Textpattern CMS support forum
Topic closed
#1 2007-04-15 18:51:17
- nasv
- Member
- Registered: 2005-11-14
- Posts: 22
hack victim? Please advise
I recently noticed what seems to be a harmless hack on my site (tintorecords.com); on both my “images” and “files” directories, an “index.htm” file was inserted, it showed “turkish hackers” – more of a scare, but I think harmless. You can see details of the “attack” on zone-h.org (http://www.zone-h.org/index.php?option=com_attacks&Itemid=43&filter=1), enable filters, enter “tintorecords.com” under domain for some attack details.
I’m interested in preventing future attacks, especially if it’s more malicious. I ONLY have TXP 4.0.4 installed on my site. After a few exchanges with my host, this is their latest response:
========================
“I have reviewed the hack and your account to attempt to determine the vector that the attacker used to infect your website. It would appear that they used the weak file permissions on your /images/ and /files/ folders coupled with some form of PHP/MYSQL injection. The fact that you have 777 permissions set on these two folders opens your website up for these hackers that perform mass defacement. Please review your software and the permissions requirements for these two folders to prevent this from happening again.”
========================
Any ideas, tips, advice? High detail diagnostics below.
Thanks,
-Nico
************************************************************************************
HIGH DETAIL:
Textpattern version: 4.0.4 (r1956)
Last Update: 2006-10-17 15:53:46/2006-10-18 00:13:06
Document root: /hsphere/local/home/nichola0/tintorecords.com
$path_to_site: /hsphere/local/home/nichola0/tintorecords.com
Textpattern path: /hsphere/local/home/nichola0/tintorecords.com/textpattern
Permanent link mode: section_id_title
Temporary directory path: /tmp
Site URL: www.tintorecords.com
PHP version: 4.3.11
Server Local Time: 2007-04-15 11:29:07
MySQL: 4.1.20-max-log
Locale: en_US.UTF-8
Server: Apache
Apache version: Apache
PHP Server API: apache
RFC 2616 headers:
Server OS: Linux 2.6.14.4
Active plugins: mem_moderation-0.4.4, mem_admin_parse-0.2.1, mem_moderation_article-0.4.4, mem_self_register-0.8.1, rss_admin_db_manager-4.1, bit_rss-0.3, jnm_audio-0.3
.htaccess file contents:
————————————
#DirectoryIndex index.php index.html
#Options +FollowSymLinks
#RewriteBase /relative/web/path/
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
RewriteRule ^(.*) index.php
</IfModule>
php_value register_globals 0
————————————
Charset (default/config): latin1/latin1
character_set_client: latin1
character_set_connection: latin1
character_set_database: latin1
character_set_results: latin1
character_set_server: latin1
character_set_system: utf8
character_sets_dir: /usr/share/mysql/charsets/
19 Tables: OK
PHP extensions: zip, xslt, xmlrpc/0.51, xml, tokenizer/0.1, standard/4.3.11, sockets, session, pspell, posix, pgsql, pfpro, pdf, pcre, overload, mysql, mnogosearch, mhash, mcrypt, mbstring, imap, iconv, gettext, gd, ftp, exif/1.4 $Id: exif.c,v 1.118.2.37 2005/03/22 22:07:03 edink Exp $, domxml/20020815, dba, curl, ctype, calendar, bz2, bcmath, zlib/1.1, openssl, apache, Zend Optimizer
pretext_data: array (
'id' => '',
's' => '',
'c' => '',
'q' => '',
'pg' => '',
'p' => '',
'month' => '',
'author' => '',
'request_uri' => '/04a29bf10ae19e20491ee60b9196e91e/?txpcleantest=1',
'qs' => 'txpcleantest=1',
'subpath' => '\\/',
'req' => '/04a29bf10ae19e20491ee60b9196e91e/?txpcleantest=1',
)
/include/txp_category.php: r1879 (aee777474b2f67ca07fc25756ba25c15)
/include/txp_plugin.php: r1917 (74184c0d8ed8608f840707a255178617)
/include/txp_auth.php: r1879 (b1dd4072b7daf4e997c6ff65ce3d1b2d)
/include/txp_form.php: r1913 (16ec600b41438b4cca10d2c8a19b2db8)
/include/txp_section.php: r1891 (2959593586ba3e97bc602f369c32e738)
/include/txp_tag.php: r1915 (3b4a7f73d92f9bbbe09985c5aa830d29)
/include/txp_list.php: r1892 (41f4d32fd070234b78f94adefebd5234)
/include/txp_page.php: r1913 (34331a5468bbb18dd9f6a282f3aa11e8)
/include/txp_discuss.php: r1909 (9b9ee934a30f52cd7a4d8cb45c8380ab)
/include/txp_prefs.php: r1946 (05615b6275d8927a2a0d51918d70a896)
/include/txp_log.php: r1919 (ed54d02e865319f2506c642a6bde768b)
/include/txp_preview.php: r1238 (5a4ae3ff0d68f4cb573d6d62a00ce9e8)
/include/txp_image.php: r1955 (20be975e67fa7c4aa9a1a3e51bfaf379)
/include/txp_article.php: r1889 (7749f699c03d0c57e04fafe17dbfa94c)
/include/txp_css.php: r1897 (f5cf1c20badb96a063c7c180e9020359)
/include/txp_admin.php: r1879 (d36dac010d21df7bcf9cf5e242b34d58)
/include/txp_link.php: r1879 (0652287df8bb32c66cfa1b939402404a)
/include/txp_diag.php: r1902 (96697ade63048e517177f4129d47de76)
/include/txp_file.php: r1895 (6ed67b094522e51b028dc88baa07444c)
/include/txp_import.php: r1238 (634e75d1b61958875ff275e3130f23ad)
/lib/admin_config.php: r1747 (1563fcbaffe25b3272b0d85ff9d5571d)
/lib/txplib_misc.php: r1956 (182c50b86195f1abe9dbe15728df3cae)
/lib/taglib.php: r1535 (04806ef864d5b0d2974e0e5f6397a2d7)
/lib/txplib_head.php: r1887 (b110efd071e9a5bb395beea66ced128a)
/lib/classTextile.php: r1943 (2c559991e34738eef1990dc079bd91c4)
/lib/txplib_html.php: r1937 (c206ca9cb9a54a7a95f3355b77fd0fa2)
/lib/txplib_db.php: r1879 (d68b6ea69950e405c4fec23b8641d9c2)
/lib/IXRClass.php: r765 (cbe59b59246dce060a4b4a52b4d448d8)
/lib/txplib_forms.php: r1887 (0049a228dc8eb346f8603478a7c1b2e2)
/lib/class.thumb.php: r1955 (12961180eee3add5096e69e0a154284e)
/lib/constants.php: unknown (0e40251c717c52b2b7fe992b62a3e97a)
/lib/txplib_update.php: r1239 (757f8189fcc53a795d7c807f17b2e788)
/lib/txplib_wrapper.php: unknown (584448787b4a3488200722672c0eee0d)
/publish/taghandlers.php: r1949 (3fa1b9ded18e6074b2495a3f4e3c33b5)
/publish/atom.php: r1864 (50602e2f1c443819a0a60f14f39d3093)
/publish/log.php: r1637 (a4a772567079f18101a1752446f3f6d4)
/publish/comment.php: r1951 (a3f803d744fea80808eb27a3f6b28674)
/publish/search.php: r1748 (b0182abc287055fe0932c263b2a5266d)
/publish/rss.php: r1864 (ae43eaa9ebe6b00e63810ae60ca7c6b6)
/publish.php: r1945 (abff727405efc6c4ec8b1cb403290063)
/index.php: r1948 (adf86f44861797f4969373c708ef48fb)
/css.php: r944 (763fa7658fc19ad23a5b2126fcdf366c)
Re: hack victim? Please advise
Those directory permissions can and should (!) be lowered to 755 in most cases. File permissions should be 644 for files and images.
Were the inserted files owned by a different user account on the webserver?
It would appear that they used the weak file permissions on your /images/ and /files/ folders coupled with some form of PHP/MYSQL injection.
But where did the PHP/MySQL injection take place… in TXP, or in a PHP script hosted on a different domain that’s on the same server as your domain? Their explanation seems to suggest the latter.
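The two checks raised in this thread (the host's point about the 777 images/ and files/ folders in post #1, and the 755/644 advice plus the "owned by a different user?" question in post #2) can be scripted. The following is an added example, not code from the thread or from Textpattern: it audits a web root for world-writable directories and files, lists entries owned by an account other than the site owner, and applies the recommended permissions. It assumes POSIX sh with find, ls, chmod and wc; the web root path and expected owner are hypothetical arguments supplied by the reader.

```shell
#!/bin/sh
# Added example, not code from the thread or from Textpattern: audit a web
# root for the conditions discussed in the thread (world-writable directories
# such as 777 images/ and files/ folders, and entries owned by an account
# other than the site owner), then apply the 755/644 permissions from post #2.
# Assumes POSIX sh with find, ls, chmod, wc; $1 = web root, $2 = expected
# owner (name or numeric uid) -- both hypothetical inputs.

# Count world-writable (octal ..2, i.e. o+w) directories and regular files
# under $1. Symlinks are skipped because their mode is often reported as 777.
count_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) | wc -l | tr -d ' '
}

# Count entries under $1 not owned by $2. A defacement dropped through a
# script running as another tenant on a shared host shows up here.
count_foreign_owned() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Print mode, owner and path for every hit of either check.
report_webroot() {
    root=$1
    owner=$2
    echo "== world-writable entries under $root =="
    find "$root" -perm -002 \( -type d -o -type f \) -exec ls -ld {} \;
    echo "== entries under $root not owned by $owner =="
    find "$root" ! -user "$owner" -exec ls -ld {} \;
}

# Apply the thread's recommendation: 755 on directories, 644 on files.
# Run this only over upload/asset trees: it strips the execute bit from
# files, which would break any CGI scripts stored under $1.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: sh audit_webroot.sh /path/to/webroot siteowner
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    report_webroot "$1" "$2"
    echo "world-writable entries: $(count_world_writable "$1")"
    echo "foreign-owned entries:  $(count_foreign_owned "$1" "$2")"
fi
```

Run the report first and fix only once the hits are understood; a count of zero from both checks after `fix_permissions` is the state post #2 describes, and a non-zero foreign-owner count is the evidence the second reply asks about.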
#3 2007-04-15 22:27:40
- zem
- Developer Emeritus
- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: hack victim? Please advise
I’ve asked nasv for more information in private email. I’m closing this thread until we know what happened, and either have a fix or have ruled out Textpattern.
We know from experience that the bad guys read this forum, so please take care when posting about security issues.
Alex