
Code injected into forum

Posted: Sun Nov 22, 2009 7:55 am
Author: .QUACK.Major.Pain
Injection found in root/viewforum.php

I was on our site yesterday, and found I was getting an error trying to view our forum.
I was able to view the index page, but when clicking on any forum area to view the topics in that forum area, I got this error:

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/aaquac5/public_html/bindepot.net/forum/viewforum.php on line 273

So I opened the file and compared it to a newly downloaded viewforum.php file, and found some code injected in the file.

Line 272 and before was ok, but the next couple lines were not supposed to be there.

What it should look like:

Code:
        // Redirect via an HTML form for PITA webservers
        if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))
        {
                header('Refresh] . '</title></head><body><div>' . sprintf($lang['Rediect_to'], '<a>', '</a>') . '</div></body></html>';
                exit;
        }
        // Behave as per HTTP/1.1 spec for others
        header('Location: ' . $url);
        exit;
}
//-- fin mod : categories hierarchy ----------------------------------------------------------------


What was in mine:

Code:
        // Redirect via an HTML form for PITA webservers
        if (@preg_match('/Microsoft|WebSTAR|Xitami/', getenv('SERVER_SOFTWARE')))
        {
                header('Refresh] . '</title></head><body><div>' . sprintf($lang['Rediect_to'], '<a>', '</a>') . '</div><ed19d794e594f5827df26f9ff1c925ab><0873547521><a> </a><ed19d794e594f5827df26f9ff1c925ab></body></html>';
                exit;
        }
        // Behave as per HTTP/1.1 spec for others
        header('Location: ' . $url);
        exit;
}
//-- fin mod : categories hierarchy ----------------------------------------------------------------


The injected code:

Code:
<ed19d794e594f5827df26f9ff1c925ab><0873547521><a> </a><ed19d794e594f5827df26f9ff1c925ab>


This has been found in some of my other sites also.
Removing the code fixed the file and site.

Any way to prevent this from happening again?

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:18 am
Author: .QUACK.Major.Pain
Also found it in root/viewtopic.php

Getting error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 478

Found:

Code:
// page the post is on and the correct display of viewtopic)
//
$join_sql_table = (!$post_id) ? '' ] --><= $post_id";
$count_sql = (!$post_id) ? '' : ", COUNT(p2.post_id) AS prev_posts";


Again injected code:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:23 am
Author: .QUACK.Major.Pain
And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 722

Code:
}
$select_post_days = '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><select>';
for($i = 0; $i < count($previous_days); $i++)
{

Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:26 am
Author: .QUACK.Major.Pain
Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 812

Code:
elseif ($start + $board_config['posts_per_page'] > $forum_topic_data['topic_replies']) {
    $row_id = intval($forum_topic_data['topic_replies']) % intval($board_config['posts_per_page']);
    if ($postrow[$row_id]['post_id'] != $forum_topic_data['topic_last_post_id'] || $start + count($postrow) <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< $forum_topic_data['topic_replies'])
    {
       $resync = TRUE;
    }

Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:30 am
Author: .QUACK.Major.Pain
Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 874

Code:
        $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
        for($i = 0; $i <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< sizeof($words); $i++)
        {
                if (trim($words[$i]) != '')

Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:32 am
Author: .QUACK.Major.Pain
And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1150

Code:
if(isset($finish))
{
        $pagination_ppp = ($finish <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< 0)? -$finish]

Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:35 am
Author: .QUACK.Major.Pain
And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1311

Code:
                                $server_protocol = ( $board_config['cookie_secure'] ) ? 'https] <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><> 80 ) ? ':' . trim($board_config['server_port']) . '/' : '/';
                                $script_name = preg_replace('/^/?(.*?)/?$/', "\1", trim($board_config['script_path']));
                                $script_name = ( $script_name != '' ) ? $script_name . '/viewtopic.'.$phpEx : 'viewtopic.'.$phpEx;


Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:37 am
Author: .QUACK.Major.Pain
And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1729

Code:
                }
                $poll_expired = ( $vote_info[0]['vote_length'] ) ? ( ( $vote_info[0]['vote_start'] + $vote_info[0]['vote_length'] <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< time() ) ? TRUE ]

Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:39 am
Author: .QUACK.Major.Pain
And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected '[', expecting T_STRING or T_VARIABLE or '$' in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1756

Code:
                                $vote_graphic_img = $images['voting_graphic'][$vote_graphic];
                                $vote_graphic = ($vote_graphic <f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>< $vote_graphic_max - 1) ? $vote_graphic + 1 ]

Injected code:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:42 am
Author: .QUACK.Major.Pain
And again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1865

Code:
                        $s_hidden_fields = '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><input><input>';
                }
                if ( $max_vote > 1 )

Code injected:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:44 am
Author: .QUACK.Major.Pain
Again in root/viewtopic.php

Error:

Parse error: syntax error, unexpected T_STRING in /home/aaquac5/public_html/bindepot.net/forum/viewtopic.php on line 1885

Code:
                $s_hidden_fields .= '<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540><input>';

Injected code:

Code:
<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a><f6fec1339da4f21ec3ea1130185fd540>

Re: Code injected into forum

Posted: Sun Nov 22, 2009 8:50 am
Author: .QUACK.Major.Pain
There were several more instances in the same file.
Hope you don't mind posting a lot of the locations.
Thought it might provide some insight to where or how it is done.

Removing seems to fix the site, but who knows how many more files have been altered.
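
A scan for the marker shape quoted in the posts above, as an added example that is not part of the original thread: it reports every line carrying the `<32 hex><10 digits><a> </a><32 hex>` tag under a web root and can strip it. The function names, the file extension list and the sample file are assumptions made for the example; the marker values are the ones quoted in the posts.

```python
import os
import re
import tempfile

# Marker shape seen in the thread: <32 hex><10 digits><a> </a><same 32 hex>.
# The closing tag is optional so a cut-off copy of the marker is still reported.
MARKER = re.compile(r"<([0-9a-f]{32})><(\d{10})><a> </a>(?:<\1>)?")

def find_markers(text):
    """Return (line_no, hex_id, numeric_id) for every marker in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in MARKER.finditer(line):
            hits.append((line_no, m.group(1), m.group(2)))
    return hits

def strip_markers(text):
    """Return text with every marker removed, leaving the rest untouched."""
    return MARKER.sub("", text)

def scan_tree(root, extensions=(".php", ".html", ".htm", ".tpl", ".js")):
    """Walk root and map each affected file path to its marker hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):  # assumed extension list
                continue
            path = os.path.join(dirpath, name)
            # latin-1 decodes any byte sequence, so odd encodings never abort the scan
            with open(path, encoding="latin-1") as fh:
                hits = find_markers(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: two lines quoted in the thread plus one clean line.
TAG = ("<f6fec1339da4f21ec3ea1130185fd540><9963547521><a> </a>"
       "<f6fec1339da4f21ec3ea1130185fd540>")
SAMPLE = (
    "$s_hidden_fields .= '" + TAG + "<input>';\n"
    "$resync = TRUE;\n"
    "for($i = 0; $i " + TAG + "< sizeof($words); $i++)\n"
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "viewtopic.php"), "w", encoding="latin-1") as fh:
            fh.write(SAMPLE)
        for path, hits in scan_tree(root).items():
            for line_no, hex_id, num_id in hits:
                print(f"{path}:{line_no}: marker {hex_id} / {num_id}")
```

A clean scan only shows that this marker is absent; comparing every file against a fresh download of the same release, as done for viewforum.php in the first post, also catches changes that carry no marker.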

Re: Code injected into forum

Posted: Sun Nov 22, 2009 10:25 am
Author: CaNNon
Change all FTP passwords, and if you've given anyone access, have those changed too. I'll check for exploits and post back.

You may also want to move this to security.

Re: Code injected into forum

Posted: Sun Nov 22, 2009 12:00 pm
Author: CaNNon
You missed a bit:
Code:
XML Parsing Error]
http://www.bindepot.net/forum/chat/index.php
Line Number 101, Column 62:
<2548a689ead92ad9bb554ca1d2f2685d><2713547521><a> </a>
-------------------------------------------------------------^

and
Code:
Warning]

Make sure Crafty Syntax Live Help is greater than ver 2.14.6.
I would also check the chat, maybe it's his in.
Not a full hacker buddy, more an annoying Viagra spammer, but if he can get access he will use you as a home base to link to.

Re: Code injected into forum

Posted: Sun Nov 22, 2009 2:27 pm
Author: CaNNon
Test post, took out java and replaced it with broken.