Kernel.org was compromised

Leave a reply

According to the website kernel.org, their website was compromised possibly by stolen login credentials. Here is what they posted on their website:

Security breach on kernel.org

Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.

What happened?

Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
A trojan startup file was added to the system start up scripts
User interactions were logged, as well as some exploit code. We have retained this for now.
Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don’t have Xnest installed, please investigate.
It *appears* that 3.1-rc2 might have blocked the exploit injector, we don’t know if this is intentional or a side affect of another bugfix or change.

What Has Been Done so far:

We have currently taken boxes off line to do a backup and are in the process of doing complete reinstalls.
We have notified authorities in the United States and in Europe to assist with the investigation
We will be doing a full reinstall on all boxes on kernel.org
We are in the process of doing an analysis on the code within git, and the tarballs to confirm that nothing has been modified

For those of you who think that hackers aren’t trying to infect websites – all websites, think again.

Also note how they took responsibility and publicly announced what they are doing to prevent this from happening again.

How about you? What have you done to protect your websites from being infected. Infected websites affect many people – anyone who visits your website.

Let me know your thoughts on this…post a comment.

Websites infected with googlesafebrowsing.com/kwizhveo.php

Leave a reply

Here’s another round of infections from the timthumb.php vulnerability.

This time the hackers have registered a new domain: googlesafebrowsing.com (on August 17, 2011) and they are utilizing the timthumb.php and thumb.php files to infect websites.

In the header.php file, we’re finding code that begins with:
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {

and continues down to:

if ( strpos ( $doms, ’||’ ) === false ) return false; $domains = explode ( ’||’, trim ( $doms ) ); return $domains[array_rand ( $domains )]; } ?>

This is a dynamic piece of code in that it pulls a new domain from googlesafebrowsing.com/remoted.cc.txt and inserts it into an iframe that's embedded in a section of code that appears on your website. Most of the iframes have .us.to/kwizhveo.php in the URL.

You really should search your themes for any instance of timthumb.php or thumb.php and get the updated file: and replace the existing one.

What we recommend is that your use a safe FTP program like WS_FTP by Ipswitch, login to your website and search the wp-content/themes folder for any instances of timthumb.php or thumb.php. When you find one, rename it by adding .orig to the end of it. That way after adding the new file and testing, if your site doesn't work, you can always move back to the original (.orig) by deleting the new file and renaming the original by taking the .orig extension off.

If you have the thumb.php version it's normally about 18kb in size. If you want to make that file safe without replacing it, download it to your computer and open it with an editor.

Before you make any other changes check the file for code that looks like this:

If you see that code, then your site is already infected and should be thoroughly cleaned. You should call us: (847)728-0214 or email: support@wewatchyourwebsite.com

However, if you don't see that code and want to modify your existing thumb.php file, scroll down to a section that looks like:

Change that by deleting the websites listed: flickr.com, picasa.com, etc.

When you're finished it should look like:

The above steps will keep your site safe from the timthumb.php and thumb.php type of infections on your WordPress website - if you haven't had your WordPress site infected already.

1see.ir/j/ script injections

Leave a reply

This infection has been happening for about 10 days already, but we’ve been so busy cleaning them that we haven’t had time to write about it.

We’ve been seeing the following script:

usually in the meta tag section of the infected website’s pages. It appears multiple times.

The domain: 1see.ir is not currently listed as suspicious by Google:

Yet a Google search shows about 78,000 listings. Some of these are reports of the infection and not necessarily infected websites:

This is affecting osCommerce based websites that are not properly protected. Protecting osCommerce sites is something we do extremely well. If your site has been infected by this, please contact us and we can clean this, remove all backdoors and secure your website from future infections.

You can’t just remove this infection and think you’re safe. We’ve been seeing extra entries in the admin table. These are accounts hackers have inserted into your site so they maintain control over your site. There have also been many, many different backdoor shell scripts as well.

Let’s get this cleaned up.

Contact me at: traef@wewatchyourwebsite.com or (847)728-0214.

