Strider Posted September 30, 2013
I think the exploit is not just the ofc-upload-image.php, as I have seen them trying open-flash-chart.php in my error log yesterday. I think until a fix has been found, disable the charts by removing the php-ofc-library folder and its contents.
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once(/***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once() [<a href='function.include'>function.include</a>]: Failed opening /***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Fatal error: Class 'open_flash_chart' not found in /***/****/***/***/core/common/OFCharts.class.php on line 33
skylineVirtual Posted September 30, 2013
I have the folder tmp-upload-images in my core/lib but there is nothing in it and there are no other suspicious files. How do I know if my server has been compromised?
Strider Posted September 30, 2013
Your server was compromised; tmp-upload-images is not a folder that comes with phpVMS.
skylineVirtual Posted September 30, 2013
OK, then the whole thing is a bit different to what I've read here. This folder exists on my site, even though I deleted the file /ofc_upload_image.php yesterday, and there are no suspicious files at all. Not in the folder either, and no data got lost. Everything is still functioning as it should. Error logs don't point out anything unusual either.
Kapitan Posted September 30, 2013
That's what they post on the FB group.
Simon Posted September 30, 2013
Same.. hacked... wtf..
vazquezjm Posted September 30, 2013
"That's what they post on the FB group" Looks like these are good hackers...
AlexCohrs Posted September 30, 2013
Yesterday I cleaned my Fivedev server completely, set up a new phpVMS install, deleted the ofc_upload_image.php and reinstalled my skin and stuff from an old backup. Today I realised that on the same day again some modifications on the server have been made. For example, I found a new tmp-upload-images folder on my server. So if what you are saying is true and that is not part of the original installation, it looks like just deleting the ofc_upload_image.php does not do the trick. Also some other files on my server with modification date this morning (when I did not do anything) look suspicious. The difference, this time, is that the site is still working. Would you say that I should shut down everything again, erase all data and wait until a new phpVMS version is available? I have the backups, so no data will be lost, and I don't want to do this sh... again and again...
Edit: This is what I find in /access-logs/goldenghanavirtual.org (just a short part of it, repeats several times from different IPs):
202.175.9.212 - - [30/Sep/2013:13:26:41 -0400] "POST //core/lib/php-ofc-library/ofc_upload_image.php?name=doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"
202.175.9.212 - - [30/Sep/2013:13:26:48 -0400] "GET //core/lib/tmp-upload-images/doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"
Does that mean they TRY to hack the site again or does it mean they HAVE already got access? Note that ofc_upload_image.php had already been removed from the server by that time.
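Triage logic for the access-log pattern quoted above, as an added Python example (not code from the thread or from phpVMS): it reads the "try vs. already have access" question off the response codes, since a 2xx for a file under tmp-upload-images means the dropped file existed and was executed, while 404s mean the requests bounced off a removed script or absent folder. The log lines and IPs are constructed; the first two mirror the pair quoted in the post.

```python
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample, modelled on the two requests quoted above: one source whose
# attempt bounced off the removed script (404), one whose dropped file was served.
SAMPLE_LOG = """\
203.0.113.9 - - [30/Sep/2013:13:26:41 -0400] "POST //core/lib/php-ofc-library/ofc_upload_image.php?name=doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.9 - - [30/Sep/2013:13:26:48 -0400] "GET //core/lib/tmp-upload-images/doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0"
198.51.100.7 - - [30/Sep/2013:13:27:02 -0400] "POST /core/lib/php-ofc-library/ofc_upload_image.php?name=x.php HTTP/1.1" 200 0 "-" "curl/7.30"
198.51.100.7 - - [30/Sep/2013:13:27:05 -0400] "GET /core/lib/tmp-upload-images/x.php HTTP/1.1" 200 1337 "-" "curl/7.30"
192.0.2.5 - - [30/Sep/2013:13:28:00 -0400] "GET /index.php/pilots HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return (ip, kind, served) for a hit on the OFC upload script ('upload') or a
    request into tmp-upload-images ('fetch'); served is True for a 2xx answer."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = re.sub(r"/+", "/", m.group("path"))   # requests arrive as '//core/...'; normalise
    served = 200 <= int(m.group("status")) < 300
    if "/php-ofc-library/ofc_upload_image.php" in path:
        return m.group("ip"), "upload", served
    if "/tmp-upload-images/" in path:
        return m.group("ip"), "fetch", served
    return None

def triage(log_text):
    """Per source IP: how many upload and fetch hits were seen and how many were served."""
    seen = defaultdict(lambda: {"upload": 0, "upload_ok": 0, "fetch": 0, "fetch_ok": 0})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, kind, served = hit
            seen[ip][kind] += 1
            seen[ip][kind + "_ok"] += served
    return dict(seen)

def verdict(summary):
    """'compromised': a file in tmp-upload-images was served, so it existed and ran;
    'suspect': the upload script itself answered 2xx, go and check the folder;
    'attempted': only failed hits, the requests bounced; 'clean': no matching traffic."""
    if any(s["fetch_ok"] for s in summary.values()):
        return "compromised"
    if any(s["upload_ok"] for s in summary.values()):
        return "suspect"
    return "attempted" if summary else "clean"
```

Run it over the real access log with `verdict(triage(open(path).read()))`; a verdict of "attempted" alone does not prove the box is clean if the attacker also got in another way, so pair it with a file-level check.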
Kapitan Posted September 30, 2013
I got hacked on 27/09/13 and the funny thing is the files I found (all the html and php they normally upload) were modified or created 3 months ago... how?
t_bergman Posted September 30, 2013
"I got hacked on 27/09/13 and the funny thing is the file ofc_upload_image.php I found was modified or created 3 months ago... how?" That is the date the file was created, not uploaded.
vcal Posted September 30, 2013
I got hacked and while looking at the files, they threw in a load of other stuff too. Thankfully, they never touched my store. My site has been removed completely and I will reinstall. Maybe after Nabeel has a fix. They also know about removing the ofc_upload_image.php. They are following the forum.
ARV187 Posted September 30, 2013
My hosting answered me this: "Hi there, You may wish to remove the affected scripts from your site or upgrade to the latest versions, that bug is from 2009 and has been patched by the developers for a while. Please let us know if there is anything further we can do for you. Best Regards" Where can we find the patch to the script?
freshJet Posted September 30, 2013
"I think the exploit is not just the ofc-upload-image.php, as I have seen them trying open-flash-chart.php in my error log yesterday. I think until a fix has been found, disable the charts by removing the php-ofc-library folder and its contents. [29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once(/***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in /***/****/***/***/core/common/OFCharts.class.php on line 31 [29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once() [<a href='function.include'>function.include</a>]: Failed opening /***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /***/****/***/***/core/common/OFCharts.class.php on line 31 [29-Sep-2013 17:57:12 Europe/Dublin] PHP Fatal error: Class 'open_flash_chart' not found in /***/****/***/***/core/common/OFCharts.class.php on line 33"
That's not them, that's your charts not working because you deleted/renamed the folder...
Administrators Nabeel Posted September 30, 2013
"Looks like these are good hackers..." Good would have been an alert :\
"My hosting answered me this: Where can we find the patch to the script?" Delete the core/lib/ofc_image_upload.php file, or replace it with the one from the latest download. ofc_image_upload.php is something that's not even used. The rest of the library is just an interface to the charts, which are used internally, and no URL parameters are passed in.
Mark Noble Posted September 30, 2013
Hi All, My service provider is one.com and they suspended my domain as it was hacked. I got them to open up just FTP so I can have a look, and yes, I have had the same files and folders as above. I removed all my folders and files from my domain (OK, it's over the top, but I wanted to be safe). I then downloaded the latest full version from your site and reinstalled. I changed my FTP and MySQL passwords and also my main login password for my one.com account. After 2 hours I got an email from one.com that it's been suspended again due to attack. I got them to open up FTP only again and yes, the same files and maybe even more were found. I then spoke to one.com again ref the patch that is required for Apache servers and here's the contents of the chat.....
Welcome to the One.com chat support. We are doing our best to answer your queries soon. We kindly ask for your understanding that our answers may be delayed during busy periods. You are number 2 in the queue for our customer support. Currently the estimated waiting time is 1 minutes and 19 seconds. You are now chatting with 'Arjun'
Arjun: Thank you for using One.com 24/7 Interactive Online Support. My name is Arjun. How may I assist you?
you: hi my site has been attacked twice now and cleared with your help. I had to remove all files from site and wait for the 3rd party to bring out a patch. there is no patch as its a problem with the hosting servers that use apache for php scripts. here's the link to rectify it. Can you check and make sure your apache is up to date so I can reload the pages back on
you: http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/
Arjun: Hello
Arjun: May I know the domain name?
you: until this is done I'll always get attacked
you: noble-airlines.org.uk
Arjun: Please hold on while I check.
you: k
Arjun: This does not apply to our server setup as we have PHP installed as a CGI module, so PHP is the one that handles symlinks instead of apache directly as stated in the link you have provided. At present none of your scripts have a built in upload function. However, please be informed that you were only hacked once, the second suspension was done because some files were missed from the first suspension, it was so that you could remove that too.
you: after the first hack I also removed the whole site folders and files and reinstalled the software and I got attacked again at 7pm
Arjun: Your domain was suspended first on September 30, and it was re-enabled later that day. However, more infected files were detected, which were previously not listed.
Arjun: To add this to the list, it was suspended again.
Arjun: So that you could remove it.
you: not the case so just to confirm this as I'm going to copy this whole chat. Are ALL the files now removed then
you: the only folder left is holidays
Arjun: Yes, they are all removed and your domain has been re-enabled again. The holidays folder only contains a simple index.html file right now
you: ok so I'm going to now install the software again then and if I get attacked again then I'm going to show the next one.com adviser this chat. IT'S NOT TO GET YOU IN TROUBLE but to show them there's still a way into your php setup
you: or do you want to stay online while I install the software
Arjun: Installing the same software that has the vulnerability in it will only mean that there is a chance of getting hacked again.
Arjun: It is not an Apache vulnerability here, but rather a file upload extension in your script that is being utilized by the hacker to upload the malware.
you: they are saying there isn't, it's that link I gave you that's causing it
Arjun: As I explained before, this does not apply in our case as symlinks are not handled by apache on our servers, but via PHP.
Arjun: The second fix also won't help as it would mean preventing access to some particular files, but that can be done if required
you: so you don't mind if I copy and paste this into their forums then for them to investigate
Arjun: Sure
Arjun: If they have further comments about it, you can let us know
you: ok thx for help
Arjun: You are welcome.
Arjun: Is there anything else I can help you with ?
you: nope that's it thanks
Arjun: Thank you for contacting Chat Support, feel free to contact us anytime if you have more inquiries.
Any ideas where to go from here? regards Mark
STALKER Posted October 1, 2013
Hi all. If this can help someone: they changed my main index.php (and they added some files I have deleted) and they changed also my index.php in my admin folder, so...
- I have restored both index.php and now all works fine
- I have deleted the /core/lib/tmp-upload-images folder (inside there was a file named a.php)
- I have renamed the /core/lib/php-ofc-library folder (there is no file named ofc_upload_image.php inside)
Now I have downloaded the updated version, how can I install it? Simply copying the new files to my host? Can I download the full version and simply delete ALL files and copy the new files to my host to be absolutely sure there are no malicious files on my host? Thank you
Moderators mark1million Posted October 1, 2013
Things to look for are your current htaccess files and all index files. Remember hackers will place their code outside of your page view, usually to the right of the page where you wouldn't normally look or scroll across to, or 100 or so lines below the bottom of your page..... You should have no blank lines in any of your pages because that's where their exploit code is; you think you have cleaned the original exploit but they have created their own one inside your pages.
captainB Posted October 1, 2013
Well, my site has been hacked. Would be nice if we had a CRC check feature like some of the CMS have.
Moderators mark1million Posted October 1, 2013
"Well, my site has been hacked. Would be nice if we had a CRC check feature like some of the CMS have." Upload the install folder and run the file checkinstall.php; don't forget to delete it again afterwards.
captainB Posted October 1, 2013
"Upload the install folder and run the file checkinstall.php; don't forget to delete it again afterwards." I assume that would work for a "clean" install only? My installation was highly customized.
captainB Posted October 1, 2013
We could use this instead of that Flash thing: http://www.chartjs.org/
Administrators simpilot Posted October 1, 2013 (Author)
"Well, my site has been hacked. Would be nice if we had a CRC check feature like some of the CMS have." That would be a nice feature, feel free to fork the repo and contribute.
yourairways Posted October 1, 2013
Dear All! Our site was also hacked. 29th evening - some index.php/html files were replaced. 29th later evening - some more index.php/html files were replaced. We thought that it is a "robot" that uses some kind of weakness. All passwords were replaced and software upgraded to the latest versions (where possible). 30th early morning - it was clear (according to logs) that it was not a "robot" but a human, who was quite freely changing files, making copies of files, etc. Access to the web was blocked by us until we could find out what the weak spot is. Later on 30th of September - we took some "drastic" measures (mainly by creative minds from http://www.flightsim.ee/) to protect our servers (3-4 hrs of hard work). Sadly, I think that it can not be used for other VAs, since we run phpVMS only for "Intranet". Anyway, please contact us for more details if you are interested, since I am not going to post the "trick" here. The system is up and running, files are cleaned, and everything restored - aircraft flying. The server log shows that there have been several attempts to re-hack without success, so far. Those kids from Indonesia do not sleep, and it seems that a really huge amount of VAs are down for now, and it is just stupid to do it for competition. And I think that they will continue to "score" until the working patch is out. http://flyjh.lennusimu.net
TAV1702 Posted October 1, 2013
We got hit too. I cleaned everything out. They had a remote SQL script installed and we were running a Joomla and WordPress site, and a BUNCH of other files.
Strider Posted October 1, 2013
Yourairways, I think you need to read the announcements forum; Nabeel has already released an update with the culprit file patched.
bunoire14 Posted October 2, 2013
Gents, check for log.php in your root, looks like malicious code too. Olly
captainB Posted October 2, 2013
"Gents, check for log.php in your root, looks like malicious code too. Olly" Files I found at my site, worth checking if you guys have those:
x.txt
components.zip;unzip.1
e.php
kliverz.php
log.php
php.ini (multiple)
pijar.php
cwd.php
bim.php
default.php (multiple)
sunnah.html
captainB Posted October 2, 2013
"That would be a nice feature, feel free to fork the repo and contribute." Done that now, already made the code that produces the MD5 of all the files; will work on the script that will do the checks and then try to integrate that somehow (in the admin panel? or a CRON outside script?).
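A baseline-and-compare integrity check of the kind captainB describes, written here as an added Python example for an out-of-band cron job (it is neither captainB's code nor phpVMS's checkinstall.php). Because the baseline is taken from your own cleaned, customized install rather than a stock download, it also covers the "clean install only" objection raised earlier; the directory layout and file contents in the demo are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_sha256(path):
    """Stream a file through SHA-256 (MD5 as in the post works the same way)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, exclude=()):
    """Map every file under root (relative POSIX path) to its digest; exclude lists
    files or directory prefixes that legitimately change (logs, caches, the manifest)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not any(rel == e or rel.startswith(e + "/") for e in exclude):
            manifest[rel] = file_sha256(p)
    return manifest

def compare(baseline, current):
    """Files present only now (dropped by an attacker or a legitimate upload), files
    whose digest changed (a rewritten index.php), and files that disappeared."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f])
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed scenario: baseline a small tree after cleanup, then simulate the
    changes reported in this thread (index.php rewritten, a.php dropped into
    core/lib/tmp-upload-images) while the excluded log directory also changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "core" / "lib").mkdir(parents=True)
        (root / "core" / "logs").mkdir()
        (root / "index.php").write_text("<?php echo 'home';\n")
        (root / "core" / "lib" / "open-flash-chart.php").write_text("<?php class open_flash_chart {}\n")
        (root / "core" / "logs" / "error.log").write_text("boot\n")
        excl = ("core/logs", "manifest.json")
        with open(root / "manifest.json", "w") as f:
            json.dump(build_manifest(root, excl), f)   # the baseline you keep off-server
        # Simulated post-compromise state (constructed, carries no real payload).
        (root / "index.php").write_text("<?php echo 'home';\n" + " " * 300 + "<!-- defaced -->\n")
        (root / "core" / "lib" / "tmp-upload-images").mkdir()
        (root / "core" / "lib" / "tmp-upload-images" / "a.php").write_text("<?php // dropped\n")
        (root / "core" / "logs" / "error.log").write_text("boot\nnoise\n")
        with open(root / "manifest.json") as f:
            baseline = json.load(f)
        return compare(baseline, build_manifest(root, excl))
```

Keep the baseline manifest somewhere the web server cannot write (or at least off the document root), otherwise whoever can drop a.php can also rewrite the list it is checked against.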
gabry5 Posted October 2, 2013
I have two language versions on separate domains. During checking I found a ".php" file in /lib/js/js-ofc-library but it's not present in the second domain nor in a raw version of phpVMS, so I suppose that's connected to THEM.
yourairways Posted October 2, 2013
Yeah, I saw the official "post" about the patch for phpVMS. But since phpVMS is not so widely used as some other software (WordPress for example or similar), the weak spots there are will be patched after most of the users are already hacked. That is just something that we can not allow to happen anymore, since "sensitive" information can be lost. That is the reason why "dual" protection is used. Our phpVMS users won't notice it anyway.