[Edit: to summarize, I found nothing to suggest that my Gallery3 installation was the cause of this hack--M.W. 03/08/2011]
My website was hacked two days ago, and I am wondering if my Gallery3 installation was connected with this: pages advertising drugs were put in a folder deep in the site, and almost all my page folders had bogus .htaccess files added that redirected users coming in from search engines to the bogus pages instead of the intended pages which showed up eg in Google.
From my site logs, I see that two machines/addresses on baltnet.ru accessed my site 500 times just before this happened; this is larger than any user other than a search bot such as Yahoo or Google. My reason for thinking that Gallery3 may have been connected is that the Russian machines/addresses apparently made 300 requests for a page address in the folder superfish, with this URL: /gallery3/lib/superfish/images/404.php
From the detailed site logs, here is a typical line from the log:
178.68.23.108 - - [05/Mar/2011:10:05:43 -0800] "POST /gallery3/lib/superfish/images/404.php HTTP/1.1" 200 5226 "http://wengam.com/gallery3/lib/superfish/images/404.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.01"
Can anyone tell me what the superfish folder in my Gallery3 installation is for? Is there any way someone using that address could get access to the rest of my site?
For the time being I have changed my passwords, deleted all the bogus .htaccess files and deleted my Gallery3 installation.
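The log pattern described above (one address making hundreds of POSTs to a .php file in an images/ folder) can be pulled out of a combined-format access log with a few lines of awk. This is an added example, not part of the original post; the log lines are constructed for the demo using documentation IP ranges.

```shell
#!/bin/sh
# Constructed sample lines in the same combined log format as the post's excerpt
# (addresses and counts are made up for the demo, not taken from a real server).
SAMPLE_LOG='203.0.113.5 - - [05/Mar/2011:10:05:43 -0800] "POST /gallery3/lib/superfish/images/404.php HTTP/1.1" 200 5226 "-" "Opera/9.80"
203.0.113.5 - - [05/Mar/2011:10:05:44 -0800] "POST /gallery3/lib/superfish/images/404.php HTTP/1.1" 200 5226 "-" "Opera/9.80"
203.0.113.5 - - [05/Mar/2011:10:05:50 -0800] "GET /gallery3/index.php/album1 HTTP/1.1" 200 9000 "-" "Opera/9.80"
198.51.100.7 - - [05/Mar/2011:10:06:01 -0800] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2011:10:06:02 -0800] "POST /images/photos/thumbs.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Mar/2011:10:07:00 -0800] "GET /gallery3/index.php HTTP/1.1" 200 9000 "-" "Googlebot/2.1"'

# Print "count ip path" for every POST to a .php file that sits under a directory
# meant for static assets. Legitimate Gallery3 requests go through index.php;
# a script dropped into an images/ folder shows up as repeated POSTs to it.
suspicious_posts() {
    printf '%s\n' "$1" | awk '
        $6 == "\"POST" && $7 ~ /\.php$/ && $7 ~ /\/(images|css|js|thumbs|fonts)\// {
            key = $1 " " $7; n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Requests per client address, so one host hammering the site stands out
# against normal visitors and search-engine bots.
requests_per_ip() {
    printf '%s\n' "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

suspicious_posts "$SAMPLE_LOG"
requests_per_ip "$SAMPLE_LOG"
```

Run it against a real log with `suspicious_posts "$(cat /path/to/access_log)"`; any .php file under an images/ or thumbs/ directory is worth opening and comparing against a clean copy of the software.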
Posts: 9
Shortly before I deleted my Gallery3 installation, I made a screenshot of the page in the superfish folder that the suspect machine was accessing when my site got hacked. It appears to be a file manager, with options to upload files. My question is: if someone got control of this, would they be able to upload files to my site, and therefore create the junk content pages and .htaccess files that were needed for this 'hack'? And, how could they get control of it?
[img]http://wengam.com/images/screen_shot_superfish.tiff[/img]
Posts: 304
You are not supposed to have a 404.php there. I don't.
But by the look of the sheer size of it (65 kB), I can guess it is the culprit, probably a huge script doing nasty things.
Maybe you should look into your ftpd and sshd accounts, change passwords, block unnecessary ports, only use ssh with key authentication, and finally monitor what's going on with netstat -n
--
http://inposure.se/
Posts: 9
Inposure: Thank you for the suggestions. I have changed passwords and my ISP is helping me.
I hope it is clear that the screenshot I posted is for a 'live', interactive, user interface file manager that appeared when I followed the URL that the 'intruder' was using. I don't know why I have it and you do not, except that I have installed plugins, so perhaps one of those put a .php file there.
Anyway, it seems like someone who could access this live manager could upload files not only in my Gallery3 area but in other unrelated adjacent folders in my web site.
All the alterations necessary to do this 'hack' were additions to my web site, no deletions seem to have been made.
Also: thanks for pointing out the size of the 404.php file. In fact, I do not recall accessing my Gallery3 installation since before the date of that file you can see in the screen shot.
Posts: 16503
I really doubt it. First, the webserver user shouldn't have access to write to that directory you posted anyway, ever, never.
Do you use plain FTP? Do you use some CMS software such as WordPress?
____________________________________________
Like Gallery? Like the support? Donate now!
Posts: 9
I use SFTP, either CyberDuck (Mac) for individual files or RapidWeaver uploading by SFTP.
Unless you call Gallery3 a CMS, I don't use a CMS; in particular I don't use WordPress.
Posts: 9
Update: the 404.php file inside my Gallery3 installation is just one of seven suspicious '.php' files that my ISP discovered in a variety of folders and locations on my website (and another website included under the same account). This is the only .php file in the Gallery3 installation folders. Needless to say, I have now deleted them all. To avoid discovery, they were all placed deep in folder nests and were given names appropriate to their location and surrounding files. Only the .php extension showed that they were different.
From access logs, most of the early suspicious activity on my site (as early as 6 weeks ago) came from a machine in Russia although, after I deleted some of the rogue files, further suspicious activity, as recently as today, was made from a machine located in the USA but apparently operated by the same intruder (rather unusually for the US, the intruder consistently uses Opera browser).
So, just to make it quite clear: there is nothing to suggest that this hack is anything to do with Gallery3. I will be reinstalling it when I have time.
[Edit]: and I was incorrect in saying I do not use WordPress, I do have it installed in the other website included under the same account as the 'hacked' one. It is not kept up to date so I will update it.
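The two things the ISP found, .php files named to blend in with their surroundings and .htaccess files that redirect search-engine visitors, can both be located with find and grep. This is an added example, not from the thread; it builds a small constructed web root in a temp directory so it runs offline, and the rewrite rule in it is made up to mirror the pattern described.

```shell
#!/bin/sh
# Constructed sample web root (file names and contents are made up for the demo).
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/gallery3/lib/superfish/images" "$root/photos/2010/thumbs" "$root/about"
    : > "$root/gallery3/index.php"
    : > "$root/gallery3/lib/superfish/images/404.php"   # PHP where only images belong
    : > "$root/photos/2010/thumbs/thumbs.php"            # named to blend in with thumbnails
    : > "$root/photos/2010/thumbs/IMG_0001.jpg"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google|yahoo|bing [NC]\nRewriteRule .* http://example.invalid/pills/ [R,L]\n' > "$root/about/.htaccess"
    printf 'DirectoryIndex index.html\n' > "$root/photos/.htaccess"
    echo "$root"
}

# .php files under directories that should only hold static assets. Gallery3 keeps
# its PHP under the application root, so PHP in images/ or thumbs/ is a red flag.
php_in_static_dirs() {
    find "$1" -type f -name '*.php' \
        \( -path '*/images/*' -o -path '*/thumbs/*' -o -path '*/css/*' -o -path '*/js/*' \) | sort
}

# .htaccess files whose rewrite rules depend on the referer: that is how visitors
# arriving from a search engine were sent to the spam pages while the site owner,
# typing the address directly, kept seeing the normal pages.
referer_redirect_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -li 'RewriteCond[[:space:]]*%{HTTP_REFERER}' {} + | sort
}

ROOT=$(make_sample_root)
php_in_static_dirs "$ROOT"
referer_redirect_htaccess "$ROOT"
```

On a real account, point both functions at the document root of every site under the account, since the thread's rogue files were spread across two sites.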
Posts: 26107
Thanks for that.
We are glad that you and your host are sorting things out.
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 9
I appreciate the civil and helpful replies here to my post, at a stressful moment!
Posts: 16503
If it truly was a problem with Gallery we want to know. But that sort of hack really reeks of your typical <insert WordPress-like software that has NEVER received any sort of security audit> hack.
Most sites are hacked/defaced because of shoddily written software (WordPress), people still using FTP, some other user's compromised account on the server if Apache or PHP happen to be run as a common user that has access to all sites hosted by the server, or occasionally the server itself or the root account is hacked. I've personally been at a host where the last 2 have happened and that's where I quickly started becoming an a-hole about what hosts to avoid and what hosts are o.k.
This is a real PITA, but if Apache or PHP are run as your user account you really should make sure that your files are read-only by you and the only files that must be changed on a regular basis (like those under /gallery3/var) are writable by the web server user. The PITA part comes when you want to do any updates, edit pages, etc. But you can use scripts to change permissions to "lock" things down and open them up if need be. The other option: keep good and frequent backups.
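The "lock it down, open it up for updates" scripts mentioned above can be a pair of small shell functions. This is an added example, not code from the thread or from the Gallery project; it builds a constructed Gallery3-like tree in a temp directory, and it assumes the web server user shares your group so that group-writable var/ is enough (on a real host, set the group with chgrp first).

```shell
#!/bin/sh
# Constructed Gallery3-like tree for the demo (made-up file names).
make_demo_site() {
    site=$(mktemp -d)/gallery3
    mkdir -p "$site/modules/gallery" "$site/var/albums" "$site/var/logs"
    : > "$site/index.php"
    : > "$site/modules/gallery/module.info"
    : > "$site/var/albums/photo.jpg"
    : > "$site/var/database.php"
    echo "$site"
}

# Lock: read-only everywhere except var/, which Gallery3 must write to (uploads,
# cache, logs). Group-writable var/ assumes the web server user is in your group.
lock_site() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
    find "$1/var" -type d -exec chmod 775 {} +
    find "$1/var" -type f -exec chmod 664 {} +
}

# Unlock for editing or upgrading; run lock_site again when done.
unlock_site() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Number of entries outside var/ with any write bit set; 0 means locked.
writable_outside_var() {
    find "$1" -path "$1/var" -prune -o \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | wc -l | tr -d ' '
}

SITE=$(make_demo_site)
lock_site "$SITE"
echo "writable entries outside var/ after lock: $(writable_outside_var "$SITE")"
```

Running `writable_outside_var` from cron and mailing yourself when it is non-zero turns the same check into a cheap tamper alarm.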
Posts: 35
nivekiam: Could you elaborate on the comment "people still using FTP". How is this a potential security hole?
Cheers...
Brian Grover
http://www.car-free.ca/gallery/
Posts: 16503
When using FTP instead of SFTP your username and password are sent in the clear. That means anyone sitting between you and your server (dozens of routers, etc) can see all of that traffic and with a packet sniffer it's really fast and easy to grab any and all usernames and passwords flying around on the wire or in the air. Not to mention any virus/trojan on the computer can see that information if it's not already acting as a key logger.
It is how the vast majority of user accounts are hacked.
Then things like this happen:
http://blog.dreamhosters.com/2007/06/06/dreamhost-ftp-accounts-hacked/
There is nothing even remotely secure about using plain old FTP.
Posts: 35
Thanks, nivekiam. I did not know that. We're way off topic now but is Filezilla FTP or SFTP?
Posts: 16503
FileZilla can do SFTP. Take a look at the port you're connecting with. If it's 21, you're using FTP. If it's 22, you're using SSH (SFTP), unless your host has really screwed things up and is using non-standard ports for stuff.
See the 2nd feature listed here:
http://filezilla-project.org/client_features.php
FTP = bad, if your host only allows this, find a new host.
FTP over SSL/TLS (FTPS) = good, your information would be encrypted. I haven't seen a lot of hosts who support it though.
SSH FTP (SFTP) = good, if your host allows you SSH access then you can use this option for sure, otherwise check with them.
If you have more questions, start a new thread in the general chit-chat forum:
http://gallery.menalto.com/forum/53
Posts: 35
Thanks, nivekiam, for the heads up. It took a couple tries but I got SFTP working. I'll never use plain vanilla FTP again. I wonder if this doesn't warrant a sticky. Could save an awful lot of grief.