+8 votes
3.5k views
in Q2A Core by

File 1 discovered: stats.php

   in folder /qa-include/stats.php

File 2 discovered: zp.php

   in folder: /qa-plugin/q2a-edit-history/zp.php

   in folder: /qa-theme/mobiles/zp.php

File 3 discovered: apps/facebook/class.php

  (it is a folder holding only an index.html, nothing else, so the hacker must have used a "file manager" to find it)


I uploaded all files to the github repository: https://github.com/echteinfachtv/q2a-various

File zp.php states "c99shell.php v.1.0 beta (dated 16.02.2005)

CCTeaM.
WEB: ccteam.ru
© Captain Crunch Security TeaM

"

Please help.

 

@Scott: Could it be that they came through the q2a edit plugin?

@gidgreen: How could they write to the theme folder? Looking at the logs, it seems that they came via qa-include/stats.php! But they did not put the stats.php there by FTP. It seems that class.php is a file manager, but I could not find a trace yet of how they put this file there. Any tip?

---

I have not found any FTP access, so they must have been using a script. This is what I found in the server logs from 2013-07-19 (IP 128.72.113.203 from Moscow, Russia): https://github.com/echteinfachtv/q2a-various/blob/master/2013-07-19-log.txt

--

What could that mean? What is the purpose of this attack?

PLEASE CHECK your own server files!

Q2A version: 1.5.4
by
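The question asks everyone to check their own server files. As an added example (not code from the original thread, Q2A or MODX), here is a small indicator scanner for the kind of findings listed above: it walks a document root, flags PHP files whose names match the dropped ones (stats.php, zp.php), flags directories named like PHP files (the apps/facebook/class.php case), and greps PHP files for the c99shell banner text quoted in the post plus the usual obfuscated-loader idioms (eval over base64_decode or gzinflate, preg_replace with the /e modifier). The signature list, file names and the constructed sample tree are assumptions for illustration; tune them for your install.

```python
"""Scan a document root for dropped PHP web shells (added example)."""
import os
import re
import tempfile

# Indicators: two banner strings quoted from the dropped zp.php in the thread,
# plus generic obfuscated-loader patterns c99/r57-style shells use.
# These regexes are an assumption for illustration, not a complete rule set.
SIGNATURES = {
    "c99shell banner": re.compile(r"c99shell", re.I),
    "CCTeaM banner": re.compile(r"Captain Crunch Security TeaM", re.I),
    "eval(base64_decode)": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval(gzinflate)": re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I | re.S),
}

# File names reported in the thread plus two classic shell names (assumption).
SUSPECT_NAMES = {"stats.php", "zp.php", "c99.php", "r57.php"}

PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return the list of indicator labels that match one file."""
    hits = []
    if os.path.basename(path).lower() in SUSPECT_NAMES:
        hits.append("suspicious filename")
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return hits
    text = data.decode("latin-1")  # cannot fail; we only need ASCII tokens
    for label, rx in SIGNATURES.items():
        if rx.search(text):
            hits.append(label)
    return hits


def scan_tree(root):
    """Walk root; return {relative_path: [indicators]} for everything flagged."""
    findings = {}
    for dirpath, dirs, files in os.walk(root):
        for d in dirs:
            # A *directory* called something.php is how the thread's
            # apps/facebook/class.php showed up: flag it on the name alone.
            if d.lower().endswith(PHP_EXTS):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings[rel.replace(os.sep, "/")] = ["directory named like a PHP file"]
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_site():
    """Constructed mini docroot mirroring the layout described in the post."""
    root = tempfile.mkdtemp(prefix="q2a-scan-")
    files = {
        "qa-include/qa-base.php": "<?php // legitimate application file\n",
        "qa-include/stats.php": "<?php eval(base64_decode($_POST['c'])); ?>\n",
        "qa-theme/mobiles/zp.php": (
            "<?php\n/* c99shell.php v.1.0 beta\n   CCTeaM. WEB: ccteam.ru\n"
            "   (c) Captain Crunch Security TeaM */\n"
        ),
        "apps/facebook/class.php/index.html": "<html></html>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_site()).items()):
        print(rel, "->", ", ".join(hits))
```

Run it as `python scan.py` against the constructed tree, or call `scan_tree("/path/to/docroot")` on a real install. A signature scan like this only finds what it knows about; the more reliable check is to diff the install against a pristine copy of the same release (file list and hashes) so that any file the release never shipped stands out regardless of content.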
More findings: Yesterday the IP 188.27.175.58 (Romania, Bucharest) used stats.php to "do" something on my system as well. See log: https://github.com/echteinfachtv/q2a-various/blob/master/2013-07-29-log.txt

The first "hit" with file "stats.php" that I have in my logs, is from 19 July 2013: 95.68.219.222 - - [19/Jul/2013:22:29:12 +0200] "GET //qa-include/stats.php HTTP/1.1" 200 11348 "http://neplohoybiz.ru/man/index.php" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 AlexaToolbar/alxg-3.1"

However, my logs are not complete as my provider deletes them after 7 days. So I only have some of my own incomplete log backups...
by
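The comments above work from Apache access-log lines to find who touched stats.php and when. As an added example (not from the original thread), here is a parser for the combined log format that normalises the request path (the `//qa-include/stats.php` double slash and any query string), flags every request to a file name from the dropped set, and reports the earliest request per client IP, which is what Scott's advice to "find the earliest requests from that IP" needs. The first log line is the one quoted in the comment above; the other four are constructed for the example and the shell-name list is an assumption.

```python
"""Flag web-shell requests in Apache combined-format access logs (added example)."""
import re
from datetime import datetime

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# File names of the shells reported in the thread (assumption: extend as needed).
SHELL_NAMES = {"stats.php", "zp.php"}

# Line 1 is the log entry quoted in the comment above; lines 2-5 are constructed
# sample data for this example and not taken from the poster's logs.
SAMPLE_LOG = [
    '95.68.219.222 - - [19/Jul/2013:22:29:12 +0200] "GET //qa-include/stats.php HTTP/1.1" 200 11348 '
    '"http://neplohoybiz.ru/man/index.php" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML, like Gecko) '
    'Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 AlexaToolbar/alxg-3.1"',
    '10.0.0.5 - - [19/Jul/2013:09:00:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '128.72.113.203 - - [19/Jul/2013:23:41:07 +0200] "POST //qa-include/stats.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '188.27.175.58 - - [29/Jul/2013:03:12:55 +0200] "GET /qa-include/stats.php?act=ls HTTP/1.1" 200 9931 "-" "Mozilla/5.0"',
    '128.72.113.203 - - [19/Jul/2013:23:40:01 +0200] "GET /qa-theme/mobiles/zp.php HTTP/1.1" 404 215 "-" "Mozilla/4.0"',
]


def normalise_path(raw):
    """Drop the query string and collapse repeated slashes: //a//b?x -> /a/b."""
    return re.sub(r"/+", "/", raw.split("?", 1)[0])


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalise_path(rec["path"])
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_shell_requests(lines):
    """Return parsed records whose path ends in one of SHELL_NAMES, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].rsplit("/", 1)[-1].lower() in SHELL_NAMES:
            hits.append(rec)
    return hits


def earliest_by_ip(lines):
    """Map each client IP that hit a shell to the timestamp of its first such request."""
    first = {}
    for rec in find_shell_requests(lines):
        if rec["ip"] not in first or rec["when"] < first[rec["ip"]]:
            first[rec["ip"]] = rec["when"]
    return first


if __name__ == "__main__":
    for rec in find_shell_requests(SAMPLE_LOG):
        print(rec["when"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
    for ip, when in sorted(earliest_by_ip(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print("first seen:", ip, when.isoformat())
```

Feed real logs with `find_shell_requests(open("access.log"))`. Once you have the earliest hit per IP, look at what that IP requested just before it: the request that first wrote the shell is the one that points at the vulnerable application, which in this thread turned out to be MODX rather than Q2A. The 7-day log retention mentioned above is the practical limit here; ship logs off the host if you want to reconstruct an intrusion that started weeks earlier.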
Found another stats.php in one of my other domains (!).

Damn it. There is also an "enlightenment.tgz" that holds C code and a picture "funny.jpg" -> "blackhats with kernel exploits"

See:
IMG: https://github.com/echteinfachtv/q2a-various/blob/master/enlightenment-funny.jpg
TGZ: https://github.com/echteinfachtv/q2a-various/blob/master/enlightenment.tgz
by
Checked my site, no problems anywhere.
Not sure there's any reason to suspect any of my plugins. See if you can find the earliest requests to your site from that IP, see if you notice anything.
by
Thanks for the feedback, Scott. I just saw one file within the edit-history folder, so I wanted to ask you :)
by
Ah OK sorry I missed that. I will double check my plugins but as far as I know a security flaw would not allow arbitrary uploads or arbitrary execution of PHP code.
The flaw could perhaps be in some upload code.

What server are you using? And what other plugins do you have?
Also if you have anything else like phpMyAdmin (especially older versions) you should make sure to get the latest versions.

2 Answers

+3 votes
by
There's nothing like this on the Q2A server.

Are you running any other things on the same server, e.g. WordPress, webmail, etc...

If so it is most likely they got in via another package, since Q2A does not have such a high profile that I would expect it to be targeted. A similar thing happened on one of my servers (not related to Q2A) which was running an old version of SquirrelMail.

You should clean it out but don't have to panic - generally these attacks are automated and they don't do much at the beginning except run an IRC bot.
by
thx gid. I have modx installed on another domain, but that's it.

It's also weird that those files were placed somewhat arbitrarily.

I have blocked file access to these files via htaccess. As a first step. But I don't know if this is effective.

And my provider said, it is not a Linux kernel exploit, and points to my scripts.

Furthermore I have put "quotas" that only allows access to the specific folder(s) of the domain, but not higher folders.
+3 votes
by

Okay, very good it is not q2a!

I found out it was ModX 1.0.5 that I have not yet updated to 1.0.10.

The attacker uploaded the stats.php there and could thus access all my server: http://forums.modx.com/thread/85896/my-modx-site-got-hacked

Lessons learnt: Use at least QUOTA to protect each of your domains, d*mn it.

@gidgreen: I hope you are right and I don't have to panic... I cleaned out all foreign php files that I could find. Btw, the initial attack was 10 June, another say-hello on 10 July and yesterday 29 July.

Why do we have to waste so much time for such nonsense... ~~

by
I applied the patches for "Forgot Manager Login" to MODX 1.0.5 and continue using it.

http://forums.modx.com/thread/81545/modx-evolution-1-0-7-and-prior-forgotmanager-plugin-vulnerability
http://modx.com/extras/package/forgotmanagerlogin

Attention:
Many changes have been added to the latest MODX compared with 1.0.5 (cache, etc.). If you don't do much customization in MODX, problems will rarely occur. However, if many problems occur after upgrading, I recommend the method of applying the patch instead. The number of issues from people who updated to a recent MODX is increasing in Japan. Compatibility with third-party plugins in particular tends to become a problem.
by
Also check for anything weird in your /tmp or /var/tmp directories.
by
did so, clean.

I set up quotas for each domain folder now. Plus updated MODX. Plus searched for modified files in June/July using the "search remote files" feature of FileZilla.

@sama55: You should definitely update to the newest version!
...