Suspicious File - Interactive Tools or Hacker?

9 posts by 3 authors in: Forums > CMS Builder
Last Post: June 23, 2011   (RSS)

Hi there, just running a security scan on a client site and this came up:

Possible malicious file found (doc.php - Suspicious PHP Code)

in the cms /data directory

It appears to be a File Utility - FileMan WSO 2.3

I don't remember putting this on the site. I had some consulting work done by Interactive Tools around the time stamp, so would this be something interactivetools would have used?

Have attached the php file below.

Many thanks
Jan

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Jason - June 23, 2011

Hi Jan,

We don't have a file called doc.php as part of CMS Builder. The attachment didn't come through, though. Could you try attaching the file again so we can take a look at it for you?

Thanks
Jason.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Jason] Suspicious File - Interactive Tools or Hacker?

whoops, here it is...

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Jason - June 23, 2011

Hi,

This doesn't look like anything we've put together. As a precaution, you should do a search through your other .php files (cmsb files included) looking for references to "doc.php". Another option would be to do a backup of your data, and then re-upload CMS Builder to overwrite any references to the file that may have been put into CMS Builder.

Since it looks like your server was probably compromised, you can also contact your hosting provider with this information.

Hope this helps. Please let us know if you need anything else.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
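The two checks Jason suggests (search every .php file for references to "doc.php", then compare the install against a fresh copy of CMS Builder) can be scripted so they are repeatable during cleanup. The following is an added example, not code from CMS Builder, interactivetools.com or the thread; the directory layout, file names and contents it builds are constructed for the demo, and the "data/uploads" ignore prefix is an assumption about where legitimate user content would differ from a clean release.

```python
"""Triage helpers for a suspected rogue PHP file in a web root.

Added example, not part of CMS Builder or the forum thread. It implements the
two checks suggested above: (1) find every .php/.inc/.htaccess line that
mentions the suspicious file name, and (2) hash-compare the live install with
a pristine copy of the same release to list altered, added and missing files.
All paths and file contents used in the demo are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def find_references(root, needle, suffixes=(".php", ".inc"), names=(".htaccess",)):
    """Return (relative_path, line_number, line) for each line containing `needle`."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix not in suffixes and path.name not in names:
            continue
        try:
            with path.open("r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if needle in line:
                        hits.append((path.relative_to(root).as_posix(), lineno, line.rstrip("\n")))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return hits


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree_hashes(root, ignore):
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not rel.startswith(ignore):
            result[rel] = _sha256(p)
    return result


def diff_against_clean(install_dir, clean_dir, ignore=()):
    """Compare a live install with a clean copy of the same release.

    'modified' = same path, different content; 'added' = only in the live
    install (where a dropped file like doc.php shows up); 'missing' = only in
    the clean copy. Paths starting with any prefix in `ignore` are skipped.
    """
    live, clean = _tree_hashes(install_dir, tuple(ignore)), _tree_hashes(clean_dir, tuple(ignore))
    return {
        "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def build_demo():
    """Construct a tiny live install and a matching clean copy (sample data only)."""
    base = Path(tempfile.mkdtemp(prefix="cmsb_triage_"))
    live, clean = base / "live", base / "clean"
    for d in (live / "data", live / "lib", clean / "data", clean / "lib"):
        d.mkdir(parents=True)
    for root in (live, clean):
        (root / "lib" / "init.php").write_text("<?php // bootstrap\n")
        (root / "data" / ".htaccess").write_text("Deny from all\n")
    (clean / "index.php").write_text("<?php require_once 'lib/init.php';\n")
    # live copy: index.php altered to pull in the rogue file, which sits in /data
    (live / "index.php").write_text("<?php require_once 'lib/init.php';\ninclude 'data/doc.php';\n")
    (live / "data" / "doc.php").write_text("<?php /* stand-in for the unknown file */\n")
    return live, clean


def triage(live, clean, needle="doc.php"):
    """Run both checks and return one report dict."""
    return {
        "references": find_references(live, needle),
        "diff": diff_against_clean(live, clean, ignore=("data/uploads",)),  # assumed upload dir
    }


if __name__ == "__main__":
    live_dir, clean_dir = build_demo()
    report = triage(live_dir, clean_dir)
    for rel, lineno, line in report["references"]:
        print(f"{rel}:{lineno}: {line}")
    for kind, paths in report["diff"].items():
        print(f"{kind}: {paths}")
```

Run it against the real web root and a freshly downloaded copy of the same CMS Builder version; the "added" list is where a dropped file appears, and "modified" shows which shipped files were edited to reference it, which is what the re-upload step would overwrite.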

Re: [Jason] Suspicious File - Interactive Tools or Hacker?

Thanks Jason. FYI, here is a screen grab of the interface.
Attachments:

screen.png 92K

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Dave - June 23, 2011

Do you have any other software on the server? Especially open-source software such as email scripts, WordPress, etc.? It looks like it may be the result of an automated vulnerability scanner hacking your site.

I double-clicked on some random unique-looking content in the file ("2Qc0Hpyg2nrp9KjEQiyKGwqbjCeRy3ta2NDfiyqIcT2OVMNiIXLTdQW") and searched Google and saw a number of results: http://www.google.com/search?q=2Qc0Hpyg2nrp9KjEQiyKGwqbjCeRy3ta2NDfiyqIcT2OVMNiIXLTdQW

Including this one: http://stackoverflow.com/questions/3328235/how-does-this-giant-regex-work

So it looks like this is an exploit that is commonly out there. I decoded some of the code and it looks like this particular script is called "Web Shell by oRb". You can read more about people being affected by it here:
http://www.google.ca/search?q=Web%20Shell%20by%20oRb

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com
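Dave's pivot (pick a long, random-looking string out of the file and search for it elsewhere) works because packed payloads have much higher character entropy than hand-written PHP. The helper below automates the selection step; it is an added example, not code from the thread or from interactivetools.com. The sample PHP text is constructed, and the long token inside it is the one Dave quoted above; the 24-character and 4.0-bit thresholds are tuning assumptions.

```python
"""Pull long, high-entropy tokens out of a suspicious file as search pivots.

Added example, not from the thread or from interactivetools.com. Runs of
base64-style characters are extracted, scored by Shannon entropy and sorted so
packed data ranks above ordinary identifiers or padding strings.
"""
import math
import re
from collections import Counter


def shannon_entropy(s):
    """Bits per character; 0 for a single repeated character, ~6 for dense base64."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pivot_tokens(text, min_len=24, min_entropy=4.0):
    """Return (token, entropy) pairs, highest entropy first, deduplicated.

    min_len and min_entropy are assumed thresholds: long enough to be unique in
    a web search, random enough to rule out words and repeated padding.
    """
    pattern = re.compile(r"[A-Za-z0-9+/=]{%d,}" % min_len)
    seen, out = set(), []
    for tok in pattern.findall(text):
        if tok in seen:
            continue
        seen.add(tok)
        e = shannon_entropy(tok)
        if e >= min_entropy:
            out.append((tok, round(e, 2)))
    return sorted(out, key=lambda t: t[1], reverse=True)


# Constructed sample: an ordinary function beside a packed string and a padding string.
SAMPLE_PHP = """<?php
// constructed sample file for the demo
function render_header($title) { return '<h1>' . htmlspecialchars($title) . '</h1>'; }
$x = "2Qc0Hpyg2nrp9KjEQiyKGwqbjCeRy3ta2NDfiyqIcT2OVMNiIXLTdQW";
$y = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";  // long but low entropy, filtered out
"""


if __name__ == "__main__":
    for tok, ent in pivot_tokens(SAMPLE_PHP):
        print(f"{ent:5.2f}  {tok}")
```

Feed the real file's contents to `pivot_tokens` and search for the top few results; hits on public write-ups of the same string are what identified the script as a known web shell here.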

Re: [Dave] Suspicious File - Interactive Tools or Hacker?

Hi Dave, thanks for that, I will do some more digging. I am surprised, as this particular site is a CMS Builder only site (no WordPress or anything else like that). I will double check whether there is any other PHP code used for any special functions.

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Dave - June 23, 2011

Hi Jan,

No, that's not part of the software or anything we use.
Dave Edis - Senior Developer
interactivetools.com