[Systems] Hacked content detected on http://www.sugarlabs.org/

Bernie Innocenti bernie at codewiz.org
Tue Oct 13 16:49:42 EDT 2015


How about replacing this old and insecure website?

If the new one isn't ready yet, we could temporarily serve a minimalistic page with the SL logo and a few links to the main resources. A bit like the Google home page...

On October 13, 2015 4:26:37 PM EDT, Samuel Cantero <scanterog at gmail.com> wrote:
>Hello everyone,
>
>I just recently erase all the unwanted images and the malicious php
>files
>for www.slo.
>
>The injected URLs [f*or ex:
>sugarlabs.org/index.php/cheap-canadian-viagra/
><http://sugarlabs.org/index.php/cheap-canadian-viagra/> or
>sugarlabs.org/index.php/viagra
><http://sugarlabs.org/index.php/viagra>*]
>are not working anymore. Those URLs were generated with the head.php
>script. The complete decoded code can be found here:
>http://www.fpaste.org/278824/.
>
>Also, the b374k-shell webshell is not working anymore. For the curious,
>it
>looked like this: http://snag.gy/BmcA1.jpg
>
>I've found similar php files in walterbender.org the other day. I
>replaced
>the whole site for an uncompromised one.
>
>Anyway, we still have to find how they did that and how can we protect
>our
>server from this kind of exploit. It is not easy though. It can be a
>security vulnerability on wordpress, some plugin or a permission
>problem.
>
>Still pending to follow the CERT intruder detection checklist.
>
>Regards,
>
>
>
>On Tue, Oct 13, 2015 at 7:18 AM, Sam P. <sam at sam.today> wrote:
>
>> I was just running ls -lsah on the root of www.slo, and it told me:
>>
>> * The spam (head.php) was last modified on Jun 23 13:56.  I assume
>this is
>> the creation date too.
>> * head.php is owned by www-data.  I assume this means that it came
>from
>> php or apache?
>> * index.php was modified 1 minute after head.php.  It has a command
>to
>> "include("head.php");"
>> * every directory was modified within 2 minutes after the spam
>creation,
>> including .git
>>     * eg. css/comnon.php base64 or something encoded php.  Looks a
>> different style to head.php, no use of regex, but IDK.  It is a php
>> webshell named b374k-shell version 2.8.
>>     * eg. assets/fs-login.php encoded php that is decoded using a
>regex.
>> Prompts for a passoword, but no identifying stuff
>>     * There are also files called fedit.php Iicense.php (starting
>with
>> cap. i) lndex.php (lower case L)
>>
>> Some files came before head.php, see
>> http://www.fpaste.org/278658/47310741/
>>
>> Also, reviewing Walter's repo, I can't find a clean copy of the
>website,
>> see https://github.com/walterbender/www-sugarlabs/issues/11  So hum,
>> cleaning this will be fun!
>>
>> Thanks,
>> Sam
>>
>> On Tue, Oct 13, 2015 at 12:35 PM, Samuel Cantero
><scanterog at gmail.com>
>> wrote:
>>
>>> I can't continue working on this today. Tomorrow I will try to
>search
>>> related files. We can erase the suspicious files now but if we do
>not find
>>> the root cause, it will happen again.
>>>
>>> Thanks James. I will google for it.
>>>
>>> On Mon, Oct 12, 2015 at 10:27 PM, James Cameron <quozl at laptop.org>
>wrote:
>>>
>>>> Sadly, I've done PHP.  There were PHP vulnerabilities that can lead
>to
>>>> site compromise if the www directory was writable by the apache
>processes
>>>> that run PHP.
>>>>
>>>> Follow the CERT intruder detection checklist if you can.
