[NOTICE] - Open Flash Chart Exploit

[simpilot]

The third party Open Flash Chart script that is used within phpVMS has an exploit that has been used recently and often to deface and/or alter sites using the phpVMS software. I have cleaned 11 of my client's sites in the last 36 hours.

Although some sites have been obviously defaced with homepages replaced, some have had advertising scripts uploaded to redirect users to various companies. An example of a defacement today -> http://hack-db.com/787962.html

The exploit is explained here -> http://www.exploit-d...exploits/10532/

WHAT TO LOOK FOR;

if you have a folder in /core/lib/ that is called "tmp-upload-images" your site has been compromised.

Inside that folder can be a number of files but the one that gets everything started is .wp-moon.php

I have also found these in that folder

1.php

e.php

er.php

tb.php

If this folder is present start looking in the root of your site for files possibly called

0zie.html

index.html - if you had one previously check the date of the last change, it may have been overwritten

agg.html - an advertising script for ugg boots.....

cst.html

sto.html

unc.html

What do I do now?

Delete the entire folder "tmp-upload-images" and remove any other suspicious files from the root of your site. Review ANY file that you do not recognize or has a last changed date similar to those in the "tmp-upload-images" file.

Delete or rename the folder /core/lib/php-ofc-library

The script(s) that are being used in this exploit are within this folder.

This will cause all of the flash charts on the site to no longer function but all other functionality should remain as it was.

NOTE: There is a school of thought that the only file that is being exploited is the "ofc_upload_image.php" file within the "php-ofc-library" folder. You can try to delete just this file and your charts will still function but there may still be a vulnerability and I would watch your directory tree for a while.

In all the sites I have cleaned today I have not found any evidence of any database intrusion or data loss. I would still HIGHLY recommend that if you have found any of these items on your site to change all your passwords associated with the site as soon as possible. This includes the database password that phpVMS uses, emails use, and web panel admin access passwords.

Nabeel has been made aware of this and is researching a patch at this time.

Update 1 - http://forum.phpvms.net/topic/16288-notice-open-flash-chart-exploit/#entry82657

Upadte 2 - http://forum.phpvms....__20#entry82672

[flyalaska]

Thank you Dave.

[simpilot]

Additonally today I have found files with the names;

aboutus.html

shipping.html

history.html

shipment.html

faq.html

contact.html

contanct.html

in the root of compromised sites. They have all had advertising redirects and/or iframes in them. Just a reminder that if you find that your site has been compromised to check all files with recent change dates.

[Sava]

My site was compromised as well. Thanks for letting me know what the issue is.

[joeri]

same here this morning it was ok and later on it got hacked.

[freshJet]

I found a file called z.txt in my public_html. Inside was this:

   - Indonesian Cyber Army -

  __			  _		   
  /  \	 ___    (_)	 ___  
 | () |   |_ /    | |    / -_)
 _\__/   _/__|   _|_|_   \___|
_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

[flyalaska]

Probably from the 100's of bogus signups I get each month

[freshJet]

If of any use, I traced these IP addresses:

199.48.164.78 - traced to Jacksonville, USA

114.79.19.110 - traced to Semarang, Indonesia

Both were responsible for the creation of the files in tmp-upload-images. Also found indo.php in public_html.

[Tylor Eddy]

Thanks Guys,

I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file Rob. They didn't succeed in hacking our site though.

[Tom]

Big ol' list of people they've exploited: http://www.hack-db.com/team/indonesian_cyber_army/all.html

Go back a few pages and there's tons of VA sites. Pretty much everyone.

[Kapitan]

Same happen to me

[freshJet]

Thanks Guys,

I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file Rob. They didn't succeed in hacking our site though.

On your site? I'm trying to change my password and block these IPs but I'm getting errors about my .htaccess, which I can't find. It says it exists however when I try to create it.

[Ashj24uk]

thanks for that dave Jet2 was attacked aswell

[Toyuko]

I dont know weather my site got compromised...But all check now

Yes it was compromised.

[Strider]

Another file called clean.html was on my site, it is another one they place.

[Tylor Eddy]

On your site? I'm trying to change my password and block these IPs but I'm getting errors about my .htaccess, which I can't find. It says it exists however when I try to create it.

Yes they were linking to your .htaccess for some reason in one of their scripts, would'nt have a clue why, but im glad they failed in their hacking attempt.

[Ariel]

*phoneringsondeck* "yes what you see?" "ICEBERG RIGHT AHEAD" "HARD ON STARBOARD" *speaksbetweenhisteeth* "turn, ...trun,.. turn," *TITANIC HITS ICEBERG* *cpt: what was that mr ismay *mrismay: an iceberg sir, I tried to port round it but she hit

Haha talk about wierd and over dramatic but vDelta has been hit as well. I won't be able to fix any of this till later cus im at work but we will be on maintenance mode for now

[simpilot]

I have found an item that I was missing the first time around and am again repairing sites.

