[solved] Forum Infected With Malware

[Varti]

Hi,

this is a long standing issue here, but so far no-one has ever fixed it.  

Every time I try to access the forum, the first time it always redirects to a malicious website (url123.info). When I reload the page, it correctly redirects me to the forum.

This seems to be the issue (thanks Tomoe for the hint):

https://revisium.com/en/kbe/infected_ipb_and_vbulletin.html

I hope that the DB (with the usernames/passwords) hasn't been compromised too

Varti

[Varti]

I have now sent a PM to InSearchOf, he seems to still come here from time to time. I wonder if he's the only remaining admin here or if there are others who are still active...

Varti

[sdjf]

I wonder if the malware had anything to do with triggering the last 6 months or so of outage?

Looking at his profile, it looks like InSearchOf has not been here (at this point) since July 2015.  Several moderators have privatized the dates of their last visits, so it is hard to say if there are any active moderators at all!

[Varti]

I wonder if the malware had anything to do with triggering the last 6 months or so of outage?

No idea. The malware was anyway here since at least a couple of years, I believe it might have been some server update on the host which might have required to fix the configuration files of the forum. I'm anyway glad that the malware has been removed, there's no redirection anymore when opening www.oesf.org, just a blank page is opened. IMHO it would be better that it would link to the main OESF page, or redirect to www.oesf.org/forum.

Looking at his profile, it looks like InSearchOf has not been here (at this point) since July 2015.  Several moderators have privatized the dates of their last visits, so it is hard to say if there are any active moderators at all!

I guess that the moderators' list requires a cleanup and new moderators should be found, among the users who are more active lately here.

Varti

[Varti]

Hi,

the main page redirection malware has been thankfully removed, but there are still at least two present, you can see them by searching oesf.org with Google:

- one adds the following text to each found page on Google, and it seems there's a link hidden there redirecting to a phishing site: "Call of Duty: Black Ops 3" and "Call of Duty: Black Ops 3 is my most anticipated title of the year. Developer Treyarch and publisher Activision recently let players across the globe beta test some..."

https://www.google.com/search?q=site%3Awww....-8&oe=utf-8


- it seems that www.oesf.org/images/diag contains lots of harmful php scripts (e.g. sitemap51.php, sitemap92.php, art-924073.php...), with text in cyrillic (in russian?):

https://www.google.it/search?q=%22Call+of+D...te:www.oesf.org


Varti

[sdjf]

Those pages are not in the forum, whose working url is https://www.oesf.org/forum, they are in the home page link https://www.oesf.org.

In a browser, I cannot even get to https://www.oesf.org, only the forum when I go directly.

The google search of oesf.org (not forum) turns up the feed, which is alive and well (yay!), and a bunch of pages which should get removed if they are still there, but who can do that?

 https://www.google.com/search?q=site%3Awww....amp;btnG=Search

The only place in the forum where "call of duty" now appears is in one user's profile, as far as I can tell???

Okay, I see those pages are still on the web, and accessible via google, although not in the forum itself.  Is offroadgeek the only person now with admin rights?  I PM'd speculatrix (or emailed, I forget which) to see if he is still reachable, although not about the malware.

sdjf

[Varti]

Well, it has happened once, with one of the search results with the "Call of Duty" tag, that I was redirected on a phishing site instead of the forum's thread, so I believe that this malware can be harmful when searching the forum via Google (I do that sometimes).

Varti

[sdjf]

Well, it has happened once, with one of the search results with the "Call of Duty" tag, that I was redirected on a phishing site instead of the forum's thread, so I believe that this malware can be harmful when searching the forum via Google (I do that sometimes).

Varti

I see what you mean, they are in the oesf domain although not in the forum itself.  But, who has admin rights who can remove those pages?  Do moderators or does it have to be someone at a higher level?

[Varti]

Well, it has happened once, with one of the search results with the "Call of Duty" tag, that I was redirected on a phishing site instead of the forum's thread, so I believe that this malware can be harmful when searching the forum via Google (I do that sometimes).

Varti

I see what you mean, they are in the oesf domain although not in the forum itself.  But, who has admin rights who can remove those pages?  Do moderators or does it have to be someone at a higher level?

EDIT: I have talked with speculatrix about the matter, unfortunately neither moderators nor admins (like him) have access to the file structure, except offroadgeek.

Varti

[Varti]

(Note: I have merged the two "malware" threads, since this post will answer both of them).

It has taken quite some time and effort, but at last I can now announce that I have removed all the malware which was pestering the forum all these years, or at least I have not managed to find any more of them.

I have registered the forum on the Google Search Console, and asked them for a security review. They have now answered me that the review has been successful and that no more malware have been found, they will now remove all the security warnings related to the forum. I have also activated all the available security options in the admin's control panel, although we'll need to switch to a newer CMS to be safer from similar attacks in the future.

For those curious to know what type of malware was infecting the board:

- by searching for the "Call of Duty" text in a dump of the database, I have found that it was injected in the Borderline-Blue skin, which is an alternative skin to the default one we use here. For some reason, Google cached all the pages using this skin, and sometimes a redirection URL was triggered when opening a page from a Google search. Google will probably still keep the cached pages with the injected text for some months, as it doesn't refresh them often, but at least all the pages which will be cached from now on will not have that text anymore.

- the images/diag directory was full of harmful scripts; the images directory is actually part of the (still offline, I'm working on that) Wiki, so all those files have been added though the Wiki, rather than the forum. The owner of all the files was "apache" and not the OESF shell's account user, since the were added via the HTTP protocol, and only that "user" (and ibiblio's root) could remove them or change the permissions. I solved the problem by temporarily installing a PHP web file manager with an internal web shell, and by manually removing the files using that shell. There was also a malware file called wso2.php inside images/thumb which has been removed, too.

- when searching for write-protected files (i.e. set as 700 and similar), I found out that the lang_global.php and lang_javascript.js files in the forum's cache had the malicious code described here: https://peter.upfold.org.uk/blog/2013/01/15...url4short-mess/

I'll check Google's Search Console in the future for any security issue, since the admin's board is unfortunately unable to detect such threats.

Varti

[HoloVector]

Thanks for all your hard work on this.  I can't wait to have wiki back.

[Varti]

Thanks for all your hard work on this.  I can't wait to have wiki back.

Regarding the MediaWiki upgrade, I'm currently stuck with the upgrade of the wiki database: the web updater script is showing me a blank page every time I run it, and unfortunately I can't use the command line version of the updater since the php shell command is disabled  I'll try to find out what's blocking the updater.

Varti

[koan]

Good work on fixing the infection.

Perhaps you can download a copy of the wiki database and run the update script locally to work out what is going on ?

[speculatrix]

nice work!

[Varti]

Perhaps you can download a copy of the wiki database and run the update script locally to work out what is going on ?

Good idea, I'll try that too, thanks for the hint!

Varti