Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic


Should I be fairly safe if I have image uploads throughout my site disabled for new registers? I disabled uploads on avatars, the gallery and in the ultimate profile mod for them and I don't allow attachments anymore for storage reasons. Is there anything else I should do as precautions?


I'm a victim too, and took another route in preventing future attacks. First, I didn't have backups so I downloaded and cleaned the files using this Linux bash script with base64_encode as the search term. The script deletes that line entirely, leaving no white space:
find /directory_name '*.php' -type f | while read FILE
sed -i '/base64_decode/ d' "$FILE"

This cleaned everything recursively, but I did have to replace one file that had a legit line with the search term in it (can't remember which one, but you'll know from the error it generates). Then I uploaded the clean files and was back in business. Took about an hour to do all this.

Lastly, the forum I run doesn't have any need to entertain visitors from the RIPE Network where the vast majority of attacks come from, so I added denials for all the RIPE Network IP blocks. Since I've done that, we've been clean and the server log is full of denials from the RIPE geographic area. As an afterthought, I pulled the guys referring link from the log and reported him. Probably spoofed, but who knows, I may just get lucky.

Aleksi "Lex" Kilpinen

I wouldn't really recommend banning the whole RIPE IP area... It is geographically about 25% of the world...
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF


QuoteIt is geographically about 25% of the world...

True - we considered the ramifications, but in the end decided to implement the ban since our forum's subject matter is pretty localized. Not the best choice for everyone I'd venture to say. Draconian measures need to be thought out very carefully as we did.


Quote from: LexArma on May 01, 2009, 12:54:16 PM
Quote from: vHawkeyev on May 01, 2009, 10:47:02 AM
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.

i had this hack but it has not been completed, i managed to ban krisbarteo before he finished the job. i have got a lot  of errors in the log.

the user did upload an avatar but it was not an image. the comment for the avatar was JPEG image data, EXIF standard 2.2, comment: "<?php;$url 'http://wplsat23.n" 

the avatars where in the attachment folder

there was no other SW (that i installed) on the server.

i have put my forum in maintenance mode, although everything still seems to be working alright, as yet i have not started to examine the pages of the forum.


If you get a lot of errors, that's the first sign.

I had 3 errors.
dhah  something
dgobah I think it was and something that looked like it could be a session ID or encryption string.

The avatar starts the chain reaction, if you try to change theme, at least when I tried to, I got a weird error message.

If you check your files you will notice a line on top of most of your php files:
<?php ; /**/ eval(base64_decode('long string here');

If your files doesn't have that string you are most likely alright, however I would pay close attention to error logs, and maybe even to be on the safe side, upload fresh files.

A check towards smf files will give you ?? as version numbers compared to smf original files, so that's another sign of infection as well.


What I had done (perhaps what triggered the infection?)...

Noticed the ad for viagra or something in a post ...
Went and banned the user...(on everything I could)
Removed the post...
Deleted the user... (which also removed the avatar  -  but left the ban in place)
Then, error-log city !

To resolve and protect:
Downloaded the entire site
Removed the injected script from ALL php files (I had some backups)
I have the highest captcha setting, plus added the extra questions
Disabled avatar uploads

Now, clean as a whistle.


Quote from: H on May 06, 2009, 01:13:32 PM
Quote from: MrPhil on May 05, 2009, 11:09:41 PM
Quote from: Tiribulus on May 05, 2009, 06:28:08 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

I don't think that the intent is to ban setting changes and then open up the door... AFAICT, the intent is simply to get all the PHP cruft out of .htaccess and put it all in one place: php.ini. Why not? It's just that people who are used to putting PHP settings into .htaccess need to keep in mind (when giving advice about PHP setting changes) that not everyone can do it that way. Some people even advise changing httpd.conf, but users on shared servers usually can't change it. Some people still tell others to just change all their permissions to 777 when 1) this is hazardous in some cases and 2) some hosts don't permit this. The bottom line is that you can't just say "change this file", but need to couch it in terms of all the possible places that changes could need to be.

Perhaps there should be some place in this community to point users to when they need to make PHP setting changes. It would discuss the different places and different formats they may encounter on different systems. This entry could also discuss using phpinfo() to see if changes "stick". Another entry could discuss proper permissions needed for various SMF functions, and what to do to change permissions.


