simpilot (Administrators) posted September 27, 2013:

The third-party Open Flash Chart script that is used within phpVMS has an exploit that has been used recently and often to deface and/or alter sites using the phpVMS software. I have cleaned 11 of my clients' sites in the last 36 hours. Although some sites have been obviously defaced with homepages replaced, some have had advertising scripts uploaded to redirect users to various companies.

An example of a defacement today -> http://hack-db.com/787962.html
The exploit is explained here -> http://www.exploit-d...exploits/10532/

WHAT TO LOOK FOR: if you have a folder in /core/lib/ that is called "tmp-upload-images", your site has been compromised. Inside that folder can be a number of files, but the one that gets everything started is .wp-moon.php. I have also found these in that folder:
1.php
e.php
er.php
tb.php

If this folder is present, start looking in the root of your site for files possibly called:
0zie.html
index.html - if you had one previously, check the date of the last change; it may have been overwritten
agg.html - an advertising script for ugg boots.....
cst.html
sto.html
unc.html

What do I do now?
Delete the entire folder "tmp-upload-images" and remove any other suspicious files from the root of your site. Review ANY file that you do not recognize or that has a last-changed date similar to those in the "tmp-upload-images" file.
Delete or rename the folder /core/lib/php-ofc-library. The script(s) that are being used in this exploit are within this folder. This will cause all of the flash charts on the site to no longer function, but all other functionality should remain as it was.

NOTE: There is a school of thought that the only file that is being exploited is the "ofc_upload_image.php" file within the "php-ofc-library" folder. You can try to delete just this file and your charts will still function, but there may still be a vulnerability and I would watch your directory tree for a while.

In all the sites I have cleaned today I have not found any evidence of any database intrusion or data loss. I would still HIGHLY recommend that if you have found any of these items on your site you change all your passwords associated with the site as soon as possible. This includes the database password that phpVMS uses, email passwords, and web panel admin access passwords.

Nabeel has been made aware of this and is researching a patch at this time.

Update 1 - http://forum.phpvms.net/topic/16288-notice-open-flash-chart-exploit/#entry82657
Update 2 - http://forum.phpvms....__20#entry82672
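As an added defensive example (not code from the post or from phpVMS), the following POSIX shell script checks an install for the indicators named above: the tmp-upload-images folder and its contents, the dropped root-level files, and whether the ofc_upload_image.php uploader is still present, plus a recent-files listing to review by hand. The sample tree built by make_sample_site is constructed for demonstration, and the site root path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: scan a phpVMS install for the indicators
# named in the post. make_sample_site builds a constructed tree for demonstration;
# point scan_phpvms at your real site root (the path is an assumption).

IOC_UPLOAD_DIR="core/lib/tmp-upload-images"                    # presence alone = compromised
IOC_VULN_FILE="core/lib/php-ofc-library/ofc_upload_image.php"  # uploader the thread says to remove
# Root-level files reported in the thread as dropped by the attackers
IOC_ROOT_FILES="0zie.html agg.html cst.html sto.html unc.html clean.html z.txt indo.php xeno.php
avril.php badi.html aboutus.html shipping.html history.html shipment.html faq.html contact.html contanct.html"

# scan_phpvms ROOT: print one line per indicator found; return value = number of hits (0 = clean)
scan_phpvms() {
  root="$1"; hits=0
  if [ -d "$root/$IOC_UPLOAD_DIR" ]; then
    echo "HIT dir:  $IOC_UPLOAD_DIR"; hits=$((hits + 1))
    # list everything inside, including dotfiles such as .wp-moon.php
    for f in "$root/$IOC_UPLOAD_DIR"/.[!.]* "$root/$IOC_UPLOAD_DIR"/*; do
      [ -f "$f" ] && { echo "HIT file: ${f#"$root"/}"; hits=$((hits + 1)); }
    done
  fi
  for name in $IOC_ROOT_FILES; do
    [ -f "$root/$name" ] && { echo "HIT file: $name"; hits=$((hits + 1)); }
  done
  if [ -f "$root/$IOC_VULN_FILE" ]; then
    echo "WARN uploader still present: $IOC_VULN_FILE"; hits=$((hits + 1))
  fi
  return "$hits"
}

# recent_files ROOT DAYS: files changed within DAYS days, to review by hand as the post advises
recent_files() { find "$1" -type f -mtime "-$2"; }

# make_sample_site: constructed tree mimicking a compromised install (demo/test data only)
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/$IOC_UPLOAD_DIR" "$d/core/lib/php-ofc-library"
  : > "$d/$IOC_UPLOAD_DIR/.wp-moon.php"; : > "$d/$IOC_UPLOAD_DIR/1.php"
  : > "$d/agg.html"; : > "$d/$IOC_VULN_FILE"; : > "$d/index.php"
  echo "$d"
}

# Usage: sh scan.sh --demo   (or source the file and call scan_phpvms /path/to/site)
if [ "${1:-}" = "--demo" ]; then
  site=$(make_sample_site)
  scan_phpvms "$site"; echo "hits: $?"      # prints 5 hits for the sample tree
  recent_files "$site" 1; rm -rf "$site"
fi
```

A non-zero hit count means something in the thread's indicator list is present; a clean install returns 0, and the recent-files list is only a starting point for the manual review the post recommends.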
flyalaska posted September 27, 2013:

Thank you Dave.
simpilot (Administrators, thread author) posted September 27, 2013:

Additionally, today I have found files with the following names in the root of compromised sites:
aboutus.html
shipping.html
history.html
shipment.html
faq.html
contact.html
contanct.html

They have all had advertising redirects and/or iframes in them. Just a reminder that if you find that your site has been compromised, check all files with recent change dates.
Sava posted September 27, 2013:

My site was compromised as well. Thanks for letting me know what the issue is.
joeri (Moderators) posted September 27, 2013:

Same here; this morning it was OK and later on it got hacked.
freshJet posted September 27, 2013:

I found a file called z.txt in my public_html. Inside was this:

- Indonesian Cyber Army -
__ _ / \ ___ (_) ___ | () | |_ / | | / -_) _\__/ _/__| _|_|_ \___| _|"""""|_|"""""|_|"""""|_|"""""| "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'
flyalaska posted September 27, 2013:

Probably from the hundreds of bogus signups I get each month.
freshJet posted September 27, 2013:

If of any use, I traced these IP addresses:
199.48.164.78 - traced to Jacksonville, USA
114.79.19.110 - traced to Semarang, Indonesia

Both were responsible for the creation of the files in tmp-upload-images. Also found indo.php in public_html.
Tylor Eddy posted September 28, 2013:

Thanks guys, I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file, Rob. They didn't succeed in hacking our site though.
Tom posted September 28, 2013:

Big ol' list of people they've exploited: http://www.hack-db.com/team/indonesian_cyber_army/all.html

Go back a few pages and there are tons of VA sites. Pretty much everyone.
Kapitan posted September 28, 2013:

Same happened to me.
freshJet posted September 28, 2013:

> Thanks guys, I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file, Rob. They didn't succeed in hacking our site though.

On your site? I'm trying to change my password and block these IPs, but I'm getting errors about my .htaccess, which I can't find. It says it exists, however, when I try to create it.
Ashj24uk posted September 28, 2013:

Thanks for that Dave. Jet2 was attacked as well.
Toyuko posted September 28, 2013:

I don't know whether my site got compromised... but will check now. Yes, it was compromised.
Strider posted September 28, 2013:

Another file called clean.html was on my site; it is another one they place.
Tylor Eddy posted September 28, 2013:

> On your site? I'm trying to change my password and block these IPs, but I'm getting errors about my .htaccess, which I can't find. It says it exists, however, when I try to create it.

Yes, they were linking to your .htaccess for some reason in one of their scripts. Wouldn't have a clue why, but I'm glad they failed in their hacking attempt.
Ariel posted September 28, 2013:

*phone rings on deck* "Yes, what do you see?" "ICEBERG RIGHT AHEAD" "HARD ON STARBOARD" *speaks between his teeth* "turn, ...trun,.. turn," *TITANIC HITS ICEBERG* *cpt: what was that, Mr. Ismay* *Mr. Ismay: an iceberg sir, I tried to port round it but she hit*

Haha, talk about weird and over dramatic, but vDelta has been hit as well. I won't be able to fix any of this till later because I'm at work, but we will be in maintenance mode for now.
simpilot (Administrators, thread author) posted September 28, 2013:

I have found an item that I was missing the first time around and am again repairing sites. Be sure to look in the /home directory of your site, generally where your public_html folder is placed. Within it I have found a folder named /img. On some sites that I have found compromised they have been able to use a php.ini command, " disable_functions=none ", and elevate the folder to the home directory, create a folder and in it place a file called sql.php - killer.php - f***.php among others, which then searches for and downloads any file on the server that is a configuration file. Forums, blogs, phpVMS, anything that has a config file, at that point is open game for them.

Everything seems to center around the site -> http://www.sellukaweb.com

And the code that is being used once they gain access is by Jayalah Indonesiaku - © 2012 - http://code.google.com/p/b374k-shell - it is basically a file manager not much unlike what is in cPanel. It allows them to delete, add, edit any file on the server.

As far as IPs, I have seen hundreds of different ones from the server logs at the time of attacks; they are using proxies and spoofing to avoid that connection.
Ariel posted September 28, 2013:

Well, though one of my sites wasn't defaced, the other ones were. I have changed name servers, hoping that will work some way.
SkiesTheLimit posted September 28, 2013:

I have gotten as much info as possible:
https://www.facebook.com/pages/Indonesian-Cyber-Army/143226482494126 (their facebook)
http://indocyberarmy.blogspot.com (their blog)

Mr. Xenophobic is the lead hacker: http://www.facebook.com/NewbieHackker - his name is Tidak Pentin.
Another hacker who goes by the name Cyber_Taregh, who is responsible for the defacement of vpia.org and wnvirtual.org, is named Rifky Adri Putra; his Facebook is https://www.facebook.com/deejayakira?fref=ts

They have compromised and will do defacing. HN-Community and more.
simpilot (Administrators, thread author) posted September 28, 2013:

SERVER ADMINS - Be sure the server you are running has the Apache symlink patch applied to it. I have found client sites on some outdated servers where the simple defacement turned into a symlink attack, which is now affecting all those that are hosted with them. Justhost and GoDaddy are two that I have found that at least have a couple of servers that are not patched for this type of attack. You can find a decent how-to here -> http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/
Strider posted September 28, 2013:

Question is, how do you know if your server is patched?
mischka posted September 29, 2013:

Thanks for the heads-up on this! I also found the .wp-moon.php file but no other suspicious files in any of the roots of my website(s), and no damage has been done. I did get a lot of phpVMS system emails about users who subscribed, but looking in the system those users never appeared. It was always something like Firstname FirstnameXX, where the two first names were always the same and XX some random capital letters. Does this sound familiar to you guys? Could it be related? I trust Nabeel's efforts to keep this secure but not necessarily all other developers, including myself! :-/
Ariel posted September 29, 2013:

Just to add to the files that are being used on the sites: the ones I found on mine are avril.php and badi.html, and one of my directories has a folder named /x. You might want to make sure to delete that; it has nothing but txt files that are empty. These txt files are the config files for every hacked website that was either hit or targeted.
SkiesTheLimit posted September 29, 2013:

If you find the file indo.php, the hacker is this person: https://www.facebook.com/cracker.indo - his name is Bimo Septiawan, and he goes by the hacker handle Garuda Dot ID.
If you find the file xeno.php, it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no English, but if you ask they will tell you to patch up your site and they will undeface it. No data has been lost or leaked according to Xeno.
Ariel posted September 29, 2013:

> If you find the file indo.php, the hacker is this person: https://www.facebook.com/cracker.indo - his name is Bimo Septiawan, and he goes by the hacker handle Garuda Dot ID. If you find the file xeno.php, it was hacked by http://www.facebook.com/NewbieHackker. They speak little to no English, but if you ask they will tell you to patch up your site and they will undeface it. No data has been lost or leaked according to Xeno.

Call me silly if you will, but it's funny how you have kept in contact with these people, as well as know who they are, but despite all that, according to Mr. Xenophobic's list of added domains to the db, yours isn't listed. So now what makes you think I will trust what you are saying and contact this bunch of idiots to restore my websites? They are claiming no data has been lost or leaked; now how the hell are we supposed to be sure of that or not!
Nabeel (Administrators) posted September 29, 2013:

Hi,

Don't contact them for anything. Just clean out any files you don't recognize. I'm looking to determine where the hack is, and then patch the ofc library and release an update. Unfortunately, the exploit comes from a 3rd party library.

My host caught it and shut down those accounts almost immediately, so there was only 1 compromised account on the fivedev servers. But it was also shut off immediately.

Thanks for looking out and letting me know. I'll try to get something together real soon.
freshJet posted September 29, 2013:

Is it worth notifying hosts?
Strider posted September 29, 2013:

Chase Reid, just looked them up; he is not a hacker, nor does he have any need to hack other VAs.
simpilot (Administrators, thread author) posted September 29, 2013:

The exploit is only through the one file within the open chart library, ofc_upload_image.php, as far as I have been able to tell. It allows for unfiltered data to be uploaded. I have many sites now running with just that file removed without issue.