If you have questions or comments please comment below.

Thank you.

Willysy.com infection changes to tiasissi.com.br

Leave a reply

As you may know from our previous posts, we’ve been watching the willysy.com infection of millions of e-commerce websites over the past few weeks.

Now, it appears that many of these are still infected and the hackers have now changed the infection to:

hxxp://tiasissi. com .br/revendedores/jquery

What’s really frustrating from our perspective, is that these are so easy to prevent. To date, we’ve cleaned 1,179 of these infections and no repeat infections – our methods work!

With the willysy infections we’ve seen many entries in the admin section of the osCommerce database which shows that the hackers have taken total control of these websites and this is just the infectious code they prefer to use for now.

There are many different backdoor shell scripts the hackers are installing on these websites and code inserted into the payment processing files that allow the hackers to steal the credit card information as it gets processed.

This is all cleanable and prevention is quite easy.

If you have questions about this, please leave a comment. We’ll respond promptly.

Thank you.

TimThumb WordPress Plugin Leads to Hacked Websites

2 Replies

The WordPress Plugin TimThumb which is primarily used in themes as an image resizing tool, was found to be vulnerable to an attack that could be classified as a remote file inclusion exploit.

TimThumb allows an attacker to retrieve a remote file and saves it to directory that is accessible via a browser. Mark Maunder who is CEO of technology firm Feedjit, based in Seattle, found out the hard way about this vulnerability when his own blog: markmaunder.com was infected by this.

He has provided a good detailed description, for those of you who are technically oriented, on his blog at:

It’s also been reported that the developer of the plugin had his own blog infected via this vulnerability. To his credit, he has been extremely busy in fixing this and has definitely shown responsibility in this matter.

The fix that Mark has suggested is this:

Edit timthumb.php
Scroll down to line 27 where it starts: $allowedSites = array(
Remove all the sites like “blogger.com” and “flickr.com”
After removing the sites your line should look like: $allowedSites = array();

Save the file and you’re finished. Keep in mind this is for version 1.33. If you’re running an older version, you’ll have to contact the Theme developer and ask them for an update.

Our research shows that some themes use this plugin but the file is not named timthumb.php it could be named:

thumb.php
resizer.php
crop.php
cropper.php
and various similar names

Search your files for all these names just to be sure you find it.

If you see a folder/directory named “cache” in your wp-content folder or any of it’s sub-folders, you can add this .htaccess file there which will block running any .php files. Quick backstep: this is typically where this plugin stores the files that a hacker may have uploaded. So even if a hacker were to upload the files to that folder, they cannot run them.

.htaccess:

RewriteEngine On

Order Deny,Allow
Deny from all
Allow from localhost

Please post a comment here if you’re having issues with this, or for that matter, any other security related issues.

Thank you.

willysy.com infection of osCommerce sites

1 Reply

UPDATE August 6, 2011: The number of websites infected with this had risen to over 5 million. The prevention of this type of attack is really quite simple – and something we’ve been applying to clients websites for some time.

Currently 100,000+ osCommerce (and variations of osCommerce) pages have been infected with an iframe that points to: willysy(dot)com.

Our research finds these iframes in the title tags and at various img tag locations throughout the webpages which led us to look in the database.

We see the code in the title tags at the top of the page, inserted as the description of the store logo, following the “images/store_logo.png” or “images/logo.gif” and other similar logo links. and also in the copyright section in many web pages:

Our suggestion is to export the entire database, download it to your local computer and search for any strings with “iframe” (no quotes) in them. A few of these iframe strings have been obfuscated, so also look for the string: document.write.

Other domains used in this attack are:

exero.eu
yandekapi.com

It’s certain that more will follow.

Our research indicates that most of these websites are osCommerce or an osCommerce related website. In 89% of the websites we investigated, they have left the admin folder unchanged, which means they have not followed the recommendation of renaming the admin folder. Since this is a simple process, I would tend to believe that they have not followed other security recommendations and left their websites open to an attack.

