News:

Join the Facebook Fan Page.

Main Menu

Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic

Ratiomaster

I used it on my own server :)
Because this hack infects not only php in the forum directory , but also all php files in other directories up to root, it was not realistic for me to try and clean it by hand.
I've attached cleanup_test.php. This file will only scan all php's and report infected files with "INFECTED" line without actually removing anything. So you can see if you are clean or not.

Ratiomaster

Also, i just noticed, simple machines released official clean up tool in this thread :
http://www.simplemachines.org/community/index.php?topic=313201.0

Keep in mind that it only cleans files in your forum directory. If you want to clean all server, then you need to copy :
settings.php. SBI.php and kb_scan.php to your root folder.
And then type in the browser hxxp:www.yoursite.com/kb_scan.php [nonactive] and wait a few minutes :)

I was clean also according to official tool, so i feel much safer now :)

Good luck.

Ratiomaster

Thats actually an oversight. The whole site is compromised due to attack, not only forum. I hope they fix it soon.
You can still avoid that check, but running script in the same window (same session) after you logged into your forum, and then manually changing url.


Dzonny

Thanks for info, this is great tool, i'm glad this is released too.. :D

aly22

ran cleanup_test.php and it just lists a ton of files. I see no "infected" tag on them so does that mean I'm clean or did something wrong?

Ratiomaster

Quote from: StarWars Fan on May 26, 2009, 11:17:36 AM
What's cool about Ratiomaster's script is that it can catch any "base64_decode" injection in all directories - am I correct?

You can drop it in any directory and it will search it and all subdirectories.

Official tool is more user friendly and comprehensive, it looks in 'php', 'phtml', 'php3' for pattern. But it requires that you drop this tool in your forum folder.
Also trying to look something in database - not found anything on my site and it slightly suspicious, because i didnt touched database and if exploit does change database, then it means the backdoor is still there...
I dont suggest to run official tool on the whole site (on the forum only its probably OK), because it can corrupt one of your valid files .
I'd wait until official team fix those issues first.

Ratiomaster

Quote from: aly22 on May 26, 2009, 11:20:47 AM
ran cleanup_test.php and it just lists a ton of files. I see no "infected" tag on them so does that mean I'm clean or did something wrong?

If you didnt manually cleaned up infections , then it definitely means you're not infected. If you cleaned them up before running either tool, it just confirms that you dont have most obvious traces of it. But considering sophistication of the exploit, i'm afraid that it installed some backdoors which neither of tools really cleans.

glennk

Hi There,

Theres quite a lot oftopics on this and a lot of posts here. I dont really know where to start. I have (Did have) a forum member called Krisbarteo. I have now banned him. I have been experiencing problems for a few weeks. My forum members tell me that their antivirus is warning of problems in the site. Namely

exploit javascript obfuscation type(501)

j.s.cruzer-c (trj) trojan horse

It appears to have effected a lot of things even the spellchecker.

It apparently is also present in my coippermine gallery and my wordpress sites which are all on the same domain in subfolders.

Can someone advise on what to do. Do I overwrite everyfile or is their a simpler solution here ??

Many thanks for your time - Glenn

Antechinus

Grab the cleanup script and run it. http://www.simplemachines.org/community/index.php?topic=313201.0
This one has been looked at by the SMF team. As far as I know Ratiomaster's script has not, so at the moment I'm not in a position to recommend it. However if other members are getting good results with it this is a good sign, and we may be able to incorporate the best features of both scripts in one tool. 

Fustrate

FYI, you can change the path to SSI.php at the top of the file in order to use it from a lower directory.

Both Ratiomaster's and my scripts do the same thing for the infected files, but kb_scan.php also scans the database and looks for files such as those that could be added by the exploit. By what I see in cleanup.php, it's safe and should do the just as well for any infected files :)
Steven Hoffman
Former Team Member, 2009-2012

Anhinga

I'm a member of a forum running SMF 1.1.4 where users can upload there own avatars, and krisbarteo is registered there, although as far as I can tell he hasn't attacked it yet.  I hope I can get the administrator to delete this guy's account and update the forum.

The forum is http://tyrantkingforums.net/ .  I don't see any spam links in the forum's source code; is there anything else I should look for to determine whether he's used this exploit there?

Fustrate

You should point them towards http://www.simplemachines.org/community/index.php?topic=313201.0 so that they can check everything themself :)
Steven Hoffman
Former Team Member, 2009-2012

kassie

Quote from: LexArma on May 01, 2009, 12:54:16 PM
Quote from: vHawkeyev on May 01, 2009, 10:47:02 AM
All the php files on my site have been injected with Base64-encoded text that translates to
Do you have a recent member called "krisbarteo" ?
If you do, could you answer these couple of questions:

- Did he upload an avatar?
- Do you use the attachment folder for avatars, or some other custom folder?
- What other software than SMF are you running on your server?

Then please delete that user, and his avatar from your forum.

Hi had this member on my forum & so I deleted them & all the code that was at the top of site when in profile to change themes is now gone. I left my computer for an hour & now I can't see my site any more. I get this message.

"Not Found

The requested URL /smf/index.php was not found on this server."

I've gone into Cpanel & all the files are there. I don't have a backup either. What can I do?

JBlaze

Have you tried using the exploit utility released especially for this hack?

http://www.simplemachines.org/community/index.php?topic=313201.0
Jason Clemons
Former Team Member 2009 - 2012

kassie

No I haven't, thanks.
Oh can I use that with 1.1.9? I had updated before knowing about this.

JBlaze

Yes, you can use it on any version from the 1.0.x series, 1.1.x series as well as 2.0
Jason Clemons
Former Team Member 2009 - 2012

kassie


H

The hack that caused the issue prompting this topic has been fixed in SMF 1.1.9 or 2.0 RC1-1

Release announcement: http://www.simplemachines.org/community/index.php?topic=311899.0
Confirm that your site has not been exploited with our scanning tool: http://www.simplemachines.org/community/index.php?topic=313201.0

If you have any further questions or concerns please start a new topic so that we can track individual issues.

Thanks
-H
Former Support Team Lead
                              I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
                             

Advertisement: