Hello,

My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.

I have cleaned index.php but the page source still has this line!

Please Help



edited by: mderdem, Mar 25, 2008 - 05:37 PM

Once time i saw that code in the final of the /index.php file
check and remove that code.

Also, download the error_logs to find the vulnerable section in your site.

--
- Mateo T. [25] -
Mis principios... son mis fines

Check out the forums as well. There have been a lot of topics on hacks lately. Make sure that all your modules are up to date etc.

--
http://www.erikspaan.nl
http://www.avwijchen.nl

Involved in: BlankTheme [31], StoriesExt, Menu templates, SmugView and zikula.nl

http://community.postnuke.com/module-Forum-viewtopic-topic-54176-highlight-iframe.htm

You have to have both a secure/updated web server and patched modules... there are actually no known problems that are a result of both a reasonably secure/updated web server and updated modules.


--
David Pahl
Zikula Support Team

as already mentioned one needs far more information to help you with the issue (server enviroment, installed third party modules) etc. - i've analyzed a couple of iframe injections that all had in common that the initial exploit was PNphpbb-related (SQL-injection to the footermessage from admin-settings)

- if PNphpBB [42] is installed check with a diff-programm (e.g. winmerge) if you are using the latest build
- check the logfiles (both access and errorlog) for the exploit from the time of attack (mostly it's done via a remote code injection)
- check the enviroment via e.g. phpsecinfo [43] to optimize the security

--
regards from germany
..::[Zikula Application Framework [44]]::.. ..::[SEO-Blog [45]]::.. ..::[CMS Sicherheit [46]]::..

Ok. I have place echo lines to figure out where this comes from. I have found that the news/index.php was infected. Later I realized each and every single index.html and index.php were infected.

1. Does anybody know a good tool to handle find/replace text on the server ?

2. You mentioned that modules need to be updated. I am running .764 as it is. I checked the download site and I don't see module updates there. Where can I find updated (I mean more secure) modules.

3. I don't use PNphpBB [52], if I disable the module and delete it from the modules dir, would that break anything ?

4. phpsecinfo [53] warns about register_globals [54]. Can this be a serious security hole ?

5. One hint. If you have the AVG free addition, it can find this malicious code if you download the index.htm/php files to your computer. Cool.

Thanks guys.

MDE



edited by: mderdem, Mar 26, 2008 - 10:21 PM

1. ...that really depends on your OS an server access level
2. Check for 'author' site for updated modules.
3. If you no longer use PNphpBB2 [60], uninstall and delete it. Yup.
4. It is auto-linked for a reason... It is not a security enhancement, but it is recommended OFF.
5. You could, but the ones I have seen are in the Database. ... So you are looking at the output, not the source.

--
David Pahl
Zikula Support Team

2. if you are running .764 the core should be 'safe' - updates for third-party-modules should be checked individually
3. if you don't use PNphpBB [66] (but you did before?) disable and remove the module in administration-modules and later on remove /modules/PNphpbb from the filesystem completly (the known exploits are done via a direct call to the filesystem)
4. yes - the baseline analyzer within the PostNuke administration should print this important warning already for some time
a .htaccess file with

or maybe an individual php.ini with

should disable register_globals [67] (otherwise ask your provider)


if index.html and index.php files have been changed by the attacker i'd recommend to start from scratch with a fresh and clean download - otherwise you might forget some malicous content within the filesystem (remote console, spambot, phishing bot etc). although this means lot of work it's the only way to be safe for the future

--
regards from germany
..::[Zikula Application Framework [68]]::.. ..::[SEO-Blog [69]]::.. ..::[CMS Sicherheit [70]]::..