
[NOTICE] - Open Flash Chart Exploit


simpilot


  • Administrators

The third-party Open Flash Chart script that is used within phpVMS has an exploit that has been used recently and often to deface and/or alter sites using the phpVMS software. I have cleaned 11 of my clients' sites in the last 36 hours.

Although some sites have been obviously defaced with homepages replaced, some have had advertising scripts uploaded to redirect users to various companies. An example of a defacement today -> http://hack-db.com/787962.html

The exploit is explained here -> http://www.exploit-d...exploits/10532/

WHAT TO LOOK FOR:

If you have a folder in /core/lib/ that is called "tmp-upload-images", your site has been compromised.

Inside that folder can be a number of files, but the one that gets everything started is .wp-moon.php

I have also found these in that folder:

1.php

e.php

er.php

tb.php

If this folder is present, start looking in the root of your site for files possibly called:

0zie.html

index.html - if you had one previously check the date of the last change, it may have been overwritten

agg.html - an advertising script for ugg boots.....

cst.html

sto.html

unc.html

What do I do now?

Delete the entire folder "tmp-upload-images" and remove any other suspicious files from the root of your site. Review ANY file that you do not recognize or that has a last-changed date similar to those in the "tmp-upload-images" folder.

Delete or rename the folder /core/lib/php-ofc-library

The script(s) that are being used in this exploit are within this folder.

This will cause all of the flash charts on the site to no longer function, but all other functionality should remain as it was.

NOTE: There is a school of thought that the only file that is being exploited is the "ofc_upload_image.php" file within the "php-ofc-library" folder. You can try to delete just this file and your charts will still function, but there may still be a vulnerability, and I would watch your directory tree for a while.

In all the sites I have cleaned today I have not found any evidence of any database intrusion or data loss. I would still HIGHLY recommend that if you have found any of these items on your site, you change all passwords associated with the site as soon as possible. This includes the database password that phpVMS uses, email passwords, and web panel admin access passwords.

Nabeel has been made aware of this and is researching a patch at this time.

Update 1 - http://forum.phpvms.net/topic/16288-notice-open-flash-chart-exploit/#entry82657

Update 2 - http://forum.phpvms....__20#entry82672


  • Administrators

Additionally, today I have found files with the names:

aboutus.html

shipping.html

history.html

shipment.html

faq.html

contact.html

contanct.html

in the root of compromised sites. They have all had advertising redirects and/or iframes in them. Just a reminder: if you find that your site has been compromised, check all files with recent change dates.

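A shell check for the indicators listed in these two posts (an added example, not code from phpVMS or the poster). It assumes the site root is passed as the only argument and contains core/lib/; it reports the tmp-upload-images folder and the dropper names inside it, the dropped pages named above, files changed after the upload folder was last written to, and whether ofc_upload_image.php is still in place.

```shell
#!/bin/sh
# Added example, not part of phpVMS. Scans one phpVMS document root for the
# indicators named in the thread. Assumption: $1 is the site root that holds
# core/lib/ (for example your public_html folder).

# Dropper names reported inside core/lib/tmp-upload-images
DROPPER_FILES=".wp-moon.php 1.php e.php er.php tb.php"
# Dropped pages reported in the site root (advertising redirects / iframes)
ROOT_FILES="0zie.html agg.html cst.html sto.html unc.html aboutus.html
shipping.html history.html shipment.html faq.html contact.html contanct.html"

# Prints one line per finding. Returns 0 when clean, 1 when anything was found.
check_phpvms_ofc() {
    root="$1"
    found=0
    tmpdir="$root/core/lib/tmp-upload-images"

    if [ -d "$tmpdir" ]; then
        echo "COMPROMISED: $tmpdir exists"
        found=1
        for f in $DROPPER_FILES; do
            if [ -e "$tmpdir/$f" ]; then echo "  dropper: $tmpdir/$f"; fi
        done
        # Files changed after the last entry was added to the upload folder:
        # the "similar last-changed date" review the first post asks for
        find "$root" -type f -newer "$tmpdir" ! -path "$tmpdir/*" \
            | sed 's/^/  changed after upload folder: /'
    fi

    for f in $ROOT_FILES; do
        if [ -e "$root/$f" ]; then echo "SUSPICIOUS: $root/$f"; found=1; fi
    done

    # The upload script is the entry point; while it is present the hole is open
    if [ -f "$root/core/lib/php-ofc-library/ofc_upload_image.php" ]; then
        echo "VULNERABLE: ofc_upload_image.php still in core/lib/php-ofc-library"
        found=1
    fi
    return $found
}

# Usage: sh check_ofc.sh /path/to/site/root   (exit status 1 = findings)
if [ $# -eq 1 ]; then check_phpvms_ofc "$1"; fi
```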

Thanks Guys,

I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file, Rob. They didn't succeed in hacking our site though.

On your site? I'm trying to change my password and block these IPs but I'm getting errors about my .htaccess, which I can't find. It says it exists however when I try to create it.


On your site? I'm trying to change my password and block these IPs but I'm getting errors about my .htaccess, which I can't find. It says it exists however when I try to create it.

Yes, they were linking to your .htaccess for some reason in one of their scripts. Wouldn't have a clue why, but I'm glad they failed in their hacking attempt.


*phoneringsondeck* "yes what you see?" "ICEBERG RIGHT AHEAD" "HARD ON STARBOARD" *speaksbetweenhisteeth* "turn, ...trun,.. turn," *TITANIC HITS ICEBERG* *cpt: what was that mr ismay *mrismay: an iceberg sir, I tried to port round it but she hit

Haha, talk about weird and over dramatic, but vDelta has been hit as well. I won't be able to fix any of this till later cus I'm at work, but we will be on maintenance mode for now.


  • Administrators

I have found an item that I was missing the first time around and am again repairing sites.

Be sure to look in the /home directory of your site, generally where your public_html folder is placed. Within it I have found a folder named /img - On some sites that I have found compromised they have been able to use a php.ini command - " disable_functions=none " - and elevate the folder to the home directory, create a folder, and in it place a file called sql.php - killer.php - f***.php among others, which then searches for and downloads any file on the server that is a configuration file. Forums, blogs, phpVMS, anything that has a config file, at that point is open game for them.

Everything seems to center around the site -> http://www.sellukaweb.com

And the code that is being used once they gain access is by Jayalah Indonesiaku - © 2012 - http://code.google.com/p/b374k-shell - it is basically a file manager, not much unlike what is in cPanel. It allows them to delete, add, or edit any file on the server.

As far as IPs, I have seen hundreds of different ones in the server logs at the time of attacks; they are using proxies and spoofing to avoid that connection.


I have gotten as much info as possible:

https://www.facebook.com/pages/Indonesian-Cyber-Army/143226482494126 (their facebook)

http://indocyberarmy.blogspot.com (their blog)

Mr. Xenophobic is the lead hacker: http://www.facebook.com/NewbieHackker - his name is Tidak Pentin.

Another hacker who goes by the name Cyber_Taregh is responsible for the defacement of vpia.org

and wnvirtual.org. His name is Rifky Adri Putra; his Facebook is

https://www.facebook.com/deejayakira?fref=ts

They have compromised and will do defacing. HN-Community and more


  • Administrators

SERVER ADMINS - Be sure the server you are running has the Apache symlink patch applied to it. I have found client sites on some outdated servers where the simple defacement turned into a symlink attack, which is now affecting all those that are hosted with them.

Justhost and GoDaddy are two that I have found that at least have a couple of servers that are not patched for this type of attack.

You can find a decent how-to here -> http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/


Thanks for the heads-up on this! I also found the .wp-moon.php file but no other suspicious files in any of the roots of my website(s), and no damage has been done.

I did get a lot of phpVMS system emails about users who subscribed, but looking in the system those users never appeared. It was always something like Firstname FirstnameXX, where the two first names were always the same and XX some random capital letters. Does this sound familiar to you guys? Could it be related?

I trust Nabeel's efforts to keep this secure, but not necessarily all other developers, including myself! :-/


Just to add to the files that are being used on the sites, the ones that I found on mine are:

avril.php

badi.html

and one of my directories has a folder named /x. You might want to make sure to delete that; it has nothing but txt files that are empty. These txt files are the config files for every hacked website that was either hit or targeted.


If you find the file indo.php, the hacker is this person: https://www.facebook.com/cracker.indo

His name is Bimo Septiawan, he goes by the hacker handle: Garuda Dot ID

If you find the file xeno.php, it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no English, but if you ask they will tell you to patch up your site and they will undeface it. No data has been lost or leaked according to Xeno.


If you find the file indo.php, the hacker is this person: https://www.facebook.com/cracker.indo

His name is Bimo Septiawan, he goes by the hacker handle: Garuda Dot ID

If you find the file xeno.php, it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no English, but if you ask they will tell you to patch up your site and they will undeface it. No data has been lost or leaked according to Xeno.

Call me silly if you will, but it's funny how you have kept in contact with these people, as well as know who they are, but despite all that, according to Mr. Xenophobic's list of domains added to the db, yours isn't listed. So now what makes you think I will trust what you are saying and contact this bunch of idiots to restore my websites? They are claiming no data has been lost or leaked; now how the hell are we supposed to be sure of that or not!


  • Administrators

Hi,

Don't contact them for anything.

Just clean out any files you don't recognize. I'm looking to determine where the hack is, and then patch the ofc library, and release an update.

Unfortunately, the exploit comes from a 3rd-party library. My host caught it and shut down those accounts almost immediately, so there was only 1 compromised account on the fivedev servers. But it was also shut off immediately.

Thanks for looking out and letting me know. I'll try to get something together real soon.


  • Administrators

The exploit is only through the one file within the open chart library, ofc_upload_image.php, as far as I have been able to tell. It allows for unfiltered data to be uploaded. I have many sites now running with just that file removed without issue.
