[NOTICE] - Open Flash Chart Exploit

simpilot    2128

The third-party Open Flash Chart script that is used within phpVMS has an exploit that has been used recently and often to deface and/or alter sites using the phpVMS software. I have cleaned 11 of my clients' sites in the last 36 hours.

Although some sites have been obviously defaced with homepages replaced, some have had advertising scripts uploaded to redirect users to various companies. An example of a defacement today -> http://hack-db.com/787962.html

The exploit is explained here -> http://www.exploit-d...exploits/10532/

WHAT TO LOOK FOR:

If you have a folder in /core/lib/ that is called "tmp-upload-images", your site has been compromised.

Inside that folder can be a number of files but the one that gets everything started is .wp-moon.php

I have also found these in that folder:

1.php

e.php

er.php

tb.php

If this folder is present, start looking in the root of your site for files possibly called:

0zie.html

index.html - if you had one previously check the date of the last change, it may have been overwritten

agg.html - an advertising script for ugg boots.....

cst.html

sto.html

unc.html

What do I do now?

Delete the entire folder "tmp-upload-images" and remove any other suspicious files from the root of your site. Review ANY file that you do not recognize or that has a last-changed date similar to those in the "tmp-upload-images" folder.

Delete or rename the folder /core/lib/php-ofc-library

The script(s) that are being used in this exploit are within this folder.

This will cause all of the flash charts on the site to no longer function but all other functionality should remain as it was.

NOTE: There is a school of thought that the only file that is being exploited is the "ofc_upload_image.php" file within the "php-ofc-library" folder. You can try to delete just this file and your charts will still function, but there may still be a vulnerability and I would watch your directory tree for a while.

In all the sites I have cleaned today I have not found any evidence of any database intrusion or data loss. I would still HIGHLY recommend that if you have found any of these items on your site you change all your passwords associated with the site as soon as possible. This includes the database password that phpVMS uses, email passwords, and web panel admin access passwords.

Nabeel has been made aware of this and is researching a patch at this time.

Update 1 - http://forum.phpvms.net/topic/16288-notice-open-flash-chart-exploit/#entry82657

Update 2 - http://forum.phpvms....__20#entry82672

simpilot    2128

Additionally, today I have found files with the names:

aboutus.html

shipping.html

history.html

shipment.html

faq.html

contact.html

contanct.html

in the root of compromised sites. They have all had advertising redirects and/or iframes in them. Just a reminder: if you find that your site has been compromised, check all files with recent change dates.

freshJet    227

I found a file called z.txt in my public_html. Inside was this:

   - Indonesian Cyber Army -

  __			  _		   
  /  \	 ___    (_)	 ___  
 | () |   |_ /    | |    / -_)
 _\__/   _/__|   _|_|_   \___|
_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

freshJet    227

If of any use, I traced these IP addresses:

199.48.164.78 - traced to Jacksonville, USA

114.79.19.110 - traced to Semarang, Indonesia

Both were responsible for the creation of the files in tmp-upload-images. Also found indo.php in public_html.

Tylor Eddy    51

Thanks Guys,

I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file Rob. They didn't succeed in hacking our site though.

freshJet    227

Thanks Guys,

I found these files on my site this morning, same group. For some reason they were linking to your .htaccess file Rob. They didn't succeed in hacking our site though.

On your site? I'm trying to change my password and block these IPs but I'm getting errors about my .htaccess, which I can't find. It says it exists however when I try to create it.

Tylor Eddy    51

On your site? I'm trying to change my password and block these IPs but I'm getting errors about my .htaccess, which I can't find. It says it exists however when I try to create it.

Yes, they were linking to your .htaccess for some reason in one of their scripts. Wouldn't have a clue why, but I'm glad they failed in their hacking attempt.

Ariel    134

*phoneringsondeck* "yes what you see?" "ICEBERG RIGHT AHEAD" "HARD ON STARBOARD" *speaksbetweenhisteeth* "turn, ...trun,.. turn," *TITANIC HITS ICEBERG* *cpt: what was that mr ismay *mrismay: an iceberg sir, I tried to port round it but she hit

Haha, talk about weird and over-dramatic, but vDelta has been hit as well. I won't be able to fix any of this till later 'cause I'm at work, but we will be on maintenance mode for now.

simpilot    2128

I have found an item that I was missing the first time around and am again repairing sites.

Be sure to look in the /home directory of your site, generally where your public_html folder is placed. Within it I have found a folder named /img. On some sites that I have found compromised they have been able to use a php.ini command - " disable_functions=none " - and elevate the folder to the home directory, create a folder and in it place a file called sql.php - killer.php - f***.php among others, which then searches for and downloads any file on the server that is a configuration file. Forums, blogs, phpVMS, anything that has a config file, at that point is open game for them.

Everything seems to center around the site -> http://www.sellukaweb.com

And the code that is being used once they gain access is by Jayalah Indonesiaku - © 2012 - http://code.google.com/p/b374k-shell - it is basically a file manager not much unlike what is in cPanel. It allows them to delete, add, edit, any file on the server.

As far as IPs, I have seen hundreds of different ones from the server logs at the time of attacks; they are using proxies and spoofing to avoid that connection.

Ariel    134

Well, though one of my sites wasn't defaced, the other ones were. I have changed name servers hoping that will work some way.


I have gotten as much info as possible

https://www.facebook.com/pages/Indonesian-Cyber-Army/143226482494126 (their facebook)

http://indocyberarmy.blogspot.com (their blog)

Mr. Xenophobic is the lead hacker: http://www.facebook.com/NewbieHackker his name is Tidak Pentin

another hacker who goes by the name Cyber_Taregh who is responsible for the defacement of vpia.org

and wnvirtual.org his name is Rifky Adri Putra his Facebook is

https://www.facebook.com/deejayakira?fref=ts

They have compromised and will do defacing. HN-Community and more

simpilot    2128

SERVER ADMINS - Be sure the server you are running has the Apache symlink patch applied to it. I have found client sites on some outdated servers that have the simple defacement turn into a symlink attack which is now affecting all those that are hosted with them.

Justhost and GoDaddy are two that I have found that at least have a couple of servers that are not patched for this type of attack.

You can find a decent how-to here -> http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

mischka    190

Thanks for the heads-up on this! I also found the .wp-moon.php file but no other suspicious files in any of the roots of my website(s), and no damage has been done.

I did get a lot of phpVMS system emails about users who subscribed, but looking in the system those users never appeared. It was always something like Firstname FirstnameXX, where the two first names were always the same and XX some random capital letters. Does this sound familiar to you guys? Could it be related?

I trust Nabeel's efforts to keep this secure, but not necessarily all other developers, including myself! :-/

Ariel    134

Just to add to the files that are being used on the sites, the ones I found on mine are:

avril.php

badi.html

and one of my directories has a folder named /x. You might want to make sure to delete that; it has nothing but txt files that are empty. These txt files are the config files for every hacked website that was either hit or targeted.


If you find files: indo.php the hacker is this person: https://www.facebook.com/cracker.indo

His name is Bimo Septiawan, he goes by the hacker handle: Garuda Dot ID

If you find files: xeno.php it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no English, but if you ask they will tell you to patch up your site and they will undeface it. No data has been lost or leaked according to Xeno.

Ariel    134

If you find files: indo.php the hacker is this person: https://www.facebook.com/cracker.indo

His name is Bimo Septiawan, he goes by the hacker handle: Garuda Dot ID

If you find files: xeno.php it was hacked by http://www.facebook.com/NewbieHackker

They speak little to no English, but if you ask they will tell you to patch up your site and they will undeface it. No data has been lost or leaked according to Xeno.

Call me silly if you will, but it's funny how you have kept in contact with these people, as well as know who they are, but despite all that, according to Mr. Xenophobic's list of added domains to the db yours isn't listed. So now what makes you think I will trust what you are saying and contact this bunch of idiots to restore my websites? They are claiming no data has been lost or leaked; now how the hell are we supposed to be sure of that or not!

Nabeel    1701

Hi,

Don't contact them for anything.

Just clean out any files you don't recognize. I'm looking to determine where the hack is, and then patch the ofc library, and release an update.

Unfortunately, the exploit comes from a 3rd-party library. My host caught it and shut down those accounts almost immediately, so there was only 1 compromised account on the fivedev servers. But it was also shut off immediately.

Thanks for looking out and letting me know. I'll try to get something together real soon.

simpilot    2128

The exploit is only through the one file within the open chart library, ofc_upload_image.php, as far as I have been able to tell. It allows for unfiltered data to be uploaded. I have many sites now running with just that file removed without issue.

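The checks the thread walks through by hand (the tmp-upload-images folder, the drop filenames posted in the replies, files in the web root changed around the same time, and whether ofc_upload_image.php is still deployed) collected into one script. This is an added example, not code from the original thread or from phpVMS; the web-root path and the constructed sample install are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread: check a phpVMS web root for the
# indicators posted above and list web-root files changed after the dropper folder appeared.
# Usage: scan_phpvms_root /path/to/public_html   (the path is an assumption)

IOC_DIR="core/lib/tmp-upload-images"                       # dropper folder from the first post
OFC_UPLOAD="core/lib/php-ofc-library/ofc_upload_image.php" # the upload script named as the entry point
# Drop filenames named across the thread; extend with your own findings.
IOC_ROOT_FILES="0zie.html agg.html cst.html sto.html unc.html indo.php xeno.php avril.php badi.html z.txt"

# Returns 0 when nothing suspicious is found, 1 when at least one indicator is present.
scan_phpvms_root() {
    local root="$1" hits=0 f
    if [ -d "$root/$IOC_DIR" ]; then
        hits=1
        echo "INDICATOR: $root/$IOC_DIR exists; contents (dotfiles such as .wp-moon.php included):"
        find "$root/$IOC_DIR" -type f -exec ls -l {} +
        # Anything in the web root touched after that folder appeared deserves review.
        echo "Web-root files modified after the indicator folder:"
        find "$root" -maxdepth 1 -type f -newer "$root/$IOC_DIR"
    fi
    for f in $IOC_ROOT_FILES; do
        if [ -e "$root/$f" ]; then echo "INDICATOR: $root/$f present"; hits=1; fi
    done
    # Later posts: an img folder one level above the web root, and an x folder of empty .txt files.
    if [ -d "$root/../img" ]; then echo "INDICATOR: img folder above the web root"; hits=1; fi
    if [ -d "$root/x" ]; then echo "INDICATOR: $root/x folder present"; hits=1; fi
    # Not an infection indicator by itself, but the exposure remains while this file is deployed.
    if [ -e "$root/$OFC_UPLOAD" ]; then
        echo "WARNING: $OFC_UPLOAD still deployed; remove it or the whole php-ofc-library folder"
    fi
    return "$hits"
}

# Constructed sample install (not real data) so the check can be tried offline.
make_demo_site() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/core/lib/php-ofc-library" "$d/core/lib/tmp-upload-images"
    : > "$d/$OFC_UPLOAD"
    : > "$d/core/lib/tmp-upload-images/.wp-moon.php"
    : > "$d/index.html"
    : > "$d/agg.html"
    echo "$d"
}

# Scan a real install when a path is given, e.g. ./scan.sh /var/www/public_html
if [ -n "${1:-}" ]; then scan_phpvms_root "$1"; fi
```

A non-zero exit from scan_phpvms_root means at least one indicator from the thread is present; the listing of files newer than the dropper folder is the starting point for the "review anything with a similar change date" step.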
