Jump to content

[NOTICE] - Open Flash Chart Exploit

simpilot

By simpilot
in Support Forum

 Share

Recommended Posts

Strider Contributor

Strider

Posted
Posted

I think the exploit is not just the ofc-upload-image.php, as I have seen them trying open-flash-chart.php in my error log yesterday. I think until a fix has been found, disable the charts, by removing the php-ofc-library folder and it's contents.

 [29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning:  include_once(/***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning:  include_once() [<a href='function.include'>function.include</a>]: Failed opening /***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Fatal error:  Class 'open_flash_chart' not found in /***/****/***/***/core/common/OFCharts.class.php on line 33

Link to comment
Share on other sites
  • Replies 142
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Nabeel
Nabeel

Hi, Don't contact them for anything. Just clean out any files you don't recognize. I'm looking to determine where the hack is, and then patch the ofc library, and release an update. Unfortunately,

simpilot
simpilot

The third party Open Flash Chart script that is used within phpVMS has an exploit that has been used recently and often to deface and/or alter sites using the phpVMS software. I have cleaned 11 of my

mark1million
mark1million

Thats why you should review your logs people. [sun Sep 29 16:06:03 2013] [error] [client 178.63.17.202] PHP Warning: mkdir(): Permission denied in ****/core/lib/php-ofc-library/ofc_upload_image

skylineVirtual Newbie

skylineVirtual

Posted
Posted

ok then the whole thing is a bit different to what I've read here. This folder exists on my site. Even though I deleted the file /ofc_upload_image.php yesterday and thee are no suspicious files at all. Not in the folder either and no data got lost. Everything is still functioning as it should. Error logs don't point out anything unusual either.

Link to comment
Share on other sites
AlexCohrs Newbie

AlexCohrs

Posted
Posted

Yesterday I cleaned my Fivedev server completely, did setup a new phpVMS install, deleteted the ofc_upload_image.php and reinstalled my skin and stuff from an old backup.

Today I realised that on the same day again some modifications on the server have been made. For example, I found a new tmp-uploade-images folder on my server. So if that's true what you are saying and that is not part of the original installation, it looks like just deleting the ofc_upload_image.php does not do the trick. Also some other files on my server with modification date this morning (where i did not do anything) looks suspiscious. The difference, this time, is that the site is still working.

Would you say that I should shutdown everything again, erase all data and wait until a new phpVMS version is valid? I have the backups, so no data will be lost, and I don't want to do this sh... again and again...

Edit: This is what I find in /access-logs/goldenghanavirtual.org (just a short part of it, repeats serveral times from different IPs):

202.175.9.212 - - [30/Sep/2013:13:26:41 -0400] "POST //core/lib/php-ofc-library/ofc_upload_image.php?name=doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"

202.175.9.212 - - [30/Sep/2013:13:26:48 -0400] "GET //core/lib/tmp-upload-images/doyok.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"

Does that mean they TRY to hack the site again or does it mean the HAVE already access? Note that ofc_upload_image.php has already been removed from the server by that time.

Link to comment
Share on other sites
vcal Newbie

vcal

Posted
Posted

I got hacked and while looking at the files, they threw in a load of other stuff too. Thankfully, they never touched my store. My site has been removed completely and I will reinstall. Maybe after Nabeel has a fix. They also know about removing the ofc_upload_image.php. They are following the forum.

  • Like 1
Link to comment
Share on other sites
ARV187 Rookie

ARV187

Posted
Posted

My hosting answer me this:

Hi there,

You may wish to remove the affected scripts from your site or upgrade to the latest versions, that bug is from 2009 and has been patched by the developers for awhile.

Please let us know if there is anything further we can do for you.

Best Regards

Where we can find the patch to script?

Link to comment
Share on other sites
freshJet Newbie

freshJet

Posted
Posted

I think the exploit is not just the ofc-upload-image.php, as I have seen them trying open-flash-chart.php in my error log yesterday. I think until a fix has been found, disable the charts, by removing the php-ofc-library folder and it's contents.

 [29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once(/***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Warning: include_once() [<a href='function.include'>function.include</a>]: Failed opening /***/****/***/***/core/lib/php-ofc-library/open-flash-chart.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /***/****/***/***/core/common/OFCharts.class.php on line 31
[29-Sep-2013 17:57:12 Europe/Dublin] PHP Fatal error: Class 'open_flash_chart' not found in /***/****/***/***/core/common/OFCharts.class.php on line 33

That's not them, that's your charts not working because you deleted/renamed the folder...

  • Like 1
Link to comment
Share on other sites
  • Administrators
Nabeel Grand Master

Nabeel

Posted
  • Administrators
Posted

Looks like these are good hackers... :blink:

Good would have been an alert :\

My hosting answer me this:

Where we can find the patch to script?

Delete the core/lib/ofc_image_upload.php file, or replace it with the one from the latest download.

ofc_image_upload.php is something that's not even used. The rest of the library is just an interface to the charts, which are used internally, and no URL parameters are passed in.

Link to comment
Share on other sites
Mark Noble Newbie

Mark Noble

Posted
Posted

Hi All, My service provider is one.com and they suspended my domain as it was hacked. I got them to open up just ftp so I can have a look and yes I have had the same files and folders as above. I removed all my folders and files from my domain (OK its over the top but wanted to be safe). I then downloaded the latest full version from your site and re installed. I changed my ftp and MySQL passwords and also my main log in password for my one.com account. After 2 hours I got an email from one.com that its been suspended agin due to attack. I got them to open up ftp only again and yes the same files and my be even more was found. I then spoke to one.com again ref to the patch that is required for apache servers and heres the contents of the chat.....

Welcome to the One.com chat support. We are doing our best to answer your queries soon. We kindly ask for your understanding that our answers may be delayed during busy periods.

