Spam script included in Current Package

peidemiller
New Member
Posts: 5
Joined: Fri Aug 21, 2015 2:35 pm

Spam script included in Current Package

Post by peidemiller »

I installed cmsmadesimple-1.12-full.tar.gz on my server this weekend. There is a script in it that starts sending out spam; it started yesterday.

From my system admin
---
/var/www/html/cms_....../lib/lang/cms_selflink/ext/
was file stats72.php

it's an encrypted script; the unencrypted version is stored in 73.php
created half a year ago
attacker IP 97.64.150.78; he sends POST queries
POST /lib/lang/cms_selflink/ext/stats72.php HTTP/1.0

------
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Spam script included in Current Package

Post by calguy1000 »

Where did you download the package from? Did you verify the md5 signature of the downloaded package? Are you sure that your PC isn't infected?

I just downloaded the exact same version of CMSMS from the CMSMS website, verified the MD5 signature and then looked at the contents. As you can see from the commands I executed below, there is no stats package anywhere in our archive.

rob@rob-desktop:~/Downloads$ tar ztvf cmsmadesimple-1.12-full.tar.gz | grep cms_selflink
-rw-r--r-- root/root 11640 2015-03-28 10:40 ./plugins/function.cms_selflink.php
drwxr-xr-x root/root 0 2015-04-12 12:06 ./lib/lang/cms_selflink/
drwxr-xr-x root/root 0 2015-04-12 12:06 ./lib/lang/cms_selflink/ext/
-rw-r--r-- root/root 373 2011-04-15 08:03 ./lib/lang/cms_selflink/ext/hu_HU.php
-rw-r--r-- root/root 410 2010-12-14 08:46 ./lib/lang/cms_selflink/ext/pt_BR.php
-rw-r--r-- root/root 318 2012-05-19 13:11 ./lib/lang/cms_selflink/ext/de_DE.php
-rw-r--r-- root/root 399 2010-09-22 06:21 ./lib/lang/cms_selflink/ext/nl_NL.php
-rw-r--r-- root/root 411 2011-09-24 17:59 ./lib/lang/cms_selflink/ext/fa_FA.php
-rw-r--r-- root/root 412 2010-11-01 11:37 ./lib/lang/cms_selflink/ext/fi_FI.php
-rw-r--r-- root/root 383 2011-07-11 02:37 ./lib/lang/cms_selflink/ext/ar_AR.php
-rw-r--r-- root/root 104 2014-05-06 11:31 ./lib/lang/cms_selflink/ext/fr_FR.php
-rw-r--r-- root/root 410 2010-10-02 04:34 ./lib/lang/cms_selflink/ext/sr_YU.php
-rw-r--r-- root/root 380 2010-10-27 09:23 ./lib/lang/cms_selflink/ext/pl_PL.php
-rw-r--r-- root/root 379 2011-02-28 02:57 ./lib/lang/cms_selflink/ext/ro_RO.php
-rw-r--r-- root/root 359 2011-03-27 14:06 ./lib/lang/cms_selflink/ext/da_DK.php
-rw-r--r-- root/root 315 2012-02-15 15:15 ./lib/lang/cms_selflink/ext/et_EE.php
-rw-r--r-- root/root 412 2010-09-22 03:32 ./lib/lang/cms_selflink/ext/hr_HR.php
-rw-r--r-- root/root 402 2011-05-10 02:18 ./lib/lang/cms_selflink/ext/gl_GL.php
-rw-r--r-- root/root 443 2010-10-11 10:27 ./lib/lang/cms_selflink/ext/ru_RU.php
-rw-r--r-- root/root 108 2014-08-19 04:48 ./lib/lang/cms_selflink/ext/sk_SK.php
-rw-r--r-- root/root 422 2010-09-11 12:18 ./lib/lang/cms_selflink/ext/nb_NO.php
-rw-r--r-- root/root 388 2010-09-27 12:15 ./lib/lang/cms_selflink/ext/sv_SE.php
-rw-r--r-- root/root 373 2010-11-02 06:14 ./lib/lang/cms_selflink/ext/it_IT.php
-rw-r--r-- root/root 345 2012-04-02 23:25 ./lib/lang/cms_selflink/ext/vi_VN.php
-rw-r--r-- root/root 396 2010-09-15 11:56 ./lib/lang/cms_selflink/ext/es_ES.php
-rw-r--r-- root/root 395 2011-02-10 08:42 ./lib/lang/cms_selflink/ext/tr_TR.php
-rw-r--r-- root/root 444 2011-02-11 14:40 ./lib/lang/cms_selflink/ext/cs_CZ.php
-rw-r--r-- root/root 394 2010-10-10 11:07 ./lib/lang/cms_selflink/ext/sl_SI.php
-rw-r--r-- root/root 26 2015-04-12 12:06 ./lib/lang/cms_selflink/ext/index.html
-rw-r--r-- root/root 358 2012-08-08 14:54 ./lib/lang/cms_selflink/ext/zh_TW.php
-rw-r--r-- root/root 318 2012-12-29 09:56 ./lib/lang/cms_selflink/ext/lt_LT.php
-rw-r--r-- root/root 313 2012-06-25 05:13 ./lib/lang/cms_selflink/ext/en_CY.php
-rw-r--r-- root/root 373 2012-02-02 14:35 ./lib/lang/cms_selflink/ext/pt_PT.php
-rw-r--r-- root/root 84 2010-09-09 11:02 ./lib/lang/cms_selflink/en_US.php
-rw-r--r-- root/root 26 2015-04-12 12:06 ./lib/lang/cms_selflink/index.html
rob@rob-desktop:~/Downloads$ tar ztvf cmsmadesimple-1.12-full.tar.gz | grep stats
rob@rob-desktop:~/Downloads$
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
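The two checks calguy1000 runs above (compare the download's digest with the published one, then read the archive listing for members that have no business being in a release) as an added Python example. This is not code from the CMSMS project or from anyone in this thread: it builds a constructed sample tarball in memory, so the digest it compares against is computed from that sample rather than taken from the CMSMS download page, and the name patterns it flags (stats*.php and page*.php, plus any non-locale .php file under lib/lang/*/ext/) are assumptions drawn from the file names reported in this thread, not an official list.

```python
"""Added example, not CMSMS project code: verify a downloaded package's digest
and list archive members that look out of place (constructed sample data)."""
import hashlib
import io
import re
import tarfile

# Locale files are the only PHP expected under lib/lang/<plugin>/ext/ (de_DE.php, pt_BR.php, ...).
LOCALE_FILE = re.compile(r"^[a-z]{2}_[A-Z]{2}\.php$")
# File names reported as dropped by the attacker in this thread (assumed pattern, not an official list).
DROPPED_NAME = re.compile(r"^(stats|page)\d+\.php$")


def md5_hex(data: bytes) -> str:
    """Digest of the archive bytes, to compare with the value shown on the download page."""
    return hashlib.md5(data).hexdigest()


def verify_checksum(data: bytes, published: str, algo: str = "md5") -> bool:
    """True when the archive's digest equals the published one (hex, case-insensitive)."""
    return hashlib.new(algo, data).hexdigest() == published.strip().lower()


def unexpected_members(data: bytes) -> list[str]:
    """Scan the archive listing (no extraction) and return members that should not ship in a release."""
    suspicious = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            base = parts[-1]
            in_lang_ext = len(parts) > 2 and "lang" in parts and parts[-2] == "ext"
            if DROPPED_NAME.match(base):
                suspicious.append(member.name)
            elif in_lang_ext and base.endswith(".php") and not LOCALE_FILE.match(base):
                suspicious.append(member.name)
    return suspicious


def build_sample_package(plant_extra: bool) -> bytes:
    """Constructed sample tarball (uncompressed, fixed mtimes, so its bytes are reproducible);
    with plant_extra=True it also carries a stats72.php like the one reported in the thread."""
    members = {
        "./plugins/function.cms_selflink.php": b"<?php // plugin stub\n",
        "./lib/lang/cms_selflink/ext/de_DE.php": b"<?php // de_DE strings\n",
        "./lib/lang/cms_selflink/ext/index.html": b"<!-- -->\n",
    }
    if plant_extra:
        members["./lib/lang/cms_selflink/ext/stats72.php"] = b"<?php // planted placeholder\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_package(plant_extra=False)
    tampered = build_sample_package(plant_extra=True)
    published = md5_hex(clean)  # stands in for the digest published on the download page
    print("clean verifies:", verify_checksum(clean, published))
    print("tampered verifies:", verify_checksum(tampered, published))
    print("unexpected members:", unexpected_members(tampered))
```

On a real download, pass the bytes of the .tar.gz you fetched and the digest string copied from the download page; the listing check never extracts anything, so it is safe to run on an archive you do not yet trust. A digest mismatch means the archive is not the one the project published, whatever its listing looks like.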
peidemiller
New Member
Posts: 5
Joined: Fri Aug 21, 2015 2:35 pm

Re: Spam script included in Current Package

Post by peidemiller »

I downloaded directly from the downloads link on the CMSMS. I didn't run the signing, shame on me, won't do that again. :-)

The package was downloaded to my Mac, then uploaded and decompressed on my hosting via the Webmin upload functionality on AWS.

I still have the package locally if you want a copy.
---
I did three installs on that same server with the same package. I'm double-checking with my admin to see whether that's the only one that has an issue.
tumaykilinc
New Member
Posts: 5
Joined: Sat Jul 28, 2012 9:48 am

Re: Spam script included in Current Package

Post by tumaykilinc »

My clients and I have experienced the same problem, and are still experiencing it, since August 20. The system is sending spam and hosting providers are suspending our accounts. Not only the last version (1.12) was infected, but also an older version of CMSMS (1.11.4).

The thing is, each of them had the malware script in a different location, and the index.php and config.php code was changed (some crypto code on top).
[removed by moderator]
The other 3 sites had them elsewhere with different file names.

I will do a clean installation on each website as soon as they get unsuspended, and hope it won't happen again.
Last edited by Jo Morg on Sun Aug 23, 2015 6:17 pm, edited 1 time in total.
Reason: Please do not post the code of hacked sites
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Spam script included in Current Package

Post by Jo Morg »

tumaykilinc wrote:The system is sending spam and hosting providers are suspending our accounts. Not only last version(1.12) was infected, but also an older version of CMSMS(1.11.4) was infected.
That is not correct. The sites may have been hacked for a number of reasons. We do not provide infected packages.

If you follow a few procedures, CMSMS is secure. Other scripts (CMSs or others) on the same server (and not necessarily on the same account) may be compromised to enable access to the file system.
Typically, good hosts work with their clients to find the source or the weak link, so you may have to request some help from your hosting provider (actually, suspending accounts without any warning or attempt to investigate the source of the issue seems a bit uncommon...).
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
peidemiller
New Member
Posts: 5
Joined: Fri Aug 21, 2015 2:35 pm

Re: Spam script included in Current Package

Post by peidemiller »

Obviously, looking at where the bad file is would lead us to a CMSMS distro issue at first.

We thought we'd nabbed it yesterday, but back today in the same place on one of the cmsms installs.

It's back in this location:
-rw-r--r-- 1 apache apache 155149 Jan 24 2015 ./cms***/admin/themes/OneEleven/page68.php
peidemiller
New Member
Posts: 5
Joined: Fri Aug 21, 2015 2:35 pm

Re: Spam script included in Current Package

Post by peidemiller »

Just checked config.php and found this before the "#CMS Made Simple Configuration File" line.

<? php $ cookey="."; preg_replace("."); ? ><?php

Is that supposed to be there?

I'm not sure that I have a clean reference anywhere in my system if I've got malware.
Jeff
Power Poster
Posts: 961
Joined: Mon Jan 21, 2008 5:51 pm
Location: MI

Re: Spam script included in Current Package

Post by Jeff »

No it shouldn't be there.

I would recommend downloading a clean copy from our servers.
peidemiller
New Member
Posts: 5
Joined: Fri Aug 21, 2015 2:35 pm

Re: Spam script included in Current Package

Post by peidemiller »

**Update
We found the <? php $ cookey="."; preg_replace("."); ? ><?php in the config.php of each cmsms instance on our server. Cleaned the file and locked down permissions to 444 on that and index.php (the post above mentioned a similar issue with index.php).

We also blocked inbound IPs that were pinging the foreign files added to the cmsms directory structure.

Permissions change doesn't seem to have impacted site performance.
tumaykilinc
New Member
Posts: 5
Joined: Sat Jul 28, 2012 9:48 am

Re: Spam script included in Current Package

Post by tumaykilinc »

That is not correct. The sites may have been hacked for a number of reasons. We do not provide infected packages.
No, this is not what I said, of course. However, I experienced this issue on 4 hosting companies with only CMSMS installed on them, and I think there is an exploit that causes this. Each hosting company handled the situation in a different way; most are solved, and I did a clean installation on all of them. However, I request that you look into this issue, please, because this can happen again.

While searching about this issue i found another CMSMS site that was infected. [edit: remove link to possibly infected website]

The date and the issue addressed are the same as our problem.

We found the <? php $ cookey="."; preg_replace("."); ? ><?php in each config.php cmsms instance on our server.
Peidemiller, it existed in my config.php as well. It is also in version.php page, you might want to check that too.
Last edited by velden on Tue Aug 25, 2015 8:55 am, edited 1 time in total.
Reason: removed link to website
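The check peidemiller's update describes (a second PHP block prepended before the real opening tag of config.php and index.php), extended to version.php as tumaykilinc notes, as an added Python example. This is not code from the CMSMS project or from anyone in this thread; the sample file contents are constructed, the injected block is a harmless placeholder rather than the real payload, and the two indicators it uses (a leading `<?...?>` block immediately followed by a second `<?php`, and the `$cookey` name quoted in this thread) are assumptions drawn from the posts above.

```python
"""Added example, not CMSMS project code: find PHP files with a block prepended
before their real opening tag (the $cookey injection reported in this thread)
and produce a cleaned copy. Sample contents are constructed placeholders."""
import re
from pathlib import Path

# A PHP block that opens at the very start of the file, closes with ?>, and is
# immediately followed by a second opening tag: the original file's own <?php.
PREPENDED_BLOCK = re.compile(r"\A\s*<\?(?:php\b)?.*?\?>\s*(?=<\?php)", re.DOTALL)
# Variable name seen in every injected block quoted in this thread.
COOKEY_MARKER = re.compile(r"\$\s*cookey\b")

# Constructed sample tree: two infected files, two clean ones. The injected
# block is a harmless placeholder, not the real payload.
SAMPLE_FILES = {
    "site1/config.php": '<?php $cookey="x"; /* placeholder */ ?><?php\n#CMS Made Simple Configuration File\n$config["dbms"] = "mysqli";\n',
    "site1/version.php": '<?php $cookey="x"; ?><?php\n$CMS_VERSION = "1.12";\n',
    "site1/index.php": '<?php\n# CMS Made Simple front controller\nrequire_once("include.php");\n',
    "site2/config.php": '<?php\n#CMS Made Simple Configuration File\n$config["dbms"] = "mysqli";\n',
}


def load_php_files(root: str) -> dict[str, str]:
    """Read every .php file under root (use this instead of SAMPLE_FILES on a real host)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}


def find_injected(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious path to the reasons it was flagged."""
    hits = {}
    for path, text in files.items():
        reasons = []
        if PREPENDED_BLOCK.match(text):
            reasons.append("php block prepended before original opening tag")
        if COOKEY_MARKER.search(text):
            reasons.append("known marker $cookey present")
        if reasons:
            hits[path] = reasons
    return hits


def strip_prepended_block(text: str) -> str:
    """Return the file with the prepended block removed; unchanged if none is found."""
    return PREPENDED_BLOCK.sub("", text, count=1)


if __name__ == "__main__":
    for path, reasons in find_injected(SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
        print("  first line after cleaning:", strip_prepended_block(SAMPLE_FILES[path]).splitlines()[0])
```

Run it with `load_php_files("/var/www/html")` in place of `SAMPLE_FILES` to cover every script under a document root, not just config.php. Stripping the prepended block and setting the file to 444, as peidemiller did, only removes the one indicator you know about: scooper's post below the one above makes the same point, that other files were added elsewhere, so treat a hit as a reason to restore from a known good backup rather than as the whole clean-up.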
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Spam script included in Current Package

Post by Jo Morg »

tumaykilinc wrote:
That is not correct. The sites may have been hacked for a number of reasons. We do not provide infected packages.
No, this is not what i said of course.
I stand corrected, sorry. Given the original post title that was my read.
tumaykilinc wrote:However i experienced this issue on 4 hosting companies with only CMSMS installed on them, and i think there is an exploit to cause this. Each hosting company handled the situation in a different way, most are solved, i did clean installation on all of them. However i request you to look into this issue please, because this can happen again.
Most, if not all, of the Dev Team members work with tons of CMSMS installations, from pretty simple one-page sites to huge and complex sites, from test sites to popular sites with hundreds of hits. We take all security reports seriously, even though we only act upon the valid ones. If this were a CMSMS vulnerability there would be far more reports and, inevitably, we would witness first hand the results of such attacks.
A quick search on Google gave me the impression that this is a WP vulnerability, particularly one related to a specific plugin.
If this was to be a CMSMS vulnerability we would need far more information than what has been given in any of the posts so far, including but not limited to:
- System info (CMSMS version, PHP version, etc...);
- server error and access logs;
- list of other scripts installed on the same server;
- Server environment settings;
- etc...

In short: we would need to be able to reproduce the vulnerability in order to solve it.


So far there is no evidence that this is a CMSMS vulnerability.

Additionally, please keep in mind that there are other factors that contribute to opening a backdoor to a system:
- other accounts on the same server with vulnerable scripts or otherwise compromised (it doesn't necessarily have to be on the same account);
- site developers with infected computers (possible viruses, trojans and keyloggers);

Also please remember that, after recovering a site from a backup, additional measures should be taken to ensure that the system cannot be further compromised:
- change ALL passwords, for FTP, cPanel, administrator accounts and make sure you do not have any FTP accounts on your server that should not be there at all;
- update CMSMS and 3rd party modules to the latest versions;
- try to implement our security suggestions;
- update and secure other scripts or web applications that might be running on your server;

HTH
stephane
New Member
Posts: 4
Joined: Tue Sep 01, 2015 8:15 pm

Re: Spam script included in Current Package

Post by stephane »

Hello,

I have experienced the same problem since 20 Aug....

I can reproduce the "hack".... it can be exploited when install folder is not deleted....

it is this exploit: http://seclists.org/bugtraq/2014/Dec/39

sorry for my bad English, I am French....

I post only for those who experience this problem.... delete the install folder !!!

cordialement...
s. o.
scooper
Forum Members
Posts: 242
Joined: Fri Dec 09, 2005 12:36 pm
Location: Marlow, UK

Re: Spam script included in Current Package

Post by scooper »

Just to add my twopennoth to stephane's comment.

We had a site infected with this cookey hack last week as well. When we trawled through the log files we found the vector was indeed through the install script which hadn't been removed (yes yes I know it should have been deleted).

There were several files that had been uploaded to the server in various seemingly random places, as well as changes to the config file, so it was not just a case of removing the code injected into config.php. You'll need to revert to a known good backup if you're not able to determine which files have been changed.

I guess the lesson is to make sure you remove the install folder when upgrading / installing. Could we perhaps insist the folder is removed rather than just showing the warning?
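The log trawl scooper describes, looking for the vector stephane names (a leftover install folder) and for the scripts the first post's admin saw being POSTed to under lib/lang/, as an added Python example; it is also the kind of access-log evidence Jo Morg asks for above. This is not code from the CMSMS project or from anyone in this thread: the log lines are constructed (Apache combined format, documentation-range client addresses), and the list of directories treated as data-only (lib/lang/, admin/themes/, uploads/, tmp/) is an assumption drawn from the paths reported in this thread.

```python
"""Added example, not CMSMS project code: triage web server access logs for the
two things this thread points at, traffic to a leftover install/ folder and
PHP files being requested from directories that should only hold data."""
import re
from collections import Counter

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories in a CMSMS 1.x tree that ship locale strings, theme assets or user
# uploads (assumed list); a request for a .php file under them is an indicator.
DATA_ONLY_DIRS = ("/lib/lang/", "/admin/themes/", "/uploads/", "/tmp/")

# Constructed sample log: one client probes the install folder and then drives a
# dropped script; a second client is ordinary site traffic.
SAMPLE_LOG = [
    '203.0.113.9 - - [20/Aug/2015:03:12:01 +0000] "GET /install/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Aug/2015:03:12:07 +0000] "POST /install/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Aug/2015:09:40:33 +0000] "POST /lib/lang/cms_selflink/ext/stats72.php HTTP/1.0" 200 44 "-" "-"',
    '198.51.100.4 - - [21/Aug/2015:09:41:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 9320 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Aug/2015:09:41:05 +0000] "GET /admin/themes/OneEleven/images/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]


def triage(lines):
    """Return one record per flagged request, with the reasons it was flagged."""
    flagged = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparsable line; on a real host count these separately
        path = m["path"].split("?", 1)[0]
        reasons = []
        if "/install/" in path:
            reasons.append("request to leftover install directory")
        if path.endswith(".php") and any(d in path for d in DATA_ONLY_DIRS):
            reasons.append("request for a PHP file in a data-only directory")
        if reasons:
            flagged.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                            "path": path, "status": int(m["status"]), "reasons": reasons})
    return flagged


def top_clients(flagged):
    """Client addresses ranked by number of flagged requests: the first thing to report to the host."""
    return Counter(rec["ip"] for rec in flagged).most_common()


if __name__ == "__main__":
    records = triage(SAMPLE_LOG)
    for rec in records:
        print(rec["ts"], rec["ip"], rec["method"], rec["path"], rec["status"], "|", "; ".join(rec["reasons"]))
    print("clients:", top_clients(records))
```

Feed it the real file with `triage(open("/var/log/apache2/access.log"))` (or the host's equivalent). A 200 on a request under install/ after the site went live is the finding that matters most here: it confirms the folder was still present, which is what stephane and scooper both identified, and the timestamps give the host the window to look at.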
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Spam script included in Current Package

Post by Jo Morg »

scooper wrote:I guess the lesson is to make sure you remove the install folder when upgrading / installing. Could we perhaps insist the folder is removed rather than just showing the warning?
In CMSMS 2.0 the installer locks the config.php file so that it is read only. You won't be able to alter the config file by reinstalling CMSMS.
Removing the folder after installation is, IMO, not a CMSMS installer responsibility for a number of reasons. But the warning is there... if people choose to ignore it...
hexdj
Power Poster
Posts: 415
Joined: Sat Mar 24, 2007 8:28 am

Re: Spam script included in Current Package

Post by hexdj »

I am currently having this issue with an old site. I did clean up the config.php file and removed the install directory but ALL .php files in every directory have been infected.