Result of possible unsuccessful hacking attempt.
#1
Yesterday one of my sites was locked down by the hosting company after it triggered a spam alarm by sending out too many emails. The site has no email form or anything on the front end and never sends mail, so the host support person is suggesting it could only be admin/resetpassword.php which is generating mail, in an attempt to guess a username and get a new password somehow. Why anyone should want to hack into this site is a total mystery.

Anyway, well done Shawn et al - it seems the system was secure enough. But several questions:

  1. The hosts want to add a "deny from all" rule in the .htaccess file for the admin area and allow access only for specified ranges of IP addresses. I would rather manage this myself, but can someone tell me how it is done, and if it is wise?
  2. Is there anything else I should or could do to prevent a repeat attempt? Could I limit the number of emails sent for password reset for instance?
  3. I thought I had better reset my own password and attempted to do it via the login and email rather than via the back end. I think the email address I left on the site is redundant so I never got the reset message. Can someone remind me how I get back my password by ftp? I upload a new user.xml file or something?
#2
I think the ktlock plugin might lock down password reset attempts as well
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#3
Also the reset password only generates mail on successful resets. So that makes no sense
- Shawn A aka Tablatronix
#4
so trying to guess a password if they know the username? That doesn't generate mail either. The whole thing is a bit unreal but they are adamant that the emails were being sent.
#5
you need to check your actual logs and see what the traffic was

You sure you don't have anything else on your server, or a plugin (disabled or not)?

very old versions of GS used to email on 404 errors also, fyi
- Shawn A aka Tablatronix
#6
@Tim: who is the host?

The email address is in plain-text in <user>.xml, so you can check/change it by ftp.

Code:
011c945f30ce2cbafc452f39840f025693339c42
in <user>.xml forces password to 1111, provided you don't have custom salt.
--
Nick.
#7
Thanks Shawn, I don't have access to logs on this hosting setup. I had moved the site to this host a few months back so it was up-to-date from a clean install without any old plugins

Thanks Hameau, hostroute, generally good ime and yes, that was the code I was looking for. I must put it somewhere safe.

A day after the initial panic of locked down site I am almost certain it was a false alarm. None of it makes any sense and the site seems totally unaltered. Since I only have a very limited dashboard / ersatz control panel there isn't much I can do to check. I am hoping it just won't happen again.
#8
how can you have no access to host logs?
it is kind of a requirement, for any analytics or debugging.

I just ftp to my host and there is a folder of logs, or log into cpanel
- Shawn A aka Tablatronix
#9
(2015-01-15, 02:48:10)Timbow Wrote: hostroute, generally good ime and
... cheap!

We had this discussion with IMAP services, I think? Pay a bit more for a lot more! Honestly, the peace of mind is priceless.
--
Nick.
#10
did you check your failed logins and error log just to see if anything shows up ?
- Shawn A aka Tablatronix
#11
No failed logins for those days. No errors at all in the errors log (for those days).

It all makes me think it might be a bit of BS from the host.
#12
yeah very odd, sounds like an open email relay on a shared host.
could have been anyones account
- Shawn A aka Tablatronix
#13
(2015-01-15, 06:47:09)shawn_a Wrote: yeah very odd, sounds like an open email relay on a shared host.
could have been anyones account

Today I had a repeat lockdown on the same site. The host named the dir /public_html/theme/Innovation/assets/images
and to my great surprise there was a file called page.php there which should not have been there. I don't pretend to know how it got there or how it was sending emails, and I presume it is nothing to do with GetSimple specifically, but do you need to see it? I downloaded it before I deleted it.
#14
post its code on a clipboard site or something, sounds like someone was able to upload it or copy it to your host.

maybe via a plugin or on your host.
- Shawn A aka Tablatronix
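Two .htaccess rules that belong together here: the IP allow-list for the admin area that question 1 in post #1 asks about, and a rule for the static-asset tree where post #13 found the planted page.php. This is an added example, not GetSimple's shipped .htaccess; the addresses are placeholders and the file locations assume a stock GetSimple layout (admin/, theme/, data/uploads/).

```apacheconf
# --- admin/.htaccess ---------------------------------------------------------
# Apache 2.4 syntax. Only the listed source addresses may reach anything under
# admin/, which includes admin/resetpassword.php. 203.0.113.0/24 and
# 198.51.100.7 are documentation addresses (RFC 5737): replace them with your
# own, and keep a second route (office IP, VPN exit) in the list so a changed
# home address does not lock you out of your own back end.
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>
# Apache 2.2 equivalent (also accepted on 2.4 when mod_access_compat is loaded):
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.0/24 198.51.100.7

# --- theme/.htaccess and data/uploads/.htaccess ------------------------------
# These trees should only ever serve static files. page.php was found under
# theme/Innovation/assets/images; refusing to serve script extensions here
# means a dropped file cannot be reached by URL even if it is written to disk.
<FilesMatch "\.(php|phtml|php[3457]|phar|cgi|pl)$">
    Require all denied
</FilesMatch>
# Belt and braces where PHP runs as an Apache module (mod_php5.c on PHP 5,
# mod_php7.c on PHP 7): switch the engine off for the subtree. Under
# FastCGI/PHP-FPM the directive is unknown to Apache and causes a 500, which
# is why it is wrapped in IfModule.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

Restricting admin/ by IP is wise as long as you control a stable address and the rules live in a file you can still edit by FTP when locked out. Both rules are defence in depth only: whoever could write page.php into the images directory could also rewrite these .htaccess files (post #22 reports altered ones), so finding and closing the write path matters more than any of this.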
#15
The php file is viewable at
http://www.wepaste.com/dodgyfile/

anonymous_data.php Disabled Plugin
Child Menu Version 1.8
Current Parent Version 1.0
Custom Title Version 1.3
HitCount Version 2.1.3
I18N Gallery Version 2.0
Imagizer Version 0.2
Innovation Theme Plugin Disabled Plugin
Multi User Version 1.8.2

I am the only person to have ftp access. No addon domains or subdomains.
#16
Your code is incomplete; most likely it is this exploit:
http://paste.ee/p/RKEuz

Are you running WordPress anywhere on your host?

What is Imagizer?

Imagizer does a weak job of sanitizing paths:
Code:
// Imagizer's upload-path selection as quoted (a fragment of a larger ternary).
// A single str_replace of '../' leaves '../' behind when given '....//'.
$path = isset($_GET['path']) ? tsl("../data/uploads/" . str_replace('../', '', $_GET['path'])) : "../data/uploads/";

But I doubt that it is responsible; it doesn't expose any front end function that I can tell.

I'd say this is coming from your host or someone on your host exploiting it, and not GS.

But to be safe I would wipe your install, and reinstall from clean files.
- Shawn A aka Tablatronix
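The weak filter quoted in the post above, run against a few traversal payloads, beside a realpath-based check that rejects them. This is an added example, not Imagizer's or GetSimple's code: tsl() is a stand-in for the GetSimple helper of that name (it adds a trailing slash), and the request values and temporary directory are constructed for the demo.

```php
<?php
// Added example (not Imagizer's or GetSimple's code). tsl() is a stand-in
// for the GetSimple helper; $attempts are constructed attacker inputs.

function tsl(string $p): string
{
    return rtrim($p, '/') . '/';
}

// Weak filter, as quoted: str_replace removes each '../' once, scanning left
// to right, so '....//' collapses to '../' after the inner match is cut out.
function weak_upload_path(?string $path): string
{
    $base = '../data/uploads/';
    return $path === null ? $base : tsl($base . str_replace('../', '', $path));
}

// Hardened form: resolve base and candidate on disk with realpath() and insist
// the candidate is the base or lies below it. Paths that do not exist resolve
// to false and are rejected, which is what a directory listing wants; code
// that must create new paths needs a lexical check instead.
function safe_upload_path(string $base, ?string $path): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ($path ?? ''));
    if ($candidate === false) {
        return null;
    }
    $candidate = rtrim($candidate, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $realBase, strlen($realBase)) === 0 ? $candidate : null;
}

// Constructed inputs, as they would arrive in $_GET['path'].
$attempts = ['gallery', '../theme', '....//theme', '....//....//admin'];

echo "weak filter:\n";
foreach ($attempts as $a) {
    // '....//theme' comes out as ../data/uploads/../theme/ : traversal survived.
    printf("  %-20s => %s\n", $a, weak_upload_path($a));
}

$tmp = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($tmp . '/gallery', 0700, true);
echo "realpath check (base {$tmp}):\n";
foreach ($attempts as $a) {
    printf("  %-20s => %s\n", $a, safe_upload_path($tmp, $a) ?? 'REJECTED');
}
rmdir($tmp . '/gallery');
rmdir($tmp);
```

The prefix comparison is done on the resolved paths with a trailing separator appended, so a sibling directory such as uploads_evil cannot pass as "inside" uploads. As the post says, the plugin does not expose this on the front end, so the bypass only matters to someone already logged into the back end; it is still worth fixing because an admin session is exactly what a password-guessing attack is after.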
#17
Thanks for looking. I appreciate it.
#18
This code is very well obfuscated.
It barely uses any native php functions also.

Very hard to decompile.
- Shawn A aka Tablatronix
#19
@shawn_a
Imagizer is a quite useful plugin, automatically reduces size of uploaded images.
http://get-simple.info/extend/plugin/imagizer/320/
It's on GitHub too: https://github.com/Zorato/Imagizer
#20
Maybe there was an access from another script of your webspace/host and it put the page file into the GetSimple folder. I think everything is possible here...

Edit: access over your FTP would also be possible.
#21
yeah log files are the only way to figure this out
- Shawn A aka Tablatronix
#22
(2015-03-29, 00:30:36)shawn_a Wrote: i would wipe your install, and reinstall from clean files.

I did. There were a lot of malicious files in there: mostly PHP files, but also text inserted into existing PHP files, altered .htaccess files, JPGs (which appeared empty) and HTML files.
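A way to find exactly the kinds of files the post above describes without reading every file by hand: hash a clean download of the same GetSimple release and the live install, then list what was added, changed or removed and flag the telltale cases (PHP under image or upload directories, PHP using eval/decode primitives, edited .htaccess files, and "images" with no image header). This is an added example, not GetSimple's own tooling; the two paths on the command line are assumptions.

```php
<?php
// Added example (not GetSimple's own tooling).
// Usage (paths are assumptions): php tree_diff.php /srv/clean-gs /srv/public_html

function hash_tree(string $root): array
{
    $root = rtrim(realpath($root), DIRECTORY_SEPARATOR);
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if (!$info->isFile()) {
            continue;
        }
        $rel = substr($info->getPathname(), strlen($root) + 1);
        $files[$rel] = hash_file('sha256', $info->getPathname());
    }
    return $files;
}

// Added, modified and missing relative paths, live install versus clean copy.
function diff_trees(array $clean, array $live): array
{
    $modified = [];
    foreach (array_intersect_key($live, $clean) as $rel => $digest) {
        if ($digest !== $clean[$rel]) {
            $modified[] = $rel;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($live, $clean)),
        'modified' => $modified,
        'missing'  => array_keys(array_diff_key($clean, $live)),
    ];
}

// Why a file deserves attention even when it is "just" an added file.
function why_suspicious(string $root, string $rel): ?string
{
    $full = $root . DIRECTORY_SEPARATOR . $rel;
    if (preg_match('#(^|/)(images|uploads|assets)/.*\.(php|phtml|php[3457]|phar)$#i', $rel)) {
        return 'script in a static-asset directory';
    }
    if (preg_match('#(^|/)\.htaccess$#', $rel)) {
        return 'rewrite/handler rules can redirect visitors or re-enable PHP';
    }
    if (preg_match('/\.(php|inc|phtml)$/i', $rel)) {
        $src = (string) @file_get_contents($full);
        if (preg_match('/\b(eval|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(/', $src)) {
            return 'eval/obfuscation primitives';
        }
    }
    if (preg_match('/\.(jpe?g|png|gif)$/i', $rel)) {
        // Empty or non-image "images" are a classic dropper artefact.
        $head = (string) @file_get_contents($full, false, null, 0, 4);
        $isImage = strncmp($head, "\xFF\xD8", 2) === 0
            || strncmp($head, "\x89PNG", 4) === 0
            || strncmp($head, 'GIF8', 4) === 0;
        if (!$isImage) {
            return 'image extension without an image header';
        }
    }
    return null;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    [$cleanRoot, $liveRoot] = [$argv[1], $argv[2]];
    $report = diff_trees(hash_tree($cleanRoot), hash_tree($liveRoot));
    foreach (['modified', 'added', 'missing'] as $kind) {
        foreach ($report[$kind] as $rel) {
            // data/ legitimately differs from a fresh download (pages, users,
            // cache, uploads), so only its suspicious additions are listed.
            $why = $kind === 'missing' ? null : why_suspicious($liveRoot, $rel);
            if ($kind === 'added' && strpos($rel, 'data/') === 0 && $why === null) {
                continue;
            }
            printf("%-8s %s%s\n", $kind, $rel, $why ? "  [{$why}]" : '');
        }
    }
}
```

Run it against the downloaded copy of the live site before wiping anything: the list of modified core files (text inserted into existing PHP) and the timestamps on the added ones are the closest thing to a timeline when, as here, the host gives you no access logs.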
#23
yeah most of these things corrupt every file it can write to.
- Shawn A aka Tablatronix