Malicious files uploaded to server
A malicious file with extension .phtml was uploaded to the /perch/resources/ folder on my server this morning.
The line from the raw server access log is:
91.236.116.102 - - [24/Nov/2015:23:52:14 +0000] "POST [REDACTED] HTTP/1.1" 200 52 "https://www.[REDACTED]" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.101 Chrome/45.0.2454.101 Safari/537.36"
It seemed they used a vulnerability to post a file to the server, presumably without actually being logged into Perch.
Diagnostics report is:
Perch: 2.8.14, PHP: 5.4.45, MySQL: mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $, with PDO
I urgently need to work out how this happened. It looks like a serious bug, is this the case?
Many thanks.
This has already been addressed - you need to update to the current version.
Can you please confirm in which version this was addressed.
Was it 2.8.15, which has "Fixes bugs in MarkItUp editor" in the release log?
If so, it would definitely be worth including something a little more pressing in the release log, such as 'Addresses security vulnerability'. Users need to know there is a major vulnerability that allows a malicious user to upload a file, as this can (and, unfortunately, in this case, has) give that user full access to the server.
This is a serious vulnerability and users need to be alerted as such, so they know the importance of upgrading right away.
Yes, that's the one - we marked that release as "recommended for all users" and turned on the update flag so that every customer was notified of the new version within their Perch control panel.
This was a theoretical problem only. The uploader is designed for static assets, so you can't, for example, upload a
.php
file. The only way for it to be a risk is with a poorly configured server. As such, it would have been reckless to point to it and encourage attempted exploits. That would have exposed everyone to unnecessary risk. So we fixed it and recommended to everyone that they should update.As you've now seen someone attempt to exploit it, that changes things a little. We're sending an email out today, so we'll remind customers who haven't yet updated to do so.
(I'm going to edit your original post to remove both your domain name and also the exact details of the file that has been patched.)
Thanks for removing the domain name and exact details of the file.
To let you know, the user managed to upload a .phtml file that contained pretty sophisticated PHP code. This script actually allowed them to carry out terminal/shell commands. Unfortunately this allowed them free reign to browse our server with
ls
commands in search of configuration files, which they found, thus giving them access to database details. They then used the same .phtml file to carry out a number of mysqldumps.I don't know if you can natively use .phtml files in the same way as a .php file, or if our server is poorly configured and allowed a .phtml file to act in this way.
I don't have a reason to believe we were targeted specifically, so suspect someone is looking to make use of this vulnerability to target Perch sites, or other sites using the same editor.
A
.phtml
file is a PHP 2 file. You really don't want to allow those to be executed.We're going to make sure customers are encouraged more strongly to update.
I had a site that has just been hacked with this vulnerability as well. Just to add to the sense of urgency on this.
I checked my logs - they have been finding Perch sites by googling /perch/resources/ . I tried doing the same search, and immediately identified two websites (out of three I checked) that have been similarly compromised (the listing of the files shows the .phtml file named above).
I think this merits a message to Perch users telling them how to check if they've been compromised, to be honest.
Drew / Rachel - I've identified 9 sites that have also been hacked. Have sent you the details by email.
Hi Mallen - we emailed all customers yesterday notifying them that they needed to update.
Yes, but that's not the same as notifying customers who have been hacked that their systems have been compromised.
Given that significant numbers of your customers have been hacked already, giving information on how to check whether or not this has happened to you would be a good idea - but certainly contact ones that have come to your attention as definitely hacked, surely?
I've updated all my Perch Runway sites (2.8.17) and updated the markitup editor, but it'd be reassuring to know how to check if any of them were compromised.
Are we just looking for a
.phtml
file in the /perch/resources/ folder?Hi Stephen - yes, if there's a .phtml file, or any other executable file, in that folder it will indicate you've definitely been compromised. If not, you're probably OK. However, the script they use has a self-destruct facility to remove itself after it's installed a backdoor, so you might also want to go into the site raw logs for the last 24 hours and check for activity around the markitup folder, and anything that calls a phtml file.
So far, however, they seem to be leaving the file in place after they've been.
If you've been compromised, they'll almost certainly have done an sql dump of your database, so make sure you change all user passwords.
Normally a
.phtml
file isn't executable - they're PHP 2 files, so you'd have to have a very strange old server configuration. They do exist, but for most people you just end up with a useless.phtml
file that does nothing.So the presence of a
.phtml
file only indicates that a file has been successfully uploaded. It doesn't mean that anything has been exploited.More here: https://forum.grabaperch.com/forum/11-26-2015-important-security-update-patches-for-markitup
I've seen three working versions of this in the wild, one on my client's website.
If you see this file, click onto it in your web browser. If it works, you'll see a menu of options. At that point, assume your site has been compromised, notify your hosts and take action.
Have a look at the server logs and see what they did (the parameters are passed to the file as _GET variables).
If you click on the file and it doesn't do anything, then it should be ok.
Hi Mallen
sorry if the replies have been a little short but Drew has been busy creating an individual patch for every single version of Perch 2 https://forum.grabaperch.com/forum/11-26-2015-important-security-update-patches-for-markitup and is currently writing an email so people can just patch the precise file rather than having to update their entire install. Because like any third party software we essentially face a losing battle in trying to get people to update.
The reason we are pointing out the issue with .phtml files is so that people can be aware of the seriousness in their case. Allowing .phtml to be executed is - in 2015 - poor server configuration. It wouldn't surprise me if those files being executable causes compromises in a lot of software.
So if you know that your server cannot execute these files then you are in a situation where a file has been uploaded but nothing else done.
So we are taking this seriously, by doing the things we can about it rather than just making noises in the forum.
Rachel
None of the replies here gave any impression that it was being taken seriously. Good communication is hardly "just making noise".
I would like to thank Perch for taking this seriously. We have discovered that this is most likely the cause of several sites being recently compromised. The effect was files being placed that were then used as phishing targets, and a couple of attempts at trigger bulk emails from the server.
For around 10 days we've been suspecting WordPress was the cause - and have tightened up the security even more than usual (a good thing anyway). We never found the actual cause - until now. I just patched all our Perch installs (and upgraded around half of them before the patch came out). I then checked all /resources folders - and found a 'phtml' file in a site where the 'hosted' customer had added this as an allowed PHP extension. Now stopped, but at least we FINALLY found the cause it seems.
If anyone is interested, the exploit reads the Perch config file to get the database credentials. Not sure what it does/did with them next but we are restoring to an older backup as the client's not made any updates for quite a while.
Hi, is there a reason for all the individual version patches? Are we able just to upload the latest markitup?
They are for people who, for whatever reason, don't want to update Perch to the latest version.
Ideally you update Perch to the latest version and update MarkItUp to the latest version.