Be sure to look in the /home directory of your site, generally where your public_html folder is placed. Within it I have found a folder named /img - On some sites that I have found compromised they have been able to use a php.ini command - " disbale_functions=none " and elevate the folder to the home directory create a folder and in it place a file called sql.php - killer.php - f***.php among others which then searches for and downloads any file on the server that is a configuration file. Forums, blogs, phpVMS, anything that has a config file, at that point is open game for them.

Everything seems to center around the site -> http://www.sellukaweb.com

And the code that is being used once they gain access is by Jayalah Indonesiaku - © 2012 - http://code.google.com/p/b374k-shell - it is basically a file manager not much unlike what is in cPanel. It allows them to delete, add, edit, any file on the server.

As far as IP's, I have seen hundreds of different ones from the server logs at the time of attacks, they are using proxy's and spoofing to avoid that connection.

[Ariel]

Well though one of my sites wasnt defaced the other ones where. I have changed name servers hoping that will work some way

[SkiesTheLimit]

I have gotten as much info as possible

https://www.facebook.com/pages/Indonesian-Cyber-Army/143226482494126 (their facebook)

http://indocyberarmy.blogspot.com (their blog)

Mr. Xenophobic is the lead hacker: http://www.facebook.com/NewbieHackker his name is Tidak Pentin

another hacker who goes by the name Cyber_Taregh who is responsible for the defacement of vpia.org

and wnvirtual.org his name is Rifky Adri Putra his Facebook is

https://www.facebook.com/deejayakira?fref=ts

They have compromised and will do defacing. HN-Community and more

[simpilot]

SERVER ADMINS - Be sure the server you are running has the Apache symlink patch applied to it. I have found client sites on some outdated servers that have the simple defacement turn into a symlink attack which is now affecting all those that are hosted with them.

Justhost and GoDaddy are two that I have found that at least have a couple of servers that are not patched for this type of attack.

You can find a decent how to here -> http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

[Strider]

Question is, how do you know if ur server is patched?

[mischka]

thanks for the heads-up on this! i also found the .wp-moon.php file but no other suspicious files in any of the roots of my website(s) and no damage has been done.

I did get a lot of phpvms system emails about users who subscribed but looking in the system those users never appeaed. It was always something like Firstname FirstnameXX where the two firstnames was always the same and XX some random capital letters. Does this sound familiar to you guys? Could it be related?

I trust Nabeels efforts to keep this secure but not necesarily all other developers, including myself! :-/

[Ariel]

Just to add to the files that are being used on the sites that i found on mines are

avril.php

badi.html

and one of my directories has a folder named /x you might want to make sure to deleted that it has nothing but txt files that are empty. These txt files are the config files for every hacked website that was either hit or targeted

[SkiesTheLimit]

If you find files: indo.php the hacker is this person: https://www.facebook.com/cracker.indo

His name is Bimo Septiawan, he goes by the hacker handle: Garuda Dot ID

If you find files: xeno.php it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no english but if you ask they will tell you to patch up your site an they will undeface it. no data has been lost or leaked according to Xeno

[Ariel]

If you find files: indo.php the hacker is this person: https://www.facebook.com/cracker.indo

His name is Bimo Septiawan, he goes by the hacker handle: Garuda Dot ID

If you find files: xeno.php it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no english but if you ask they will tell you to patch up your site an they will undeface it. no data has been lost or leaked according to Xeno

Call me silly if you will but its funny how you have kept in contact with these people, as well as know who they are, but despite all that, according to Mr. Xenophobics list of added domains to the db yours isnt listed. so now what makes you think i will trust what you are saying and contact these bunch of idiots to restore my websites. They are claiming no data has been lost or leaked now how the hell are we suppose to be sure of that or not!

[Nabeel]

Hi,

Don't contact them for anything.

Just clean out any files you don't recognize. I'm looking to determine where the hack is, and then patch the ofc library, and release an update.

Unfortunately, the exploit comes from a 3rd party library. My host caught it and shut down those accounts almost immediately, so there was only 1 compromised account on the fivedev servers. But it was also shut off immediately.

Thanks for looking out and letting me know. I'll try to get something together real soon.

[freshJet]

Is it worth notifying hosts?

[Strider]

Chase Reid, just looked them up, he is not a hacker, nor does he have any need to hack other VA's.

[simpilot]

The exploit is only through the one file within the open chart library, ofc_upload_image.php as far as i have been able to tell. It allows for unfiltered data to be uploaded. I have many sites now running with just that file removed without issue.