
Forum hacked

Started by amko_sa, April 06, 2011, 02:21:20 PM


amko_sa

Hi all,

I use SMF 2 RC4 with Simple Portal. My hosting has SQL, PHP ... up to date.

My forum was hacked and I don't know how.
I host two sites on my hosting. One is SMF and the other is WP.
A few days ago I used an XHTML validator and found this error:

<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=...........">

On every index.php file I found this code at the end.
First I manually deleted every such line from my index files, but in my hosting control panel I found many errors in the Apache handler. After that I deleted all files from public_html and copied in clean backup files (one month old), and I thought it was okay. I deleted WordPress completely, along with its SQL database, because I was using WP only for testing. After that I found strange links in Google Webmaster Tools, but with 404 errors.

In my hosting cPanel .log folder I found a huge number of HTML files with spam links (with my domain name) that Google now crawls.
I deleted all of those files and searched for other suspicious stuff, but everything seems OK.
I scanned my forum with many online security scan sites and my site is clean (also with kb_scan.php).
At the beginning of my problem I changed all hosting and forum passwords.

I now have a problem with Google. Only Google, in Webmaster Tools, crawls spam links (1000 links), and today Google sent me a warning for that. Every link has a 404 error and I don't know what to do.

The problem happened this week. I do not know why Google's crawl doesn't stop, or whether it needs some time to stop.
Has someone had a similar problem?

SlammedDime

It is possible that when you wiped your site clean and restored a backup, Google just happened to be crawling your site, and thus got 404s on everything...

Some specific links that google says are 404 would help troubleshoot...
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
My Mods: SimpleSEF, Ajax Quick Reply, Sitemap, more...

amko_sa

Quote from: SlammedDime on April 06, 2011, 03:14:13 PM
It is possible that when you wiped your site clean and restored a backup, Google just happened to be crawling your site, and thus got 404s on everything...

Some specific links that google says are 404 would help troubleshoot...

Maybe for links that are really from my topics, but the links that Google crawls now are spam links that don't work (404) and that were generated by some kind of virus. Every link begins the same way, for example:

www.mysite.com/14.php?.....xxx blog or something else.

I don't have a 14.php file anywhere in cPanel.

Only one place in my cPanel had those links: the .log folder (777) (a huge number of HTML files).

An example name of one of the .log folder files: index.html7
When I open that file, I see many links with 14.php at the end of my site URL. I deleted all of those files from the log folder after three days (when I found them).

SlammedDime

If you don't have the files that google is throwing a 404 on, then don't worry about them, they'll weed their way out of the system.

AsYlum-

It is quite possible that your FTP account data has been compromised.

So first of all: change your FTP username and password ;) A few years ago I had a similar problem with some kind of trojan that got my user/pass for the FTP site and started adding weird spam links to index.*, main* and similar files.

amko_sa

I've changed all passwords. I hope that Google stops indexing more bad links from my site, because that way I would know that everything is OK. I've restored the files and other stuff, but I'm still a little suspicious :o .

busterone

I would also check your WP installation. You did not state what version you are using, but there have been several WP exploits in the past. If they can get in through WP, they will get to SMF as well.

amko_sa

I deleted WP entirely (all files and the SQL database). Can I check my SMF SQL database with some tool?

ukna

Consider your FTP passwords stolen; it has nothing to do with SMF.

Likely cause:
-----------------------------------------------------------------------------------
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Delete on reboot.
c:\documents and settings\administrator\my documents\downloads\messenger.exe (Trojan.Dropper) -> Quarantine and delete
c:\documents and settings\administrator\local settings\temp\ym3e3iala.exe (Malware.Packer) -> Quarantine and delete
c:\documents and settings\administrator\local settings\temp\_CA.tmp (Trojan.Dropper) -> Quarantine and delete
c:\WINDOWS\system32\crt.dat (Malware.Trace) -> Quarantine and delete
c:\WINDOWS\system32\cryptnet32.dll (Trojan.Tracur) -> Delete on reboot.
-----------------------------------------------------------------------------------

A client of mine had the same.

Do a malware scan and do not use CuteFTP or any other popular FTP program. All the passwords you had are now stolen. Clean your PC, request new FTP passwords for all your sites, and use KeePass to store them.

Files known to be infected:
------------
n.php
/.log/ - this folder is sometimes created; delete it.
.htaccess will be overwritten; check it.
Check every index.php and .html file for the img tag.
------------

Grep:
----------------------
'imgaaa.net/t.php'
'eval(gzuncompress('
----------------------

Attack log example:
----------------------
91.200.240.10 - - [02/Apr/2011:05:30:48 +0200] "GET /11.php?q=alcobro

This IP is used to monitor activity; it's probably also hacked.

I wrote a tool to find and fix (use at your own risk!)


<?php

$log = "";

function fixcryptnet($start_dir)
{
    global $log; // without this the function wrote to a local $log ("Undefined variable: log")

    // Matches anywhere in the path, as in the original, so index.html7-style spam pages are included too.
    $file_type = '/(\.php|\.html|\.htm)/';

    $dirlist = opendir($start_dir);
    if ($dirlist === false) {
        $log .= $start_dir . " COULD NOT OPEN\r\n";
        return false;
    }
    while (($file = readdir($dirlist)) !== false) {
        if ($file == '.' || $file == '..') {
            continue;
        }
        $newpath = $start_dir . '/' . $file;
        if (is_dir($newpath)) {
            fixcryptnet($newpath);
            continue;
        }
        if (!preg_match($file_type, $newpath)) {
            continue;
        }
        if (filesize($newpath) == 0) {
            continue; // fread() with length 0 only emits a warning; nothing to clean
        }

        $fh = fopen($newpath, 'r');
        $inputline = fread($fh, filesize($newpath));
        fclose($fh);

        if (stristr($inputline, 'eval(gzuncompress(') !== FALSE) {
            unlink($newpath); // remove the n files!
            $log .= $newpath . " REMOVED! \r\n";
            continue; // do not fall through to the rewrite step with a stale $count
        }

        $count = 0;
        $inputline = preg_replace('/<img heigth="1" width="1" border="0" src="http:\/\/imgaaa.net\/t.php\?id=.*?">/', '', $inputline, -1, $count);
        if ($count) {
            $fh = fopen($newpath, 'w');
            fwrite($fh, $inputline);
            fclose($fh);
            $log .= $newpath . " EDITED\r\n";
        }
    }

    closedir($dirlist);
    return true;
}

fixcryptnet('./test');  // provide start folder, no trail slash!
echo $log;              // list of removed / edited files

?>
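A read-only triage pass over the indicators ukna lists above (tracking pixel, eval(gzuncompress( loaders, n.php and the numbered scripts such as 14.php/11.php from the spam URLs, the /.log/ folder, and .htaccess), added here as an example and not part of ukna's tool or the thread. It deletes nothing; it builds a constructed sample tree under a temp directory (every path and file body is made up), and the only assumption beyond the thread is that .htaccess is flagged for manual review because the thread does not show what the overwritten file contained.

```sh
#!/bin/sh
# Read-only triage for the indicators ukna lists: nothing is deleted, every hit
# is printed as "<KIND> <path>" for review before any cleanup. The sample tree
# below is constructed for the demo; pass the real public_html to scan_webroot.

make_sample_tree() {
    mkdir -p "$1/forum/Themes" "$1/.log"
    # index file with the 1x1 tracking image appended (constructed id value)
    printf '<?php echo "hi"; ?>\n<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=CONSTRUCTED">\n' > "$1/index.php"
    # dropped loader, matching the thread's grep string (constructed payload)
    printf '<?php eval(gzuncompress(base64_decode("CONSTRUCTED"))); ?>\n' > "$1/forum/n.php"
    printf '<?php echo "clean"; ?>\n' > "$1/forum/Themes/index.php"
    : > "$1/forum/empty.php"                 # zero-length file, the case that tripped fread()
    printf 'spam <a href="/14.php?q=x">x</a>\n' > "$1/.log/index.html7"
    printf 'Options -Indexes\n' > "$1/.htaccess"
}

scan_webroot() {
    root="$1"
    # 1. tracking pixel in any .php/.html/.htm file
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -l 'imgaaa.net/t.php' {} + 2>/dev/null | sed 's/^/IMG_TAG /'
    # 2. packed eval loaders (the thread's second grep string)
    find "$root" -type f -name '*.php' \
        -exec grep -l 'eval(gzuncompress(' {} + 2>/dev/null | sed 's/^/EVAL_LOADER /'
    # 3. script names from the thread: n.php and the numbered 14.php/11.php style
    find "$root" -type f \( -name 'n.php' -o -name '[0-9]*.php' \) \
        | grep -E '/(n|[0-9]+)\.php$' | sed 's/^/DROPPED_SCRIPT /'
    # 4. the /.log/ folder full of generated spam pages
    find "$root" -type d -name '.log' | sed 's/^/SPAM_DIR /'
    # 5. .htaccess is overwritten per the thread; its contents are not shown
    #    there, so it is only flagged for manual review (assumption)
    find "$root" -type f -name '.htaccess' | sed 's/^/REVIEW_HTACCESS /'
}

ROOT="$(mktemp -d)"
make_sample_tree "$ROOT"
scan_webroot "$ROOT"
```

To use it on a live site, call scan_webroot /path/to/public_html instead of the sample tree and review each reported path before removing anything.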


zaks_bg

Hi Ukna,

Thanks for the script, although when I run it, it gives me:

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Notice: Undefined variable: log in /home/slayer/public_html/fix-1.php on line 23

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /home/slayer/public_html/fix-1.php on line 19

----
Could you please let me know what parameter to use to receive the log of which files the malicious code was detected in.

Also I have this line like:
fixcryptnet('./');  // provide start folder, no trail slash!

to ensure all dirs are checked.

Thanks.
