CPG Dragonfly™ CMS Community Forums :: Security v9 :: Archived ⇒ Hacked twice in 2 days [Gallery 1.5] (page 2)

Archived ⇒ Hacked twice in 2 days [Gallery 1.5]


scoopy wrote
I thought the OP had defined the results of this "hack" pretty clearly. I have been trying to figure out how someone is able to add code to my index file and thus fix the problem... as I am sure that was the same intention of the OP.


This isn't rocket science my friend, they log in.
They change the index file. Or they exploit a remote access vulnerability (which from your prior posts wouldn't be possible...sure) and modify your pages.

Yes... I still have the "error_log" and No... to any previous HTTP logs. Someone has again somehow modified my index file today and I found the same <script> added to the bottom of the index.

Line 133 was where this HTML code was added by the "script kiddy" which is what breaks the PHP code and produces the error message... instead of the IFRAME or redirection they had intended. The error is then logged and that is what gives me an approx. time of the "hack".


News flash, this is no script kiddie....this is a purposeful attempt to turn your site into a malware distribution site.

Obfuscated scripting is not something your average script kiddie can figure out.

Anyway... I think I may have guessed what me and the OP had in common that could be the reason we both had this same problem and will upgrade that module we both are running on our sites.


Well I had a guess that the attacker was using known vulnerabilities in googlemaps API,

But...no details or advice on whether or not this was being used on the site. We can guess but it doesn't help the problem guessing when the OP knows 100% Much like yourself.

You still do not tell us 'what module' you suspect is the problem.

You still do not tell us what versions of DF you're using.

How can we help you more when we don't know what we are working with?

You're making this more difficult than it has to be.

See we have spent a lot of time making DF secure. DJMaze and Nano have spent considerable time in ensuring this is priority #1, at the expense of other facets of the project.

Suffice to say a properly installed DF with no 'unsafe' or 'untested' 3rd party modules or other code it utilized is very secure. This is not guaranteed, but so far the only vulnerabilities that have been disclosed were fixed in 2005, and outside of CVS I'm only aware of two vulnerabilities that made it out to the public packages. Both minor and fixed.

So yes I am VERY curious about HOW they attacked you. But you have to start providing us with the detail we ask for.

You need to help us help you.

Thank you.

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}


News flash, this is no script kiddie....this is a purposeful attempt to turn your site into a malware distribution site.


If this is such an accomplished cracker, why are they unable to understand how to add to an index.php file to make it display the malware page instead of break the site?

Also, is the DF google maps module not a secure module?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Unix / 2.0.46 (Red Hat) / 0.9.7a / 4.1.9-standard / 4.3.2 / 9.0.6.1


spacebar wrote
News flash, this is no script kiddie....this is a purposeful attempt to turn your site into a malware distribution site.


If this is such an accomplished cracker, why are they unable to understand how to add to an index.php file to make it display the malware page instead of break the site?


Ah some details...I did not know, but then it appears there is a lot of ignorance here.

Also, is the DF google maps module not a secure module?


I don't know, I haven't received a copy of it to date. But if the underlying system (ie: the API) is insecure, what hope does the module have?

Again, we're just guessing...

Cheers,

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}


Jeruvy wrote

Also, is the DF google maps module not a secure module?


I don't know, I haven't received a copy of it to date. But if the underlying system (ie: the API) is insecure, what hope does the module have?

Again, we're just guessing...

Cheers,


Right, that's what I'm asking. I hadn't heard the Google Maps API was insecure. Do you know if this is something that is being addressed by Google?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Unix / 2.0.46 (Red Hat) / 0.9.7a / 4.1.9-standard / 4.3.2 / 9.0.6.1


So yes I am VERY curious about HOW they attacked you. But you have to start providing us with the detail we ask for.


/me too... so just the facts

The problem: Someone has been able to add their script to my index (see OP's post) apparently without leaving any trace in any log files. From what I have learned... this fits the characteristics of Cross Site Scripting. But without any proof in the logs or anything else... we can only guess as to who, what, when, where, and why.

As a result of above attempt... I have found my site displaying this error:

Parse error: syntax error, unexpected '<' in /home/scoopy/public_html/index.php on line 133


Here's the specifics to my account:

cPanel Version 11.11.0-RELEASE
cPanel Build 16983
CMS Version 9.1.2.1
PHP Version 5.2.1
MySQL Version 5.0.27-standard (client: 5.0.27)
GD Version bundled (2.0.28 compatible)
Server API CGI
Virtual Directory Support disabled
Configuration File (php.ini) Path /usr/local/Zend/etc/php.ini
PHP API 20041225
PHP Extension 20060613
Zend Extension 220060519
Debug Build no
Thread Safety disabled
Zend Memory Manager enabled
IPv6 Support enabled
Registered PHP Streams php, file, data, http, ftp, compress.zlib, https, ftps
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, convert.iconv.*, zlib.*


PHP info:
www.showmeyourpix.com/phpinfo.php

What has been done:

I have upgraded Gallery 1.5 to the latest 1.5.7 version. This is the only thing that I have added to DF and was running as a module. (Have suffered same hack after doing this)

I have changed all the admin passwords to cpanel, mysql, and DF. (my previous password was pretty secure... a mix of lower, upper case, & numerals)

Although today has been the first day this week I have not found my site "hacked"... I am still not confident that we have this licked... at least on my site.

thanks,

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something
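The post above describes the core defender's problem in this thread: index.php is being modified, nothing shows in the logs, and the only timestamp comes from a PHP parse error. The following is an added example (not code from the thread, from Dragonfly, or from Gallery) of the two checks a site owner can run from a cron job to get that evidence directly: a SHA-256 baseline of the webroot to detect which files changed, and a scan of changed files for the kind of injected script/iframe markup described in the thread. The file names and file contents are constructed stand-ins; the patterns list is a starting point, not a complete signature set.

```python
"""Added example: file-integrity baseline plus injected-markup scan for a PHP webroot.
All sample files below are constructed; on a real host you would read the document root
and keep the baseline somewhere the web server account cannot write."""
import hashlib
import re
from typing import Dict, List, Tuple

# Markup/obfuscation patterns typical of injected redirect and iframe payloads.
# Order matters: the first match for a line is reported.
SUSPICIOUS = [
    (re.compile(r"<iframe[^>]*\bsrc\s*=", re.I), "iframe with src attribute"),
    (re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?https?://", re.I), "remote script include"),
    (re.compile(r"document\.write\s*\(\s*unescape", re.I), "document.write(unescape(...))"),
    (re.compile(r"\b(eval|unescape)\s*\(", re.I), "eval/unescape (obfuscation)"),
    (re.compile(r"String\.fromCharCode", re.I), "fromCharCode (obfuscation)"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content. Store this off-server."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which paths were modified, added or removed since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def scan_for_injection(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each line matching a suspicious pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, reason))
                break
    return hits


def trailing_markup_after_close(source: str) -> str:
    """Anything after the final '?>' that is not whitespace. A CMS entry script
    should normally have nothing there; appended payloads often land exactly here."""
    idx = source.rfind("?>")
    if idx == -1:
        return ""
    return source[idx + 2:].strip()


def check_webroot(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, object]:
    """Run the integrity diff, then scan only the changed/new files for injected markup."""
    current = build_baseline(files)
    changes = diff_baseline(baseline, current)
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for path in changes["modified"] + changes["added"]:
        hits = scan_for_injection(files[path].decode("utf-8", errors="replace"))
        if hits:
            findings[path] = hits
    return {"changes": changes, "findings": findings}


# Constructed sample webroot (not real Dragonfly or Gallery code).
CLEAN_INDEX = (
    "<?php\n"
    "// constructed stand-in for a CMS index.php\n"
    "require_once 'includes/core.php';\n"
    "run_site();\n"
    "?>\n"
)
INFECTED_INDEX = CLEAN_INDEX.rstrip("\n") + (
    "\n<script>document.write(unescape('%3Ciframe src=%22http://example.invalid/x%22%3E'))</script>\n"
)
FILES_CLEAN = {"index.php": CLEAN_INDEX.encode(), "modules/gallery/index.php": b"<?php echo 'gallery';\n"}
FILES_INFECTED = dict(FILES_CLEAN, **{"index.php": INFECTED_INDEX.encode()})

if __name__ == "__main__":
    report = check_webroot(build_baseline(FILES_CLEAN), FILES_INFECTED)
    print(report)
```

Run the baseline step once on a known-clean install and the check step from cron; a non-empty "modified" list with a findings entry gives both the file and the minute it changed, which is the timestamp the thread is missing. The pattern scan is only a tripwire: obfuscated payloads vary, so the integrity diff is the part to rely on, and any changed file should be compared byte-for-byte against the clean copy.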


gallery.menalto.com/pa...ew_release

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head


Been there / done that...

scoopy wrote
Guess it was not that module I updated yesterday... they did it again tonight.


scoopy wrote
I have upgraded Gallery 1.5 to the latest 1.5.7 version. This is the only thing that I have added to DF and was running as a module. (Have suffered same hack after doing this)


I suppose that could have been the initial root of my problems... but how were they able to do the same thing after this was upgraded... unless they were able to steal my password using this exploit... But then if they logged in last time... I would have thought that this would show in the log file after they accessed admin.php?

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


scoopy wrote
Been there / done that...

scoopy wrote
Guess it was not that module I updated yesterday... they did it again tonight.


scoopy wrote
I have upgraded Gallery 1.5 to the latest 1.5.7 version. This is the only thing that I have added to DF and was running as a module. (Have suffered same hack after doing this)


I suppose that could have been the initial root of my problems... but how were they able to do the same thing after this was upgraded... unless they were able to steal my password using this exploit... But then if they logged in last time... I would have thought that this would show in the log file after they accessed admin.php?


Since you changed passwords has it happened again?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Unix / 2.0.46 (Red Hat) / 0.9.7a / 4.1.9-standard / 4.3.2 / 9.0.6.1


spacebar wrote
Since you changed passwords has it happened again?

No... not since then. Has been almost 2 full days now since changing passwords.

SO the possibility remains that they initially used the Gallery 1.5 module to inject their script(s)... while also capturing my password... which then allowed for the subsequent hacking.

Can they really use Cross Site Scripting to steal passwords ? If so... then maybe we have this solved. But then why wasn't this found in the logs... and why didn't they do more (like fix their code) when they had the chance ?

PS: Where's OP Ronin ? I am wondering if he maybe has done the same thing (upgrade gallery and change passwords)

Wanna Play A Game ? | Jazz it up @ the JazzArcade | A Splash of FUN @ the Arcade Splash

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
nix/1.3.37/5.0.27/5.2.1/9something


Jeruvy asked so many times to include all possible info to get an idea of what happened. The info is finally provided and we can see the results.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head


Wow, from 2006...

www.securityfocus.com/...17437/info

The gist:

Gallery is prone to an unspecified cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.


Latest version of Gallery 1, 1.5.7. This particular issue affects below 1.5.3

Now you need to know who is specifically using targeted requests to your gallery vs. legit users who would browse it or come in via referral. Given they probably had login permissions, if this has been reset, then it's back to attempting to steal a cookie. If this is patched it's unlikely you will see this attempt, but you should still see the attempts unless the logs are getting cleared. I'd run a cron to ftp my logs every hour.

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}
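The advice above (separate targeted requests to the gallery from legitimate browsing and referrals, and keep copies of the logs) is the kind of thing that can be scripted over the hourly log copies. The following is an added example, not from the thread or the projects discussed, that parses Apache combined-format access log lines, URL-decodes the request path, and sorts gallery requests into three buckets: requests carrying script-like payloads, direct requests with no referer, and referred browsing. The log lines, IP addresses, the `/modules/gallery/` path prefix and the `album` parameter are all constructed for the example.

```python
"""Added example: triage of Apache combined-format access log lines for a gallery path.
Sample log lines are constructed; the gallery prefix is an assumption passed as a parameter."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script-like fragments that have no business in a gallery query string.
PAYLOAD_RE = re.compile(r"(<script|javascript:|onerror\s*=|onload\s*=|document\.cookie)", re.I)


def parse_line(raw: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(raw)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str], gallery_prefix: str) -> str:
    """Bucket a request: other / targeted-payload / direct-no-referer / referred."""
    if not entry["path"].startswith(gallery_prefix):
        return "other"
    decoded = unquote(entry["path"])  # payloads usually arrive percent-encoded
    if PAYLOAD_RE.search(decoded):
        return "targeted-payload"
    if entry["referer"] == "-":
        return "direct-no-referer"
    return "referred"


def triage(log_text: str, gallery_prefix: str = "/modules/gallery/") -> List[Dict[str, str]]:
    """Parse and classify every line; unparseable lines are skipped."""
    results = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        entry["category"] = classify(entry, gallery_prefix)
        results.append(entry)
    return results


def suspicious_sources(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Source IPs that sent payload-bearing gallery requests, with request counts."""
    counts: Dict[str, int] = {}
    for e in results:
        if e["category"] == "targeted-payload":
            counts[e["ip"]] = counts.get(e["ip"], 0) + 1
    return counts


# Constructed sample log (documentation IP ranges, invalid hostnames).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2008:03:12:44 +0000] "GET /modules/gallery/view.php?album=summer HTTP/1.1" 200 5120 "http://www.example.invalid/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2008:03:13:01 +0000] "GET /modules/gallery/view.php?album=%3Cscript%3Edocument.cookie%3C/script%3E HTTP/1.1" 200 4210 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2008:03:14:10 +0000] "GET /index.php HTTP/1.1" 200 3000 "http://search.example.invalid/?q=pix" "Mozilla/5.0"
203.0.113.11 - - [10/Feb/2008:03:15:30 +0000] "GET /modules/gallery/view.php?album=winter HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["ip"], e["category"], unquote(e["path"]))
    print(suspicious_sources(triage(SAMPLE_LOG)))
```

Two caveats a practitioner would add: the access log only records the request line, so payloads delivered in POST bodies or headers will not appear, and a reflected XSS link is clicked by the victim, so the interesting entry is the one carrying the payload regardless of which IP sent it. The cookie-theft path in the advisory quoted above is also why session cookies should carry the HttpOnly flag and why a password reset should invalidate existing sessions, not only change the stored hash.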


Sorry all, not sure how I missed these latest posts. I don't use gallery. I do use WHM and CPanel which after being upgraded haven't given me any issues.... that I know about.... 😉

Jeruvy, could you provide links to this Google Maps vulnerability you are referring to? I couldn't find anything. I'd like to actually confirm whether the dfmaps module has a problem or not.

Cheers,

Ronin
Ronin Technologies
Dragonfly Google Maps Module

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 14.04 / 2.4.7 / 5.5.37 / 5.5.9 / 9.4.0.0


Surely he isn't referring to the VML exploit from 2006.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
[CentOS release 4.6 (Final)] | [Apache 1.3.37] | [MySQL 4.1.21-standard-log (client: 4.1.21) | [PHP 4.4.7] | [DF 9.2.1] | [FPro 2.0.2]


No sultan I wasn't. My brain can't store garbage that long
Ronin, I'll try to reference it again and post back.

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}


Actually (I can't believe it) it was from back in 2006. Man time flies too fast. Going to have to do another vacation to fix this brain problem.

Nov 2006. Instead of posting the ONE issue, I give you ALL of Google's vulnerabilities. Beware, Secunia does link to evil web sites. It's rare but you never know where you'll end up sometimes. But this will show the entire history of disclosed vulnerabilities.

secunia.com/search/?search=google

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}
