Are there any known security (Malware injections) holes in 7.2.2 #229464 09/25/2009 4:35 PM
Joined: Feb 2006
Posts: 24
mswlogo_ Offline OP
newbie
I've been struggling with malware iframe injections into html and php scripts on my web site. The attacker knows to inject into files like header.php in the includes directory.

The file protections ARE locked down. In fact I have it so locked down I have difficulties doing normal duties myself and have to relax protection then restore it after I'm done (like on header.php). The hacker can even change protection on files!!!

Finally I locked PHP from being able to write any files. And no more attacks.

The only PHP code I have is UBB Forum 7.2.2 !!!

The hosting company (host excellence) has a scanner script that gives warnings in tons of UBB php files. Like those at the bottom. Not sure if this is a valid warning or not.

Things are otherwise running smooth but I'll upgrade to latest version if known security issues are fixed.

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t@eval( $g_file );'

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t\t @eval( $hits_file );'

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t@eval( $mods_file );'

Re: Are there any known security (Malware injections) holes in 7.2.2 [Re: mswlogo_] #229466 09/25/2009 6:08 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
We've only had 1 security issue since 7.0 was released, which this patch addresses. So make sure you have that patch applied.

Any importer scripts should be removed after they have been used, so the entire importers directory can be deleted.

Usually if it's a PHP script that's causing the issue then it's pretty easy to track down. What you need to do is get the timestamp at which one of the files was hacked. Using that timestamp you can look through your webserver access logs for that same timestamp. You can normally see if there is some script being called in a peculiar way at that same time.

As far as being able to change the permission on files: if files are read-only and the webserver doesn't own them, then normally the only way you can change those is via FTP, domain control panel, or direct server access.

Re: Are there any known security (Malware injections) holes in 7.2.2 [Re: Rick] #229475 09/25/2009 10:52 PM
Joined: Feb 2006
Posts: 24
mswlogo_ Offline OP
newbie
I don't think I have access to access logs. I do have FTP logs and there has been no activity during the time of the break-in.

Re: Are there any known security (Malware injections) holes in 7.2.2 [Re: mswlogo_] #229477 09/25/2009 11:06 PM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
Your host might be able to assist. If you have the timestamps available on any of the files, then you can see if they can give you the access logs for that particular day.

Re: Are there any known security (Malware injections) holes in 7.2.2 [Re: Rick] #229837 10/08/2009 8:32 PM
Joined: Oct 2009
Posts: 16
TxConx Offline
stranger
I am having the same problem with a forum I'm managing (UBB v.7.5.3). I'm new to the problem and having a terrible time isolating the hack. There have been so many cooks in the kitchen, it would be nearly impossible to isolate by looking at the access logs.

The referenced patch is from last year - is that correct?

I've considered just replacing all the UBB files.

Re: Are there any known security (Malware injections) holes in 7.2.2 [Re: TxConx] #229845 10/09/2009 8:54 AM
Joined: Jun 2006
Posts: 9,243
Rick Offline
Former Developer
If you're running 7.5.3 then you have the security patch in place already, so you're good there. As for tracking it by looking at the access logs, if it's being done by a web-based attack then that's normally the best way.

If you have the timestamp of one of the changed files, then that gives you an exact minute to look at in the access logs, so you just need to look for activity during that minute. You also need to find out if they are only changing files that are writable by the webserver or if they are changing other files as well. If they are changing other files, then it's probably being done by FTP, domain control panel or some other server exploit. I just worked on another one of these problems that turned out to be a domain control panel issue.

Replacing all of the UBB files would assure they are clean, but it wouldn't prevent it from happening again, so you'd really need to find the source.
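
The timestamp-to-access-log correlation described in the post above, as an added example that is not part of the original thread. It assumes the host writes Apache combined-format logs; the log lines, addresses and paths are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined log format (assumed; adjust for the host's own layout).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def mtime_utc(path):
    """Modification time of a changed file as a timezone-aware datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)

def requests_near(log_lines, modified_at, slack_seconds=60):
    """Return the requests logged within slack_seconds of modified_at."""
    window = timedelta(seconds=slack_seconds)
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected format, skip rather than guess
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - modified_at) <= window:
            hits.append({"time": when, "ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    # Requests that carry a body sort first: they are the likeliest to write.
    hits.sort(key=lambda h: (h["method"] not in ("POST", "PUT"), h["time"]))
    return hits

# Constructed sample log (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2009:14:02:11 -0400] "GET /ubbthreads/ubbthreads.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2009:14:31:40 -0400] "POST /some/script.php?x=1 HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [25/Sep/2009:14:31:55 -0400] "GET /includes/header.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2009:16:10:03 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # In practice: changed = mtime_utc("includes/header.php")
    changed = datetime(2009, 9, 25, 18, 32, 0, tzinfo=timezone.utc)
    for hit in requests_near(SAMPLE_LOG, changed):
        print(hit["time"].isoformat(), hit["ip"], hit["method"], hit["path"])
```

An empty result for a file that did change points away from the web server and toward the other routes named above (FTP, control panel, direct server access).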


Re: Are there any known security (Malware injections) holes in 7.2.2 [Re: Rick] #229852 10/09/2009 4:14 PM
Joined: Oct 2009
Posts: 16
TxConx Offline
stranger
I didn't mean to hijack the thread.

I found the source (OpenX ad server) and shut that down.

OP - this is what I found about this problem.

Quote:
If you see code for an iframe with width=“0” and height=“0” in the source code of any page on your website, you have found an invisible iframe. Iframes are most commonly inserted at the very top or the very bottom of a web page’s source code. A good first place to check for iframes is before the initial <html> tag that starts a web page’s standard code, or after the final </html> that ends a page’s code.


I found this code in any file containing "index" in the file name and in any HTML files on the site. Delete it - problem solved.
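
A scanner for the zero-size iframes described in the quote above, as an added example that is not part of the original thread. It reports where each one sits relative to the page's opening and closing html tags; the file suffixes and the sample markup are assumptions and constructed data.

```python
import re
from pathlib import Path

IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width/height set to 0 (quoted or not, optional "px"), not 600 or 100%.
ZERO = {
    name: re.compile(rf"""\b{name}\s*=\s*["']?0(?:px)?["']?(?=[\s>/])""", re.I)
    for name in ("width", "height")
}

def find_hidden_iframes(text):
    """Return (offset, placement, tag) for each iframe with width=0 and height=0."""
    lower = text.lower()
    start, end = lower.find("<html"), lower.rfind("</html>")
    found = []
    for m in IFRAME.finditer(text):
        tag = m.group(0)
        if not all(p.search(tag) for p in ZERO.values()):
            continue  # visible iframe, leave it alone
        if start != -1 and m.start() < start:
            placement = "before <html>"
        elif end != -1 and m.start() > end:
            placement = "after </html>"
        else:
            placement = "elsewhere"  # e.g. an include file with no html tags
        found.append((m.start(), placement, tag))
    return found

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Map every matching file under root to its hidden-iframe findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample page: two hidden iframes around one legitimate one.
SAMPLE = (
    '<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n'
    '<html><body><iframe src="/map.html" width="600" height="400"></iframe>'
    '</body></html>\n'
    '<IFRAME SRC="http://example.invalid/" HEIGHT=0 WIDTH=0 frameborder=0></IFRAME>'
)

if __name__ == "__main__":
    for offset, placement, tag in find_hidden_iframes(SAMPLE):
        print(offset, placement, tag)
```

Re-running `scan_tree` on the web root after cleanup shows whether the injection has returned, which is the sign that the source is still open.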

