Old January 23rd, 2006, 6:08 AM   #1 (permalink)
davotoula (Surpass Fan, Comfy Contributor; joined Oct 2004, 148 posts)
Exploited or hacked Gallery?

Every now and then I see the following in my logs:

Code:
PHP Warning:  Cannot modify header information - headers already sent by (output started at http://user7.phpinclude.ru/?...
The question mark is followed by base64 encoded information that contains my URL, IP and a query string.

It is related to two Gallery files:

Code:
slideshow.php
and
Code:
do_command.php
A quick search on Google shows that many sites have been affected:
http://www.google.com/search?hl=en&l...pinclude.ru%22

Does anyone know whether this is some sort of "page rank" hijacking or whether my Gallery installation has been compromised?

Gallery version 1.4.3pl6
http://gallery.menalto.com/
__________________
David Kaspar | SH60

Last edited by davotoula; January 23rd, 2006 at 6:17 AM..
Old January 23rd, 2006, 6:15 AM   #2 (permalink)
Kayla (Marketing Maven, Surpass Staff; joined May 2003, lives in Orlando, 24,749 posts)
Where are you seeing this? I went to the site in your signature and I haven't been able to see this error in any of the sections.
__________________
Follow Surpass on Twitter and Facebook
Check out the Surpass Blog
Old January 23rd, 2006, 6:23 AM   #3 (permalink)
davotoula (Surpass Fan, Comfy Contributor; joined Oct 2004, 148 posts)
Thanks for the quick reply.

For now I redirect all gallery.davidkaspar.com requests to photos.davidkaspar.com as this is a newer 2.0 installation.

The errors are not visible while browsing the site, only in the error logs (which suggests page rank hijacking; there is a status code for it).

This Google search is a further sign:
http://www.google.com/search?hl=en&q...avidkaspar.com

I just noticed that Gallery 1.5.2 is out with "XSS security fixes" so first thing I'll do is upgrade to 1.5.2.

cheers,
__________________
David Kaspar | SH60
Old January 24th, 2006, 11:22 AM   #4 (permalink)
davotoula (Surpass Fan, Comfy Contributor; joined Oct 2004, 148 posts)
It was a "Page Hijack: The 302 Exploit" I was talking about and am worried about.

http://clsc.net/research/google-302-page-hijack.htm
__________________
David Kaspar | SH60
Old January 24th, 2006, 1:16 PM   #5 (permalink)
davotoula (Surpass Fan, Comfy Contributor; joined Oct 2004, 148 posts)
It is now obvious that my site was hacked. I discovered the following symptoms:

1. New PHP files were dropped into many directories. Names were random and often: base, finfo, tests, remote, etc.

2. New .htaccess files were in most subdirs. They declared the 404 error document to be one of the above PHP files.

3. Added PHP blocks in existing PHP files. The block submitted information to a .ru site.

4. Added JS block in PHP (maybe HTML) files that inserted an iframe from xxx.iframe.ru with malicious content.

I recommend that you scan your directories for suspicious files and change all your passwords (FTP, blog, forum), as I noticed cookie-stealing code.
__________________
David Kaspar | SH60
Old January 24th, 2006, 6:51 PM   #6 (permalink)
SkinnyDawg (Registered User, Comfy Contributor; joined Nov 2004, lives in Henderson Kentucky, hosted on PASS49 and dedicated, 110 posts)
I was hit with this. Exactly as described here.

Doesn't seem to be a whole lot one can do to actually stop the hijacking...
__________________
Pray Harder ... Time's Short
OC10 on PASS49 http://www.smallbusinessnetworks.us
Old January 25th, 2006, 6:06 AM   #7 (permalink)
davotoula (Surpass Fan, Comfy Contributor; joined Oct 2004, 148 posts)
Man.. that is one SCARY dog!

It was NOT a form of 302 hi-jacking. I was misled to think this because I saw many errors from the Google bot in my error log. Somehow the Google bot was failing to include the malicious code and this made me aware of the issue.

I think I avoided the worst damage because my affected site is a subdomain which is served from a subdirectory in my home dir. This confused the attacking script, as it was trying to include itself from the web root and kept adding the subdir to the URL.

In other news, like you say, there is no way to protect oneself against a 302 hijacking. Also there is no way to protect your site against a hack that was caused by an outdated script on a different site that is residing on the same server as your site :-(
__________________
David Kaspar | SH60
Old January 25th, 2006, 2:11 PM   #8 (permalink)
h20ho (Registered User, Seasoned Poster; joined Dec 2005, lives in BKK, hosted on pass49, 34 posts)
This too happened to my sites:
http://surmunity.com/showthread.php?t=17024
How did this happen?
Old February 16th, 2006, 10:37 AM   #9 (permalink)
davotoula (Surpass Fan, Comfy Contributor; joined Oct 2004, 148 posts)
Re: Exploited or hacked?

I have now carefully gone through all of my directories and files and have made sure that:

no foreign .htaccess files
no 777 directories
no 777 files
checked all my own php/html files for foreign blocks of code
rebuilt all dynamically generated content (from CMS)

Especially 777 directories seem to be dangerous, so I recommend that you chmod them to 755 to stay safe.

My Movable Type installation seemed to be creating 777 directories by default so I had to change a config file to force it to create directories with 755 and files with 644.
__________________
David Kaspar | SH60
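An added defender-side audit script, not from the thread or any poster, that automates the checklist in this post and looks for the symptoms listed in post #5 (dropped PHP files reached via an .htaccess 404 handler, obfuscated PHP blocks, hidden iframes, world-writable directories). The sample web root, its file names and the placeholder URL are constructed for the demo; run with `--demo` to see it on that sample.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root for the indicators the
# posts describe (world-writable dirs/files, .htaccess routing 404s to a PHP
# file, obfuscated PHP or hidden iframes in site files) and apply the 755/644
# fix from post #9. The sample web root below is constructed for the demo.
# Count world-writable (chmod 777-style) directories and files under $1.
count_world_writable() {
  find "$1" -perm -0002 \( -type d -o -type f \) | wc -l | tr -d ' '
}
# List .htaccess files whose ErrorDocument 404 points at a .php handler.
suspicious_htaccess() {
  find "$1" -name .htaccess -type f \
    -exec grep -il 'ErrorDocument[[:space:]]*404[[:space:]].*\.php' {} \;
}
# List PHP/HTML files with an obfuscated eval/include or a zero-size iframe.
suspicious_code() {
  find "$1" \( -name '*.php' -o -name '*.html' \) -type f \
    -exec grep -lE 'base64_decode|<iframe[^>]*(width|height)="?0' {} \;
}
# Remediation from post #9: directories to 755, files to 644.
harden_perms() {
  find "$1" -type d -perm -0002 -exec chmod 755 {} \;
  find "$1" -type f -perm -0002 -exec chmod 644 {} \;
}
# Constructed sample web root (placeholder content only) so the checks run offline.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/gallery/albums" "$root/blog"
  printf 'ErrorDocument 404 /gallery/base.php\n' > "$root/gallery/.htaccess"
  printf 'Options -Indexes\n' > "$root/blog/.htaccess"          # benign
  printf '<?php echo "hi"; ?>\n<?php eval(base64_decode("PLACEHOLDER")); ?>\n' \
    > "$root/gallery/index.php"
  printf '<html><iframe src="http://EXAMPLE.invalid/" width=0 height=0></iframe></html>\n' \
    > "$root/blog/index.html"
  printf '<?php echo "clean"; ?>\n' > "$root/blog/clean.php"
  find "$root" -type f -exec chmod 644 {} \;
  chmod 755 "$root/gallery" "$root/blog"
  chmod 777 "$root/gallery/albums"                               # the 777 dir
  echo "$root"
}
if [ "${1:-}" = "--demo" ]; then
  r=$(make_sample_root)
  echo "777 entries: $(count_world_writable "$r")"
  suspicious_htaccess "$r"; suspicious_code "$r"
  harden_perms "$r"; echo "after fix: $(count_world_writable "$r")"; rm -rf "$r"
fi
```

Point the functions at a real document root instead of the sample to audit a hosting account; review each hit by hand, since `base64_decode` also appears in legitimate code.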