>>>>
>>>> On 13/10/2015, at 12:01 PM, Samuel Cantero wrote:
>>>>
>>>> > Also, I've found the followings php files with suspicious code:
>>>> >
>>>> > /srv/www-sugarlabs/www/images/favicons/class.wp-date.php
>>>> > /srv/www-sugarlabs/www/old/fedit.php
>>>> > /srv/www-sugarlabs/www/old/Iicense.php
>>>> > /srv/www-sugarlabs/www/scripts/fs-login.php
>>>> > /srv/www-sugarlabs/www/xsl/fs-login.php
>>>> > /srv/www-sugarlabs/www/.git/lndex.php
>>>> > /srv/www-sugarlabs/www/cache/fedit.php
>>>> > /srv/www-sugarlabs/www/cache/Iicense.php
>>>> > /srv/www-sugarlabs/www/.cache.php
>>>> >
>>>> > In addition, some gzipped base64 encoded php using some
>hexadecimal
>>>> character codes. This "fancy" code is executed via preg_replace
>with the e
>>>> modifier.
>>>> >
>>>> > /srv/www-sugarlabs/www/images/Iicense.php
>>>> > /srv/www-sugarlabs/www/press/Iicense.php
>>>> > /srv/www-sugarlabs/www/xml/fedit.php
>>>> > /srv/www-sugarlabs/www/head.php
>>>> > /srv/www-sugarlabs/www/static/lndex.php
>>>> > /srv/www-sugarlabs/www/assets/fs-login.php
>>>> >
>>>> > An expert in PHP here?
>>>> >
>>>> > This is just Sugar Labs web site. Maybe we have a lot of them in
>the
>>>> entire /srv directory. I have to look for it.
>>>> >
>>>> > Regards,
>>>> >
>>>> > On Mon, Oct 12, 2015 at 9:03 PM, Samuel Cantero
><scanterog at gmail.com>
>>>> wrote:
>>>> > Google is right. Our site has been hacked.
>>>> >
>>>> > One example: http://www.sugarlabs.org/images/
>>>> >
>>>> > There is a URL inyection:
>>>> http://www.sugarlabs.org/index.php/cialis-10mg/
>>>> >
>>>> > I will try to find all URLs not belonging to our site and the
>root
>>>> cause.
>>>> >
>>>> > Regards,
>>>> >
>>>> > On Mon, Oct 12, 2015 at 5:50 PM, Bernie Innocenti
><bernie at codewiz.org>
>>>> wrote:
>>>> > Maybe all we need to do is click the reconsideration request link
>and
>>>> see what happens.
>>>> >
>>>> > Feel free to take control of the domain if you want to see the
>Google
>>>> webmaster console.
>>>> >
>>>> > On October 12, 2015 3:11:53 PM EDT, "Ignacio Rodríguez" <
>>>> nachoel01 at gmail.com> wrote:
>>>> > Is that updated?
>>>> >
>>>> > I remember to see some spam in sugarlabs.org (but it was Fixed).
>>>> >
>>>> > AS the email says, can we rfetch as Google?  I mean, the tool for
>that-
>>>> > Greetings,
>>>> > Ignacio
>>>> >
>>>> > 2015-10-12 16:02 GMT, Sebastian Silva
><sebastian at fuentelibre.org>:
>>>> >  I did a very quick look on the pages reported, and can't find
>anything
>>>> >  suspicious with them.
>>>> >
>>>> >
>>>> >  On 12/10/15 10:52, Samuel Cantero wrote:
>>>> >  I can check this later (in 8 hours). I am away from my laptop
>now. If
>>>> >  someone has found something please share the info.
>>>> >
>>>> >  Regards,
>>>> >
>>>> >  On Monday, 12 October 2015, Bernie Innocenti <bernie at codewiz.org
>>>> >
>>>> > <mailto:
>>>> > bernie at codewiz.org>> wrote:
>>>> >
>>>> >      Can someone look into this to see if our ancient website
>really is
>>>> >      serving "hacked" content?
