[Systems] Hacked content detected on http://www.sugarlabs.org/
Samuel Cantero
scanterog at gmail.com
Tue Oct 13 16:26:37 EDT 2015
Hello everyone,
I just recently erase all the unwanted images and the malicious php files
for www.slo.
The injected URLs [f*or ex: sugarlabs.org/index.php/cheap-canadian-viagra/
<http://sugarlabs.org/index.php/cheap-canadian-viagra/> or
sugarlabs.org/index.php/viagra <http://sugarlabs.org/index.php/viagra>*]
are not working anymore. Those URLs were generated with the head.php
script. The complete decoded code can be found here:
http://www.fpaste.org/278824/.
Also, the b374k-shell webshell is not working anymore. For the curious, it
looked like this: http://snag.gy/BmcA1.jpg
I've found similar php files in walterbender.org the other day. I replaced
the whole site for an uncompromised one.
Anyway, we still have to find how they did that and how can we protect our
server from this kind of exploit. It is not easy though. It can be a
security vulnerability on wordpress, some plugin or a permission problem.
Still pending to follow the CERT intruder detection checklist.
Regards,
On Tue, Oct 13, 2015 at 7:18 AM, Sam P. <sam at sam.today> wrote:
> I was just running ls -lsah on the root of www.slo, and it told me:
>
> * The spam (head.php) was last modified on Jun 23 13:56. I assume this is
> the creation date too.
> * head.php is owned by www-data. I assume this means that it came from
> php or apache?
> * index.php was modified 1 minute after head.php. It has a command to
> "include("head.php");"
> * every directory was modified within 2 minutes after the spam creation,
> including .git
> * eg. css/comnon.php base64 or something encoded php. Looks a
> different style to head.php, no use of regex, but IDK. It is a php
> webshell named b374k-shell version 2.8.
> * eg. assets/fs-login.php encoded php that is decoded using a regex.
> Prompts for a passoword, but no identifying stuff
> * There are also files called fedit.php Iicense.php (starting with
> cap. i) lndex.php (lower case L)
>
> Some files came before head.php, see
> http://www.fpaste.org/278658/47310741/
>
> Also, reviewing Walter's repo, I can't find a clean copy of the website,
> see https://github.com/walterbender/www-sugarlabs/issues/11 So hum,
> cleaning this will be fun!
>
> Thanks,
> Sam
>
> On Tue, Oct 13, 2015 at 12:35 PM, Samuel Cantero <scanterog at gmail.com>
> wrote:
>
>> I can't continue working on this today. Tomorrow I will try to search
>> related files. We can erase the suspicious files now but if we do not find
>> the root cause, it will happen again.
>>
>> Thanks James. I will google for it.
>>
>> On Mon, Oct 12, 2015 at 10:27 PM, James Cameron <quozl at laptop.org> wrote:
>>
>>> Sadly, I've done PHP. There were PHP vulnerabilities that can lead to
>>> site compromise if the www directory was writable by the apache processes
>>> that run PHP.
>>>
>>> Follow the CERT intruder detection checklist if you can.
>>>
>>> On 13/10/2015, at 12:01 PM, Samuel Cantero wrote:
>>>
>>> > Also, I've found the followings php files with suspicious code:
>>> >
>>> > /srv/www-sugarlabs/www/images/favicons/class.wp-date.php
>>> > /srv/www-sugarlabs/www/old/fedit.php
>>> > /srv/www-sugarlabs/www/old/Iicense.php
>>> > /srv/www-sugarlabs/www/scripts/fs-login.php
>>> > /srv/www-sugarlabs/www/xsl/fs-login.php
>>> > /srv/www-sugarlabs/www/.git/lndex.php
>>> > /srv/www-sugarlabs/www/cache/fedit.php
>>> > /srv/www-sugarlabs/www/cache/Iicense.php
>>> > /srv/www-sugarlabs/www/.cache.php
>>> >
>>> > In addition, some gzipped base64 encoded php using some hexadecimal
>>> character codes. This "fancy" code is executed via preg_replace with the e
>>> modifier.
>>> >
>>> > /srv/www-sugarlabs/www/images/Iicense.php
>>> > /srv/www-sugarlabs/www/press/Iicense.php
>>> > /srv/www-sugarlabs/www/xml/fedit.php
>>> > /srv/www-sugarlabs/www/head.php
>>> > /srv/www-sugarlabs/www/static/lndex.php
>>> > /srv/www-sugarlabs/www/assets/fs-login.php
>>> >
>>> > An expert in PHP here?
