Joined: Sep 2012
Posts: 3
Hi Everyone,
I'm at my wits' end with this. After getting our entire site wiped out, we rebuilt it from scratch, upgraded to the newest version and got rid of all customization. Basically nothing was kept besides the database and a few images, and here we are one week later, infected again. I just had to replace the entire ubb_js folder to get rid of the malware that was edited in.

Any ideas what is going on? Is there an exploit I need to patch?

Thanks.

Scott

Joined: Jul 2006
Posts: 4,057
Can you give more detail?

* Having our site wiped out? How and why?
* What do you mean by infected? What do you see?

Are you on a shared server or dedicated or other?
Who has access to the files on the server (Admin outside UBB)?



BOOM !! Version v7.6.1.1
People who inspire me Isaac ME Gizmo
Joined: Sep 2012
Posts: 3
Hi Mark,

I've been running the forum well over 10 years. It was highly modified and successful for 9 until it got compromised due to a security flaw about two years ago. It ran so well for years I stopped checking in here and never patched it until it was too late. My fault. What exactly happened the first time I can't say because the hosting company deleted hundreds of PHP files. Many were custom as far as integration with PhotoPost. PhotoPost itself was known to have security flaws so there was no way to pin down what happened.

What I was able to determine was almost all the PHP files that were not deleted by the host had code added above the header comments that clearly was an iframe malware implementation, and a lot of the .js files had code added to the bottom that was surely redirect code to advertising sites.

What I did because of this compromise a little over a year ago, after the site was mothballed for a while, was to pay support here to migrate the site to 7.5.7 with a clean install, no custom work, just a plain forum. I did it that way because of no time on my hands at all (Storm Sandy got us). Obviously the site's community vaporized as all the cool features, PhotoPost and lots of embedded images were now dead links.

A few weeks went by after the fresh install and the new site was compromised again, same thing files deleted by the hosting company, those left were edited with malware code. In frustration I just closed the site, removed the index page etc.

So this week I decide to put it back together now that we recovered from Storm Sandy. I buy the 7.5.8 release, totally clean my directories out, do a fresh install, change all passwords, browse data tables looking for bad code, scan picture folders on my workstation and, finding no infection, upload them, and the site is now working, just the forum, no other content.

Then last night just three days into a new fresh install every .js file in the ubb_js directory has malware code inserted in the bottom.

It's a shared Linux box, only the host has access besides me. I set all the folder permissions as shown in the install guide and every password had been changed before uploading the new content.

I really don't want to post the actual malware code I found but could if need be. I notified the host to check their server but I'm worried there may be a flaw in the code or I'm missing something on my side.

Thanks.





Joined: Apr 2004
Posts: 1,945
Likes: 145
UBB.threads Developer
JerseyDevil4x4, a few additional ideas to add to those you may have already done...

a) Change your passwords to your forum admin account, hosting account, SQL/MySQL, phpMyAdmin accounts, and any other php software you may have installed on your server (Gallery, PhotoPost, WordPress, osCommerce...etc).

b) Search your forum member-base for other users who may have admin access. Revoke it.

c) Turn off Markup "Using HTML" and "Using HTML and UBBCode" for all forums, for all users except administrators @ Control Panel > Forum Permissions. Also see below, item "i".

d) Do a DIFF of all the files inside "ubbthreads-7-5-8.zip" and what you've got installed. Anything from the following directories that cannot be found in that install zip archive, remove it. Directories to check: admin, cache_builders, gallery, images, languages, libs, scripts, styles, templates, ubb_js. WINDOWS TIP: If needed, you can use the free 30 day trial of "Beyond Compare 3" to do this. Download http://www.scootersoftware.com/download.php

e) Delete everything EXCEPT "index.html" from these directories: cache, templates/compile.

f) If you have these directories on your server, delete them: importers, install.

g) Check for malicious code at - or completely disable all Active Text at Control Panel > Feature Settings > Active Text.

h) While still in that screen, go to Attachments and only use ".gif,.jpg,.txt,.zip,.png" for "Allowed Attachment File Extensions:"

i) Go back to Control Panel > Forum Permissions and set "Total # of file attachments" all to "0" (ZERO).

j) Check for any malicious code within the Default Header, Default Footer at Control Panel > Display Options > HTML Includes. If you're not using any of the Header Inserts or Sharaholic Setup Codes, you can leave these sections completely blank. "Body Onload" can also be left blank if you're not using it.

k) Go to Control Panel > Custom Islands, and review the "Body" section of each/every island to confirm that it displays exactly what you want it to display. If you're not using the following items, they can be left with their default "commented-out" items (ex: /* PHP CODE HERE */ /* BODY HERE */) or left empty.

l) And finally, Rebuild Posts, Rebuild Topics, Rebuild Forums, Rebuild Signatures, Rebuild Private Messages at Control Panel > Content Rebuilder.

I'm quite sure there are a few other items that could be checked. But these are a good place to start when looking at your own UBBT install for injected malicious code.

BONUS TIP: If you're on a shared server with your host, ask to be moved to another server -- the server you're currently on has obviously been compromised, and you've taken every action regarding your site account to make sure you're no longer an issue. You just want to be placed on a new server -- AWAY from any further malicious activity.


Current developer of UBB.threads PHP Forum Software
Current Release: UBBT 7.7.5 // Preview: UBBT 8.0.0
isaac @ id242.com // my forum @ CelicaHobby.com
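
Step d) above, as an added example that is not part of the original post or of UBB.threads: a hash comparison between a freshly extracted copy of the release archive and the live install, limited to the directories the post lists. The two root paths and the sample file names in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories named in step d) of the post above.
CHECK_DIRS = ["admin", "cache_builders", "gallery", "images", "languages",
              "libs", "scripts", "styles", "templates", "ubb_js"]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def manifest(root):
    """Map relative path -> SHA-256 for every file under the checked directories."""
    root = Path(root)
    out = {}
    for d in CHECK_DIRS:
        if not (root / d).is_dir():
            continue  # directory absent from this tree
        for p in (root / d).rglob("*"):
            if p.is_file():
                out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out

def compare(clean_root, live_root):
    """Return (modified, extra, missing) relative paths, each sorted."""
    clean, live = manifest(clean_root), manifest(live_root)
    modified = sorted(f for f in clean if f in live and clean[f] != live[f])
    extra = sorted(f for f in live if f not in clean)
    missing = sorted(f for f in clean if f not in live)
    return modified, extra, missing

def demo():
    """Constructed sample trees: one .js file with appended text, one stray .php."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "ubb_js").mkdir(parents=True)
            (root / "libs").mkdir()
            (root / "ubb_js" / "sample.js").write_text("function a(){}\n")
            (root / "libs" / "sample.inc.php").write_text("<?php /* header */\n")
        with open(live / "ubb_js" / "sample.js", "a") as fh:
            fh.write("/* constructed appended line */\n")
        (live / "libs" / "stray.php").write_text("<?php /* not in archive */\n")
        return compare(clean, live)

if __name__ == "__main__":
    for label, files in zip(("MODIFIED", "EXTRA", "MISSING"), demo()):
        for f in files:
            print(label, f)
```

Against a real install, call `compare()` with the extracted archive directory and a downloaded copy of the site; files generated at runtime, such as those under templates/compile covered by step e), will be listed as EXTRA.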
Joined: Sep 2012
Posts: 3
I appreciate the detailed reply. I'll start from scratch (wipe and fresh upload) using your recommended configuration settings. I already changed all access permissions and looked directly at member and group tables. There was an issue after support did the upgrade where all users were also members of moderator but I fixed that in SQL.

Thanks again, I'll report back!

Scott

