Web Attack MassInjection

nicepaul
edited June 2013 in Vanilla 2.0 - 2.8

Following on from last week's spam attack (which we resolved by deleting the hidden spam and adding spambot protection to the forum), we're experiencing a "Web Attack MassInjection" on the forum, so I have taken it offline. Viewing the source code looks like this:

Any ideas on how to remove this?

thanks,
Paul

Comments

  • x00 MVP
    edited June 2013

    A quick search shows this is not targeted towards a particular software. It doesn't mean it is not using a vanilla specific exploit, but it could also be more general security weakness.

    First things first, you should change your ftp passwords, database, and anything you use to access the server, and services you use. Then you should ask your host to provide you ftp/access logs to see if any files were modified recently.

    You can also check yourself the modification date of any files.

    I would definitely consult with your host on security. You need to ensure you are taking basic steps.

    You should update to 2.0.18.8, see the security sticky. I would back up your database with a dump or two. You might have to set up the forum from a fresh install and reintroduce what you need.

    First the injection is happening before the master template, secondly, it is a fixture, not related to a particular input such as a post. It might not be in the database at all (I would say files are the likely source), however you can check the database too for good measure.

    However it is repeated several times which means it is likely to be injected into something that loops or is called more than once.

    In other examples, it is inserted in different places, so it will exploit what it can; it is not picky, or smart.

    Simplest: you could take a database dump (you could check the dump for similar code), then you could either ask your host to restore an old copy of your site from backup and then upgrade the forum, or you can start the forum from scratch and reintroduce the data, themes and plugins.

    grep is your friend.
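The two checks x00 recommends above, file modification dates and grepping for the injected code in both the web root and a database dump, as an added example (not code from the thread or from Vanilla). The indicator patterns and the GDN_Comment table name are assumptions; the sample web root it builds is constructed.

```python
import os, re, time, tempfile

INDICATORS = re.compile(  # markers common in obfuscated injections (assumed)
    r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("
    r"|<iframe[^>]+(width|height)=[\"']?0"
    r"|document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)

def recently_modified(root, days=7, now=None):
    """Paths under root whose mtime falls within the last `days` days."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(os.path.relpath(os.path.join(d, n), root)
                  for d, _, names in os.walk(root) for n in names
                  if os.path.getmtime(os.path.join(d, n)) >= cutoff)

def scan_text(text):
    """(line_number, matched_text) for each hit; works on source or a SQL dump."""
    return [(i, m.group(0)) for i, line in enumerate(text.splitlines(), 1)
            for m in INDICATORS.finditer(line)]

def scan_tree(root):
    """Map relative path -> findings for every file containing an indicator."""
    report = {}
    for d, _, names in os.walk(root):
        for n in names:
            path = os.path.join(d, n)
            with open(path, errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report

def build_sample_root():
    """Constructed web root: untouched index.php, a template injected twice, a dump."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php require 'bootstrap.php'; ?>\n",
        "themes/default/views/default.master.php":
            "<?php eval(base64_decode('aGVsbG8=')); ?>\n<html>\n"
            "<?php eval(base64_decode('aGVsbG8=')); ?>\n",
        "backup/dump.sql": "INSERT INTO GDN_Comment VALUES (1,"
            "'<iframe src=\"x\" width=0 height=0></iframe>');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh: fh.write(body)
    old = time.time() - 30 * 86400        # index.php last changed a month ago
    os.utime(os.path.join(root, "index.php"), (old, old))
    return root
```

Run `scan_tree` and `recently_modified` against the real document root and the dump file; a file that shows up in both lists is the first place to look.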

  • x00 MVP
    edited June 2013

    All the sites that I have checked with this infection have PHP and Apache in common, even if additional languages are used. This may be simply because their popularity makes them an obvious choice.

    Typically well known frameworks, but not necessarily.

    The infection is not very smart, and often results in malformed code. It is indiscriminate injection.

    grep is your friend.

  • I think it is kind of encoded.