>>> >
>>> > This is just Sugar Labs web site. Maybe we have a lot of them in the
>>> entire /srv directory. I have to look for it.
>>> >
>>> > Regards,
>>> >
>>> > On Mon, Oct 12, 2015 at 9:03 PM, Samuel Cantero <scanterog at gmail.com>
>>> wrote:
>>> > Google is right. Our site has been hacked.
>>> >
>>> > One example: http://www.sugarlabs.org/images/
>>> >
>>> > There is a URL inyection:
>>> http://www.sugarlabs.org/index.php/cialis-10mg/
>>> >
>>> > I will try to find all URLs not belonging to our site and the root
>>> cause.
>>> >
>>> > Regards,
>>> >
>>> > On Mon, Oct 12, 2015 at 5:50 PM, Bernie Innocenti <bernie at codewiz.org>
>>> wrote:
>>> > Maybe all we need to do is click the reconsideration request link and
>>> see what happens.
>>> >
>>> > Feel free to take control of the domain if you want to see the Google
>>> webmaster console.
>>> >
>>> > On October 12, 2015 3:11:53 PM EDT, "Ignacio Rodríguez" <
>>> nachoel01 at gmail.com> wrote:
>>> > Is that updated?
>>> >
>>> > I remember to see some spam in sugarlabs.org (but it was Fixed).
>>> >
>>> > AS the email says, can we rfetch as Google? I mean, the tool for that-
>>> > Greetings,
>>> > Ignacio
>>> >
>>> > 2015-10-12 16:02 GMT, Sebastian Silva <sebastian at fuentelibre.org>:
>>> > I did a very quick look on the pages reported, and can't find anything
>>> > suspicious with them.
>>> >
>>> >
>>> > On 12/10/15 10:52, Samuel Cantero wrote:
>>> > I can check this later (in 8 hours). I am away from my laptop now. If
>>> > someone has found something please share the info.
>>> >
>>> > Regards,
>>> >
>>> > On Monday, 12 October 2015, Bernie Innocenti <bernie at codewiz.org
>>> >
>>> > <mailto:
>>> > bernie at codewiz.org>> wrote:
>>> >
>>> > Can someone look into this to see if our ancient website really is
>>> > serving "hacked" content?
>>> >
>>> >
>>> >
>>> > *From:* Google Search Console Team <sc-noreply at google.com
>>> > <javascript:_e(%7B%7D,'cvml','sc-noreply at google.com');>>
>>> > *Sent:* October 6, 2015 5:47:40 PM EDT
>>> > *To:* bernie.codewiz at gmail.com
>>> > <javascript:_e(%7B%7D,'cvml','bernie.codewiz at gmail.com');>
>>> > *Subject:* Hacked content detected on http://www.sugarlabs.org/
>>> >
>>> > Message type: [WNC-633200]
>>> > Search Console
>>> >
>>> > Hacked content detected on http://www.sugarlabs.org/
>>> >
>>> > To: Webmaster of http://www.sugarlabs.org/,
>>> >
>>> > Google has detected that your site has been hacked by a third
>>> > party who created
>>> > malicious content on some of your pages. This
>>> >
>>> > critical issue utilizes your site’s reputation to show potential
>>> > visitors unexpected or harmful content on your site or in search
>>> > results. It also lowers the quality of results for Google Search
>>> > users. Therefore, we have applied a manual action to your site
>>> > that will warn users of hacked content when your site appears in
>>> > search results. To remove this warning, clean up the hacked
>>> > content, and file a reconsideration request. After we determine
>>> > that your site no longer has hacked content, we will remove this
>>> > manual action.
>>> >
>>> > Following are some example URLs where we found pages that have
>>> > been compromised. Review them to gain a better sense of where this
>>> > hacked content appears. The list is not exhaustive.
>>> >
>>> > http://git.sugarlabs.org/python-xkb/mainline/commits/35bdff6
>>> >
>>> > http://meeting.sugarlabs.org/publiclab/meetings
>>> >
>>> > http://meeting.sugarlabs.org/sugar-meeting/2015-06-07
>>> >
>>> >
>>> > Here’s how to fix this problem:
>>> >
>>> > 1
>>> >
>>> > Check Security Issues for details of the hack
>>> >
>>> > Use the examples provided in the Security Issues report of Search
>>> > Console to get an initial sample of hacked pages.
