Security issue?

Started by oOo--STAR--oOo, September 04, 2011, 10:46:21 PM


oOo--STAR--oOo

I think there is a security issue somewhere in my forums..

I need help with this as I have no answers to the activity..

O.k. First off, someone has managed to access the Admin account and modify a board.
Now the only log of this is in the administration log, which shows some Russian Federation IP address.
Also there are logs showing failed login attempts from this ID.. The only logs on the forums of this IP and of this board being edited are in the administrator logs.

Now I did not edit this board. Plus I know that it has been edited because when you save the edits, it resets permissions.
I looked, they were all reset!

On my ID there is no record of this IP at all.. If they logged in I am sure I would see their IP on my profile.
This is only logged on them being able to successfully modify a board.

Also there were some files being asked for named Java.jar which came up with Authentication Error, unknown publisher.
I found these files in my root folder and deleted them instantly..
How were these scripts being asked to execute just by being in the Main DIR when I clicked to go to the forum???
I do not see any edits to any of the php scripts.

There is some very suspicious activity going on and unfortunately I dunno how any of it happened.

Are there any vulnerabilities so people can do this/edit boards?




You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Aleksi "Lex" Kilpinen

Assuming you were using an up to date version of SMF, the most common cause of stuff like this would be a compromised server, or a virus infected computer used by someone with FTP access to your account, or other vulnerable software on your hosting account - not directly through SMF.

There is no way I can think of that SMF could be used to upload files directly to its root either; attachments are uploaded to a folder of their own, as are avatars, and mods and themes would need admin access already for someone to be able to upload them, and there are no other uploads in SMF that I know of.

If you have access to your server's logs, you might want to check them for suspicious activity, and contact your host - they might be able to help you find out what happened.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

oOo--STAR--oOo

Indeed there is some suspicious activity and the logs are not showing anything.
It is a VPS so I have looked everywhere for traces.. I can't seem to find anything..

The 2 things that puzzle me are how come their IP is shown as modifying this board and shows they failed a few login attempts,
but there is no log of this IP on my profile.. Surely if they logged in their IP would be on track user?

The forum logs show they edited this board a few days ago.. The file came up today..
Now if they had this much access as to being able to compromise the server.. Would they just wipe it out completely?

Also how come SMF is trying to execute this .jar anyway?
It was only being requested to run when we click on forums because we have a portal.
I have checked sources and themes, the obvious places, and zero scripts have been edited, so it puzzles me what even allows it to execute?

Now the actual Jar file I don't think it did anything.. As the user had to run and ignore the UNKNOWN publisher issue.
Yes I am fully up to date with SMF, recently did the FULL update.

There are FTP logs with the same IP showing they have logged into FTP, is this through SMF?
Reason I am saying that is because the pw's are totally different from the forum to FTP.

Now no damage has happened, this is very strange and I seriously cannot find an answer..
I don't want to have to deal with someone who has inside access to the server and I have no idea how.

Aleksi "Lex" Kilpinen

Check all the board titles and descriptions - there might be something hidden in them.

Also make sure to run a full antivirus scan on your own computer! This all sounds vaguely familiar, and if I remember correctly, similar attacks have been made in the past using passwords and usernames saved or used on an infected computer.

SMF has no real FTP client in it, so most probably the FTP logs have nothing to do with SMF, and someone has actually used your FTP login.
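The suggestion above to check board titles and descriptions for something hidden can be turned into a repeatable check. The script below is an added example, not SMF code or anything posted in this thread: it scans board name/description rows (assumed to come from SMF's boards table, columns id_board, name, description) for markup that has no place there, such as applet/iframe/script tags, event handlers, .jar references and zero-size or hidden elements. The sample rows are constructed for the example.

```python
import html
import re

# Markup that has no legitimate place in a board name or description.
SUSPICIOUS_TAG = re.compile(
    r"<\s*(script|iframe|applet|embed|object|frame|meta|link|style)\b", re.I)
# Event handlers, javascript: URLs and references to .jar archives.
SUSPICIOUS_ATTR = re.compile(
    r"\bon[a-z]+\s*=|javascript\s*:|\.jar\b|\barchive\s*=", re.I)
# Zero-size or hidden elements are the usual way to keep an injection out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b", re.I)


def scan_field(text):
    """Return the reasons one stored field looks tampered with (empty list if clean)."""
    # Unescape first so entity-encoded markup (&lt;iframe&gt;) is caught as well.
    decoded = html.unescape(text or "")
    reasons = []
    for label, pattern in (("suspicious tag", SUSPICIOUS_TAG),
                           ("suspicious attribute", SUSPICIOUS_ATTR),
                           ("hidden element", HIDDEN_STYLE)):
        match = pattern.search(decoded)
        if match:
            reasons.append(f"{label}: {match.group(0)!r}")
    return reasons


def scan_boards(boards):
    """boards: iterable of (id_board, name, description) rows; returns a list of findings."""
    findings = []
    for id_board, name, description in boards:
        for field, value in (("name", name), ("description", description)):
            reasons = scan_field(value)
            if reasons:
                findings.append({"id_board": id_board, "field": field, "reasons": reasons})
    return findings


# Constructed sample rows standing in for: SELECT id_board, name, description FROM smf_boards
SAMPLE_BOARDS = [
    (1, "General Discussion", "Talk about <b>anything</b> here."),
    (2, "Support", "Help with the site.<applet code=\"Main.class\" archive=\"Java.jar\""
                   " width=\"0\" height=\"0\"></applet>"),
    (3, "News", "Site news &lt;iframe src=\"http://example.invalid/x\""
                " style=\"display:none\"&gt;&lt;/iframe&gt;"),
]

if __name__ == "__main__":
    for finding in scan_boards(SAMPLE_BOARDS):
        print(f"board {finding['id_board']} ({finding['field']}): "
              + "; ".join(finding["reasons"]))
```

On a live install, feed the function the real rows and review every hit by hand; the patterns are deliberately broad, so expect the odd false positive on descriptions that legitimately use inline styling.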

oOo--STAR--oOo

Thanks for your suggestion Alex..

I have already covered these motions and steps, I use the best you can get when it comes to protecting myself from this kind of thing.
I use ESET Smart Security with Spybot Search and Destroy, Malwarebytes Anti-Malware and CCleaner.

My computer is 100% clean as I know all processes and services that are running off this machine.
Just driving me a lil crazy as to HOW this has happened..

In the mean time I have done the obvious things.. Changed all PW's and also the ports..
Now in my ftp log there was not much activity from this IP address.
Very little.. Also they seemed to have got the login there correct instantly, IE Username and PW.
Getting that right instantly when the forum and FTP are 2 completely different things is why I kinda look back on SMF.
Times match up from when this board was edited.

I checked the board in SQL and in Admin.. There is nothing changed.. Just the fact someone has edited. I mean it's completely untouched.
Just the fact that if the board is edited one of the mods I use resets permissions, and they were reset, confirms that it has actually been edited and the log is 100% correct.

I'm a lil stuck and a lil worried about the security of the VPS.
There are a few things that shouldn't happen under normal circumstances, like jar files being executed but nothing telling them to..

I appreciate all feedback and support.. I do try to learn on my own and I have grasped a lot of information lately..
I am still learning.

Aleksi "Lex" Kilpinen

SMF may hold your FTP login, but doesn't save your FTP passwords, so it shouldn't be possible to grab them from SMF.

EDIT:
Was the board edited once or more times according to your logs?

oOo--STAR--oOo

The board was edited about 7 times.. Yet I see no changes..

Also I would just like to add.. I have actually been going through my protection again.. It seems that Malwarebytes has banned the SAME IP address as a malicious website.

From chrome.exe. Seems something has embedded itself in there...
I have not seen this before.. I have no idea how it got there... I wonder why ESET never caught this GRRR.

SO basically I have a keylogger in chrome.

I have attached an image of what I got.

Aleksi "Lex" Kilpinen

It might be that you don't see the changes because they are no longer there, they might have been used as part of the attack, and then cleaned to avoid suspicion.

And yes, I repeat that you might want to try and really make sure your computer is clean.

There are some trustworthy online security tools, and other alternatives to try instead of your main product. Some viruses can even stop installed antivirus tools from working correctly.

oOo--STAR--oOo

Quote from: Aleksi "Lex" Kilpinen on September 05, 2011, 01:50:25 AM
It might be that you don't see the changes because they are no longer there, they might have been used as part of the attack, and then cleaned to avoid suspicion.

And yes, I repeat that you might want to try and really make sure your computer is clean.

There are some trustworthy online security tools, and other alternatives to try instead of your main product. Some viruses can even stop installed antivirus tools from working correctly.

This one seems pretty clever.. Considering I have nothing installed in chrome, it's just bog standard..
I don't usually bother with plugins and the usual business and always make sure I have toolbars unchecked when installing new things.
I thought ESET was the best.. Many geeks tell me this lol.

Now seems like I have to remove chrome and re-install..
What I wanna know is how it got there?

I keep receiving this error all the time now in Malwarebytes now that I actually have it running with google open.
Thanks for your feedback and posts.. It has really helped me..

Now I have to defeat this object :(

I'm happy there is no destruction and I think the java file that was placed on the server is not harmful..
But then again I don't know.. I did scan the file, came up clean.. I have removed it though now..
In case it did have anything.

I have checked in FTP and file managers to see if any php scripts have been edited.
They haven't been edited..

Well not the obvious locations like sources and themes.

I think it's time to use a different browser.. I ain't chancing being hacked.

EDIT: Time to get wireshark out and see exactly what this is sending..

Aleksi "Lex" Kilpinen

You might want to try uninstalling ESET temporarily, replace it with some other antivirus software, and run a full system scan on your computer.

For example you can get a 30 day trial of F-Secure for free.
http://www.f-secure.com/en/web/home_global/protection/internet-security/trial

I've used F-secure for years with little to no trouble at all.

F-Secure also has an online scanner, if you wish to test it out
http://www.f-secure.com/en/web/home_global/protection/free-online-tools/free-online-tools

oOo--STAR--oOo

I think this is a bigger issue than it looks..
My friend also has the bug.. :(

I have gone into wireshark to see what is going on there, I have a UDP for
tebs01.sytes.net
from that IP address.

Do you think there is something on my server now?
I checked all logs, they have only accessed FTP.. No SSH or anything.

EDIT: Is there any way I can check my website for viruses.. I am sure they would be detected by something?
Can there be something on my site that causes this?
I am really worried as he is getting the same error in Malwarebytes.. This is the exact same account that logged into both FTP and the forum.

Aleksi "Lex" Kilpinen

Yes, if they have already gained access to your server account - there might be something hidden in there somewhere.

You may or may not have some sort of virus scanner in your hosting account, failing that you might ask your host if they can scan your account - or you could take local copies of your files on server, and scan them yourself. Mind you though, that depending on what it is doing and what is there, it might not show up in a scan.

oOo--STAR--oOo

O.k. this is bad :(

3 people now have the same virus on their machines within google chrome.
Now the jar file was uploaded yesterday and google chrome was exploited on the 3rd,
as my exe shows me and the files that it's executing.

Now there was a file in roaming that was starting at windows startup with the name
v1009.exe pretending to be owned by google.
Also where google was installed it showed old_chrome.exe. Strange heh..

I have removed chrome, I will not be returning to it.

Now I do not think this has gotten on their computers through Uniquez due to the fact of files being uploaded and the day google decided to attack me..
with this fake google.exe process, and it was a day later they got my keylog information to upload them files to the server...

How would that latch onto everyone else.. Since it was a jar that didn't execute because of security warnings.

Seems like a global issue.. I cannot find answers online anywhere.. I am afraid of my members being attacked.

Aleksi "Lex" Kilpinen

If we assume that whatever it is placed that .jar in there, we can safely assume that .jar also plays a part in the attack. No one would place a safe meaningless file on your server for nothing.

You could extract the .jar file ( for example using 7zip ) and see what it holds really.

oOo--STAR--oOo

Quote from: Aleksi "Lex" Kilpinen on September 05, 2011, 04:56:28 AM
If we assume that whatever it is placed that .jar in there, we can safely assume that .jar also plays a part in the attack. No one would place a safe meaningless file on your server for nothing.

You could extract the .jar file ( for example using 7zip ) and see what it holds really.

I understand you there.. But my google was compromised a day before the server, the new files in roaming were created on the 3rd..
Files put on the 4th. So the keylogger has come from somewhere else, but amazing how all 3 of us have it.
So that adds up.. Meaning I was keylogged through google, they got my server login as I did login that day.
Then they put the jar file on the server. I found them literally within 1 hr and removed them.

I don't have the jar file no more.. I deleted it right off.

I have just installed chrome after removing all things connected and uninstalling fully...

Browsing website.... Nothing there.. It's not done anything.. No spyware/malware AT all..  All seems clean.. Even with restarts and what not.
So there is another source to where this keylogger is coming from.

I do not understand this...  I no longer trust google. I think this is a bigger issue than it looks, how can 3 people have the same virus?

And thank you very much for your response and feedback, it's been very helpful to me.. It's annoying when you don't know anything yet you feel you could be liable for something bad.

Angelina Belle

Are you still having this problem? Have you reported it to SMF security?
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor

oOo--STAR--oOo

There is an issue I do have though, because of this issue it seems that just having ANY virus protection open doesn't prevent you from being attacked.

I now use Malwarebytes and use their protection with my normal antivirus, which blocks these outgoing connections.
Now when browsing my own website.. I do not see BLOCKED IP port 56787 or whatever random port they usually are.

But browsing This forum I get loads of blocked IP's.. Something trying to send an outgoing connection..
Also this is within the chrome browser.

I do not think that whatever is doing this is out to cause any harm to people but to plant seeds.. What they want, not sure.
Information maybe?

Angelina Belle

Have you changed your FTP password? Have you changed your SMF password?

Angelina Belle

What about the database password? If someone has gained FTP access, they can easily get your settings.php file, and get into your database.
They can even change board titles directly in the database, without using SMF.

They could even have done this by uploading some other file, or by modifying some other file to give them admin-like access -- without having to make them admin.

It is hard to understand what is going on.

Have you tried one of the online website virus scanners?

oOo--STAR--oOo

Quote from: AngelinaBelle on September 28, 2011, 01:47:34 PM
What about the database password? If someone has gained FTP access, they can easily get your settings.php file, and get into your database.
They can even change board titles directly in the database, without using SMF.

They could even have done this by uploading some other file, or by modifying some other file to give them admin-like access -- without having to make them admin.

It is hard to understand what is going on.

Have you tried one of the online website virus scanners?

Hey,

Yeah all passwords have been rotated since this incident.
I don't have any problems no more..

Scanned with this http://www.avg.com.au/resources/web-page-scanner/

I mean, when browsing this forum as in Simplemachines.. In some topics, maybe due to adverts or attachments / images,
Malwarebytes starts blocking outgoing connections on some topics, while browsing in google chrome.

Is Google chrome really a security issue? Does it allow people to do activities that other browsers don't?