
Cach Doan

Posts posted by Cach Doan

  1. 11 hours ago, opentype said:

    I used SES for some of my communities over the last couple of years (via SMTP). The ‘send-rate per second’ didn’t seem to matter for this delivery method. It was pushing out the several hundred bulk mails per task without issues. I did get warnings about getting close to the send limit per 24 hours though. 

    What was the per-second send rate on your Amazon SES account that let you push through several hundred emails per task?

    Also, when you said several hundred, how many hundred? Can I go 500 at a time?

  2. Sorry for bringing this up again.

    I need to send emails to over 13,000 people who want to get my newsletters and updates. My Amazon SES account lets me send only 14 emails every second. What should I do to send them out efficiently? If I set it to send 10 emails every second, I think I can send all 13,000 emails in about 22 minutes. So far I haven't found a way to do this with Invision Power Board. I hope someday there is an update with an option to do this.

  3. 19 hours ago, pan pan said:

    Are there any files that could be blocking an SMTP server from sending emails? I use alt SMTP settings to test if the problem is script-sided and the emails deliver successfully. When I change SMTP to the ones I want to have I get an error; is there any chance that the issue is still with Invision? (I recently migrated servers)

    Are you utilizing a Virtual Private Server (VPS)? Some VPS providers may block the SMTP port as a standard measure. If this applies to your situation, you can submit a support ticket requesting the unblocking of the SMTP port. Be prepared to provide evidence supporting your specific use case scenario.

  4. I've received private messages from several individuals inquiring about the steps I took during this process. So, for anyone else who may come across this topic in the future and have similar questions, here's my response:

    I'm not entirely sure of the problem's origins myself. I recently eliminated my entire WordPress website because it's no longer active and unnecessary. In fact, I didn't even conduct a virus scan on the WordPress site; I simply erased all of its contents. (I did see far more random malware files among the WordPress site's files compared to Invision Community.)

    Regarding the Invision community, I downloaded all its files onto my computer and then ran them through several antivirus programs for a thorough check.

    For instance, I used Bitdefender to scan the folder with my Invision board's backup. Following that, I uninstalled Bitdefender and repeated the process with a different antivirus software, ensuring that if Bitdefender missed anything, the other would likely detect it. I did this three times, using Bitdefender, Avast, and Kaspersky.

    As for the WordPress situation, I've observed on YouTube that people simply update everything to the latest versions and use a plugin called Wordfence to scan for any potential viruses. Additionally, you can download WordPress onto your computer and scrutinize all the files, similar to what I did with the Invision community.

    Here's the link to Wordfence:
    https://wordpress.org/plugins/wordfence/

    This plugin even scrutinizes the database to guarantee that there's nothing harmful in it. However, I didn't utilize it since I had already removed the WordPress site.

  5. I'd like to share an update: I managed to eliminate the malware from my system by completely removing my WordPress site, which was located in the root directory of my hosting account. 

    The source of this malware was predominantly an outdated WordPress plugin.

    For future reference, I will not host WordPress on the same hosting account as my Invision Community. Since I own a dedicated server, I can create multiple user accounts and host WordPress separately on one of them.

    I executed a comprehensive cleanup of all infected files. This involved downloading all the files to my personal computer, conducting a thorough scan using various antivirus software—primarily Bitdefender Free, Avast, and Kaspersky Free—to eradicate and repair all infected files. After the cleanup, I reuploaded them to my server, without the WordPress sites.


  6. Update:

    I moved my entire site to another server. I got a free trial from Kamatera for 30 days just to test whether the malware would replicate or create more malware files on the new server.

    Before I made the move, I downloaded all files to my local computer and scanned them with Avast, and this is what I found:

    [screenshot of the scan results]

    Don't mind the folder "SYNC2"; that's the folder I sync all the files from the root directory into on my local computer. The .ott file here is the main malware that we talked about in this topic.

    I made sure to delete all of those files before I reuploaded all the files to the new server.

    Now this site is running by itself on the entire VPS server, so if there is any replication of malware, we will know for sure that the malware comes from my Invision Power Board directory and not from another WordPress site, since there are no WordPress sites running on this VPS.

    I re-installed the "Movies" app after my site was running on the new VPS server, but so far no malware is showing up.

    Let's wait for at least 24 hours and see if anything shows up.

    If, however, I can't resolve this issue on my own, could I move my site to the cloud so that the Invision team will assist me in fixing the issue? Then I can move back to my own server once it's fixed? Because I heard that once the files are on the cloud, all the malware is not going to work.

    Meanwhile, I can't even access my dedicated server; it's now completely dead. I can't access any of the files. Luckily I have a daily backup of my entire server, and that was how I was able to upload the files and database to the new server.

  7. 1 hour ago, Stuart Silvester said:

    If you haven't already I would recommend looking at the server access logs (and any other logs) around the time those files were first created.

    You might also want to check the `core_javascript` table for the file you're finding in the movies javascript folder. It sounds like it may have been inserted into the database which is then written to the filesystem when caches are cleared (i.e. when an app is installed).

    This is very useful information! I will take a look at that. I got a PM from someone here who offers to help me out. I appreciate all of your help.

  8. 5 minutes ago, Dreadknux said:

    Shouldn't IPS investigate and pull the app pre-emptively and re-approve once the author has fixed the issue? If there really is an app on IPS' official marketplace that has malicious code in it, isn't there a risk of other customers being negatively impacted?

    I believe it's not the "Movies" app, but when installing the Movies app, it might have called another PHP file or function in the process, and that process or PHP file was already infected, which is not related to any of the files from Movies. Because I know that IPS takes a look at the source files for Movies before approving it.

  9. I am transferring the forums to a new hosting service to see if it can resolve the issue on its own without having to share any resources with other sites, basically just by itself.

    I'll update you guys with more tips.

    17 minutes ago, Miss_B said:

    Whatever you do, make sure to have checked everything that you will be moving to the new host, to ensure that it will be malware free.

    It looks like a backdoor scenario to me. Hence my advice above about a thorough checkup for them.

    Have you contacted your host? You can also contact your new host and explain the situation to them and ask them if they will move the site for you and make sure that everything will be clean and safe in the new environment. A lot of hosts will do that for the new clients.

    I don't have anyone to contact because it is a dedicated server located at a datacenter. It's not a hosting company; I manage everything. I have root access.
    It's running CentOS 7 Linux with Centos Web Panel. I can definitely check the logs, but I am not good enough at it to figure out where the backdoor is.

    But what I am going to do now is just move the entire site to a VPS temporarily and see if the infection comes back when it's by itself on another server.

    If there are no more viruses/malware, I will format my server, reinstall the OS and everything, then move the site back to the dedicated server. I know it's a lot of work, but I don't really know where to find the backdoor, unless there's someone here who is willing to help me.

  10. 8 minutes ago, Jim M said:


    Plus any custom attachment folders or third party application/plugin folders you may have.

    Will reinstalling everything from the marketplace automatically give me all the files, and then will my database automatically fix it, like customizing it?

    9 minutes ago, Miss_B said:

    Personally I highly doubt that said app, or any other app for that matter which is downloaded from the Marketplace here, is the cause of it. Everything that gets submitted here is thoroughly checked by the MP Moderators.

    You don't need to do a fresh install imo; all you have to do is overwrite your forum files with those from the IPB package that you can download from your Client Centre. I am assuming that you are running the latest version; if not, it would be best to upgrade your forum asap. Doing that will ensure that any infected core files will be cleaned up automatically.

    You mentioned WordPress; are you using their latest version? What about any of their third party apps/plugins, are you using their latest versions as well?

    What should be done imo is a very thorough checkup of your server space for any backdoors that might have been left behind.

    Also, did you contact your host? You can ask them to check their logs around the time that the infection happened in the hope that the culprit can be identified and dealt with.

    I am worried that if I don't do a fresh install of everything, I might accidentally copy the malware, if I can't find it yet, to the new host. Or is this something I shouldn't be worried about?

    Yes, there were other WordPress installs that were outdated, but I have removed them entirely since I don't need that site anymore, and yet the virus/malware still comes back.

  11. I am installing it from the market directly.


    I would tell the author; however, I can't really be sure if it was the "Movies" app that caused this, or just the Movies app calling a function or a PHP file during the install that already existed on my server. So I can't really tell at this time if it was the app "Movies" or something else.

    I will keep you guys updated on how I am resolving it. At the moment, it's back even without the "Movies" app. I just need to find the root of this. Meanwhile I am fresh-installing my forums on another server to remove any unknown files.

    Can you guide me on how to do this?

    My thoughts are:

    1. Set up a new server, fresh-install Invision Power Board

    2. Copy the upload folder? Because those are the files users uploaded, like images, avatars, attachments.

    3. I will reinstall the themes fresh, and also the plugins and apps fresh from the Marketplace (not using the backup files since they might be infected)

    4. After all of that, I will simply import and replace the new database with the old database (my MySQL backup)

    Are these the correct steps?

    This way it ensures all the files are fresh, except the upload folder, since that folder is important because all the user files are there.

    I will also scan the upload folder with my antivirus software on my computer to make sure there are no viruses.

    Let me know if I can do this.

    @Marc Stridgen

  12. Here's the update:

    I uninstalled the "Movies" application yesterday, suspecting it to be the cause of the issue. I also cleared all related files and executed a script to eliminate any identified malware-infected files or the malware itself. This seemed to halt the recurrence for over 24 hours. However, upon reinstalling the "Movies" application, the issue resurfaced immediately.

    Although I can't definitively pin the blame on the "Movies" app, I can confirm that this malware or virus has compromised my forums and a WordPress site I manage. I'm unsure of the original source, but it's evident that installing the "Movies" application from the Invision marketplace prompts the duplication of infected files across numerous directories, including on my other WordPress site. I've once again uninstalled "Movies" and re-executed yesterday's script to purge known infected files.

    The infected files appear in the directory for "Movies" as well as others.

    I'll monitor the situation for another couple of days and update you on whether the issue reemerges or not.

  13. @CaptJeff I'm no specialist myself, but I faced a similar problem to the one you're describing. For years, I was trapped in the exact version you currently have because any attempt to upgrade would result in issues. However, one day I decided to upload the newest Invision board files and ran the upgrade - surprisingly, it worked.

    Before attempting this, it's crucial to disable all plugins, themes, and third-party applications. 

    What I did was quite simple. I just copied and pasted the new files from Invision, replacing all the old files, and ran the upgrader. Miraculously, everything started functioning as it should. However, I also had to update all outdated plugins and applications post-upgrade.

    During this process, I discovered a particular plugin that caused a crash after the upgrade. So, I disabled it, and everything worked smoothly.

    Before you attempt anything, please back up your database and files.

  14. To clarify, I am confident that the malware or infection did not originate from any plugins available on Invision's Marketplace. It seems my WordPress site was infected first, and subsequently, this infection spread to my Invision board site.

    I have successfully contained the malware thus far, but its exact origin remains unknown. I have transitioned to using NGINX exclusively for all my sites. Before this incident, I primarily used NGINX as a reverse proxy to Apache for most of my sites.

    I have taken steps to enhance security by disabling all potentially harmful functions, including the PHP 'eval' function, which the malware was using.

    To eradicate the infection, I wrote several scripts on my server to specifically locate and delete all infected files. I then replaced each file with fresh files downloaded from the Invision Power Board forums.

    Furthermore, I purged all miscellaneous PHP files and files with the .ott extension.

    At present, the infection seems to be in remission, but I am meticulously monitoring my server to ensure it doesn't resurface. If I observe no signs of the malware over the next few days, it would suggest that I have successfully resolved the issue. I'll provide an update in such a case.
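As an added example for this thread (not a script from the original post or from Invision), one way to do the locate-and-compare step described above: hash every file in the copy downloaded from the server against a clean tree extracted from the vendor package, list what changed or appeared, flag stray .ott files, and recover the bytes prepended to index.php so they can be reviewed before anything is replaced. The directory layout and the sample trees are constructed assumptions; the uploads folder is skipped because it holds user content with no reference copy.

```python
# Added example for this thread, not a script from the original posts.
# Compares a copy of the site downloaded from the server (suspect) against a
# clean tree extracted from the vendor package (reference). It only reports;
# replacing or deleting files is left to the operator after review.
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions with no business in a PHP web tree (the thread mentions stray .ott files).
UNEXPECTED_EXTENSIONS = {".ott"}


def tree_hashes(root, skip_dirs=("uploads",)):
    """Relative path -> SHA-256 of every file under root; user-content dirs are skipped."""
    root, hashes = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = Path(dirpath) / name
            hashes[full.relative_to(root).as_posix()] = hashlib.sha256(full.read_bytes()).hexdigest()
    return hashes


def compare_trees(reference, suspect, skip_dirs=("uploads",)):
    """Files changed vs the reference, added on the server, missing, or suspicious by extension."""
    ref, sus = tree_hashes(reference, skip_dirs), tree_hashes(suspect, skip_dirs)
    return {
        "modified": sorted(p for p in ref if p in sus and ref[p] != sus[p]),
        "added": sorted(p for p in sus if p not in ref),
        "missing": sorted(p for p in ref if p not in sus),
        "unexpected_ext": sorted(p for p in sus if Path(p).suffix.lower() in UNEXPECTED_EXTENSIONS),
    }


def injected_prefix(reference_file, suspect_file):
    """Bytes prepended to an otherwise intact file (the index.php pattern in this thread), else None."""
    ref, sus = Path(reference_file).read_bytes(), Path(suspect_file).read_bytes()
    if len(sus) > len(ref) and sus.endswith(ref):
        return sus[: len(sus) - len(ref)]
    return None


def build_sample_site():
    """Constructed sample trees (not real site data) so the script runs stand-alone."""
    base = Path(tempfile.mkdtemp())
    ref, sus = base / "reference", base / "suspect"
    for root in (ref, sus):
        (root / "applications" / "movies").mkdir(parents=True)
        (root / "uploads").mkdir()
        (root / "index.php").write_bytes(b"<?php\nrequire 'init.php';\n")
        (root / "applications" / "movies" / "Application.php").write_bytes(b"<?php // clean\n")
    # Simulate the symptoms from the thread: a prepended block in index.php and a stray .ott file.
    (sus / "index.php").write_bytes(b"<?php /* constructed marker */\n" + (ref / "index.php").read_bytes())
    (sus / "applications" / "movies" / "cache.ott").write_bytes(b"junk")
    (sus / "uploads" / "avatar.png").write_bytes(b"png")  # user content, deliberately not compared
    return ref, sus


def demo():
    """Run the comparison on the constructed sample; returns (report, injected_index_prefix)."""
    ref, sus = build_sample_site()
    return compare_trees(ref, sus), injected_prefix(ref / "index.php", sus / "index.php")


if __name__ == "__main__":
    print(demo())
```

On a real server, point `compare_trees` at the extracted vendor package and the downloaded site copy; anything under `modified` or `added` is what the thread's manual antivirus passes were trying to find.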


  15. 2 hours ago, A Zayed said:

    I saw exactly the same behavior in another Invision community.

    I believe the actions you took are not enough; you'll almost get hacked again.

    As a temp. action, the webmaster added a rule to the htaccess file to prevent the hacker from writing to the index.php files.

    Although we didn't find out the root cause, this action stopped the hacker from messing around.

    I also believe there's a backdoor, maybe from another software installed on the server.

    May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of apps or plugins you have for your Invision community?


    Plugins: [screenshot of installed plugins]

    Apps: [screenshot of installed apps]

    Currently I am using ClamAV to scan my entire server.
    Since I own a dedicated server, I go to the root of CentOS 7 and scan the whole thing using ClamAV.

    They created a lot of random files like this:

    [screenshot of the random files]


    Also, I already used a script to modify all "index.php" files that had a specific code injected, removing that code from all index.php files on my server.

    Good thing my forums are only for community discussion and are not taking payments or holding any sensitive information for our visitors/members.

    2 hours ago, Chris Anderson said:

    Are all of the marketplace files you have installed from invisioncommunity.com or did you download them from the developer's site?  It's a possibility that one of their files has been compromised.

    I downloaded it directly from the Marketplace.
    Could using non-secure FTP be the reason? I am not sure.

    2 hours ago, A Zayed said:

    I saw exactly the same behavior in another Invision community.

    I believe the actions you took are not enough; you'll almost get hacked again.

    As a temp. action, the webmaster added a rule to the htaccess file to prevent the hacker from writing to the index.php files.

    Although we didn't find out the root cause, this action stopped the hacker from messing around.

    I also believe there's a backdoor, maybe from another software installed on the server.

    May I ask you some questions? Do you have WordPress installed on the same website? Do you mind sharing a list of apps or plugins you have for your Invision community?

    Yes, I have other WordPress installs in the same home directory as my Invision Power Board, and they are also affected by the injection into all index.php files.

    But I already used a script to remove the code from all index.php files.

    I have changed all passwords that have access to my server and to the admin panels.

    As for WordPress, I only installed plugins from their marketplace.

    Does anyone else have any advice on how to completely remove them?

  16. I noticed the script was put in the folder for this application that I got here. I didn't update this plugin for a while; maybe that's why.

    This is the PHP code they put in at the beginning of every index.php file it modified: [screenshot of the injected code]

    I am not sure what it does, but here is the file where I see it. It's zipped just for safety.

    .a1df15f9.zip


    But I'll update you all once I don't see any changes anymore.
    I'll do the following:
    1. Change the password for all admin accounts

    2. Change the password for all FTP accounts (and use Secure FTP only from now on)

    3. Change the root password of my server (I am on CentOS 7, with Centos Web Panel)

    4. Change the password of the user account that is hosting the forums.

    5. Update all antivirus/firewall software for my servers.

  17. I use my own dedicated server, colocated at a datacenter; I access the root of my server using a certificate, not a password.

    I will now change the control panel password and admin panel password.

    (The Admin Panel can only be logged into from my IP, so that's not the issue.)
    However, the user control panel can be logged into from any IP; I will change this.

    I will update all the applications, like antivirus, and firewall.

    I do have CSF firewall on. 

  18. 9 hours ago, opentype said:

    You are probably being hacked. Just open the index file and you see at the top that someone is injecting a hidden file from the uploads folder into every call. You could open that file and see what is actually being done there. 

    Thank you for letting me know. I did change the password for all the admin accounts and all the FTP access already. Let's see if the problem persists. I'll give an update.

    Can anyone advise me how to prevent this?
    Is changing the passwords to FTP and Admin accounts good enough?

  19. I noticed that only the index.php file is modified. What could be the reason it is modified?

    Here are the files.

    The steps I did so far:

    1. Change all admin user account password.

    2. Change all FTP access passwords

    3. Replace the files.


    Now it works again, but we'll see whether it gets modified again within the next 24 hours.

    I just wanted to let you know as well that recently I changed my webserver from Nginx as a reverse proxy for Apache to pure NGINX->PHP-FPM. I am not sure if this is the cause, but I doubt it.

    ips_37b41 - Original vs Modified.zip
