Cach Doan (posted June 30, 2023, edited):
Has anyone else encountered the error message "Some of the source files for Invision Community have been modified"? Invision Community v4.7.11.1. This issue seems to occur quite regularly, almost on a daily basis. The source files in question are the ones I've attached to this post. I find myself having to replace these files each day. Although the files only total about 15 KB, they are causing some apps to encounter an HTTP ERROR 500 when attempting to execute a "POST" command. I will share a screenshot of the issue as soon as it occurs again.
Attachment: ips_bc7fe.zip
Marc (posted June 30, 2023):
Could you please clarify here: are these what has been amended, or the files you replaced them with? Are you checking if the files have actually been changed?
Cach Doan (posted July 1, 2023, edited):
It happened again. It happens about once every 24 hours. It looks like a certain 24-hour task is causing this. This is what I see in the admin panel: [screenshot] And this is what I see when I click on "Fix This": [screenshot] Then, when I click on "Download Unmodified Files", it gives me a zip folder like the one I posted at the beginning of this thread; all I have to do is replace the files, and it's gone. Then 24 hours later it happens again. I've been doing this every day for almost a week now, since the update to the latest version.

23 hours ago, Marc Stridgen said: Could you please clarify here: are these what has been amended, or the files you replaced them with? Are you checking if the files have actually been changed?

To clarify this: these should be the unmodified files. I never touched them. They are fresh out of the box; then 24 hours later they are modified (I don't know what triggers it, and I know what the changes are). Then I have to replace them with the fresh out-of-the-box files again for my forums to work again. And here is a recording of how I fix it. I simply replace them with the new files provided by IPS.
Attachment: jqZtSF5yWl.mp4
Cach Doan (posted July 1, 2023):
And here is my admin support page after I fixed it. There are really no issues. Nothing critical.
opentype (posted July 1, 2023):
The fact that those are all admin/api files is a little suspicious. The first thing I would check is what the difference actually is. So instead of overwriting the files, download the existing files and compare them to the IPS version with a file comparison app or online service. Is there an actual difference in the code?
Jim M (posted July 1, 2023):
PHP 8.2 is not compatible with the core system, just a heads up. I don't think that would cause anything related to what you're reporting, but I did just want to mention it. I'd highly suggest doing what opentype suggested and comparing the files. If there are any differences, I would change your passwords immediately on your hosting panel, FTP/SFTP, our software, etc. Then contact your hosting provider about it.
Cach Doan (posted July 3, 2023):
It happened again. I will change the admin password, replace the files, and see if the problem still exists. I will post both versions of the files here; can someone help me look for the difference?
Cach Doan (posted July 3, 2023):
I noticed that only the index.php file is modified. What could be the reasons they are modified? Here are the files. The steps I have taken so far:
1. Changed all admin user account passwords.
2. Changed all FTP access passwords.
3. Replaced the files.
Now it works again, but we'll see if it is modified again within the next 24 hours. I just wanted to let you know as well that recently I changed my web server from Nginx as a reverse proxy for Apache to pure NGINX -> PHP-FPM. I am not sure if this is the cause, but I doubt it.
Attachment: ips_37b41 - Original vs Modified.zip
opentype (posted July 3, 2023):
You are probably being hacked. Just open the index file and you will see at the top that someone is injecting a hidden file from the uploads folder into every call. You could open that file and see what is actually being done there.
Cach Doan (posted July 3, 2023):
9 hours ago, opentype said: You are probably being hacked. Just open the index file and you will see at the top that someone is injecting a hidden file from the uploads folder into every call. You could open that file and see what is actually being done there.

Thank you for letting me know. I did change the password for all the admin accounts and all the FTP access already. Let's see if the problem persists. I'll give an update. Can anyone advise me on how to prevent this? Is changing the passwords for the FTP and admin accounts good enough?
opentype (posted July 3, 2023):
You should also review all software on this server and make sure it's all updated (including 3rd-party modules). Otherwise the door they used to get in might still be open.
Marc (posted July 3, 2023):
You should also contact your hosting company for advice on how to better protect files on their network.
Cach Doan (posted July 3, 2023, edited):
I use my own dedicated server, colocated at a datacenter. I access the root of my server using a certificate, not a password. I will now change the control panel password and the admin panel password. (The Admin Panel can only be logged into from my IP, so that's not the issue.) However, the user control panel can be logged into from any IP; I will change this. I will update all the applications, like antivirus and firewall. I do have the CSF firewall on.
Cach Doan (posted July 3, 2023, edited):
I noticed the script was put in the folder of this application that I got here. I didn't update this plugin for a while; maybe that's why. This is the PHP code they put in at the beginning of every index.php file it modified: [screenshot] I am not sure what it does, but here is the file I see it in. It's zipped just for safety.
Attachment: .a1df15f9.zip
But I'll update you all once I don't see any changes anymore. I'll do the following:
1. Change the password for all admin accounts.
2. Change the password for all FTP accounts (and use secure FTP only from now on).
3. Change the root password of my server (I am on CentOS 7, with CentOS Web Panel).
4. Change the password of the user account that is hosting the forums.
5. Update all antivirus/firewall software for my servers.
A Zayed (posted July 3, 2023):
I saw exactly the same behavior in another Invision community. I believe the actions you took are not enough; you'll almost certainly get hacked again. As a temporary action, the webmaster added a rule to the .htaccess file to prevent the hacker from writing to the index.php files. Although we didn't find out the root cause, this action stopped the hacker from messing around. I also believe there's a back door, maybe from other software installed on the server. May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of the apps or plugins you have for your Invision community?
Chris Anderson (posted July 3, 2023):
Are all of the marketplace files you have installed from invisioncommunity.com, or did you download them from the developer's site? It's a possibility that one of their files has been compromised.
Cach Doan (posted July 3, 2023):
2 hours ago, A Zayed said: I saw exactly the same behavior in another Invision community. I believe the actions you took are not enough; you'll almost certainly get hacked again. As a temporary action, the webmaster added a rule to the .htaccess file to prevent the hacker from writing to the index.php files. Although we didn't find out the root cause, this action stopped the hacker from messing around. I also believe there's a back door, maybe from other software installed on the server. May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of the apps or plugins you have for your Invision community?

Plugins: [screenshot]
Apps: [screenshot]
Currently I am using ClamAV to scan my entire server. Since I own a dedicated server, I go to the root of CentOS 7 and scan the whole thing using ClamAV. They created a lot of random files like this: [screenshot] Also, I already used a script to modify all the index.php files it injected the specific code into, removing the code from all index.php files on my server. Good thing my forums are only for community discussion and are not taking payments or holding any sensitive information of our visitors/members.

2 hours ago, Chris Anderson said: Are all of the marketplace files you have installed from invisioncommunity.com, or did you download them from the developer's site? It's a possibility that one of their files has been compromised.

I downloaded it directly from the Marketplace. Could using non-secure FTP be the reason? I am not sure.

2 hours ago, A Zayed said: I saw exactly the same behavior in another Invision community. I believe the actions you took are not enough; you'll almost certainly get hacked again. As a temporary action, the webmaster added a rule to the .htaccess file to prevent the hacker from writing to the index.php files. Although we didn't find out the root cause, this action stopped the hacker from messing around. I also believe there's a back door, maybe from other software installed on the server. May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of the apps or plugins you have for your Invision community?

Yes, I have other WordPress sites installed in the same home directory as my Invision Power Board, and they are also affected by the injection into all index.php files. But I already used a script to remove the code from all index.php files. I have changed all passwords that have access to my server and to the admin panels. As for WordPress, I only installed plugins from their marketplace. Does anyone else have any advice on how to completely remove them?
Cach Doan (posted July 3, 2023):
I want to add that I am using NGINX + PHP-FPM for my forums, but my other sites are still using NGINX as a reverse proxy with Apache as the main web server behind NGINX, because Apache is present on my WordPress sites to make use of .htaccess. But if that is the cause, then I can just change everything else to NGINX + PHP-FPM.
Cach Doan (posted July 4, 2023):
To clarify, I am confident that the malware or infection did not originate from any plugins available on Invision's Marketplace. It seems my WordPress site was infected first, and subsequently this infection spread to my Invision board site. I have successfully contained the malware thus far, but its exact origin remains unknown. I have transitioned to using NGINX exclusively for all my sites. Before this incident, I primarily used NGINX as a reverse proxy to Apache for most of my sites. I have taken steps to enhance security by disabling all potentially harmful functions, including the PHP 'eval' function, which the malware was using. To eradicate the infection, I wrote several scripts on my server to specifically locate and delete all infected files. I then replaced each file with fresh files downloaded from the Invision Power Board forums. Furthermore, I purged all miscellaneous PHP files and files with the .ott extension. At present, the infection seems to be in remission, but I am meticulously monitoring my server to ensure it doesn't resurface. If I observe no signs of the malware over the next few days, it would suggest that I have successfully resolved the issue. I'll provide an update in that case.
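As an added example (not the author's scripts and not IPS code), here is the read-only check behind the kind of cleanup described above: each index.php is compared against the SHA-256 of the pristine file from the Client Area, an include of a file under uploads/ in its first lines is flagged, and PHP, .ott or hidden files sitting under uploads/ are listed for review. The regex, the paths and the sample tree built by demo() are constructed assumptions, not values taken from the affected server.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Heuristic: an include/require near the top of index.php that pulls a file from uploads/
INJECTED_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b\s*\(?\s*['\"][^'\"]*uploads/[^'\"]*['\"]", re.IGNORECASE)
# Extensions that have no business under uploads/ (.ott is the one mentioned in the thread)
SUSPECT_UPLOAD_EXT = {".php", ".phtml", ".ott"}


def check_index(path: Path, known_good_sha256: Optional[str], head_lines: int = 15) -> List[str]:
    """Return the reasons this index.php looks tampered with (empty list means clean)."""
    data = path.read_bytes()
    reasons = []
    head = "\n".join(data.decode(errors="replace").splitlines()[:head_lines])
    if INJECTED_INCLUDE.search(head):
        reasons.append("include of a file under uploads/ near the top")
    if known_good_sha256 and hashlib.sha256(data).hexdigest() != known_good_sha256:
        reasons.append("hash differs from known-good copy")
    return reasons


def scan_tree(root: Path, known_good: Dict[str, str]) -> Dict[str, List[str]]:
    """known_good maps index.php paths (relative to root) to the SHA-256 of the pristine IPS file.
    Nothing is deleted or rewritten; the result is {relative path: [reasons]} for manual review."""
    findings = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == "index.php":
            reasons = check_index(p, known_good.get(rel))
            if reasons:
                findings[rel] = reasons
        elif "uploads" in p.parts and (p.suffix.lower() in SUSPECT_UPLOAD_EXT or p.name.startswith(".")):
            findings[rel] = ["executable or hidden file under uploads/"]
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed tree: a clean index.php, one with a prepended include, a dotfile and a PNG in uploads/."""
    root = Path(tempfile.mkdtemp())
    clean = "<?php\n/* constructed stand-in for a pristine IPS index.php */\nrequire 'init.php';\n"
    for d in ("forums", "forums/admin", "forums/uploads"):
        (root / d).mkdir()
    (root / "forums/index.php").write_text(clean)
    # Injected line modelled on the thread's description: an include of a hidden file in uploads/
    (root / "forums/admin/index.php").write_text(
        "<?php\n@include '/home/site/uploads/.hidden_placeholder';\n" + clean[len("<?php\n"):])
    (root / "forums/uploads/.hidden_placeholder").write_text("constructed marker, not real malware\n")
    (root / "forums/uploads/avatar.png").write_bytes(b"\x89PNG")  # legitimate upload, must not be flagged
    good = hashlib.sha256(clean.encode()).hexdigest()
    return scan_tree(root, {"forums/index.php": good, "forums/admin/index.php": good})
```

On a real server, point scan_tree() at the site root with hashes taken from a freshly downloaded IPS package; the clean forums/index.php in the demo produces no finding, while the tampered one and the dotfile do.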
Cach Doan (posted July 4, 2023, edited):
I want to share this. This malware spread its files across many of my folders. I have hidden my own files and show only the malware's files: [screenshot]
Cach Doan (posted July 5, 2023):
Here's the update: I uninstalled the "Movies" application yesterday, suspecting it to be the cause of the issue. I also cleared all related files and executed a script to eliminate any identified malware-infected files or the malware itself. This seemed to halt the recurrence for over 24 hours. However, upon reinstalling the "Movies" application, the issue resurfaced immediately. Although I can't definitively pin the blame on the "Movies" app, I can confirm that this malware or virus has compromised my forums and a WordPress site I manage. I'm unsure of the original source, but it's evident that installing the "Movies" application from the Invision marketplace prompts the duplication of infected files across numerous directories, including on my other WordPress site. I've once again uninstalled "Movies" and re-executed yesterday's script to purge known infected files. The infected files appear in the directory for "Movies" as well as others. I'll monitor the situation for another couple of days and update you on whether the issue re-emerges or not.
Marc (posted July 5, 2023):
7 hours ago, Cach Doan said: Here's the update: I uninstalled the "Movies" application yesterday, suspecting it to be the cause of the issue. I also cleared all related files and executed a script to eliminate any identified malware-infected files or the malware itself. This seemed to halt the recurrence for over 24 hours. However, upon reinstalling the "Movies" application, the issue resurfaced immediately. Although I can't definitively pin the blame on the "Movies" app, I can confirm that this malware or virus has compromised my forums and a WordPress site I manage. I'm unsure of the original source, but it's evident that installing the "Movies" application from the Invision marketplace prompts the duplication of infected files across numerous directories, including on my other WordPress site. I've once again uninstalled "Movies" and re-executed yesterday's script to purge known infected files. The infected files appear in the directory for "Movies" as well as others. I'll monitor the situation for another couple of days and update you on whether the issue re-emerges or not.

I would suggest informing the author of this. Did you install it as a custom modification or directly from the marketplace?
Cach Doan (posted July 5, 2023, edited):
I am installing it from the marketplace directly. I would tell the author; however, I can't really be sure whether it was the "Movies" app that caused this, or just the Movies app calling a function or a PHP file during installation that already existed on my server. So I can't really tell at this time if it was the app "Movies" or something else. I will keep you guys updated on how I am resolving it. At the moment, it's back even without the "Movies" app. I just need to find the root of this. Meanwhile I am fresh-installing my forums on another server to remove any unknown files. Can you guide me on how to do this? My thoughts are:
1. Set up a new server, fresh-installing Invision Power Board.
2. Copy the uploads folder? Because those are the files that users uploaded, like images, avatars, attachments.
3. I will reinstall the themes fresh, and also the plugins and apps fresh from the Marketplace (not using the backup files, since they might be infected).
4. After all of that, I will simply import and replace the new database with the old database (my MySQL backup).
Are these the correct steps? This way I ensure all the files are fresh, except the uploads folder, since that folder is important because all the files are there. I will also scan the uploads folder with the antivirus software on my computer to make sure there are no viruses. Let me know if I can do this? @Marc Stridgen
Miss_B (posted July 5, 2023):
33 minutes ago, Cach Doan said: I would tell the author; however, I can't really be sure whether it was the "Movies" app that caused this, or just the Movies app calling a function or a PHP file during installation that already existed on my server. So I can't really tell at this time if it was the app "Movies" or something else.

Personally I highly doubt that said app, or any other app for that matter which is downloaded from the Marketplace here, is the cause of it. Everything that gets submitted here is thoroughly checked by the MP Moderators. You don't need to do a fresh install imo; all you have to do is overwrite your forum files with those from the IPB package that you can download from your Client Centre. I am assuming that you are running the latest version; if not, it would be best to upgrade your forum asap. Doing that will ensure that any infected core files will be cleaned up automatically. You mentioned WordPress; are you using their latest version? What about any of their third-party apps/plugins, are you using their latest versions as well? What should be done imo is a very thorough checkup of your server space for any backdoors that might have been left behind. Also, did you contact your host? You can ask them to check their logs around the time that the infection happened, in the hope that the culprit can be identified and dealt with.
Jim M (posted July 5, 2023):
38 minutes ago, Cach Doan said: fresh-installing Invision Power Board

You wouldn't want a fresh install of it. You would simply want to upload fresh files from the Client Area, restore your database, and bring over your conf_global.php file from your old server, updating the connection details.

41 minutes ago, Cach Doan said: 2. Copy the uploads folder? Because those are the files that users uploaded, like images, avatars, attachments.

Plus any custom attachment folders or third-party application/plugin folders you may have.