hacked?

Postby EdB » Sun Jan 23, 2011 5:21 pm

We don't really have a forum for conspiracy theories so I picked this one. Probably not our issue but it doesn't hurt to bring it up here.

So anyway I got an email yesterday from my host saying they blocked a path due to finding a malicious file - "notify_a_friend.php" or some such, located in qp_plugins/free_html_widget/po/ and "lang.pll.php" located in root. This was a slightly modified copy of QP based around late august that the guy never paid for so I left it there just in case he changed his mind. They decided to change my password from something to something else. Not sure at this exact moment if they've done anything else. Oh and last night I deleted out the entire installation except the path to the "friend" thing (which I was locked out of) and the "lang" thing they did not identify. Today is when I found out they figured out "lang" is also bad (duh). So anyway ... yeah the files are still there and I dunno what their plan is. I told them yesterday that once they're done figuring out what went wrong (which I guessed they would blame on old CMS or sloppy password maintenance, which they did both) that I would just wipe out the entire folder. SuPHP is installed here, no folder or file has ever been CHMOD'd to anything, and currently this is the only malicious activity I'm aware of.

Oh yeah my copy of "summary.php" is still on that path but has a date/time of 2 minutes after the "lang" file came into being - both about 3 days ago. So anyway if this is something we need to do something about it concerns summary.php and the free html widget, but I doubt it.

Here's a thought for maybe a plugin or maybe core: a snapshot of how many folders and files we have so we can occasionally compare what is to what should be. Obviously "media" would be a PITA, but just randomly thinking if we compared an array to what was there and highlighted the diffs then ID#1 could say "yeah those are good files". Or not depending, but if not it wouldn't be our mission to do anything about it. Just knowing what the mystery stuff is would be the goal.
EdB
Dracone
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona
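EdB's snapshot idea above, written out as an added example. This is not QP core or plugin code and not anything EdB posted; it assumes PHP 7 or later run from the command line, and that the manifest file is kept somewhere outside the install (ideally off the server), since a manifest an intruder can rewrite proves nothing. The "media" directory is skipped by default, as the post suggests.

```php
<?php
// Added example (not QP code): build a manifest of every file under an install,
// store it as JSON, and later diff the live tree against it.
// Assumptions: PHP 7+, CLI, and a manifest path outside the install.

/**
 * Walk $root and return ['relative/path' => ['size' => int, 'sha256' => string]].
 * Directories listed in $skip (e.g. "media") are not descended into.
 */
function build_manifest(string $root, array $skip = ['media']): array
{
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("No such directory: $root");
    }
    $root = rtrim($real, DIRECTORY_SEPARATOR);
    $manifest = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
            function (SplFileInfo $f, $key, $it) use ($root, $skip) {
                // Do not descend into the noisy upload directory
                if ($f->isDir()) {
                    $rel = ltrim(substr($f->getPathname(), strlen($root)), DIRECTORY_SEPARATOR);
                    return !in_array($rel, $skip, true);
                }
                return true;
            }
        ),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($iter as $file) {
        $rel = ltrim(substr($file->getPathname(), strlen($root)), DIRECTORY_SEPARATOR);
        $rel = str_replace(DIRECTORY_SEPARATOR, '/', $rel);
        $manifest[$rel] = [
            'size'   => $file->getSize(),
            'sha256' => hash_file('sha256', $file->getPathname()),
        ];
    }
    ksort($manifest);
    return $manifest;
}

/**
 * Compare a stored manifest against the current tree.
 * Returns ['added' => [...], 'removed' => [...], 'changed' => [...]].
 */
function diff_manifest(array $known, array $current): array
{
    $added   = array_values(array_diff(array_keys($current), array_keys($known)));
    $removed = array_values(array_diff(array_keys($known), array_keys($current)));
    $changed = [];
    foreach (array_intersect_key($known, $current) as $path => $info) {
        if ($info['sha256'] !== $current[$path]['sha256']) {
            $changed[] = $path;
        }
    }
    return ['added' => $added, 'removed' => $removed, 'changed' => $changed];
}

// CLI usage: php manifest.php snapshot /path/to/install /safe/place/manifest.json
//            php manifest.php check    /path/to/install /safe/place/manifest.json
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2], $argv[3])) {
    [$cmd, $root, $store] = [$argv[1], $argv[2], $argv[3]];
    if ($cmd === 'snapshot') {
        file_put_contents($store, json_encode(build_manifest($root), JSON_PRETTY_PRINT));
        echo "Snapshot written to $store\n";
    } elseif ($cmd === 'check') {
        $known = json_decode(file_get_contents($store), true);
        foreach (diff_manifest($known, build_manifest($root)) as $kind => $paths) {
            foreach ($paths as $p) {
                echo str_pad(strtoupper($kind), 8) . $p . "\n";
            }
        }
    }
}
```

Run the snapshot right after a clean install or upgrade, then run the check from cron and mail yourself anything listed under ADDED or CHANGED. In this thread, the three shell files would have shown up as ADDED and the modified summary.php as CHANGED.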

Re: hacked?

Postby Yabs » Sun Jan 23, 2011 7:47 pm

I hate "helpful hosts" that lock you out of the problem file limiting your ability to work out the problem :-S

Was QP the only software installed on the domain?

Can you post the content of lang.pll.php .. assume they haven't locked that one as well?

¥
I may have opened the door but you entered of your own free will

Techno Babble II
Tacky Pad 3
Yabs
Dracone
Posts: 896
Joined: Sat Nov 21, 2009 9:59 am

Re: hacked?

Postby EdB » Sun Jan 23, 2011 8:34 pm

Locked out of it as well. Should have grabbed a copy last night eh? 161,935 bytes - yowch!
EdB
Dracone
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: hacked?

Postby Yabs » Sun Jan 23, 2011 8:48 pm

Betting that's a rootkit :-S ... Any chance you could ask your host to email you a copy of both files?

Yabs
Dracone
Posts: 896
Joined: Sat Nov 21, 2009 9:59 am

Re: hacked?

Postby EdB » Sun Jan 23, 2011 9:27 pm

QP is and was the only thing installed. Multiple copies of it - I do installs in a folder until someone pays up.

I will ask them for copies but I won't hold my breath.
EdB
Dracone
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: hacked?

Postby EdB » Mon Jan 24, 2011 2:06 am

Okay this is kinda interesting. They renamed the 3 bad files - I kinda missed one in the /po/ path - by putting a .txt on the end, so I FTP'd the first to my desktop. Immediately Microsoft Security Essentials shat itself. Apparently it doesn't like the fact that it sees something called C99shell.G where I saw lang.pll.php.txt so I dunno if I can ... or even want to zip it up for sharing here. http://www.microsoft.com/security/porta ... 2147621088 is what it links to for more info online. I'm guessing the other two files will end up with a very similar problem when downloaded.

Anyway I got a groovy little email from the host that I haven't really read through. But hey that doesn't stop me from copy/pasting to right here :) Scrubbed a wee bit to remove duplicate entries for the same file names (from multiple paths). In fact, scrubbed down to a single folder that I'm pretty sure is the current official release:
Hello Ed Bennett,

Your helpdesk ticket 134532 concerning your hosting service: Max - 1912webworks.com, has been updated by Ariel P. with the following reply:

================================================================
Our scans did not reveal any further malicious scripts on this account.

The 'lang.pll.php' file in the [impressive] directory has been reactivated for FTP/file manager access only.
To prevent accidental execution of the malicious script, we have renamed it to 'lang.pll.php.txt'.

We have reactivated the [impressive/qp_plugins/free_html_widget/po] directory and the files contained therein for FTP/file manager access only.
We have renamed 'post.php' to 'post.php.txt' and 'tell_a_friend.php' to 'tell_a_friend.php.txt' to prevent accidental execution of the malicious code in those files.

These files contain generic PHP shells. Although a flaw in the CMS' security may have allowed their upload, the malicious files themselves will likely not yield any additional information.

Generally speaking, arbitrary file upload vulnerabilities exist in any scripts that use the '$_FILES' superglobal or the deprecated '$HTTP_POST_FILES' associative array without stringent data validation and naming practices.
This would include mime type checking, uploaded data contents validation/filtering (e.g. loading uploaded files that claim to have an image as image data in the PHP script and save the image data with the appropriate functions, then discarding the uploaded file), file size limits enforcement, destination file existence checking (e.g. not overwriting existing files), changing destination file names to include valid randomly selected characters or other means of manipulating the file name that cannot be guessed by looking at the resulting file name, ensuring moved files are not made executable, and adding extensions to files based on their detected file types.

The following files on the [caqugna] account reference the '$_FILES' superglobal or the '$HTTP_POST_FILES' array:
======
impressive/lang.pll.php.txt
impressive/qp_plugins/free_html_widget/po/tell_a_friend.php.txt
demo1/qp_inc/files/upload.ctrl.php
demo1/qp_inc/_main.inc.php
======

Other types of vulnerabilities may exist when variables containing potentially user-generated or user-derived data are used in 'require' or 'include' calls, which may give attackers the ability to run their own PHP code that may be able to download additional files onto the account.

The following files in the [caqugna] account may contain 'include', 'require', or 'require_once' calls that may directly use potentially-unsafe data:
======
demo1/qp_inc/_blog_main.inc.php
demo1/qp_inc/_blog_main.inc.php
demo1/qp_inc/cron/_cron.funcs.php
demo1/qp_inc/templates/_template.funcs.php
demo1/qp_inc/templates/_template.funcs.php
demo1/qp_inc/templates/_template.funcs.php
demo1/qp_inc/widgets/model/_widget.class.php
demo1/qp_inc/_core/_class5.funcs.php
demo1/qp_inc/locales/_locale.funcs.php
demo1/qp_inc/plugins/model/_plugins.class.php
demo1/qp_inc/plugins/_plugin.class.php
demo1/qp_plugins/code_highlight_plugin/_code_highlight.plugin.php
demo1/qp_plugins/code_highlight_plugin/_code_highlight.plugin.php
======

Please let us know if you require further assistance regarding this issue.
EdB
Dracone
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona
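The host's list of upload checks in the email above, applied in one handler as an added example. This is not QP's upload.ctrl.php and not the host's code; it assumes PHP 8 with the GD and fileinfo extensions, an `$uploadDir` that the web server does not execute PHP from, and that only JPEG, PNG and GIF uploads are wanted. Each check from the email is marked in the comments.

```php
<?php
// Added example (not QP code, not the host's code): an image upload handler that
// applies every item from the host's checklist. Assumptions: PHP 8+, GD and
// fileinfo available, $uploadDir is a directory with PHP execution disabled.

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // size limit enforced here, not only in php.ini
const ALLOWED_TYPES = [                      // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it as a freshly re-encoded image.
 * Returns the stored file name on success, or throws RuntimeException.
 */
function store_uploaded_image(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // File size limit enforcement
    if ($file['size'] > MAX_UPLOAD_BYTES || filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // MIME type checking from content, never from the client-supplied name or $file['type']
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported content type: ' . $mime);
    }

    // Contents validation: load the bytes as image data and re-encode them below,
    // so anything that is not image data is discarded with the original file
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Content is not a decodable image');
    }

    // Random, unguessable name; extension taken from the detected type;
    // destination existence checked so nothing is overwritten
    $ext = ALLOWED_TYPES[$mime];
    do {
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest = rtrim($uploadDir, '/') . '/' . $name;
    } while (file_exists($dest));

    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0644);            // moved file is never executable
    unlink($file['tmp_name']);     // discard the uploaded original
    return $name;
}

// Usage inside a request handler:
// try {
//     $stored = store_uploaded_image($_FILES['photo'], __DIR__ . '/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected';
// }
```

The re-encode step is the one that matters most: a file that passes the MIME check and still carries PHP appended after valid image data comes out of imagejpeg() or imagepng() as pixels only. Keeping PHP execution switched off for the upload directory at the web server level is a second, independent layer, so that even a file that slips through cannot be run the way the shells in this thread were.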

Re: hacked?

Postby Yabs » Mon Jan 24, 2011 11:41 am

OK, google just gave me a headache with that one. Now I have 2 problems to fix :-S

Yabs
Dracone
Posts: 896
Joined: Sat Nov 21, 2009 9:59 am

Re: hacked?

Postby Tblue » Tue Jan 25, 2011 7:47 pm

What about the webserver logs? Perhaps we could use them to find "interesting" URLs used for the attack... Sadly, that will only work if the attacker used a GET request as POST data (usually) doesn't show up in the logs.

//edit: It's also possible somebody got to know your FTP login credentials (e. g. by brute-forcing them)...
Tblue
Dracone
Posts: 340
Joined: Sat Nov 21, 2009 1:35 pm
Location: Berlin, Germany
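Tblue's suggestion of reading the web server logs, as an added example (not Tblue's code and not QP code). It parses Apache/nginx combined-format lines and reports every request whose path touches one of the three files the host flagged. The log lines are constructed for the example; the IPs and timestamps are made up. As Tblue says, a POST shows up only as its path, while a GET keeps its query string visible.

```php
<?php
// Added example (not QP code): scan a combined-format access log for requests
// touching the files the host flagged. Sample lines below are constructed.

const SUSPECT_PATHS = [
    'lang.pll.php',
    'qp_plugins/free_html_widget/po/tell_a_friend.php',
    'qp_plugins/free_html_widget/po/post.php',
];

// ip ident user [time] "METHOD path proto" status bytes ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

/** Parse one combined-log line into its fields, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Return the hits (in log order) whose path contains any suspect file name.
 * The query string stays part of 'path' so GET parameters remain visible.
 */
function find_suspect_hits(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        foreach (SUSPECT_PATHS as $needle) {
            if (strpos($req['path'], $needle) !== false) {
                $req['matched'] = $needle;
                $hits[] = $req;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample: one ordinary page view, one POST to the widget path
// (body not logged), one GET to the renamed shell with a query string.
$sample = [
    '203.0.113.7 - - [20/Jan/2011:02:14:09 -0700] "GET /impressive/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Jan/2011:02:15:31 -0700] "POST /impressive/qp_plugins/free_html_widget/po/tell_a_friend.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Jan/2011:02:17:02 -0700] "GET /impressive/lang.pll.php?q=example HTTP/1.1" 200 16131 "-" "Mozilla/5.0"',
];

foreach (find_suspect_hits($sample) as $h) {
    printf("%s %-15s %-4s %d %s\n", $h['time'], $h['ip'], $h['method'], $h['status'], $h['path']);
}

// For a real log: find_suspect_hits(new SplFileObject('/path/to/access.log'))
```

The first hit on each of these paths gives you the earliest time the file was reachable, which you can line up against the file timestamps EdB mentioned; the source IPs of those first hits are the ones worth searching the rest of the log for, to see what they requested before the shells existed.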

Re: hacked?

Postby Afwas » Tue Jan 25, 2011 8:03 pm

Tblue wrote:
> //edit: It's also possible somebody got to know your FTP login credentials (e. g. by brute-forcing them)...

Unlikely because they'd inject index.php-like files, not impressive/qp_plugins/free_html_widget/po/tell_a_friend.php
Afwas
Dracone
Posts: 72
Joined: Sun Nov 22, 2009 5:28 pm
Location: Groningen, The Netherlands

Re: hacked?

Postby Afwas » Tue Jan 25, 2011 8:13 pm

EdB
Are you aware of any specific content in FreeHTML widgets you used that may be infected or may be honey to some scammers?
Afwas
Dracone
Posts: 72
Joined: Sun Nov 22, 2009 5:28 pm
Location: Groningen, The Netherlands
