M (newbie) | Joined: Feb 2006 | Posts: 24
I've been struggling with malware iframe injections into html and php scripts on my web site. The attacker knows to inject into files like header.php in the includes directory.

The file protections ARE locked down. In fact I have it so locked down I have difficulties doing normal duties myself and have to relax protection, then restore it after I'm done (like on header.php). The hacker can even change protection on files!!!

Finally I locked PHP from being able to write any files. And no more attacks.

The only PHP code I have is UBB Forum 7.2.2 !!!

The hosting company (host excellence) has a scanner script that gives warnings in tons of UBB php files, like those at the bottom. Not sure if this is a valid warning or not.

Things are otherwise running smooth but I'll upgrade to latest version if known security issues are fixed.

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t@eval( $g_file );'

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t\t @eval( $hits_file );'

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t@eval( $mods_file );'

R (Former Developer) | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
We've only had 1 security issue since 7.0 was released, which this patch addresses. So make sure you have that patch applied.

Any importer scripts should be removed after they have been used, so the entire importers directory can be deleted.

Usually if it's a php script that's causing the issue then it's pretty easy to track down. What you need to do is get the timestamp at which one of the files was hacked. Using that timestamp you can look through your webserver access logs for that same timestamp. You can normally see if there is some script being called in a peculiar way at that same time.

As far as being able to change the permissions on files: if files are read-only and the webserver doesn't own them, then normally the only way you can change those is via FTP, domain control panel, or direct server access.

M (newbie) | Joined: Feb 2006 | Posts: 24
I don't think I have access to access logs. I do have FTP logs and there has been no activity during the time of break in.

R (Former Developer) | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
Your host might be able to assist. If you have the timestamps available on any of the files, then you can see if they can give you the access logs for that particular day.

T (stranger) | Joined: Oct 2009 | Posts: 16
I am having the same problem with a forum I'm managing (UBB v.7.5.3). I'm new to the problem and having a terrible time isolating the hack. There have been so many cooks in the kitchen, it would be nearly impossible to isolate by looking at the access logs.

The referenced patch is from last year - is that correct?

I've considered just replacing all the UBB files.

R (Former Developer) | Joined: Jun 2006 | Posts: 9,242 | Likes: 1
If you're running 7.5.3 then you have the security patch in place already, so you're good there. As for tracking it by looking at the access logs, if it's being done by a web based attack then that's normally the best way.

If you have the timestamp of one of the changed files, then that gives you an exact minute to look at in the access logs, so you just need to look for activity during that minute. You also need to find out if they are only changing files that are writable by the webserver or if they are changing other files as well. If they are changing other files, then it's probably being done by FTP, domain control panel or some other server exploit. I just worked on another one of these problems that turned out to be a domain control panel issue.

Replacing all of the UBB files would assure they are clean, but it wouldn't prevent it from happening again, so you'd really need to find the source.
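
The timestamp correlation described in the post above, as an added example that is not part of the thread: take the modification time of a tampered file (such as header.php), pull every access-log request within a minute of it, and list first those that look like a script being called in a peculiar way (a POST, or a PHP script hit with query parameters). The log format, the sample lines and the assumed mtime are all constructed here.

```python
import os
import re
from datetime import datetime, timezone

# Apache/nginx "combined" log line, e.g.
# 203.0.113.5 - - [12/Oct/2009:03:14:40 +0000] "POST /x.php?a=1 HTTP/1.1" 200 318
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def mtime_of(path):
    """Modification time of a tampered file, as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, mtime_iso, window_seconds=60):
    """Return requests logged within +/- window_seconds of the file mtime,
    suspicious ones first. mtime_iso is an ISO-8601 string with a UTC offset."""
    mtime = datetime.fromisoformat(mtime_iso)
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if abs((when - mtime).total_seconds()) > window_seconds:
            continue
        method, _, rest = m.group("req").partition(" ")
        target = rest.rsplit(" HTTP/", 1)[0]
        path, _, query = target.partition("?")
        # A write, or a PHP script called with parameters in that minute,
        # is the "called in a peculiar way" pattern worth looking at first.
        suspicious = method not in ("GET", "HEAD") or (path.endswith(".php") and bool(query))
        found.append({"ip": m.group("ip"), "time": when.isoformat(), "method": method,
                      "target": target, "status": m.group("status"), "suspicious": suspicious})
    found.sort(key=lambda r: (not r["suspicious"], r["time"]))
    return found

# Constructed sample log; the tampered file is assumed to have an mtime of
# 2009-10-12 03:14:45 UTC (placeholder values, not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2009:03:14:02 +0000] "GET /ubbthreads/ubbthreads.php HTTP/1.1" 200 5120
203.0.113.5 - - [12/Oct/2009:03:14:40 +0000] "POST /ubbthreads/importers/classic_import.php?step=2 HTTP/1.1" 200 318
198.51.100.9 - - [12/Oct/2009:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for r in requests_near(SAMPLE_LOG.splitlines(), "2009-10-12T03:14:45+00:00"):
        print("!" if r["suspicious"] else " ", r["time"], r["ip"], r["method"], r["target"])
```

On a real server, pass `mtime_of("includes/header.php").isoformat()` and the lines of the day's access log that the host provides.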


T (stranger) | Joined: Oct 2009 | Posts: 16
I didn't mean to hijack the thread.

I found the source (OpenX ad server) and shut that down.

OP - this is what I found about this problem.

Quote:
If you see code for an iframe with width=“0” and height=“0” in the source code of any page on your website, you have found an invisible iframe. Iframes are most commonly inserted at the very top or the very bottom of a web page’s source code. A good first place to check for iframes is before the initial tag that starts a web page’s standard code, or after the final that ends a page’s code.

I found this code in any file containing "index" in the file name and in any HTML files on the site. Delete it - problem solved.
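
A scanner for the invisible iframe described in the quote above, added here as an example and not taken from the thread or from UBB.threads: it walks a web root, reports every `<iframe>` whose width and height are both 0 in any PHP or HTML file, and gives the line number and `src` so the injected line can be reviewed and removed. It accepts straight or curly quotes, either attribute order, and unquoted values; the sample page is constructed.

```python
import re
import sys
from pathlib import Path

QUOTE = "\"'\u201c\u201d"  # straight and curly quotes both turn up in injected markup
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width/height attribute whose value is 0 (or 0px), quoted or not
ZERO_DIM_RE = re.compile(
    r"(width|height)\s*=\s*[" + QUOTE + r"]?\s*0(?:px)?\s*(?=[" + QUOTE + r"\s/>])",
    re.IGNORECASE)
SRC_RE = re.compile(r"src\s*=\s*[" + QUOTE + r"]?([^" + QUOTE + r"\s>]+)", re.IGNORECASE)

def find_hidden_iframes(text):
    """Return [(line_no, src)] for every <iframe> with both width and height 0."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        zero = {d.group(1).lower() for d in ZERO_DIM_RE.finditer(tag)}
        if {"width", "height"} <= zero:
            src = SRC_RE.search(tag)
            hits.append((text.count("\n", 0, m.start()) + 1, src.group(1) if src else ""))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Walk a web root and report hidden iframes per file (PHP and HTML only)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample page: one legitimate embed and two hidden injections,
# one of them written with curly quotes. example.invalid is a placeholder host.
SAMPLE = """<html><head><title>Forum</title></head>
<body><p>Welcome</p>
<iframe src="http://example.invalid/x.php" width="0" height="0"></iframe>
<iframe src="https://example.invalid/video" width="560" height="315"></iframe>
</body></html>
<iframe height=\u201c0\u201d width=\u201c0\u201d src=\u201chttp://example.invalid/y\u201d></iframe>
"""

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, src in hits:
            print(f"{path}:{line_no}: hidden iframe -> {src}")
```

Run it against the forum's document root after restoring clean files as well; a hit that comes back is the cue to look for the write path (writable include, importer script, control panel) rather than just deleting the line again.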

