
Topic: KLoxo MR was hacked (False alarm. Kloxo wasn't the cause of a hack)


BigWeb.EU
Hi, my Kloxo-MR (ver. 6.5.0.f-2013031808) VPS was hacked - all sites on admin accounts got a "tgrl.html" file with this content:

```html
<html><head><title>Hacked By TurkTeam</title>
<link rel="SHORTCUT ICON" href="http://i.imgur.com/n54dIAD.gif">
<link href="http://fonts.googleapis.com/css?family=Orbitron" rel="stylesheet" type="text/css">
<link href="http://fonts.googleapis.com/css?family=Share+Tech+Mono" rel="stylesheet" type="text/css">
<style type="text/css">
 body { color:#04BA4C;background:url(http://3.bp.blogspot.com/-D6nQQ3d_wfw/Ts31QI5aQPI/AAAAAAAAAgA/mMEBDufqDpk/s1600/0_1_1.gif) repeat center center fixed black;}
 #q {font: 20px Share Tech Mono;color:darkgreen;}
.container > p {
    text-shadow: 0px 0px 20px #CC0000
}
.container > font {
    text-shadow: 0px 0px 20px #CC0000
}
#shadow {
    text-shadow: 0px 0px 20px #CC0000
}
</style>
<meta name="keywords" content="turkteam,hacked,defaced,hacked by turkteam,turkteam.org,hacked by turkteam.org">
</head>
<body>
<div class="container">
<br>
<center><br><br><br>
<font id="shadow" face="Orbitron" color="red" size="6">Hacked By </font></center><center>
<br><font id="shadow" face="Orbitron" style="  " color="red" size="6">TurkTeam</font><font style="  text-shadow: 0px 0px 20px #CC0000; " face="Orbitron" color="white" size="6">.Org</font></center><font face="Orbitron" color="white" size=
</font><center><br>
<img src="https://fbcdn-sphotos-c-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/10458112_331116590372224_7650303515172725644_n.jpg" width="600" height="250"></center><center><br>
 
 <p><font id="shadow" face="Orbitron" color="white" size="6" >Patlamaya Hazir
  </font></p>
  <p><b><font id="shadow" face="Orbitron" color="red" size="6" >Bomba</font></b></p>
</center><br><br><br>
<center>
<b><font  face="Orbitron" color="#04BA4C" size="5" style="  text-shadow: 0px 0px 20px #04BA4C; ">| S4cuRiTy EneMy | <font color="seagreen">Tgrl5000</font> | K37 King | G!4nT-C0d3 |</font></b></center>
<embed src="http://error-404.do.am/50256-h4ck3d.swf" width="0" height="0"></embed>
</div>
</body></html>
```

It happened on 28/06/2014; there are almost no mentions in the log files, except the Apache error log, which shows an attempt to access that tgrl file:

```text
[Sat Jun 28 02:49:24 2014] [error] [client 157.55.39.208] File does not exist: /home/kloxo/httpd/default/robots.txt
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 02:56:15 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/tgrl.html
[Sat Jun 28 02:56:16 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/favicon.ico
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] Premature end of script headers: index.php
[Sat Jun 28 03:16:59 2014] [error] [client 192.110.165.118] File does not exist: /home/kloxo/httpd/default/components
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] Premature end of script headers: index.php
[Sat Jun 28 03:58:13 2014] [notice] Graceful restart requested, doing restart
[Sat Jun 28 03:58:16 2014] [notice] Digest: generating secret for digest authentication ...
[Sat Jun 28 03:58:16 2014] [notice] Digest: done
```

Any ideas would be appreciated.
« Last Edit: 2014-07-04, 17:47:50 by promotion »
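The log excerpt above is enough for a first pass of triage. What follows is an added example, not code from the thread or from Kloxo-MR: a small Python parser for Apache 2.2 error_log lines of the form shown, which pulls out timestamp, level, client and message, finds the first request for the defacement filename (tgrl.html, taken from the post), and counts which other clients were active around that moment. SAMPLE_LOG is the poster's own excerpt; the window size, the basename matching and the helper names are my choices, not anything the thread states. Note that the 404 for tgrl.html is on the default docroot, /home/kloxo/httpd/default, which is consistent with the poster's observation that only the sites under admin were defaced.

```python
"""Apache error_log triage for the excerpt quoted in the post.

Added example, not part of the original thread or of Kloxo-MR. Apache 2.2 writes
error_log lines as "[date] [level] [client IP] message"; [notice] lines carry no
client field. The parser extracts those fields, then answers what a responder
asks first: who requested the defacement filename and when, and which other
clients were active around that moment.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# [Sat Jun 28 02:56:15 2014] [error] [client 41.101.228.11] File does not exist: /path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
MISSING_RE = re.compile(r"^File does not exist: (?P<path>\S+)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Copied from the error_log excerpt the poster quoted.
SAMPLE_LOG = """\
[Sat Jun 28 02:49:24 2014] [error] [client 157.55.39.208] File does not exist: /home/kloxo/httpd/default/robots.txt
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 02:56:15 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/tgrl.html
[Sat Jun 28 02:56:16 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/favicon.ico
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] Premature end of script headers: index.php
[Sat Jun 28 03:16:59 2014] [error] [client 192.110.165.118] File does not exist: /home/kloxo/httpd/default/components
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] Premature end of script headers: index.php
[Sat Jun 28 03:58:13 2014] [notice] Graceful restart requested, doing restart
[Sat Jun 28 03:58:16 2014] [notice] Digest: generating secret for digest authentication ...
[Sat Jun 28 03:58:16 2014] [notice] Digest: done
"""


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    missing = MISSING_RE.match(m.group("msg"))
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "level": m.group("level"),
        "client": m.group("client"),  # None for [notice] lines
        "msg": m.group("msg"),
        "missing_path": missing.group("path") if missing else None,
    }


def parse_log(text):
    """Parse a whole log excerpt, silently skipping lines that do not match."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def requests_for(records, filename):
    """All 'File does not exist' hits whose basename is filename, as (iso_ts, client, path)."""
    hits = []
    for r in records:
        p = r["missing_path"]
        if p and p.rsplit("/", 1)[-1] == filename:
            hits.append((r["ts"].isoformat(sep=" "), r["client"], p))
    return hits


def first_sighting(records, filename):
    """Earliest request for filename, or None. ISO timestamps sort chronologically."""
    hits = requests_for(records, filename)
    return min(hits) if hits else None


def clients_around(records, filename, minutes=15):
    """Clients active within +/- minutes of the first request for filename,
    to separate the probing IP from background crawler noise."""
    hit = first_sighting(records, filename)
    if hit is None:
        return Counter()
    centre = datetime.fromisoformat(hit[0])
    delta = timedelta(minutes=minutes)
    return Counter(r["client"] for r in records
                   if r["client"] and centre - delta <= r["ts"] <= centre + delta)


def levels(records):
    """Lines per log level, to see how much of the window is notice versus error."""
    return Counter(r["level"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("first request for tgrl.html:", first_sighting(recs, "tgrl.html"))
    print("clients within 10 min:", clients_around(recs, "tgrl.html", 10))
```

On the excerpt this reports the 41.101.228.11 request at 02:56:15 as the first probe for tgrl.html, with the same client then fetching favicon.ico and index.php in the following seconds. The other three clients in the excerpt only ever hit the default vhost's index.php and robots.txt, so the parser at least narrows down whose access-log entries to read next; it does not, on its own, say how the files were written.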

MRatWork (Administrator)
Re: KLoxo MR was hacked
« Reply #1 on: 2014-07-03, 10:06:34 »
Better update Kloxo-MR with 'yum clean all; yum update; sh /script/cleanup'.

Looks like one of the websites was already hacked, but with no impact on the other websites (according to the Apache log).
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

BigWeb.EU
Re: KLoxo MR was hacked
« Reply #2 on: 2014-07-03, 10:39:59 »
What do you mean by saying "Look like, 1 of websites already hacked"?

If you're talking about your hosting, then I would treat this as a security hole. If you are talking about my posted Apache log, this is the only mention of that file in the log; however, on my hosting ALL domains got hacked (admin account)!
« Last Edit: 2014-07-03, 10:45:48 by promotion »

BigWeb.EU
Re: KLoxo MR was hacked
« Reply #3 on: 2014-07-03, 10:53:08 »
I have found a newly created file:

/home/nginx/tpl/cgi-bin.php:

```php
<?php
// Template under /home/nginx/tpl/: runs the CGI program named by the web server
// (X_SCRIPT_FILENAME / X_SCRIPT_NAME) through proc_open, relays the CGI header
// lines it emits, then streams the response body back to the client.

$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a file to write to
);

$newenv = $_SERVER;
$newenv["SCRIPT_FILENAME"] = $_SERVER["X_SCRIPT_FILENAME"];
$newenv["SCRIPT_NAME"] = $_SERVER["X_SCRIPT_NAME"];

if (is_executable($_SERVER["X_SCRIPT_FILENAME"])) {
    $process = proc_open($_SERVER["X_SCRIPT_FILENAME"], $descriptorspec, $pipes, NULL, $newenv);

    if (is_resource($process)) {
        fclose($pipes[0]);
        $head = fgets($pipes[1]);

        // Relay CGI header lines up to the blank line. The EOF check stops the
        // loop for a child that exits before emitting a blank line, since fgets
        // then returns false on every call.
        while ($head !== false && strcmp($head, "\n")) {
            header($head);
            $head = fgets($pipes[1]);
        }

        fpassthru($pipes[1]);
        fclose($pipes[1]);
        fclose($pipes[2]);

        $return_value = proc_close($process);
    } else {
        header("Status: 500 Internal Server Error");
        echo("Internal Server Error");
    }
} else {
    header("Status: 404 Page Not Found");
    echo("Page Not Found");
}
?>
```


Is it something Kloxo related? Also, I'm using Apache, not nginx?

MRatWork (Administrator)
Re: KLoxo MR was hacked
« Reply #4 on: 2014-07-03, 11:14:29 »
If your information is right, your Kloxo-MR is too old (6.5.0.f-2013031808).

In early versions there was no 'open_basedir' declared in php-fpm. cgi-bin.php is normal, but not implemented yet.

chrisf (Senior Master)
Re: KLoxo MR was hacked
« Reply #5 on: 2014-07-03, 18:40:04 »
Question @promotion.

Did you ALWAYS access Kloxo-MR through https? Did you have the same password for a mail account under admin? Did you always connect to the mail server via https?

Anything in the kloxo secure log?

What types of sites run under admin? Plugins?

I ask all of this because it is important to find out if YOU got hacked, or if indeed Kloxo-MR got hacked; there is a difference.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

BigWeb.EU
Re: KLoxo MR was hacked
« Reply #6 on: 2014-07-04, 17:46:46 »
OK, I think I got it. It was hacked via WordPress, by uploading a theme with PHP files that were used to populate infected files to all domains under admin.

So I'm mostly sure it is a false alarm on the Kloxo-MR hack. Please stay calm :)

MRatWork (Administrator)
If one of the domains under a certain user (let's say 'admin') is infected, it's possible all domains under 'admin' will be infected too. That's because all domains under 'admin' have the same 'open_basedir' (/home/admin).
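MRatWork's point about the shared open_basedir is the blast-radius question a responder wants answered concretely: if every domain under /home/admin is writable from PHP running in any one of them, a single PHP file uploaded through one WordPress install can plant files in all of them, which is exactly the pattern BigWeb.EU describes. The following is an added example, not Kloxo-MR code, and it assumes the /home/<user>/<domain>/ layout the thread implies (one docroot per domain directly under the user's home). It walks all domains under one user, flags files carrying the defacement marker quoted in the first post, flags PHP files under wp-content/uploads (a WordPress install should have none there), and reports how many seconds apart the defacement files were written: a spread of a few seconds across many domains is what a script fanning out from one compromised docroot looks like. build_sample_tree() creates a constructed three-domain tree so the scan runs offline; on a real box you would call scan_user_home("/home/admin") instead.

```python
"""Blast-radius triage for one hosting user whose vhosts share an open_basedir.

Added example, not Kloxo-MR code. Assumes the layout /home/<user>/<domain>/ with
one docroot per domain, so PHP in any one domain can write into every sibling.
"""
import os
import tempfile

DEFACEMENT_MARKERS = (b"Hacked By TurkTeam",)  # string taken from the posted tgrl.html
UPLOAD_DIR = "wp-content/uploads"               # WordPress convention; PHP here is a red flag
PHP_SUFFIXES = (".php", ".phtml", ".php5")
MAX_READ = 1 << 20                              # inspect at most the first MiB of each file


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_docroot(docroot, markers=DEFACEMENT_MARKERS):
    """Return (defaced, php_in_uploads), each a sorted list of (relpath, int_mtime)."""
    defaced, php_in_uploads = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        # Do not follow symlinked directories: an attacker may point one outside the docroot.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = _rel(docroot, full)
            mtime = int(os.stat(full).st_mtime)
            if rel.startswith(UPLOAD_DIR + "/") and name.lower().endswith(PHP_SUFFIXES):
                php_in_uploads.append((rel, mtime))
            with open(full, "rb") as fh:
                head = fh.read(MAX_READ)
            if any(m in head for m in markers):
                defaced.append((rel, mtime))
    return sorted(defaced), sorted(php_in_uploads)


def scan_user_home(home, markers=DEFACEMENT_MARKERS):
    """Scan every domain directory under /home/<user> and aggregate the findings.

    Returns {"defaced": [(domain, rel, mtime)], "php_in_uploads": [(domain, rel, mtime)],
             "defaced_mtime_spread": seconds between first and last defacement, or None}.
    """
    findings = {"defaced": [], "php_in_uploads": [], "defaced_mtime_spread": None}
    for domain in sorted(os.listdir(home)):
        docroot = os.path.join(home, domain)
        if not os.path.isdir(docroot) or os.path.islink(docroot):
            continue
        defaced, php = scan_docroot(docroot, markers)
        findings["defaced"] += [(domain, rel, mt) for rel, mt in defaced]
        findings["php_in_uploads"] += [(domain, rel, mt) for rel, mt in php]
    times = [mt for _, _, mt in findings["defaced"]]
    if times:
        findings["defaced_mtime_spread"] = max(times) - min(times)
    return findings


def build_sample_tree():
    """Constructed sample (not data from the incident): three domains under one user,
    two defaced three seconds apart, one with a PHP file in uploads two minutes earlier."""
    home = os.path.join(tempfile.mkdtemp(prefix="triage-"), "admin")
    t0 = 1403923200  # fixed epoch so mtimes are deterministic
    files = {
        "site-a.example/tgrl.html": (b"<html><title>Hacked By TurkTeam</title></html>", t0),
        "site-b.example/tgrl.html": (b"<html><title>Hacked By TurkTeam</title></html>", t0 + 3),
        "site-c.example/index.php": (b"<?php echo 'clean'; ?>", t0 - 86400),
        "site-a.example/wp-content/uploads/2014/06/x.php": (b"<?php /* stand-in dropper */ ?>", t0 - 120),
        "site-a.example/wp-content/uploads/2014/06/logo.png": (b"\x89PNG", t0 - 86400),
    }
    for rel, (content, mtime) in files.items():
        full = os.path.join(home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))
    return home


if __name__ == "__main__":
    for key, value in scan_user_home(build_sample_tree()).items():
        print(key, value)
```

The hardening this implies, which the thread only hints at, is giving each domain its own open_basedir in php-fpm (for example one pool per domain confined to that domain's docroot) instead of one /home/admin for the whole user; that is my reading, not something the page spells out. The scan above is for working out what happened on a box that did not have it.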