You may see entries in your log files like this:

XXX.XXX.XXX.XXX – - [08/Jul/2011:02:19:54 -0500] “GET /admin/configuration.php/login.php HTTP/1.1″ 200 24492 “http://(domain removed)/admin/configuration.php/login.php” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

The key here is the “200″ following the HTTP/1.1 string. This means the above GET request was successful.

This will be followed by:

GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1″ 200 24835 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

and…

“POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1″ 302 – “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

To prevent this, you should:

Rename the admin folder to something that does not include the word ‘admin’
Depending on what version of osCommerce you’re running, you should modify the code in application_top.php (2 files) to eliminate the $PHP_SELF
You should disable define_language.php and file_manager.php
Use various methods to prevent the configuration.php/login.php in the URL

You may also find additional users in your administrators table. Hackers have been adding these as well. Many of them will have their own email address as well so that a request to reset a password will go to them.

Various .php backdoors and some Perl shell scripts might be added to your website as well. The hackers have been using a variety of these in order to maintain control of the website.

First, make a backup of your database. Then after all these database entries have been found and removed, you’ll have to change the password to your database as they obviously know what it is and then import your database.

All of this needs to be cleaned up.

If you need help in cleaning this up, please send an email to support@wewatchyourwebsite.com or call me directly at (847)833-5666

com_avreloaded needs to be updated

Leave a reply

Joomla plugin security alert!

According to the author of the Joomla plugin AllVideos Reloaded:

Security Alert
Attention!
A serious SQL injection vulnerability was just found in AllVideos Reloaded! A zero-day exploit already exists in the wild, which uses this vulnerability in order to steal your user-database!

All users of version 1.2.6 and below, update to version 1.2.7 immediately!

For those who want to keep their database of customized players/tags/rippers, use the package named com_avreloaded-1.2.7_SECUPDATE-WITHOUT-DB.zip and simply install it over the existing version using Joomla’s extension installer. All other users: Use the regular (full) installer package.

Please check your sites and if you’re using this plugin, please update immediately.

Have any other plugins you’re concerned with?

Post here with what they are and we’ll check them out for you.

WordPress plugin wp-phpmyadmin should be removed

Leave a reply

If anyone reading this blog has wp-phpmyadmin installed on their site you should remove it immediately.

For the past 2 months we’ve been seeing more and more websites with this plugin being infected.

There is usually a file added: upgrade.php that is not part of the legitimate files and has various malicious code inside.

This plugin is no longer on the WordPress plugin repository as it has not been updated since 2007.

While a plugin like this might seem more convenient for database work than using your hosting provider’s control panel, it’s also more convenient for hackers.

We did a Google search on this and found that the majority of websites with this plugin, also don’t have any prevention for viewing the directory this is installed in.

This means that a hacker can click on “Parent Directory” and see all the plugins installed. While this isn’t a huge vulnerability, it’s so easy to prevent with a either a .htaccess file or an empty index.html file.

The less information a hacker knows about your website the better off you are.

What about you? Do you have this installed on your website? Are there other plugins you worry about? Leave a comment here and we’ll investigate it.

Need your website cleaned, protected and monitored? Send us an email: support@wewatchyourwebsite.com

FCKEditor Attacks

Leave a reply

I realize we’re not the first to write about this, but my intention is not to be a ground-breaking news source, but for our readers, I hope to be at least educational.

We’ve been seeing more log files, ever since we’ve been beta testing our new log analyzer, with probes for fckeditor and also editormonkey. This has led us on a journey to see why.

What we found was that many people are using editormonkey, even though it’s been “shelved” for some time. This means, no updates, nobody to fix bugs or more importantly – no security patches.

Here is a screenshot from the Editormonkey website:

Screen shot from editormonkey website

For those of you unfamiliar with FCKeditor and Editormonkey, they work with various programs like WordPress, Joomla and other Content Management Systems (CMS), to provide a more robust writing platform.

These programs were designed to bring more text editing features to web based programs.

