MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: BigWeb.EU on 2014-07-03, 09:35:21
-
Hi, my Kloxo-MR (ver 6.5.0.f-2013031808) VPS was hacked: all sites under the admin accounts got a "tgrl.html" file with this content:
<html><head><title>Hacked By TurkTeam</title>
<link rel="SHORTCUT ICON" href="http://i.imgur.com/n54dIAD.gif">
<link href="http://fonts.googleapis.com/css?family=Orbitron" rel="stylesheet" type="text/css">
<link href="http://fonts.googleapis.com/css?family=Share+Tech+Mono" rel="stylesheet" type="text/css">
<style type="text/css">
body { color:#04BA4C;background:url(http://3.bp.blogspot.com/-D6nQQ3d_wfw/Ts31QI5aQPI/AAAAAAAAAgA/mMEBDufqDpk/s1600/0_1_1.gif) repeat center center fixed black;}
#q {font: 20px Share Tech Mono;color:darkgreen;}
.container > p {
	text-shadow: 0px 0px 20px #CC0000
}
.container > font {
	text-shadow: 0px 0px 20px #CC0000
}
#shadow {
	text-shadow: 0px 0px 20px #CC0000
}
</style>
<meta name="keywords" content="turkteam,hacked,defaced,hacked by turkteam,turkteam.org,hacked by turkteam.org">
</head>
<body>
<div class="container">
<br>
<center><br><br><br>
<font id="shadow" face="Orbitron" color="red" size="6">Hacked By </font></center><center>
<br><font id="shadow" face="Orbitron" style=" " color="red" size="6">TurkTeam</font><font style=" text-shadow: 0px 0px 20px #CC0000; " face="Orbitron" color="white" size="6">.Org</font></center><font face="Orbitron" color="white" size=
</font><center><br>
<img src="https://fbcdn-sphotos-c-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/10458112_331116590372224_7650303515172725644_n.jpg" width="600" height="250"></center><center><br>
<p><font id="shadow" face="Orbitron" color="white" size="6" >Patlamaya Hazir
</font></p>
<p><b><font id="shadow" face="Orbitron" color="red" size="6" >Bomba</font></b></p>
</center><br><br><br>
<center>
<b><font face="Orbitron" color="#04BA4C" size="5" style=" text-shadow: 0px 0px 20px #04BA4C; ">| S4cuRiTy EneMy | <font color="seagreen">Tgrl5000</font> | K37 King | G!4nT-C0d3 |</font></b></center>
<embed src="http://error-404.do.am/50256-h4ck3d.swf" width="0" height="0"></embed>
</div>
</body></html>
It happened on 28/06/2014; there are almost no mentions in the log files, except the apache error log, which shows an attempt to access that tgrl file:
[Sat Jun 28 02:49:24 2014] [error] [client 157.55.39.208] File does not exist: /home/kloxo/httpd/default/robots.txt
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 02:56:15 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/tgrl.html
[Sat Jun 28 02:56:16 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/favicon.ico
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] Premature end of script headers: index.php
[Sat Jun 28 03:16:59 2014] [error] [client 192.110.165.118] File does not exist: /home/kloxo/httpd/default/components
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] Premature end of script headers: index.php
[Sat Jun 28 03:58:13 2014] [notice] Graceful restart requested, doing restart
[Sat Jun 28 03:58:16 2014] [notice] Digest: generating secret for digest authentication ...
[Sat Jun 28 03:58:16 2014] [notice] Digest: done
Any ideas would be appreciated.
-
Better to update Kloxo-MR with 'yum clean all; yum update; sh /script/cleanup'.
It looks like one of the websites was already hacked, but with no impact on the other websites (according to the apache log).
-
What do you mean by saying "It looks like one of the websites was already hacked"?
If you're talking about your hosting, then I would treat this as a security hole; if you are talking about my posted apache log, this is the only mention of that file in the log. However, on my hosting ALL domains got hacked (admin account)!
-
I have found a newly created file:
/home/nginx/tpl/cgi-bin.php:
<?php
// Proxy script: runs the real CGI target named by the web server in
// X_SCRIPT_FILENAME and relays its headers and body to the client.
$descriptorspec = array(
	0 => array("pipe", "r"), // stdin is a pipe that the child will read from
	1 => array("pipe", "w"), // stdout is a pipe that the child will write to
	2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);
$newenv = $_SERVER;
$newenv["SCRIPT_FILENAME"] = $_SERVER["X_SCRIPT_FILENAME"];
$newenv["SCRIPT_NAME"] = $_SERVER["X_SCRIPT_NAME"];
if (is_executable($_SERVER["X_SCRIPT_FILENAME"])) {
	$process = proc_open($_SERVER["X_SCRIPT_FILENAME"], $descriptorspec, $pipes, NULL, $newenv);
	if (is_resource($process)) {
		fclose($pipes[0]);
		// Relay the CGI header block (up to the blank line) as HTTP headers.
		$head = fgets($pipes[1]);
		while (strcmp($head, "\n")) {
			header($head);
			$head = fgets($pipes[1]);
		}
		// Everything after the blank line is the response body.
		fpassthru($pipes[1]);
		fclose($pipes[1]);
		fclose($pipes[2]);
		$return_value = proc_close($process);
	} else {
		header("Status: 500 Internal Server Error");
		echo("Internal Server Error");
	}
} else {
	header("Status: 404 Page Not Found");
	echo("Page Not Found");
}
?>
Is it something Kloxo related? Also, I'm using Apache, not nginx?
-
If your information is right, your Kloxo-MR is too old (6.5.0.f-2013031808).
In early versions there was no 'open_basedir' declared in php-fpm. cgi-bin.php is normal but not implemented yet.
-
Question @promotion.
Did you ALWAYS access KloxoMR through https? Did you have the same password for a mail account under admin? Did you always connect to the mail server via https?
Anything in the kloxo secure log?
What types of sites run under admin? Plugins?
I ask all of this because it is important to find out if YOU got hacked, or if indeed KloxoMR got hacked; there is a difference.
-
OK, I think I got it. It was hacked via WordPress, by uploading a theme with PHP files that were used to populate infected files to all domains under admin.
So I'm mostly sure it is a false alarm on a Kloxo-MR hack. Please stay calm :)
-
If one of the domains under a certain user (let's say 'admin') is infected, it's possible all domains under 'admin' will be infected too. It's because all domains under 'admin' have the same 'open_basedir' (/home/admin).
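A small triage helper for the two points raised in this thread (finding the newly created files, and the fan-out to every domain that shares one open_basedir). This is an added example, not Kloxo-MR code; it assumes a layout like /home/admin/<domain>/ with one top-level directory per domain, and the time window is an assumption to be set from the incident.

```python
#!/usr/bin/env python3
"""List files under one hosting user's home that were created or modified
inside a time window, grouped by top-level directory (one per domain in a
Kloxo-style layout such as /home/admin/<domain>/), and flag file names that
turned up in more than one domain, the signature of one script writing
across a shared open_basedir. Added example, not Kloxo-MR code."""
import os
import stat
import time
from datetime import datetime

def to_epoch(stamp: str) -> float:
    """Parse 'YYYY-MM-DD HH:MM:SS' (local time) into a Unix timestamp."""
    return time.mktime(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").timetuple())

def files_changed_between(root: str, start: float, end: float) -> dict:
    """Return {top_level_dir: [(relative_path, mtime), ...]} for every regular
    file under root whose mtime lies inside [start, end]. Symlinks are not
    followed, so a planted link cannot drag unrelated trees into the report."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (start <= st.st_mtime <= end):
                continue
            rel = os.path.relpath(full, root)
            top = rel.split(os.sep)[0]
            hits.setdefault(top, []).append((rel, st.st_mtime))
    for entries in hits.values():
        entries.sort(key=lambda e: e[1])
    return hits

def same_name_across_domains(hits: dict) -> dict:
    """Return {basename: [domains]} for names present in more than one domain."""
    seen = {}
    for top, entries in hits.items():
        for rel, _mtime in entries:
            seen.setdefault(os.path.basename(rel), set()).add(top)
    return {n: sorted(d) for n, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    ROOT = "/home/admin"  # assumption: one user's home holding all its domains
    hits = files_changed_between(ROOT, to_epoch("2014-06-28 00:00:00"),
                                 to_epoch("2014-06-28 06:00:00"))
    for name, doms in same_name_across_domains(hits).items():
        print(f"{name}: present in {len(doms)} domains: {', '.join(doms)}")
```

Run it as the same user that owns the tree, or as root, so permission errors do not hide files; a file found under several domains in the same minutes is the spread described in the last post, not several separate break-ins.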