Topic: Hacked, script injection

Ratiomaster
Re: Hacked, script injection
« Reply #340 on: May 26, 2009, 10:27:02 AM »
I used it on my own server :)
Because this hack infects not only the PHP files in the forum directory, but also all PHP files in other directories up to the root, it was not realistic for me to try and clean it by hand.
I've attached cleanup_test.php. This file will only scan all PHP files and report infected files with an "INFECTED" line, without actually removing anything. So you can see whether you are clean or not.

Ratiomaster
Re: Hacked, script injection
« Reply #341 on: May 26, 2009, 10:46:07 AM »
Also, I just noticed Simple Machines released an official cleanup tool in this thread:
http://www.simplemachines.org/community/index.php?topic=313201.0

Keep in mind that it only cleans files in your forum directory. If you want to clean the whole server, then you need to copy
Settings.php, SSI.php and kb_scan.php to your root folder.
Then type http://www.yoursite.com/kb_scan.php in the browser and wait a few minutes :)

I was also clean according to the official tool, so I feel much safer now :)

Good luck.

Ratiomaster
Re: Hacked, script injection
« Reply #342 on: May 26, 2009, 11:07:39 AM »
That's actually an oversight. The whole site is compromised by the attack, not only the forum. I hope they fix it soon.
You can still avoid that check by running the script in the same window (same session) after you have logged into your forum, and then manually changing the URL.

Dzonny
Re: Hacked, script injection
« Reply #343 on: May 26, 2009, 11:12:21 AM »
Thanks for the info, this is a great tool, I'm glad this is released too.. :D

aly22
Re: Hacked, script injection
« Reply #344 on: May 26, 2009, 11:20:47 AM »
Ran cleanup_test.php and it just lists a ton of files. I see no "INFECTED" tag on them, so does that mean I'm clean, or did I do something wrong?

Ratiomaster
Re: Hacked, script injection
« Reply #345 on: May 26, 2009, 11:55:19 AM »
What's cool about Ratiomaster's script is that it can catch any "base64_decode" injection in all directories - am I correct?

You can drop it in any directory and it will search it and all subdirectories.

The official tool is more user-friendly and comprehensive; it looks in 'php', 'phtml' and 'php3' files for the pattern, but it requires that you drop the tool in your forum folder.
It also tries to look for something in the database. It found nothing on my site, which is slightly suspicious, because I didn't touch the database, and if the exploit does change the database, then it means the backdoor is still there...
I don't suggest running the official tool on the whole site (on the forum only it's probably OK), because it can corrupt one of your valid files.
I'd wait until the official team fixes those issues first.

Ratiomaster
Re: Hacked, script injection
« Reply #346 on: May 26, 2009, 11:59:26 AM »
Ran cleanup_test.php and it just lists a ton of files. I see no "INFECTED" tag on them, so does that mean I'm clean, or did I do something wrong?

If you didn't manually clean up the infections, then it definitely means you're not infected. If you cleaned them up before running either tool, it just confirms that you don't have the most obvious traces of it. But considering the sophistication of the exploit, I'm afraid that it installed some backdoors which neither of the tools really cleans.
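A read-only scanner of the kind described in the two posts above, as an added example (it is not cleanup_test.php or kb_scan.php from this thread): it walks every subdirectory, looks only at .php/.phtml/.php3 files, flags lines that feed base64_decode() output to eval() or that decode a long opaque literal, and never writes to any file. The sample tree, the 40-character literal threshold and the function names are constructed assumptions.

```python
"""Read-only scanner for base64_decode() injections in PHP files
(added example, not the thread's cleanup_test.php or kb_scan.php)."""
import os
import re
import tempfile

# Extensions the official tool is said to cover: php, phtml, php3
PHP_EXTENSIONS = {".php", ".phtml", ".php3"}

# Signatures: eval() fed by base64_decode(), or base64_decode() of a long
# opaque literal. The 40-char floor (an assumption) skips short legitimate uses.
PATTERNS = [
    re.compile(r"eval\s*\(.*base64_decode\s*\(", re.I),
    re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I),
]

def is_suspicious_line(line):
    """True if the line matches an injection signature."""
    return any(p.search(line) for p in PATTERNS)

def scan_file(path):
    """Return 1-based numbers of suspicious lines; the file is only read."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [n for n, line in enumerate(fh, 1) if is_suspicious_line(line)]

def scan_tree(root):
    """Map relative path -> suspicious line numbers for every PHP-like file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):          # all subdirectories
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def demo_tree():
    """Constructed sample: clean file, injected file in a subdir, injected .txt."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "forum", "Sources"))
    payload = "<?php eval(base64_decode('" + "QUJD" * 20 + "')); ?>"
    for rel, body in [("index.php", "<?php\necho 'clean';\n"),
                      ("forum/Sources/Load.php", payload + "\n// real code\n"),
                      ("notes.txt", payload + "\n")]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Running `scan_tree` over a real webroot and printing "INFECTED" for each returned path gives the same kind of report cleanup_test.php produces; an empty report means no line matched these signatures, not that the host is clean.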

glennk
Re: Hacked, script injection
« Reply #347 on: May 26, 2009, 03:17:16 PM »
Hi There,

There's quite a lot of topics on this and a lot of posts here. I don't really know where to start. I have (did have) a forum member called Krisbarteo. I have now banned him. I have been experiencing problems for a few weeks. My forum members tell me that their antivirus is warning of problems on the site. Namely:

exploit javascript obfuscation type(501)

j.s.cruzer-c (trj) trojan horse

It appears to have affected a lot of things, even the spellchecker.

It apparently is also present in my Coppermine gallery and my WordPress sites, which are all on the same domain in subfolders.

Can someone advise on what to do? Do I overwrite every file, or is there a simpler solution here?

Many thanks for your time - Glenn

Antechinus
Re: Hacked, script injection
« Reply #348 on: May 26, 2009, 09:17:28 PM »
Grab the cleanup script and run it. http://www.simplemachines.org/community/index.php?topic=313201.0
This one has been looked at by the SMF team. As far as I know Ratiomaster's script has not, so at the moment I'm not in a position to recommend it. However, if other members are getting good results with it, this is a good sign, and we may be able to incorporate the best features of both scripts in one tool.

Fustrate
Re: Hacked, script injection
« Reply #349 on: May 27, 2009, 12:05:17 AM »
FYI, you can change the path to SSI.php at the top of the file in order to use it from a lower directory.

Both Ratiomaster's and my scripts do the same thing for the infected files, but kb_scan.php also scans the database and looks for files such as those that could be added by the exploit. From what I see in cleanup.php, it's safe and should do just as well for any infected files :)
Steven Hoffman
Former Team Member, 2009-2012

Anhinga
Re: Hacked, script injection
« Reply #350 on: May 27, 2009, 12:05:54 AM »
I'm a member of a forum running SMF 1.1.4 where users can upload their own avatars, and krisbarteo is registered there, although as far as I can tell he hasn't attacked it yet. I hope I can get the administrator to delete this guy's account and update the forum.

The forum is http://tyrantkingforums.net/ . I don't see any spam links in the forum's source code; is there anything else I should look for to determine whether he's used this exploit there?

Fustrate
Re: Hacked, script injection
« Reply #351 on: May 27, 2009, 12:06:49 AM »
You should point them towards http://www.simplemachines.org/community/index.php?topic=313201.0 so that they can check everything themselves :)
Steven Hoffman
Former Team Member, 2009-2012

kassie
Re: Hacked, script injection
« Reply #352 on: June 01, 2009, 05:06:24 AM »
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar, from your forum.

Hi, I had this member on my forum, so I deleted them, and all the code that was at the top of the site when in the profile to change themes is now gone. I left my computer for an hour and now I can't see my site any more. I get this message:

"Not Found

The requested URL /smf/index.php was not found on this server."

I've gone into cPanel and all the files are there. I don't have a backup either. What can I do?

JBlaze
Re: Hacked, script injection
« Reply #353 on: June 01, 2009, 05:08:05 AM »
Have you tried using the exploit utility released especially for this hack?

http://www.simplemachines.org/community/index.php?topic=313201.0

kassie
Re: Hacked, script injection
« Reply #354 on: June 01, 2009, 05:26:26 AM »
No, I haven't, thanks.
Oh, can I use that with 1.1.9? I had updated before knowing about this.

JBlaze
Re: Hacked, script injection
« Reply #355 on: June 01, 2009, 05:30:06 AM »
Yes, you can use it on any version from the 1.0.x series or 1.1.x series, as well as 2.0.

kassie
Re: Hacked, script injection
« Reply #356 on: June 01, 2009, 05:30:51 AM »
Thank you JBlaze :)

H
Re: Hacked, script injection
« Reply #357 on: June 01, 2009, 07:57:30 AM »
The hack that caused the issue prompting this topic has been fixed in SMF 1.1.9 and 2.0 RC1-1.

Release announcement: http://www.simplemachines.org/community/index.php?topic=311899.0
Confirm that your site has not been exploited with our scanning tool: http://www.simplemachines.org/community/index.php?topic=313201.0

If you have any further questions or concerns please start a new topic so that we can track individual issues.

Thanks
-H
Former Support Team Lead