According to the CKEditor website:

CKEditor and FCKeditor
The problem with any plugin, component, module, etc. is that they often times provide a file manager. A file manager for an editor is key so you can upload graphic files without leaving the editor. For instance, if you wanted to add a picture to something you’re writing about, you would upload it to your website and then insert into your text. A good editor will enable you to perform that task, without ever leaving the editor.

When you have multiple ways of uploading files to your website, you also introduce multiple exploits for hackers to abuse and infect your website.

Let’s see what is so bad about this.

First, let me begin by saying that if you follow our security principles, you’ll know that all software should be kept up-to-date.

ALL SOFTWARE!!!

Yes, that means even web based editors.

For older versions of FCKeditor, like 2.0 -> 2.2, this string is dangerous:

http://[target]/[path]/editor/filemanager/browser/default/connectors/php/connector.php

This allows an attacker to upload a file, like a backdoor shell script to the vulnerable website without any real “hacking” skills.

How would a hacker know you have this installed on your website?

Google is a hacker’s best friend. They can search using:

inurl:/editor/filemanager/browser/default/connectors/php/connector.php

And find websites that Google has indexed and found that string.

What can you do to prevent this?

I’m glad you asked.

First, you can update your software. As posted above, FCKeditor has been renamed CKEditor. Update immediately.

Next, you can also use “security by obscurity”. In your robots.txt file you specify what the search engines index on your website. Does the world need to know what plugins you’re using in your WordPress blog?

Probably not.

You can use something like this in your robots.txt file:

# Hide certain folders from spiders
User-agent: *
Disallow: /(path to your editor folder)

We’re not big fans of relying on security by obscurity so you should also locate the config.php file. It’s usually located here:

editor/filemanager/connectors/php/config.php

Open it with a text editor and search for the line that looks like:

$Config['Enabled'] = true ;

And change “true” to “false” (no quotes). That will disable that connector.

Other safety precautions you can take is to password protect the editor folder. Usually your hosting provider will have that option in their Control Panel for your account.

You could also delete the filemanager folder altogether. This eliminates the vulnerability completely.

If you absolutely have to upload files to your website via the editor, then I suggest you pick some area of your website to designate as an upload folder, but you should know that the permissions on that upload folder have to be set to 777 (world readable/writable). Again, you are warned not to do this.

In review, always use a multi-layered strategy for website security.

Keep all software updated – even editors
Hide folders from search engines
Hide folders by using password protection
Disable potentially vulnerable functions
Hire a good security company (like us!)

Fake google-analytics code

2 Replies

It’s rare for me to post twice in the same day, but I thought this one needed your attention.

In some infected osCommerce and WordPress sites we’ve been seeing this line of code:

< scr ipt snc=hxxp: // www. google-analytics.com/urchin.js id=googleanalytics>var emob = googleanalytics;var emsk = 126853 * 4;var emsp = googleanalytics.id.substr(1,0);var k = 1;var t = emob.innerHTML.split…(removed)< /scr ipt >

In the osCommerce sites it was in:

/catalog/includes/languages/english/define_mainpage.php

In the WordPress sites it was in:

wp-load.php

Usually at the end of a div tag in the body of the page code. This has been noticed more and more. It used to be that the malicious code was somewhere either in the beginning or near the end of the page code.

This code works by looking like legitimate google-analytics code, but notice that in the opening script tag, that’s not a src variable. It’s snc. Which looks at first like src, but it’s not.

What the code does is replace use the id variable and replace it with a different URL and then the code at the end of the malscript sets the source for the script src with:

emob.src = emsp.substr(15)

Of the ones we’ve cleaned, so far, they’ve all pointed to:

hxxp:// chadon.nl/js/jquery.js

We’ve gathered the log files for these sites and processed them through our log analyzer and found that the hackers are using file inclusion strings in already vulnerable sites to infect them.

We can remove this from your site and help protect it or, if you have your files downloaded to your PC and have already installed grepWin, you can use this regex to find and remove these strings from your website files:

Please post back here with any comments, other URLs that this script is directing to or any other pertinent information.

Thank you.