ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


EE site hacked ver 2.3.1

April 16, 2012 12:35pm

  • #1 / Apr 16, 2012 12:35pm

    surfacemedia

    2 posts

    A site I have been maintaining for one of my clients has been hacked.

    The hackers managed to place a file that contained a backdoor kit within the directory:
    /system/expressionengine/helpers/indexx.php

    This file enabled the hackers to upload several phishing websites and as a consequence I was contacted by a security company and asked to suspend the site.

    I have since stopped the hackers' attempts on the site and it's now running clean. However, I need to report to my clients how the hacker was able to gain access to the site.

    Does anyone know of any exploits that can be used to place a file within the above directory?

    EE Version 2.3.1
    EE MSN Version 2.1.0

    Thanks
    TC

  • #2 / Apr 16, 2012 1:07pm

    Kurt Deutscher

    827 posts

    You might find this link helpful. One of our sites got hit with something like this a couple of months back. It was a client we know had not been keeping its software up-to-date on its local machines.

  • #3 / Apr 16, 2012 10:56pm

    surfacemedia

    2 posts

    Hi Kurt,

    Thanks for your reply. We have examined the server logs and can’t see any evidence of an FTP attack.

    Is anyone aware of any exploits for 2.3.1 that would give a hacker access to the /system/expressionengine/helpers/ directory?

    Thanks
    TC

  • #4 / Apr 17, 2012 11:36am

    Dan Decker

    7338 posts

    Hi TC,
    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    - Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

    Cheers!

  • #5 / Apr 17, 2012 11:35pm

    surfacemedia

    2 posts

    Hi TC,
    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    - Other scripts on your account, whether in use or not (phpBB, etc…)*

    Expression Engine is the only script running on the site. We are using the following extensions, addons and Plugins:

    Expression Engine 2.4.0
    Multiple Site Manager 2.1.2

    MODULES (Non-Core Additions)
    —————-
    Mega Upload
    SEO Lite
    Wygwam

    ACCESSORIES
    —————-
    ExpressionEngine Info
    MX Cloner
    NSM Morphine theme

    EXTENSIONS (Non-Core Additions)
    —————-
    MX Cloner

    FIELDTYPES (Non-Core Additions)
    —————-
    Mega Upload
    NSM TinyMCE
    Wygwam

    PLUGINS (Non-Core Additions)
    —————-
    Magpie RSS Parser
    Twitter Search
    XML Encode

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    The server techs have ruled out a server side attack. The attack was localised to the domain where the EE site was located. No other accounts were affected.

    While we work through this, please check through these files:

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    No files in the site were altered. The attacker was careful to avoid detection by placing the malicious file in the /system/expressionengine/helpers/ directory. The file was called indexx.php

    This way they avoided tripping the EE core file edit alert.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

    All parties associated have been alerted, the issue has been resolved and all scripts have been updated.

    What I am trying to ascertain is how the attacker gained access to the site.

    Thanks for your help
    TC
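Two checks come up in the exchange above: Dan's request to look through index.php, admin.php, system/index.php and config.php for injected iframes or script includes, and TC's observation that a file *added* to system/expressionengine/helpers/ never trips an alert that only watches known core files. The script below is an added example written for this thread, not code from ExpressionEngine or from either poster. It takes a hash baseline of a directory tree, reports files that were added, modified or removed on a later run, and scans a file for the injection patterns Dan describes. The directory layout it builds, the file contents and the pattern list are constructed for the demonstration; on a real site you would take the baseline from a fresh download of the same EE build and point the checks at the live tree.

```python
"""Added example (not from the thread or from ExpressionEngine): a small
file-integrity check that covers both cases discussed in the thread:
 - core files that were modified (iframe / script include injection)
 - files that were ADDED to a directory, which an alert that only hashes
   a fixed list of known core files will never see (the indexx.php case).
Paths, sample contents and patterns are assumptions of this example."""
import hashlib
import os
import re
import tempfile

# Patterns a maintainer would not expect in EE's index.php / config.php.
# Constructed for this example; extend to suit the site.
SUSPICIOUS = [
    re.compile(r"<iframe\b", re.I),
    re.compile(r"<script[^>]*\bsrc\s*=", re.I),
    re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, root):
    """Diff the live tree against a stored baseline.

    Unlike a 'core file edited' alert, this also reports files that did not
    exist when the baseline was taken, which is how a dropped indexx.php shows up."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "missing": missing}


def scan_for_injection(path):
    """Return (line_no, pattern) hits for iframes, remote script includes and
    the usual PHP obfuscation calls in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for n, line in enumerate(f, 1):
            for pat in SUSPICIOUS:
                if pat.search(line):
                    hits.append((n, pat.pattern))
    return hits


def demo():
    """Build a throwaway EE-like tree (constructed), take a baseline, then
    replay the incident: a new file under helpers/ and an iframe appended to
    index.php. Returns the findings so they can be checked."""
    root = tempfile.mkdtemp()
    helpers = os.path.join(root, "system", "expressionengine", "helpers")
    os.makedirs(helpers)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php\n$system_path = './system';\nrequire_once $system_path.'/index.php';\n")
    with open(os.path.join(helpers, "url_helper.php"), "w") as f:
        f.write("<?php\nfunction site_url() {}\n")
    baseline = build_baseline(root)

    # Simulated compromise: an extra file the core-edit alert does not cover
    # (harmless placeholder standing in for the dropped file) ...
    with open(os.path.join(helpers, "indexx.php"), "w") as f:
        f.write("<?php\n// placeholder for the added file (constructed)\n")
    # ... and a hidden iframe injected into a core file.
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write('<iframe src="http://example.invalid/" width=0 height=0></iframe>\n')

    result = compare(baseline, root)
    result["injection_hits"] = scan_for_injection(os.path.join(root, "index.php"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the baseline step once against a clean copy of the release and store the resulting map off the server; otherwise an attacker with write access to the account can simply regenerate it.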

  • #6 / Apr 19, 2012 3:25pm

    Shane Eckert

    7174 posts

    Hi surfacemedia,

    Looks like you have done your homework.

    As far as we know there are no issues with 2.X that would allow this.

    I am going to list a few ideas here, but I am sure you have considered this already.

    The placement of a file like that makes me believe that the hacker had user level access to your server account. Your hosting provider is saying that there were no signs of intrusion? If that is the case, and I would hope that your provider is using tripwire or similar, then this was probably done with your own user account.

    Is it possible that your account for the server (ssh, ftp, etc.) was compromised? Were you using a simple password? Did you change that password recently? Does anyone else know your password and/or account information? Is the username/password combo used anywhere else?

    There has to be some evidence. Unless Agent X had root level access, there has to be something somewhere. Have you looked through the logs to see if there was a time your username accessed the server but you do not recall having done so? Simply using history -c or wiping or editing shell files will cover up what they did, but the hosting company should have remote logs, right?

    Please keep us posted, I would love to know how this turns out.

    Cheers,
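Shane's suggestion is to go through the host's remote logs for sessions under the maintainer's own account that the maintainer cannot account for. The script below is an added example, not part of the thread and not ExpressionEngine code, showing what that review looks like when done over the host's sshd log rather than by eye: every successful login for the account is kept, and any that came from an address the maintainer does not recognise, outside the hours they normally work, or by password when they normally use a key is flagged with the reason. The log lines are constructed in OpenSSH's "Accepted ... from ..." format; the known-good address, the working hours and the year (syslog lines carry none) are assumptions.

```python
"""Added example (not from the thread): review remote auth logs for logins
under the maintainer's own account that need explaining. The log lines are
constructed; the known source address, working hours and year are assumptions."""
import re
from datetime import datetime

# OpenSSH's successful-login line as written to the syslog auth facility.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: the maintainer's own logins plus two they did not make.
SAMPLE_LOG = """\
Apr 10 09:14:02 web1 sshd[1811]: Accepted publickey for tcadmin from 198.51.100.7 port 50210 ssh2
Apr 11 14:31:55 web1 sshd[1902]: Accepted publickey for tcadmin from 198.51.100.7 port 50398 ssh2
Apr 12 03:07:19 web1 sshd[2003]: Accepted password for tcadmin from 203.0.113.45 port 41120 ssh2
Apr 12 03:09:44 web1 sshd[2010]: Accepted password for tcadmin from 203.0.113.45 port 41133 ssh2
Apr 12 10:02:08 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 41200 ssh2
Apr 13 11:40:21 web1 sshd[2207]: Accepted publickey for tcadmin from 198.51.100.7 port 50444 ssh2
"""

KNOWN_SOURCES = {"198.51.100.7"}   # assumption: the maintainer's usual address
WORK_HOURS = range(8, 20)          # assumption: logins normally 08:00-19:59
USUAL_METHOD = "publickey"         # assumption: the maintainer logs in with a key
YEAR = 2012                        # syslog timestamps carry no year


def parse_accepted(text):
    """Yield one dict per successful sshd login found in the log text."""
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"time": ts, "user": m["user"], "ip": m["ip"], "method": m["method"]}


def flag_logins(text, user, known_sources=KNOWN_SOURCES,
                work_hours=WORK_HOURS, usual_method=USUAL_METHOD):
    """Return (timestamp, source ip, reasons) for logins as `user` that the
    maintainer should be asked to confirm. A login with no reasons is not listed."""
    flagged = []
    for ev in parse_accepted(text):
        if ev["user"] != user:
            continue
        reasons = []
        if ev["ip"] not in known_sources:
            reasons.append("unknown source " + ev["ip"])
        if ev["time"].hour not in work_hours:
            reasons.append("outside usual hours")
        if ev["method"] != usual_method:
            reasons.append("auth method " + ev["method"] + " instead of " + usual_method)
        if reasons:
            flagged.append((ev["time"].isoformat(), ev["ip"], reasons))
    return flagged


if __name__ == "__main__":
    for when, ip, why in flag_logins(SAMPLE_LOG, "tcadmin"):
        print(when, ip, "; ".join(why))
```

Because the logs live on the host's side, clearing the shell history on the account (the `history -c` Shane mentions) does not remove these entries; the same review applies to the FTP daemon's transfer log, where the line format differs but the questions (which account, from where, when, did I do that) are identical.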
