ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Security Alert - eval(base64_decode( - allow_url_include - auto_prepend_file

May 19, 2012 9:35pm

  • #1 / May 19, 2012 9:35pm

    klinge

    15 posts

    ExpressionEngine 1.6.0 - Build: 20070621
    Host: 1and1
    allow_url_include is set to off


    I know the build is older, but I am trying to figure out asap if this loophole (if it is one on the EE side) is still open and how to close it.

    Somebody hacked into the site, placed a file in the error directory and then inserted code into all index.php (eval(base64..) and index.html (via script tag) files.

    This is from the access.log:

    91.224.. - - [08/May/2012:02:53:15 -0400] "POST /index.php/topic/comments/have-you-ever/?-d+allow_url_include=1+-d+auto_prepend_file=php://input HTTP/1.1" 200 115 http://www.domain.com "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E; Zune 4.7)" "-"

    91.224.. - - [08/May/2012:02:53:15 -0400] "POST /error/lmqtrfy.php HTTP/1.1" 200 25 http://www.domain.com "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.813.0 Safari/535.1" "-"

    Thanks
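
The two log lines in #1 are worth recognising on sight. The query string `?-d+allow_url_include=1+-d+auto_prepend_file=php://input` is not an ExpressionEngine parameter at all: it is a pair of php-cgi command-line options, the request shape of the PHP CGI argument-injection bug (CVE-2012-1823, fixed in PHP 5.3.12 and 5.4.2), and the second request then executes a freshly dropped script under /error/. The thread never states whether this host ran PHP as CGI, so this is an identification of the request shape rather than a confirmed root cause. The detector below is an added example by the editor, not code from the thread or from ExpressionEngine; its sample log lines are constructed to match the shape of the posted ones (IP replaced by 198.51.100.7, user agents shortened), and the list of directories that should never serve PHP is an assumption.

```python
"""Flag PHP-CGI argument-injection attempts in access logs.

Added example by the editor, not code from the thread or from ExpressionEngine.
SAMPLE_LOG is constructed to match the shape of the two lines posted in #1
(IP replaced by 198.51.100.7, user agents shortened); NO_PHP_DIRS is an assumption.
"""
import re
from urllib.parse import unquote_plus

# Apache combined-style line as it appears in #1:
#   ip ident user [time] "METHOD target PROTO" status size ...
# Only the fields up to the response size are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ini directives that, set through php-cgi's -d option, give code execution
# or disable protections; -s dumps the script source, -n skips php.ini entirely.
DANGEROUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file",
    "disable_functions", "open_basedir", "safe_mode",
}
DANGEROUS_FLAGS = {"-s", "-n"}

# Assumption for the sample: directories that should never serve PHP.
NO_PHP_DIRS = ("/error/", "/images/", "/uploads/")

SAMPLE_LOG = [  # constructed, not a real capture
    '198.51.100.7 - - [08/May/2012:02:53:15 -0400] "POST /index.php/topic/comments/have-you-ever/?-d+allow_url_include=1+-d+auto_prepend_file=php://input HTTP/1.1" 200 115 http://www.domain.com "-" "Mozilla/4.0 (compatible; MSIE 8.0)" "-"',
    '198.51.100.7 - - [08/May/2012:02:53:15 -0400] "POST /error/lmqtrfy.php HTTP/1.1" 200 25 http://www.domain.com "-" "Mozilla/5.0 (Windows NT 6.1)" "-"',
    # the form usually seen in the wild: '=' sent as %3d so the CGI handoff passes the query as argv
    '198.51.100.7 - - [08/May/2012:02:55:01 -0400] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 115 - "-" "curl/7.21" "-"',
    # source-disclosure variant of the same bug
    '198.51.100.7 - - [08/May/2012:02:55:09 -0400] "GET /index.php?-s HTTP/1.1" 200 3011 - "-" "curl/7.21" "-"',
    # ordinary traffic
    '203.0.113.9 - - [08/May/2012:03:00:00 -0400] "GET /index.php/topic/comments/have-you-ever/?page=2 HTTP/1.1" 200 8120 - "-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Split one log line into fields (plus 'path' and 'query'); None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def cgi_arg_injection(query):
    """Return the php-cgi options carried by a query string, [] when it is benign.

    RFC 3875 lets a web server pass a query string that contains no '=' to the CGI
    program as argv; php-cgi before 5.3.12 / 5.4.2 then honoured a leading -d as an
    ini override. Attackers therefore encode '=' as %3d. The line posted in #1 shows a
    literal '=', so we decode first and match on the decoded form either way.
    """
    decoded = unquote_plus(query).strip()
    if not decoded.startswith("-"):
        return []
    tokens = decoded.split()
    hits = []
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):
            hits.append(tokens[i + 1])          # "-d name=value"
        elif tok.startswith("-d") and len(tok) > 2:
            hits.append(tok[2:])                # "-dname=value"
        elif tok in DANGEROUS_FLAGS:
            hits.append(tok)
    return hits


def severity(hits):
    """'high' when an option on the dangerous lists is present, else 'medium'."""
    names = {h.split("=", 1)[0] for h in hits}
    return "high" if names & (DANGEROUS_DIRECTIVES | DANGEROUS_FLAGS) else "medium"


def dropped_script_post(rec, no_php_dirs=NO_PHP_DIRS):
    """The follow-on stage in #1: a POST to a .php file where no PHP should live."""
    return (rec["method"] == "POST" and rec["path"].lower().endswith(".php")
            and rec["path"].startswith(no_php_dirs))


def scan(lines):
    """Return (ip, path, reason) findings for the given log lines, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = cgi_arg_injection(rec["query"])
        if hits:
            findings.append((rec["ip"], rec["path"],
                             f"php-cgi argument injection [{severity(hits)}]: " + " ".join(hits)))
        if dropped_script_post(rec):
            findings.append((rec["ip"], rec["path"], "POST to a PHP file outside the application"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

Run it over the real access.log with `scan(open("access.log"))`. Matching on the decoded query rather than on the raw bytes is the point: a web-server rewrite rule that rejects only query strings lacking "=" will miss the literal-"=" variant recorded in #1, while a detector that decodes first catches both. The second rule (a POST to a .php file in a directory that should hold none) is what turns a single scanner hit into evidence of a successful drop.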

  • #2 / May 21, 2012 1:29pm

    Shane Eckert

    7174 posts

    Hello klinge,

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what's going on. To that end, we need some additional information from you…

    - Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

    Cheers!
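
Shane's checklist (index.php, admin.php, system/index.php and the config file) is the manual version of a triage scan. The script below is an added example by the editor, not code from the thread or from ExpressionEngine: it walks a site tree for the three indicators reported in #1 (eval(base64_decode( prepended to PHP files, script or iframe tags pointing at a foreign host in HTML files, and PHP files sitting in directories such as error/ that should contain none) and runs against a constructed sample tree written to a temporary directory. The site's own hostnames, the list of no-PHP directories and the sample file contents are all assumptions.

```python
"""Triage scan for the injected-code indicators described in this thread.

Added example by the editor, not code from the thread or from ExpressionEngine.
OWN_HOSTS, NO_PHP_DIRS and SAMPLE_SITE are assumptions made for the demonstration.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Obfuscation wrappers commonly prepended to PHP files by mass-infection scripts.
PHP_PATTERNS = [
    ("eval(base64_decode(", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("eval(gzinflate(", re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I)),
    ("eval(str_rot13(", re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I)),
]
# <script src=...> and <iframe src=...> whose host is not one of ours.
TAG_SRC_RE = re.compile(r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

# Assumptions: the site's own hosts, and top-level directories that should hold no PHP.
OWN_HOSTS = {"www.domain.com", "domain.com"}
NO_PHP_DIRS = {"error", "images", "uploads"}

SAMPLE_SITE = {  # constructed; not the poster's real files
    "index.php": "<?php eval(base64_decode('aGVsbG8=')); ?>\n<?php\n// original front controller follows\n",
    "admin.php": "<?php\n// clean control panel entry point\n",
    "index.html": '<html><body>Welcome<script src="http://malware.example/x.js"></script></body></html>\n',
    "about.html": '<html><body><script src="/js/site.js"></script></body></html>\n',
    "error/404.html": "<html><body>Not found</body></html>\n",
    "error/lmqtrfy.php": "<?php /* stand-in for the dropped file named in #1 */ ?>\n",
}


def php_findings(text):
    """Names of the obfuscation wrappers present in a PHP source."""
    return [name for name, rx in PHP_PATTERNS if rx.search(text)]


def html_findings(text, own_hosts):
    """Script/iframe tags that load from a host outside own_hosts; relative URLs are ignored."""
    out = []
    for tag, src in TAG_SRC_RE.findall(text):
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            out.append(f"external <{tag.lower()}> src={src}")
    return out


def scan_tree(root, own_hosts=OWN_HOSTS, no_php_dirs=NO_PHP_DIRS):
    """Return sorted (relative path, reason) pairs for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            top = rel.split("/", 1)[0] if "/" in rel else ""
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            lower = name.lower()
            if lower.endswith((".php", ".phtml", ".php5")):
                if top in no_php_dirs:
                    findings.append((rel, f"PHP file in a directory that should hold none ({top}/)"))
                for reason in php_findings(text):
                    findings.append((rel, "obfuscated code: " + reason))
            elif lower.endswith((".html", ".htm")):
                for reason in html_findings(text, own_hosts):
                    findings.append((rel, reason))
    return sorted(findings)


def write_sample_site(root, files=SAMPLE_SITE):
    """Materialise the constructed sample tree under root."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Scan the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point it at the real document root with `scan_tree("/path/to/docroot")`. Pattern matches only find the wrappers this attacker happened to use; on a live incident, diff the tree against a clean copy of the same build (the file refresh Shane mentions) and list files modified after the timestamps in the access log, since a dropped script with an innocuous body, like the error/ stand-in above, is only caught by location or by age.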

  • #3 / May 22, 2012 7:56pm

    klinge

    15 posts

    Host is not dream…, not shared, just EE on it, also EE Forum.

    No iframe or js in index.php and admin.php

    Since this is Vers. 1.6 there is no system/expressionengine/config/config.php

    Is this type of “infusion” still possible in the most current version?

    Thanks

  • #4 / May 24, 2012 3:49pm

    Shane Eckert

    7174 posts

    Hello klinge,

    I do not believe this was infusion, this sounds like the host was compromised, possibly through FTP.

    Did you get a chance to talk with your provider?

    Cheers,

  • #5 / May 24, 2012 4:34pm

    klinge

    15 posts

    They say our server is the only one with that problem.

    Our ftp pw is super strong; I am the only one who has access by ftp.

    Doesn’t make sense through ftp. It looks like somebody used a vulnerability of EE.
    Everything on the EE side is pretty much stock.

    What is the tech department saying? Did they try to research the problem by using the above url “infusion” type call?

    Thanks.

  • #6 / May 30, 2012 11:54am

    Shane Eckert

    7174 posts

    Hello klinge,

    We need some more information to determine things.

    ExpressionEngine is not a closed system, it uses Add-Ons, segment variables, even hand coded SQL using the Query Module. There is really no such thing as a "stock" install of ExpressionEngine. What Add-Ons do you have installed and are you using any custom SQL queries? Are you using any segment variables?

    Please let me know.

  • #7 / May 30, 2012 5:04pm

    klinge

    15 posts

    Thanks Shane,

    Just EE 1.6.0 and EE-Forum 2.0.0
    Freeform 2.5.2
    No segment variables
    No custom SQL

    This is as stock as it gets

  • #8 / Jun 04, 2012 4:39pm

    Shane Eckert

    7174 posts

    Hey klinge,

    I think the next step here is to upgrade to the latest version. 1.6.0 is very old, like 5 years old, so I am not able to really spend much more time on it. I tried, but it's really not supported anymore.

    One thing to think about is that the injection was more than likely a file perm. But again, the software in use is quite old.

    Are you able to update at this time?

    Thank you,

  • #9 / Jun 11, 2012 4:10am

    klinge

    15 posts

    Well, if you can’t figure it out for 1.6 who knows if this security hole is fixed in the new version.
    So instead of throwing more money into buying 2.x, I would like to be sure if the 2.x EE is safe.
    Otherwise I better invest in something different.

    Thanks anyway

  • #10 / Jun 13, 2012 10:52am

    Shane Eckert

    7174 posts

    Hey klinge,

    I feel your frustration here and I am sorry you are experiencing this.

    Version 1.6 is legacy and so spending cycles on an out of date version of our product is not the best use of time in support. The injection, as I have mentioned, is most likely due to file permissions. That is my best guess.

    I would love to help you further here, but to do so I need you to upgrade to 1.7.3 and then make sure your installation is secure.

    Please let me know.

    Cheers,