You are number 2 in the queue for our customer support. Currently the estimated waiting time is 1 minutes and 19 seconds.

You are now chatting with 'Arjun'

Arjun: Thank you for using One.com 24/7 Interactive Online Support. My name is Arjun. How may I assist you?

you: hi my site has been attacked twice now and cleared with your help. I had to remove all files from site and wait for the 3rd party to bring out a patch. there is no patch as its a problem with the hosting servers that use apache for php scripts. heres the link to rectify it. Can you check and make sure your apache is up to day so I can reload the pages back on

you: http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

Arjun: Hello

Arjun: May I know the domain name?

you: until this is done ill always get attacked

you: noble-airlines.org.uk

Arjun: Please hold on while I check.

you: k

Arjun: This does not apply to our server setup as we have PHP installed as a CGI module, so PHP is the one that handles symlinks instead of apache directly as stated in the link you have provided. At present none of your scripts have a built in upload function. However, please be informed that you were only hacked once, the second suspension was done because some files were missed from the first suspension, it was so that you could remove that too.

you: after the first hacked I also removed the whole site folders and files and re installed the software and I got attacked again at 7pm

Arjun: Your domain was suspended first on September 30, and it was re-enabled later that day. However, more infected files were detected, which were previously not listed.

Arjun: To add this to the list, it was suspended again.

Arjun: So that you could remove it.

you: not the case so just to confirm this as im going to copy this whole chat. Are ALL the files now removed then

you: the only folder left is holidays

Arjun: Yes, they are all removed and your domain has been re-enabled again. The holidays folder only contains a simple index.html file right now

you: ok so im going to now install the software again then and if I get attacked again then im going to show the next one.com adviser this chat. ITS NOT TO GET YOU IN TROUBLE but to show them theres still a why into your php setup

you: or do you want to stay online while ill install the software

Arjun: Installing the same software that has the vulnerability in it will only mean that there is a chance of getting hacked again.

Arjun: It is not an Apache vulnerability here, but rather a file upload extension in your script that is being utilized by the hacker to upload the malware.

you: they are saying there isn't its that link I gave you thats causing it

Arjun: As I explained before, this does not apply in our case as symlinks are not handled by apache on our servers, but via PHP.

Arjun: The second fix also wont help as it would mean preventing access to some particular files, but that can be done if required

you: so you don't mind if I copy and past this into their forums then for them to investergate

Arjun: Sure

Arjun: If they have further comments about it, you can let us know

you: ok thx for help

Arjun: You are welcome.

Arjun: Is there anything else I can help you with ?

you: nope that's it thanks

Arjun: Thank you for contacting Chat Support, feel free to contact us anytime if you have more inquiries.

Any ideas where to go from here regards Mark

Link to comment
Share on other sites
STALKER Newbie

STALKER

Posted
Posted

Hi all.

If this can help someone they changed my main index.php (and they added some files I have deleted) and they changed also my index.php in my admin folder, so...

- I have restore both index.php and now all works fine

- I have deleted the /core/lib/tmp-upload-images (inside there was a file named a.php) folder

- I have renamed the /core/lib/php-ofc-library (there is no inside any file named ofc_upload_image.php)

Now I have downloaded the update version, how can I install it? simply copying the new files in my host? Can I download the full version and simply delete ALL files and copy the new files in my host to be absoluty sure there are no any malicious file in my host?

Thank you

Link to comment
Share on other sites
  • Moderators
mark1million Newbie

mark1million

Posted
  • Moderators
Posted

Things to look for are.

Your current htaccess files and all index files, remember hackers will place their code outside of your page view to usually to the right of the page where you wouldnt normally look or scroll across to or 100 or so lines below the bottom of your page.....

You should have no blank lines in any of your pages because thats where their exploit code is, you think you have cleaned the original exploit but they have created their own one inside your pages.

Link to comment
Share on other sites
yourairways Newbie

yourairways

Posted
Posted

Dear All!

Our site was also hacked.

29th evening - some index.php/html files where replaced.

29th later evening - some more index.php/html files where replaced.

We tought that it is a "robot" that uses some kind a weakness. All passwords where replaced and software upgraded to the latest versions (where possible).

30th early morning - it was clear (according to logs), that it was not a "robot" but a human, who was quite freely changing files, making copies of files, etc. The access to the web was blocked by us, until we could find out what is the weak spot.

Later on 30th of September - We took some "drastic" measures (mainly by creative minds from http://www.flightsim.ee/) to protect our Servers (3-4 hrs of hard work). Sadly, I think that it can not be used for other VA-s, since we run phpvms only for "Intranet". Anyways, please contact us for more details, if You are interested, since I am not going to post the "trick" here. The system is up and running, files are cleaned, and everything restored - aircraft flying. The server log shows that there has been several attempts to re-hack without success, so far.

Those kids from Indonesia do not sleep, and it seems that a really huge amount of VA-s are down for now, and it is just stupid, to do it for competition. And I think that they will continue to "score" until the working patch is out.

http://flyjh.lennusimu.net

Link to comment
Share on other sites
captainB Newbie

captainB

Posted
Posted

That would be a nice feature, feel free to fork the repo and contribute.

Done that now, already made the code that produces the MD5 from all the files, will work on the script that will do the checks and then try to integrate that somehow ( in the admin panel? or a CRON outside script? )

Link to comment
Share on other sites
yourairways Newbie

yourairways

Posted
Posted

Yeah, I saw the official "post" about patch for phpvms. But since the phpvms is not so widely used, as some other software (wordpress for example or similar), the week spots there are, will be patched after most of the users are already hacked. That is just something that we can not allow to happen anymore, since "sensitive" information can be lost. That is the reason why "dual" protection is used. Our phpvms users wont notice it anyways.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...