
Sad
HaLo2FrEeEk
Overlord Extraordinaire

Joined: 15 Aug 2006
Posts: 5782
Status: Offline
Style: Xbox 360
Location: Trying really hard to do something

Post subject: Sad
I was going through some files on the server and I went into the template directory, which contains the images and stylesheets that make Infectionist.com pretty. Inside I found two files that I was certain were not put there by me, one named style.php and the other named ho_header.php. I opened them in a PHP Editor and both contained very well-hidden exploit code. The code was base64 encoded and gzipped, then set to eval(), which means that when it's decrypted, it'll be executed.

The decrypted code was a very large PHP file that printed out multiple forms allowing anyone to execute PHP code, run shell commands, and basically do anything that I would be able to do. Here are screenshots of the 3 pages that you can get to with this script:

I've renamed the files (that's the blurred out section in the first screenshot) and also added a "die()" line at the beginning of the code, which kills it before it runs.

Very scary to imagine that someone could have deleted all the files on the server, or gained access to the database and cleared it.

The really scary thing is, how did someone get these files onto the server in the first place? The only thing I can think is that someone found my test directory, where I test out all my code ideas before putting them into "live" files. I don't generally delete things from that folder because I might need to come back to that example at a later date, sometimes I even make files in that directory public. Not anymore. I've put a password on the directory and I'm the only one with access. It sucks that it came to that, but I do take the security of this site very seriously. I'm only one person and I can't find everything right as it happens, but I always find it.

I really want to make things available, so it sucks that one shithead ruined it for all the other legitimate users, but that's how it has to be. I thought this site was small enough that it could fly under the radar, but apparently that's not the case. It's a bittersweet realization.

So, from here on out if you see a link with the path "/misc/testing/", it won't work anymore. Sorry, but I can't risk something like this screwing up what I've worked at for 4 and a half years.

Edit: Ok, I'm issuing a call to action! I just noticed that the frontpage had been modified as well, but stupid me, I didn't check the modified time before I removed the offending code and saved the file, so I don't know WHEN the file was modified. I'm asking for everyone's help, scour the site, any accessible page should be looked at closely. Any links out of place, or to sites that I wouldn't link to, or in unusual places (the links added to the frontpage were below the bottom of the template, which should be touching the bottom of the window at all times.) Consider ANYTHING out of the ordinary to be a part of this, I mean ANYTHING. I can't find these all on my own, but I'll look in the places that you guys don't have access to. Please help me on this.

Also, I'm very sorry, but I'd recommend you all change your passwords. I know it sucks, but it's better to be safe than sorry. Imagine my pain, I have to change the passwords to the Dreamhost control panel, FTP, forum, all restricted sections of the site, and the admin control panel.

Submit anything that you find to this thread or PM me directly, I will do my absolute best to respond to each submission, and I will most certainly look into each one.

We really need to come together for this one, the site depends on it.
_________________
This user has made more than 500 posts on the Infectionist forums!

~HaLo2FrEeEk

I wrote:
I'm sexy, admit it.


Are you?


Last edited by HaLo2FrEeEk on Wednesday, January 26, 2011 11:40:16 am; edited 1 time
Friday, December 10, 2010 7:07:27 am
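A defender's way to find and safely unwrap the eval(gzinflate(base64_decode(...))) layering the post describes, without ever running the payload. This is an added example, not code from the thread or from the site; the sample file and its placeholder inner payload are constructed here to exercise the decoder.

```python
import base64
import codecs
import re
import zlib

# Matches the classic one-liner eval(<decoder>(<decoder>('<base64 blob>'))) and
# captures the decoder chain (outermost first) plus the quoted literal argument.
CHAIN_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)+",
    re.IGNORECASE,
)
FUNC_RE = re.compile(r"gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13", re.IGNORECASE)


def _undo(func: str, data: bytes) -> bytes:
    """Reverse one obfuscation layer using the Python equivalent of the PHP function."""
    if func == "base64_decode":
        return base64.b64decode(re.sub(rb"\s", b"", data))
    if func == "gzinflate":      # gzdeflate() output: raw DEFLATE, no header
        return zlib.decompress(data, -15)
    if func == "gzuncompress":   # gzcompress() output: zlib-wrapped
        return zlib.decompress(data)
    if func == "gzdecode":       # gzencode() output: gzip-wrapped
        return zlib.decompress(data, 31)
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")  # str_rot13


def find_eval_payloads(php_source: bytes) -> list:
    """Return [(decoder_chain, decoded_bytes), ...] for every eval'd chain in the file.
    Decoding is done here in Python; the payload is never executed. Nested layers
    (a decoded payload that itself contains another eval chain) are unwrapped too."""
    hits = []
    for m in CHAIN_RE.finditer(php_source.decode("latin-1")):
        chain = [f.lower() for f in FUNC_RE.findall(m.group(1))]
        data = m.group(2).encode("latin-1")
        for func in reversed(chain):   # PHP evaluates the innermost call first
            data = _undo(func, data)
        hits.append((chain, data))
        hits.extend(find_eval_payloads(data))
    return hits


# Constructed sample standing in for the planted style.php; the inner payload is a
# harmless placeholder, wrapped exactly as gzdeflate() + base64_encode() would wrap it.
INNER = b"<?php /* placeholder standing in for the shell body */ echo 'hi'; ?>"
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_PHP = (b"<?php\neval(gzinflate(base64_decode('"
              + base64.b64encode(_c.compress(INNER) + _c.flush()) + b"')));\n?>")

if __name__ == "__main__":
    for chain, body in find_eval_payloads(SAMPLE_PHP):
        print("layers:", " -> ".join(chain))
        print(body.decode("latin-1"))
```

Point the scanner at every .php file under the web root (template, test and upload directories included) and review anything it unwraps; a file that legitimately needs eval() of a compressed literal is rare enough that each hit deserves a look.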
Poisonblood
Proto-Gravemind

Joined: 11 Apr 2007
Posts: 2724
Status: Offline
Style: Xbox Xtreme
Location: New Awesometon

Holy shit, what an asshole move. Scout Wray is on the way, no dirty links will get past me.
_________________
This user has made more than 500 posts on the Infectionist forums!


Pikachu Response to H2F Getting His Ass Kicked wrote:
"Carissa, take a picture of this. The guys down at Infectionist are gonna love this."

HaLo2FrEeEk wrote:
I guess I must be gay. And married...but totally gay, 100% flaming homosexual here.
Friday, December 10, 2010 1:29:20 pm
HaLo2FrEeEk
Overlord Extraordinaire

Joined: 15 Aug 2006
Posts: 5782
Status: Offline
Style: Xbox 360
Location: Trying really hard to do something

They weren't even dirty, if by dirty you meant..."dirtyyyy". One was a link to a blackjack site and the other to a loan site. I have a feeling they were random though, and the script behind them was too long to just display a link, which is why I recommend you change your password, it's possible to intercept a session and hijack a password from it, if you know what you're doing. I have a feeling that these people didn't know what they were doing because the code that they used is widely distributed online.
Friday, December 10, 2010 3:35:08 pm
Pikachu
Brute Combat Form

Joined: 09 Aug 2010
Posts: 403
Status: Offline
Style: Xbox 360

No! They're gonna spam up the site and glass the entire website! It's like HippiePivot all over again! Spamming bastards.
_________________

HaLo2FrEeEk wrote:
I like painful sex

^ I have proof of this, I swear.
Friday, December 10, 2010 4:59:18 pm
Poisonblood
Proto-Gravemind

Joined: 11 Apr 2007
Posts: 2724
Status: Offline
Style: Xbox Xtreme
Location: New Awesometon

Heh, that happened twice on HP. They're now on Artistwith.in.

And by dirty I meant...mean, nasty? You dirty bastards!? Ain't no dirty bastard links getting past me! Like that.
bK x PwNeR
Pure Form

Joined: 05 Feb 2007
Posts: 604
Status: Offline
Style: Xbox 360
Location: Working on a Machinima somewhere in the world....

Well, you know you can trust us who have been around for years H2F. I would hate to see this place gone.
_________________
This user has made more than 500 posts on the Infectionist forums!




Poisonblood wrote:
HaLo2FrEeEk wrote:
What's np? I know AAE and Vegas, but what np?

No problem, newb.
:) J/K
Friday, December 10, 2010 8:03:35 pm
Poisonblood
Proto-Gravemind

Joined: 11 Apr 2007
Posts: 2724
Status: Offline
Style: Xbox Xtreme
Location: New Awesometon

bK x PwNeR wrote:
Well, you know you can trust us who have been around for years H2F. I would hate to see this place gone.

Muahahhahahah...lolwut.
s.k.
Pure Form

Joined: 23 May 2010
Posts: 864
Status: Offline
Style: Xbox 360
Location: Australia

SHIIITTT!!!! That's bad, I will now look on every page on this site
_________________
This user has made more than 500 posts on the Infectionist forums!

Pikachu wrote:
Poisonblood wrote:
One time I tickled HaLo2FrEeEk's balls with my tongue. But that's a story for a different time.

I hereby declare you a full-fledged faggot.


PROMOTE ME!! PROMOTE ME!! PROMOTE ME!! PROMOTE ME!!
Friday, December 10, 2010 9:04:57 pm
HaLo2FrEeEk
Overlord Extraordinaire

Joined: 15 Aug 2006
Posts: 5782
Status: Offline
Style: Xbox 360
Location: Trying really hard to do something

The real problem lies with the files that aren't visible. In the case of the links on the frontpage, I got very lucky. I would never have noticed it at all had I not been looking over the frontpage and noticed a small gap between the bottom of the layout and the bottom of the window (not supposed to be there). The arduous task of going through EVERY SINGLE FILE on the site and checking it for malevolence, lies with me. It's going to be a painstaking process, but it needs to be done, for the good of the site.
Friday, December 10, 2010 10:49:29 pm
Eviscerate Core
Super Donater

Joined: 21 May 2010
Posts: 649
Status: Offline
Style: Xbox 360
Location: CA

Man, this is some BS. I'll keep an eye out for any funny business. I'll also keep a closer eye on eviscerate.infectionist.com just in case.

I don't see how anyone could get files into your template directory through the test directory. But however they did it, it really bums me out. Keep us updated (not that you wouldn't anyways)

EDIT: I just saw that the last "person" to join Infectionist was a spammer, and it got me thinking... you might want to start worrying about spam bots, H2F. I've seen a really legitimate forum destroyed by spam bots (including not only spam, but deleting the entire database). Over the last few weeks I've seen some other infectionist joins that I thought were suspicious at the time, especially because they didn't post anything. I'm curious if any of this is related or not. Just some thoughts and observations.
_________________
This user has made more than 500 posts on the Infectionist forums!

-- Eviscerate Core

Friday, December 10, 2010 11:17:45 pm
All times are GMT - 8 Hours
Powered by phpBB © 2001, 2005 phpBB Group
Xbox 360 by Scott Stubblefield