Author Topic: Hacked, script injection  (Read 248019 times)

Offline san2012

  • Newbie
  • *
  • Posts: 3
Re: Hacked, script injection
« Reply #100 on: May 10, 2009, 12:46:32 PM »
Had the same problem.
What about official answer?

Offline daveaite

  • Semi-Newbie
  • *
  • Posts: 88
    • The BuyPoe Network
Re: Hacked, script injection
« Reply #101 on: May 10, 2009, 01:56:55 PM »
I'm screwed. It's only a matter of time before I get hit. Farewell mates. :(


I'll tighten up security as well and make back-ups, but this is just a pain, I have enough coding troubles as is.
« Last Edit: May 10, 2009, 02:01:01 PM by daveaite »
The BuyPoe Network!


http://vBSocial.com: Forum Styles for vBulletin and SMF

Offline Tiribulus

  • Sophist Member
  • *****
  • Posts: 1,014
  • Gender: Male
    • Tiribulus on Facebook
    • No Other God
Re: Hacked, script injection
« Reply #102 on: May 10, 2009, 04:17:06 PM »
Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.

I'm just guessing, but I'm betting that the really dangerous ones can learn all they need from the code alone. It's no major feat to get read access to somebody's live files either. Even I know how to do that. Regardless, what are people supposed to do? It's impractical to just not discuss your products in public as I'm sure you realize.

Offline WillyP

  • Jr. Member
  • **
  • Posts: 249
    • Planet Descent
Re: Hacked, script injection
« Reply #103 on: May 10, 2009, 04:49:04 PM »
Quote
... however many of my member avatars are still not working. So I am assuming my site must still be affected by that account's attack. Yet, I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where I should be looking so that I can attempt to remove them? Or could I have not been attacked (even though he was a member) and my avatar problem caused by something else? Although I find it unlikely because the problems did begin shortly after he was a member.

Thanx.



My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.

In every file, except for the settings file, there was this at the top, starting on the first line:

Code:
<?php /**/eval(base64_decode(' [note: there was a very long string of letters and digits here, removed for clarity] =')); ?>
<?php

The avatar used displayed as a 1x1 pixel white dot.

Offline Relyana

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,994
  • Gender: Female
Re: Hacked, script injection
« Reply #104 on: May 10, 2009, 09:14:33 PM »
Quote
My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.


What do you mean by that ? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that php code but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic would be in a member only board ? (I guess not ...just asking)

Offline Polymath

  • Jr. Member
  • **
  • Posts: 337
  • Gender: Male
  • NZ Made
    • GameSocket
Re: Hacked, script injection
« Reply #105 on: May 10, 2009, 09:33:31 PM »
Right.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this blokes stuff..?? safe to delete?
* I don't suffer from insanity; I enjoy every minute of it. *
F.I.G.J.A.M

Offline cowdude

  • Semi-Newbie
  • *
  • Posts: 71
  • Gender: Male
  • Politics for me!
    • The Water Cooler
Re: Hacked, script injection
« Reply #106 on: May 10, 2009, 11:00:15 PM »
That's part of the crap I deleted. It had no impact. There is a tool I used that someone referred to on here earlier: ATF-Cleaner @ atribune.org. I kept cleaning my "temp files" out with this before I uploaded anything. It worked!

I have 6 sites tied together on one database.  If it hits one, it nails them all.  I am smarter now than 10 days ago about this stuff.

Just for the record my site is getting as tight as a crabs butt...but for now I am counting on you guys as my "DEPENDS" to help me catch my mistakes!

Thanks everyone I believe I am free of the problem now.

Cowdude
Left or right meet me at THE WATER COOLER to discuss your political views.

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #107 on: May 10, 2009, 11:04:13 PM »
Quote
Right.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this blokes stuff..?? safe to delete?

FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.
    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Offline Polymath

  • Jr. Member
  • **
  • Posts: 337
  • Gender: Male
  • NZ Made
    • GameSocket
Re: Hacked, script injection
« Reply #108 on: May 10, 2009, 11:08:39 PM »
Quote
FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it. 

That's nice.
Do I remove the folder called /32 with all that stuff in it? Is it part of this hacker's stuff?

Offline oakview

  • Semi-Newbie
  • *
  • Posts: 10
Re: Hacked, script injection
« Reply #109 on: May 11, 2009, 01:31:31 AM »
Wouldn't setting the "Method of registration employed for new members" to "Member Approval" act as a tar pit of sorts? If I understand the setting correctly, the person applying for forum membership cannot do anything until approved by an admin.

If this assumption is correct, then wouldn't this be a solution of sorts for forums who typically see a low volume of membership applications? Ours is low enough to make it feasible to examine the IP and email addresses and cull out anything suspicious, or perhaps send a canned query of sorts to the listed email address.

Thoughts anyone? Even with the IP block bans I have in place, I'm still getting applicants that are very suspicious.

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #110 on: May 11, 2009, 01:41:22 AM »
Quote
FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

That's nice.
Do I remove the folder called /32 with all that stuff in it? Is it part of this hacker's stuff?

I'm not sure. But I suggest that you get a backup of that folder (if it's not too large) and then delete it.

However, it's possible that your forum has other problems too... I suggest locking down your site until someone with experience can check it.

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #111 on: May 11, 2009, 01:44:54 AM »
oakview, Member Approval seems like a good idea, but perhaps it's not enough.

As a precautionary measure, I suggest disabling all kinds of uploads, including avatars. If you choose to let members use external avatars via a URL, make sure that you also disable downloading avatars at that URL (it's in Admin > Attachment and Avatars > Avatars).
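The advice above (Reply #111) is to switch avatar uploads off entirely. Where uploads must stay on, the defender's fallback is to refuse anything that is not demonstrably a plain image before it ever reaches the avatar directory. The following is an added example written for this thread, not SMF's own upload code: it sniffs the real image type from magic bytes, checks that extension and declared MIME type agree with it, rejects files carrying a PHP or script open tag (the pattern this thread reports inside the fake avatar), and rejects images smaller than a constructed minimum side length, since the malicious avatar in this thread rendered as a 1x1 dot. The sample byte strings are constructed minimal headers, not real pictures.

```python
import struct

# Magic bytes for the avatar formats a forum typically allows.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
EXT_TO_KIND = {"png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}
# Byte sequences that have no business inside an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def sniff_image_kind(data):
    """Identify the image type from its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def image_dimensions(kind, data):
    """Width/height from the GIF or PNG header; None for JPEG (its header is variable)."""
    if kind == "gif" and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    if kind == "png" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])
    return None


def validate_avatar(filename, data, claimed_mime, min_side=2):
    """Return (accepted, reason). min_side is a constructed heuristic threshold."""
    kind = sniff_image_kind(data)
    if kind is None:
        return False, "not a recognised image"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if EXT_TO_KIND.get(ext) != kind:
        return False, "extension does not match content"
    if claimed_mime != "image/" + kind:
        return False, "declared MIME type does not match content"
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    dims = image_dimensions(kind, data)
    if dims is not None and min(dims) < min_side:
        return False, "image too small (%dx%d)" % dims
    return True, "ok"


# Constructed samples (minimal headers, not real pictures).
GOOD_GIF = b"GIF89a" + struct.pack("<HH", 48, 48) + b"\x80\x00\x00\xff\xff\xff;"
TINY_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00\xff\xff\xff;"
EVIL_GIF = TINY_GIF + b"<?php /* placeholder, not the real payload */ ?>"
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + struct.pack(">II", 64, 64)

if __name__ == "__main__":
    for name, blob, mime in [("me.gif", GOOD_GIF, "image/gif"),
                             ("me.gif", EVIL_GIF, "image/gif"),
                             ("me.gif", TINY_GIF, "image/gif"),
                             ("me.gif", PNG_BYTES, "image/png")]:
        print(name, mime, validate_avatar(name, blob, mime))
```

The marker check runs before the size check on purpose: a file that carries a PHP tag is rejected for that reason whatever its dimensions, so the log entry tells the admin what was actually attempted. Re-encoding the image with an image library on the server side is the stronger control, because it discards everything that is not pixel data, but the checks above need no third-party module.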

Offline thebofh

  • Semi-Newbie
  • *
  • Posts: 73
    • Huck to Flat
Re: Hacked, script injection
« Reply #112 on: May 11, 2009, 01:52:27 AM »
I moved my attachments directory out of public_html some time ago, would I still be vulnerable? I've just implemented bans on the IP ranges, email addresses & usernames mentioned. I've also locked down the newbies group so that they can't upload anything until they have 11 posts and installed that Stop Spam mod.

Is there anything else I should be doing?

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #113 on: May 11, 2009, 01:56:03 AM »
If anyone uses TinyPortal or any other mod that allows user uploads, disable those too.

Offline oakview

  • Semi-Newbie
  • *
  • Posts: 10
Re: Hacked, script injection
« Reply #114 on: May 11, 2009, 02:50:01 AM »
Quote
As a precautionary measure, I suggest disabling all kind of uploads...

@Sarge - done! Good advice.

Offline DirtRider

  • SMF Hero
  • ******
  • Posts: 1,415
  • Gender: Male
  • Just Looking
    • TriumphTalk
Re: Hacked, script injection
« Reply #115 on: May 11, 2009, 03:48:01 AM »
What about if you are running a gallery  :P
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Offline san2012

  • Newbie
  • *
  • Posts: 3
Re: Hacked, script injection
« Reply #116 on: May 11, 2009, 04:48:33 AM »
Quote
What about if you are running a gallery  :P

I think it has a vulnerability too. Because when I went to other infected sites, whose links I found in my HTML after the <body> tag, on some sites I saw an SMF forum but on others a gallery.

Offline san2012

  • Newbie
  • *
  • Posts: 3
Re: Hacked, script injection
« Reply #117 on: May 11, 2009, 04:55:27 AM »
Quote
Right.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this blokes stuff..?? safe to delete?

I had the same situation, that's not a part of SMF, those are the hackers' links to other infected sites. But besides deleting this you should find the avatar with <?php code, style.css.php (it may be another name) and clean every PHP file of the eval(base64_decode( at the top.
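The clean-up this reply describes, and WillyP's finding in Reply #103, amount to three checks across the web root: PHP files whose first bytes contain eval(base64_decode(, image files that contain a PHP open tag, and directories stuffed with extensionless files named by 32 hex characters. The script below is an added example, not code from SMF or from anyone in this thread; it builds a small constructed directory tree showing all three artefacts (the base64 payload is a placeholder, not the real one) and then walks it, reporting what it finds so the admin can restore those files from a known-good copy. Path names, the hex-file threshold and the 512-byte header window are assumptions chosen for the example.

```python
import base64
import hashlib
import os
import re
import tempfile

# Byte string this thread reports at the top of every infected PHP file.
INJECTED_MARKER = b"eval(base64_decode("
# Extensionless names of 32 hex characters, like the files found under icons/32.
HEX32 = re.compile(r"^[0-9a-f]{32}$")
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}


def has_injected_header(path, window=512):
    """True if the first `window` bytes of a PHP file contain the eval/base64 stub."""
    with open(path, "rb") as fh:
        return INJECTED_MARKER in fh.read(window)


def image_contains_php(path):
    """True if a file that should be an image carries a PHP open tag anywhere."""
    with open(path, "rb") as fh:
        data = fh.read()
    return b"<?php" in data or b"<?=" in data


def scan_tree(root, hex_dir_threshold=10):
    """Walk `root` and report the three artefacts described in this thread."""
    findings = {"injected_php": [], "php_in_image": [], "hex_named_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if sum(1 for f in filenames if HEX32.match(f)) >= hex_dir_threshold:
            findings["hex_named_dirs"].append(rel_dir)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".php" and has_injected_header(path):
                findings["injected_php"].append(rel)
            elif ext in IMAGE_EXTS and image_contains_php(path):
                findings["php_in_image"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree():
    """Constructed sample, not a real forum: one injected PHP file, one clean one,
    a fake avatar carrying PHP, a real GIF header, and a folder of hex-named files."""
    root = tempfile.mkdtemp(prefix="smf_scan_")
    os.makedirs(os.path.join(root, "avatars"))
    os.makedirs(os.path.join(root, "icons", "32"))
    payload = base64.b64encode(b"PLACEHOLDER").decode()  # placeholder, not the real payload
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php /**/eval(base64_decode('" + payload.encode() + b"')); ?>\n<?php\n// original code\n")
    with open(os.path.join(root, "Settings.php"), "wb") as fh:   # the thread says Settings was untouched
        fh.write(b"<?php\n$db_name = 'smf';\n")
    with open(os.path.join(root, "avatars", "1_evil.gif"), "wb") as fh:
        fh.write(b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff<?php /* placeholder */ ?>")
    with open(os.path.join(root, "avatars", "2_ok.gif"), "wb") as fh:
        fh.write(b"GIF89a\x30\x00\x30\x00\x80\x00\x00\xff\xff\xff;")
    for i in range(12):
        name = hashlib.sha256(str(i).encode()).hexdigest()[:32]   # constructed hex-named files
        with open(os.path.join(root, "icons", "32", name), "wb") as fh:
            fh.write(b'<a href="http://example.invalid/">link</a>\n')
    return root


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(kind, paths)
```

Run it against the real document root with scan_tree("/path/to/public_html") and compare the reported files against a clean copy of the same SMF version; the header check deliberately looks only at the first bytes, which is where this thread found the stub, so a stub placed deeper in a file would need a full-file search.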

Offline DirtRider

  • SMF Hero
  • ******
  • Posts: 1,415
  • Gender: Male
  • Just Looking
    • TriumphTalk
Re: Hacked, script injection
« Reply #118 on: May 11, 2009, 06:47:15 AM »
Well, I think if you have this mod it should stop a lot of them coming into your site to start with: http://custom.simplemachines.org/mods/index.php?mod=1547

Offline Relyana

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,994
  • Gender: Female
Re: Hacked, script injection
« Reply #119 on: May 11, 2009, 08:23:52 AM »
A few days before krisbarteo registered I noticed some weird error logs in cPanel (someone was trying on and on to get to files that didn't exist in my account like /chat, /phpchat, /phpmychat, /roundcubemail and so on) so I banned that whole IP range. He came back the next day using another IP (close enough to the banned ones) so I banned that too.

Last night I only found the avatar with the bad code in it but it was enough to convince me to uninstall all mods, remove all files and run the large upgrade script.

Is it true that SMF 2.0 RC1 is not affected by this vulnerability? I was waiting for the stable release but I'm starting to think that it is about time to move on.
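The early warning Relyana describes, a run of "File does not exist" errors for paths like /chat, /phpchat, /phpmychat and /roundcubemail from one client, can be pulled out of the Apache error_log automatically rather than noticed by eye. The following is an added example, not anything from this thread or from cPanel: it parses constructed error_log lines in the standard Apache 2.2 format, counts how many distinct nonexistent paths each client requested, flags clients above a threshold, and groups the flagged addresses by /24 so the admin can see when a second address sits in the same range as an already-banned one. The IP addresses, paths and threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Apache 2.2 error_log line for a request to a path that is not on disk.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d+\.\d+\.\d+\.\d+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# Constructed sample log, not the poster's real cPanel output.
SAMPLE_LOG = """\
[Sun May 10 03:12:45 2009] [error] [client 203.0.113.17] File does not exist: /home/site/public_html/chat
[Sun May 10 03:12:46 2009] [error] [client 203.0.113.17] File does not exist: /home/site/public_html/phpchat
[Sun May 10 03:12:46 2009] [error] [client 203.0.113.17] File does not exist: /home/site/public_html/phpmychat
[Sun May 10 03:12:47 2009] [error] [client 203.0.113.17] File does not exist: /home/site/public_html/roundcubemail
[Sun May 10 09:30:02 2009] [error] [client 198.51.100.5] File does not exist: /home/site/public_html/favicon.ico
[Sun May 10 09:30:03 2009] [notice] caught SIGTERM, shutting down
[Mon May 11 03:20:11 2009] [error] [client 203.0.113.42] File does not exist: /home/site/public_html/webmail
[Mon May 11 03:20:12 2009] [error] [client 203.0.113.42] File does not exist: /home/site/public_html/roundcube
[Mon May 11 03:20:12 2009] [error] [client 203.0.113.42] File does not exist: /home/site/public_html/phpmyadmin
"""


def parse_missing_file_errors(text, docroot_marker="/public_html"):
    """Map client IP -> set of requested paths relative to the document root."""
    probes = defaultdict(set)
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue   # notices, other error kinds and malformed lines are ignored
        path = match.group("path").rsplit(docroot_marker, 1)[-1]
        probes[match.group("ip")].add(path)
    return probes


def flag_probing_clients(probes, min_distinct=3):
    """Clients that asked for at least min_distinct different missing paths (constructed threshold)."""
    return sorted(ip for ip, paths in probes.items() if len(paths) >= min_distinct)


def group_by_slash24(ips):
    """Group addresses by their /24 so a returning neighbour of a banned IP stands out."""
    groups = defaultdict(list)
    for ip in ips:
        groups[".".join(ip.split(".")[:3]) + ".0/24"].append(ip)
    return {net: sorted(members) for net, members in groups.items()}


if __name__ == "__main__":
    probes = parse_missing_file_errors(SAMPLE_LOG)
    flagged = flag_probing_clients(probes)
    for net, members in group_by_slash24(flagged).items():
        print(net, members, [sorted(probes[ip]) for ip in members])
```

A single missing favicon.ico is normal browser behaviour and stays below the threshold; four different application paths from one address within a few seconds is the pattern worth a ban, and the /24 grouping is what makes the second visit from a nearby address visible before it registers an account.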