Host Fasthosts thinks /FileManager/untgz.php is compromised

Posted: Fri Nov 27, 2015 12:30 am
by paulbaker
Client of a client uses CMSMS on Fasthosts. :-X *

CMSMS v 1.12.1.

All worked well for a few days. Then Fasthosts switched the site off and sent a message:

[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] -----------------------------------------------------------------------
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] This scan has been initiated by an automated process to search for
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] files and installations that may be compromised
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] No changes are made to your site during this scan.
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] Version 2.1.13 [Built 17-11-2015]
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [               NOTICE ] -----------------------------------------------------------------------
[linweb22] [2015/11/21 18:24:00] [isvpmrtl] [                 INFO ] Checking /home/linweb22/k/example.com-1085056276/user/htdocs/
[linweb22] [2015/11/21 18:24:11] [isvpmrtl] [   HIT (Chundler) (4) ] /home/linweb22/k/example.com-1085056276/user/htdocs/modules/FileManager/untgz.php
[linweb22] [2015/11/21 18:24:35] [isvpmrtl] [              SUMMARY ] [/home/linweb22/k/example.com-1085056276/user/htdocs/] [2319 files found] [1507 files scanned]
[linweb22] [2015/11/21 18:24:35] [isvpmrtl] [              SUMMARY ] [/home/linweb22/k/example.com-1085056276/user/htdocs/] [Compromises: 1 potential hit, Average score=4/5, Highest score=4]
[linweb22] [2015/11/21 18:24:35] [isvpmrtl] [              SUMMARY ] [/home/linweb22/k/example.com-1085056276/user/htdocs/] [Scan completed in 35 seconds]
So it found file /modules/FileManager/untgz.php to be compromised saying "Chundler" is the hit.

I downloaded the file from the switched-off site and compared it to what I uploaded a few weeks earlier. Identical.

I compared the file from the switched-off site with the same file from a similar version of CMSMS. Identical.

The untgz.php file is this one:

https://github.com/svn2github/repo/blob ... /untgz.php

Client of client contacted host and said:
Fasthosts say this file will need cleaning or replacing.
I want a quiet life, so I have just deleted the file for now and asked the client to request a re-scan which should get the site up and running again.

1. What does the file do? (Looks like some zip/unzip utilities)

2. What won't the back end be able to do without it?

3. Has anyone heard of this accusation before? (Couldn't find anything like it with a forum search).

Thanks!

* I used Fasthosts myself in 2001. Service was so bad I left them and vowed never to use them again. I haven't, but sadly some clients choose to.
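The comparison described above (downloaded copy of the file against a known-good copy) done as a script, as an added example that is not from this thread or from CMSMS itself: it hashes a whole downloaded module tree against a clean release copy and reports what is identical, modified, missing or extra, so a scanner hit can be triaged without admin access to the switched-off site. The directory layout and file contents in demo() are constructed for the demo, not taken from a real install.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large archives do not need to sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map every file under root (relative, forward-slash path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare_trees(suspect: str, reference: str) -> dict:
    """Classify files as identical, modified, missing (only in reference) or extra (only in suspect).
    'extra' deserves the closest look: a file dropped by an attacker is absent from the release,
    so it never shows up as 'modified'."""
    s, r = hash_tree(suspect), hash_tree(reference)
    return {
        "identical": sorted(p for p in s if p in r and s[p] == r[p]),
        "modified": sorted(p for p in s if p in r and s[p] != r[p]),
        "missing": sorted(p for p in r if p not in s),
        "extra": sorted(p for p in s if p not in r),
    }


def demo() -> dict:
    """Constructed fixture: a clean release copy of modules/FileManager next to the copy pulled off
    the host. untgz.php is byte-identical (the thread's finding); the other two files are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "release", "modules", "FileManager")
        sus = os.path.join(tmp, "downloaded", "modules", "FileManager")
        os.makedirs(ref)
        os.makedirs(sus)
        untgz = b"<?php\n// placeholder standing in for the stock untgz.php contents\n"
        for base in (ref, sus):
            with open(os.path.join(base, "untgz.php"), "wb") as f:
                f.write(untgz)
        with open(os.path.join(ref, "FileManager.module.php"), "wb") as f:
            f.write(b"<?php\n// release copy\n")
        with open(os.path.join(sus, "FileManager.module.php"), "wb") as f:
            f.write(b"<?php\n// release copy\n// edited on the server\n")
        with open(os.path.join(sus, "cache.php"), "wb") as f:
            f.write(b"<?php\n// constructed: not part of the release at all\n")
        return compare_trees(sus, ref)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A clean reference tree can be obtained by unpacking the matching CMSMS release archive locally; point compare_trees() at the real downloaded and release directories instead of the fixture.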

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Posted: Fri Nov 27, 2015 4:33 am
by Rolf
Do a file checksum first

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Posted: Fri Nov 27, 2015 8:26 am
by paulbaker
The host has switched off the entire site, admin area included, so I can't (can I?)

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Posted: Fri Nov 27, 2015 9:11 am
by Rolf
No, you have to have Admin access for that...

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Posted: Fri Nov 27, 2015 12:36 pm
by Jo Morg
paulbaker wrote: So it found file /modules/FileManager/untgz.php to be compromised saying "Chundler" is the hit.

I downloaded the file from the switched-off site and compared it to what I uploaded a few weeks earlier. Identical.

I compared the file from the switched-off site with the same file from a similar version of CMSMS. Identical.
There is nothing wrong with that file whatsoever, and I don't get anything on google (not even on false positives in scans) regarding that file. So I have to assume that the algorithm that Fasthosts is using to scan is finding some pattern that may look like a signature of some exploit. Probably an outdated signatures database on their side... but this is me guessing...
paulbaker wrote: I want a quiet life, so I have just deleted the file for now and asked the client to request a re-scan which should get the site up and running again.

1. What does the file do? (Looks like some zip/unzip utilities)

2. What won't the back end be able to do without it?

3. Has anyone heard of this accusation before? (Couldn't find anything like it with a forum search).
1. & 2. File Manager has the ability to unpack archives, and that is part of that functionality. I believe there are other PHP applications using it, other than CMSMS. So you'd lose that feature...
3. Nope, and there seems to be nothing about it on a web search either.

My advice: change host ASAP.

Re: Host Fasthosts thinks /FileManager/untgz.php is compromi

Posted: Mon Nov 30, 2015 9:52 am
by paulbaker
Jo Morg wrote: My advice: change host ASAP.
Thanks very much for the help Jo and the confirmation that the host has got it wrong. It's not my hosting to change, I was just asked to investigate when it stopped working. I very much doubt they will miss that functionality but if they do and they ask me about it I will be happy to explain what to do to resolve. ;D

Thanks again.