>>> >
>>> >
>>> > Security Issues
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/kVgkGZKCN3DzN06od04KKAtZ0MELd5xT3j6zpU-JXhXWycXm6bg2W2xxZcBHQshGY9Dbo6BoOE6t4b1qxyCKXO2Q-JbiMgnsBSipGOHR246wqlLQhLLeM2-Pn6UVjijAxh4IQbS8msvmyuCEhUM7SaaWo_iSJfqhdrGgwaX47_mqJlPAYaytPzxHn_TzI8idMH-b6vmj470TW8hQl-j2jruE55uGYSy_3fwvNKAOjSLNHJ11QWPMjSaVMX4IpasNLfbmYxP5PZW_0mGwbkoWtSMNVe3Mq7WU
>>> >
>>> >
>>> > 2
>>> >
>>> > Look for other compromised pages or files on your site
>>> >
>>> > Be sure to check your entire site, including the homepage, for any
>>> > unfamiliar content that could have been added. The malicious code
>>> > might be placed in HTML, JavaScript, or other files on your site.
>>> > It can also be hidden in places you might overlook, such as server
>>> > configuration files (e.g. .htaccess file) or other dynamic
>>> > scripting pages (e.g. PHP, JSP). It’s important to be thorough in
>>> > your investigation.
>>> >
>>> > 3
>>> >
>>> > Use the Fetch as Google tool to isolate the malicious content
>>> >
>>> > Because some pages can appear one way to a user and another way to
>>> > Google crawlers, you can use the Fetch as Google tool to reveal
>>> > some kinds of hacking. Enter URLs from your site in the tool to
>>> > see the pages as Google sees them. If the page has hidden hacked
>>> > content, the tool can reveal that content.
>>> >
>>> >
>>> > Fetch as Google
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/I3Dm05ZvmwWJtGtmHNGyYK86h2nzUYGDM-1dIVEnmSHrHs0N84tDyBfUA5iDb72j6B-yiwNg-OrBO0P0PQbrU3v8R5tcVAdzYMv3OpcObaRWw6HuB_hF_vBUQ0wZEYtCIbe16MSxBLicOuFq6SP20C3-AbQorJKlU227T3AeC21nVaTf-KFMOvGO-OFQMdU8_Rthc-UT-ZB7e9_xKK8fusESgfkMAlFFnhedw1Mmy6z-7H7n_sA47L5Kf5TfpXQWf4tNFKZzfwYoKnY8NFJkNqyEOVpVQkAX
>>> >
>>> >
>>> > 4
>>> >
>>> > Remove all malicious content
>>> >
>>> > You can also contact your hosting provider and ask them for
>>> > assistance. If you’re having trouble identifying and removing all
>>> > the content on your site that is compromised, consider restoring
>>> > an older backed-up
>>> > version of your site.
>>> >
>>> >
>>> > 5
>>> >
>>> > Secure your site from any future attacks
>>> >
>>> > Identify and fix vulnerabilities that caused your site to be
>>> > compromised. Change passwords for administrative accounts.
>>> > Consider contacting your hosting service to get help with the
>>> issue.
>>> >
>>> > 6
>>> >
>>> > Submit a reconsideration request
>>> >
>>> > Once you fix your site, file for reconsideration to remove this
>>> > manual action. Include any details or documentation that can help
>>> > us understand the changes made to your site.
>>> >
>>> >
>>> > Reconsideration Request
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/mkMChrLY5uOSnnaQ5gbTAFDfGwF9b6RURLy_mBu1favZezzi13VSZPX07YO4eT4qaxKtQQFbGwR5lgEHDrnmLOaVzvClgPw3zw4P5NW1tQCDpPfXWL3li5UfVcsWLvABq0-kSdP0RwG3S-icgEz1HOe4fAssqjSSFWSwdgGpDcsqBZK8h8zWXqgHmAnfU3-a93zxp54EiQASOsPPnMSvqx8oBIco-F5o-Ro4Da3xmZU6HpjdwyGPq_PYyPJ1utqx1VNivc0ptczU9Ga6kc6x_HzwsjXAtvwTwFDuzAqE
>>> >
>>> >
>>> >
>>> >
>>> > Need more help?
>>> >
>>> > • Read our guide for hacked sites
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/IV-1opuTX8iamyLtoalATOnDHD7nAlmgL8CVzxJazsopWNGnaydlADoMVjEnxX6PPmcoakoeoAI_pi9Fr94XUsVcDgZ_5t0jCV4eFMo3ehPi0RqjmdUphK8AeWrRaiNuPE-G8mLJo_0ZxqlIaNYBxdHxDhw9idMBli6GQxEjRhkJdZHPB7crjABDHO7pW3yIGDi2MuVI09y1bKc7QlGI6OTxGFTLmpQsLxGTCflqCA==
>>> >.
