Urgent security issue - php files are downloaded as text

PSS

Well-Known Member
#22
Yes, you were right!

They uploaded a PHP shell to my /forum/customprofilepics/ (chmod 777) as profilepic632436_2.php (12 days ago!!)

Can you please tell me how to stop these shells from being uploaded and, even if they are uploaded, how to restrict their functions?

I've uploaded the shell.

Set in php.ini

disable_functions = exec,passthru,system,shell_exec,base64_decode,posix_getpwuid,phpinfo
allow_url_fopen = Off
allow_url_include = Off

That should help some. Note that with exec functions disabled, you need to set vB to use GD2 graphics library as Imagemagick won't work any more.

Here's the interesting bit from script, it tells what apps it uses:
PHP:
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl'); 
$danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja'); 
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
 
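A small checker for the php.ini settings recommended above, added here as an example (it is not code from the thread or from vBulletin). It parses an ini text, verifies that every function in the post's disable_functions list is actually disabled, and that allow_url_fopen and allow_url_include are Off, using PHP's own defaults for a directive that is absent. The two ini texts at the bottom are constructed samples, not a real server's file.

```python
"""Audit a php.ini for the hardening the post recommends.

Added example, not code from the thread: it parses the ini text, checks
that every function in the post's disable_functions list is actually
disabled, and that allow_url_fopen / allow_url_include are Off. The two
ini texts at the bottom are constructed samples, not a real server's file.
"""

# Functions the post lists for disable_functions. Disabling the exec
# family also breaks ImageMagick-through-exec, hence the GD2 note in the post.
REQUIRED_DISABLED = {
    "exec", "passthru", "system", "shell_exec",
    "base64_decode", "posix_getpwuid", "phpinfo",
}

# PHP's own defaults when a directive is absent from the file.
URL_DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off"}

# Values php.ini treats as false.
FALSE_VALUES = {"off", "0", "false", "no", "none", ""}


def parse_php_ini(text):
    """Return {directive: value} from `key = value` lines; ';' comments and
    [section] headers are ignored, surrounding quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings (empty when the ini passes every check)."""
    settings = parse_php_ini(text)
    findings = []
    listed = {
        name.strip().lower()
        for name in settings.get("disable_functions", "").split(",")
        if name.strip()
    }
    for fn in sorted(REQUIRED_DISABLED - listed):
        findings.append("disable_functions does not list " + fn)
    for directive, default in sorted(URL_DEFAULTS.items()):
        if settings.get(directive, default).lower() not in FALSE_VALUES:
            findings.append(directive + " is not Off")
    return findings


# Constructed sample: a stock-looking php.ini with nothing disabled.
WEAK_INI = """\
[PHP]
; remote file access left at PHP's defaults
disable_functions =
allow_url_fopen = On
"""

# Constructed sample: the settings from the post applied.
HARDENED_INI = """\
[PHP]
disable_functions = exec,passthru,system,shell_exec,base64_decode,posix_getpwuid,phpinfo
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label + ":", audit_php_ini(ini) or ["no findings"])
```

Run it against the server's actual php.ini by reading the file into audit_php_ini(); an empty result means the settings from the post are in place. Note that disable_functions only covers PHP's internal functions, so it limits what an uploaded shell can call but does nothing about the upload itself.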

LiteSpeeder

Well-Known Member
#23
Thanks for the help. The iframe came again after i deleted that shell. I'm searching the server for another shells but i couldn't find any. I can request a server reinstall but it may not be a permanent solution if there are some vulnerable scripts etc. don't know how to find them though..
 

PSS

Well-Known Member
#24
Thanks for the help. The iframe came again after i deleted that shell. I'm searching the server for another shells but i couldn't find any. I can request a server reinstall but it may not be a permanent solution if there are some vulnerable scripts etc. don't know how to find them though..
First I would disable upload of avatars and profile images. Then I would search the file contents of all image files (gif, jpg, jpeg, png), maybe also attachments, for the strings

base64_decode

and

eval(

( Linux: grep -liR base64_decode /path/to/your/avatars/ )

If you find none, back up your db and files (download all!), do a system restore, install the original vB php files (not from backup!) and restore the database. You'll have a clean vbulletin. If you still get that iframe then I'm clueless :)

If you seem to be ok after the above, add other scripts after you carefully check them for vulnerabilities - if you are not 100% sure, do not install them.
 

LiteSpeeder

Well-Known Member
#25
I've found the other shells:

Code:
forum/albumpics/0/r57.php	Trojan.Shell-2
forum/albumpics/0/099.picture.php	Trojan.PHP.C99Shell
forum/albumthmbs/0/c99.php	Trojan.PHP.C99Shell
Now I changed all 777 directory permissions to 755, but that will stop image uploading :(
 

PSS

Well-Known Member
#26
"forum/albumpics" seems to suggest that the vulnerable script is an album script you have for vbulletin (a plugin?). Anyway, not forcing a valid image extension for uploaded images is a clear security leak.
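The two points made in #24 and #26, as an added example in Python (not code from the thread, from vBulletin or from any album plugin): scan_uploads() does what the grep in #24 does, walking an avatar or album directory and reporting every file that carries a PHP marker (`<?php`, `base64_decode`, `eval(`) whatever its extension; validate_upload() enforces what #26 says was missing, an image extension whitelist backed by a check of the file's leading bytes, rejection of any file containing a PHP marker, and a server-chosen file name so the client's name never reaches disk. The directory tree and file contents built by build_sample_dir() are constructed for the demonstration; only the file name 099.picture.php is taken from the thread.

```python
"""Detect PHP planted among uploaded images, and validate new uploads.

Added example, not code from the thread or from vBulletin. The sample
upload tree built below is constructed; no real shell code is included.
"""
import hashlib
import os
import tempfile

# Strings worth grepping for, per post #24, plus the PHP open tag itself.
PHP_MARKERS = (b"<?php", b"base64_decode", b"eval(")

# Leading bytes a genuine file of each whitelisted type must start with.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def find_php_marker(data):
    """Return the first PHP marker present in data, or None."""
    for marker in PHP_MARKERS:
        if marker in data:
            return marker.decode()
    return None


def scan_uploads(root):
    """Walk root and return sorted (relative path, marker) for every file that
    carries a marker. Every file is read regardless of extension: a shell may
    sit as .php beside the images or inside a file with an image extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                marker = find_php_marker(fh.read())
            if marker:
                hits.append((os.path.relpath(path, root), marker))
    return sorted(hits)


def validate_upload(filename, data):
    """Return (accepted, reason, stored_name). stored_name is server-chosen:
    the content hash plus the verified extension, never the client's name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        return False, "extension not in image whitelist", None
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match %s header" % ext, None
    marker = find_php_marker(data)
    if marker:
        return False, "image contains PHP marker %s" % marker, None
    return True, "ok", hashlib.sha256(data).hexdigest() + "." + ext


def build_sample_dir():
    """Create a constructed album tree: one clean GIF, one PHP file with a
    placeholder body, and a JPEG with a PHP tag appended after a valid header."""
    root = tempfile.mkdtemp(prefix="albumpics_")
    os.makedirs(os.path.join(root, "0"))
    samples = {
        os.path.join("0", "clean.gif"): b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        os.path.join("0", "099.picture.php"): b"<?php /* constructed placeholder */ ?>",
        os.path.join("0", "avatar.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* constructed */ ?>",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for rel, marker in scan_uploads(root):
        print("suspicious: %s (contains %s)" % (rel, marker))
    print(validate_upload("profilepic.php", b"<?php ?>"))
    print(validate_upload("pic.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```

Point scan_uploads() at the real avatar, profile-picture and album directories (the thread's customprofilepics, albumpics and albumthmbs) to get the same result as the grep, with eval( and the PHP open tag covered as well. The marker check in validate_upload() matters because a file can start with a valid image header and still carry PHP after it, which the extension and header checks alone would let through.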
 
#27
Just a small suggestion: I came across the CSF website where they are offering a script which scans each and every file uploaded to the server with ClamAV; maybe it will help you in some way :)
 

LiteSpeeder

Well-Known Member
#28
Yes, I even ordered it but they asked for confirmation... I had no time to reply, so they refunded the payment. I'm not sure if it'll work with LiteSpeed though...
 

LiteSpeeder

Well-Known Member
#30
***********************
vBSEO SECURITY BULLETIN
***********************

November 17, 2009

A possible exploit was reported today by a big-board vBSEO customer.
After some testing with our development team, we were able to narrow down a case of possible malicious code injection through a legacy code bit in vbseo. The legacy code has been removed from the new versions released herein.

This issue affects ALL versions of vBSEO on forums that use the file system to store attachments/avatars/profile pics/etc. ALL customers using file system storage are urged to upgrade as soon as possible.

All packages have been updated with the patch in the downloads area (https://www.vbseo.com/downloads/). There is no version number change.
You may simply over-write your current version files with those in the download package and follow the *upgrade* instructions included in docs/readme.html file, or you can apply a patch from the list below.
So... end of the story, I guess...
 