I believe it's still going out, there are so many people and so few page views that it takes a long time. Text:
There's a new and already widespread exploit in WSN. It's a bit clever, but basically it involves uploading an avatar which contains text and then using the custom templates system to load and execute that avatar's text as PHP to download a shell with which they can take full control. All they *appear* to be doing with that full control is editing wrapper templates to insert javascript just below the body tag.
This javascript infects your visitors who use certain vulnerable web browsers, of which Internet Explorer 6 is confirmed to be one.
To de-infect, please follow these steps for each WSN installation you have: 1) Remove the above javascript from your wrapper template. 2) Check for a file named threaduser.php (in the base WSN directory) and delete it. This isn't a WSN file, it's created by the hacker. 3) Upgrade to the latest release.
You may want to run a virus scan on your computer in case you've used a vulnerable browser.
To prevent this from happening again, custom templates are no longer allowed to specify directory paths and avatar file names are no longer visible. As a preemptive precaution, since so many exploits for so many scripts rely on variations of the tactic, URLs can no longer be embedded within query strings.
Further update: one infected person has said she doesn't have a threaduser.php, which unfortunately must mean the hacker uses different file names on different sites in order to make it impossible to give generic deinfection instructions. If you find the javascript in the wrapper then they must have a file somewhere on your site from which they control your site, but they've given it some other name, and you'll need to find it -- the easy way being to ask your host to help. They encrypted the file to make it hard to search for text from too, but you could search for base64_decode if you can figure out how to search text across the site... I suppose it'd be a recursive grep in a shell.
Edit: Actually she doesn't seem to have any newish members with avatars, so it's possible they found some completely different vector of attack.
They've named it settings.php (in the base directory, not /classes/) in at least one case now. They've also moved the javascript to the bottom of the wrapper in order to evade the instructions.
The only way to find it is to search the text of your entire site for "D0X.de ...PHP-Script Encoder".
0/5
1
2
3
4
5
Sorry, you don't have permission to post posts. Log in, or register if you haven't yet.
Comments on Critical Update Email
Expert
Usergroup: Customer
Joined: Aug 19, 2005
Location: England
Total Topics: 391
Total Comments: 1303
When upgrading a site to 4.1.49 it stated "Critical update (see email notice), however I have never received such an email.
Did it have something in that I must see, other than telling me I must do an upgrade?
Forum Regular
Usergroup: Customer
Joined: Jun 22, 2005
Total Topics: 91
Total Comments: 305
Hi babrees,
It was related to a security issue in the latest version, where somebody could malicious code via an avatar. I suggest you upgrade.
David
Expert
Usergroup: Customer
Joined: Aug 19, 2005
Location: England
Total Topics: 391
Total Comments: 1303
Thanks David - I did upgrade
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
I believe it's still going out, there are so many people and so few page views that it takes a long time. Text:
There's a new and already widespread exploit in WSN. It's a bit clever, but
basically it involves uploading an avatar which contains text and then using
the custom templates system to load and execute that avatar's text as PHP to
download a shell with which they can take full control. All they *appear* to
be doing with that full control is editing wrapper templates to insert
javascript just below the body tag.
This javascript infects your visitors who use certain vulnerable web
browsers, of which Internet Explorer 6 is confirmed to be one.
To de-infect, please follow these steps for each WSN installation you have:
1) Remove the above javascript from your wrapper template.
2) Check for a file named threaduser.php (in the base WSN directory) and
delete it. This isn't a WSN file, it's created by the hacker.
3) Upgrade to the latest release.
You may want to run a virus scan on your computer in case you've used a
vulnerable browser.
To prevent this from happening again, custom templates are no longer allowed
to specify directory paths and avatar file names are no longer visible. As a
preemptive precaution, since so many exploits for so many scripts rely on
variations of the tactic, URLs can no longer be embedded within query
strings.
Further update: one infected person has said she doesn't have a threaduser.php, which unfortunately must mean the hacker uses different file names on different sites in order to make it impossible to give generic deinfection instructions. If you find the javascript in the wrapper then they must have a file somewhere on your site from which they control your site, but they've given it some other name, and you'll need to find it -- the easy way being to ask your host to help. They encrypted the file to make it hard to search for text from too, but you could search for base64_decode if you can figure out how to search text across the site... I suppose it'd be a recursive grep in a shell.
Edit: Actually she doesn't seem to have any newish members with avatars, so it's possible they found some completely different vector of attack.
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
They've named it settings.php (in the base directory, not /classes/) in at least one case now. They've also moved the javascript to the bottom of the wrapper in order to evade the instructions.
The only way to find it is to search the text of your entire site for "D0X.de ...PHP-Script Encoder".