Nasty, Hidden Virus on Simple Machines

Started by Flavious, October 06, 2011, 04:47:06 PM


Flavious

We had a slightly outdated version of 1.something that got infected with a virus called the Blackhole Exploit. We removed it, upgraded the software to 2, and are continually running malware/virus scanners on our server. It keeps coming up clean. We even tried getting different brands of virus scanners and they come up clean.

However, some users are continually telling me their virus software is going off when visiting the site. Today I had a visitor tell me he plugged in a brand new computer, visited a couple sites fine, hit ours and the virus software went off and crashed his browser, eventually it chewed his hard drive until the machine would no longer run at all.

I'm at a loss here. Not sure what to look for or where. But my server host is now suggesting I go through *every single possible line of code* in the website (Literally millions and millions of lines) to look for something out of the ordinary. Since I don't spend a lot of time looking at simple machines code, I'm not sure I would notice what is out of the ordinary...

Any advice? Ideas? Suggestions?

ziycon

First off, I would suggest trying to restore a clean backup that you know is not infected; if that's not possible, I would suggest backing up the web root directory and database, then clearing all the files from the SMF root directory, uploading a fresh version of the SMF files and seeing if that solves it.

Edit: An afterthought: if you're on shared hosting it could be another hosting account on the server that is infected. I recently saw a very nasty installer virus take hold of a shared hosting environment; it affected multiple hosting accounts until properly removed.

Illori

Have you changed your passwords? I would suggest that, and upload fresh files to override what you have currently. Also I would ask your host if they know how this happened; it may be a server side issue.

Flavious

I did change all the passwords.

I did not do a fresh install - I upgraded from the 1.x to the latest 2.x. Then I customized the interface, so I suppose if I do a fresh install, all that will be lost?

Is it possible it's in the database? If so how in the heck does one check for that.

Did I mention this is a VERY active forum, and I cannot lose the posts that are up there now.

I am on a dedicated server.

Illori

If you upload fresh files you will not lose your members/threads etc. They are in the database, but you would lose your mods to the code, which can be reapplied.

I don't know if a virus can be in the database, but I doubt it is possible.

slumdog10

I had a problem with someone hacking my server, they got into all my sites and infected all my files in each site. In the end my hosting account had to be reset fully to how it was when I first got it. You may have to delete all files on your server. If you have more than one site you should check all the other sites. You should change your FTP passwords and see if that helps.

ApplianceJunk

Quote from: slumdog10 on October 07, 2011, 04:27:41 PM
I had a problem with someone hacking my server, they got into all my sites and infected all my files in each site. In the end my hosting account had to be reset fully to how it was when I first got it. You may have to delete all files on your server. If you have more than one site you should check all the other sites. You should change your FTP passwords and see if that helps.

Who is your host?

ziycon

You could have a 'true' virus like an installer or a rootkit; they can be quite nasty to remove. Have a look at installing and running the below. They're all free and can be removed afterwards.

AVG Free - Anti Virus if you dont already have one
Spybot - Anti spyware
Malwarebytes - Anti spyware

You should always use a few programs, as one alone never removes everything. Keep track of the names of anything they fix/heal or remove.

Flavious

Thanks everyone..

So we do have AVG and I believe another software scanning for stuff, and it comes up with nothing.

This is on a dedicated server, and there is no other sites on the box then this one.

Got an email this AM that one of my users' software detected last week that the site had "MBR viruses" and now he says his "Anti-Malware is catching a Fakesysdef trojan and the PDFjsc.rm exploit virus on every visit." Worse, he says his virus software started popping up *after* I upgraded Simple Machines to 2.0?


How can that be if the software we have on the server says it is clean?

The host is asmallorange.com.

I went through the site and deleted any files and folders that are not being used, and looked through a lot of code, but not all of it... and I don't see anything.

Illori

You have managed hosting? Ask your host to take a look into the issue; that is why you are paying them.

ziycon

If you have managed hosting then by all means get your host involved. Have a look at a program called HijackThis; it will tell you everything you need to know about running processes and services and point you to what could be causing your trouble.

Make sure you empty all temp folders.

Also it's no harm to google the virus/trojan name followed by 'remover', as if it's quite an annoying virus there's most likely a tool that removes it completely.

Let us know how you get on and what your host says.

slumdog10

My host is hosting24.com. I lost all my sites as it was impossible to search which ones had been tampered with.


Flavious

Thanks Ziycon, that gives me something to tell the host to try...

Here's a message I just got from a user. This is what his virus software is telling him:

" Danger: Surf-Shield has detected active threats on this page and has blocked access for your protection.
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: 65.75.175.149/Home/index.php
Name: Blackhole Exploit Kit (type 1889)"

One problem with that: that is NOT the IP of my server or website. What the hell?


ziycon

It looks like the virus is redirecting visitors to a malicious URL. Do a google for 'how to remove black hole exploit' and follow one or two of the results; this should point you in the right direction.

Flavious

We thought we found it. It probably came from not having the simple machines upgraded. We deleted it, did a ton of checking through files for anything that should not be there, and were just starting to feel confident that we killed it. Then some users started reporting that again, their virus software keeps popping up on different parts of the site saying we have a virus, but then it shows the virus on their computer and an IP to another computer (same IP every time).

I'm losing visitors and traffic over this, and now there are people all over Facebook saying "Don't go to that site, it's full of viruses!". Not good.

It only affects SOME IE users.

Hosting company is not helping much. I may need to find a really qualified 3rd party to hunt it down and kill it once and for all. Then I got this email today, as I have another site running vBulletin:

"A recent vBulletin 4 (all versions, Suite & Classic) report indicated that if an installation had been hacked previously, the attacker could hide malicious code to allow a repeated attack. To further strengthen vBulletin's security - additional security checking and query cleaning were added to thwart such attacks."

Is it possible Simple machines has NOT been patched sufficiently to stop this thing?

Please note I did a clean install last week. That stopped it for a few days, then it started up again.

Anyone know of a good 3rd party to help?

Illori

If another application you are running might have been hacked, it is possible they can use that as a backdoor into hacking your other applications. Make sure all apps you use are updated, and check for added files on your server and file last modified date/time.

青山 素子

Keep in mind that sometimes, attackers (automated or manual) will upload scripts on a webserver to allow a backdoor into the system. If you only just did an overwrite of the files and didn't do a full clearing of the website, it is likely that a backdoor script remains. There are two ways to check for this: look at every directory and compare with what should be in there, or do a "scorched earth" re-load. The latter is easier, but requires some preparation.

First, backup your database. It contains all the posts, members, and other forum data. You should be taking backups normally.
Next, if you allow uploads (avatars, attachments), you'll need to backup the attachments directory. If you do make backups of this, you will also need to check it for suspicious files.
Also, grab a copy of the Settings.php file. This holds connection information for your forum to talk to the database. Make sure to open it and check for any suspicious lines of code.

Now that you have the important things, delete the entire SMF directory. When this is done, upload the contents of the SMF install archive. Delete the install.php file and all the .sql files. Upload the backed-up Settings.php. If you made a backup of it, also upload the Attachments directory.

This should give you a stock SMF install with fully clean files.

If you have other website files on your server, you will need to check them in some way or another as well, or you could run into issues again.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
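As an added example (not code from this thread, from Simple Machines, or from any of the posters), here is a small POSIX shell script that does the two checks described above: compare the deployed forum tree against a pristine copy extracted from the SMF install archive to list files that were added or changed, and list files modified in the last few days. The directory names and the two sample trees it builds are constructed for the demo; point the functions at your own clean extract and web root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Simple Machines: compare the
# deployed forum tree against a pristine copy extracted from the SMF install
# archive, and list files that were added or changed. Directory names here are
# assumptions; point the functions at your own paths.

# find_unexpected_files CLEAN_DIR DEPLOYED_DIR
# Prints "added <path>" for files present only in DEPLOYED_DIR and
# "modified <path>" for files whose content differs from CLEAN_DIR.
# Settings.php and the attachments directory are expected to show up here;
# review them by hand rather than overwriting them blindly.
find_unexpected_files() {
    clean="$1"
    deployed="$2"
    ( cd "$deployed" && find . -type f ) | LC_ALL=C sort | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "added $f"
        elif ! cmp -s "$clean/$f" "$deployed/$f"; then
            echo "modified $f"
        fi
    done
}

# recently_modified DIR DAYS
# Lists files under DIR changed within the last DAYS days, which is the
# "file last modified date/time" check suggested in the thread.
recently_modified() {
    find "$1" -type f -mtime "-$2" | LC_ALL=C sort
}

# count_recent DIR DAYS: number of recently modified files, for quick checks
count_recent() {
    recently_modified "$1" "$2" | wc -l | tr -d ' '
}

# demo_scan builds a constructed pair of trees in a temp directory (one stock
# file, one altered file, one planted file in cache/) and runs the comparison.
demo_scan() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/Sources" "$work/deployed/Sources" "$work/deployed/cache"
    printf '<?php // stock\n' > "$work/clean/index.php"
    printf '<?php // stock\n' > "$work/clean/Sources/Load.php"
    printf '<?php // stock\n' > "$work/deployed/index.php"
    printf '<?php // stock\n// extra line\n' > "$work/deployed/Sources/Load.php"
    printf '<?php // unexpected\n' > "$work/deployed/cache/x.php"
    find_unexpected_files "$work/clean" "$work/deployed"
    rm -rf "$work"
}

demo_scan
```

Run it against a fresh extract of the same SMF version you have deployed, and treat every "added" entry outside the attachments directory as something to explain before the site goes back up. The demo prints "modified ./Sources/Load.php" and "added ./cache/x.php"; the unchanged index.php is silent.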


ziycon

It's extreme, but I would recommend backing up all sites and databases and then deleting all sites (flat files), then putting a temporary page in place for all sites. Now get users that are reporting virus warnings to visit this temporary page and see if they get a warning; if so then it's not your websites and the server is infected.

You can then take it from there as the next course of action.

Flavious

Quote from: 青山 素子 on November 01, 2011, 11:52:04 AM
Keep in mind that sometimes, attackers (automated or manual) will upload scripts on a webserver to allow a backdoor into the system. If you only just did an overwrite of the files and didn't do a full clearing of the website, it is likely that a backdoor script remains. There are two ways to check for this: look at every directory and compare with what should be in there, or do a "scorched earth" re-load. The latter is easier, but requires some preparation.

First, backup your database. It contains all the posts, members, and other forum data. You should be taking backups normally.
Next, if you allow uploads (avatars, attachments), you'll need to backup the attachments directory. If you do make backups of this, you will also need to check it for suspicious files.
Also, grab a copy of the Settings.php file. This holds connection information for your forum to talk to the database. Make sure to open it and check for any suspicious lines of code.

Now that you have the important things, delete the entire SMF directory. When this is done, upload the contents of the SMF install archive. Delete the install.php file and all the .sql files. Upload the backed-up Settings.php. If you made a backup of it, also upload the Attachments directory.

This should give you a stock SMF install with fully clean files.

If you have other website files on your server, you will need to check them in some way or another as well, or you could run into issues again.

That's what I did.. but we are still getting the virus warnings... so we've now looked through all the databases, and the only thing we found was a lot of HTML in the Simple Machine DB in the posts. It's an insane amount of posts to check, so it will take a while to see if any of them are malicious.

Sir Osis of Liver


Just a thought, if you can write a script that strips html/php tags and run it on a copy of the database, install the stripped copy, and see if the problem persists, it might tell you something useful.

http://php.net/manual/en/function.strip-tags.php

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters
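As an added example (not code from this thread, from Simple Machines, or from any of the posters), the following POSIX shell script takes the idea above and applies it to a copy of the messages table: scan a mysqldump file for markup that a forum post should never carry (inline frames, script blocks, the usual obfuscation helpers, and links to a bare IP address, since the warnings in this thread pointed at an IP-based URL), then produce a tag-stripped copy and count what survives. The four-row dump, the table name and the column layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Simple Machines: scan a copy
# of the messages table (a mysqldump file) for markup that a forum post should
# never contain, then produce a tag-stripped copy as suggested in the thread
# and show what that does and does not remove. The table and column layout are
# the constructed sample's own assumptions.

# Patterns worth a look in post bodies: inline frames, script blocks, common
# obfuscation helpers, and links to a bare IP address rather than a hostname.
SUSPICIOUS_RE='<iframe|<script|document\.write|eval\(|unescape\(|fromCharCode|https?://[0-9]{1,3}(\.[0-9]{1,3}){3}/'

# scan_posts_dump DUMPFILE: print matching lines with their line numbers
scan_posts_dump() {
    grep -n -i -E "$SUSPICIOUS_RE" "$1" || true
}

# count_suspicious DUMPFILE: number of matching lines (prints 0 when clean)
count_suspicious() {
    grep -c -i -E "$SUSPICIOUS_RE" "$1" || true
}

# strip_tags_copy IN OUT: crude tag stripping for a throwaway copy; it removes
# <...> elements but leaves the text between them, so it is a diagnostic step
# (does the problem go away?), not a cleanup.
strip_tags_copy() {
    sed -E 's/<[^>]*>//g' "$1" > "$2"
}

# demo_scan_dump writes a constructed four-row dump, prints the hits, strips a
# copy, and finally prints "<hits before> <hits after>".
demo_scan_dump() {
    work=$(mktemp -d)
    cat > "$work/messages.sql" <<'EOF'
INSERT INTO `smf_messages` VALUES (1,1,'Hello','Welcome to the board, everyone!');
INSERT INTO `smf_messages` VALUES (2,1,'Re: Hello','Thanks! <b>Glad</b> to be here.');
INSERT INTO `smf_messages` VALUES (3,2,'Tips','<iframe src=\"http://192.0.2.10/x/\" width=\"1\" height=\"1\"></iframe>');
INSERT INTO `smf_messages` VALUES (4,2,'Re: Tips','<script>document.write(unescape(\"%3Cb%3E\"))</script>');
EOF
    scan_posts_dump "$work/messages.sql"
    before=$(count_suspicious "$work/messages.sql")
    strip_tags_copy "$work/messages.sql" "$work/messages.stripped.sql"
    after=$(count_suspicious "$work/messages.stripped.sql")
    rm -rf "$work"
    echo "$before $after"
}

demo_scan_dump
```

On the constructed dump the scan flags rows 3 and 4; after stripping tags the iframe row is clean but the script row still matches on document.write, which is the point of counting twice: stripping tags makes the copy inert for a test install, but the rows that carried the payload still need to be found and reviewed in the real table. Run the scan on a dump, not on the live database, and read the flagged rows before deciding anything.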
