
Vulnerable software detected on your account; wtf?

Started by Mick., April 02, 2021, 10:42:56 PM


Mick.

So I was removing the OneAll Social Login mod manually, and I edited the Subs.php file based on the backwards uninstall. Soon after, my host shut my site down...

Quote
Dear Michaelangelo,

While conducting our regular server security audit, we detected that the site hosted on your account idesignsmf.com has become vulnerable to exploits and hacks and creates a serious threat to the integrity of the shared server.

The list with all suspicious files we found is stored in your account's home folder in a file called suspicious_files.txt:

/home/customer/www/idesignsmf.com/suspicious_files.txt

It can be downloaded either through your File Manager or using your local FTP client.

To ensure the overall security of the server and all websites hosted on it, we had to temporarily disable access to this application.

Very often sites are compromised because of outdated software or stolen login details. Please check the following article for more information:

https://www.siteground.com/kb/why-was-my-website-compromised/

In your case we can offer you 2 solutions:

1. Clean and secure the site by yourself. After that you should reopen the ticket about this case so that we can confirm the issue is resolved.

2. Security audit performed by our partners from Sucuri. We recommend the website security company Sucuri for malware detection, malware cleanup and malware prevention. Their 2-in-1 Website AntiVirus Website Firewall (WAF) solution supports and protects all websites built on any platform.

https://siteground.com/sucuri

Also, provide us with scan results of your local computer with an anti-virus software of your choice, confirming that the same is not infected in any way. You can provide us with the results in the form of a screenshot attached to this ticket.

Thank you for your understanding and cooperation.

Best regards,
Dimitar G
SiteGround System Administrator
SiteGround.com

This is what's in the suspicious file they sent...

[STR]php_self_delete_1 [23/01/21] /home/u148-vjs52jezkqud/www/idesignsmf.com/public_html/dev-site2/Sources/Subs.php
[STR]php_self_delete_1 [03/04/21] /home/u148-vjs52jezkqud/www/idesignsmf.com/public_html/Sources/Subs.php
[STR]php_self_delete_1 [19/12/20] /home/u148-vjs52jezkqud/www/idesignsmf.com/public_html/Sources/Subs.php~

live627


Mick.

Quote from: live627 on April 03, 2021, 02:46:56 AM
Scumbags. No line numbers?
Their tool only detects the type of infection, not the malicious code itself. ::sigh::
I replaced Subs.php in both locations, but it seems it is still detecting the infection.

Aleksi "Lex" Kilpinen

That would be Sucuri for you. The same service that just randomly deletes files on GoDaddy.
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


Mick.

I had no choice but to sign up to Sucuri.

These are the files they cleaned up so far wtf!!

Quote
The following files have been cleaned so far:

CLEARED: Cleared malware from file: ./dev-site2/Sources/tasks/ExportProfileData.php Details: php.malware.injector.072
CLEARED: Cleared malware from file: ./Sources/tasks/ExportProfileData.php Details: php.malware.injector.072
CLEARED: Cleared malware from file: ./Sources/LightPortal/ManagePlugins.php Details: php.malware.cc_stealer.034.02


We are still investigating your ticket and will provide further updates as soon as we have them.

shawnb61

Do you have any way to compare the files to their previous state?  To see what changed?
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
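Added example, not code from this thread, from SMF or from the host: one way to answer shawnb61's question next time is to keep a hash manifest of the web root taken when the site was known-good (or built from a freshly unpacked SMF package of the same version) and diff the live tree against it. The script below does that in Python; the directory layout and file contents are constructed in a temporary directory purely to reproduce the shape of what the host flagged (an edited Sources/Subs.php, a leftover Subs.php~ backup, and a removed file), so no real site is touched.

```python
"""Integrity diff for a web root: hash every file, store the manifest,
and later report modified / added / missing files.

Added example; not SMF or SiteGround code.  The sample tree built in
demo() is constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict[str, str], out: Path) -> None:
    # Store the baseline OUTSIDE the web root, otherwise an attacker who can
    # write to the site can also rewrite the baseline to hide changes.
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added or missing relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario mirroring the thread: take a baseline, then change the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "Sources").mkdir(parents=True)
        (site / "Sources" / "Subs.php").write_text("<?php\n// known-good Subs.php\n")
        (site / "index.php").write_text("<?php\nrequire_once 'Sources/Subs.php';\n")

        baseline_file = Path(tmp) / "baseline.json"   # outside public_html
        save_manifest(build_manifest(site), baseline_file)

        # Later: Subs.php edited by hand, an editor backup left behind, a file removed.
        (site / "Sources" / "Subs.php").write_text("<?php\n// known-good Subs.php\n// manual mod uninstall edit\n")
        (site / "Sources" / "Subs.php~").write_text("<?php\n// known-good Subs.php\n")
        (site / "index.php").unlink()

        return diff_manifest(load_manifest(baseline_file), build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical notes. First, the baseline has to come from somewhere you trust: a manifest taken after the site was already modified only tells you what changed since then, which is why building it from a clean copy of the same SMF release is the safer choice. Second, the Subs.php~ entry in the host's list is worth acting on regardless of what the scanner thinks of it: editor backup files with a ~ suffix are normally not handled by the PHP interpreter, so on a default web server setup they are served as plain text and expose the file's source to anyone who guesses the name; delete them from the web root.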

Mick.

Quote from: shawnb61 on April 03, 2021, 11:41:27 AM
Do you have any way to compare the files to their previous state?  To see what changed?
Not really, since I had no access. Now I do, and all's good. I just need to set the permissions on Subs.php, which I don't remember what they were..

Warning: require_once(/home/customer/www/idesignsmf.com/public_html/Sources/Subs.php): failed to open stream: Permission denied in /home/customer/www/idesignsmf.com/public_html/index.php on line 72

Fatal error: require_once(): Failed opening required '/home/customer/www/idesignsmf.com/public_html/Sources/Subs.php' (include_path='.:/usr/local/php73/pear') in /home/customer/www/idesignsmf.com/public_html/index.php on line 72

Mick.

Never mind.... just needed to empty the cache file. All's good.
