Jump to content
simpilot

[NOTICE] - Open Flash Chart Exploit

Recommended Posts

Strider    252

I think the exploit is not just the ofc-upload-image.php, as I have seen them trying open-flash-chart.php in my error log yesterday. I think until a fix has been found, disable the charts, by removing the php-ofc-library folder and it's contents.

 [29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning:  include_once(/***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning:  include_once() [<a href='function.include'>function.include</a>]: Failed opening /***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Fatal error:  Class 'open_flash_chart' not found in /***/****/***/***/core/common/OFCharts.class.php on line 33  

Share this post


Link to post
Share on other sites

ok then the whole thing is a bit different to what I've read here. This folder exists on my site. Even though I deleted the file /ofc_upload_image.php yesterday and thee are no suspicious files at all. Not in the folder either and no data got lost. Everything is still functioning as it should. Error logs don't point out anything unusual either.

Share this post


Link to post
Share on other sites
AlexCohrs    0

Yesterday I cleaned my Fivedev server completely, did setup a new phpVMS install, deleteted the ofc_upload_image.php and reinstalled my skin and stuff from an old backup.

Today I realised that on the same day again some modifications on the server have been made. For example, I found a new tmp-uploade-images folder on my server. So if that's true what you are saying and that is not part of the original installation, it looks like just deleting the ofc_upload_image.php does not do the trick. Also some other files on my server with modification date this morning (where i did not do anything) looks suspiscious. The difference, this time, is that the site is still working.

Would you say that I should shutdown everything again, erase all data and wait until a new phpVMS version is valid? I have the backups, so no data will be lost, and I don't want to do this sh... again and again...

Edit: This is what I find in /access-logs/goldenghanavirtual.org (just a short part of it, repeats serveral times from different IPs):

202.175.9.212 - - [30/Sep/2013:13:26:41 -0400] "POST //core/lib/php-ofc-library/ofc_upload_image.php?name=doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"

202.175.9.212 - - [30/Sep/2013:13:26:48 -0400] "GET //core/lib/tmp-upload-images/doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"

Does that mean they TRY to hack the site again or does it mean the HAVE already access? Note that ofc_upload_image.php has already been removed from the server by that time.

Share this post


Link to post
Share on other sites
t_bergman    21

I got hack 27/09/13 and the funny is the file ofc_upload_image.php i found was modified or created 3 months ago...how ?

That is the date the file was created, not uploaded.

Share this post


Link to post
Share on other sites
vcal    8

I got hacked and while looking at the files, they threw in a load of other stuff too. Thankfully, they never touched my store. My site has been removed completely and I will reinstall. Maybe after Nabeel has a fix. They also know about removing the ofc_upload_image.php. They are following the forum.

  • Like 1

Share this post


Link to post
Share on other sites
ARV187    41

My hosting answer me this:

Hi there,

You may wish to remove the affected scripts from your site or upgrade to the latest versions, that bug is from 2009 and has been patched by the developers for awhile.

Please let us know if there is anything further we can do for you.

Best Regards

Where we can find the patch to script?

Share this post


Link to post
Share on other sites
freshJet    227

I think the exploit is not just the ofc-upload-image.php, as I have seen them trying open-flash-chart.php in my error log yesterday. I think until a fix has been found, disable the charts, by removing the php-ofc-library folder and it's contents.

 [29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once(/***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once() [<a href='function.include'>function.include</a>]: Failed opening /***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Fatal error: Class 'open_flash_chart' not found in /***/****/***/***/core/common/OFCharts.class.php on line 33 

That's not them, that's your charts not working because you deleted/renamed the folder...

  • Like 1

Share this post


Link to post
Share on other sites
Nabeel    1704

Looks like these are good hackers... :blink:

Good would have been an alert :\

My hosting answer me this:

Where we can find the patch to script?

Delete the core/lib/ofc_image_upload.php file, or replace it with the one from the latest download.

ofc_image_upload.php is something that's not even used. The rest of the library is just an interface to the charts, which are used internally, and no URL parameters are passed in.