>>> >
>>> > • Learn how to use the Fetch as Google
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/9Ir-Bt-67WRNvKE9owMrZLp8oZJ1HImuPu4xcaEPRb0JtnzPu6aTmg2CUheZmi-tuwqORJVIvjiPKkndT4yNd0YpPysKDsWv32eQNwCtJ4If7XJl13TyrO9HotNhwd7K9lpUYNvbMjVNl7nYSBHZ7AP4nWHNjelPl4jlZIRAMWdMtDDlsvyDT79bBAs83a7NjBY2D8FnVFd5b7MV3B4prCLse477PGMw_ADsoybItKdyR1bpPjsQ288=
>>> >
>>> > tool in our Help Center.
>>> > • Learn more about reconsideration requests
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/aQ8PKvfwLMXzVU_Y2JKYswOlSi_DMZlgJxl_1pKoECDrfGb2bMv7ktikhnlpXYFo5pFod5pV_5MID2lXxPnG8JXg2IT2QK4EEHFK5CKy_jEld6vmacZzTy5qkLiQ_KXYEpR3IHJRXl_5bAzuInboteGdP3kowTaHbH0k5_KGdQ-7x_7Uc9S6ZuON2GRJgf_l7VBFlCpYx63dthhREfGl3aJAmrrd5B12fcQXpUS-XivElQ5E4tuW7TZJ6-2t
>>> >
>>> > in our Help Center.
>>> > • Ask questions in our forum
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/ciVSXy1Lws4CbKwqiPW7Vh6w0QYywSigyhOIHLlIjWP3nj6-NftgW0tj9Q7pqbfedTFBQzUv2xyKSI6xfNA58JuQX50x7h1ytUIKOkQiKXj_ERqHQ2gb03stUwFcck5XtNQmsaC97h1gYDzzEc9Znv0rvIn8yn7rZTLHocA63VlvS7nA4uEpsVVNhe_z53A40yKJiZ6MjC4w-CPfWa_U9yssivxOXqpB3412s9ovXag888rv1S221MwGu1kHRZrF
>>> >
>>> > for more help - mention message type [WNC-633200].
>>> >
>>> > Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 |
>>> > Unsubscribe
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/nD7NcGKMjSxCRFdqrYmqkL7hvzslENpmCZMgpewUjQhJa8Y3IGhAn89ccuRCUkWOuTf5YyzJCYxX0gomovUPNbNSks2EX6CeQsbJ3U39wrbENLoAoJgF2YmZ6NdumTzBxHR3erjkR92y7Fv7QpLly4IS93wNFYQYYOGhysjJLJ60gwhvItjpmW6p-A==
>>> >
>>> > Add partners
>>> >
>>> > <
>>> https://www.google.com/appserve/mkt/p/qTjtKM7FKDMWcpoZIrRbnRQOfhxVo6TyQct8JuQPryv-Ov_yf7iqFkiNR_wU8HLKO5ksfov9m5IVJki2NB0YDH1Jm-7KEXDMHFkAFu5ka67xYh1d1SL3hT0VuzTq99m4jFvLm0xQr0nTwz6TDTOBbeZKywq9JWpM_2HXJJrI8CgyO7_rdp7TIPdbc3kzCzJGA_xOBL-ktb1uoJAcHmk-FIJhuDu91iioHwpjGAC3o0WN06RKsDkeHjzQ2mDV_0ksYVzhx4V3yyoc-I8MQ0QvuBWU_aKms694WJmI_Q==
>>> >who
>>> > should receive messages for this Search Console account.
>>> >
>>> >
>>> > --
>>> > Sent from my Android device with K-9 Mail. Please excuse my
>>> brevity.
>>> >
>>> >
>>> >
>>> >
>>> > Systems mailing list
>>> > Systems at lists.sugarlabs.org
>>> > http://lists.sugarlabs.org/listinfo/systems
>>> >
>>> > --
>>> > I+D SomosAzucar.Org
>>> > "icarito" #somosazucar en Freenode IRC
>>> > "Nadie libera a nadie, nadie se libera solo. Los seres humanos se
>>> liberan en
>>> > comunión" - P. Freire
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>> >
>>> >
>>> > _______________________________________________
>>> > Systems mailing list
>>> > Systems at lists.sugarlabs.org
>>> > http://lists.sugarlabs.org/listinfo/systems
>>>
>>>
>>
>> _______________________________________________
>> Systems mailing list
>> Systems at lists.sugarlabs.org
>> http://lists.sugarlabs.org/listinfo/systems
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/private/systems/attachments/20151013/74b5680c/attachment.html>
More information about the Systems
mailing list