Help with hacked site 2.0 RC3

Started by TeeJay, August 06, 2010, 04:13:31 PM


TeeJay

Yep, I think you guys are right

I tried from my laptop and the link is OK but the Google search re-directs

Thanks for the offer K@

I'll have to speak to the site owners to get their consent so I'll get back to you on it

kat

No problem!

I have a wedding, today, as Paul and Pauline are getting hitched. http://www.simplemachines.org/community/index.php?topic=394626.0;topicseen

So, it might be tomorrow, now. :)

TeeJay

Thanks again for all the input

Is it possible that there is a "conditional redirect" which redirects if the referrer is a search engine, maybe JavaScript somewhere in the files (I don't have an .htaccess file)?

If so, where might I start to look?

TeeJay

Update

I no longer believe it is Google at fault....

It appears as though there may well be a conditional redirect in the scripts somewhere (hopefully K@ can find it)

See here for Google info on the redirects
http://www.google.com/support/forum/p/Webmasters/thread?tid=33d2b7c117f84168&hl=en&search_impression_id=2cc34e43dcfe09d7%3A12a5605b571&search_source=related_question

Also, by using a site checking service, http://www.unmaskparasites.com , I've discovered that there does appear to be a redirect in place to a Russian website which then redirects to alternating malicious pages

Take a look at http://www.unmaskparasites.com and type the url www.lfr-wales.co.uk into the site to be checked and see the results

So having discovered this, can anyone help me find the hacked file?

kat

Found some nasties in ezportal's javascript files.

I'm clearing those out and then I'm gonna dig deeper.

kat

Nope. I can't find anything else and I've been looking for over an hour. :(

In your ezportal directory, there's a file named "jquery-1.2.6.pack0.js".

Take a look at the last line.

I cleaned that out and you'll see the difference between that and "jquery-1.2.6.pack.js", which is the cleaned one.

Look at the difference in the filesizes, too!

Now, if that was my forum, this is what I'd do.

BACKUP FIRST!!

I'd get the full SMF install package and upload all the files, from there, to your site, overwriting what's there, now.

NOT Settings.php or install.php.

That will, without a doubt, screw all of your mods. :(

They'll still be in your Packages directory, though, so you'll just need to reinstall them. :)

Plus, of course, you might need to redo your portal blocks.

TeeJay

Many many many thanks K@

Would you help me by telling me how you tracked that down, as I'd been opening files forever and couldn't see anything (only if it's not too much time for you)

Also, would you have any clues as to how the file became corrupted?

Thanks

kat

Pure luck, for the most part.

That link you posted said to check javascript files and .htaccess files, which is what I started-out with.

When checking the files, I looked for an unfeasibly long line, such as that one.

How did you cop it?

Well, now. That's the question, ain' it?

I really don't have a clue, to be honest.

I'll give the dev team a wave, in case there's an exploit that they could've used.

RC3 is only a Release Candidate, after all.

That's why it's not recommended for "live" sites.

TeeJay

Thanks K@

Query....

You said you had taken the code out of the infected files and renamed them, yet I cannot see the new or old files in the ezportal directory?
I can see them in the backup on my local PC

I have another SMF site at www.vdsr.co.uk which has those exact same files in the ezportal directory with the same contents (letter for letter), yet VDSR doesn't get redirected via the Google link

Are you certain that code was malicious?

kat

That's odd...

Those files aren't there, now.

**Scratches head**

That line was exactly as described in that link you posted.

Quote:
> Another common method is the use of php code or javascript. This code is almost always obfuscated. With php the lines of code typically start out eval(base64_decode(" then a long string of characters. With Joomla check the file includes/defines.php. With javascript you see code like eval(unescape(" or String.fromCharCode( then long strings of character/numbers.
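A small triage script, added here as an example and not code from the thread, that automates the two checks kat describes: flag the obfuscation markers from the quoted help thread and "unfeasibly long" lines, and list lines present in a suspect file but absent from a known-good copy (as was done with jquery-1.2.6.pack0.js versus jquery-1.2.6.pack.js). The sample file contents are constructed, not the real files; the length threshold is an assumption to tune per site.

```python
import re
from pathlib import Path

# Obfuscation markers listed in the Google Webmaster help thread quoted above
OBFUSCATION_MARKERS = ("eval(base64_decode(", "eval(unescape(", "String.fromCharCode(")
# A packed library legitimately has one very long line, so this threshold alone
# gives false positives; pair it with extra_lines() against a pristine copy.
MAX_LINE_LEN = 2000  # assumed threshold, tune per site

def scan_text(text, max_line_len=MAX_LINE_LEN):
    """Return [(line_no, reason)] for lines that look injected."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if len(line) > max_line_len:
            findings.append((no, f"line length {len(line)} > {max_line_len}"))
        for marker in OBFUSCATION_MARKERS:
            if marker in line:
                findings.append((no, f"contains {marker!r}"))
        # Long runs of %XX escapes are the usual payload of eval(unescape(...))
        if re.search(r"(?:%[0-9A-Fa-f]{2}){20,}", line):
            findings.append((no, "long run of %XX escapes"))
    return findings

def extra_lines(clean_text, suspect_text):
    """Lines present in the suspect file but absent from the known-good copy."""
    clean = set(clean_text.splitlines())
    return [l for l in suspect_text.splitlines() if l not in clean]

def scan_tree(root):
    """Walk a web root and report suspicious .js/.php/.htaccess files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in (".js", ".php") or path.name == ".htaccess"):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed samples standing in for the clean packed jQuery and the copy
# with an injected trailing line; these are not the real files.
CLEAN_JS = "eval(function(p,a,c,k,e,r){" + "x" * 30 + "}('...'))\n"
INJECTED_JS = CLEAN_JS + "eval(unescape('" + "%64" * 25 + "'))//" + "y" * 2100 + "\n"

if __name__ == "__main__":
    print("clean   :", scan_text(CLEAN_JS) or "nothing flagged")
    print("suspect :", scan_text(INJECTED_JS))
    print("extra   :", len(extra_lines(CLEAN_JS, INJECTED_JS)), "injected line(s)")
```

Run scan_tree() over a backup copy of the web root rather than the live site, and treat a hit as a reason to diff the file against the distributed package, not as proof of compromise on its own.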

TeeJay

Damn
Looks like I'm going to have to pull both sites down and upload the latest files (after backing up of course)
Then re-install and configure all add-ons

At the moment I've got to guess that it isn't those files at all, as they are identical to the ones on VDSR which doesn't have the same issues
Oddly, though, those files don't appear to be in the downloaded ezportal mod

kat

Yeah, I noticed that, when I downloaded the portal, to compare the files.

I've given the devs a wave, in case this is an exploit, somehow.

Do you know what those files actually are?

If you didn't put them there, maybe that's where the problem was. I mean how they got in?

Maybe there's a security hole in ezportal, rather than SMF.

TeeJay

No idea how the files got in there but here's a list of installed mods...

ezportal
smf classifieds
Uncensored Boards
Recount Member Posts
Global Headers Footers
Annoy User
SMF Trader System
SMF Links
Birthday Posts
Aeva Media

The modified date on the suspect files was 14th March 2010 but most of the installed mods were done long before that

kat

Thanks, for that!

Let's wait for the devs to see the message I left them.

Maybe they can figure this one out.

Tyrsson

k@ you should also point VBgamer to this thread since he is the mod author and may have some insight that could offer a jump on this. Just a thought.
PM at your own risk, some I answer, if they are interesting, some I ignore.

kat

Good finkin'.

'course, it might not be that mod, but it's sure worth checking.

Ta!

Tyrsson

I doubt it's the mod or anything related to SMF; most times with this type of hack it's server-side problems. A lot of times an admin will be hit with a keylogger and then the hacker will have FTP details, which gives them server access; a file can then be uploaded, the file can be run, the encoded code will then include outside files etc etc blah blah.... Not saying that is how this one worked, but it is the most common way.
PM at your own risk, some I answer, if they are interesting, some I ignore.

vbgamer45

I don't include jquery in the latest versions of ezportal and have never used it.
If it is a packed jquery file that would be done to improve performance.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

kat

Ta, VB.

I dunno which version it was.

Were those files in earlier versions? (Just curious)