Share this post


Link to post
Share on other sites
Mark Noble    3

Hi All, My service provider is one.com and they suspended my domain as it was hacked. I got them to open up just ftp so I can have a look and yes I have had the same files and folders as above. I removed all my folders and files from my domain (OK its over the top but wanted to be safe). I then downloaded the latest full version from your site and re installed. I changed my ftp and MySQL passwords and also my main log in password for my one.com account. After 2 hours I got an email from one.com that its been suspended agin due to attack. I got them to open up ftp only again and yes the same files and my be even more was found. I then spoke to one.com again ref to the patch that is required for apache servers and heres the contents of the chat.....

Welcome to the One.com chat support. We are doing our best to answer your queries soon. We kindly ask for your understanding that our answers may be delayed during busy periods.

You are number 2 in the queue for our customer support. Currently the estimated waiting time is 1 minutes and 19 seconds.

You are now chatting with 'Arjun'

Arjun: Thank you for using One.com 24/7 Interactive Online Support. My name is Arjun. How may I assist you?

you: hi my site has been attacked twice now and cleared with your help. I had to remove all files from site and wait for the 3rd party to bring out a patch. there is no patch as its a problem with the hosting servers that use apache for php scripts. heres the link to rectify it. Can you check and make sure your apache is up to day so I can reload the pages back on

you: http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

Arjun: Hello

Arjun: May I know the domain name?

you: until this is done ill always get attacked

you: noble-airlines.org.uk

Arjun: Please hold on while I check.

you: k

Arjun: This does not apply to our server setup as we have PHP installed as a CGI module, so PHP is the one that handles symlinks instead of apache directly as stated in the link you have provided. At present none of your scripts have a built in upload function. However, please be informed that you were only hacked once, the second suspension was done because some files were missed from the first suspension, it was so that you could remove that too.

you: after the first hacked I also removed the whole site folders and files and re installed the software and I got attacked again at 7pm

Arjun: Your domain was suspended first on September 30, and it was re-enabled later that day. However, more infected files were detected, which were previously not listed.

Arjun: To add this to the list, it was suspended again.

Arjun: So that you could remove it.

you: not the case so just to confirm this as im going to copy this whole chat. Are ALL the files now removed then

you: the only folder left is holidays

Arjun: Yes, they are all removed and your domain has been re-enabled again. The holidays folder only contains a simple index.html file right now

you: ok so im going to now install the software again then and if I get attacked again then im going to show the next one.com adviser this chat. ITS NOT TO GET YOU IN TROUBLE but to show them theres still a why into your php setup

you: or do you want to stay online while ill install the software

Arjun: Installing the same software that has the vulnerability in it will only mean that there is a chance of getting hacked again.

Arjun: It is not an Apache vulnerability here, but rather a file upload extension in your script that is being utilized by the hacker to upload the malware.

you: they are saying there isn't its that link I gave you thats causing it

Arjun: As I explained before, this does not apply in our case as symlinks are not handled by apache on our servers, but via PHP.

Arjun: The second fix also wont help as it would mean preventing access to some particular files, but that can be done if required

you: so you don't mind if I copy and past this into their forums then for them to investergate

Arjun: Sure

Arjun: If they have further comments about it, you can let us know

you: ok thx for help

Arjun: You are welcome.

Arjun: Is there anything else I can help you with ?

you: nope that's it thanks

Arjun: Thank you for contacting Chat Support, feel free to contact us anytime if you have more inquiries.

Any ideas where to go from here regards Mark

Share this post


Link to post
Share on other sites
STALKER    13

Hi all.

If this can help someone they changed my main index.php (and they added some files I have deleted) and they changed also my index.php in my admin folder, so...

- I have restore both index.php and now all works fine

- I have deleted the /core/lib/tmp-upload-images (inside there was a file named a.php) folder

- I have renamed the /core/lib/php-ofc-library (there is no inside any file named ofc_upload_image.php)

Now I have downloaded the update version, how can I install it? simply copying the new files in my host? Can I download the full version and simply delete ALL files and copy the new files in my host to be absoluty sure there are no any malicious file in my host?

