Host Fasthosts thinks /FileManager/untgz.php is compromised

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
paulbaker
Dev Team Member
Posts: 1465
Joined: Sat Apr 18, 2009 10:09 pm

Host Fasthosts thinks /FileManager/untgz.php is compromised

Post by paulbaker »

Client of a client uses CMSMS on Fasthosts. :-X *

CMSMS v 1.12.1.

All worked well for a few days. Then Fasthosts switched the site off and sent a message:

[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] -----------------------------------------------------------------------
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] This scan has been initiated by an automated process to search for
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] files and installations that may be compromised
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] No changes are made to your site during this scan.
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] Version 2.1.13 [Built 17-11-2015]
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] -----------------------------------------------------------------------
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [                 INFO ] Checking /home/linweb22/k/example.com-1085056276/user/htdocs/
[linweb22] [2015/11/21 18:24:11] [isvpmrtl] [   HIT (Chundler) (4) ] /home/linweb22/k/example.com-1085056276/user/htdocs/modules/FileManager/untgz.php
[linweb22] [2015/11/21 18:24:35] [isvpmrtl] [              SUMMARY ] [/home/linweb22/k/example.com-1085056276/user/htdocs/] [2319 files found] [1507 files scanned]
[linweb22] [2015/11/21 18:24:35] [isvpmrtl] [              SUMMARY ] [/home/linweb22/k/example.com-1085056276/user/htdocs/] [Compromises: 1 potential hit, Average score=4/5, Highest score=4]
[linweb22] [2015/11/21 18:24:35] [isvpmrtl] [              SUMMARY ] [/home/linweb22/k/example.com-1085056276/user/htdocs/] [Scan completed in 35 seconds]

So it found file /modules/FileManager/untgz.php to be compromised, saying "Chundler" is the hit.

I downloaded the file from the switched-off site and compared it to what I uploaded a few weeks earlier. Identical.

I compared the file from the switched-off site with the same file from a similar version of CMSMS. Identical.

The untgz.php file is this one:

https://github.com/svn2github/repo/blob ... /untgz.php

Client of client contacted host and said:
Fasthosts say this file will need cleaning or replacing.
I want a quiet life, so I have just deleted the file for now and asked the client to request a re-scan which should get the site up and running again.

1. What does the file do? (Looks like some zip/unzip utilities)

2. What won't the back end be able to do without it?

3. Has anyone heard of this accusation before? (Couldn't find anything like it with a forum search).

Thanks!

* I used Fasthosts myself in 2001. Service was so bad I left them and vowed never to use them again. I haven't, but sadly some clients choose to.
To copy System Information to the forum:
https://docs.cmsmadesimple.org/troubles ... nformation

CMS Made Simple Geekmoots attended:
Nottingham, UK 2012 | Ghent, Belgium 2015 | Leicester, UK 2016
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Post by Rolf »

Do a file checksum first
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Image
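
Added example (not part of the original thread and not CMSMS code): a checksum triage that works from outside the site, so it does not need the admin area. It parses HIT lines in the format of the scan report quoted above and compares each flagged file with the same path in a pristine copy of the release. The second log line, the directory arguments and the verdict names are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: first line follows the report quoted in the thread, second is invented.
DOCROOT = "/home/linweb22/k/example.com-1085056276/user/htdocs/"
SAMPLE_LOG = (
    "[linweb22] [2015/11/21 18:24:11] [isvpmrtl] [   HIT (Chundler) (4) ] "
    + DOCROOT + "modules/FileManager/untgz.php\n"
    "[linweb22] [2015/11/21 18:24:12] [isvpmrtl] [   HIT (ExampleSig) (5) ] "
    + DOCROOT + "uploads/cache.php\n"
)
HIT_RE = re.compile(r"\[\s*HIT \((?P<sig>[^)]+)\) \((?P<score>\d+)\)\s*\]\s+(?P<path>/\S+)")

def parse_hits(log_text, docroot):
    """Return (signature, score, path relative to docroot) for every HIT line."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if m and m["path"].startswith(docroot):
            hits.append((m["sig"], int(m["score"]), m["path"][len(docroot):].lstrip("/")))
    return hits

def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(log_text, docroot, site_copy, reference):
    """Classify each flagged file against a pristine release tree (assumed trusted)."""
    results = {}
    for sig, score, rel in parse_hits(log_text, docroot):
        live, ref = Path(site_copy, rel), Path(reference, rel)
        if not ref.is_file():
            verdict = "not-in-release"   # not shipped with the CMS: inspect by hand
        elif not live.is_file():
            verdict = "missing"          # flagged file absent from the downloaded copy
        elif sha256_file(live) == sha256_file(ref):
            verdict = "matches-release"  # byte-identical: points to a scanner false positive
        else:
            verdict = "modified"         # differs from the release: treat as suspect
        results[rel] = (sig, score, verdict)
    return results

if __name__ == "__main__":
    print(parse_hits(SAMPLE_LOG, DOCROOT))
```

A "matches-release" verdict is only as good as the reference tree, which should be unpacked from an archive downloaded independently of the site under investigation.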

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Post by paulbaker »

The host has switched off the entire site, admin area included, so I can't (can I?)

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Post by Rolf »

No, you have to have Admin access for that...
Jo Morg
Dev Team Member
Posts: 1973
Joined: Mon Jan 29, 2007 4:47 pm

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Post by Jo Morg »

paulbaker wrote: So it found file /modules/FileManager/untgz.php to be compromised saying "Chundler" is the hit.

I downloaded the file from the switched-off site and compared it to what I uploaded a few weeks earlier. Identical.

I compared the file from the switched-off site with the same file from a similar version of CMSMS. Identical.

There is nothing wrong with that file whatsoever, and I don't get anything on Google (not even on false positives in scans) regarding that file. So I have to assume that the algorithm that Fasthosts is using to scan is finding some pattern that may look like a signature of some exploit. Probably an outdated signatures database on their side... but this is me guessing...

paulbaker wrote: I want a quiet life, so I have just deleted the file for now and asked the client to request a re-scan which should get the site up and running again.

1. What does the file do? (Looks like some zip/unzip utilities)

2. What won't the back end be able to do without it?

3. Has anyone heard of this accusation before? (Couldn't find anything like it with a forum search).

1. & 2. File Manager has the ability to unpack archives, and that is part of that functionality. I believe there are other PHP applications using it, other than CMSMS. So you'd lose that feature...
3. Nope, and there seems to be nothing about it on a web search either.

My advice: change host ASAP.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Post by paulbaker »

Jo Morg wrote: My advice: change host ASAP.

Thanks very much for the help Jo and the confirmation that the host has got it wrong. It's not my hosting to change, I was just asked to investigate when it stopped working. I very much doubt they will miss that functionality but if they do and they ask me about it I will be happy to explain what to do to resolve. ;D

Thanks again.