some perceived vulnerability with the comment forms.
5 topanga Nov 30, 2006 15:42
if you are happy with this message : I'm just recovering from my hack as well...
also 0.9 blogs were affected..
6 john Nov 30, 2006 15:50
The only file I always delete is the install file, but based on your post I have also deleted the import-mt.php
I still look forward to what the developers have to say.
7 yabba Nov 30, 2006 15:55
Thanks for the heads up, this is currently being looked into
¥
8 fplanque Nov 30, 2006 16:38
Hi,
xangelusx I emailed you. Thanks again :)
I have issued an alert here:
http://b2evolution.net/news/2006/11/30/security_alert_import_mt_php
Because this thread gives clues as to how to replay the attack whereas the alert only gives minimal curing instructions, I strongly advise everyone to link to the alert instead of this thread when mentioning this issue.
Let's not make it any easier than needed for anyone else to pick up on the exploit.
9 xangelusx Nov 30, 2006 16:56
Thanks for the quick responses everyone. My host informs me that they have just about cleaned everything up.
I sent off emails to Citibank and my domain registrar explaining what happened in case people start receiving fraudulent emails with my domain name as the target.
Hopefully I'll be back up and running by this evening.
10 xangelusx Nov 30, 2006 17:01
Oh, and do you think there is any potential exploit involving the comment form as might be indicated by those versions of the referral search strings?
One final thought - If a patch to import-mt.php is not possible/practical, then perhaps in a future version you could add a variable to the file that would need to be manually changed (i.e. 0 -> 1) in order to use the import script. This would prevent the attack from being able to occur if people just overlooked the file. You could also add a comment near this variable that would remind people to delete the file or reset the flag after they are done.
11 fplanque Nov 30, 2006 17:50
With the latest investigation, 0.9.x versions appear to NOT be affected. A little relief ;)
I will package secured versions of b2evo later tonight.
Expect these: 1.9.1, 1.8.6.
12 donthecat Nov 30, 2006 19:00
Dunno if it's related to this, but when I accessed the folder to delete the import.php file, I found this error log file in the same folder with this content...
[30-Nov-2006 08:29:11] PHP Fatal error: Call to undefined function: is_logged_in() in /home/xxxxx/public_html/donblog/inc/CONTROL/imports/import-mt.php on line 112
[30-Nov-2006 11:08:10] PHP Fatal error: Call to undefined function: is_logged_in() in /home/xxxxx/public_html/donblog/inc/CONTROL/imports/import-mt.php on line 112
I've replaced my root folder name above with xxxxx for privacy reasons
I was nowhere near my blog virtually at both the timestamps (IST). Anything relevant ?
(you don't need it. It is only used *during* the import if you have migrated from MT to b2evo).
The above is from FP's Security Alert on the b2evo site. Just curious, why not make the import script an on-demand downloadable plug-in rather than part of the default package?
13 jtruchon Dec 01, 2006 06:39
I'm using 1.8.5 and checked the: /blogs/inc/CONTROL/imports directory but import-mt.php wasn't there. I did find a file called momix.php with yesterday's date stamp...I didn't put it there, and it's a strange file. I deleted it, do you think I was hacked...my blog seems fine.
Checking the rest of the install directory and so far no other strange files.
TIA
14 edb Dec 01, 2006 07:51
That file name doesn't belong there. Lots of information flew around today. I got confused. Something makes me think you should check your media folders for anything odd. In fact if I were you I'd play it real safe and dump everything on the server and upload them all over again from my local copy. I'd probably be freaked out enough to do the deleting from my host's file manager instead of through my FTP thingie.
15 jtruchon Dec 01, 2006 08:27
EdB;
Yes, hacked real bad...! That file contained: r57shell.php, a php shell program and a spamming tool. Once executed, it allows the hacker to view and modify all files on your account and to execute arbitrary commands on the server.
My hosting company is doing a complete restore right now. Once done, they told me to change all my passwords....what a mess.
Looks like they were able to download most of my site.
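The two questions raised in posts 12 and 15 above, "are these error-log entries relevant?" and "does this file belong here?", can both be answered with a small audit script. The following is an added example written for this thread, not code from b2evolution or from any poster. It assumes the default PHP error_log line format quoted in post 12 and a b2evo-style layout with a `blogs/` code tree and a `media/` upload tree; the sample log lines and the demo directory tree are constructed for the example.

```python
import os
import re
import tempfile
from datetime import datetime

# Assumed PHP error_log format, as quoted in post 12:
# "[dd-Mon-YYYY HH:MM:SS] PHP Fatal error: <message> in <file> on line <N>"
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.+?)"
    r" in (?P<file>\S+) on line (?P<line>\d+)$"
)

# Scripts that should not be hit at all on a production blog (from the alert
# and this thread); any request that reaches them deserves a look.
WATCH_FILES = ("import-mt.php", "install/index.php")

# Constructed sample: the two lines from post 12 plus one ordinary notice.
SAMPLE_LOG = """\
[30-Nov-2006 08:29:11] PHP Fatal error: Call to undefined function: is_logged_in() in /home/xxxxx/public_html/donblog/inc/CONTROL/imports/import-mt.php on line 112
[30-Nov-2006 09:00:00] PHP Notice: Undefined variable: foo in /home/xxxxx/public_html/donblog/index.php on line 5
[30-Nov-2006 11:08:10] PHP Fatal error: Call to undefined function: is_logged_in() in /home/xxxxx/public_html/donblog/inc/CONTROL/imports/import-mt.php on line 112
"""

# Constructed "clean distribution" list; in practice build it from a fresh
# download of the release you run, after deleting install/ and import-mt.php.
EXPECTED_FILES = {"blogs/index.php"}


def parse_error_log(text):
    """Return one dict per parseable error_log line, with ts as a datetime."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d-%b-%Y %H:%M:%S")
        entries.append(e)
    return entries


def suspicious_hits(entries):
    """Entries whose failing script is one of the watched files.

    The timestamps are the useful part: match them against the web server
    access log to see which request reached the script."""
    return [e for e in entries if any(e["file"].endswith(w) for w in WATCH_FILES)]


def unexpected_php_files(webroot, expected):
    """Walk the web root and flag PHP files that either sit under the media
    upload tree (which should never contain executable code) or are absent
    from the clean distribution list."""
    findings = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            rel = rel.replace(os.sep, "/")
            if rel.startswith("media/"):
                findings.append((rel, "php file under upload tree"))
            elif rel not in expected:
                findings.append((rel, "not in clean distribution list"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed web root mimicking the situation in this thread."""
    root = tempfile.mkdtemp(prefix="b2evo_audit_")
    for rel in (
        "blogs/index.php",
        "blogs/inc/CONTROL/imports/import-mt.php",   # should have been deleted
        "blogs/inc/CONTROL/imports/momix.php",       # name from post 13
        "media/blogs/info/confirm/index.php",        # phishing page in uploads
        "media/blogs/photo.jpg",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")
    return root


if __name__ == "__main__":
    for e in suspicious_hits(parse_error_log(SAMPLE_LOG)):
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}  {e['file']}  line {e['line']}")
    for rel, why in unexpected_php_files(build_demo_tree(), EXPECTED_FILES):
        print(f"{rel}: {why}")
```

Both error-log entries in post 12 are flagged because the script that died is import-mt.php, which nobody on a live blog should be requesting; the fatal error itself only means the request bailed out, so the next step is to look up those two timestamps in the access log. The file walk reproduces what posts 13 and 15 found by hand: a PHP file under the upload tree and a PHP file that is not part of the release.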
16 xangelusx Dec 01, 2006 15:41
EdB wrote:
That file name doesn't belong there. Lots of information flew around today. I got confused. Something makes me think you should check your media folders for anything odd. In fact if I were you I'd play it real safe and dump everything on the server and upload them all over again from my local copy. I'd probably be freaked out enough to do the deleting from my host's file manager instead of through my FTP thingie.
That's what I ended up doing too. Just to be safe.
17 john Dec 02, 2006 00:42
Is there any list of the files that have been changed/updated from 1.9.0 to the security patched 1.9.1?
18 xangelusx Dec 02, 2006 04:32
I'm about to merge 1.9.1 into my 1.9 editor with Beyond Compare (a G-R-E-A-T file comparison and merging tool by the way. Great for merging b2evo updates into a customized install). I'll make a diff report and PM it to you.
19 xangelusx Dec 02, 2006 04:33
PS: Will the downloads page be updated with the new version soon?
20 donthecat Dec 02, 2006 07:35
xang>
I'll make a diff report and PM it to you.
Pls send me a copy too. I just UPgraded from Dawn to 1.8.5 and can make use of the changed details to avoid a major reinstall :-)
Btw, Beyond is a great tool which I've been using for a while now. I installed WinMerge about a month back and found it to be actually better in some features.
21 xangelusx Dec 03, 2006 05:17
Donthecat wrote:
Pls send me a copy too. I just UPgraded from Dawn to 1.8.5 and can make use of the changed details to avoid a major reinstall :-)
Sorry, I completely flaked when I got to merging files and forgot to make the report beforehand. There were quite a few files that changed, though many of them were just cosmetic changes to the files and small updates not related to the hack.
22 samredman Apr 14, 2007 10:24
I got hacked with this exact phishing exploit tonight using 1.9.2. In the security alert... here:
http://b2evolution.net/news/2006/11/30/security_alert_import_mt_php
it says.
In b2evo versions 1.x, delete this file from your server:
/blogs/inc/CONTROL/imports/import-mt.php
In b2evo versions 0.9.x, you don't need to do anything, you're not affected by this issue.
This was a phishing installation done with this exploit:
/media/blogs/info/confirm/bankofamerica/updateacc/e-online-banking/
I will delete that import-mt.php on all future installations (that whole thing is now deleted by IT manager), but my question is... since this occurred on 1.9.2 is deleting that movable type import file going to fix it?
23 yabba Apr 15, 2007 10:32
AFAIK that security hole has been closed since 1.9.1 so it shouldn't be the source of your troubles.
Do you run any other software such as forums ?
¥
Funny you should mention this....
I found TWO instances of this... the referrer being alltheweb.com
I'm interested in any other feedback on this and what files could be considered risky.