[Systems] Fwd: Hacked content detected on http://www.sugarlabs.org/

Samuel Cantero scanterog at gmail.com
Mon Oct 12 21:01:13 EDT 2015


Also, I've found the following PHP files with suspicious code:

/srv/www-sugarlabs/www/images/favicons/class.wp-date.php
/srv/www-sugarlabs/www/old/fedit.php
/srv/www-sugarlabs/www/old/Iicense.php
/srv/www-sugarlabs/www/scripts/fs-login.php
/srv/www-sugarlabs/www/xsl/fs-login.php
/srv/www-sugarlabs/www/.git/lndex.php
/srv/www-sugarlabs/www/cache/fedit.php
/srv/www-sugarlabs/www/cache/Iicense.php
/srv/www-sugarlabs/www/.cache.php

In addition, there is some gzipped, base64-encoded PHP using hexadecimal
character codes. This "fancy" code is executed via *preg_replace* with the
e modifier.

/srv/www-sugarlabs/www/images/Iicense.php
/srv/www-sugarlabs/www/press/Iicense.php
/srv/www-sugarlabs/www/xml/fedit.php
/srv/www-sugarlabs/www/head.php
/srv/www-sugarlabs/www/static/lndex.php
/srv/www-sugarlabs/www/assets/fs-login.php

An expert in PHP here?

This is just the Sugar Labs web site. Maybe we have a lot of them in the entire
/srv directory. I have to look for them.

Regards,
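As an added, defensive example (not code from this thread or from the Sugar Labs site): a small Python scan for the indicators described above, hex-escaped function names, base64/gzip decoders and preg_replace with the /e modifier, plus the look-alike filenames in the list (Iicense.php, lndex.php). The PHP sample inside it is constructed for the test, not taken from the server.

```python
import re

# Constructed sample (not from the compromised site) of the pattern described:
# hex-escaped names for base64_decode/gzinflate/eval, run through preg_replace()
# with the deprecated /e modifier, which evaluates the replacement as PHP code.
SAMPLE = r'''<?php
$c = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
preg_replace("/.*/e", "\x65\x76\x61\x6c(\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65($c('H4sI')))", ".");
'''

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
# preg_replace whose first argument is a quoted regex carrying the e modifier
PREG_E = re.compile(r'preg_replace\s*\(\s*([\'"])(\W)(.*?)\2[a-zA-Z]*e[a-zA-Z]*\1', re.S)
DECODERS = ('base64_decode', 'gzinflate', 'gzuncompress', 'eval', 'str_rot13')

def unhex(src: str) -> str:
    r"""Resolve \xNN escapes so hidden function names become greppable."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)

def scan_source(src: str) -> list[str]:
    """Indicators found in one PHP source string, in a fixed order."""
    plain = unhex(src)
    hits = []
    if PREG_E.search(plain):
        hits.append('preg_replace /e')
    hits += [f for f in DECODERS if f in plain]
    if plain != src:
        hits.append('hex-escaped strings')
    return hits

# The dropped files mimic legitimate names with look-alike letters
# (Iicense.php with a capital I, lndex.php with a lowercase l).
LEGIT = {'index.php', 'license.php'}
CONFUSABLE = re.compile(r'[il1|]')

def fold(name: str) -> str:
    """Collapse the confusable characters so look-alikes compare equal."""
    return CONFUSABLE.sub('|', name.lower())

def looks_like_homoglyph(name: str) -> bool:
    """True when name is a look-alike of a legitimate file but not that file."""
    return name.lower() not in LEGIT and fold(name) in {fold(n) for n in LEGIT}

if __name__ == '__main__':
    print(scan_source(SAMPLE))
    for f in ('Iicense.php', 'lndex.php', 'license.php', 'fedit.php'):
        print(f, looks_like_homoglyph(f))
```

Run it over every .php file under the web root (read each file and call scan_source on its text, looks_like_homoglyph on its basename) to get a first list of files to review by hand; the /e modifier is removed in PHP 7, so any legitimate use would have to be replaced anyway.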

On Mon, Oct 12, 2015 at 9:03 PM, Samuel Cantero <scanterog at gmail.com> wrote:

> Google is right. Our site has been hacked.
>
> One example: http://www.sugarlabs.org/images/
>
> There is a URL injection: http://www.sugarlabs.org/index.php/cialis-10mg/
>
> I will try to find all URLs not belonging to our site and the root cause.
>
> Regards,
>
> On Mon, Oct 12, 2015 at 5:50 PM, Bernie Innocenti <bernie at codewiz.org>
> wrote:
>
>> Maybe all we need to do is click the reconsideration request link and see
>> what happens.
>>
>> Feel free to take control of the domain if you want to see the Google
>> webmaster console.
>>
>> On October 12, 2015 3:11:53 PM EDT, "Ignacio Rodríguez" <nachoel01 at gmail.com> wrote:
>>>
>>> Is that updated?
>>>
>>> I remember seeing some spam in sugarlabs.org (but it was fixed).
>>>
>>> As the email says, can we fetch as Google?  I mean, the tool for that.
>>> Greetings,
>>> Ignacio
>>>
>>> 2015-10-12 16:02 GMT, Sebastian Silva <sebastian at fuentelibre.org>:
>>>
>>>>  I took a very quick look at the pages reported, and can't find anything
>>>>  suspicious with them.
>>>>
>>>>
>>>>  On 12/10/15 10:52, Samuel Cantero wrote:
>>>>
>>>>>  I can check this later (in 8 hours). I am away from my laptop now. If
>>>>>  someone has found something please share the info.
>>>>>
>>>>>  Regards,
>>>>>
>>>>>  On Monday, 12 October 2015, Bernie Innocenti <bernie at codewiz.org> wrote:
>>>>>
>>>>>      Can someone look into this to see if our ancient website really is
>>>>>      serving "hacked" content?
>>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>>      *From:* Google Search Console Team <sc-noreply at google.com>
>>>>>      *Sent:* October 6, 2015 5:47:40 PM EDT
>>>>>      *To:* bernie.codewiz at gmail.com
>>>>>      *Subject:* Hacked content detected on http://www.sugarlabs.org/
>>>>>
>>>>>      Message type: [WNC-633200]
>>>>>      Search Console
>>>>>
>>>>>      Hacked content detected on http://www.sugarlabs.org/
>>>>>
>>>>>      To: Webmaster of http://www.sugarlabs.org/,
>>>>>
>>>>>      Google has detected that your site has been hacked by a third
>>>>>      party who created malicious content on some of your pages. This
>>>>>      critical issue utilizes your site’s reputation to show potential
>>>>>      visitors unexpected or harmful content on your site or in search
>>>>>      results. It also lowers the quality of results for Google Search
>>>>>      users. Therefore, we have applied a manual action to your site
>>>>>      that will warn users of hacked content when your site appears in
>>>>>      search results. To remove this warning, clean up the hacked
>>>>>      content, and file a reconsideration request. After we determine
>>>>>      that your site no longer has hacked content, we will remove this
>>>>>      manual action.
>>>>>
>>>>>      Following are some example URLs where we found pages that have
>>>>>      been compromised. Review them to gain a better sense of where this
>>>>>      hacked content appears. The list is not exhaustive.
>>>>>
>>>>>      http://git.sugarlabs.org/python-xkb/mainline/commits/35bdff6
>>>>>
>>>>>      http://meeting.sugarlabs.org/publiclab/meetings
>>>>>
>>>>>      http://meeting.sugarlabs.org/sugar-meeting/2015-06-07
>>>>>
>>>>>
>>>>>          Here’s how to fix this problem:
>>>>>
>>>>>      1. Check Security Issues for details of the hack
>>>>>
>>>>>      Use the examples provided in the Security Issues report of Search
>>>>>      Console to get an initial sample of hacked pages.
>>>>>
>>>>>
>>>>>      Security Issues
>>>>>
>>>>>      2. Look for other compromised pages or files on your site
>>>>>
>>>>>      Be sure to check your entire site, including the homepage, for any
>>>>>      unfamiliar content that could have been added. The malicious code
>>>>>      might be placed in HTML, JavaScript, or other files on your site.
>>>>>      It can also be hidden in places you might overlook, such as server
>>>>>      configuration files (e.g. .htaccess file) or other dynamic
>>>>>      scripting pages (e.g. PHP, JSP). It’s important to be thorough in
>>>>>      your investigation.
>>>>>
>>>>>      3. Use the Fetch as Google tool to isolate the malicious content
>>>>>
>>>>>      Because some pages can appear one way to a user and another way to
>>>>>      Google crawlers, you can use the Fetch as Google tool to reveal
>>>>>      some kinds of hacking. Enter URLs from your site in the tool to
>>>>>      see the pages as Google sees them. If the page has hidden hacked
>>>>>      content, the tool can reveal that content.
>>>>>
>>>>>
>>>>>      Fetch as Google
>>>>>
>>>>>      4. Remove all malicious content
>>>>>
>>>>>      You can also contact your hosting provider and ask them for
>>>>>      assistance. If you’re having trouble identifying and removing all
>>>>>      the content on your site that is compromised, consider restoring
>>>>>      an older backed-up version of your site.
>>>>>
>>>>>      5. Secure your site from any future attacks
>>>>>
>>>>>      Identify and fix vulnerabilities that caused your site to be
>>>>>      compromised. Change passwords for administrative accounts.
>>>>>      Consider contacting your hosting service to get help with the issue.
>>>>>
>>>>>      6. Submit a reconsideration request
>>>>>
>>>>>      Once you fix your site, file for reconsideration to remove this
>>>>>      manual action. Include any details or documentation that can help
>>>>>      us understand the changes made to your site.
>>>>>
>>>>>
>>>>>      Reconsideration Request
>>>>>
>>>>>
>>>>>
>>>>>            Need more help?
>>>>>
>>>>>      •  Read our guide for hacked sites.
>>>>>
>>>>>      •  Learn how to use the Fetch as Google tool in our Help Center.
>>>>>      •  Learn more about reconsideration requests in our Help Center.
>>>>>      •  Ask questions in our forum for more help - mention message type [WNC-633200].
>>>>>
>>>>>      Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 | Unsubscribe |
>>>>>      Add partners who should receive messages for this Search Console account.
>>>>>
>>>>>
>>>>>      --
>>>>>      Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>>  Systems mailing list
>>>>>  Systems at lists.sugarlabs.org
>>>>>  http://lists.sugarlabs.org/listinfo/systems
>>>>>
>>>>
>>>>  --
>>>>  I+D SomosAzucar.Org
>>>>  "icarito" #somosazucar en Freenode IRC
>>>>  "Nadie libera a nadie, nadie se libera solo. Los seres humanos se liberan en
>>>>  comunión" - P. Freire
>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>