Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Site hacked! Found "base64" in 2 files
#1
Exclamation 
Our website, www.psewer.com, has been hacked. After clicking around for a while on the site, it will eventually redirect to www.hotglasses[dot]us/#psewer.com. The weird thing is it doesn't happen right away and it's different every time. Sometimes it's after 3 clicks, sometimes after 50. My web host thinks I'm making it up!! I did some googling but didn't find much so I did a search through all my code and found "base64" in 2 locations:

admin\inc\basic.php
AND
admin\template\js\codemirror\lib\codemirror-compressed.js

My question is, is it supposed to be there? Is it ever okay to have base64 in your code or does it always mean something bad?

I am not familiar with a lot of complicated code but I need to get this fixed. It's for a client of mine. Confused
Reply
#2
Have you tested this from different computers?
Reply
#3
(2016-03-06, 00:43:11)Carlos Wrote: Have you tested this from different computers?

I agree with Carlos, this is usually a malicious browser addon/plugin attack from a client computer.

Also, I ALWAYS remove any logo or anything that lets a attacker know what software your using. So for example I recommend removing anything that says you are using GetSimple or other software. If a vulnerability is found for the software, advertising it increases your odds of a successful attack.

If you use ftp (like I do) make sure you use encryption. I used a web hosting company that was constantly hacked for 3years until they started requiring everyone to use it. Once everyone used encryption no more hacks!
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply
#4
base64 is just that encoded data, many legit uses, you could always decode it using a web decoder and image decoder, its probably just images or icons.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#5
I was about to post something about un malicious plugin on your browser, but just to be sure I tried to randomly click on your website : I was redirected to... well, httpx://wwx.hotglasses.us/#psewer.com

So.. yes there may be something wrong.

As shawn_a said, probably nothing wrong with base64. If you want to be sure use a online decoder like https://www.base64decode.org/
__
Contact me if you need a french translation file for your plugin.
Reply
#6
I'm trying to investigate deeper by using the firefox plugin "TamperData", which give you all the request done by the browser.
__

Here is the last request to your website, and the first one to hotglass :


Code:
18:01:59.898[202ms][total 202ms] État: 200[OK]
GET http://psewer.com/?id=forms Indicateurs chargement[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Taille contenu[-1] Type Mime[text/html]
  En-têtes requête:
     Host[psewer.com]
     User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
     Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
     Accept-Language[fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3]
     Accept-Encoding[gzip, deflate]
     DNT[1]
     Referer[http://psewer.com/?id=frequently-asked-questions]
     Connection[keep-alive]
  En-têtes réponse:
     Date[Sat, 05 Mar 2016 17:02:00 GMT]
     Content-Type[text/html]
     Server[Microsoft-IIS/6.0]
     X-Powered-By[ASP.NET]
     Vary[Accept-Encoding]
     Transfer-Encoding[chunked]


18:02:00.136[1033ms][total 5108ms] État: 200[OK]
GET http://www.hotglasses.us/#psewer.com Indicateurs chargement[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Taille contenu[-1] Type Mime[text/html]
  En-têtes requête:
     Host[www.hotglasses.us]
     User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
     Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
     Accept-Language[fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3]
     Accept-Encoding[gzip, deflate]
     DNT[1]
     Referer[http://www.hotglasses.us/]
     Cookie[__cfduid=dd50a9736e3ef8112b64553f77f1d2fd91457195326; cookie_test=please_accept_for_session; zenid=8addf2d3e3eed50eb5af2931942e252d]
     Connection[keep-alive]
  En-têtes réponse:
     Date[Sat, 05 Mar 2016 17:02:01 GMT]
     Content-Type[text/html; charset=iso-8859-1]
     Transfer-Encoding[chunked]
     Connection[keep-alive]
     X-Powered-By[PHP/5.3.29]
     Set-Cookie[cookie_test=please_accept_for_session; expires=Mon, 04-Apr-2016 17:04:30 GMT; path=/; domain=www.hotglasses.us]
     Expires[Thu, 19 Nov 1981 08:52:00 GMT]
     Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
     Pragma[no-cache]
     Vary[Accept-Encoding,User-Agent]
     Server[cloudflare-nginx]
     CF-RAY[27ef2217431f25fe-MRS]