>>>> >
>>>> >
>>>> >
>>>> >      *From:* Google Search Console Team <sc-noreply at google.com
>>>> >      <javascript:_e(%7B%7D,'cvml','sc-noreply at google.com');>>
>>>> >      *Sent:* October 6, 2015 5:47:40 PM EDT
>>>> >      *To:* bernie.codewiz at gmail.com
>>>> >      <javascript:_e(%7B%7D,'cvml','bernie.codewiz at gmail.com');>
>>>> >      *Subject:* Hacked content detected on
>http://www.sugarlabs.org/
>>>> >
>>>> >      Message type: [WNC-633200]
>>>> >      Search Console
>>>> >
>>>> >      Hacked content detected on http://www.sugarlabs.org/
>>>> >
>>>> >      To: Webmaster of http://www.sugarlabs.org/,
>>>> >
>>>> >      Google has detected that your site has been hacked by a
>third
>>>> >      party who created
>>>> > malicious content on some of your pages. This
>>>> >
>>>> >      critical issue utilizes your site’s reputation to show
>potential
>>>> >      visitors unexpected or harmful content on your site or in
>search
>>>> >      results. It also lowers the quality of results for Google
>Search
>>>> >      users. Therefore, we have applied a manual action to your
>site
>>>> >      that will warn users of hacked content when your site
>appears in
>>>> >      search results. To remove this warning, clean up the hacked
>>>> >      content, and file a reconsideration request. After we
>determine
>>>> >      that your site no longer has hacked content, we will remove
>this
>>>> >      manual action.
>>>> >
>>>> >      Following are some example URLs where we found pages that
>have
>>>> >      been compromised. Review them to gain a better sense of
>where this
>>>> >      hacked content appears. The list is not exhaustive.
>>>> >
>>>> >      http://git.sugarlabs.org/python-xkb/mainline/commits/35bdff6
>>>> >
>>>> >      http://meeting.sugarlabs.org/publiclab/meetings
>>>> >
>>>> >      http://meeting.sugarlabs.org/sugar-meeting/2015-06-07
>>>> >
>>>> >
>>>> >          Here’s how to fix this problem:
>>>> >
>>>> >      1
>>>> >
>>>> >      Check Security Issues for details of the hack
>>>> >
>>>> >      Use the examples provided in the Security Issues report of
>Search
>>>> >      Console to get an initial sample of hacked pages.
>>>> >
>>>> >
>>>> >      Security Issues
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/kVgkGZKCN3DzN06od04KKAtZ0MELd5xT3j6zpU-JXhXWycXm6bg2W2xxZcBHQshGY9Dbo6BoOE6t4b1qxyCKXO2Q-JbiMgnsBSipGOHR246wqlLQhLLeM2-Pn6UVjijAxh4IQbS8msvmyuCEhUM7SaaWo_iSJfqhdrGgwaX47_mqJlPAYaytPzxHn_TzI8idMH-b6vmj470TW8hQl-j2jruE55uGYSy_3fwvNKAOjSLNHJ11QWPMjSaVMX4IpasNLfbmYxP5PZW_0mGwbkoWtSMNVe3Mq7WU
>>>> >
>>>> >
>>>> >      2
>>>> >
>>>> >      Look for other compromised pages or files on your site
>>>> >
>>>> >      Be sure to check your entire site, including the homepage,
>for any
>>>> >      unfamiliar content that could have been added. The malicious
>code
>>>> >      might be placed in HTML, JavaScript, or other files on your
>site.
>>>> >      It can also be hidden in places you might overlook, such as
>server
>>>> >      configuration files (e.g. .htaccess file) or other dynamic
>>>> >      scripting pages (e.g. PHP, JSP). It’s important to be
>thorough in
>>>> >      your investigation.
>>>> >
>>>> >      3
>>>> >
>>>> >      Use the Fetch as Google tool to isolate the malicious
>content
>>>> >
>>>> >      Because some pages can appear one way to a user and another
>way to
>>>> >      Google crawlers, you can use the Fetch as Google tool to
>reveal
>>>> >      some kinds of hacking. Enter URLs from your site in the tool
>to
>>>> >      see the pages as Google sees them. If the page has hidden
>hacked
>>>> >      content, the tool can reveal that content.
