[Systems] Hacked content detected on http://www.sugarlabs.org/

James Cameron quozl at laptop.org
Mon Oct 12 21:27:44 EDT 2015


Sadly, I've done PHP.  There were PHP vulnerabilities that can lead to site compromise if the www directory was writable by the apache processes that run PHP.

Follow the CERT intruder detection checklist if you can.

On 13/10/2015, at 12:01 PM, Samuel Cantero wrote:

> Also, I've found the following php files with suspicious code:
> 
> /srv/www-sugarlabs/www/images/favicons/class.wp-date.php
> /srv/www-sugarlabs/www/old/fedit.php
> /srv/www-sugarlabs/www/old/Iicense.php
> /srv/www-sugarlabs/www/scripts/fs-login.php
> /srv/www-sugarlabs/www/xsl/fs-login.php
> /srv/www-sugarlabs/www/.git/lndex.php
> /srv/www-sugarlabs/www/cache/fedit.php
> /srv/www-sugarlabs/www/cache/Iicense.php
> /srv/www-sugarlabs/www/.cache.php
> 
> In addition, some gzipped, base64-encoded php using some hexadecimal character codes. This "fancy" code is executed via preg_replace with the e modifier.
> 
> /srv/www-sugarlabs/www/images/Iicense.php
> /srv/www-sugarlabs/www/press/Iicense.php
> /srv/www-sugarlabs/www/xml/fedit.php
> /srv/www-sugarlabs/www/head.php
> /srv/www-sugarlabs/www/static/lndex.php
> /srv/www-sugarlabs/www/assets/fs-login.php
> 
> An expert in PHP here?
> 
> This is just the Sugar Labs web site. Maybe we have a lot of them in the entire /srv directory. I have to look for it.
> 
> Regards,
> 
> On Mon, Oct 12, 2015 at 9:03 PM, Samuel Cantero <scanterog at gmail.com> wrote:
> Google is right. Our site has been hacked.
> 
> One example: http://www.sugarlabs.org/images/
> 
> There is a URL injection: http://www.sugarlabs.org/index.php/cialis-10mg/
> 
> I will try to find all URLs not belonging to our site and the root cause.
> 
> Regards,
> 
> On Mon, Oct 12, 2015 at 5:50 PM, Bernie Innocenti <bernie at codewiz.org> wrote:
> Maybe all we need to do is click the reconsideration request link and see what happens.
> 
> Feel free to take control of the domain if you want to see the Google webmaster console.
> 
> On October 12, 2015 3:11:53 PM EDT, "Ignacio Rodríguez" <nachoel01 at gmail.com> wrote:
> Is that updated?
> 
> I remember seeing some spam on sugarlabs.org (but it was fixed).
> 
> As the email says, can we fetch as Google? I mean, the tool for that.
> Greetings,
> Ignacio
> 
> 2015-10-12 16:02 GMT, Sebastian Silva <sebastian at fuentelibre.org>:
>  I did a very quick look on the pages reported, and can't find anything
>  suspicious with them.
> 
> 
>  On 12/10/15 10:52, Samuel Cantero wrote:
>  I can check this later (in 8 hours). I am away from my laptop now. If
>  someone has found something please share the info.
> 
>  Regards,
> 
>  On Monday, 12 October 2015, Bernie Innocenti <bernie at codewiz.org> wrote:
> 
>      Can someone look into this to see if our ancient website really is
>      serving "hacked" content?
> 
> 
> 
>      *From:* Google Search Console Team <sc-noreply at google.com>
>      *Sent:* October 6, 2015 5:47:40 PM EDT
>      *To:* bernie.codewiz at gmail.com
>      *Subject:* Hacked content detected on http://www.sugarlabs.org/
> 
>      Message type: [WNC-633200]
>      Search Console
> 
>      Hacked content detected on http://www.sugarlabs.org/
> 
>      To: Webmaster of http://www.sugarlabs.org/,
> 
>      Google has detected that your site has been hacked by a third
>      party who created malicious content on some of your pages. This
>      critical issue utilizes your site’s reputation to show potential
>      visitors unexpected or harmful content on your site or in search
>      results. It also lowers the quality of results for Google Search
>      users. Therefore, we have applied a manual action to your site
>      that will warn users of hacked content when your site appears in
>      search results. To remove this warning, clean up the hacked
>      content, and file a reconsideration request. After we determine
>      that your site no longer has hacked content, we will remove this
>      manual action.
> 
>      Following are some example URLs where we found pages that have
>      been compromised. Review them to gain a better sense of where this
>      hacked content appears. The list is not exhaustive.
> 
>      http://git.sugarlabs.org/python-xkb/mainline/commits/35bdff6
> 
>      http://meeting.sugarlabs.org/publiclab/meetings
> 
>      http://meeting.sugarlabs.org/sugar-meeting/2015-06-07
> 
> 
>      Here’s how to fix this problem:
> 
>      1. Check Security Issues for details of the hack
> 
>      Use the examples provided in the Security Issues report of Search
>      Console to get an initial sample of hacked pages.
> 
> 
>      2. Look for other compromised pages or files on your site
> 
>      Be sure to check your entire site, including the homepage, for any
>      unfamiliar content that could have been added. The malicious code
>      might be placed in HTML, JavaScript, or other files on your site.
>      It can also be hidden in places you might overlook, such as server
>      configuration files (e.g. .htaccess file) or other dynamic
>      scripting pages (e.g. PHP, JSP). It’s important to be thorough in
>      your investigation.
> 
>      3. Use the Fetch as Google tool to isolate the malicious content
> 
>      Because some pages can appear one way to a user and another way to
>      Google crawlers, you can use the Fetch as Google tool to reveal
>      some kinds of hacking. Enter URLs from your site in the tool to
>      see the pages as Google sees them. If the page has hidden hacked
>      content, the tool can reveal that content.
> 
> 
>      4. Remove all malicious content
> 
>      You can also contact your hosting provider and ask them for
>      assistance. If you’re having trouble identifying and removing all
>      the content on your site that is compromised, consider restoring
>      an older backed-up version of your site.
> 
> 
>      5. Secure your site from any future attacks
> 
>      Identify and fix vulnerabilities that caused your site to be
>      compromised. Change passwords for administrative accounts.
>      Consider contacting your hosting service to get help with the issue.
> 
>      6. Submit a reconsideration request
> 
>      Once you fix your site, file for reconsideration to remove this
>      manual action. Include any details or documentation that can help
>      us understand the changes made to your site.
> 
> 
> 
> 
>            Need more help?
> 
>      •  Read our guide for hacked sites.
> 
>      •  Learn how to use the Fetch as Google tool in our Help Center.
>      •  Learn more about reconsideration requests in our Help Center.
>      •  Ask questions in our forum for more help - mention message type [WNC-633200].
> 
>      Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 |
>      Unsubscribe | Add partners who should receive messages for this
>      Search Console account.
> 
> 
>      --
>      Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> 
> 
> 
>  Systems mailing list
>  Systems at lists.sugarlabs.org
>  http://lists.sugarlabs.org/listinfo/systems
> 
>  --
>  I+D SomosAzucar.Org
>  "icarito" #somosazucar en Freenode IRC
>  "Nobody liberates anybody, nobody liberates themselves alone. Human beings liberate
>  themselves in communion" - P. Freire
> 
> 
> 
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> 
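As an added example, not code from anyone in this thread, the following triage script looks for the indicators Samuel Cantero describes (preg_replace with the e modifier, gzipped and base64-encoded payloads, hexadecimal character codes) and for the condition James Cameron raises (PHP files that the apache user could have written). The web root, the web-server user name and the indicator labels are assumptions; hits are leads to review by hand, not proof of compromise.

```shell
#!/bin/sh
# Added triage example for a PHP web root; not code from the mailing list.
# Indicator labels, paths and the web-server user name are assumptions.

# Print "indicator<TAB>path" for every PHP file under $1 matching one of the
# heuristics below. Each is a hint for manual review, not a verdict.
scan_php_indicators() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        # a pattern string whose modifiers end in e, e.g. "/.*/e" (modifier removed in PHP 7)
        grep -Eq "preg_replace.*/[a-zA-Z]*e['\"]" "$f" && printf 'preg_replace_e\t%s\n' "$f"
        grep -Eq 'gz(inflate|uncompress|decode)[[:space:]]*\(' "$f" && printf 'gzip_payload\t%s\n' "$f"
        grep -Eq 'base64_decode[[:space:]]*\(' "$f" && printf 'base64_payload\t%s\n' "$f"
        # four or more consecutive \xNN escapes: the "hexadecimal character codes"
        grep -Eq '(\\x[0-9a-fA-F]{2}){4,}' "$f" && printf 'hex_escapes\t%s\n' "$f"
        grep -Eq 'eval[[:space:]]*\(' "$f" && printf 'eval\t%s\n' "$f"
    done | sort
}

# Print PHP files under $1 owned by the web-server user ($2, name or uid) and
# directories that user can write to. In a sane deployment the web user owns
# no PHP source, so hits are places a compromised apache process could have
# dropped files (cache/, images/, .git/ in the thread).
scan_webuser_writable() {
    find "$1" -type f -name '*.php' -user "$2" -exec printf 'owned_by_webuser\t%s\n' {} \;
    find "$1" -type d \( -user "$2" -perm -u+w -o -perm -o+w \) \
        -exec printf 'writable_dir\t%s\n' {} \;
}

# Usage (assumed paths): sh triage.sh /srv/www-sugarlabs/www www-data
if [ $# -ge 1 ]; then
    scan_php_indicators "$1"
    scan_webuser_writable "$1" "${2:-www-data}"
fi
```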


