    In the last two days a lot of my Evo sites have been compromised. Almost all were already updated to 1.0.14 (the older one was a 1.0.12).

    I think the problem is not only in AjaxSearch, but in TinyMCE.


    I'm not a security expert, but I suspect that TinyMCE is used to access the image folders of MaxiGallery and the old 0.9x ImageEditor (manager / media / ImageEditor)
      Free MODx Graphic resources and Templates www.tattoocms.it
      -----------------------------------------------------

      MODx IT  www.modx.it
      -----------------------------------------------------

      bubuna.com - Web & Multimedia Design
    Do you have a server access log from the time it was compromised?
        Quote from: kp52 at Aug 08, 2014, 11:13 AM
        I use FileZilla FTP, which now has a useful search tool

        Good tip, didn't know about this, I use FileZilla also.

        I forgot about updating EvoGallery for one domain, really did a big cleanup.
        Did it by updating the /assets folder manually (removing only the snippets/plugins/modules and checking all other folders), also removed the /manager folder completely and just added the config file after checking it. Then upgraded.

        There were no new users or manager logins.
          Evolution user, I like the back-end speed and simplicity
          Quote from: Jako at Aug 08, 2014, 11:55 AM
          Do you have a server access log from the time it was compromised?

          After more investigation, I realized that the attack on my sites occurred several weeks ago, probably before the upgrade to 1.0.14.

          Once inside, they had access to all folders containing images where an upload script was available (MaxiGallery folders, ImageEditor, directresize folders)
            Quote from: Jako at Aug 08, 2014, 11:55 AM
            Do you have a server access log from the time it was compromised?
            Log entries related to index-ajax.php and the hack file:

            Hits on index-ajax.php that don't seem to have resulted in anything:
            80.243.184.227	[30/Apr/2014:13:40:39	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
            188.208.33.18	[22/Jul/2014:00:22:41	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/12.1


            31 July - this is the one that planted the spam file:
            91.200.14.107	[31/Jul/2014:03:08:48	HEAD / HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
            91.200.14.107	[31/Jul/2014:03:08:48	GET /assets/snippets/ajaxSearch/ajaxSearch_readme.txt HTTP/1.1	206	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
            91.200.14.107	[31/Jul/2014:03:08:52	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
            91.200.14.107	[31/Jul/2014:03:08:56	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
            91.200.14.107	[31/Jul/2014:03:08:59	GET /assets/images/tmp_e646ff8ab.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
            91.200.14.107	[31/Jul/2014:03:09:03	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0


            The start of spam-sending; first user-agent once, then 80+ of the second one over a few hours while it was live, continuing hundreds of attempts after site was quarantined and returning 404:
            146.185.239.40	[07/Aug/2014:14:00:27	POST /assets/images/4e6800380.php HTTP/1.1	200	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0
            				
            146.185.239.40	[07/Aug/2014:15:38:01	POST /assets/images/4e6800380.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0


            :( KP
              I'm not an expert, but this is what I can see in today's log

              91.197.229.160 - - [08/Aug/2014:16:06:53 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14098 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              37.59.11.161 - - [08/Aug/2014:16:07:08 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14098 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              62.75.168.203 - - [08/Aug/2014:16:07:45 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14073 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"


              46.118.124.162 - - [08/Aug/2014:13:12:29 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
              46.118.124.162 - - [08/Aug/2014:13:12:29 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://www.dverprom.ru/" "Opera/8.01 (Windows NT 5.1)"
              46.118.124.162 - - [08/Aug/2014:13:12:30 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
              46.118.124.162 - - [08/Aug/2014:13:12:31 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://fantasytown.ru/" "Opera/9.00 (Windows NT 4.0; U; en)"
              46.118.124.162 - - [08/Aug/2014:13:12:33 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://www.dverprom.ru/" "Opera/8.01 (Windows NT 5.1)"
              46.118.124.162 - - [08/Aug/2014:13:12:34 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://www.dverprom.ru/" "Opera/8.01 (Windows NT 5.1)"
              

              88.191.238.61 - - [08/Aug/2014:14:45:34 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              83.169.33.16 - - [08/Aug/2014:14:50:26 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              50.62.161.74 - - [08/Aug/2014:14:51:32 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"


              64.78.58.4 - - [08/Aug/2014:13:37:03 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              217.172.32.84 - - [08/Aug/2014:13:39:41 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              80.237.132.238 - - [08/Aug/2014:13:40:14 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              89.163.225.1 - - [08/Aug/2014:13:42:38 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 737 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              195.190.28.173 - - [08/Aug/2014:13:43:53 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              192.240.176.17 - - [08/Aug/2014:13:44:10 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              198.57.216.208 - - [08/Aug/2014:13:48:42 +0200] "POST /manager/media/ImageEditor/img/option.php HTTP/1.1" 403 704 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
              85.143.166.103 - - [08/Aug/2014:13:49:55 +0200] "POST /assets/plugins/tinymce/js/themes.php HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
              
              
                The hack on the other site - doesn't seem to have been put to use before I deactivated the site:
                91.200.14.107	[31/Jul/2014:00:14:53	HEAD / HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
                91.200.14.107	[31/Jul/2014:00:14:53	GET /assets/snippets/ajaxSearch/ajaxSearch_readme.txt HTTP/1.1	206	Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
                91.200.14.107	[31/Jul/2014:00:14:56	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
                91.200.14.107	[31/Jul/2014:00:15:01	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
                91.200.14.107	[31/Jul/2014:00:15:05	GET /assets/images/tmp_0cd59b69c.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
                91.200.14.107	[31/Jul/2014:00:15:11	POST /index-ajax.php HTTP/1.1	200	Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/18.0.1
                

                :) KP
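The log excerpts posted in this thread all show the same two indicators: a .php file being requested under a folder that should only ever hold uploads (assets/images, assets/galleries, the TinyMCE plugin tree, manager/media/ImageEditor), and, on the sites that were actually compromised, a POST to index-ajax.php from the same address a few seconds before that file is fetched. The script below is an added example, not code from this thread or from MODX: it parses Apache combined-format lines (the standard format shown in the galleries/TinyMCE excerpt; the tab-separated excerpts above are a trimmed export and would need their own parser) and flags both indicators. The sample log is constructed, using documentation-range IP addresses, with paths mirroring the ones quoted above; the 60-second window and the list of upload directories are assumptions to tune for your own site.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as in the lines posted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed list of directories that should only hold uploads and static files.
# A request for a .php file under one of them is the indicator, whatever the
# response status: 200 means it ran, 403/404 means the attempt was stopped.
UPLOAD_DIRS = ("/assets/images/", "/assets/galleries/",
               "/assets/plugins/", "/manager/media/")

# Constructed sample log (documentation IPs). The paths mirror the thread:
# the ajaxSearch readme probe, the POST to index-ajax.php, the dropped
# tmp_*.php, probes against TinyMCE/gallery paths, and two benign requests.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2014:03:08:48 +0200] "GET /assets/snippets/ajaxSearch/ajaxSearch_readme.txt HTTP/1.1" 206 512 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Jul/2014:03:08:52 +0200] "POST /index-ajax.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Jul/2014:03:08:59 +0200] "GET /assets/images/tmp_e646ff8ab.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.20 - - [08/Aug/2014:14:45:34 +0200] "POST /assets/plugins/tinymce/jscripts/tiny_mce/plugins/directionality/images/global.php HTTP/1.1" 403 743 "-" "Mozilla/5.0"
192.0.2.30 - - [08/Aug/2014:16:06:53 +0200] "POST /assets/galleries/184/model.php HTTP/1.1" 404 14098 "-" "Mozilla/5.0"
192.0.2.40 - - [08/Aug/2014:13:12:29 +0200] "GET /domain-name/ HTTP/1.1" 200 13526 "http://referrer.example/" "Opera/9.00"
192.0.2.50 - - [08/Aug/2014:13:00:00 +0200] "GET /assets/images/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def php_in_upload_dir(entry):
    """True when the request targets a .php file inside an upload-only directory."""
    path = entry["path"].lower()
    return path.endswith(".php") and path.startswith(UPLOAD_DIRS)


def scan(lines, window=timedelta(seconds=60)):
    """Return (indicator, ip, path, outcome) tuples for suspicious requests."""
    findings = []
    last_ajax_post = {}  # ip -> time of its most recent POST /index-ajax.php
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == "/index-ajax.php":
            last_ajax_post[e["ip"]] = e["ts"]
        if php_in_upload_dir(e):
            outcome = "served" if e["status"] == 200 else f"not served ({e['status']})"
            findings.append(("php-in-upload-dir", e["ip"], e["path"], outcome))
            # Same client hit index-ajax.php shortly before: the chain seen above.
            prev = last_ajax_post.get(e["ip"])
            if prev is not None and e["ts"] - prev <= window:
                findings.append(("index-ajax-then-php", e["ip"], e["path"], outcome))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run it against your real access log with `scan(open("access.log").readlines())`. A "served" finding for a .php path under assets is the one to act on first: it means the file existed and executed, so the directory needs cleaning and the FilesMatch deny rule discussed later in this thread. "not served (403)" entries show that rule doing its job; "not served (404)" entries are probes for files you do not have, which still tell you which extras the scanners expect to find.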
                  Hello mrhaw,

                  thanks for your "3 things to do" to secure old sites. I have a lot of MODX Evo client installations out there in the wild, and as a marketer and web developer more than a server and security expert I very much appreciate your hints here. I just want to make sure I completely understand your helpful 3 things:

                  1. Item 1: Do you recommend including all 9 lines of your code, or only line 1? Do they have to go in the root .htaccess?
                  2. Item 2: These restrictions should be put in an .htaccess in the assets folder, right?
                  3. Item 3b: Do you recommend removing "Forgot manager password" and index-ajax.php from 1.0.14 installations as well?

                  If I understand correctly, these things can also give some better sleep for updated and new sites?

                  Thanks a lot for your help!



                  Quote from: mrhaw at Jul 03, 2014, 01:50 PM
                  Most security holes reside in Extras being uploaded to assets folder.

                  There are 3 things you can do to secure old sites:

                  1. Don't allow http, https and ftp as values for URL vars. (See first line)
                  RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC,OR]
                  RewriteCond %{QUERY_STRING} (.*)(reflect\.php|contact\.php)(.*) [NC,OR]
                  RewriteCond %{QUERY_STRING} proc/self/environ [OR]
                  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
                  RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
                  RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
                  RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
                  RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2}) 
                  RewriteRule ^(.*)$ /blackhole/index.php? [R,L]


                  2. Restrict access to .tpl and .php files in assets folder:
                  <FilesMatch "\.(php|tpl)$">
                     Order allow,deny
                     Deny from all
                  </FilesMatch>


                  3. Never log into FTP on a public network.
                  http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329/FTPS-vs-SFTP-What-to-Choose.htm

                  3b. Delete "Forgot manager password" plugin, AjaxSearch snippet+folder (if you decide NOT to upgrade them) and index-ajax.php in root
                    3. If you don't use AjaxSearch you can remove this for sure: /index-ajax.php, /assets/snippets/ajaxsearch and also the snippet in your manager. Forgot manager password can be removed also; that's what I do. When I can't access my manager there are other ways to get back in or change the password.
                      Quote from: hgw7m at Aug 08, 2014, 02:34 PM
                      Hello mrhaw,

                      thanks for your "3 things to do" to secure old sites. I have a lot of MODX Evo client installations out there in the wild, and as a marketer and web developer more than a server and security expert I very much appreciate your hints here. I just want to make sure I completely understand your helpful 3 things:

                      1. Item 1: Do you recommend including all 9 lines of your code, or only line 1? Do they have to go in the root .htaccess?
                      2. Item 2: These restrictions should be put in an .htaccess in the assets folder, right?
                      3. Item 3b: Do you recommend removing "Forgot manager password" and index-ajax.php from 1.0.14 installations as well?

                      If I understand correctly, these things can also give some better sleep for updated and new sites?

                      Thanks a lot for your help!

                      1) I have those 9, all awesome, lines under the friendly URL rules
                       The last line could be a burp instead! --> http://forums.modx.com/index.php?topic=33783.0
                      I send the attacker to my blackhole folder --> http://forums.modx.com/thread/19997/securing-your-site-wiki-instructions?page=3#dis-post-111538
                      but the point is you want to interrupt the attacker with an http response code.

                      2) Yes.

                      3) If it's old. --> http://forums.modx.com/thread/81545/modx-evolution-1-0-7-and-prior-forgotmanager-plugin-vulnerability

                      // In the very top of my .htaccess I have this:
                      SetEnvIfNoCase User-Agent "Jakarta Commons" keep_out
                      SetEnvIfNoCase User-Agent "Y!OASIS/TEST"    keep_out
                      SetEnvIfNoCase User-Agent "libwww-perl"     keep_out
                      SetEnvIfNoCase User-Agent "MOT-MPx220"      keep_out
                      SetEnvIfNoCase User-Agent "MJ12bot"         keep_out
                      SetEnvIfNoCase User-Agent "Nutch"           keep_out
                      SetEnvIfNoCase User-Agent "cr4nk"           keep_out
                      
                        @hawproductions | http://mrhaw.com/

                        Infograph: MODX Advanced Install in 7 steps:
                        http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

                        Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
                        http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
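The nine-line RewriteCond block quoted in this thread (item 1, ending in the `[R,L]` redirect to /blackhole/) is worth checking offline before it goes into a live .htaccess, because a rule that fires on a legitimate query string sends real visitors to the blackhole too. The script below is an added example, not code from this thread or from MODX: it re-implements the eight patterns with Python's `re` module (assumption: for these inputs the patterns behave the same under Apache's PCRE and Python's re; `[NC]` is mapped to `re.IGNORECASE`, and the literal `[` inside the two character classes is escaped for Python without changing what they match) and reports which rule, if any, would block each of a set of constructed query strings.

```python
import re

# The eight RewriteCond patterns from the post above. Apache's [NC] flag maps to
# re.IGNORECASE; RewriteCond tests the regex anywhere in the query string, so
# re.search is the right call. The literal "[" inside the character classes is
# escaped ("\[") for Python; the match semantics are unchanged.
QUERY_RULES = [
    (r"(.*)(http|https|ftp):\/\/(.*)", True),
    (r"(.*)(reflect\.php|contact\.php)(.*)", True),
    (r"proc/self/environ", False),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False),
    (r"base64_encode.*(.*)", False),
    (r"(<|%3C).*script.*(>|%3E)", True),
    (r"GLOBALS(=|[|\%\[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|[|\%\[0-9A-Z]{0,2})", False),
]
COMPILED = [re.compile(p, re.IGNORECASE if nc else 0) for p, nc in QUERY_RULES]


def blocking_rule(query_string):
    """1-based index of the first rule that would redirect this query string
    to /blackhole/, or None when the request would pass through."""
    for i, rx in enumerate(COMPILED, 1):
        if rx.search(query_string):
            return i
    return None


def classify(query_strings):
    """Map each query string to the rule number that blocks it (or None)."""
    return {q: blocking_rule(q) for q in query_strings}


# Constructed inputs: ordinary MODX-style query strings next to the shapes the
# rules are written to catch, plus two that show where the rules over-match.
SAMPLES = [
    "id=5",                                  # ordinary request: passes
    "q=modx+security",                       # ordinary search: passes
    "page=http://other.example/x.txt",       # full URL in a parameter: rule 1
    "return=https://shop.example/thanks",    # legitimate redirect target: rule 1 too
    "file=../../proc/self/environ",          # rule 3
    "q=%3Cscript%3Ealert(1)%3C/script%3E",   # rule 6
    "GLOBALS[cfg]=1",                        # rule 7
    "_REQUEST%5Bx%5D=1",                     # rule 8
    "GLOBALSTAR=1",                          # rule 7 again: {0,2} allows zero chars
]

if __name__ == "__main__":
    for q, rule in classify(SAMPLES).items():
        verdict = "pass" if rule is None else f"blocked by rule {rule}"
        print(f"{q:40} -> {verdict}")
```

Two things the output makes visible before you deploy: rule 1 blocks any query string that carries a full URL, which includes legitimate return-URL or redirect parameters, and because `{0,2}` accepts zero characters, rules 7 and 8 fire on any query string that merely contains `GLOBALS` or `_REQUEST`, whatever follows. Feed `classify()` the real query strings from your own access log (everything after `?` in the request path) and look at what would have been blocked before switching the redirect on.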