Greenguy's Board - View Single Post

cd34 · 2013-08-13, 10:32 AM

The site that was hacked had half a dozen tubeace installs, all but one were the most recent update. By looking at the logs, I wasn't able to determine how they got in, but, it looked like a call to functions.php had been used - or perhaps just used to check to see if it was vulnerable and they got in a different way.

If you run on a machine with Apache in Setuid mode, none of these changes matter as the hackers can write their exploits anywhere. If you run Apache in low privilege mode, these rules prevent them from being able to execute scripts in the directories that are commonly uploaded to. Since those directories are normally chmod 777, any existing .htaccess could be modified. A directory could be created with a new .htaccess that changes the handler to allow .eiw files to be executed as php, hence disabling overrides.

At this point it is a bug in Tubeace that is automated. A file called 885.php is dropped into the thumbs directory and a few days later, they start to use that file to add other tools.

We're testing a very similar combination of rules for WordPress as one of the templates included with one site contained a remote exploit. I suspect we'll do the same with Joomla since it is also constantly under attack and older versions get compromised.

When you have software that is at least actively updated, make sure you keep up with those updates especially with WordPress and Joomla. However, in TubeAce's case, development is dead and security holes in it will probably never get patched.

2013-08-13, 10:32 AM	#3
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	The site that was hacked had half a dozen tubeace installs, all but one were the most recent update. By looking at the logs, I wasn't able to determine how they got in, but, it looked like a call to functions.php had been used - or perhaps just used to check to see if it was vulnerable and they got in a different way. If you run on a machine with Apache in Setuid mode, none of these changes matter as the hackers can write their exploits anywhere. If you run Apache in low privilege mode, these rules prevent them from being able to execute scripts in the directories that are commonly uploaded to. Since those directories are normally chmod 777, any existing .htaccess could be modified. A directory could be created with a new .htaccess that changes the handler to allow .eiw files to be executed as php, hence disabling overrides. At this point it is a bug in Tubeace that is automated. A file called 885.php is dropped into the thumbs directory and a few days later, they start to use that file to add other tools. We're testing a very similar combination of rules for WordPress as one of the templates included with one site contained a remote exploit. I suspect we'll do the same with Joomla since it is also constantly under attack and older versions get compromised. When you have software that is at least actively updated, make sure you keep up with those updates especially with WordPress and Joomla. However, in TubeAce's case, development is dead and security holes in it will probably never get patched. __________________ SnapReplay.com a different way to share photos - iPhone & Android