IntegraMOD

Injection found in root/viewforum.php

I was on our site yesterday, and found I was getting an error trying to view our forum.
I was able to view the index page, but when clicking on any forum area to view the topics in that forum area, I got this error:

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/aaquac5/public_html/bindepot.net/forum/viewforum.php on line 273

So I opened the file and compared it to a newly downloaded viewforum.php file, and found some code injected in the file.

Line 272 and before was ok, but the next couple lines were not supposed to be there.

What it should look like:

Code: Select all

         // Redirect via an HTML form for PITA webservers         if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))         {                 header('Refresh] . '</title></head><body><div>' . sprintf($lang['Rediect_to'], '<a>', '</a>') . '</div></body></html>';                 exit;         }           // Behave as per HTTP/1.1 spec for others         header('Location: ' . $url);         exit;}//-- fin mod : categories hierarchy ----------------------------------------------------------------  

What was in mine:

Code: Select all

         // Redirect via an HTML form for PITA webservers         if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))         {                 header('Refresh] . '</title></head><body><div>' . sprintf($lang['Rediect_to'], '<a>', '</a>') . '</div><ed19d794e594f5827df26f9ff1c925ab><0873547521><a> </a><ed19d794e594f5827df26f9ff1c925ab></body></html>';                 exit;         }           // Behave as per HTTP/1.1 spec for others         header('Location: ' . $url);         exit;}//-- fin mod : categories hierarchy ----------------------------------------------------------------  

The injected code:

Code: Select all

<ed19d794e594f5827df26f9ff1c925ab><0873547521><a> </a><ed19d794e594f5827df26f9ff1c925ab>

This has been found in some of my other sites also.
Removing the code fixed the file and site.

Anyway to prevent this from happening again?

Also found it in root/viewtopic.php

Getting error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 478

Found:

Code: Select all

// page the post is on and the correct display of viewtopic)//$join_sql_table = (!$post_id) ? '' ] --><= $post_id";$count_sql = (!$post_id) ? '' : ", COUNT(p2.post_id) AS prev_posts";  

Again injected code:

Code: Select all

<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 722

Code: Select all

}  $select_post_days = '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><select>';for($i = 0; $i < count($previous_days); $i++){

Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 812

Code: Select all

elseif ($start + $board_config['posts_per_page'] > $forum_topic_data['topic_replies']) {    $row_id = intval($forum_topic_data['topic_replies']) % intval($board_config['posts_per_page']);    if ($postrow[$row_id]['post_id'] != $forum_topic_data['topic_last_post_id'] || $start + count($postrow) <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< $forum_topic_data['topic_replies'])    {       $resync = TRUE;    }

Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 874

Code: Select all

         $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));           for($i = 0; $i <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< sizeof($words); $i++)         {                 if (trim($words[$i]) != '')

Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1150

Code: Select all

if(isset($finish)){         $pagination_ppp = ($finish <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< 0)? -$finish]

Code injected:

[code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1311

Code: Select all

                                 $server_protocol = ( $board_config['cookie_secure'] ) ? 'https] <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/';                                 $script_name = preg_replace('/^/?(.*?)/?$/', "\1", trim($board_config['script_path']));                                 $script_name = ( $script_name != '' ) ? $script_name . '/viewtopic.'.$phpEx : 'viewtopic.'.$phpEx;  

Code injected:

Code: Select all

<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1729

Code: Select all

                 }                   $poll_expired = ( $vote_info[0]['vote_length'] ) ? ( ( $vote_info[0]['vote_start'] + $vote_info[0]['vote_length'] <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< time() ) ? TRUE ]

Code injected:

[code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1756

Code: Select all

                                 $vote_graphic_img = $images['voting_graphic'][$vote_graphic];                                 $vote_graphic = ($vote_graphic <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< $vote_graphic_max - 1) ? $vote_graphic + 1 ]

Injected code:

[code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1865

Code: Select all

                         $s_hidden_fields = '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><input><input>';                 }                                 if ( $max_vote > 1 )

Code injected]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1885

Code: Select all

                 $s_hidden_fields .= '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><input>';  

Injected code]<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>[/code]

There were several more instances in the same file.
Hope you don't mind posting a lot of the locations.
Thought it might provide some insight to where or how it is done.

Removing seems to fix the site, but who know how many more files have been altered.

Change all ftp passwords and if you given anyone access have those changed too, I check for exploits and post back.

you may also want to move this to security

you missed a bit,

Code: Select all

XML Parsing Error]http://www.bindepot.net/forum/chat/index.phpLine[/url] Number 101, Column 62:<2548a689ead92ad9bb554ca1d2f2685d><2713547521><a> </a>-------------------------------------------------------------^

and
[code]Warning]

Make sure Crafty Syntax Live Help is greater than ver 2.14.6
I would also check the chat, maybe it's his in.
Not a full hacker buddy, more a annoying Viagra spammer but if he can get access he will use you as a home base to link to.

Test post, took out java and replaced it with broken. <img>

Fixed the first one you posted.

The second is nothing related.

Code: Select all

//// Link categories dropdown list//foreach($link_categories as $cat_id => $cat_title){         $link_cat_option .= "<option>$cat_title</option>";}        

Line 691 is the foreach line.
Looks like a coding issue.

I contacted my host and this was their reply]Hello Breck,

Thank you for contacting us.

It appears that your site was hacked by someone who was able to log in using your FTP credentials. We are not 100% as to how they were able to obtain your login credentials, however we do believe it was due to an exploit called Gumblar, which uses a vulnerability in Adobe software products like Acrobat Reader or Flash Player to capture your FTP information and send it out on the internet.

You will need to change your FTP password, otherwise your account can still easily be compromised. Your FTP password is actually the same as your cPanel password. To update your FTP password:
1. Log into your cPanel
2. Click the, "Change Password" icon
3. Type in your new password, and click, "Change your password now!"

We strongly suggest that you update your Adobe products with the latest security patches available. A link to Adobe's security center can be found in our following Knowledge Base article, entitled, "Website Security":
[/quote]

Quick question, how did you, or how do you search an entire sites file system for such a thing?
Without viewing every file individually?
I want to check my other sites for any traces.

you have renamed your backup folder?

Yea - but I think I will change it again to be safe.

Quick question, how did you, or how do you search an entire sites file system for such a thing?
Without viewing every file individually?

firebug <img>

How would I do it?
Select script?

I used net and console (with full error settings). I never thought to try script but it may work too. <img>

Best thing is just play with it a bit and things just start to click for you.