Hacked! Part 3 – Teaser
By Andrew Smith
I left off with my server almost completely back up, but not yet Apache. I’ve had to make sure the web apps, which I’d taken off the internet, weren’t full of security holes before allowing access to them again.
Though this is my third post, 4 days later, in real time it’s been less than 24 hours since I discovered the ftp scanner. So I had some breathing time to do a half-decent job.
Most of all I suspected WordPress. They come up with a new version every few months and every time claim it’s a security update, which makes me wonder if it’s ever secure. Luckily both ISO Master and Grumble Grumble are just stock WordPress installs with a theme over them. Everything else is stored in the database. So I was able to delete all the code except for the themes, install WordPress 2.7 on both, and miraculously both websites came back up with no trouble whatsoever.
I have not reviewed the theme code or the contents of the databases – I assume the WordPress guys were smart enough not to store executable code in either of those places. Either way it was a risk I was willing to take.
A third WordPress website (the old Canvas3D blog) I’ve decided not to bother with and left it with chmod 0.
Three web apps down, two to go – SquirrelMail and RoundCube. I have both installed because I have more than one email account, so I have both open in browser tabs at once. I’ve decided to look around before enabling these. RoundCube first. Somehow or other I stumbled upon a php file in the logs directory:
root@legrand-sw:/media/hd/home/www/htdocs/mail/logs# ls -al
total 129
drwxrwxr-x  2 andrew apache    120 2008-12-30 18:00 ./
drwxr-xr-x 10 andrew users     480 2008-08-15 10:25 ../
-rw-r--r--  1 apache apache  14985 2009-01-07 13:29 errors
-rw-r--r--  1 apache apache   7033 2009-01-07 13:26 sendmail
-rw-r--r--  1 apache apache 105643 2008-12-30 18:00 zq.php
Which is a really strange place to keep a php file, especially since the directory is writeable by Apache. See how zq.php is owned by apache? That’s really bad. And lookie here what was at the top of zq.php:
/******************************************************************************************************/
/* [ASCII-art RST/GHC logo, not reproducible here]
/* r57shell.php -
/* : http://rst.void.ru
/* : 1.3 (05.03.2006)
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* : blf, phoenix, virus, NorD RST/GHC.
/* - rst@void.ru.
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* (c)oded by 1dt.w0lf
/* RST/GHC http://rst.void.ru , http://ghc.ru
/* ANY MODIFIED REPUBLISHING IS RESTRICTED
/******************************************************************************************************/
Isn’t that interesting... I didn’t quite know what to think of it: on the one hand it looks like the hacker put it there to taunt me; on the other hand RoundCube is a young open source project, so who knows what the developer was smoking?
Didn’t take long to figure out though: both http://rst.void.ru and http://ghc.ru are hacker websites, though ghc.ru looks half-commercial. And the contents of the file (which I’ve had no time to analyse) clearly do something that isn’t nice. I’ve renamed the file to .txt and put it up for you to study if you care.
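The listing above gives two tells worth checking for routinely (a PHP file owned by the web server user, sitting in a directory the web server can write to), and the banner gives a third (known web-shell strings near the top of the file). The following is an added Python example, not code from the original post: the web server's uid/gid and the docroot are parameters, and the fixture built in demo_run is constructed to mimic the mail/logs listing, since a demo cannot chown files.

```python
import os
import tempfile

# Strings from the r57shell banner quoted above; any of them in a PHP file is a red flag.
SHELL_MARKERS = (b"r57shell", b"rst.void.ru", b"ghc.ru", b"1dt.w0lf")

def web_can_write(st, web_uid, web_gid):
    m = st.st_mode   # 0o200/0o020/0o002 are the owner/group/other write bits
    return bool((st.st_uid == web_uid and m & 0o200) or
                (st.st_gid == web_gid and m & 0o020) or m & 0o002)

def find_suspicious_php(docroot, web_uid, web_gid):
    """Return {relative path: [reasons]} for .php files owned by the web server user,
    sitting in a web-server-writable directory, or carrying a known shell banner."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        dir_writable = web_can_write(os.stat(dirpath), web_uid, web_gid)
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.stat(path).st_uid == web_uid:
                reasons.append("owned by web server user")
            if dir_writable:
                reasons.append("in web-server-writable directory")
            with open(path, "rb") as fh:
                head = fh.read(65536)          # banners sit at the top of the file
            hits = [m.decode() for m in SHELL_MARKERS if m in head]
            if hits:
                reasons.append("banner markers: " + ", ".join(hits))
            if reasons:
                findings[os.path.relpath(path, docroot)] = reasons
    return findings

def demo_run(owned_by_web=False):
    """Constructed fixture mirroring the listing above. A demo cannot chown, so the
    web server's gid is taken to be ours; its uid is ours only if owned_by_web."""
    web_uid = os.getuid() if owned_by_web else -1     # -1 matches no real user
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        logs = os.path.join(docroot, "logs")
        os.makedirs(logs)
        os.chmod(docroot, 0o755)   # drwxr-xr-x: the web server cannot write here
        os.chmod(logs, 0o775)      # drwxrwxr-x andrew apache, as in the listing
        with open(os.path.join(docroot, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(logs, "zq.php"), "w") as fh:
            fh.write("<?php\n/* r57shell.php - http://rst.void.ru */\n")
        return find_suspicious_php(docroot, web_uid, os.getgid())
```

On a real box you would call find_suspicious_php with the docroot and the uid/gid of the apache user; anything it reports in a directory like logs/ deserves the same look zq.php got.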
As with mailman (see previous post) I decided this service is not going to be re-enabled. Maybe I messed up something during setup, but just as likely RoundCube was at fault. After all it was the first ’stable’ version, 0.1. And I’ll keep SquirrelMail off too for good measure; I’ll just install Thunderbird on all my machines.
So there you go. One clue in Mailman, one in RoundCube. Are they related or are they two separate hacking attempts? Were they run by script kiddies or serious hackers? Having some evidence that the ftp scanner was set up manually, I tend to favour the latter possibility. And what of this zq.php? Was the logo there because it’s a general-purpose cracking tool, or because those groups actually had something to do with my server?
There’s lots of investigation left still. At this point my server is completely operational, so I have lots of time. I do hope I find more clues; mystery solving turns out to be a really exciting hobby.
January 13th, 2009 at 7:12
So, the first time I read these stories (or rather, when I read the first two parts), I thought “wow, that must suck”.
Earlier today, however, I was emailed by someone with an FYI that the footers on my blog contained spam links. WTH. I had akismet and comment moderation, so that wasn’t it. I’m running subversion-based wordpress, which makes updating easy, but also keeps around old modifications made by people we don’t like particularly much. So while I know that my install somehow was modified thus, I don’t know how or when. Or rather, I know the index.php mod happened 3 days ago, but I also know that it doesn’t work because my server does not allow remote includes. And when I say “my server” I mean “my friend’s server on which my site happens to be hosted, along with a whole bunch of other websites”, so it is almost as easily possible that things were hacked somewhere else first. On the other hand, all the files were still owned by me, so it doesn’t seem anyone had root at any point… Unfortunately I don’t have root or even sudo rights, so I am not able to poke about as much as you are.
At this point, I can see the spam still in the WP-Cache’d versions of my pages, and when I clear the cache they keep coming back – but when I view the site I don’t see anything, which is peculiar. I was also not able to find any modifications which would have put the content there (grepping through for “base64”, “compress” and “that thing which spammers like to advertise” yielded no other useful results).
Ideas? :-)
January 14th, 2009 at 9:48
Sucks what happened, but thanks for posting your story. An interesting read.
January 20th, 2009 at 17:21
Same thing on my site last night. In my case, they’re getting in through an old WordPress caching plugin. If you’ve got /wp-content/cache.php, erase it. I forget which caching plugin that was (I installed it years ago, disabled it, then forgot about it), but apparently there was a hole in it. My cache.php was 104k, which was a real tip-off. They’re POSTing data to it in order to execute commands on the server. If some script kiddie has stuck that on your server, I recommend highly renaming it and then opening it in a browser yourself. It’s impressive, even if you don’t know Russian.
Gijs, you don’t see it because, in all likelihood, the code is written to show those spam links only when the site is being loaded by an IP within Google’s IP range. Check out the Google cache of your site and you’ll see.
February 7th, 2009 at 5:09
I love the PHP script. I was genuinely interested in combing through it until my Antivirus popped up and flagged it as a Back Door Trojan. Ha!