ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Security Alert: use of php base64_decode command on hacked Exp Eng site

October 18, 2012 2:07pm

  • #1 / Oct 18, 2012 2:07pm

    R.K.Foster

    138 posts

    Greetings,

    I have a client that was running a 1.x version of Exp Eng. Google blocked the site after detecting malware files on it. I’ve started the process of cleaning up the mess and thought I should post here in case this is something new. So far this is what I’ve found…

    EVERY file in the Exp Eng system has had a base64_decode command added at the beginning of the file, like this…

    <?php /**/ eval(base64_decode("RANDOM_NUMBERS_IN_BASE64"));?>

    The RANDOM_NUMBERS_IN_BASE64 are characters that translate into some kind of executable code but I have no means to translate them. In addition a hidden dot directory has been added to the web root and a number of other directories. It’s called .logs/ and contains a file called log1.txt This file contains a list of web domains that the script uses in some way. Here’s the list…

    http://elaccu08mulated.rr.nu/
    http://plem75entv.rr.nu/
    http://ytrip14healt.rr.nu/
    http://ivew82oundp.rr.nu/
    http://odeapp94roache.rr.nu/
    http://ing54flo.rr.nu/
    http://nje57cti.rr.nu/
    http://carbo89nsuse.rr.nu/
    http://ica99ltr.rr.nu/
    http://gan37dhim.rr.nu/
    http://usmorg98anwilli.rr.nu/
    http://sell01sfam.rr.nu/
    http://mcique31rycatch.rr.nu/
    http://tre35ngth.rr.nu/
    http://targ02etede.rr.nu/
    http://dleu36sxdo.rr.nu/
    http://lew40hats.rr.nu/
    http://ume42nted.rr.nu/
    http://iran80ians.rr.nu/
    http://singso96utheas.rr.nu/

    I’m working on restoring the file system but I’m worried that the database now contains hacked data, especially the templates. Any suggestions, links to relevant information, or help would be appreciated.

    Thanks,
    Bob.

  • #2 / Oct 18, 2012 4:12pm

    R.K.Foster

    138 posts

    I’ve found some further parts to the hack. There is an apparently randomized name file in the web root, in this case it is “fszfq.php” which probably tells them now what server I’m talking about. :-( And also a “georas_dear.php” file. I suspect these two since they only contain the suspect base64 code and nothing else.

    There is a “ss_52822_PG6oIIRh_import.php” file that seems to have joomla code in it.

    Again ALL files with a .php extension have the hacked code inserted into the beginning of the file. And this is NOT just the Exp Eng files. So likely the “fszfq.php” file or “georas_dear.php” file was uploaded to the server and then executed on all .php files it could find.

    Thanks,
    Bob.
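The two posts above describe the same indicator twice: a one-line `eval(base64_decode("..."))` stub prepended to every .php file, plus a few stub-only "dropper" files and a hidden .logs/ directory. The script below is an added example for triaging exactly that pattern; it is not from the thread or from ExpressionEngine. It walks a web root, matches the stub at the start of each .php file, decodes the payload layer by layer without ever executing it (so you can read what the stub does), flags files that contain nothing but the stub, lists hidden directories, and can strip the stub while keeping the infected copy as evidence. The handling of a nested `gzinflate(base64_decode(...))` layer is an assumption about common variants, not something the thread shows; the sample files and the harmless payload are constructed for the demo.

```python
"""Triage the prepended eval(base64_decode(...)) stub described in the thread.
Added example, not part of the original forum thread or ExpressionEngine.
The fixture files and the 'payload' are constructed and harmless."""
import base64
import binascii
import re
import tempfile
import zlib
from pathlib import Path
from typing import Optional

# The injected stub, anchored to the very start of the file. The one in the thread
# used a /**/ comment; whitespace and comments around it are tolerated.
STUB_RE = re.compile(
    rb'\A<\?php\s*(?:/\*.*?\*/\s*)*eval\s*\(\s*base64_decode\s*\('
    rb'\s*["\']([A-Za-z0-9+/=\s]+?)["\']\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?',
    re.DOTALL,
)
# Inner layers a decoded payload may wrap itself in (assumed common variants, not
# shown in the thread): another base64_decode(), optionally under gzinflate().
INNER_RE = re.compile(
    rb'(gzinflate\s*\(\s*)?base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+?)["\']\s*\)'
)


def decode_b64(blob: bytes) -> Optional[bytes]:
    """Strict base64 decode; None if the blob is not valid base64."""
    try:
        return base64.b64decode(re.sub(rb"\s", b"", blob), validate=True)
    except (binascii.Error, ValueError):
        return None


def unwrap_payload(encoded: bytes, max_depth: int = 5) -> list:
    """Decode the stub's payload layer by layer, NEVER executing it.
    Returns the decoded layers, outermost first."""
    layers, blob, depth = [], decode_b64(encoded), 0
    while blob is not None and depth < max_depth:
        layers.append(blob)
        m = INNER_RE.search(blob)
        if not m:
            break
        inner = decode_b64(m.group(2))
        if inner is not None and m.group(1):  # gzinflate() wraps a raw DEFLATE stream
            try:
                inner = zlib.decompress(inner, -15)
            except zlib.error:
                inner = None
        blob, depth = inner, depth + 1
    return layers


def inspect_file(path: Path) -> Optional[dict]:
    """Return a record for an infected file, or None if the stub is absent."""
    data = path.read_bytes()
    m = STUB_RE.match(data)
    if not m:
        return None
    remainder = data[m.end():]
    return {
        "path": path,
        "layers": unwrap_payload(m.group(1)),
        # A file that is only the stub is a dropper, not an infected original.
        "stub_only": remainder.strip() == b"",
    }


def scan_tree(root: Path) -> list:
    """Every infected .php file under root (the thread reports ALL of them hit)."""
    return [r for r in (inspect_file(p) for p in sorted(root.rglob("*.php"))) if r]


def find_dot_dirs(root: Path) -> list:
    """Hidden directories under root, like the thread's .logs/ drop directory."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob(".*") if p.is_dir())


def strip_stub(path: Path, backup: bool = True) -> bool:
    """Remove the prepended stub, keeping the infected copy as evidence."""
    data = path.read_bytes()
    m = STUB_RE.match(data)
    if not m:
        return False
    if backup:
        path.with_name(path.name + ".infected").write_bytes(data)
    path.write_bytes(data[m.end():])
    return True


# ---- constructed fixture mimicking the thread (harmless stand-in payloads) ----
ORIGINAL_INDEX = b'<?php\necho "hello from index";\n'
FAKE_PAYLOAD = b'echo "stage one";'
FAKE_INNER = b'echo "stage two";'


def make_stub(php_payload: bytes) -> bytes:
    return b'<?php /**/ eval(base64_decode("' + base64.b64encode(php_payload) + b'"));?>\n'


def build_sample_root() -> Path:
    """Infected originals, a stub-only dropper, a clean file and a hidden .logs/."""
    root = Path(tempfile.mkdtemp(prefix="eehack_"))
    (root / "system").mkdir()
    nested = FAKE_PAYLOAD + b' eval(base64_decode("' + base64.b64encode(FAKE_INNER) + b'"));'
    (root / "index.php").write_bytes(make_stub(nested) + ORIGINAL_INDEX)
    (root / "system" / "config.php").write_bytes(make_stub(FAKE_PAYLOAD) + b"<?php $x = 1;\n")
    (root / "dropper.php").write_bytes(make_stub(FAKE_PAYLOAD))
    (root / "clean.php").write_bytes(b'<?php echo "untouched";\n')
    (root / ".logs").mkdir()
    (root / ".logs" / "log1.txt").write_bytes(b"http://a.invalid/\nhttp://b.invalid/\n")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for rec in scan_tree(root):
        kind = "DROPPER" if rec["stub_only"] else "infected"
        print(f"{kind:8} {rec['path']}  innermost payload: {rec['layers'][-1]!r}")
    print("hidden dirs:", find_dot_dirs(root))
```

Run it against a copy of the web root, not the live tree: read the decoded layers first, keep the `.infected` copies and `.logs/` for the host's abuse team, and treat stripping as a stop-gap; restoring from a known-good backup, as Bob did, is the real fix, and anything the payload may have changed in the database (templates included) still has to be checked separately.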

  • #3 / Oct 19, 2012 5:16pm

    R.K.Foster

    138 posts

    This exploit has been identified as Trojan.PHP-33

  • #4 / Oct 22, 2012 9:49am

    Dan Decker

    7338 posts

    Hi Bob,

    Thanks for posting your information and what you’ve found.

    What version of ExpressionEngine 1.x specifically?

    Have you contacted the host to make sure everything is OK on their end? We seriously only see EE attacked when the site is on a poorly configured shared host.

    Can you check that and get back with me?

    Cheers,

  • #5 / Oct 22, 2012 7:21pm

    R.K.Foster

    138 posts

    Dan,

    Here’s the Exp Eng info…

    ExpressionEngine 1.6.8 - © Copyright 2003 - 2009 - EllisLab, Inc.
    Build:  20090723

    There were many old versions of WordPress in this account that hadn’t been updated. One person I contacted at ISC felt it was likely this was a WordPress exploit that gave the hacker access to the entire account. Once they were in, multiple domains were affected since any file with a .php extension was altered. We’ve restored the file system from a backup and I’ve updated all of the WordPress installs to the most current version.

    - Bob.

  • #6 / Oct 23, 2012 5:38pm

    Dan Decker

    7338 posts

    Hey Bob,

    “One person I contacted at ISC felt it was likely this was a WordPress exploit that gave the hacker access to the entire account.”

    I am not allowed to point any fingers… but that is not a unique experience.

    My suggestion is to remove *any* other PHP applications in your space that you are not actively using. That won’t guard against exploits via other accounts in a shared environment, but at least you know it won’t be your account that serves as the vector.

    Is there anything else I can assist you with?
    Cheers,

  • #7 / Oct 23, 2012 7:29pm

    R.K.Foster

    138 posts

    Nothing else. Thanks for your feedback. - Bob.

  • #8 / Oct 24, 2012 9:07pm

    Dan Decker

    7338 posts

    My pleasure!

    If you need anything else, just let us know.

    Cheers!