All your base64_decode are belong to us!

Heh :P
Jason Clemons
Former Team Member 2009 - 2012


So is this Krisbarteo a BOT or a real person? Just curious if the anti-SPAM would have caught this...




Interestingly, I have the Krisbarteo user on a few forums, and he dropped avatars on them, but my forums did not get infected.  I am running the suhosion module for php - were any of the people who did get "hacked" running sohusin?  I have the avatar if anyone is interested.


Quote from: Rumboogy on May 07, 2009, 02:22:41 PM
So is this Krisbarteo a BOT or a real person? Just curious if the anti-SPAM would have caught this...



So far, the only Anti-Spam mod that whill catch him is the Stop Spammer mod as his username, email and IP are reported to the spam blacklist. This mod will catch him if he registers and will prevent posting or anything until admin approval.
Jason Clemons
Former Team Member 2009 - 2012


I had 4 from the 94.142.*.* range to register before this Krisbarteo situation arose. They all had different email addies and IPs, and I believe they were human. They successfully navigated the "are you human" mod, confirmed their email, and then logged on to the forum. Each time, they were online no more than 5 minutes and logged out.
I thought it was odd that I had 4 from the same range in just a few days, and that they left right after logging on. After this thread started, I realized what was going on. As I stated earlier in this thread, I do not allow anyone but admins to upload an avatar or attachment. I beleive this is what prevented mine from being hacked. They are probably all connected to each other in some way or another.
I banned them all, deleted them, and went a step farther.  I banned the range in htaccess. Now if they or another cohort attempts to return, they get a 404 error page instead of the forum.


Quote from: StarWars Fan on May 07, 2009, 05:23:24 PM
Please be advised that this user is also using another alias - something like MagicOPromotion

[email protected]
IP address
Hostname   Not available
Country   Latvia

He tried registering on my forum, but, I don't allow avatar uploads for new users and I deleted him promptly in any event  8)


lots of stuff listed onn that IP there.


Indeed, very busy one that one is. :)


Our forum also got 'f.i.t.a.' by Krisbarteo. I actually manually granted this guy access to our forum, not being made suspicious by his name. If only I had been suspicious, I could have saved myself a lot of time right now during exam period at the university...  >:( Actually I was running 1.1.4, if I'm not mistaken, together with a similarly old version of Joomla. Yes, I know, old, but I was supposed to upgrade this summer, before handing over the admin task to a friend of mine.

Also, in our forum, I found the base-64 at the top, and in many .php and .html files I found malicious links to some russian sites that would invariably infect visiting machines with rootkit.hacktool. I believe my machine now also is infected with it and I haven't had the time to rid it of that.

What did I do:
- delete the whole public_html directory on the server
- uploaded my latest backup dating from december 2007 (!)
- carefully adding files from a backup I took after the virus attack (attachments, avatars, updated code)

The site and forum ran again, but only short time after I got messages on my own machine and from forum members that it was trying to infect machines again.

I just got so angry, after having used so much time on this silly virus, but I just must slay it...

So, I deleted all of my files from the server again. Now for some reason I don't even have public_html left so I will have the web hotel restore it again, so I can once more upload my backup from 2007. This time, I will make sure to upgrade both Joomla and SMF to the newest versions before maticulously putting back files from my infected backup.

By the way, I cannot see that Krisbarteo had uploaded any avatar, strangely enough. Must he have done that, in order to spread the virus onto our site, or could he have done it otherwise? Neither does our forum give users the option of changing the template, it is set on the one I made.

When maticulously putting files back from the infected version, apart from the first line containing the base-64 code, what other code should I be wary about? And are there any files in particular that can make the virus spring up again?


There is a number of forum installations reported to be vulnerable to this hack.

I am not sure, but did I miss official opinion from SMF developers on the problem?



Check with your host about a backup.  Typically the host saves a backup at least once a month, so they may be able to restore your site to a set more recent than 2007.

If you were running 1.1.4, there are a number of ways that you could have been infected. That is why it is critical to keep up to date with security releases.

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."


This has got me pretty nervous.

Also, I found this in my referrer file:
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/
Date and Time : Thursday 07th May 2009 01:33:05 AM

This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.


So did someone come up with a sure fire way to prevent this from working, other than disabling avatar uploads?