
External links inserted among left panels

robbieB
asked

Looking at the home page of my fusion site (www.rnsyc.net) this morning I happened to click on View Source and found the following code inserted between two left side panels (at Line 131, just above the Users Online panel):

<div style=position:absolute;left:-2107px;width:507px>Mabry ListX 1.04.012, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=6729>download PTC Pro Engineer Wildfire 3.0 Linux download</a>, Megatech MegaCAD 3D 2007, Ashlar-Vellum Cobalt 8.0 Build 818 BETA Multilanguage, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=6278>cheap ImTOO DVD to PSP Converter 4.0.39.0117</a>, Abb QuickTeach 5.3, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=6981>download Master Of Defense 1.65 cheap</a>, VMWare Workstation 4.5.2, Honestech DVD Authoring Studio 2.0 Retail, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=7837>cheap 18 Wheels Of Steel Haulin oem</a>, NVIDIA PureVideo Decoder 1.02.145, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=11532>oem PTC PRO ENGINEER WILDFIRE 3.0.M130.WIN64 cheap</a>, Cambridge English Pronouncing Dictionary, Adobe Photoshop Elements 6.0 Bilingual, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=2813>cheap Domain Name Analyzer Professional 4.0.102204</a>, G7 Productivity Systems VersaCheck Platinum 2008, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=11049>Autodesk MotionBuilder 7.5 Extension 2 oem</a>, SpyDestroy Pro 1.0.8, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=997>download Solidworks 2003 MoldBase download</a>, CursorArts IconForge v6.31, Mcafee Virus Scan Professional Edition V8.02, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=6721>cheap Roxio RecordNow Premier 8.0 Multilanguage</a>, Allok MPEG4 Converter 2.0.2, Compuware DevPartner Java Edition 4.0, <a href=http://www.oemsoftdiscount.com/index.php?target=desc&progid=7594>download EMRC NISA CIVIL 14 cheap</a></div>


I've no idea how long it has been there, or how it was inserted. The last major change was the upgrade to v6.01.15. So far I haven't been able to find the code in the core files I've looked at, e.g. news.php. Has anyone else come across this? Any ideas where I should look for the inserted code?

Many thanks,

RobbieB
Edited by robbieB on 25-08-2008 12:21,
10 posts

muscapaul
Paul

Time flies like an arrow, fruit flies like banana (Groucho Marx)

Sites: Diptera.info (site owner); Online-Keys.net (site owner); Sciomyzidae.info (site co-owner); muscapaul.com (defunct; site owner)
answered

See if you can find the code in the latest_users_online_panel.

Usually the occurrence of code like this in files is the result of a backdoor script being placed on your server at the moment there was an unclosed vulnerability. It may have been there for a long time and it may even have been dormant for quite some time, too.

I got rid of such scripts and the resulting code insertions by downloading all site files to a local computer. If there is a nasty version, then your virus scanner may already pick it up on download. Some scripts with encrypted code may escape detection. If you have downloaded all files, use a program that can scan the contents of the files for certain strings (I use AgentRansack, but there are scores of others, maybe even Windows Desktop Search and the likes that can do it for you, too). Strings attached to these encrypted backdoor scripts usually contain some text like 'base64', 'gzinflate' or 'md5pass'. Inserted code can be placed in iframes (so search for 'iframe') and the most often inserted code (to my experience) includes 'oemsoft'.
Please note that there are several files of PHPFusion core that also may contain the strings 'iframe', 'base64', 'gzinflate' (depending on the PHPFusion version and whether you bothered to upload the whole tiny_mce folder, for example). When you find these strings in files where they do not belong, you need to re-upload clean versions from your installation package.
Code may also have been placed in the database. Custom Pages, Panels and to a lesser extent News are the most likely places where you will need to check. Use the admin panel to check all Custom Pages you may have for code you did not put there yourself. In the admin panel you should also check all panels of which the content is stored in the database (these are indicated by PHP rather than by File).
Further, you should check that any of the infusions are free of vulnerabilities. I see you have a Calendar Infusion. Check on the mods site whether this is the latest version. There has been a version of a Calendar that had a vulnerability and this was exploited on many sites before it was closed. I am certain there still will be sites using vulnerable versions. Maybe this is even the first thing you should check.

Once you think you have found all the culprits, then change your password to the site and have all other admins do the same, a.s.a.p. The backdoor scripts were probably able to read admin passwords and thus someone could gain access to your site in the first place. As long as these scripts are still in place, changing the passwords will have little to no effect.
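As an added, defender-side example (not code from this thread, from Paul, or from PHP-Fusion itself), the following Python script performs the string search Paul describes over a downloaded copy of the site and over content exported from the database (panels, custom pages, news). The plain indicator words are the ones named in the thread ('base64', 'gzinflate', 'md5pass', 'iframe', 'oemsoft'); the `eval(gzinflate(base64_decode(...)))` shape and the off-screen `<div>` pattern are added here as generalisations of the injected block shown in the question. The sample files, the sample database rows and the `KNOWN_CLEAN` entry are constructed for the demonstration; the real list of core files that legitimately contain these words must come from your own clean installation package.

```python
"""Indicator scan for a downloaded site copy and for database-stored content.

Added example for the thread above; sample data is constructed, not real.
"""
import os
import re
import tempfile

# Indicator patterns. Plain words are the ones named in the thread; the two
# regexes flag the usual encoded-backdoor shape and off-screen spam divs.
INDICATORS = {
    "base64": re.compile(r"base64", re.I),
    "gzinflate": re.compile(r"gzinflate", re.I),
    "md5pass": re.compile(r"md5pass", re.I),
    "iframe": re.compile(r"<\s*iframe", re.I),
    "oemsoft": re.compile(r"oemsoft", re.I),
    "encoded-eval": re.compile(
        r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "offscreen-div": re.compile(
        r"<div[^>]*position\s*:\s*absolute[^>]*(left|top)\s*:\s*-\d{3,}px", re.I),
}

# (relative path, indicator) pairs known to be legitimate in a clean install.
# Placeholder entry: build this set from your own installation package.
KNOWN_CLEAN = {("tiny_mce/tiny_mce.js", "base64")}


def scan_text(text):
    """Return (line_number, indicator_name) for every indicator found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Walk a downloaded site copy; return sorted (relative_path, line, indicator)
    hits, dropping combinations listed in KNOWN_CLEAN."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for lineno, name in scan_text(text):
                if (rel, name) not in KNOWN_CLEAN:
                    hits.append((rel, lineno, name))
    return sorted(hits)


def scan_db_rows(rows):
    """rows: iterable of (label, content), e.g. panel name and panel content
    exported from the panels or custom pages tables. Returns (label, line, indicator)."""
    hits = []
    for label, content in rows:
        for lineno, name in scan_text(content or ""):
            hits.append((label, lineno, name))
    return hits


# Constructed sample site: one clean core file, one core file with a benign
# 'base64' occurrence, one encoded dropper in the attachments folder (payload
# is a placeholder string, not real code) and one panel carrying a hidden div.
SAMPLE_FILES = {
    "news.php": "<?php\nrequire_once 'maincore.php';\necho 'news';\n",
    "tiny_mce/tiny_mce.js": "// editor code\nvar enc = 'base64';\n",
    "forum/attachments/img_1234.php":
        "<?php eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'))); ?>\n",
    "includes/panels/hidden_panel.php":
        "<div style=position:absolute;left:-2107px;width:507px>"
        "<a href=http://www.oemsoftdiscount.com/>cheap software</a></div>\n",
}

# Constructed sample rows as exported from a panels table.
SAMPLE_ROWS = [
    ("Users Online", "<?php echo 'online'; ?>"),
    ("Sponsors", '<iframe src="http://example.invalid/x" width=0 height=0></iframe>'),
]


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="site_copy_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site_root = build_sample_site()
    for hit in scan_tree(site_root):
        print("FILE  %s:%d  %s" % hit)
    for hit in scan_db_rows(SAMPLE_ROWS):
        print("DB    %s:%d  %s" % hit)
```

Point `scan_tree` at the root of the copy you downloaded; every hit is a file to diff against the same file in the installation package, and a hit in a directory that should hold no PHP at all (such as an attachments folder) is the strongest signal. Populate `KNOWN_CLEAN` only from files you have compared against the package, not from memory, and re-run the scan after re-uploading clean files and after the admin passwords have been changed.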
robbieB
answered

Many thanks Paul. Looks like a full sanitising job is needed :@ !
krispy_b
Webmaster of THREE PHP Fusion driven community sites;
Lord of the Rings Online, Jumpgate Evolution Fansite, & Da Orcs Ead - Warhammer Online fansite
answered

One way I've seen script attacks like this get into a site is through a 'dodgy' copy of something like Dreamweaver.

What I saw happen was that someone was not using a legitimate copy of Dreamweaver, and all was well for them for ages, but then their websites started getting links and re-directs to some dodgy places (domains which contained trojan horse downloads).

I helped them identify the problem - and it wasn't their web hosts or PHP Fusion being compromised, it was some Javascript being injected into files as they used Dreamweaver to FTP the files up - so you never saw it on their PC or in the PHP files, but did on the 'view source' of the hosted pages.

They were very clever Javascript hacks too - nothing you could read and work out - it was all direct document.write commands, using encodes and hex numbers - I had to write utility Javascripts just to work out what the final HTML was.

So I'm not saying you have 'dodgy' web design software, nor dodgy ftp software, but be aware that script attacks/injections can be very clever - even during the ftp part of uploading a site!
robbieB
answered

@krispy_b

I HAVE recently used Dreamweaver to ftp some files, but I'm pretty sure my Dreamweaver CD is authentic; I usually use ws_ftp when uploading files. Thanks for the tip.

So far I've found a php file in the forum/attachments folder. Also, it looks as though the intruder has altered the forum system settings in the admin panel to allow zip, rar and gz files, although the allow/disallow attachments setting was still NO. The php file is encoded so I am not able to read it. Despite deleting the php file on the server, the inserted code still shows in the source code of the home page so I've clearly not found everything yet.

Robbie
muscapaul
answered

As far as I know Dreamweaver did not enter into the equation of the site I worked on (I personally haven't used it in 3 years or so). I don't know about FTP clients.
What I do know is that the site I cleaned was dealt with by the same people that deal with other sites and these have remained free of these incidents. And additionally: some files were demonstrably altered later than they were uploaded, as they were checked earlier.

So, maybe you are right, but I put my money on a vulnerability in PHPFusion that was patched too late or a vulnerability in an infusion (that still may be there).
Edited by muscapaul on 25-08-2008 18:54,
robbieB
answered

Just to close off this particular episode, the web links were in a hidden panel. The encrypted backdoor script did have a string containing "gzinflate" and "base64". So Paul's tips were spot on.
Nothing else showed up during a thorough trawl through the site; nor did my host support people find anything else suspicious. There's still the question of how security was breached; I'm still looking into that.
Thanks for the help guys.
Robbie
muscapaul
answered

Remember what I said: The script may have been there for quite a while and may have been added at a time a vulnerability in PHPFusion was only just announced but your site not yet updated.
Still, what infusions do you have (name and version)?
Edited by muscapaul on 30-08-2008 20:56,
robbieB
answered

Calendar of Events, 1.202, Kevin J. Sieger
Classifieds, 3.0.1, AusiMods
Coppermine gallery infusion, 1.10, CasNuy
Extended Profile, 2.01, Initial idea by Ronald Iwema (v5.00), this version by muscapaul (v6.00.2xx)
Extended User Information, 1.07, HACKERSOFT
External Page Wrapper, 1.16, Rayxen
Single Signon Infusions, 1.01, CasNuy
Suggestions, 1.0, Scotty & JGudmundson
Video clip database, 4.50, fetloser & Domi

Classifieds, Suggestions and Video Clip are little used & I'm comfortable with the idea of defusing them. But the others are integral to the site. Unfortunately some of them will probably not get rewritten for V7.

Robbie
muscapaul
answered

I don't know the first infusion, the calendar, but afaik the other ones are safe.
robbieB
answered

I know of no reason to doubt the integrity of kejonn's Calendar of Events either.
The only advice I got from my host support people was to check the php.ini file and make sure register_globals was set to OFF -- which it was.
So I'm no nearer to discovering how the hack was done.
Anyway, thanks for your help.

Robbie