Sub Menu
Links Menu
Online Users

In total there are 301 users online :: 2 registered, 0 hidden and 299 guests

Most users ever online was 1091 on Wed Aug 16, 2023 5:27 pm

Registered users: Bing [Bot], Google [Bot] based on users active over the past 60 minutes

Code injected into forum

Support for IntegraMOD 141

Moderator: Integra Moderator

Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 7:55 am

Injection found in root/viewforum.php

I was on our site yesterday, and found I was getting an error trying to view our forum.
I was able to view the index page, but when clicking on any forum area to view the topics in that forum area, I got this error:

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/aaquac5/public_html/bindepot.net/forum/viewforum.php on line 273

So I opened the file and compared it to a newly downloaded viewforum.php file, and found some code injected in the file.

Line 272 and before was ok, but the next couple lines were not supposed to be there.

What it should look like:

Code: Select all
         // Redirect via an HTML form for PITA webservers         if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))         {                 header('Refresh] . '</title></head><body><div>' . sprintf($lang['Rediect_to'], '<a>', '</a>') . '</div></body></html>';                 exit;         }           // Behave as per HTTP/1.1 spec for others         header('Location: ' . $url);         exit;}//-- fin mod : categories hierarchy ----------------------------------------------------------------  


What was in mine:

Code: Select all
         // Redirect via an HTML form for PITA webservers         if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))         {                 header('Refresh] . '</title></head><body><div>' . sprintf($lang['Rediect_to'], '<a>', '</a>') . '</div><ed19d794e594f5827df26f9ff1c925ab><0873547521><a> </a><ed19d794e594f5827df26f9ff1c925ab></body></html>';                 exit;         }           // Behave as per HTTP/1.1 spec for others         header('Location: ' . $url);         exit;}//-- fin mod : categories hierarchy ----------------------------------------------------------------  


The injected code:

Code: Select all
<ed19d794e594f5827df26f9ff1c925ab><0873547521><a> </a><ed19d794e594f5827df26f9ff1c925ab>


This has been found in some of my other sites also.
Removing the code fixed the file and site.

Anyway to prevent this from happening again?

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:18 am

Also found it in root/viewtopic.php

Getting error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 478

Found:

Code: Select all
// page the post is on and the correct display of viewtopic)//$join_sql_table = (!$post_id) ? '' ] --><= $post_id";$count_sql = (!$post_id) ? '' : ", COUNT(p2.post_id) AS prev_posts";  


Again injected code:

Code: Select all
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:23 am

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 722

Code: Select all
}  $select_post_days = '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><select>';for($i = 0; $i < count($previous_days); $i++){


Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:26 am

Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 812

Code: Select all
elseif ($start + $board_config['posts_per_page'] > $forum_topic_data['topic_replies']) {    $row_id = intval($forum_topic_data['topic_replies']) % intval($board_config['posts_per_page']);    if ($postrow[$row_id]['post_id'] != $forum_topic_data['topic_last_post_id'] || $start + count($postrow) <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< $forum_topic_data['topic_replies'])    {       $resync = TRUE;    }


Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:30 am

Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 874

Code: Select all
         $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));           for($i = 0; $i <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< sizeof($words); $i++)         {                 if (trim($words[$i]) != '')


Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:32 am

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1150

Code: Select all
if(isset($finish)){         $pagination_ppp = ($finish <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< 0)? -$finish]

Code injected:

[code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:35 am

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1311

Code: Select all
                                 $server_protocol = ( $board_config['cookie_secure'] ) ? 'https] <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/';                                 $script_name = preg_replace('/^/?(.*?)/?$/', "\1", trim($board_config['script_path']));                                 $script_name = ( $script_name != '' ) ? $script_name . '/viewtopic.'.$phpEx : 'viewtopic.'.$phpEx;  


Code injected:

Code: Select all
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:37 am

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1729

Code: Select all
                 }                   $poll_expired = ( $vote_info[0]['vote_length'] ) ? ( ( $vote_info[0]['vote_start'] + $vote_info[0]['vote_length'] <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< time() ) ? TRUE ]

Code injected:

[code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:39 am

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1756

Code: Select all
                                 $vote_graphic_img = $images['voting_graphic'][$vote_graphic];                                 $vote_graphic = ($vote_graphic <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< $vote_graphic_max - 1) ? $vote_graphic + 1 ]

Injected code:

[code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:42 am

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1865

Code: Select all
                         $s_hidden_fields = '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><input><input>';                 }                                 if ( $max_vote > 1 )


Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:44 am

Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1885

Code: Select all
                 $s_hidden_fields .= '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><input>';  


Injected code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: .QUACK.Major.Pain » Sun Nov 22, 2009 8:50 am

There were several more instances in the same file.
Hope you don't mind posting a lot of the locations.
Thought it might provide some insight to where or how it is done.

Removing seems to fix the site, but who know how many more files have been altered.

.QUACK.Major.Pain
Sr Integra Member
Sr Integra Member
 
Posts: 986
Likes: 0 post
Liked in: 0 post
Joined: Sat Jan 27, 2007 10:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: CaNNon » Sun Nov 22, 2009 10:25 am

Change all ftp passwords and if you given anyone access have those changed too, I check for exploits and post back.

you may also want to move this to security
Image
Image
User avatar
CaNNon
Sr Integra Member
Sr Integra Member
 
Posts: 750
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 19, 2007 11:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: CaNNon » Sun Nov 22, 2009 12:00 pm

you missed a bit,
Code: Select all
XML Parsing Error]http://www.bindepot.net/forum/chat/index.phpLine[/url] Number 101, Column 62:<2548a689ead92ad9bb554ca1d2f2685d><2713547521><a> </a>-------------------------------------------------------------^


and
[code]Warning]

Make sure Crafty Syntax Live Help is greater than ver 2.14.6
I would also check the chat, maybe it's his in.
Not a full hacker buddy, more a annoying Viagra spammer but if he can get access he will use you as a home base to link to.
Image
Image
User avatar
CaNNon
Sr Integra Member
Sr Integra Member
 
Posts: 750
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 19, 2007 11:15 am
Cash on hand: 0.00

Re: Code injected into forum

PostAuthor: CaNNon » Sun Nov 22, 2009 2:27 pm

Test post, took out java and replaced it with broken. <img>
Image
Image
User avatar
CaNNon
Sr Integra Member
Sr Integra Member
 
Posts: 750
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 19, 2007 11:15 am
Cash on hand: 0.00

Next

Return to IntegraMOD 141

Who is online

Registered users: Bing [Bot], Google [Bot]

cron