Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

san2012

Had the same problem.
What about official answer?

daveaite

I'm screwed. It's only a matter of time before I get hit. Farewell mates. :(

I'll tighten up security as well and make back-ups, but this is just a pain, I have enough coding troubles as is.
The BuyPoe Network!


http://vbsocial.com: Forum Styles for vBulletin and SMF

Tiribulus

Quote from: chrishicks on May 09, 2009, 11:46:37 PM
Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.

I'm just guessing, but I'm betting that the really dangerous ones can learn all they need from the code alone. It's no major feat to get read access to somebody's live files either. Even I know how to do that. Regardless, what are people supposed to do? It's impractical to just not discuss your products in public as I'm sure you realize.

WillyP

Quote from: tjhanes on May 10, 2009, 06:07:37 AM
... however many of my member avatars are still not working. So I am assuming my site must still be affected by that account's attack. Yet I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where I should be looking so that I can attempt to remove them? Or could I have not been attacked (even though he was a member) and my avatar problem caused by something else? Although I find it unlikely because the problems did begin shortly after he was a member.

Thanx.



My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.

In every file, except for the settings file, there was this at the top, starting on the first line:

<?php /**/eval(base64_decode('...=')); ?>
<?php

(Note: there was a very long string of letters and digits in place of the "..." here, which I removed for clarity.)

The avatar used displayed as a 1x1 pixel white dot.

Relyana

Quote from: WillyP on May 10, 2009, 04:49:04 PM

My forum showed no signs of the affliction... a wiki installation on the same domain errored out, that's how I knew there was a problem.


What do you mean by that? He registered on my forum too with both of his nicknames. He only activated one of his accounts and uploaded the fake avatar containing that PHP code, but I can't find anything wrong or weird in any other files (it's 4 a.m. here and I'm still searching). He was active for only 1 minute and 9 seconds.

Wouldn't it be safer for everyone if this topic were in a member-only board? (I guess not... just asking.)

Polymath

Right... In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all named something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this bloke's stuff? Safe to delete?
* I don't suffer from insanity; I enjoy every minute of it. *
F.I.G.J.A.M

cowdude

That's part of the crap I deleted. It had no impact. There is a tool I used that someone referred to on here earlier: ATF-Cleaner @ atribune.org. I kept cleaning my "temp files" out with this before I uploaded anything. It worked!

I have 6 sites tied together on one database.  If it hits one, it nails them all.  I am smarter now than 10 days ago about this stuff.

Just for the record my site is getting as tight as a crabs butt...but for now I am counting on you guys as my "DEPENDS" to help me catch my mistakes!

Thanks everyone I believe I am free of the problem now.

Cowdude
Left or right meet me at THE WATER COOLER to discuss your political views.

Sarge

Quote from: Polymath on May 10, 2009, 09:33:31 PM
Right... In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all named something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this bloke's stuff? Safe to delete?

FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Polymath

Quote from: Sarge
FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

That's nice.
Do I remove the folder called /32 with all that stuff in it? Is it part of this hacker's stuff?

oakview

Wouldn't setting the "Method of registration employed for new members" to "Member Approval" act as a tar pit of sorts? If I understand the setting correctly, the person applying for forum membership cannot do anything until approved by an admin.

If this assumption is correct, then wouldn't this be a solution of sorts for forums that typically see a low volume of membership applications? Ours is low enough to make it feasible to examine the IP and email addresses and cull out anything suspicious, or perhaps send a canned query of sorts to the listed email address.

Thoughts anyone? Even with the IP block bans I have in place, I'm still getting applicants that are very suspicious.

Sarge

Quote from: Polymath on May 10, 2009, 11:08:39 PM
Quote from: Sarge
FCKeditor is not part of SMF. Some mods (TinyPortal, for example) seem to install it.

That's nice.
Do I remove the folder called /32 with all that stuff in it? Is it part of this hacker's stuff?

I'm not sure. But I suggest that you get a backup of that folder (if it's not too large) and then delete it.

However, it's possible that your forum has other problems too... I suggest locking down your site until someone with experience can check it.


Sarge

oakview, Member Approval seems like a good idea, but perhaps it's not enough.

As a precautionary measure, I suggest disabling all kinds of uploads, including avatars. If you choose to let members use external avatars via a URL, make sure that you also disable downloading avatars from that URL (it's in Admin > Attachments and Avatars > Avatars).


thebofh

I moved my attachments directory out of public_html some time ago, would I still be vulnerable? I've just implemented bans on the IP ranges, email addresses & usernames mentioned. I've also locked down the newbies group so that they can't upload anything until they have 11 posts and installed that Stop Spam mod.

Is there anything else I should be doing?

Sarge

If anyone uses TinyPortal or any other mod that allows user uploads, disable those too.


oakview

Quote from: Sarge
As a precautionary measure, I suggest disabling all kinds of uploads...

@Sarge - done! Good advice.

DirtRider

What about if you are running a gallery? :P
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

san2012

Quote from: DirtRider on May 11, 2009, 03:48:01 AM
What about if you are running a gallery? :P
I think it has a vulnerability too, because when I went to other infected sites, whose links I found in my HTML after the <body> tag, on some sites I saw an SMF forum but on others a gallery.

san2012

Quote from: Polymath on May 10, 2009, 09:33:31 PM
Right... In my /FCKeditor/editor/filemanager/browser/default/images/icons there is a folder called /32

with something like 2500 files (no extension) and they are all named something like 26ca85f79bc46b4e6ae3a1f00f679fb3

Are these part of SMF or this bloke's stuff? Safe to delete?
I had the same situation. That's not a part of SMF; those are the hacker's links to other infected sites. But besides deleting this, you should find the avatar with the <?php code in it, style.css.php (it may have another name), and clean every PHP file of the eval(base64_decode( at the top.
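The cleanup the posts above describe (an eval(base64_decode( stub on the first line of every PHP file, plus an uploaded avatar image carrying a <?php tag) can be checked for with a short script. This is an added example, not code from the thread or from SMF; the web root path and the avatar file extensions are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for the two artifacts
# the posts describe and remove the injected first line. Paths and the set of
# image extensions are assumptions.

# List PHP files whose FIRST line carries the eval(base64_decode( stub.
# Only line 1 is checked, matching where the posts say the code was inserted.
find_injected_php() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    if head -n 1 "$f" | grep -q 'eval(base64_decode('; then
      printf '%s\n' "$f"
    fi
  done
}

# List image files (avatar uploads) that contain a PHP open tag anywhere.
# -a makes grep treat the binary image as text so the match is reported.
find_php_in_images() {
  find "$1" -type f \( -name '*.gif' -o -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' \) |
  while IFS= read -r f; do
    if grep -aq '<?php' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Drop line 1 of an injected PHP file, keeping the original as <file>.bak.
# In the injected files the second line is the original "<?php", so the
# file is valid PHP again once the stub line is gone.
strip_injected_line() {
  cp "$1" "$1.bak"
  tail -n +2 "$1.bak" > "$1"
}

# Report both kinds of finding under a web root; returns 1 if anything was found.
scan_webroot() {
  hits=$( { find_injected_php "$1"; find_php_in_images "$1"; } )
  if [ -n "$hits" ]; then
    printf 'Suspicious files under %s:\n%s\n' "$1" "$hits"
    return 1
  fi
  printf 'No injected PHP or PHP-in-image files found under %s\n' "$1"
}

if [ $# -gt 0 ]; then
  scan_webroot "$1"
fi
```

Run it as `sh scan.sh /path/to/public_html`; only delete an avatar after confirming the match is a real PHP tag and not a harmless string inside the image.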

DirtRider

Well I think if you have this mod it should stop a lot of them coming into your site to start with http://custom.simplemachines.org/mods/index.php?mod=1547

Relyana

A few days before krisbarteo registered I noticed some weird error logs in cPanel (someone was trying on and on to get to files that didn't exist in my account, like /chat, /phpchat, /phpmychat, /roundcubemail and so on), so I banned that whole IP range. He came back the next day using another IP (close enough to the banned ones), so I banned that too.

Last night I only found the avatar with the bad code in it but it was enough to convince me to uninstall all mods, remove all files and run the large upgrade script.

Is it true that SMF 2.0 RC1 is not affected by this vulnerability? I was waiting for the stable release, but I'm starting to think that it is about time to move on.