this is odd?

Started by blazinchuck, March 14, 2011, 11:10:38 AM

hipneck

I got here by googling on the malware URL, because it was found in a non-Simple Machines page I maintain... BUT Simple Machines is running on a subdomain of the site, on the same box, and I was hit on the same date with the same iframe include.

Might just be coincidence, but I'm wondering if someone found a vulnerability in SM that allowed them access to edit this other (static html) file on the same server.

Arantor

If the file permissions were set wrong, anyone on the server could have modified the files - not necessarily through a direct vulnerability in the software itself.

hipneck

Quote from: Arantor on March 17, 2011, 12:40:19 PM
If the file permissions were set wrong, anyone on the server could have modified the files - not necessarily through a direct vulnerability in the software itself.
The file in question is set to 644, but it is a shared server.

Arantor

And it's not like some hacks reset file permissions afterwards or anything... ;)

hipneck

Sorry, I didn't mean to say that SM was the weakness, or even the most likely candidate, but it's worth keeping an eye out for similar incidents, because the inserted code and the date of the breach were exactly the same on my site as on the OP's, we both have SM running, and the permissions on the file in question have always been 644.

If I saw a 3rd report of the same malicious iframe insertion on a server running SM, I'd be concerned...
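
An added example (not part of any post in this thread, and not SMF code): a small audit for the situation discussed above, a mode-644 page on a shared server that gained an iframe. It goes slightly beyond the thread by also flagging group/other-writable directories, and it searches web files for an iframe with an absolute URL; the function names, the sample tree and the example.invalid URL are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic marker: an <iframe> whose src is an absolute http(s) URL.
IFRAME_RE = re.compile(rb"<iframe[^>]+src\s*=\s*[\"']?https?://", re.I)
WEB_EXT = (".html", ".htm", ".php", ".js")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other

def audit_docroot(root):
    """Return sorted (path, issue) pairs for loose modes and iframe markers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Write access to a directory allows creating files in it and,
        # without the sticky bit, replacing a 644 file that lives there.
        if os.stat(dirpath).st_mode & LOOSE:
            findings.append((dirpath, "dir writable by group/other"))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if st.st_mode & LOOSE:
                findings.append((path, "file writable by group/other"))
            if name.lower().endswith(WEB_EXT):
                with open(path, "rb") as fh:
                    if IFRAME_RE.search(fh.read()):
                        findings.append((path, "iframe with absolute src"))
    return sorted(findings)

def build_sample(root):
    """Constructed tree: a clean 644 page and a tampered 644 page in a 777 dir."""
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "uploads"))
    bad = b'<html><iframe src="http://example.invalid/x"></iframe></html>'
    for rel, body in (("index.html", b"<html>hello</html>"), ("uploads/page.html", bad)):
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "uploads"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, issue in audit_docroot(tmp):
            print(f"{issue}: {path}")
```

An iframe hit is only a lead to review by hand, since legitimate pages embed frames too.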

busterone

The Google results that I actually read said that code was inserted into WordPress sites.
