Cach Doan Posted July 5, 2023 Author Posted July 5, 2023 8 minutes ago, Jim M said: Plus any custom attachment folders or third party application/plugin folders you may have. Will reinstalling everything from the marketplace automatically give me all the files, then my database will automatically fixed it? like customize it 9 minutes ago, Miss_B said: Personally I highly doubt that said app, or any other app for that matter which is downloaded from the Marketplace here is the cause of it. Everything that get submitted it here is thoroughly checked by the MP Moderators. You don't need to do a fresh install imo, all you have to do is overwrite your forum files with those from the Ipb package that you can download from your Client Centre. I am assuming that you are running the latest version, if not it would be best to upgrade your forum asap. Doing that it will ensure that any infected core files, will be cleaned up automatically. You mentioned Wordpress, are you using their latest version? What about any of their third party apps/plugins, are you using their latest versions as well? What should be done imo, is to do a very though checkup of your server space for any backdoors that might have been left behind. Also did you contact your host? You can aks them to check their logs around the time that the infection happened in the hopes that the culprit can be identified and be dealt with. I am worried if I don't do a fresh install of everything, I might accidentally copied the malware if I can't find it yet to the new host. Or is this something I shouldn't be worried about? Yes, there are other wordpress that were outdated, but I have removed it entirely since I don't need that site anymore, and yet the virus/malware still comes back.
Jim M Posted July 5, 2023 Posted July 5, 2023 7 minutes ago, Cach Doan said: Will reinstalling everything from the marketplace automatically give me all the files, then my database will automatically fixed it? like customize it You would lose all your data if you reinstall again.
Cach Doan Posted July 5, 2023 Author Posted July 5, 2023 ok thank you for letting me know. I will go ahead and copy and replaced all the files. Thank you for your help. wegorz23 1
Miss_B Posted July 5, 2023 Posted July 5, 2023 13 minutes ago, Cach Doan said: I am worried if I don't do a fresh install of everything, I might accidentally copied the malware if I can't find it yet to the new host. Or is this something I shouldn't be worried about? Whatever you do, make sure to have checked everything that you will be moving to the new host, to ensure that it will be malware free. 15 minutes ago, Cach Doan said: Yes, there are other wordpress that were outdated, but I have removed it entirely since I don't need that site anymore, and yet the virus/malware still comes back. It looks like a backdoor scanario to me. Hence my advice above about a thorough checkup for them. Have you contacted your host? You can also contact your new host and explain the situation to them and ask them if they will move the site for you and make sure that everything will be clean and safe in the new environment. A lot of hosts will do that for the new clients.
Cach Doan Posted July 5, 2023 Author Posted July 5, 2023 I am transferring the forums to a new hosting service, and see if it can resolve the issue on its own without having to share any resources with other site, basically just by itself. I'll update you guys for more tips. 17 minutes ago, Miss_B said: Whatever you do, make sure to have checked everything that you will be moving to the new host, to ensure that it will be malware free. It looks like a backdoor scanario to me. Hence my advice above about a thorough checkup for them. Have you contacted your host? You can also contact your new host and explain the situation to them and ask them if they will move the site for you and make sure that everything will be clean and safe in the new environment. A lot of hosts will do that for the new clients. I don't have no one to contact to because it is a dedicated server located at a datacenter. It's not hosting company, I manage everything. I have access to root. It's running on Centos7 linux with Centos Web Panel. I can definitely check the logs but I am not too good at it to figure out where the backdoor is. But what I am going to do now is just to move the entire site to a VPS temporary and see if the infection is back if it's by itself on another server. If there is no more viruses/malwares, i will format my server and do reinstall OS and everything then move the site back to the dedicated server. I know it'sa lot of work, but I don't really know where to find the backdoor, unless there's someone here that is willing to help me.
Dreadknux Posted July 5, 2023 Posted July 5, 2023 10 hours ago, Marc Stridgen said: I would suggest informing the author of this. Did you install it as a custom modification or from the marketplace direct? Shouldn't IPS investigate and pull the app pre-emptively and re-approve once the author has fixed the issue? If there really is an app on IPS' official marketplace that has malicious code in it, isn't there a risk of other customers being negatively impacted?
Cach Doan Posted July 5, 2023 Author Posted July 5, 2023 5 minutes ago, Dreadknux said: Shouldn't IPS investigate and pull the app pre-emptively and re-approve once the author has fixed the issue? If there really is an app on IPS' official marketplace that has malicious code in it, isn't there a risk of other customers being negatively impacted? I believe it's not the "Movies" app, but when installing the movies app, it might have call another PHP or function in the process, and that process or PHP file already infected, which is not related to any of the files from Movies. Because I know that IPS take a look at the source files for Movies before approving it.
Adriano Faria Posted July 5, 2023 Posted July 5, 2023 7 minutes ago, Cach Doan said: I believe it's not the "Movies" app, but when installing the movies app, it might have call another PHP or function in the process, and that process or PHP file already infected, which is not related to any of the files from Movies. Because I know that IPS take a look at the source files for Movies before approving it. Someone from IPS reviewed the file today earlier and couldn’t find anything obvious that would allow this. I would concentrate your efforts in your server configuration/wordpress install. Cach Doan and Dreadknux 2
Miss_B Posted July 5, 2023 Posted July 5, 2023 34 minutes ago, Dreadknux said: Shouldn't IPS investigate and pull the app pre-emptively and re-approve once the author has fixed the issue? If there really is an app on IPS' official marketplace that has malicious code in it, isn't there a risk of other customers being negatively impacted? You have nothing to aorry about in that regard, really. Ips takes security very seriously and they have their customers best interests at heart. Hence why they check very thoroughly every single third party item submited in the Merketplace. Cach Doan and Dreadknux 2
Adriano Faria Posted July 5, 2023 Posted July 5, 2023 30 minutes ago, Cach Doan said: I believe it's not the "Movies" app, but when installing the movies app, it might have call another PHP or function in the process, and that process or PHP file already infected, which is not related to any of the files from Movies. Because I know that IPS take a look at the source files for Movies before approving it. 40 minutes ago, Dreadknux said: Shouldn't IPS investigate and pull the app pre-emptively and re-approve once the author has fixed the issue? If there really is an app on IPS' official marketplace that has malicious code in it, isn't there a risk of other customers being negatively impacted?
