
Bug?

Posted: Wed Apr 20, 2011 4:57 pm
by Spintown
For a few days I couldn't visit the Song Fight home page without something attacking my computer. Seems to be better now, but it still does it when I try to view the results from the last fight. I don't see anyone else mentioning it in here, so was it just me having problems?

Re: Bug?

Posted: Wed Apr 20, 2011 5:12 pm
by fluffy
"Without something attacking my computer" is a liiiiiiiiitle bit vague. Could you try posting a screenshot of what's happening, and maybe the page source?

Re: Bug?

Posted: Wed Apr 20, 2011 9:57 pm
by JonPorobil
Actually, Spud was just in the IRC room talking about a malware notice he got yesterday. So this is likely a known issue. Still, a little more specificity couldn't hurt.

Re: Bug?

Posted: Thu Apr 21, 2011 12:13 pm
by Spud
We believe that the malware issue has been resolved.

Re: Bug?

Posted: Thu Apr 28, 2011 2:30 pm
by bartok2112
I just got the malware, fake antivirus thing again at 2:23 pm. It happened when I clicked on the Beaten Man link under last week's fight. I also received it this morning when I voted.

- Paul

Re: Bug?

Posted: Thu Apr 28, 2011 9:27 pm
by Spud
Sorry, I was under the mistaken impression that JB had done something besides change the passwords. I have cleaned up the code tonight. Please continue to post notices of any further problems.

SPUD

Re: Bug?

Posted: Wed May 04, 2011 5:43 am
by bartok2112
Ugh, it just happened again. This time, when I went to the main Songfight.org page.

Re: Bug?

Posted: Wed May 04, 2011 8:33 am
by fluffy
Spud, it would be really helpful if I could get server access again so that I can diagnose how this exploit apparently keeps happening.

Re: Bug?

Posted: Wed May 04, 2011 2:48 pm
by fluffy
I found a few insidiously well-hidden things that were continuously reinfecting the whole site. They should all be gone now. It also looks like the original exploit was installed via WordPress (songfight.net/blog), which I have now disabled as well. (The server logs indicate that nobody has gained unauthorized login/admin access to the actual hosting account.)

If you're running WordPress, PLEASE PLEASE PLEASE make sure that you're running the latest version of that insecure festering shitpile, because there are some pretty widespread massive exploits going on against it right now. http://blog.sucuri.net/2011/04/mass-inf ... g-com.html has a bit more information.

Re: Bug?

Posted: Wed May 04, 2011 3:08 pm
by ken
fluffy wrote: I found a few insidiously well-hidden things that were continuously reinfecting the whole site. They should all be gone now. It also looks like the original exploit was installed via WordPress (songfight.net/blog), which I have now disabled as well. (The server logs indicate that nobody has gained unauthorized login/admin access to the actual hosting account.)
HUZZAH!!!

Re: Bug?

Posted: Wed May 04, 2011 9:23 pm
by Spud
Do I need to clean up again?

Re: Bug?

Posted: Wed May 04, 2011 10:37 pm
by fluffy
What, did something happen again? I thought I'd cleaned up everything and disabled the obvious points of infection.

Re: Bug?

Posted: Thu May 05, 2011 10:20 am
by Spud
Yes, pretty much every php file was infected. Linked or not, in use or not. Html was fine. I just cleaned up again. Will continue to monitor.

Re: Bug?

Posted: Thu May 05, 2011 10:50 am
by fluffy
Fucking hell. Must have been another infection I missed. The malware was VERY good at hiding itself, and I thought I found all the places it was coming up.

What was it infected with?

Re: Bug?

Posted: Thu May 05, 2011 11:05 am
by fluffy
Found a pretty big security hole in songpage and artistpage which is being actively exploited by people. As always it's one of those things that PHP makes WAY too easy to fuck up on. Will put in a fix ASAP.

Re: Bug?

Posted: Thu May 05, 2011 4:56 pm
by Spud
Fill me in offline, if possible, so that I can learn from this.

Thanks.

Re: Bug?

Posted: Thu May 05, 2011 5:09 pm
by fluffy
Well, the main thing is something everyone should know about: include() and fopen() can both take arbitrary URLs as parameters, unless it's explicitly disabled in php.ini. Stupidest language "feature" EVER. My fix was to abort if it detects a :// in a key parameter.

I've audited all of the site-specific PHP and I think I fixed all the places where that could happen, but of course there's always the possibility of other stuff like that.

PHP really is a shitty language from a writing-secure-apps standpoint. Although I'd like to point out that if Songfight were database-driven rather than file-driven, it would be a lot easier to write code in a more secure way. Direct filesystem access is bad news in PHP.
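
The check described in the last post (abort when a key parameter contains `://`), shown as an added example that is not part of the thread or the site's own code. It also goes one step further with a name allowlist and a directory containment check. The names `SONG_DIR`, `resolve_song_page` and the `song` parameter are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example; SONG_DIR, resolve_song_page() and the "song" parameter are hypothetical.

// Vulnerable pattern (shown for contrast, not executed here):
//   include($_GET['song'] . '.php');
// When URL wrappers are enabled in php.ini (allow_url_fopen / allow_url_include),
// the parameter can name a remote resource instead of a local file.

const SONG_DIR = __DIR__ . '/songs';   // assumed content directory

/** Return the absolute path of the page to include, or null to reject. */
function resolve_song_page(string $param, string $baseDir = SONG_DIR): ?string
{
    // 1. The check described in the post: refuse anything that looks like a URL.
    if (strpos($param, '://') !== false) {
        return null;
    }
    // 2. Stricter: a plain name only, so no "../", no NUL byte, no "data:" style wrapper.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $param)) {
        return null;
    }
    // 3. Resolve the path and confirm the file really lives under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $param . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs, checked against a temporary directory.
$dir = sys_get_temp_dir() . '/songs_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/sample_song.php', '<?php echo "song page\n";');

$inputs = ['sample_song', 'http://example.invalid/x', '../../etc/passwd', 'data:text', 'missing'];
foreach ($inputs as $in) {
    $p = resolve_song_page($in, $dir);
    printf("%-28s %s\n", $in, $p === null ? 'rejected' : 'include ' . basename($p));
}

unlink($dir . '/sample_song.php');
rmdir($dir);
```

The `://` test alone stops URL-style values; the allowlist and `realpath()` comparison also cover relative-path traversal and names that do not exist on disk.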