• mderdem [15]
  
  

  • Rank: Freshman
  • Registered: 31.10.03
  • last visit: 24.03.09
  • Posts: 40

  [16] Posted: 25.03.2008, 16:16

  Hello,
  
  My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.
  
  I have cleaned index.php but the page source still has this line!
  
  Please Help
  
  
  
  edited by: mderdem, Mar 25, 2008 - 05:37 PM

  • [17]
  •   [18]
• nestormateo [20]
  
  

  • Rank: Team Member
  • Registered: 07.09.06
  • last visit: 03.07.09
  • Posts: 1915

  [21] Posted: 25.03.2008, 17:06

  Once time i saw that code in the final of the /index.php file
  check and remove that code.
  
  Also, download the error_logs to find the vulnerable section in your site.
  
  --
  - Mateo T. [22] -
  Mis principios... son mis fines

  • [23]
  •   [24]
• espaan [26]
  
  

  • Rank: Professional
  • Registered: 24.08.03
  • last visit: 03.07.09
  • Posts: 756

  [27] Posted: 25.03.2008, 19:50

  Check out the forums as well. There have been a lot of topics on hacks lately. Make sure that all your modules are up to date etc.
  
  --
  erikspaan.nl [28], avwijchen.nl [29]
  
  BlankTheme [30], News module [31], zikula.nl [32]

  • [33]
  •   [34]
• AmmoDump [36]
  
  

  • Rank: Team Member
  • Registered: 08.12.03
  • last visit: 29.06.09
  • Posts: 3062

  [37] Posted: 26.03.2008, 01:26

  http://community.postnuke.com/module-Forum-viewtopic-topic-54176-highlight-iframe.htm
  
  You have to have both a secure/updated web server and patched modules... there are actually no known problems that are a result of both a reasonably secure/updated web server and updated modules.
  
  
  --
  David Pahl
  Zikula Support Team

  • [38]
  •   [39]
• larsneo [41]
  
  

  • Rank: Software Foundation
  • Registered: 31.12.69
  • last visit: 27.06.09
  • Posts: 4458

  [42] Posted: 26.03.2008, 12:06

  Quote

  My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.
  I have cleaned index.php but the page source still has this line!

  
  as already mentioned one needs far more information to help you with the issue (server enviroment, installed third party modules) etc. - i've analyzed a couple of iframe injections that all had in common that the initial exploit was PNphpbb-related (SQL-injection to the footermessage from admin-settings)
  
  - if PNphpBB [43] is installed check with a diff-programm (e.g. winmerge) if you are using the latest build
  - check the logfiles (both access and errorlog) for the exploit from the time of attack (mostly it's done via a remote code injection)
  - check the enviroment via e.g. phpsecinfo [44] to optimize the security
  
  --
  regards from germany
  ..::[Zikula Application Framework [45]]::.. ..::[SEO-Blog [46]]::.. ..::[CMS Sicherheit [47]]::..

  • [48]
  •   [49]
• mderdem [51]
  
  

  • Rank: Freshman
  • Registered: 31.10.03
  • last visit: 24.03.09
  • Posts: 40

  [52] Posted: 26.03.2008, 22:18

  Ok. I have place echo lines to figure out where this comes from. I have found that the news/index.php was infected. Later I realized each and every single index.html and index.php were infected.
  
  1. Does anybody know a good tool to handle find/replace text on the server ?
  
  2. You mentioned that modules need to be updated. I am running .764 as it is. I checked the download site and I don't see module updates there. Where can I find updated (I mean more secure) modules.
  
  3. I don't use PNphpBB [53], if I disable the module and delete it from the modules dir, would that break anything ?
  
  4. phpsecinfo [54] warns about register_globals [55]. Can this be a serious security hole ?
  
  5. One hint. If you have the AVG free addition, it can find this malicious code if you download the index.htm/php files to your computer. Cool.
  
  Thanks guys.
  
  MDE
  
  
  
  edited by: mderdem, Mar 26, 2008 - 10:21 PM

  • [56]
  •   [57]
• AmmoDump [59]
  
  

  • Rank: Team Member
  • Registered: 08.12.03
  • last visit: 29.06.09
  • Posts: 3062

  [60] Posted: 26.03.2008, 23:25

  1. ...that really depends on your OS an server access level
  2. Check for 'author' site for updated modules.
  3. If you no longer use PNphpBB2 [61], uninstall and delete it. Yup.
  4. It is auto-linked for a reason... It is not a security enhancement, but it is recommended OFF.
  5. You could, but the ones I have seen are in the Database. ... So you are looking at the output, not the source.
  
  --
  David Pahl
  Zikula Support Team

  • [62]
  •   [63]
• larsneo [65]
  
  

  • Rank: Software Foundation
  • Registered: 31.12.69
  • last visit: 27.06.09
  • Posts: 4458

  [66] Posted: 26.03.2008, 23:25

  2. if you are running .764 the core should be 'safe' - updates for third-party-modules should be checked individually
  3. if you don't use PNphpBB [67] (but you did before?) disable and remove the module in administration-modules and later on remove /modules/PNphpbb from the filesystem completly (the known exploits are done via a direct call to the filesystem)
  4. yes - the baseline analyzer within the postnuke administration should print this important warning already for some time
  a .htaccess file with
  

  Code

  php_flag register_globals off

  
  or maybe an individual php.ini with
  

  Code

  php_admin_flag register_globals Off

  
  should disable register_globals [68] (otherwise ask your provider)
  
  
  if index.html and index.php files have been changed by the attacker i'd recommend to start from scratch with a fresh and clean download - otherwise you might forget some malicous content within the filesystem (remote console, spambot, phishing bot etc). although this means lot of work it's the only way to be safe for the future
  
  --
  regards from germany
  ..::[Zikula Application Framework [69]]::.. ..::[SEO-Blog [70]]::.. ..::[CMS Sicherheit [71]]::..

  • [72]
  •   [73]
•  
•  

Users online

• Simon [75],
• Wendell [76],
• thezikulan [77],
• videokid [78]

This list is based on the users active over the last 60 minutes.