
XF 1.1 Google notified me of malware infection

Discussion in 'Troubleshooting and Problems' started by chrisj, Jun 21, 2013.

  1. chrisj

    chrisj Active Member

    I found a bunch of files in the js directory. The file that Google warned me about is called "js2.php". It just creates an iframe for js.php. There are a few other files that contain data. The server is telling me the files were created by the user www-data.

    I'm not really sure where to go from here, I renamed "js2.php". I am trying to track what is referencing "js2.php".

    The malware uses two urls and one of them I found a blog post about on blog.dynamoo.com mentioning it as a dynamic dns being used by a Neutrino exploit kit where "malicious code is being appended to legitimate .js files on those site".
     
  2. LPH

    LPH Well-Known Member

  3. chrisj

    chrisj Active Member

    Looks to have some common elements. I found one reference to js2.php.

    This line was added to the top of install-lock.php:
    Now I need to find out how this all happened.

    I am on a Linode VPS. install-lock.php's permission is 777; however, should that be a problem since I am not on a shared server?
     
    Last edited: Jun 21, 2013
  4. chrisj

    chrisj Active Member

    I have only used the root account, which had a very strong password. Based on these facts, how much access could the hackers have gotten?
    • The only account was root with a very strong password.
    • They modified install-lock.php file which was set to chmod 777.
    • They created several files in the js folder.
    • The rest of the data seems intact. Hopefully they did not have access to the database.
    install-lock.php would never be accessed by the common user, so the hack would be very ineffective, which leads me to believe that they did not have root access. Somehow, Google was able to find out about the JavaScript file.
     
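A quick triage script for the two indicators chrisj describes, world-writable PHP files (chmod 777) and PHP files whose opening lines reference js2.php or contain an iframe. This is an added example, not anything posted in the thread; the web root and the sample files it creates are constructed for the demo, including the include line it plants at the top of install-lock.php, which stands in for the real injected line the thread does not quote.

```shell
#!/bin/sh
# Added example: triage a web root for the indicators described in the thread.
# Assumes GNU/POSIX find, grep and head; everything below is constructed sample data.
set -eu

# List PHP files under $1 that are world-writable (mode 777, as in the thread).
find_world_writable_php() {
    find "$1" -type f -name '*.php' -perm -o=w
}

# List PHP files under $1 whose first 5 lines mention js2.php or an <iframe>.
# Injected code is usually prepended, so only the head of each file is inspected.
find_injected_php() {
    find "$1" -type f -name '*.php' | while read -r f; do
        if head -n 5 "$f" | grep -qiE 'js2\.php|<iframe'; then
            echo "$f"
        fi
    done
}

# Constructed sample web root (hypothetical; not chrisj's server).
WEBROOT="$(mktemp -d)"
mkdir -p "$WEBROOT/js"
cat > "$WEBROOT/index.php" <<'EOF'
<?php
// legitimate file, nothing prepended
EOF
# Constructed stand-in for the injected line at the top of install-lock.php.
cat > "$WEBROOT/install-lock.php" <<'EOF'
<?php include 'js/js2.php'; ?>
<?php
// original contents of install-lock.php follow
EOF
chmod 777 "$WEBROOT/install-lock.php"
# Constructed stand-in for the dropped js2.php that frames js.php.
cat > "$WEBROOT/js/js2.php" <<'EOF'
<?php echo '<iframe src="js.php" width="1" height="1"></iframe>';
EOF

echo "World-writable PHP files:"
find_world_writable_php "$WEBROOT"
echo "PHP files with suspicious opening lines:"
find_injected_php "$WEBROOT"
```

On a real host, run the same two checks against the XenForo root and compare the hits with a clean copy of the release before deciding what to restore.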
  5. arche

    arche Member

    If you don't mind me asking, what modules do you have loaded with your Apache config?
     
  6. chrisj

    chrisj Active Member

    I'm using an old version of nginx which I will be upgrading.
     
  7. arche

    arche Member

    No problem, was just wondering because there are Apache module injections surfacing again that kind of describe your issue.
     
  8. chrisj

    chrisj Active Member

    Should I force all users to reset their password in case the database was viewed?
     
  9. arche

    arche Member

    How are you storing the passwords?
     
  10. chrisj

    chrisj Active Member

    It's how Xenforo stores them:

     
  11. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    The main concern for the forum would be admin and mod passwords. Regular accounts aren't a concern for the security of the forum, but your users might appreciate being notified about a possible breach so they can reset their passwords themselves.
     
    SneakyDave likes this.
  12. arche

    arche Member

    Agreed.

    OK. Just checking.

    Have you noticed anything odd in your access logs or error logs on the server itself and not xenforo logs?
     
  13. chrisj

    chrisj Active Member

    I checked auth.log and noticed I have been bombarded with SSH login attempts. I will close that down.

    If install-lock.php was modified, does that mean a login attempt was successful?
     
  14. AndyB

    AndyB Well-Known Member

    It is normal that SSH attempts are made on your server's SSH. I have a firewall that restricts SSH attempts unless they come from my IP.
     
    SneakyDave likes this.
  15. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Very likely, yes.
     
