Author Topic: Compromised Website (Glest.org) and Insecure Logins  (Read 3260 times)

ultifd

  • Airship
  • ********
  • Posts: 4,443
  • The Glest Video Guy :) The one and only. :P
    • View Profile
    • My Youtube Channel
Compromised Website (Glest.org) and Insecure Logins
« on: 13 June 2010, 05:41:36 »
So, this post is actually by tomreyn.
His email is: alsterwassermann (at) gmx.de
I was just helping him post this before he registered.
__________________________________________________________________________________
1. Since the forum requires password authentication to post it is necessary to set up transport encryption (HTTPS). I can offer to provide a cacert.org or startssl.org certificate free of charge.
Statistics show that even when users should use generated unique (per website) passwords they will often actually reuse a known password on several websites.
So if their password gets stolen at a site which failed to provide SSL encryption for the authentication, and those credentials were sniffed, it is not unlikely those credentials will also work against other websites.

2. http://glest.org/en/index.php looks like the website was compromised. Scroll down to the bottom or see the source code. It contains spam links. (EDIT: Links are still changing.
Quote from: tomreyn
the php code included in the page may be active in that it loads new web links to display from a remote site every new day (when the php script is invoked from a web browser or search engine bot). however, this doesn't necessarily mean the former illegitimate access is still active.
though it would sure seem possible.

Quote
display=none, wrapped in <script></script> is so that it will show up in search engine indexes but not in users' web browsers
they just want to increase the search engine ranking of the site the links point to.
)
Code:
</script><a href="http://www.shemayisrael.com/buy-adobe-photoshop/prices-for-microsoft-office-professional.php">prices for microsoft office professional</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/office-2007-professional.php">office 2007 professional</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-7-retail.php">photoshop 7 retail</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-plug-in.php">photoshop plug in</a>

<a href="http://www.shemayisrael.com/buy-windows-vista-xp/sitemap.php">map of buy-windows-vista-xp</a>
<a href="http://www.shemayisrael.com/buy-autodesk/index.php">index of buy-autodesk</a>
<a href="http://www.shemayisrael.com/buy-microsoft-office/index.php">index</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-without-buying.php">photoshop without buying</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/prices-on-microsoft-office-2003.php">prices on microsoft office 2003</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-patterns.php">photoshop patterns</a>
<a href="http://www.shemayisrael.com/buy-photoshop-cs4/sitemap.php">map of buy-photoshop-cs4</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-fonts.php">photoshop cs fonts</a>
<a href="http://www.shemayisrael.com/buy-microsoft-office/sitemap.php">map of buy-microsoft-office</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-windows-xp-service-pack-2-cd.php">order windows xp service pack 2 cd</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-for-quark.php">price for quark</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-price-comparison.php">photoshop price comparison</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-9.0-price.php">photoshop 9.0 price</a>
<a href="http://www.shemayisrael.com/buy-windows-7/sitemap.php">map of buy-windows-7</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-indesign.php">price indesign</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs3-beta.php">photoshop cs3 beta</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-windows-xp-sp2-cd.php">order windows xp sp2 cd</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-of-quark.php">price of quark</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-photoshop.php">price photoshop</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-extended.php">photoshop extended</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-microsoft-office.php">order microsoft office</a>
<a href="http://www.shemayisrael.com/adobe-cs5-release/index.php">index of adobe-cs5-release</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-2000.php">order 2000</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-raw.php">photoshop cs raw</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-of-microsoft-office-2007.php">price of microsoft office 2007</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-windows-xp-sp2.php">order windows xp sp2</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-adobe.php">photoshop adobe</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-nef.php">photoshop cs nef</a>
<a href="http://www.shemayisrael.com/buy-autocad/sitemap.php">map of buy-autocad</a>
<a href="http://www.shemayisrael.com/order-adobe/sitemap.php">map of order-adobe</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs3-to-buy.php">photoshop cs3 to buy</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/office-2003-professional.php">office 2003 professional</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-tryout.php">photoshop cs tryout</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/office-outlook-2003.php">office outlook 2003</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-of-microsoft-office-in.php">price of microsoft office in</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/index.php">index of buy-adobe-photoshop</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-for-microsoft-office-standard.php">price for microsoft office standard</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-microsoft-windows-xp.php">order microsoft windows xp</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-3-price.php">photoshop cs 3 price</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-2.0.php">photoshop cs 2.0</a>
<a href="http://www.shemayisrael.com/buy-windows-7/is-memory-remapping-enabled-in-windows-7.php">is memory remapping enabled in windows 7</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-video-tutorials.php">photoshop cs video tutorials</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-window-xp.php">order window xp</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/purchase-adobe-illustrator.php">purchase adobe illustrator</a>
<a href="http://www.shemayisrael.com/order-adobe/index.php">index of order-adobe</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/prices-for-microsoft-office-2003.php">prices for microsoft office 2003</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-windows-vista-64.php">order windows vista 64</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-tutorial.php">photoshop cs tutorial</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/prices-on-microsoft-office.php">prices on microsoft office</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-of-adobe-photoshop.php">price of adobe photoshop</a>
<a href="http://www.shemayisrael.com/buy-adobe-reader/index.php">index of buy-adobe-reader</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs2-download.php">photoshop cs2 download</a>
<a href="http://www.shemayisrael.com/buy-microsoft-office/index.php">index of buy-microsoft-office</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/purchase-acrobat.php">purchase acrobat</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/office-xp-2007.php">office xp 2007</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-adobe-cs3-design-premium.php">order adobe cs3 design premium</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-bargain.php">photoshop bargain</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/office-2003-standard-edition.php">office 2003 standard edition</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-on-autocad.php">price on autocad</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-upgrade.php">photoshop upgrade</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-demo.php">photoshop cs demo</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-adobe.php">photoshop cs adobe</a>
<a href="http://www.shemayisrael.com/buy-adobe-reader/sitemap.php">map of buy-adobe-reader</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-3.php">photoshop 3</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-microsoft-office-2003.php">order microsoft office 2003</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-book.php">photoshop cs book</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-of-autocad-lt.php">price of autocad lt</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/sitemap.php">map of buy-adobe-photoshop</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-free-trial.php">photoshop free trial</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-for-free.php">photoshop for free</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/plot-autocad.php">plot autocad</a>
<a href="http://www.shemayisrael.com/buy-windows-vista-xp/index.php">index of buy-windows-vista-xp</a>

<a href="http://www.shemayisrael.com/adobe-cs5-release/sitemap.php">map of adobe-cs5-release</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-adobe-illustrator.php">order adobe illustrator</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs3-tutorials.php">photoshop cs3 tutorials</a>
<a href="http://www.shemayisrael.com/buy-autodesk/sitemap.php">map of buy-autodesk</a>
<a href="http://www.shemayisrael.com/buy-photoshop-cs4/index.php">index of buy-photoshop-cs4</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-on-photoshop.php">price on photoshop</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs3-buy-online.php">photoshop cs3 buy online</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs2-sale.php">photoshop cs2 sale</a>
<a href="http://www.shemayisrael.com/buy-windows-7/index.php">index of buy-windows-7</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-for-autocad-2007.php">price for autocad 2007</a>
<a href="http://www.shemayisrael.com/buy-autocad/index.php">index of buy-autocad</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-dwg.php">order dwg</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-on-microsoft-office-2003.php">price on microsoft office 2003</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-user-discount.php">photoshop user discount</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-photoshop-cs.php">order photoshop cs</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photography.php">photography</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/order-crack.php">order crack</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-price-list.php">photoshop price list</a>

<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-texture.php">photoshop texture</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-6-price.php">photoshop 6 price</a>
<a href="http://www.shemayisrael.com/buy-windows-7/windows-7-beta-feedback.php">windows 7 beta feedback</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-cs-plugin.php">photoshop cs plugin</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/price-for-microsoft-office.php">price for microsoft office</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-buy-now.php">photoshop buy now</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/office-2003.php">office 2003</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photo-retouching.php">photo retouching</a>
<a href="http://www.shemayisrael.com/buy-adobe-photoshop/photoshop-software-sale.php">photoshop software sale</a>

Those links are embedded in a PHP file apparently. As such, it must be assumed that the web hosting account was (at least partially) compromised.
This is often due to an insecure FTP login/password, insecure web application (forum software with known security issues?), but can also be due to a sniffed FTP authentication session (since FTP is not encrypted by default).
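As an added example (it is not code from the original post, from tomreyn, or from the glest.org site), here is a small Python scanner for the symptom described in point 2: anchors pointing at outside hosts that sit inside a container styled display:none, and outside hosts that receive an unusually large number of outbound links from one page (the search-engine-spam signature). The site host name, the sample page and the burst threshold are assumptions of this example; run it over a saved copy of the page source rather than over the live site.

```python
"""Scan a page for hidden and bulk external links (SEO-spam injection)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTML elements that never get an end tag; they must not be pushed on the stack
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Counts anchors to external hosts and remembers which of them sit in a
    container styled display:none / visibility:hidden."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self._stack = []            # (tag, is_hidden) for every open element
        self.external = Counter()   # external host -> number of anchors
        self.hidden = Counter()     # external host -> anchors inside hidden containers

    def _is_external(self, href):
        host = urlparse(href).netloc.lower()
        if not host:                # relative link, stays on this site
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        parent_hidden = self._stack[-1][1] if self._stack else False
        hidden = hidden or parent_hidden
        if tag not in VOID_ELEMENTS:
            self._stack.append((tag, hidden))
        href = a.get("href")
        if tag == "a" and href and self._is_external(href):
            host = urlparse(href).netloc.lower()
            self.external[host] += 1
            if hidden:
                self.hidden[host] += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; a stray end tag (like the leading
        # </script> in the injected block quoted above) is simply ignored.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                return


def scan_page(html, site_host, burst_threshold=20):
    """Return a list of findings: links hidden from users, and hosts that
    receive an unusual number of outbound links from this one page."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    findings = []
    for host, n in scanner.hidden.items():
        findings.append({"kind": "hidden-link", "host": host, "count": n})
    for host, n in scanner.external.items():
        if n >= burst_threshold:
            findings.append({"kind": "link-burst", "host": host, "count": n})
    return findings


# Constructed sample page (not taken from glest.org): a normal navigation
# block followed by a hidden div stuffed with links to one outside host.
SAMPLE_PAGE = """<html><body>
<a href="/en/index.php">Home</a>
<a href="http://forum.site.example/index.php">Forum</a>
<a href="http://www.example.org/">A partner</a>
<div style="display: none">
<a href="http://seo-spam.example/buy-a.php">buy a</a>
<a href="http://seo-spam.example/buy-b.php">buy b</a>
<a href="http://seo-spam.example/buy-c.php">buy c</a>
</div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "site.example"):
        print(finding)
```

The scanner works on the HTML that was served, so it catches links written out by injected PHP as well as links edited into static files; it will not see links that a script adds client-side after the page loads, which is why the hidden-container check and the per-host burst count are kept as two separate signals.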

Gabbe

  • Guest
Re: Compromised Website and Insecure Logins
« Reply #1 on: 13 June 2010, 09:17:10 »
dOES THIS MEAN PEOPLE CAN STEAL MY ACC?  :look: :look: CRappy keyboard...

tomreyn

  • MegaGlest Team
  • Airship
  • ********
  • Posts: 2,764
    • View Profile
    • MegaGlest - the free and open source cross platform 3D real-time strategy game
Re: Compromised Website and Insecure Logins
« Reply #2 on: 13 June 2010, 19:29:36 »
Hi,

I'm the initial reporter and have registered here now. I've since been told that the compromise happened long ago, and that, supposedly, almost everything has been cleaned up since, and the spam on the non-forum pages (see the bottom of the page source on e.g. http://glest.org/) is just a remainder from then. I have no way to verify that a complete cleanup (aside from this) has taken place so I'll rely on the statements I've been provided with, which were somewhat reassuring. That's also why I signed up here.

So the case about the compromised website may be less of an issue than it seemed initially. However, the insecure authentication (due to lack of HTTPS) remains an issue in my opinion.

Looking forward to working and playing with you,

Tom Reyn
atibox: Ryzen 1800X (8 cores @3.6GHz), 32 GB RAM, MSI Radeon RX 580 Gaming X 8G, PCI subsystem ID [1462:3417], (Radeon RX 580 chipset, POLARIS10) @3440x1440; latest stable Ubuntu release, (open source) radeon (amdgpu) / mesa video driver
atibox (old): Core2Quad Q9400 (4 cores @2.66GHz), 8 GB RAM, XFX HD-467X-DDF2, PCI subsystem ID [1682:2931], (Radeon HD 4670, RV730 XT) @1680x1050; latest stable Ubuntu release, (open source) radeon / mesa video driver
notebook: HP envy13d020ng
internet access: VDSL2+

· · · How YOU can contribute to MG · Latest development snapshot · How to build yourself · Megapack techtree · Currently hosted MG games · · ·

Omega

  • MegaGlest Team
  • Dragon
  • ********
  • Posts: 6,167
  • Professional bug writer
    • View Profile
    • Personal site
Re: Compromised Website(Glest.org) and Insecure Logins
« Reply #3 on: 15 June 2010, 00:31:24 »
Could this have anything to do with kukac's missing account? You state that it was a long time ago, but is it still possible?  :look:

Unfortunately, I don't even know much about what to do there, since I not only don't know how to convert to HTTPS, but would be unable to do that, and of course, it raises the question, if HTTP is so needed, why are the majority of sites, even very important sites, HTTP? Really only banks, paypal, etc. seem to use HTTPS.
Edit the MegaGlest wiki: http://docs.megaglest.org/

My personal projects: http://github.com/KatrinaHoffert

tomreyn

  • MegaGlest Team
  • Airship
  • ********
  • Posts: 2,764
    • View Profile
    • MegaGlest - the free and open source cross platform 3D real-time strategy game
Re: Compromised Website(Glest.org) and Insecure Logins
« Reply #4 on: 15 June 2010, 03:48:43 »
Quote from: Omega
Could this have anything to do with kukac's missing account? You state that it was a long time ago, but is it still possible?  :look:

Yes, it could. But it seems unlikely to me; there's no reason why just a single account would be removed from the forums. If someone was playing around with the site it'd be more likely the complete forum would get deleted, or they'd just pretend nothing had happened and would just lurk and take regular backups of the complete database instead, hoping to find sensitive information like CC numbers or similar in the private messages or hidden forums.

Quote
Unfortunately, I don't even know much about what to do there, since I not only don't know how to convert to HTTPS, but would be unable to do that, and of course, it raises the question, if HTTP is so needed, why are the majority of sites, even very important sites, HTTP? Really only banks, paypal, etc. seem to use HTTPS. Another, and more urgent precautionary measure is ensuring that only secure passwords (there is a definition for what secure passwords are, and this changes over time) are being used.

Let's not mix two things up. HTTPS over HTTP is a precautionary measure, which I think is very recommendable since it can prevent the hosting account from getting compromised in the future (and actually all websites providing logins and storing user data should be using HTTPS, and many do, not just banks and payment processors).

It is not, however, a countermeasure for the suspected on-going attack. If there is such an attack going on then what needs to happen is for everyone who has FTP access to change their FTP passwords, and all MySQL database user passwords and all forum user passwords need to be changed (whatever the users' forum rank may be). Additionally, the existing code needs to be screened for more malware or backdoors contained in it. The server administrator (root) should be informed quickly, too. To be safe, it is a good measure to take down the website completely until the issue is sufficiently researched and resolved.

Little Helper

  • Guest
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #5 on: 15 June 2010, 04:20:42 »
Using my cousin's iphone anyways,...Why take down Glest.org completely? :scared: Why not change the FTP password? AND WHY DON'T KUKAC MAKE A NEW ACCOUNT AND INFORM US WHAT REALLY HAPPENED TO HIS ACCOUNT?!?!?!? A quick serious question: Maybe this attack happened the day Glest's entire website crashed and was closed?  :o

Some actions recommended to take:
1) Identify and remove the malware link/code from the server copy of the website
2) Identify and remove any unknown/suspicious files from your cgi-bin/php-scripts/.html folders
3) Install the latest patches for any third party software installs you have done, e.g. wordpress/fantastico etc.
4) Look through your HTTP access logs to try and locate the offending IP from which the insertion was done
5) Review your site security by contacting professionals specializing in web-site hardening
6) Scan your server and local computer with a good anti-virus
« Last Edit: 15 June 2010, 04:30:08 by Little Helper »
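Step 4 of the list above is the one most people skip because an access log is long and unstructured. As an added example (not code from Little Helper's post or from the site), this Python script does the triage: it parses combined-format log lines, flags requests to PHP scripts that are not in the site's known file inventory and POSTs to paths that should never accept form data or uploads, groups the hits by client IP, and reports the earliest hit per IP as the starting point for the timeline. The log format, the inventory of legitimate scripts and the sample log lines (documentation-range IPs, made-up paths) are assumptions of this example.

```python
"""Triage a web server access log: requests to PHP scripts that are not part
of the known site, grouped by client IP (defender's timeline reconstruction)."""
import re
from collections import defaultdict

# Apache/nginx "combined" format; the referer and user agent at the end of the
# line are not needed here, so the pattern is only anchored at the start.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def triage_access_log(lines, known_scripts, post_endpoints):
    """known_scripts: every .php path that legitimately exists in the webroot
    (take it from the deployed file tree or the package manifest).
    post_endpoints: the subset that is supposed to receive POST requests.
    Returns {ip: [finding, ...]} for every client that hit something odd;
    findings keep log order, so the first entry per IP is the earliest."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        script = rec["path"].split("?", 1)[0]      # drop the query string
        reason = None
        if script.endswith(".php") and script not in known_scripts:
            reason = "request to PHP script not in site inventory"
        elif rec["method"] == "POST" and script not in post_endpoints:
            reason = "POST to a path that should not accept uploads or form data"
        if reason:
            findings[rec["ip"]].append({
                "time": rec["time"], "method": rec["method"],
                "path": rec["path"], "status": rec["status"], "reason": reason,
            })
    return dict(findings)


def first_contact(findings):
    """Earliest flagged request per IP: the point to start the timeline from."""
    return {ip: hits[0]["time"] for ip, hits in findings.items()}


# Constructed log excerpt (documentation-range IPs, made-up paths).  The last
# client requests a PHP file under an image directory, where no script belongs.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2010:03:14:07 +0000] "GET /en/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2010:03:14:09 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Jun/2010:03:20:41 +0000] "POST /forum/index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Jun/2010:03:22:13 +0000] "GET /forum/index.php?board=1.0 HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2010:04:01:55 +0000] "GET /images/.cache/c.php HTTP/1.1" 200 4421 "-" "-"
192.0.2.44 - - [12/Jun/2010:04:02:10 +0000] "POST /images/.cache/c.php?act=upload HTTP/1.1" 200 4521 "-" "-"
192.0.2.44 - - [12/Jun/2010:04:05:30 +0000] "GET /en/index.php HTTP/1.1" 200 5123 "-" "-"
"""

# Constructed inventory; on a real site, generate it from the deployed tree.
KNOWN_SCRIPTS = {"/index.php", "/en/index.php", "/forum/index.php"}
KNOWN_POST_ENDPOINTS = {"/forum/index.php"}

if __name__ == "__main__":
    hits = triage_access_log(SAMPLE_LOG.splitlines(), KNOWN_SCRIPTS, KNOWN_POST_ENDPOINTS)
    starts = first_contact(hits)
    for ip, entries in hits.items():
        print(ip, "first flagged request at", starts[ip])
        for e in entries:
            print("   ", e["method"], e["path"], e["status"], "-", e["reason"])
```

The inventory-based check matters more than any signature: a dropped file is, by definition, a path that was not there before, so diffing requests against the list of scripts that should exist surfaces it even when its name looks harmless. Once the first flagged request is known, everything that IP did before it (including any successful logins) is the candidate entry point.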

ultifd

  • Airship
  • ********
  • Posts: 4,443
  • The Glest Video Guy :) The one and only. :P
    • View Profile
    • My Youtube Channel
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #6 on: 15 June 2010, 04:36:41 »
Quote
Using my cousin's iphone anyways
Ok, Cool.  :)
Quote
Why take down Glest.org completely?
Safer, as (I think tomreyn) said... if this is really serious, (could be, if not now.)
Quote
Why not change the FTP password.
Why not...not? If the person who is going to update the site, is going to change it, you might as well do the other things...  ::)
Quote
AND WHY DON"T KUKAC MAKE A NEW ACCOUNT AND INFORM US WHAT REALLY HAPPEN TO HIS ACCOUNT?!?!?!?
That kinda more belongs to the other thread, but I could see why...
Anyways, just read what happened or may have happened...in the other thread(well, people don't really don't know what happened, but people are discussing ways of bringing his account back...but some ways have consequences, and such...) ...Yeah. Also, please don't use CAPS...because...if we were actually debating...you would be like screaming...  ::) and that it isn't like...polite? to...

Quote
Maybe this attack happened the day Glest's entire website crashed and was closed?
Could be, we will never really know...really, until martino and/or the others in the glest team read this thread...so we need to PM them, and/or email them. (I hope we don't send them too many though, because if we SPAM them...well...  :| )

Quote
To be safe, it is a good measure to take down the website completely until the issue is sufficiently researched and resolved.
That would probably be the "best" thing, as this could be really serious, but...probably the glest users community wouldn't like that...Since it is best, I would be fine with it...but first as you said before, we need to get the Glest Team's attention about this. (oh, and as I said before too,  ::) )...

Thanks. Good Luck, to everyone I guess,  :|

Little Helper

  • Guest
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #7 on: 15 June 2010, 04:38:59 »
So if we take down glest's website we won't be able to do things on glest   :scared:

ultifd

  • Airship
  • ********
  • Posts: 4,443
  • The Glest Video Guy :) The one and only. :P
    • View Profile
    • My Youtube Channel
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #8 on: 15 June 2010, 04:49:04 »
Quote from: Little Helper
So if we take down glest's website we won't be able to do things on glest   :scared:
If that happens, then yes, that would be a "con", but if this is really serious, and could, let's say, oh and (knock on wood I guess) that the forum would go bye bye, our passwords, etc. Then the whole big thing would be...gone...the bigger image I guess.

Of course, we should wait until Tucho or Martino replies...first they need to know this first though...  ::)
We'll see.

Good Luck...

josepzin

  • Draco Rider
  • *****
  • Posts: 268
    • View Profile
    • José Zanni blog
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #9 on: 15 June 2010, 06:23:29 »
BUAFffffgrrrr.... :(

It is a shit virustroyan-something... i will clean it...
::. RetroInvaders .::::. My web .::

ultifd

  • Airship
  • ********
  • Posts: 4,443
  • The Glest Video Guy :) The one and only. :P
    • View Profile
    • My Youtube Channel
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #10 on: 15 June 2010, 06:25:57 »
Quote from: josepzin
BUAFffffgrrrr.... :(

It is a shit virustroyan-something... i will clean it...
OK, thank you, that is all I will say... (for now  ;) )
Good Luck...and...sorry?  :| or not.

josepzin

  • Draco Rider
  • *****
  • Posts: 268
    • View Profile
    • José Zanni blog
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #11 on: 15 June 2010, 06:58:09 »
I have deleted all (I think) virus files and repaired the PHP files.

Please tell me if the shit-virustroyanmalware is back.

I have added Google Webmaster Tools to notify me about such contaminations.

ultifd

  • Airship
  • ********
  • Posts: 4,443
  • The Glest Video Guy :) The one and only. :P
    • View Profile
    • My Youtube Channel
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #12 on: 15 June 2010, 07:13:25 »
Quote from: josepzin
I have deleted all (I think) virus files and repaired the PHP files.

Please tell me if the shit-virustroyanmalware is back.

I have added Google Webmaster Tools to notify me about such contaminations.
I see, thank you, you solved the problem at least, basically.
Good Luck, and thanks again...we will PM you or email you if it comes back, or something similar.
hmm...google?  ::)
make sure you change passwords... "and stuff", "just in case"...
 :thumbup:

Omega

  • MegaGlest Team
  • Dragon
  • ********
  • Posts: 6,167
  • Professional bug writer
    • View Profile
    • Personal site
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #13 on: 15 June 2010, 18:41:47 »
Quote from: josepzin
I have deleted all (I think) virus files and repaired the PHP files.

Please tell me if the shit-virustroyanmalware is back.

I have added Google Webmaster Tools to notify me about such contaminations.
Hmm? Could this have contaminated Kukacs account?

Gabbe

  • Guest
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #14 on: 15 June 2010, 18:53:51 »
Quote from: josepzin
I have deleted all (I think) virus files and repaired the PHP files.

Please tell me if the shit-virustroyanmalware is back.

I have added Google Webmaster Tools to notify me about such contaminations.
Quote from: Omega
Hmm? Could this have contaminated Kukac's account?

exactly my thought too


tomreyn

  • MegaGlest Team
  • Airship
  • ********
  • Posts: 2,764
    • View Profile
    • MegaGlest - the free and open source cross platform 3D real-time strategy game
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #16 on: 19 June 2010, 12:48:06 »
The "HTTPS everywhere" extension is nice, but its name is a little misleading. It won't give you SSL everywhere, but just on some (mainstream) sites where it is supported server-side but not enabled everywhere within that site by default. As the article ultifd pointed us to mnetiones there is also a similar extension for Chrome/Chromium. If you like "HTTPS everywhere" (and use Firefox), you may also like ForceTLS http://forcetls.sidstamm.com/ (make sure you read up on how to use it, otherwise it's useless), SSL Blacklist http://codefromthe70s.org/sslblacklist.aspx (warns you about compromised SSL certificates - make sure you install the 'local database' extension, too), CertPatrol http://patrol.psyced.org/ (warns you when an SSL certificate for a known/previously visited web site has changed, which can be indication of a Man-in-the-Middle attack against you).

Coming back to the original topic of this thread: josepzin has, as he told us, and as far as we can tell (the spam links are gone), since cleared the malware off this website. He also provided me with some of the files the attacker had uploaded and I had a look at them. One of those files was a so-called PHP shell, a variant of the old C99 PHP shell. Once uploaded, it allows you to run shell commands on the web server as the user PHP runs as. Amongst other things, this allows you to view and write to other files within the constraints of the same website (Apache VirtualHost), to upload and download files, and to execute system/shell commands as a non-privileged user on the server. It has not become clear how the original attack was carried out which allowed the attacker to upload the PHP shell. It is unknown whether the board software or other parts of the site may, while a recent version, have been modified by the attacker to place a backdoor (this is not too probable, though, since it may mean some extra manual work and you'd need to know what you're doing to do it at all and in a non-obvious manner, but most intruders don't have those capabilities or just don't go to such lengths). I still don't think it's too likely that the deleted forum account is related to this intrusion, but I can be wrong (and I don't care too much about the original cause since all that really matters is whether his posts are available, and they are). So I assume the intrusion has been cleaned up completely at this point. Let's hope it doesn't happen again too soon. People's awareness is now raised, and that alone is a good safety measure.
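tomreyn's description of the uploaded C99-style PHP shell, and his point that nobody has checked the rest of the code base for a planted backdoor, call for a way to screen a webroot. As an added example (not code from tomreyn, not the files he examined, and not part of the original post), this Python script scores PHP sources for the building blocks such shells and their "packed" loaders rely on: eval/assert on decoded strings, gzinflate/base64 unpacking, command-execution functions, user input passed straight into one of them, and long base64 blobs. The indicator weights, the flag threshold and the two sample sources are assumptions of this example; the second sample has the shape of a packed loader but carries a placeholder string, so it is not a working payload.

```python
"""Score PHP sources for web-shell indicators (the building blocks C99-style
shells and their packed variants rely on) and list the files worth reviewing."""
import os
import re

# Each indicator: name, pattern, weight.  Weights are a judgement call (an
# assumption of this example), chosen so that one packed-eval idiom or one
# "superglobal straight into a command function" hit is enough to flag a file.
INDICATORS = [
    ("eval",            r"\beval\s*\(",                          5),
    ("assert-call",     r"\bassert\s*\(",                        3),
    ("base64_decode",   r"\bbase64_decode\s*\(",                 2),
    ("gzinflate",       r"\bgzinflate\s*\(|\bgzuncompress\s*\(", 3),
    ("str_rot13",       r"\bstr_rot13\s*\(",                     2),
    ("command-exec",    r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", 4),
    ("user-input-to-exec",
     r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", 6),
    ("long-base64-blob", r"['\"][A-Za-z0-9+/=]{200,}['\"]",       3),
]
COMPILED = [(name, re.compile(pat), weight) for name, pat, weight in INDICATORS]
FLAG_THRESHOLD = 6


def score_php_source(text):
    """Return {'score': int, 'indicators': [names]} for one file's contents.
    An indicator is counted once per file, however often it occurs."""
    hits = [name for name, rx, _ in COMPILED if rx.search(text)]
    score = sum(w for name, _, w in COMPILED if name in hits)
    return {"score": score, "indicators": hits}


def scan_tree(root, threshold=FLAG_THRESHOLD):
    """Walk a webroot and return [(path, result)] for every PHP file at or
    above the threshold, highest score first.  Review the hits by hand: a
    legitimate admin tool can also call exec() and collect a few points."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = score_php_source(fh.read())
            except OSError:
                continue
            if result["score"] >= threshold:
                flagged.append((path, result))
    flagged.sort(key=lambda item: item[1]["score"], reverse=True)
    return flagged


# Constructed samples (not files from the incident).  The second one has the
# shape of a packed shell loader; its string is a placeholder, not a real
# payload, so the snippet does nothing if run.
BENIGN_SOURCE = """<?php
require_once 'config.php';
$res = mysql_query("SELECT name FROM users WHERE id = " . (int) $_GET['id']);
$row = mysql_fetch_assoc($res);
echo htmlspecialchars($row['name']);
?>"""

PACKED_LOADER_SOURCE = """<?php
eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')));
?>"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SOURCE), ("packed loader", PACKED_LOADER_SOURCE)):
        print(label, score_php_source(src))
    # Typical use on a server: scan_tree("/var/www/site") and review each hit.
```

Indicator scoring is a triage aid, not proof: it ranks which of the hundreds of files in a forum install deserve a human look first. Pair it with the inventory approach (compare the deployed tree against a clean copy of the same board version) so that a modified legitimate file, which may score low, is still caught by the diff.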

ultifd

  • Airship
  • ********
  • Posts: 4,443
  • The Glest Video Guy :) The one and only. :P
    • View Profile
    • My Youtube Channel
Re: Compromised Website (Glest.org) and Insecure Logins
« Reply #17 on: 19 June 2010, 18:29:09 »
Yeah, I know... Also, I checked, and it doesn't work for glest...but now I supposedly use a safer version of google? Might as well use Scroogle.  :P
Quote from: tomreyn
Coming back to the original topic of this thread: josepzin has, as he told us, and as far as we can tell (the spam links are gone), since cleared the malware off this website. He also provided me with some of the files the attacker had uploaded and I had a look at them. One of those files was a so-called PHP shell, a variant of the old C99 PHP shell. Once uploaded, it allows you to run shell commands on the web server as the user PHP runs as. Amongst other things, this allows you to view and write to other files within the constraints of the same website (Apache VirtualHost), to upload and download files, and to execute system/shell commands as a non-privileged user on the server. It has not become clear how the original attack was carried out which allowed the attacker to upload the PHP shell. It is unknown whether the board software or other parts of the site may, while a recent version, have been modified by the attacker to place a backdoor (this is not too probable, though, since it may mean some extra manual work and you'd need to know what you're doing to do it at all and in a non-obvious manner, but most intruders don't have those capabilities or just don't go to such lengths). I still don't think it's too likely that the deleted forum account is related to this intrusion, but I can be wrong (and I don't care too much about the original cause since all that really matters is whether his posts are available, and they are). So I assume the intrusion has been cleaned up completely at this point. Let's hope it doesn't happen again too soon. People's awareness is now raised, and that alone is a good safety measure.
Yes, also, thanks for telling...me, then us about it. I think we all missed it...  ::)
 :thumbup:
