Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


rthrash

We had lots of files deleted, including those outside of the SMF install: anything with "log" contained in it including blog, login, logo, logout...

Aleksi "Lex" Kilpinen

Sounds like a pretty smart hacker, trying to cover up after himself.... ::)
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

cydewaze

Edit: Nevermind.  That line of code is definitely NOT supposed to be there.  Time for a reinstall :(

Niklas_

Quote from: LexArma on May 18, 2009, 08:31:29 AM
The ultimate purpose seems to be linkspam... The hack adds loads of hidden links on your forum....

OK, that's kind of a relief to me because it means that I can get rid of it without having any persistent damage done to my board.

Quote from: JBlaze on May 18, 2009, 08:33:13 AM
So far, all we know as of now is that there is code injected into random, or seemingly random, php files. Also, there have been reports of some database tables getting injected as well.

How do I know if my tables got injected? I have about 300k posts and 3k users; I can't check everything by myself...

Zero_Panzer

I'd like to know too Niklas_ but I'm not sure what to tell you.
BUT!
It also can get to your root site
Say you have www.mysite.com/forums/
If you have any pages (HTML, PHP, etc) make sure you REMOVE THE CODE IN THERE!
If the bot got through to you then it also got to the main site. If not, CHECK TO BE SURE!!!
It got to mine. :( BUT! I have a backup of the mainsite :D


Forum spam problem?
Wiener pill posts got ya down?
Click my signature, I posted some tips that you may find helpful.

Broken Arrow

Lord, I just checked this morning and that code is on every single PHP file. I have Subdreamer for the portal and several WordPress blogs and it's in all of them.

I guess I have to go through each file manually and remove the code.

I did run a virus scan on my whole site and it said it showed no virus but I still don't trust this

Zero_Panzer

Quote from: Broken Arrow on May 18, 2009, 10:01:07 AM
Lord, I just checked this morning and that code is on every single PHP file. I have Subdreamer for the portal and several WordPress blogs and it's in all of them.

I guess I have to go through each file manually and remove the code.

I did run a virus scan on my whole site and it said it showed no virus but I still don't trust this

Someone's using bots to bypass Simple Machines forums and using them and their root sites (www.blah.com, whatever is before /forum/) to create spam or do whatever they want. My site's email was accessed, and be sure to check for NEW files that were created.

I had one called "help.php" created. I know I didn't put it there, and if I went to it, it bypassed my FTP and had a single-page view of everything that was on the site; basically it was a .php version of an FTP page. The only way that I found works to delete it is to open the help.php and use it to remove itself.

Hope this additional information helps.

Also, I looked in my logs (for the emails sent out) and the email address that it used was: [email protected]



Broken Arrow

I don't see a help.php file in my files. But I will go over it and be sure it isn't hidden in some folder I haven't looked in yet

I can't access the admin panel of my Subdreamer section so I am reinstalling those files. I have one WordPress blog that seems to be messed up but the others look ok. For now.


this is truly a mess. I'll be working on this all week I guess

My email seems to be clean..that's a good thing

Niklas_

OK, I did delete (nearly) all of the files on my webspace and uploaded a Backup. (except of htaccess and Settings.php)

Next I created a new backup from my database and was pretty scared because it differed from an old backup by 20MB! (about 1/4) So I compared the two backups, looking only at the differences, using the Linux command line tool diff:
diff -E -b -w -B -a --text --suppress-common-lines *old_backup*.sql *new_backup*.sql > diff.txt


In the end it turned out that most of the differences were error logs. I did not check every other entry, but for the smf_messages entries I did check, I could not find anything that should not be there....

So now I am going to put my forum back online (disabling avatar upload for new members (members that are not in specific groups), disabling new attachments and not allowing members to choose a template other than my default template).

Jorin

Is there any risk that modifications like the smf gallery can be unsafe to use in that way?

jackulator

Got me too - avatars missing. I looked through the php files and they all have the same line at the top now:

<?php /**/eval(base64_decode('................alphanumeric jibberish...............')); ?>

over ELEVEN hours of prank calls done with megaboards like The Jackulator 9000 - with over 12,000 audio files from Jack Nicholson - check 'em out at www.jackulator.com [nofollow]

jackulator

does everyone think this hacker went to a bunch of random SMF sites and did an sql-injection, or might it be possible that the section in admin that gives you updates from SMF was somehow hacked?

every php file on my site has that line in my previous post in it - not just the smf folder, so I don't know...

Aleksi "Lex" Kilpinen

Quote from: jackulator on May 18, 2009, 01:39:09 PM
does everyone think this hacker went to a bunch of random SMF sites and did an sql-injection, or might it be possible that the section in admin that gives you updates from SMF was somehow hacked?
Neither - it has been established here that this was done with a file upload...

jackulator

here's the IP I had for the krisbarteo guy: 94.142.129.147

Is this the same IP everyone else found? If he was dumb enough not to use a proxy, I think a call to his ISP is in order - at the very least...

Aleksi "Lex" Kilpinen


robone

Mine had a link to "Luxorplay" posted in each php file. I checked most of the PHP files, and deleted the links, but I am still finding them in the help files.

From what I understand about C99Shell, once they have access to your site, they can do a bulk add to all the php files. I had a look at the software, because a friend of mine managed to make a copy of it when he was infected, and it is powerful.

I don't think it was included with any upgrade. It gets in via uploaded avatars or attachments. And yes, again from what I understand, they try and see how many sites they can infect, so they identify all the smf sites and hack away.

I would look for the C99shell on your site if you have been hacked, because if you have not found it, it is still there waiting for them to come back. As mentioned previously, I had 2 copies of it on mine. I was happy when I found the 1st one, and almost gave up looking, but then found the next one.

MrPhil

Quote from: robone on May 18, 2009, 02:07:10 PM
I would look for the C99shell on your site, if you have been hacked

I have some custom scripts to scan my site for common hacks (base64, etc.). Is there any consistent pattern that I could look for to detect the C99shell?

robone

I am looking for a script to do exactly that.

I have seen scripts (search google) that look for C99shell and some other names, but, they change the name, so you need a script that will open each php file and check the code.

See http://www.viruslist.com/en/viruses/encyclopedia?virusid=188613

The file is 229051 bytes in size, so you need a script that will search all the files for a php that size


There is another site that may help. http://www.elitehackers.info/forums/showthread.php?t=17712

See post #4

I must admit, I actually do not understand what they are saying

MrPhil

Quote from: robone on May 18, 2009, 02:55:09 PM
The file is 229051 bytes in size, so you need a script that will search all the files for a php that size

That wouldn't be hard to do (ls -alR | grep "229051"), but is it sufficient? Can this malware be trivially changed to be a slightly different size?

Quote
I must admit, I actually do not understand what they are saying

As best I can tell, PHP includes (and presumably requires) can be given a full URL rather than just a local file. In PHP 5 the inclusion of a URL is off by default, but it can be tricked into doing so? Anyway, it's not clear from the post whether this is something that C99shell does, or if it's something that is foisted on SMF's includes. Since SMF doesn't (AFAIK) include as names strings from user input, that shouldn't be a problem. I don't know if it uses a $_GET anywhere to bring in a file name (or URL) to be included -- I don't recall ever seeing such a thing. So, presumably, C99shell is doing this include or require to bring in a URL. Apparently, C99shell has to be "planted" in a separate operation first.
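As an added example that is not part of this thread and not SMF's code, here is a small POSIX shell scanner for the indicators people describe above: the eval(base64_decode( line jackulator found at the top of every PHP file, robone's exact-size hint for C99shell, and Zero_Panzer's advice to look for newly created files. It goes a little beyond MrPhil's ls | grep one-liner by walking the whole tree and matching the injection pattern in the file contents. The script name, the function names and the sample paths in the comments are assumptions; it only reads and lists files and never modifies, deletes or executes anything.

```shell
#!/bin/sh
# scan_php_injection.sh (hypothetical name, added example, not from the thread)
# Read-only checks for the indicators discussed in the thread.

# Print every .php/.htm/.html file under $1 whose source contains
# eval(base64_decode( ; whitespace between the tokens is tolerated,
# so "eval ( base64_decode (" and "/**/eval(base64_decode(" both match.
find_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) \
        -exec grep -lE 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + 2>/dev/null
}

# Number of flagged files under $1 (the pipeline always exits 0).
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# Print every regular file under $1 whose size is exactly $2 bytes
# (robone's 229051-byte hint; see the caveat in the usage note).
find_by_size() {
    find "$1" -type f -size "${2}c"
}

# Print every regular file under $1 modified more recently than the
# reference file $2, e.g. a known-good backup archive you are sure was untouched.
find_newer_than() {
    find "$1" -type f -newer "$2"
}

# Command-line use:  scan_php_injection.sh <webroot> [size_bytes] [reference_file]
# Example (assumed paths): scan_php_injection.sh /var/www 229051 /root/backup.tar.gz
if [ $# -gt 0 ]; then
    echo "== files containing eval(base64_decode( =="
    find_injected "$1"
    if [ -n "$2" ]; then
        echo "== files of exactly $2 bytes =="
        find_by_size "$1" "$2"
    fi
    if [ -n "$3" ]; then
        echo "== files newer than $3 =="
        find_newer_than "$1" "$3"
    fi
    exit 0
fi
```

Two caveats, both raised in the thread: the size match is only useful while the dropped shell is an unmodified copy, since renaming or editing it by a byte defeats the check, and a grep for one eval/base64 pattern will miss other obfuscations. Treat a hit as confirmation that the site was touched and then restore every script from a known-good backup rather than hand-editing files, as Niklas_ did.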

Faded Glory

Quote from: jackulator on May 18, 2009, 01:50:28 PM
here's the IP I had for the krisbarteo guy: 94.142.129.147

is this the same IP everyone else found? if he was dumb enough not to use a proxy I think a call to his ISP is in order - at the very least...

That IP goes back to RIPE. It may as well be a proxy for all the good it does to try to track it. RIPE could care less.
Collection 2 for Spray sig!