edit : did some more tests, many times I'm redirected on hotglass. This can happen from any pages of the site. Can't really find anything usefull. Here is a screenshot of the wireshark-like plugin I mentionned before : http://nsa37.casimages.com/img/2016/03/0...692481.jpg
Just a thing : each time I'm redirected to hotglass site, It first start to load the normal page I asked for, then switch to hotglass. Something like if their was a <meta http-equiv="Refresh" content="0; url=http://hotglass...." />
But there is not any header like this one in your page, so please check carefully your .htaccess
And enable debug mode! (http://get-simple.info/forums/showthread.php?tid=877)


Plz tell us if you find the trick!
__
Contact me if you need a french translation file for your plugin.
Reply
#7
Probably a js injection it should be fairly easy to find in the source.

Look for location.href
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#8
(2016-03-06, 09:09:44)shawn_a Wrote: Probably a js injection it should be fairly easy to find in the source.

Look for location.href

That's what I was thinking shawn_a I just didn't know how to find it. Thank you all for your feedback. I'll keep you posted. So frustrating!
Reply
#9
FOUND IT! When I did a search before for the base URL, I wasn't getting any results but now I am. I searched location.href and it came right up. Those F-ers added a php include into my index.php file that pointed to a php file in my \images\ folder.

My question now is how do I stop this from happening again? Will the previously mentioned security fixes do the trick? I also changed the admin user and password but should I have my client change their webhost logins too?

Also, thank you thank you thank you!
Reply
#10
Something similar happened to a site of mine last year. Some advice (from a non-expert):

You may never know how the site was hacked, but there are only a few possible ways in. By ftp, through the GS login or through a script introduced via an insecure plugin or a contact form or something. I can tell you that Shawn has done a lot of work on security and if you are using the latest core GS it is very, very unlikely that GS itself was the vulnerable part of your site. It's worth changing all the passwords.

There may be files all over your server with innocuous names and it is difficult to check them all. Hopefully you have backups and you can delete everything and reinstall. Check the backup you reinstall from because sometimes these attacks are time delayed so you maight reinstall the rogue files.
Reply
#11
Before getting too drastic and doing brain surgery, you may have a few options. I backup parts of my server either weekly or monthly (depending on usage) and ALWAYS backup before a day of hard editing.

1) download your existing install.
2) If you have backups, you can use a program like Win Merge or similar and run a compare with one of your backups.
3) In your case, look for differences in .php files.
4) If all looks well, there is no reason to go through a fresh install.
5) Monitor closely for a month. If the back door is still open, they will be back and do it again. If you plugged the hole, this will be the end of the problem.

if on a linux system you can also do a "find -R..." and GREP and look for the "location..." or include text.
I wrote a set of PHP tools that allow server side pseudo Linux like tools that include a pseudo GREP find &  replace.
It includes a report only feature so you can decide if you really want to proceed with a command.

https://sourceforge.net/projects/php-toolbox/
Thanks,
jwzumwalt
(\__/)
(='.'=)
(")_(")
Reply
#12
You can also hack shared hosts on the same server.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#13
Yeah this is usually a script that inserts into everything. Since ga does not do password throttling its wise to pick a very secure password as it can be brite forced for months. You might also want to check about adding noexec to your uploads htaccess
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#14
I would also check the dates against access logs and error logs to see of the attack came from the net or the server
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#15
Thank you again everybody for all your help. I really appreciate the quick responses and the additional info regarding site security. A million times thanks! You guys are awesome. Big Grin
Reply
#16
(2016-03-08, 08:09:54)jmagro Wrote: added a php include into my index.php file that pointed to a php file in my \images\ folder.
Is it possible without logging in? Can a GS login cookie be added manually?
Reply
#17
Yes cookies can be stolen
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply




Users browsing this thread: 6 Guest(s)