>>>> >
>>>> >
>>>> >      Fetch as Google
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/I3Dm05ZvmwWJtGtmHNGyYK86h2nzUYGDM-1dIVEnmSHrHs0N84tDyBfUA5iDb72j6B-yiwNg-OrBO0P0PQbrU3v8R5tcVAdzYMv3OpcObaRWw6HuB_hF_vBUQ0wZEYtCIbe16MSxBLicOuFq6SP20C3-AbQorJKlU227T3AeC21nVaTf-KFMOvGO-OFQMdU8_Rthc-UT-ZB7e9_xKK8fusESgfkMAlFFnhedw1Mmy6z-7H7n_sA47L5Kf5TfpXQWf4tNFKZzfwYoKnY8NFJkNqyEOVpVQkAX
>>>> >
>>>> >
>>>> >      4
>>>> >
>>>> >      Remove all malicious content
>>>> >
>>>> >      You can also contact your hosting provider and ask them for
>>>> >      assistance. If you’re having trouble identifying and
>removing all
>>>> >      the content on your site that is compromised, consider
>restoring
>>>> >      an older backed-up
>>>> > version of your site.
>>>> >
>>>> >
>>>> >      5
>>>> >
>>>> >      Secure your site from any future attacks
>>>> >
>>>> >      Identify and fix vulnerabilities that caused your site to be
>>>> >      compromised. Change passwords for administrative accounts.
>>>> >      Consider contacting your hosting service to get help with
>the
>>>> issue.
>>>> >
>>>> >      6
>>>> >
>>>> >      Submit a reconsideration request
>>>> >
>>>> >      Once you fix your site, file for reconsideration to remove
>this
>>>> >      manual action. Include any details or documentation that can
>help
>>>> >      us understand the changes made to your site.
>>>> >
>>>> >
>>>> >      Reconsideration Request
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/mkMChrLY5uOSnnaQ5gbTAFDfGwF9b6RURLy_mBu1favZezzi13VSZPX07YO4eT4qaxKtQQFbGwR5lgEHDrnmLOaVzvClgPw3zw4P5NW1tQCDpPfXWL3li5UfVcsWLvABq0-kSdP0RwG3S-icgEz1HOe4fAssqjSSFWSwdgGpDcsqBZK8h8zWXqgHmAnfU3-a93zxp54EiQASOsPPnMSvqx8oBIco-F5o-Ro4Da3xmZU6HpjdwyGPq_PYyPJ1utqx1VNivc0ptczU9Ga6kc6x_HzwsjXAtvwTwFDuzAqE
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >            Need more help?
>>>> >
>>>> >      •  Read our guide for hacked sites
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/IV-1opuTX8iamyLtoalATOnDHD7nAlmgL8CVzxJazsopWNGnaydlADoMVjEnxX6PPmcoakoeoAI_pi9Fr94XUsVcDgZ_5t0jCV4eFMo3ehPi0RqjmdUphK8AeWrRaiNuPE-G8mLJo_0ZxqlIaNYBxdHxDhw9idMBli6GQxEjRhkJdZHPB7crjABDHO7pW3yIGDi2MuVI09y1bKc7QlGI6OTxGFTLmpQsLxGTCflqCA==
>>>> >.
>>>> >
>>>> >      •  Learn how to use the Fetch as Google
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/9Ir-Bt-67WRNvKE9owMrZLp8oZJ1HImuPu4xcaEPRb0JtnzPu6aTmg2CUheZmi-tuwqORJVIvjiPKkndT4yNd0YpPysKDsWv32eQNwCtJ4If7XJl13TyrO9HotNhwd7K9lpUYNvbMjVNl7nYSBHZ7AP4nWHNjelPl4jlZIRAMWdMtDDlsvyDT79bBAs83a7NjBY2D8FnVFd5b7MV3B4prCLse477PGMw_ADsoybItKdyR1bpPjsQ288=
>>>> >
>>>> >      tool in our Help Center.
