Hacked website

[aducom]

My E107 website (latest) status was hacked and all my folders were injected with the same script as can be found here:
https://stackoverflow.com/questions/67296060/hacked-wordpress-htaccess

Has anybody experienced this issue and has a cause? I have no open forms on my website so this really puzzles me.

A.

[Deltik]

You should look through the web server access logs for suspicious activity. Otherwise, all we can do here is speculate.

[aducom]

We are, but at the same time, I'm sharing our experience and hope that others might have similar issues. It is by no means a signal that E107 has an issue,.

[Alex-e107nl]

Hi Albert, how did you find out there was a problem on the website, couldn't log in anymore? Website no longer available? Did you also have cron commands that you had not set yourself?

I haven't seen it on my servers yet..

Php version? Latest means 2.3.2?

Thx for the info!

[aducom]

I couldn't access any of the pages except for the homepage. I run 2.3.2. I had to write a small script to delete all the suspected .htaccess files (each folder had one!) and then re-uploaded my backup. It was handled pretty quickly but I try to find out what caused it. I don't have odd crons, and currently diving into the logs to see who did what. I realized too lately that I should have investigated the index.php to see if and how they are hacked. If it is a similar hack as WP then there are files with multiple <?php in them. As soon as I find an infected file I'll write some detector.

[aducom]

From the logiles: https://www.phspeed.com/access.php?10001abcaa55atesta5

Now access.php is not in the root of my E107, actually I can't find it at all. But the link works and points to a Japanese website. Any clues?

[aducom]

Correction, I have a compromised access.php and admin.php.

[Alex-e107nl]

Well how did they get there Albert? Is the server infected, ftp login data leaked? I'm curious if you can find out, I checked mine but I don't have both files anywhere... Can you find anything in your log files on the server?

[aducom]

Ok, I will now close this post. My findings are below. The E107 website was compromised by a WP hack. By coincidence, I found out within minutes, so I was able to trace it down, using the logs. If you want to verify if you have the same issue, then scan your site for the following. Except for the annoying access I had no trouble, but this hack allows your site to become a 'man in the middle as it is able to access your site from outside.

There are two files injected: access.php and admin.php. In my case in my root folder. There is also an image folder created with a license.txt which is actually an encrypted PHP file (unphp.com for your assistance). I will not go into detail about what the scripts do, but in your apache log you will find entries like:

http://api.firstguide.xyz/
GET /admin.php?n=access&q=25-2&y=2
GET /access.php?10001abcaa55atesta5

Again, it is a hack that is used within the WordPress world, and for that reason, I fear that E107 has a similar issue. I was not able to find out which plugin or module is vulnerable. It is still possible that it has another cause.

As an afterburner, from the research, I found out that this script is used for many purposes. Access.php will generate a not found if you have not the right code. But if you do it will lead to all kinds of websites.

[aducom]

For some reason I cannot find out how the site is being hacked, I can see a lot of incoming messages and for some reason they still succeed in infecting my site. I also see a lot of 404 as they are trying all kinds of things, which gave me the idea to focus on this. The only problem is that I want to intercept 404 which is in the .htaccess, but if I do then my friendly urls do not work. Does anybody know how I can attach my own 404 routing, without disturbing E107? Or do I have to make my changes in error.php?

[CaMer0n]

@aducom Thank you very much for sharing. Of course, the main question is - how did the files get on the server to begin with?

Are you able to share some basic details about the server? ie:

• Is it a dedicated or shared server?
• Is it using cPanel or some other software for server management?
• Which version of PHP are you using?
• Have you disabled vulnerable PHP functions etc in your configuration? (eg. shellexec).
• Is mod_security installed?
• What are your "allowed file types" listed in the "File Uploading" preferences of e107?
• Was it an upgraded e107 site, if so, what was the first version installed and did you run file-inspector each time after upgrading?

If you can answer these, I would really appreciate it.

[aducom]

@CaMer0n, I'll be most happy to share the details and things I did to block this. But I don't want to publish that info here, as I'm still suffering from loads of attacks, so if you have an email I can send it to, then I will. Btw, I don't think that E107 is the problem in this hack. I run more apps.

[aducom]

I added a small piece of code to error_pages_class that might be helpful to people suffering from similar issues. It works database less. I have put it above the return $body in the script. It reads the ip on a 404. Then locates the spam file to see if there are more then 10 entries within 5 minutes. If the file is initiall older then it is removed and a new one created. If there are more entries wihtin that time, the ip is added to the .htaccess. There might be better ways, but works for me. (Btw, I have a cron that deletes the amount of spam files that are older than one hour and runs a few times per day)

$ip=$_SERVER['REMOTE_ADDR'];
$ipo=$ip;
$ip=str_replace(':','', $ip);
$ip=str_replace('.','', $ip);
$fid='spam_'.$ip.'.txt';

// now get timestamp of file
$dtf=date("YmdHi", filemtime($fid));

// get current datetime
$dtn=date("YmdHi");

// if timedifference is larger then 5 minutes then delete the original file,
// most likely a legit 'mistake'
$x=($dtn-$dtf);
if(($dtn-$dtf) > 5) {
    unlink($fid); 
}               
// write time stamp as a line
file_put_contents($fid, $ipo.'|'.$dtn."\n", FILE_APPEND | LOCK_EX);

// count the number of records. If it is higher then 10 then it's considered to be from a hacker.
$rc=0;
$fh = fopen($fid,'r');
while ($line = fgets($fh)) { $rc++; }   
if($rc>10) { // now the site will be blocked!
   file_put_contents('.htaccess', 'Deny from '.$ipo."\n" , FILE_APPEND | LOCK_EX);
}        
fclose($fh);

// the original logs
file_put_contents('phspeedlog.txt', $dtn.' '.$_SERVER['REMOTE_ADDR']."\n" , FILE_APPEND | LOCK_EX);