
Can't get rid of Trojan.PHP-43

Started by Мel, July 13, 2012, 06:02:26 PM


SMURF6060

Mel

Here's a little help in your fight. This will help scan all your PHP files for the bug. The script is attached to this post.

** important
change all file permissions so they can't be written to.
*******************************************
Use these regular expressions to search for all pages containing the malicious code and replace it with space:

for example:

    <iframe src=\"http://[^"]*" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>

    echo \"<iframe src=\\\"http://[^"]*\" width=1 height=1 style=\\\"visibility:hidden;position:absolute\\\"></iframe>\";

** YOU WILL NEED TO CATCH AN INFECTED FILE FIRST IN ORDER TO GET THE PARAMETERS NEEDED; TAKE THE INFECTION CODE AND EDIT THE scan.php FILE WITH IT.

Once you have the infection code and have included it in the scan.php file...
- upload the scan.php file to your server (root of the site of infection)
- visit www.yoursite.com/clean.php?c=iframe
The parameter c specifies the text to search for inside the file. The results will be something like:

It will search all the files in your website and if any of the files contains the given string, it will print the filename along with the number of occurrences of the string. In the above screenshot, you can see that one file is infected.

Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites. So as of now you will have to clean the files manually.

also:

Whatever FTP client you're using, configure it to show you all hidden files.
For example, Core FTP doesn't show the .htaccess file by default.

remember:
change all file permissions so they can't be written.
change your FTP client settings so you're able to see ALL files

------------------------------------------------------------------------

Wanna laugh?
Do a Google search for SERVER SIDE INFECTION. Depending on your region, the first post in the results would be mine, posted on SMF back in 2009 for this same issue.
I don't know why my other post (posted back in 2006, I believe) isn't indexed.

-----------------------------------------------------------------------------------------------------

I have already experienced 2 server side infections using themes ( never the default theme ) and admins here should really look into this issue.

The only way a theme can be determined to be SAFE is where it DOES not " CALL BACK HOME"

Common sense: I can easily create a theme, submit it to the community... where it gets accepted... where members download it. And then later on, I can have the theme "call home" where I can inject my Google AdSense code... or any other malicious code into that theme... for whatever reason.
---------------------------------------------------
to the moderator:

I know exactly what you are doing..and why you are doing it.

I will be filing a formal complaint with SIMPLE MACHINES against you




butchs

Be careful.  Type something wrong and you will duplicate your server.

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

SMURF6060

What do you mean by "type something wrong and you will duplicate your server"?

Arantor

Anyone who uses that script as-is is also exposing themselves to an XSS bug in the script (by it not bothering to sanitise the contents of $_GET variables before displaying them directly to users)
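Added here as an example, not the scan.php attached to the original post: a read-only scanner in Python that walks a site tree and counts matches of the hidden-iframe pattern quoted above per file (the "filename along with the number of occurrences" output Mel describes), plus a report renderer that escapes the search term, which is the $_GET sanitising step Arantor says the original script skips. The sample files, the Themes/ path and the example.invalid host are constructed for the demo.

```python
import html
import os
import re
import tempfile

# The hidden-iframe pattern quoted in the thread; the host part is left open
# ([^"]*) so any injected URL is caught, not one specific domain.
HIDDEN_IFRAME = re.compile(
    r'<iframe src="http://[^"]*" width=1 height=1 '
    r'style="visibility:hidden;position:absolute"></iframe>'
)

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")


def scan_tree(root, pattern=HIDDEN_IFRAME):
    """Return {relative_path: occurrences} for files matching the pattern.

    Files are opened read-only and never rewritten, in line with the thread's
    point that automated cleaning can break a site.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                count = len(pattern.findall(fh.read()))
            if count:
                hits[os.path.relpath(path, root)] = count
    return hits


def render_report(term, hits):
    """HTML report; html.escape() on the search term is the sanitising step
    the original script skips when it echoes $_GET['c'] back to the browser."""
    rows = "".join(
        "<tr><td>%s</td><td>%d</td></tr>" % (html.escape(path), n)
        for path, n in sorted(hits.items())
    )
    return "<p>Files containing '%s':</p><table>%s</table>" % (
        html.escape(term, quote=True), rows)


def demo():
    """Scan a constructed sample tree: one infected file, one clean one."""
    root = tempfile.mkdtemp()
    injected = ('<iframe src="http://example.invalid/x" width=1 height=1 '
                'style="visibility:hidden;position:absolute"></iframe>\n')
    os.makedirs(os.path.join(root, "Themes"))
    with open(os.path.join(root, "Themes", "index.php"), "w") as fh:
        fh.write("<?php echo 'hi'; ?>\n" + injected * 2)  # infected twice
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>\n")
    return scan_tree(root)
```

Run `demo()` to scan the constructed tree, or point `scan_tree()` at a copy of a site to get the per-file counts without touching the files.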

Kindred

Out of curiosity....

You keep suggesting/accusing the SMF theme as being the culprit and suggesting that admins need to worry about themes downloaded from here... However, you have not actually given any details on how this is so.

If you have a problem with a specific theme or author, then report that to the SMF team. SMF takes its security very seriously, and is one of the best forum softwares with one of the best security records out there.

Considering your screen shot shows Wordpress themes, I would hazard a guess that, if you gt needed, that may be the vector... Not anything to do with SMF. If you actually have security details to report, then please do so, to the [email protected] email address.

Your attitude has also been very confrontational from the start... I suggest that you chill.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Kindred

To Mel...


Ok, here's part of your likely problem.
You clean the infected files, but have not found and removed the actual back door that they used.

I don't know who your host is... But when I got an infected site (from zenphoto, but it hit every file) they helped me track down not only the infected files, but also the 3 back door directories that had been added so the hackers could get in and reinfect at will.

So, I stored all of the avatar and attachment directories on my PC and cleaned out all of the PHP and HTML files. I then just deleted everything and reinstalled from scratch. I could also have used one of the backups, but I decided that I was going to just clean out much of the crap as well.
Then I replaced all of the avatars and attachments as well as custom graphics.

As I said, you not only have to worry about specific files which have been infected, but hidden, buried directories that have backdoors. A good host will help you track, find and remove those as well.

Finally, once you've found the backdoors, look at your server logs, find the IPs which have accessed it and use htaccess to stop them.

butchs

Quote from: SMURF6060 on July 15, 2012, 07:31:20 PM
what do you mean by "type something wrong and you will duplicate your server"

Besides what Arantor pointed out, it is not easy to use.  If the user types in the wrong thing it can copy a ton of files to the "iframe_cleaner_backup" folder filling up a limited account.  Check out KB Scan script?


SMURF6060

Quote from: Kindred on July 15, 2012, 08:01:41 PM
Out of curiosity....

You keep suggesting/accusing the SMF theme as being the culprit and suggesting that admins need to worry about themes downloaded from here... However, you have not actually given any details on how this is so.

[ What details would you like? Are you publicly asking me to publicly post how to hack a person's server by way of an SMF theme? Is that what you're asking? - any theme that has the ability to "call home" is a security risk

any mod that calls home is a security risk ]

If you have a problem with a specific theme or author, then report that to the SMF team. SMF takes its security very seriously, and is one of the best forum softwares with one of the best security records out there.

[ That's your opinion... and you're entitled to it, just like it's my opinion to say that I do not agree with your statement ]

Considering your screen shot shows Wordpress themes, I would hazard a guess that, if you gt needed, that may be the vector... Not anything to do with SMF. If you actually have security details to report, then please do so, to the [email protected] email address.

[ the screen shot is an EXAMPLE]

Your attitude has also been very confrontational from the start... I suggest that you chill.

[ Where in this topic do you see any confrontation?? Because I responded and explained my statements to another member using a different font color, your opinion is that it's confrontational? I beg to differ.

- Suggesting "I chill" is being confrontational... and also inciting. I don't accept your threats ]


Arantor

No, it's asking you to submit the details of this apparent hack to the form that will tell the developers about it. The information is passed only to the development team. Assuming it's a genuine threat and that you actually care about users enough to want to help the SMF team fix it.

FWIW, any theme installed from the admin panel is a threat to the server. Has been since... pretty much forever, because it's almost always owned by the webserver user and thus can be attacked by anything else on the server regardless of file permissions (because it's owned by the webserver, it can always have its permissions elevated)

Same deal with mods that add files, for the same reason. Even the most ardent fan of reducing file permissions refuses to acknowledge this as a possible vector, and it's something I've spent many hours trying to figure out a reasonable way around it that doesn't require the user to just do everything via FTP and be done with it. Note that this is only indirectly an SMF problem and a lot more related to how hosts configure their system and don't have things like suPHP to force PHP to be run as the file owner instead (which would totally negate this entire vector)

The fact is, whether you think it is secure or not is pretty much irrelevant. How many products do you know that have been in active use for 6 years and only received a total of 16 security patches in that time? (That's the security record of SMF 1.1 series.)

Here's the thing: you're trying to tell people who use SMF, who have used it for years, that there is a major vulnerability, except that all you're doing is blustering. We've all heard it before, usually from people who haven't a clue what they're talking about. Right now you're putting yourself in that same group.

You want to be taken seriously? Act seriously, not blustery.

Night09

Basically, Mel, to be fair you're out of your depth here tracking this down and clutching at straws as to the real cause, but not doing anything to investigate this, as removal isn't removing the reason it's there to begin with. I'd suggest you post in the help wanted (free or paid) for someone with a good reputation who you can then trust with your login details. Then hopefully somebody with a decent knowledge of these situations can go over it for you.

Forget the soothsayer warnings about going to an office bla bla as its bull****** frankly as you can be ripped off anywhere...

Kindred

quote fail.....

1- No, I am asking you to send such details to the security address.
I tend to doubt your assertion though...   any mod or theme that 'calls home" but is not protected against XSS, maybe...  but not "any".

2- No, actually, it is not just my opinion. It is proven fact, backed by security reports and hack records as well as the immediate response by SMF devs when a vulnerability is found/reported.

3- Suggesting that someone chill is being confrontational? Inciting? Threats? Wow, you really do need to chill. I see no threats in my statements for you to accept or reject.... (a threat would be "do this or else"... nowhere did I say that, nor do I have any power on this site to do that... sheesh)

Arantor

Quote
I tend to doubt your assertion though...   any mod or theme that 'calls home" but is not protected against XSS, maybe...  but not "any".

That assumes the home that is being called is also not compromised. No server is bullet proof.

Quote
Id suggest you post in the help wanted for free or paid for someone with good reputation who you can then trust with your login details. Then hopefully somebody with a decent knowledge of these situations can go over it for you.

Forget the soothsayer warnings about going to an office bla bla as its bull****** frankly as you can be ripped off anywhere...

No, it isn't. Proper companies that do this stuff will also have warranties they can give, i.e. insurance. How many people here - me included, for example - would do that?

Kindred

true, arantor...   if the target site is already infected - depending on what is being done with the "call home" function, it could be a problem.

Of course, he doesn't specify what he actually means by "call home".
Does he mean "adds a link back to the author's site"? (if so, I can't see any way that would cause a problem)
Does he mean, in the admin section, checks against the recent versions or news from the author's site? (if so, I could see a way for that to be targeted, but only if the user had admin access already - or the mod didn't do proper checks AND was not configured against XSS)
Does he mean something else? His reports, as both you and I pointed out, are full of hot air and bluster and very little actual content.

Of course, since neither of us have access to the security reports email and discussion area, we can't confirm if he has or has not submitted any reports... but I don't recall seeing anything from this user when I was on the team....

Night09

Quote from: Arantor on July 15, 2012, 10:15:13 PM
Quote
I tend to doubt your assertion though...   any mod or theme that 'calls home" but is not protected against XSS, maybe...  but not "any".

That assumes the home that is being called is also not compromised. No server is bullet proof.

Quote
Id suggest you post in the help wanted for free or paid for someone with good reputation who you can then trust with your login details. Then hopefully somebody with a decent knowledge of these situations can go over it for you.

Forget the soothsayer warnings about going to an office bla bla as its bull****** frankly as you can be ripped off anywhere...

No, it isn't. Proper companies that do this stuff will also have warranties they can give, i.e. insurance. How many people here - me included, for example - would do that?

I work at an Apple authorised IT repair centre dealing with both Mac and PC, and there's no warranty on viruses since users are too stupid not to reinfect machines doing the exact same stuff that caused it to begin with. People can have activated subs to all major antivirus products, yet the logs will show they never ever run a scan and some even disable it working properly to begin with.

Arantor

Quote
Does he mean, in the admin section, checks against the recent versions or news form the author's site? (if so, I could see a way for that to be targeted, but only if the user had admin access already - or the mod didn't do proper checks AND was not configured against XSS

That's a vulnerability vector and no mistake. Let's say it is in the admin panel. Now let's say for the sake of argument that the method used to 'call home' is done as a compromise against the JS files SMF normally uses for such things (that SMF, SimplePortal, SimpleDesk etc. all in their own slightly different ways)... that file will be included against an admin user. If that happens to, say, steal the session ID (which is entirely possible) the entire administrative session could theoretically be spoofed.

There's all kinds of other vectors. Bad Behaviour's author, for example (I mean the original BB, not the SMF port of it) is planning to add a setup to the next major version to allow rule lists to be downloaded automatically. Depending on the method used there, it's entirely possible that it could allow arbitrary code execution, and if that IS the case, should his site be compromised, anyone else could also be compromised by the same fashion.

Quote
People can have activated subs to all major antivirus products yet the logs will show they never ever run a  scan and some even disable it working properly to begin.

I actually don't bother running AV as standard. I do routine scans every month or so, or when anything isn't working as expected, and I keep an eye on other things, but I don't have any in the background, there is little real point to it, IMNSHO.

青山 素子

Мel,

If you'd like someone to take a look at the website and see what is going on, I can certainly offer some assistance. If it's somewhat simple, I can work on cleaning it up. If it's a complex thing to clean up, I'll tell you so and you can decide how you want to proceed.

If you'd like references or at least some reassurances that I know what I'm doing, I'd be happy to send you my credentials in a PM. I'll say publicly that I'm a systems administrator for a small Internet development company in California that has done work for large clients like Experian and Quicksilver. I'm also fairly experienced in reviewing compromised sites.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Arantor

FWIW, I'd vouch for 青山 素子 as someone who is trustworthy and very competent all round :)

NanoSector

Quote from: Arantor on July 16, 2012, 08:09:13 AM
FWIW, I'd vouch for 青山 素子 as someone who is trustworthy and very competent all round :)
So do I, Motoko is good with these kind of things :)
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Kindred

As a side note: I installed the Curve Multicolor theme, looked through the installation and the files and can not see any (obvious) way that the theme itself could have been used. The only function which is subject to an injection would be the variant= argument...  however, this appears to be properly handled.

Arantor

That's the thing: I don't think there's any vulnerability in the theme code itself, I still suspect it is as I called it: there is a side vulnerability in file ownership that allowed them to get infected, but there was a separate vulnerability that was the way into the server.
