[solved] Forum Infected With Malware, ... doing malicious redirects
Post #1 - Varti (Admin) - Feb 24 2016, 08:33 AM

Hi,

this is a long-standing issue here, but so far no-one has ever fixed it.

Every time I try to access the forum, the first time it always redirects to a malicious website (url123.info). When I reload the page, it correctly redirects me to the forum.

This seems to be the issue (thanks Tomoe for the hint):

https://revisium.com/en/kbe/infected_ipb_and_vbulletin.html

I hope that the DB (with the usernames/passwords) hasn't been compromised too.

Varti

Post #2 - Varti (Admin) - Mar 21 2016, 05:17 AM

I have now sent a PM to InSearchOf, he seems to still come here from time to time. I wonder if he's the only remaining admin here or if there are others who are still active...

Varti

Post #3 - sdjf (Members) - Sep 28 2016, 07:28 PM

I wonder if the malware had anything to do with triggering the last 6 months or so of outage?

Looking at his profile, it looks like InSearchOf has not been here (at this point) since July 2015. Several moderators have privatized the dates of their last visits, so it is hard to say if there are any active moderators at all!

Post #4 - Varti (Admin) - Sep 29 2016, 12:57 AM

QUOTE(sdjf @ Sep 29 2016, 05:28 AM)
I wonder if the malware had anything to do with triggering the last 6 months or so of outage?

No idea. The malware has anyway been here for at least a couple of years; I believe it might have been some server update on the host which might have required fixing the configuration files of the forum. I'm anyway glad that the malware has been removed; there's no redirection anymore when opening www.oesf.org, just a blank page. IMHO it would be better if it linked to the main OESF page, or redirected to www.oesf.org/forum.

QUOTE
Looking at his profile, it looks like InSearchOf has not been here (at this point) since July 2015. Several moderators have privatized the dates of their last visits, so it is hard to say if there are any active moderators at all!

I guess that the moderators' list requires a cleanup and new moderators should be found, among the users who are more active lately here.

Varti

Post #5 - Varti (Admin) - Sep 29 2016, 01:11 AM

Hi,

the main page redirection malware has thankfully been removed, but there are still at least two present; you can see them by searching oesf.org with Google:

- one adds the following text to each found page on Google, and it seems there's a link hidden there redirecting to a phishing site: "Call of Duty: Black Ops 3" and "Call of Duty: Black Ops 3 is my most anticipated title of the year. Developer Treyarch and publisher Activision recently let players across the globe beta test some..."

https://www.google.com/search?q=site%3Awww....-8&oe=utf-8


- it seems that www.oesf.org/images/diag contains lots of harmful PHP scripts (e.g. sitemap51.php, sitemap92.php, art-924073.php...), with text in Cyrillic (in Russian?):

https://www.google.it/search?q=%22Call+of+D...te:www.oesf.org


Varti

Post #6 - sdjf (Members) - Sep 29 2016, 07:26 AM

Those pages are not in the forum, whose working URL is http://www.oesf.org/forum; they are under the home page link http://www.oesf.org.

In a browser, I cannot even get to http://www.oesf.org, only the forum when I go directly.

The Google search of oesf.org (not forum) turns up the feed, which is alive and well (yay!), and a bunch of pages which should get removed if they are still there, but who can do that?

https://www.google.com/search?q=site%3Awww....amp;btnG=Search

The only place in the forum where "call of duty" now appears is in one user's profile, as far as I can tell???

Okay, I see those pages are still on the web, and accessible via Google, although not in the forum itself. Is offroadgeek the only person now with admin rights? I PM'd speculatrix (or emailed, I forget which) to see if he is still reachable, although not about the malware.

sdjf

Post #7 - Varti (Admin) - Sep 29 2016, 08:11 AM

Well, it has happened once, with one of the search results with the "Call of Duty" tag, that I was redirected to a phishing site instead of the forum's thread, so I believe that this malware can be harmful when searching the forum via Google (I do that sometimes).

Varti

Post #8 - sdjf (Members) - Sep 30 2016, 06:54 AM

QUOTE(Varti @ Sep 29 2016, 09:11 AM)
Well, it has happened once, with one of the search results with the "Call of Duty" tag, that I was redirected to a phishing site instead of the forum's thread, so I believe that this malware can be harmful when searching the forum via Google (I do that sometimes).

Varti


I see what you mean, they are in the oesf domain although not in the forum itself. But, who has admin rights who can remove those pages? Do moderators or does it have to be someone at a higher level?

Post #9 - Varti (Admin) - Sep 30 2016, 07:21 AM

QUOTE(sdjf @ Sep 30 2016, 04:54 PM)
QUOTE(Varti @ Sep 29 2016, 09:11 AM)
Well, it has happened once, with one of the search results with the "Call of Duty" tag, that I was redirected to a phishing site instead of the forum's thread, so I believe that this malware can be harmful when searching the forum via Google (I do that sometimes).

Varti


I see what you mean, they are in the oesf domain although not in the forum itself. But, who has admin rights who can remove those pages? Do moderators or does it have to be someone at a higher level?

EDIT: I have talked with speculatrix about the matter, unfortunately neither moderators nor admins (like him) have access to the file structure, except offroadgeek.

Varti

Post #10 - Varti (Admin) - Apr 18 2017, 04:23 PM

(Note: I have merged the two "malware" threads, since this post will answer both of them).

It has taken quite some time and effort, but at last I can now announce that I have removed all the malware which was pestering the forum all these years, or at least I have not managed to find any more of them.

I have registered the forum on the Google Search Console, and asked them for a security review. They have now answered me that the review has been successful and that no more malware has been found; they will now remove all the security warnings related to the forum. I have also activated all the available security options in the admin's control panel, although we'll need to switch to a newer CMS to be safer from similar attacks in the future.

For those curious to know what type of malware was infecting the board:

- by searching for the "Call of Duty" text in a dump of the database, I have found that it was injected in the Borderline-Blue skin, which is an alternative skin to the default one we use here. For some reason, Google cached all the pages using this skin, and sometimes a redirection URL was triggered when opening a page from a Google search. Google will probably still keep the cached pages with the injected text for some months, as it doesn't refresh them often, but at least all the pages which will be cached from now on will not have that text anymore.

- the images/diag directory was full of harmful scripts; the images directory is actually part of the (still offline, I'm working on that) Wiki, so all those files have been added through the Wiki, rather than the forum. The owner of all the files was "apache" and not the OESF shell account's user, since they were added via the HTTP protocol, and only that "user" (and ibiblio's root) could remove them or change the permissions. I solved the problem by temporarily installing a PHP web file manager with an internal web shell, and by manually removing the files using that shell. There was also a malware file called wso2.php inside images/thumb which has been removed, too.

- when searching for write-protected files (i.e. set as 700 and similar), I found out that the lang_global.php and lang_javascript.js files in the forum's cache had the malicious code described here: https://peter.upfold.org.uk/blog/2013/01/15...url4short-mess/

I'll check Google's Search Console in the future for any security issue, since the admin's board is unfortunately unable to detect such threats.

Varti
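The three findings in the post above (scripts planted under the wiki's images directory, cache files left with mode 700, and injected text located by grepping a database dump) can be turned into a repeatable sweep so the checks are not redone by hand after the next incident. The script below is an added example written for this thread, not code from Varti or OESF; the directory layout, file names and dump rows it builds are constructed to mirror what the post describes, and `find_owned_by` stands in for the "owner is apache" observation (it only means something on the real host with the real account names, which the example cannot reproduce).

```shell
#!/bin/sh
# Added example for this thread (not OESF's or Varti's code): a post-cleanup sweep
# of a web root for the artefacts described in Post #10. Everything built by
# make_sample_tree is constructed sample data, not the real OESF layout.

# Build a throwaway tree mimicking the pieces the post mentions: the wiki "images"
# upload directory, the forum cache, and a dump of the skin templates table.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/images/diag" "$root/images/thumb" "$root/cache" "$root/dump"
  # Inert placeholder scripts sitting where only images belong (constructed).
  for f in images/diag/sitemap51.php images/diag/art-924073.php images/thumb/wso2.php; do
    printf '<?php /* constructed placeholder */ ?>\n' > "$root/$f"
  done
  printf 'GIF89a\n' > "$root/images/thumb/logo.gif"
  # Two cache files; the tampered one carries the unusual 0700 mode the post found.
  printf '<?php $lang = array();\n' > "$root/cache/lang_global.php"
  printf '/* constructed placeholder */\n' > "$root/cache/lang_javascript.js"
  chmod 700 "$root/cache/lang_javascript.js"
  # Constructed skin dump: one template row carries the injected hidden text.
  cat > "$root/dump/skins.sql" <<'EOF'
INSERT INTO skin_templates VALUES (1,'Default','<div class="footer">{$footer}</div>');
INSERT INTO skin_templates VALUES (2,'Borderline-Blue','<div style="display:none">Call of Duty: Black Ops 3 is my most anticipated title of the year.</div>');
EOF
  printf '%s\n' "$root"
}

# Count lines on stdin, printing a bare integer even for empty input.
count_lines() { awk 'END { print NR }'; }

# Server-side scripts inside an upload directory are a red flag: images/ should hold
# only media, so any PHP file there was written by something other than the admin.
find_scripts_in_uploads() {
  find "$1/images" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) | sort
}

# Files with mode exactly 0700: the post located the tampered cache files this way,
# since an execute bit with no group/other access is not how a forum writes its cache.
find_mode_700() {
  find "$1" -type f -perm 0700 | sort
}

# Files owned by the web server account (e.g. "apache") rather than the site's shell
# account were written through HTTP, which is how the planted wiki files arrived.
# Assumption: only meaningful on the real host with its real account name.
find_owned_by() {
  find "$2" -type f -user "$1" | sort
}

# Locate injected text in a database dump; the row context shows which skin carries it.
grep_marker() {
  grep -n -F -- "$2" "$1"
}

# Run the whole sweep against a tree and print a short report.
run_sweep() {
  echo "== scripts under upload dirs";          find_scripts_in_uploads "$1"
  echo "== files with mode 0700";               find_mode_700 "$1"
  echo "== dump rows containing the marker";    grep_marker "$1/dump/skins.sql" 'Call of Duty'
}

sample=$(make_sample_tree)
run_sweep "$sample"
rm -rf "$sample"
```

On a real host, point `run_sweep` at the web root and `grep_marker` at a fresh `mysqldump` of the forum database; the skin name in the matching row is what tells you which template to clean, which is how the post traced the text to Borderline-Blue rather than the default skin.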

Post #11 - HoloVector (Members, From: Winnipeg, Canada) - Apr 19 2017, 03:17 PM

Thanks for all your hard work on this. I can't wait to have wiki back.

Post #12 - Varti (Admin) - Apr 20 2017, 06:08 AM

QUOTE(HoloVector @ Apr 20 2017, 01:17 AM)
Thanks for all your hard work on this. I can't wait to have wiki back.

Regarding the MediaWiki upgrade, I'm currently stuck with the upgrade of the wiki database: the web updater script is showing me a blank page every time I run it, and unfortunately I can't use the command line version of the updater since the php shell command is disabled. I'll try to find out what's blocking the updater.

Varti

Post #13 - koan (Members, From: UK) - May 7 2017, 09:31 AM

Good work on fixing the infection.

Perhaps you can download a copy of the wiki database and run the update script locally to work out what is going on?

Post #14 - speculatrix (Admin, From: Cambridge, England) - May 7 2017, 12:34 PM

nice work!

Post #15 - Varti (Admin) - May 9 2017, 01:00 AM

QUOTE(koan @ May 7 2017, 07:31 PM)
Perhaps you can download a copy of the wiki database and run the update script locally to work out what is going on ?

Good idea, I'll try that too, thanks for the hint!

Varti