>>>> >      •  Learn more about reconsideration requests
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/aQ8PKvfwLMXzVU_Y2JKYswOlSi_DMZlgJxl_1pKoECDrfGb2bMv7ktikhnlpXYFo5pFod5pV_5MID2lXxPnG8JXg2IT2QK4EEHFK5CKy_jEld6vmacZzTy5qkLiQ_KXYEpR3IHJRXl_5bAzuInboteGdP3kowTaHbH0k5_KGdQ-7x_7Uc9S6ZuON2GRJgf_l7VBFlCpYx63dthhREfGl3aJAmrrd5B12fcQXpUS-XivElQ5E4tuW7TZJ6-2t
>>>> >
>>>> >      in our Help Center.
>>>> >      •  Ask questions in our forum
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/ciVSXy1Lws4CbKwqiPW7Vh6w0QYywSigyhOIHLlIjWP3nj6-NftgW0tj9Q7pqbfedTFBQzUv2xyKSI6xfNA58JuQX50x7h1ytUIKOkQiKXj_ERqHQ2gb03stUwFcck5XtNQmsaC97h1gYDzzEc9Znv0rvIn8yn7rZTLHocA63VlvS7nA4uEpsVVNhe_z53A40yKJiZ6MjC4w-CPfWa_U9yssivxOXqpB3412s9ovXag888rv1S221MwGu1kHRZrF
>>>> >
>>>> >      for more help - mention message type [WNC-633200].
>>>> >
>>>> >      Google Inc. 1600 Amphitheatre Parkway Mountain View, CA
>94043 |
>>>> >      Unsubscribe
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/nD7NcGKMjSxCRFdqrYmqkL7hvzslENpmCZMgpewUjQhJa8Y3IGhAn89ccuRCUkWOuTf5YyzJCYxX0gomovUPNbNSks2EX6CeQsbJ3U39wrbENLoAoJgF2YmZ6NdumTzBxHR3erjkR92y7Fv7QpLly4IS93wNFYQYYOGhysjJLJ60gwhvItjpmW6p-A==
>>>> >
>>>> >      Add partners
>>>> >
>>>> >  <
>>>>
>https://www.google.com/appserve/mkt/p/qTjtKM7FKDMWcpoZIrRbnRQOfhxVo6TyQct8JuQPryv-Ov_yf7iqFkiNR_wU8HLKO5ksfov9m5IVJki2NB0YDH1Jm-7KEXDMHFkAFu5ka67xYh1d1SL3hT0VuzTq99m4jFvLm0xQr0nTwz6TDTOBbeZKywq9JWpM_2HXJJrI8CgyO7_rdp7TIPdbc3kzCzJGA_xOBL-ktb1uoJAcHmk-FIJhuDu91iioHwpjGAC3o0WN06RKsDkeHjzQ2mDV_0ksYVzhx4V3yyoc-I8MQ0QvuBWU_aKms694WJmI_Q==
>>>> >who
>>>> >      should receive messages for this Search Console account.
>>>> >
>>>> >
>>>> >      --
>>>> >      Sent from my Android device with K-9 Mail. Please excuse my
>>>> brevity.
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >  Systems mailing list
>>>> >  Systems at lists.sugarlabs.org
>>>> >  http://lists.sugarlabs.org/listinfo/systems
>>>> >
>>>> >  --
>>>> >  I+D SomosAzucar.Org
>>>> >  "icarito" #somosazucar en Freenode IRC
>>>> >  "Nadie libera a nadie, nadie se libera solo. Los seres humanos
>se
>>>> liberan en
>>>> >  comunión" - P. Freire
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Sent from my Android device with K-9 Mail. Please excuse my
>brevity.
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > Systems mailing list
>>>> > Systems at lists.sugarlabs.org
>>>> > http://lists.sugarlabs.org/listinfo/systems
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Systems mailing list
>>> Systems at lists.sugarlabs.org
>>> http://lists.sugarlabs.org/listinfo/systems
>>>
>>>
>>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Systems mailing list
>Systems at lists.sugarlabs.org
>http://lists.sugarlabs.org/listinfo/systems

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/private/systems/attachments/20151013/dafe84c6/attachment.html>


More information about the Systems mailing list