Thank you

Share this post


Link to post
Share on other sites
mark1million    159

Things to look for are.

Your current htaccess files and all index files, remember hackers will place their code outside of your page view to usually to the right of the page where you wouldnt normally look or scroll across to or 100 or so lines below the bottom of your page.....

You should have no blank lines in any of your pages because thats where their exploit code is, you think you have cleaned the original exploit but they have created their own one inside your pages.

Share this post


Link to post
Share on other sites
mark1million    159

Well, my site has been hacked. Would be nice if we had a CRC check feature like some of the CMS have.

Upload the install folder and run the file checkinstall.php, dont forget to delete it again afterwards.

Share this post


Link to post
Share on other sites
captainB    0

I assume that would work for a "clean" install only? My installation was highly customized

Upload the install folder and run the file checkinstall.php, dont forget to delete it again afterwards.

Share this post


Link to post
Share on other sites
simpilot    2128

Well, my site has been hacked. Would be nice if we had a CRC check feature like some of the CMS have.

That would be a nice feature, feel free to fork the repo and contribute.

Share this post


Link to post
Share on other sites
yourairways    0

Dear All!

Our site was also hacked.

29th evening - some index.php/html files where replaced.

29th later evening - some more index.php/html files where replaced.

We tought that it is a "robot" that uses some kind a weakness. All passwords where replaced and software upgraded to the latest versions (where possible).

30th early morning - it was clear (according to logs), that it was not a "robot" but a human, who was quite freely changing files, making copies of files, etc. The access to the web was blocked by us, until we could find out what is the weak spot.

Later on 30th of September - We took some "drastic" measures (mainly by creative minds from http://www.flightsim.ee/) to protect our Servers (3-4 hrs of hard work). Sadly, I think that it can not be used for other VA-s, since we run phpvms only for "Intranet". Anyways, please contact us for more details, if You are interested, since I am not going to post the "trick" here. The system is up and running, files are cleaned, and everything restored - aircraft flying. The server log shows that there has been several attempts to re-hack without success, so far.

Those kids from Indonesia do not sleep, and it seems that a really huge amount of VA-s are down for now, and it is just stupid, to do it for competition. And I think that they will continue to "score" until the working patch is out.

http://flyjh.lennusimu.net

Share this post


Link to post
Share on other sites
TAV1702    909

We got hit to. I cleaned everything out. They had a remote sql script installed and we were running a joomla and wordpress site. and a BUNCH of other files.

Share this post


Link to post
Share on other sites
Strider    252

Yourairways I think u need to read the announcements forum, nabeel has already released an update with the culprit file patched.

Share this post


Link to post
Share on other sites
captainB    0

Gents,

Check for log.php in your root, looks like malicious code too,

Olly

Files I found at my site, worth to check if you guys have those:

x.txt

components.zip;unzip.1

e.php

kliverz.php

log.php

php.ini(multiple)

pijar.php

cwd.php

bim.php

default.php(multiple)

sunnah.html

Share this post


Link to post
Share on other sites
captainB    0

That would be a nice feature, feel free to fork the repo and contribute.

Done that now, already made the code that produces the MD5 from all the files, will work on the script that will do the checks and then try to integrate that somehow ( in the admin panel? or a CRON outside script? )

Share this post


Link to post
Share on other sites
gabry5    0

I have two language versions on separate domains. During checking I found ".php" file in /lib/js/js-ofc-library but it's not present in second domain and in a raw version of phpvms, so I suppose that's connected to THEM.

Share this post


Link to post
Share on other sites
yourairways    0

Yeah, I saw the official "post" about patch for phpvms. But since the phpvms is not so widely used, as some other software (wordpress for example or similar), the week spots there are, will be patched after most of the users are already hacked. That is just something that we can not allow to happen anymore, since "sensitive" information can be lost. That is the reason why "dual" protection is used. Our phpvms users wont notice it anyways.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×