
Some of the source files for Invision Community have been modified.


Recommended Posts

Has anyone else encountered the error message, "Some of the source files for Invision Community have been modified"? 

Invision Community v4.7.11.1

This issue seems to occur quite regularly, almost on a daily basis. The source files in question are the ones I've attached to this post. I find myself having to replace these files each day. 

Although the files only total about 15 KB, they are causing some apps to encounter an HTTP ERROR 500 when attempting a "POST" request.

I will share a screenshot of the issue as soon as it occurs again.

ips_bc7fe.zip


It happened again. It happens about once every 24 hours. It looks like a certain 24-hour task is causing this.

This is what I see in the admin panel: (screenshot)

And this is what I see when I click on "Fix This": (screenshot)

Then when I click on "Download Unmodified Files" it gives me a zip folder like the one I posted at the beginning of this thread; all I have to do is replace the files, then it's gone. Then 24 hours later, it happens again. I've been doing this every day for almost a week now, since the update to the latest version.

 

23 hours ago, Marc Stridgen said:

Please could you clarify here. Are these what has been amended, or the files you replaced them with? Are you checking if the files have actually been changed?

To clarify: these should be the unmodified files. I never touched them. They are fresh out of the box, then 24 hours later they are modified (I don't know what triggers it, and I know what the changes are). Then I have to replace them with the fresh out-of-the-box files again for my forums to work again.

And here is the recording of how I fix it. I simply replace them with the new files provided by IPS.


The fact that those are all admin/api files is a little suspicious. First thing I would check is what the difference actually is. So instead of overwriting the files, download the existing files and compare them to the IPS version with a file comparison app or online service. Is there an actual difference in the code?

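What opentype asks for above, a content comparison against the pristine package instead of a blind overwrite, as an added shell example. It is not code from this thread or from Invision Community's own tooling. It assumes the package downloaded from the Client Area has been extracted so that its upload/ contents sit in one directory and the live web root is another; both paths, and the sample tree used to exercise it, are constructed for the demonstration. The one modified file in that sample mimics the pattern later posts describe: an include of a hidden file under uploads/ prepended to index.php. Written for a Linux host with GNU findutils, since the thread is on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the thread or from Invision Community: list the files
# in a live install whose bytes differ from the pristine package, then show
# exactly what was added to one of them. Both directory paths are assumptions.

# report_modified PRISTINE LIVE
# Prints the relative path of every file present in both trees whose content
# differs. Files that exist only in LIVE (uploads, datastore, conf_global.php)
# are ignored here on purpose; they need a separate search, not a diff.
report_modified() {
    ( cd "$1" && find . -type f ) | LC_ALL=C sort | while IFS= read -r rel; do
        rel="${rel#./}"
        if [ -f "$2/$rel" ] && ! cmp -s "$1/$rel" "$2/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# show_added PRISTINE_FILE LIVE_FILE
# Prints only the lines present in the live copy and absent from the pristine
# one. An injected prepend appears here as the first line(s) of output.
show_added() {
    diff "$1" "$2" | grep '^>' | sed 's/^> //' || true
}

# Typical use on the server (both paths are assumptions):
#   report_modified /root/ips_pristine/upload /home/site/public_html
#   show_added /root/ips_pristine/upload/admin/index.php \
#              /home/site/public_html/admin/index.php
```

Run it before touching anything: the list from report_modified tells you the scope (only index.php files, or more), and show_added on one of them tells you what the attacker loads, which is the file to keep as evidence rather than delete.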

PHP 8.2 is not compatible with the core system, just a heads up. I don't think that would cause anything related to what you're reporting, but I did just want to mention it.

I'd highly suggest doing what opentype suggested and comparing files. If there are any differences, I would change your passwords immediately on your hosting panel, FTP/SFTP, our software, etc. Then contact your hosting provider about it.


I notice that only the index.php files are modified. What could be the reasons they were modified?

Here are the files.

The steps I did so far.

1. Change all admin user account password.

2. Change all FTP access passwords

3. Replace the files.

 

Now it works again, but we'll see if it is modified again within the next 24 hours.

 

I just wanted to let you know as well that recently I changed my web server from Nginx as a reverse proxy for Apache to pure NGINX -> PHP-FPM. I am not sure if this is the cause, but I doubt it.

ips_37b41 - Original vs Modified.zip


9 hours ago, opentype said:

You are probably being hacked. Just open the index file and you see at the top that someone is injecting a hidden file from the uploads folder into every call. You could open that file and see what is actually being done there. 

Thank you for letting me know. I did change the passwords for all the admin accounts and all the FTP access already. Let's see if the problem persists. I'll give an update.

Can anyone advise me on how to prevent this?
Is changing the passwords to FTP and admin accounts good enough?


I use my own dedicated server, colocated at a datacenter; I access the root of my server using a certificate, not a password.

 

I will now change the control panel password and admin panel password.

(The Admin Panel can only be logged into from my IP, so that's not the issue.)
However, the user control panel can be logged into from any IP, so I will change this.

I will update all the applications, like antivirus and firewall.

I do have CSF firewall on. 


I noticed the script was put in the folder for this application that I got here. I haven't updated this plugin for a while; maybe that's why.

This is the PHP code they put at the beginning of every index.php file it modified: (screenshot)

I am not sure what it does, but here is the file in which I see it. It's zipped just for safety.

.a1df15f9.zip

 

But I'll update you all once I don't see any changes anymore.
I'll do the following:
1. Change the password for all admin accounts

2. Change the password for all FTP accounts (and use SFTP only from now on)

3. Change the root password of my server (I am on CentOS 7, with CentOS Web Panel)

4. Change the password of the user account that is hosting the forums

5. Update all antivirus/firewall software on my servers

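A search for that injected line across the whole web root, as an added example; it is not code from this thread or from Invision Community. It assumes the dropped line is an include or require pointing at a path that contains uploads/ and that it sits within the first three lines of index.php, which is what the screenshot above is described as showing; both the regular expression and the window are assumptions to adjust if your copy looks different. The stock index.php files only require init.php relative to the application root, not anything under uploads/, so every hit is worth opening.

```shell
#!/bin/sh
# Added example, not from the thread or from Invision Community: locate every
# index.php whose first lines pull in something from an uploads/ path, and
# extract that path so the dropped file can be inspected before it is removed.
# The 3-line window and the regular expression are assumptions drawn from the
# injection described above; widen them if your copy looks different.

# find_prepended_index ROOT
# Prints each index.php under ROOT whose first 3 lines contain an include or
# require that points into an uploads/ path. The stock index.php files only
# require init.php relative to the application root, so every hit is suspect.
find_prepended_index() {
    find "$1" -type f -name index.php | LC_ALL=C sort | while IFS= read -r f; do
        if head -n 3 "$f" | grep -Eq '(include|require)(_once)?[^;]*uploads/'; then
            printf '%s\n' "$f"
        fi
    done
}

# included_path INDEX_PHP
# Prints the first path containing uploads/ that appears in the first 3 lines,
# i.e. the dropped file the prepend loads. Prints nothing when there is none.
included_path() {
    q="'"
    head -n 3 "$1" | grep -Eo "/[^[:space:];\"$q]*uploads/[^[:space:];\"$q]*" | head -n 1
}

# Typical use on the server (the web root path is an assumption):
#   for f in $(find_prepended_index /home/site/public_html); do
#       printf '%s loads %s\n' "$f" "$(included_path "$f")"
#   done
```

Keep the dropped file that included_path points at (copy it out of the web root, as the zip attached above does) before deleting it; its content, timestamps and owner are what tell you which process wrote it, which is the question the thread never answers.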

I saw exactly the same behavior in another Invision community.

I believe the actions you took are not enough; you'll almost certainly get hacked again.

As a temporary action, the webmaster added a rule to the .htaccess file to prevent the hacker from writing to the index.php files.

Although we didn't find out the root cause, this action stopped the hacker from messing around.

I also believe there's a backdoor, maybe from other software installed on the server.

May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of apps or plugins you have for your Invision community?


2 hours ago, A Zayed said:

I saw exactly the same behavior in another Invision community.

I believe the actions you took are not enough; you'll almost certainly get hacked again.

As a temporary action, the webmaster added a rule to the .htaccess file to prevent the hacker from writing to the index.php files.

Although we didn't find out the root cause, this action stopped the hacker from messing around.

I also believe there's a backdoor, maybe from other software installed on the server.

May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of apps or plugins you have for your Invision community?


Plugins: (screenshot)

Apps: (screenshot)

 

 

Currently I am using ClamAV to scan my entire server. Since I own a dedicated server, I go to the root of CentOS 7 and scan the whole thing using ClamAV.

They created a lot of random files like this: (screenshot)

Also, I already use a script to modify all the "index.php" files into which it injected a specific piece of code, removing that code manually from every index.php on my server.


Good thing that my forum is only for community discussion and is not taking payments or holding any sensitive information about our visitors/members.

2 hours ago, Chris Anderson said:

Are all of the marketplace files you have installed from invisioncommunity.com or did you download them from the developer's site?  It's a possibility that one of their files has been compromised.

I downloaded it directly from the Marketplace.
Could using non-secure FTP be the reason? I am not sure.

 

2 hours ago, A Zayed said:

Do you have WordPress installed on the same website?

Yes, I have other WordPress sites installed in the same home directory as my Invision Power Board, and they are also affected by the injection into all index.php files.

 

But I already use a script to remove the code from all index.php files.

I have changed all passwords that have access to my server and to the admin panels.

As for WordPress, I only installed plugins from their marketplace.

Does anyone else have any advice on how to completely remove them?


I want to add that I am using NGINX + PHP-FPM for my forums, but my other sites are still using NGINX as a reverse proxy with Apache as the main web server behind it, because Apache is needed on my WordPress sites to make use of .htaccess. But if that is the cause, then I can just change everything else to NGINX + PHP-FPM.


To clarify, I am confident that the malware or infection did not originate from any plugins available on Invision's Marketplace. It seems my Wordpress site was infected first, and subsequently, this infection spread to my Invision board site.

I have successfully contained the malware thus far, but its exact origin remains unknown. I have transitioned to using NGINX exclusively for all my sites. Before this incident, I primarily used NGINX as a reverse proxy to Apache for most of my sites.

I have taken steps to enhance security by disabling all potentially harmful functions, including the PHP 'eval' function, which the malware was using.

To eradicate the infection, I wrote several scripts on my server to specifically locate and delete all infected files. I then replaced each file with fresh files downloaded from the Invision power board forums.

Furthermore, I purged all miscellaneous PHP files and files with the .ott extension.

At present, the infection seems to be in remission, but I am meticulously monitoring my server to ensure it doesn't resurface. If I observe no signs of the malware over the next few days, it would suggest that I have successfully resolved the issue. I'll provide an update in such a case.

 

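Why deleting the dropped files keeps failing every 24 hours, and the checks a practitioner runs next, as an added example that is not code from this thread or from Invision Community. Two points the post above does not state: eval is a language construct, not a function, so listing it in disable_functions has no effect (the internal functions the dropped code wraps around it, such as base64_decode or system, can be disabled); and a webshell can rewrite any file the PHP-FPM user can write, so a re-infection stops only when that user loses write access to the application's PHP files and the scheduled trigger behind the once-a-day recurrence is found and removed. The pool user name www-data is an assumption (use the user = line from your php-fpm pool configuration), and which directories Invision itself needs writable is the installer's requirement, not something this script decides. The sample tree used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Invision Community: audit which
# files the PHP process could rewrite and where a daily job could be parked.
# WEB_USER is an assumption (www-data); read it from your php-fpm pool config.

# find_writable_by_web ROOT WEB_USER
# Prints files under ROOT that a process running as WEB_USER could modify:
# owned by that user with the owner-write bit set, or group/world writable.
# Group membership of WEB_USER is not resolved here; treat group-writable
# application files as a problem regardless.
find_writable_by_web() {
    {
        find "$1" -type f -user "$2" -perm -u+w
        find "$1" -type f \( -perm -g+w -o -perm -o+w \)
    } | LC_ALL=C sort -u
}

# find_writable_php ROOT WEB_USER
# The same audit restricted to .php files outside uploads/: on a locked-down
# install this list should be empty, because nothing under the web root except
# the directories the application declares writable should accept writes from
# the PHP process.
find_writable_php() {
    find_writable_by_web "$1" "$2" | grep '\.php$' | grep -v '/uploads/' || true
}

# show_scheduled_jobs WEB_USER
# Lists the web user's crontab (needs root to read another user's) and every
# system cron file present, so each entry can be checked by hand. A task that
# re-prepends index.php once a day has to live somewhere like this, or in the
# application's own task queue.
show_scheduled_jobs() {
    crontab -l -u "$1" 2>/dev/null || true
    for f in /etc/crontab /etc/cron.d/* /etc/cron.daily/* /var/spool/cron/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Typical use on the server (web root and user are assumptions):
#   find_writable_php /home/site/public_html www-data
#   show_scheduled_jobs www-data
```

If find_writable_php prints the application's index.php files, the webshell does not need FTP or any password to come back, which is why rotating credentials alone did not help above; fixing ownership (root-owned, mode 644 application files, with only the application's declared writable directories owned by the pool user) is the change that makes the cleanup stick.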

Here's the update:

I uninstalled the "Movies" application yesterday, suspecting it to be the cause of the issue. I also cleared all related files and executed a script to eliminate any identified malware-infected files or the malware itself. This seemed to halt the recurrence for over 24 hours. However, upon reinstalling the "Movies" application, the issue resurfaced immediately.

Although I can't definitively pin the blame on the "Movies" app, I can confirm that this malware or virus has compromised my forums and a Wordpress site I manage. I'm unsure of the original source, but it's evident that installing the "Movies" application from the Invision marketplace prompts the duplication of infected files across numerous directories, including on my other Wordpress site. I've once again uninstalled "Movies" and re-executed yesterday's script to purge known infected files.

The infected files appear in the directory for "Movies" as well as others.

I'll monitor the situation for another couple of days and update you on whether the issue reemerges or not.


7 hours ago, Cach Doan said:

I uninstalled the "Movies" application yesterday, suspecting it to be the cause of the issue. [...] However, upon reinstalling the "Movies" application, the issue resurfaced immediately.

I would suggest informing the author of this. Did you install it as a custom modification or from the marketplace direct?


I installed it from the Marketplace directly.

I would tell the author; however, I can't really be sure whether it was the "Movies" app that caused this, or whether the Movies app just calls a function or a PHP file during installation that already existed on my server. So I can't really tell at this time if it was the "Movies" app or something else.

I will keep you guys updated on how I am resolving it. At the moment, it's back even without the "Movies" app. I just need to find the root of this. Meanwhile, I am doing a fresh install of my forums on another server to remove any unknown files.

Can you guide me on how to do this?

My thoughts are:

1. Set up a new server and do a fresh install of Invision Power Board.

2. Copy the uploads folder? Because that's where the files users uploaded are, like images, avatars, and attachments.

3. I will reinstall the themes fresh, and also the plugins and apps fresh from the Marketplace (not using the backup files, since they might be infected).

4. After all of that, I will simply import the old database (my MySQL backup) over the new one.

Are these the correct steps?

This way I ensure all the files are fresh, except the uploads folder, since that folder is important because all the files are there.

I will also scan the uploads folder with the antivirus software on my computer to make sure there are no viruses.

Let me know if I can do this.

@Marc Stridgen


33 minutes ago, Cach Doan said:

I would tell the author, however, I can't really sure if it was the "Movies" app that cause this or just the movie app that call a function or a php during the installing that is already existed on my server. So I can't really tell at this time if it was the app "Movies" or something else. 

Personally, I highly doubt that said app, or any other app for that matter which is downloaded from the Marketplace here, is the cause of it. Everything that gets submitted here is thoroughly checked by the MP Moderators.

You don't need to do a fresh install, IMO; all you have to do is overwrite your forum files with those from the IPB package that you can download from your Client Centre. I am assuming that you are running the latest version; if not, it would be best to upgrade your forum ASAP. Doing that will ensure that any infected core files will be cleaned up automatically.

You mentioned WordPress; are you using their latest version? What about any of their third-party apps/plugins, are you using their latest versions as well?

What should be done, IMO, is a very thorough check of your server space for any backdoors that might have been left behind.

Also, did you contact your host? You can ask them to check their logs around the time that the infection happened, in the hope that the culprit can be identified and dealt with.

 


38 minutes ago, Cach Doan said:

fresh installing Invision Power Board

You wouldn't want a fresh install of it. You would simply want to upload fresh files from the Client Area, restore your database, bring over your conf_global.php file from your old server, and update the connection details.

41 minutes ago, Cach Doan said:

2. Copy the upload folder? Because that's the files that user uploaded, like images, avatar, attachment.

Plus any custom attachment folders or third party application/plugin folders you may have.

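The uploads copy from the rebuild plan (step 2 above, with Jim M's answer), carried out so that only attachments cross over and the hidden payload under uploads/ that the modified index.php files were loading earlier in the thread does not, as an added example that is not code from this thread or from Invision Community. Desktop antivirus rarely flags a plain PHP file, so the content check here is what a scan on a workstation would miss. The criteria are assumptions: a name starting with a dot, a .php, .phtml or .ott extension (.ott only because those files were being purged above; drop it if members legitimately upload OpenDocument templates), or a PHP open tag anywhere in the file, including inside a file named like an image. The sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Invision Community: copy the
# uploads tree to the rebuilt server while leaving behind anything that looks
# like code rather than an attachment. The skip criteria are assumptions.

# is_suspect_upload FILE -> exit 0 if the file must not be carried over
is_suspect_upload() {
    case "$(basename "$1")" in
        .*) return 0 ;;                      # hidden name, like the dotted payload above
        *.php|*.phtml|*.ott) return 0 ;;     # code, or the extension that was being purged
    esac
    grep -Eq '<\?(php|=)' "$1" 2>/dev/null  # PHP open tag inside an "image" or document
}

# suspect_uploads SRC -> list what would be skipped, for review before copying
suspect_uploads() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        if is_suspect_upload "$f"; then printf '%s\n' "$f"; fi
    done
}

# copy_uploads_clean SRC DST -> copy everything else, preserving the layout
# (monthly_YYYY_MM directories and so on) that the database refers to.
copy_uploads_clean() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$1"/}
        if is_suspect_upload "$f"; then
            printf 'SKIPPED %s\n' "$rel" >&2
            continue
        fi
        mkdir -p "$2/$(dirname "$rel")"
        cp -p "$f" "$2/$rel"
        printf 'COPIED  %s\n' "$rel"
    done
}

# Typical use (paths are assumptions): review first, then copy.
#   suspect_uploads /home/old/public_html/uploads
#   copy_uploads_clean /home/old/public_html/uploads /home/new/public_html/uploads
```

Review the suspect_uploads list before copying: a false positive there is a legitimate attachment you can restore by hand, while a false negative is the backdoor arriving on the clean server. Bring conf_global.php over separately, as Jim M describes, and do not copy applications/ or plugins/ from the old host at all; reinstall those from the Marketplace as step 3 proposes.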
