Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6791 closed Bug/Something is broken (fixed)

mx1 site compromise

Reported by: https://id.mayfirst.org/jamie Owned by: https://id.mayfirst.org/erq
Priority: Urgent Component: Tech
Keywords: mx1.mayfirst.org Cc:
Sensitive: no

Description (last modified by https://id.mayfirst.org/jamie)

We received an email reporting that a process on mx1 is making remote requests to another server that suggests a site on mx1 is compromised.

The snippet from the remote server's log that was provided to us is:

[Tue Jan 22 12:31:03 2013] [error] [client 209.234.253.242] script 'C:/xampp/vhosts/dietersaccessories.com/tmp/wegh.php' not found or unable to stat

Change History (7)

comment:1 Changed 6 years ago by https://id.mayfirst.org/jamie

  • Description modified (diff)

comment:2 Changed 6 years ago by https://id.mayfirst.org/jamie

I'm not sure how to debug in this direction (since we don't have log files of requests going out of the server).

Some ideas...

  • Turn off apache and see if any php processes (or any suspicious looking processes) are still running
  • grep recursively for wegh.php in /tmp/ and /var/www/virtual

comment:3 Changed 6 years ago by https://id.mayfirst.org/erq

  • Owner set to https://id.mayfirst.org/erq
  • Status changed from new to assigned

Just received this hint from Alan by mail. Thanks Alan.

If it helps at all, this article explains how our server was compromised:
http://www.joshpate.com/2013/01/how-to-fix-hacked-by-hmei7-on-joomla-web-site/

- Al
---
Alan Gilson, CISSP
Chief Technology Officer
OTC Group of Companies

I'm checking mx1.mayfirst.org right now, based on his suggested article.

comment:4 Changed 6 years ago by https://id.mayfirst.org/jamie

  • Sensitive set

We are still having trouble identifying the site that is responsible.

We added an iptables rule that will log all OUTPUT requests to port 80; however, there seem to be many legitimate requests.

We also found the reference to the com_jce vulnerability that seems to be the compromise of Alan's site.

We identified several sites using this component. I'm listing them below and marking this ticket as sensitive until they can be patched:

  • mielsolidaria.org.mx
  • grupoparlamentarioalternativa.org.mx
  • solaris.org.mx
  • edicionesera.com.mx
  • observatorioequidadmedios.org
  • comunicacioncomunitaria.org

jamie
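The OUTPUT-to-port-80 logging described above is drowned in legitimate traffic; one way to make the responsible vhost stand out is to aggregate the logged lines by originating UID and destination. This is an added example, not code from the ticket: it assumes the LOG rule was created with `--log-uid` (so each line carries the UID of the process that opened the connection) and the log lines, UIDs and destination addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the ticket): summarise iptables OUTPUT LOG lines by UID and
# destination so the per-site user behind the outbound requests stands out.
# Assumes a rule such as (hypothetical prefix "OUT80: "):
#   iptables -I OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "OUT80: " --log-uid
# The kernel log lines below are constructed; UIDs and addresses are placeholders.

SAMPLE_LOG='Jan 22 12:31:01 mx1 kernel: OUT80: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44123 DPT=80 SYN UID=1007 GID=1007
Jan 22 12:31:02 mx1 kernel: OUT80: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=44124 DPT=80 SYN UID=1003 GID=1003
Jan 22 12:31:03 mx1 kernel: OUT80: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44125 DPT=80 SYN UID=1007 GID=1007
Jan 22 12:31:04 mx1 kernel: OUT80: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44126 DPT=80 SYN UID=1007 GID=1007
Jan 22 12:31:05 mx1 kernel: OUT80: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=44127 DPT=80 SYN UID=1003 GID=1003'

# Read LOG lines on stdin; print "count uid dst", highest count first.
summarize_out80() {
    grep 'OUT80:' | awk '{
        uid = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (uid != "" && dst != "") count[uid " " dst]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Most frequent "uid dst" pair; on the real host map the UID to a login
# (and thus a vhost) with: getent passwd "$uid"
top_out80() {
    summarize_out80 | head -n 1 | awk '{print $2, $3}'
}

# Stand-alone run over the constructed sample; on mx1 feed it the kernel log instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_out80
```

Repeated connections from one UID to one destination are the signal; a UID that maps to a site user rather than a system account narrows the search to that vhost's document root.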

comment:5 Changed 6 years ago by https://id.mayfirst.org/erq

These sites were disabled from the vhcs control panel:

  • mielsolidaria.org.mx
  • grupoparlamentarioalternativa.org.mx
  • comunicacioncomunitaria.org

These Joomla installations have the com_jce component upgraded now:

  • solaris.org.mx
  • edicionesera.com.mx
  • observatorioequidadmedios.org
  • comunicacioncomunitaria.org

Hoping this will make it.

comment:6 Changed 6 years ago by https://id.mayfirst.org/erq

  • Resolution set to fixed
  • Status changed from assigned to closed

I got in touch with comunicacioncomunitaria.org to explain what MFPL is; I need to follow up with them, perhaps they will be joining as members one of these days. Closing this ticket now.

Thanks Jamie

Enrique

comment:7 Changed 6 years ago by https://id.mayfirst.org/erq

  • Sensitive unset