Stuart Silvester Posted July 5, 2023 Posted July 5, 2023 If you haven't already I would recommend looking at the server access logs (and any other logs) around the time those files were first created. You might also want to check the `core_javascript` table for the file you're finding in the movies javascript folder. It sounds like it may have been inserted into the database which is then written to the filesystem when caches are cleared (i.e. when an app is installed).
Cach Doan Posted July 5, 2023 Author Posted July 5, 2023 1 hour ago, Stuart Silvester said: If you haven't already I would recommend looking at the server access logs (and any other logs) around the time those files were first created. You might also want to check the `core_javascript` table for the file you're finding in the movies javascript folder. It sounds like it may have been inserted into the database which is then written to the filesystem when caches are cleared (i.e. when an app is installed). This is very useful information! I will take a look at that. I got a pm from someone here that offers to help me out. I appreciate all of your help.
Cach Doan Posted July 6, 2023 Author Posted July 6, 2023 (edited) Update: I moved my entire site to another server. I got a free trial from Kamatera for 30 days just to test out if the malware will replicate or create more malware files on the new server. Before I made the move, I download all files to my local computer and scan it with avast, and this is what I found: Don't mind the folder "SYNC2" because that's the folder I sync all the files from the root directory to my local computer. the .ott file here is the main thing malware that we talked about this topic. I made sure to delete all of the files before I reupload all the files to the new server. Now this site is running by itself on the entire VPS server, so if there is any replication of malware, we will know for sure that the malware come from my invision power board directory and not from other WordPress site since there are no WordPress site running on this VPS. I re-install the "Movies" app after my site is running on the new VPS server, but so far no malware showing up. Let's wait for at least 24 hours and see if anything show up. If however, I can't resolved this issue on my own, I would like to move my site to the cloud, so that invision team will assist me to fix the issue? Then I can move back to my own server once it's fixed? Because I heard that once the files are on the cloud, all the malwares are not going to work. Meanwhile, I can't even access my dedicated server, it's now completely dead. I can't access any of the files. Luckily I have daily backup of my entire server on a daily basis and that was how I was able to upload files and database to the new server. Edited July 6, 2023 by Cach Doan
Cach Doan Posted July 6, 2023 Author Posted July 6, 2023 Question: Is an empty index.html in some of the directory normal? I see those files. Do you guys have it? I hope it's not related to the malware since I am on a new server.
Miss_B Posted July 6, 2023 Posted July 6, 2023 5 hours ago, Cach Doan said: I would like to move my site to the cloud That would be a good move. Like that you will not have to worry yourself with the security and other server related headaches and you can concentrate on building your community.
Cach Doan Posted July 12, 2023 Author Posted July 12, 2023 (edited) I'd like to share an update: I managed to eliminate the malware from my system by completely removing my WordPress site, which was located in the root directory of my hosting account. The source of this malware was predominantly an outdated WordPress plugin. For future reference, I will not host WordPress on the same hosting account as my Invision Community. Since I own a dedicated server, I can create multiple user accounts and host WordPress separately on one of them. I executed a comprehensive cleanup of all infected files. This involved downloading all the files to my personal computer, conducting a thorough scan using various antivirus software—primarily Bitdefender Free, Avast, and Kaspersky Free—to eradicate and repair all infected files. After the cleanup, I reuploaded them to my server, without the WordPress sites. Edited July 12, 2023 by Cach Doan
Randy Calvert Posted July 12, 2023 Posted July 12, 2023 I’m glad you found the root cause! Isolation is a good thing as it not only contains a potential blast radius, but helps you more quickly identify where the problem is coming from! Cach Doan 1
Cach Doan Posted July 12, 2023 Author Posted July 12, 2023 (edited) This post was recognized by Marc! Cach Doan was awarded the badge 'Helpful' and 5 points. I've received private messages from several individuals inquiring about the steps I took during this process. So, for anyone else who may come across this topic in the future and have similar questions, here's my response: I'm not entirely sure of the problem's origins myself. I recently eliminated my entire WordPress website because it's no longer active and unnecessary. In fact, I didn't even conduct a virus scan on the WordPress site; I simply erased all of its contents. (I did see way much more random malware files on the wordpress site's files compared to Invision Community) Regarding the Invision community, I downloaded all its files onto my computer and then ran them through several antivirus programs for a thorough check. For instance, I used Bitdefender to scan the folder with my Invision board's backup. Following that, I uninstalled Bitdefender and repeated the process with a different antivirus software, ensuring that if Bitdefender missed anything, the other would likely detect it. I did this three times, using Bitdefender, Avast, and Kaspersky. As for the WordPress situation, I've observed on YouTube that people simply update everything to the latest versions and use a plugin called Wordfence to scan for any potential viruses. Additionally, you can download WordPress onto your computer and scrutinize all the files, similar to what I did with the Invision community. Here's the link to Wordfence:https://wordpress.org/plugins/wordfence/ This plugin even scrutinizes the database to guarantee that there's nothing harmful in it. However, I didn't utilize it since I had already removed the WordPress site. Edited July 12, 2023 by Cach Doan
Recommended Posts