Forum possibly hacked?

Started by prot, October 16, 2008, 10:12:09 PM


prot

I just installed SMF a few days ago and have had hardly any visitors yet, but is it possible that someone has hacked into it already?

I first noticed it when a strange popup window started showing up when I click on any link in the forum or try to navigate anywhere in or out of the site.

It says "Are you sure you want to navigate away from this page?  Attention, you have not completed the virus scan.  Please return to antimalware09.net and download Antimalware scanner.... etc.  Click OK to continue or Cancel to stay on the current page."

This looks suspiciously like some kind of virus.  Plus, anytime my forum loads, I see in the status bar, that it's loading something from that antimalware09.net site as well as trying to contact an IP which resolves to addr.datapoint.ru.

I have no clue what happened.  There's hardly anything on my forum yet.

Anyone have any ideas?

SlammedDime

SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
My Mods
SimpleSEF
Ajax Quick Reply
Sitemap
more...

prot

The main page, which is just a simple html page does the same thing.

That's here:  www.guyzandgalz.com

The forum is here:  www.guyzandgalz.com/forum

SlammedDime

There is some extra javascript in there that definitely shouldn't be. I do think your host/account was compromised, but not through SMF.  They got file level access, and there is no way to do that from SMF.  I would clean your files for SMF, open index.php in the main SMF folder and make sure the very last thing in the file is ?>.  Anything after that should be deleted.  Then I'd contact your host and ask them if anyone else has been affected or if they can pinpoint when it happened.

prot

Thanks for the info.  A couple questions....

When you say my host/account was compromised, you mean they got in through a backdoor somehow through my host provider?

Where is this extra javascript and how can I see it?

And also, is it a bad idea to have a simple html page that serves as an entry page into the forum?  I mean is that less secure than just doing some kind of redirect straight into the forum?

Deprecated

Oh yeah, right there for sure on your top page. Turn off your browser's JavaScript, then view your top page and view source. Here's the start of that line with the hack in it:

<script>function c1058032905m48f7a5c31b79e(m48f7a5c31bb9a){  return (parseInt(m48f7a5c31bb9a,16)); ... ... ...

That's a classic obfuscation technique. It can be reverse engineered but it's a PITA. Hardly worth the trouble. You might want to delete that line and the one at the bottom:

<script>check_content()</script>

Hey man I don't want to alarm you but you had better fix or get rid of that top page right away. It's causing accesses to http:// stat.antimalware09 .net (intentionally broken up). I don't know what that is but it can't be good. I tracked them to Hong Kong.

It also links to http:// 77.221.133.172 which is located in the Russian Federation.

You can have a whole trip around the hacker world just on your one site!


I had a look at your SMF codes and I couldn't find anything out of place. You need to get that top page fixed or gone right away. I don't know what they're doing but it can't be good.

I agree with Slam. I think your hosting account got hacked from some vantage not related to SMF. You aren't one of those people with an easy to remember cPanel password are you?

SlammedDime

The Javascript is on the SMF page as well... it's at the very bottom of the HTML source, which normally indicates the code was injected into index.php at the end of the file.
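SlammedDime's advice earlier in the thread (make sure nothing follows the final ?> in index.php) and the observation just above (the script sits at the very bottom of the HTML source) describe the same tell. The following is an added example, not code from the thread or from SMF: a small Python scanner that flags PHP files with content after their last ?> and HTML files with script blocks after the closing html tag. The sample file contents are constructed.

```python
import re
from pathlib import Path

# Constructed sample file contents (not from the thread): a clean PHP file,
# a PHP file with a script appended after its closing "?>", and an HTML page
# with a script appended after </html>.
SAMPLES = {
    "clean.php": "<?php\necho 'hello';\n?>\n",
    "index.php": "<?php\necho 'hello';\n?>\n"
                 "<script>function c1058(x){return parseInt(x,16);}</script>\n",
    "index.html": "<html><body>hi</body></html>\n<script>check_content()</script>\n",
}

def trailing_php_payload(src: str) -> str:
    """Return whatever follows the last '?>' in a PHP source, minus whitespace.

    PHP echoes anything after the closing tag verbatim, which is why an
    appended <script> shows up at the bottom of every page. Files that omit
    '?>' entirely (the usual style today) yield '' and need a different check,
    and a '?>' inside a string or heredoc can mislead this simple search."""
    idx = src.rfind("?>")
    return "" if idx == -1 else src[idx + 2:].strip()

def scripts_after_html_end(src: str) -> list[str]:
    """Return <script> blocks that appear after the closing </html> tag."""
    idx = src.lower().rfind("</html>")
    if idx == -1:
        return []
    return re.findall(r"<script\b.*?</script>", src[idx:], re.I | re.S)

def scan(files: dict[str, str]) -> dict[str, str]:
    """Map each suspicious file name to the first 60 chars of its trailing payload."""
    findings = {}
    for name, src in files.items():
        if name.endswith(".php"):
            tail = trailing_php_payload(src)
            if tail:
                findings[name] = tail[:60]
        elif name.endswith((".html", ".htm")):
            hits = scripts_after_html_end(src)
            if hits:
                findings[name] = hits[0][:60]
    return findings

def scan_tree(root: Path) -> dict[str, str]:
    """Same check over a real document root (read as text, decode errors replaced)."""
    files = {str(p): p.read_text(errors="replace")
             for p in root.rglob("*") if p.suffix in (".php", ".html", ".htm")}
    return scan(files)

if __name__ == "__main__":
    for name, snippet in scan(SAMPLES).items():
        print(f"{name}: trailing content -> {snippet!r}")
```

Run scan_tree(Path("/path/to/forum")) against a real document root to list every file that carries an appended payload; the snippet printed is a starting point for deciding what to cut, not a full cleanup.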

Deprecated

Nope, I don't get that here:


...
            <br />Theme by <a href="http://www.dzinerstudio.com"><b>DzinerStudio</b></a></span>

<script language="JavaScript" type="text/javascript"><!-- // --><![CDATA[
window.addEventListener("load", smf_codeFix, false);
function smf_codeFix()
{
var codeFix = document.getElementsByTagName ? document.getElementsByTagName("div") : document.all.tags("div");

for (var i = 0; i < codeFix.length; i++)
{
if (codeFix[i].className == "code" && (codeFix[i].scrollWidth > codeFix[i].clientWidth || codeFix[i].clientWidth == 0))
codeFix[i].style.overflow = "scroll";
}
}
// ]]></script>
         </div>
  </div>
       </div>
      </div>
<div id="ajax_in_progress" style="display: none;">Loading...</div>
</div></div></div>
</body></html>


That's all she wrote.

By the way, very nice theme you got there!!! I see it's one from Dziner Studio. Those guys are pretty good and my hat's off to them! :)

SlammedDime

Looks like that one was already removed then.  It was there yesterday.

prot

Okay, I removed all the lines from my index.html and index.php you guys told me to remove and that seems to have fixed it.  Thank you very much for that.

I just got off the phone with my host provider and they said they have no other reports of customers' sites getting hacked and the only IP they saw accessing my control panel is my own IP.  So, they said the only way this could have happened was through the site or by gaining access to files through ftp.

Now, my question is -- should my forum be okay now or do I need to take further action?  Should I check permissions on any files or do anything to make the forum more secure?

SlammedDime

I would change all of your passwords to at least the following guidelines:
Should be at least 8 characters long
Contain at least one letter and one number
Cannot contain the word password
Cannot contain any word from the dictionary
Cannot contain your name, family member names or pet names
Use upper and lowercase characters.
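The password rules in SlammedDime's post, implemented as a checker that reports which of those rules a candidate breaks. This is an added example, not code from the thread or from SMF; the dictionary and the personal-name set are tiny constructed stand-ins for a real word list and the user's own names, and the rules are applied as case-insensitive substring matches.

```python
import re

# Constructed stand-ins (not from the thread): a real deployment would load
# a full word list and the user's own family and pet names here.
DICTIONARY = {"forum", "secret", "welcome", "dragon"}
PERSONAL_NAMES = {"prot", "rex", "smith"}

def password_violations(pw: str, dictionary=DICTIONARY, names=PERSONAL_NAMES) -> list[str]:
    """Return the rules from the post that `pw` breaks; an empty list means it passes."""
    low = pw.lower()
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs at least one letter and one number")
    if "password" in low:
        problems.append("contains the word 'password'")
    # Dictionary and name checks are substring matches, so 'Dragon42!' still fails.
    for word in sorted(dictionary):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    for name in sorted(names):
        if name in low:
            problems.append(f"contains personal name '{name}'")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lower case letters")
    return problems

if __name__ == "__main__":
    for candidate in ("Password1", "Dragon42!", "abc", "xK9#qLm2vT"):
        print(candidate, "->", password_violations(candidate) or "ok")
```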

prot

Oh, I'm obsessed with keeping my passwords unguessable, so I highly doubt they got in by logging in with one of my access accounts.

southernlady

Another thing I would do is use WinSCP as an FTP client. It's far more secure than most FTP clients out there and easier/faster to use. Liz

SlammedDime

FTP is FTP... the data is all transmitted the same way... SFTP of course is quite different, but many hosts do not offer SFTP.

Deprecated

Nothing like a good password. I use random strings of garbage characters including numbers, letters both upper and lower case, punctuation, whatever is allowed.

Glad you're all fixed up OP. C'mon back if you experience further difficulties. :)
