Nasty, Hidden Virus on Simple Machines

Started by Flavious, October 06, 2011, 04:47:06 PM

青山 素子

Quote from: Flavious on November 01, 2011, 02:23:17 PM
That's what I did.. but we are still getting the virus warnings... so we've now looked through all the databases, and the only thing we found was a lot of HTML in the Simple Machine DB in the posts. It's an insane amount of posts to check, so it will take a while to see if any of them are malicious.

What's one of the links causing the issue?

Normally, SMF won't print raw HTML from database posts.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


ziycon

Try using something like the query below first to get an idea of how many posts there are; you may be able to fix them manually. If the HTML tags are using BBCode, change the brackets to square ones.
SELECT id_msg, body FROM <prefix>_messages WHERE body LIKE '%<html%</html>%';

Flavious

Still looking through the DB - thanks for all the suggestions/help!


Flavious

Also, I've been in contact with AVG as most users complaining of the issue appear to be using this as their virus protection software. Here's their official response:

"Please accept our apologies due to the inconvenience caused in regard to the mentioned issue. We truly appreciate your time and actions taken in order to provide us with more information about this.

Unfortunately the detection was a false alarm. This means that the file or website is clean and virus-free, but AVG detects it as a virus due to an error in virus definitions. Unfortunately, false alarms do appear from time to time in every security software.

We checked the URL and didn't find any pop up or detection. The false detection was probably fixed in the previous AVG virus database update. Update your AVG and check the situation again."

So could it be that SEVERAL virus software providers are flagging us with false positives???

Illori

If they are different software being used, I would say it is not a false positive.

ziycon

Get all your AVG users to update their definitions and if that fixes the issue for them, find out what other anti-virus software other users having the problem are using and ask them to update their definitions, but it's very VERY rare that multiple, even two anti-virus providers would create a false positive with a definition at the same time for the same 'virus'.

Sir Osis of Liver


There's a virus going round that's spread via browsers.  Can't remember the name, but there's a thread somewhere on the forum about it.  If any of your members has it on their computer, it will keep re-infecting your forum.


Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

MrPhil

I suppose that such a virus could exist, but the way it would work would be to cause the browser to exploit known security holes in the web site. Once you close up such holes, no problem for the site, except for infected browsers constantly pounding on your site trying to break in.

When will it become legal to kill all malware authors, wherever they are in the world?

Sir Osis of Liver


If I get a few minutes, will try to find the thread that names the virus.  Found some technical info on how it works, only some of which I understood.


catfished

Quote from: MrPhil on November 03, 2011, 09:59:23 AM
When will it become legal to kill all malware authors, wherever they are in the world?

I'd vote for such a law but obviously it's a pipe dream. ::)
You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

Flavious

I think a lot of our issues were coming from Google AdSense. Turned off all the Google ads, and like magic the problems stopped. Tried contacting Google every which way from Sunday, I get nothing from them. "Do no evil" indeed.

Had a new one today in that one user has links showing up on the SMF home page that are not there. As of yet, I can't duplicate it.

Flavious

SMF was infected again. I just noticed that SMF wanted files upgraded for a security patch. I did that, and then I found JavaScript (theme.js) and an htaccess file in the SMF directory that was infected. The htaccess contained a command to download a .js file, and the theme.js file contained an iframe attack to download from zombie computers.

After the last infection, we did a clean install of SMF, reviewed EVERY file on the website, shut off a ton of functionality elsewhere on the website, deleted a ton of unused files on the website, changed all the passwords, and for about 1-2 weeks everything was fine.

Question: How the hell is this happening? Should I be looking at a new dedicated server manager? Should I be looking at ditching SMF? Is there something on my server that is moving around and re-infecting crap when it gets a chance? How the hell does this thing get permission to write to the htaccess and javascript files?

I appreciate the help so far.... We've lost 50% of our traffic to the site because of this issue. It's a very busy site with tons of traffic, and the growing chorus of people screaming because their entire hard drive was wiped out eats my guts out and has made it impossible for me to sleep for several days.

Thanks all.


MrPhil

Since you have lots of other code on your website (you say), it's possible that's where the attack is getting in. I know the standard line from SMF is "there are no known security exploits", and that may (or may not) be true, as long as you are at the latest SMF version (2.0.2). Since no one else seems to be complaining about such attacks, it's unlikely (though not impossible) that it's in the SMF software you're getting from this site. Removing SMF and using another forum probably isn't going to help you, in other words. Is your other site software homebrew or installed standard/commercial applications? Do other sites sharing your server (if any) also report security problems? Have you not only scrubbed your site of all code that you can't account for, but also scanned all PCs used for admin access for spyware and viruses? After doing that, have you changed all passwords (site manager, FTP, admin/privileged SMF accounts, etc.)? Don't forget that FTP sends passwords in plain text, so you might want to switch to secure FTP (SSL). Have you done a daily (or even twice daily) directory listing with file dates and sizes, to see what's being modified? You might try making all directories 555 and all files 444, except any that SMF or other applications need to write to on a regular basis (attachments, avatars, etc.). Only (temporarily) grant write permissions when you want to upload a theme or a mod.

I wish you the best in getting this cleaned up -- it sounds like someone is really determined to get you.

Flavious

Quote from: MrPhil on December 26, 2011, 04:20:53 PM
Removing SMF and using another forum probably isn't going to help you, in other words. Is your other site software homebrew or installed standard/commercial applications?

There is one other application on the site that we wrote from scratch. We have checked every line of code in it, and had a third party check it as well. We've never had any problems there, no files have been written to in that directory, so I am reasonably sure it was not any of that code. Pretty simple app anyway, not much to it.

Quote from: MrPhil on December 26, 2011, 04:20:53 PM
Do other sites sharing your server (if any) also report security problems?

It's a dedicated server.

Quote from: MrPhil on December 26, 2011, 04:20:53 PM
Have you not only scrubbed your site of all code that you can't account for, but also scanned all PCs used for admin access for spyware and viruses?

Yes we have scrubbed all outdated or unidentified files some time ago. The Macs and PCs used to do anything to the site are checked frequently, checked today, all came up clean.

Quote from: MrPhil on December 26, 2011, 04:20:53 PM
After doing that, have you changed all passwords (site manager, FTP, admin/privileged SMF accounts, etc.)?

This was done after the first infection. Still working on it now after this latest infection.

Quote from: MrPhil on December 26, 2011, 04:20:53 PM
Have you done a daily (or even twice daily) directory listing with file dates and sizes, to see what's being modified? You might try making all directories 555 and all files 444, except any that SMF or other applications need to write to on a regular basis (attachments, avatars, etc.). Only (temporarily) grant write permissions when you want to upload a theme or a mod.

We talked about this today, and it is one option I think we will try - lock down everything so nothing can be written - except attachments and avatars... what else cannot be locked down? Or what all can I lock down without breaking Simple Machines? 


Quote from: MrPhil on December 26, 2011, 04:20:53 PM
I wish you the best in getting this cleaned up -- it sounds like someone is really determined to get you.

There is a possibility of one group doing this.. they have openly made it their goal to destroy my website for some time now. But I would need proof before I could take any kind of legal action or get the police involved. So far the only consistent factor has been Simple Machines.



青山 素子

Quote from: Flavious on December 26, 2011, 03:57:32 PM
SMF was infected again.

Not totally related, but I've noticed a persistent re-infection on one specific site I help manage that's on Dreamhost. The last time, I removed write permissions on all files and things still managed to become infected. Looking through using SSH, I found a few files with another account's owner were in the website root. About the only thing I can determine after that is that their shared hosting servers aren't all that secure. None of my other six plus SMF installs (mixed 1.1 and 2.0) have ever had an issue. I think it would be way too premature to blame the SMF software itself when there is no evidence of a systemic problem.

Quote from: Flavious on December 26, 2011, 06:21:20 PM
It's a dedicated server.

Okay, that's somewhat good. Do you have multiple domains on the server? What services are running and listening on ports? How updated are you on patches?

Are you using a commercial control panel package, or manually configuring things? How are you running PHP?

Keep in mind that "utility" web applications may also be an entry point. I once had a client who had a server intrusion. The attacker was using an old phpMyAdmin installation as a launching point. The client thought they had it blocked to outside IPs and thus didn't need to keep it updated, but mis-configured the server and left it open to the world.


Quote from: Flavious on December 26, 2011, 06:21:20 PM
Yes we have scrubbed all outdated or unidentified files some time ago. The macs and PC's used to do anything to the site are checked frequently, checked today, all came up clean.

Some of the newer Windows-based password-stealers use rootkit techniques to hide themselves. Scan using a bootable CD antivirus tool. UBCD4Windows works and many AV companies offer a burnable ISO that will scan your system.


Quote from: Flavious on December 26, 2011, 06:21:20 PM
We talked about this today, and it is one option I think we will try - lock down everything so nothing can be written - except attachments and avatars... what else cannot be locked down? Or what all can I lock down without breaking Simple Machines? 

If you want something a bit industrial-strength, look at AIDE. It's pretty awesome. There is also the much older Open Source Tripwire, but it hasn't been significantly updated in some time.

I also encourage the use of Fail2ban. It can be configured to examine various system logs and ban IPs found in those logs. I usually at the least have it watch SSH and FTP services.

In theory, you can make everything read-only. It is recommended at minimum to keep the cache directory and Settings.php writable. If you allow attachments or uploaded avatars, you'll need to set those as well.

Also, while you're locking things down, check all the files in every directory to see if they are supposed to be there. On that earlier infection on DreamHost I found a PHP-based shell tool hidden a few directories deep.


Quote from: Flavious on December 26, 2011, 06:21:20 PM
There is a possibility of one group doing this.. they have openly made it their goal to destroy my website for some time now. But I would need proof before I could take any kind of legal action or get the police involved. So far the only consistent factor has been Simple Machines.

While that might be possible, it really depends on the skills of those involved. Statistically, it's more likely there is some automated attack being done by a script kiddie than some targeted attack directly against you.

Also, as I noted earlier, there hasn't been any evidence of a systemic problem with SMF itself. With all the users, an active exploit would be noticed quickly from reports.
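The two pieces of advice above (MrPhil's daily file listing to see what is being modified, and the AIDE-style integrity check plus the "everything read-only except cache, Settings.php, attachments and avatars" lockdown) as one added shell example. This is not code from the thread or from SMF; it assumes GNU coreutils (sha256sum, stat -c) on a Linux server, and the writable-path list is a constructed default you should adjust to your install.

```shell
#!/bin/sh
# Added example: baseline-and-diff file integrity check for an SMF docroot,
# plus the read-only lockdown discussed in the thread.
# Assumes GNU coreutils (sha256sum, stat -c). Not part of SMF itself.

# Paths SMF still needs to write, per the thread: cache, Settings.php,
# attachments and avatars. Constructed default; adjust to your install.
SMF_WRITABLE="cache Settings.php attachments avatars"

# Write one "sha256 mode path" line for every file under $1 into manifest $2.
# Recording the mode means a permission change shows up as a change too.
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                             "$(stat -c %a "$f")" "$f"
      done ) > "$out"
}

# Print every path added, removed, or changed (content or mode) since the
# manifest in $2 was taken; return 1 if anything differs, 0 if clean.
check_baseline() {
    root=$1; base=$2; now=$(mktemp)
    make_baseline "$root" "$now"
    # diff lines look like "< hash mode ./path"; keep only the path, dedupe
    changed=$(diff "$base" "$now" | sed -n 's/^[<>] [^ ]* [^ ]* //p' | LC_ALL=C sort -u)
    rm -f "$now"
    [ -n "$changed" ] || return 0
    printf '%s\n' "$changed"
    return 1
}

# Directories 555, files 444, then give owner write back on the SMF paths
# that must stay writable (and everything beneath them).
lock_down() {
    root=$1
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    for w in $SMF_WRITABLE; do
        [ -e "$root/$w" ] || continue
        find "$root/$w" -exec chmod u+w {} +
    done
}

# Usage: make_baseline /var/www/forum /root/forum.manifest once after a clean
# install, then run check_baseline from cron; a report naming .htaccess or a
# theme .js file is exactly the kind of change described in this thread.
```

Take the baseline only after you are sure the tree is clean, and keep the manifest outside the web root so a write into the site cannot also rewrite your record of it.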


Flavious

Quote from: 青山 素子
Okay, that's somewhat good. Do you have multiple domains on the server? What services are running and listening on ports? How updated are you on patches?

Are you using a commercial control panel package, or manually configuring things? How are you running PHP?

No just one domain.

Cpanel, very minimal.


Night09

Ok. First learn what you're talking about: 'MBR viruses' = Master Boot Record = server's HDD, so no matter how much you clean your site you will be reinfected!  Your host's issue to resolve that.

AVG free: You got more chance of knitting fog than that piece of **** doing the job.

Run Emsisoft Anti-Malware, Malwarebytes, then install Kaspersky Internet Security 30 day trial to keep your own PC under control as you could be the infection source if you are relying on AVG. Avira antimalware scanner is a decent free program to use after. Don't run two together as they will conflict.

If SMF was the culprit I'm sure more than you would be reporting this by now.

Just my 2pence worth. ;)

青山 素子

Quote from: Flavious on December 26, 2011, 07:15:47 PM
Quote from: 青山 素子
Okay, that's somewhat good. Do you have multiple domains on the server? What services are running and listening on ports? How updated are you on patches?

Are you using a commercial control panel package, or manually configuring things? How are you running PHP?

No just one domain.

Cpanel, very minimal.

What about server patches? I'm guessing you're on Linux?

cPanel's default settings aren't very good, so you might want to review that configuration as well.


Quote from: nightbre on December 26, 2011, 07:54:06 PM
Ok. First learn what you're talking about: 'MBR viruses' = Master Boot Record = server's HDD, so no matter how much you clean your site you will be reinfected!  Your host's issue to resolve that.

MBR viruses are not really all that common anymore. Especially with the whole NT stack, they tend to break things more than infect them. It is more likely there is a rootkit involved, which is more difficult to detect.


Quote from: nightbre on December 26, 2011, 07:54:06 PM
AVG free: You got more chance of knitting fog than that piece of **** doing the job.

AVG's detection engine isn't bad, but their newest software packages have become very bloated. However, if you read, you'll see that the mention of AVG was from end users browsing the website. Rant about AVG all you like, but the people actually using it won't read that.


Quote from: nightbre on December 26, 2011, 07:54:06 PM
Run Emsisoft Anti-Malware, Malwarebytes, then install Kaspersky Internet Security 30 day trial to keep your own PC under control as you could be the infection source if you are relying on AVG. Avira antimalware scanner is a decent free program to use after. Don't run two together as they will conflict.

Haven't heard of Emsisoft before. KAV and Avira have both been decent. However, for the Windows systems, a bootable scanner CD is the best option as it will allow detection of items that may hide when Windows itself is running.


Quote from: nightbre on December 26, 2011, 07:54:06 PM
If SMF was the culprit I'm sure more than you would be reporting this by now.

Yeah, probably. Isolated incidents are usually related to that specific server or website contents.


busterone

Kaspersky has a good bootable scanner that runs on Linux.  You can download the ISO and burn it to CD, or also download the USB app that will create a bootable stick with the ISO.  It will also configure your network adapter to update the signature file before the scan. The only negative I have found with it is that it has a problem configuring some wireless devices. If your only web access is wireless, there is a potential issue with updating the signature.

Night09

Quote from: 青山 素子
MBR viruses are not really all that common anymore. Especially with the whole NT stack, they tend to break things more than infect them. It is more likely there is a rootkit involved, which is more difficult to detect.

Kaspersky do a good range of standalone apps and a rescue disk too which can be booted from, Avira also do one that can be booted from too.

Quote from: 青山 素子
AVG's detection engine isn't bad, but their newest software packages have become very bloated. However, if you read, you'll see that the mention of AVG was from end users browsing the website. Rant about AVG all you like, but the people actually using it won't read that.

From my job's point of view (IT Tech), systems with AVG, Norton and McAfee can report your system safe, but when scanned with another scanner, i.e. Malwarebytes/Emsisoft for instance, they suddenly start finding infections off the back of the other scanner. It's entirely up to the end user to decide how much security they wish to implement, but personally I would not rely on any of the 3 named alone. Kaspersky suite or ESET would be a top choice for decent security, generally available for a reasonable price. Avira is my choice of free scanners, but I would also run a manual scan with Malwarebytes regularly too.

Another biggie that gets overlooked a lot is people don't update Flash, Java and Windows updates, which also leaves holes they needn't have. Browsers generally bug you to update, but Windows can be very out of date in some instances.

(Overlaps buster's post but was written when he posted.)
