CALL US

+91 9116117170

Exploiting CMS Web Applications | Cyberops

Exploiting CMS Web Applications

By Palash Verma 0 Comment October 16, 2018

There are frequent cases of hacking websites on all servers, preferably CMS Joomla and WordPress, in this article we want to tell how and why this is done, and what measures can be taken to protect.

If the site has been hacked, it is not enough just to delete the downloaded PHP Shell script, or the PHP script sending spam, you need to find the reason for hacking the site, most often it is a vulnerability in the CMS itself, or in a plugin (module) to it, or a stolen password from an FTP account.
The process of hacking sites takes place with special botnets, now in the logs of almost any site, even a newly registered domain you can see something like this:


"GET /dbadmin/scripts/setup.php HTTP/1.1" 404 2445 "-" "ZmEu"
"GET /myadmin/scripts/setup.php HTTP/1.1" 404 2445 "-" "ZmEu"
"GET /mysql-admin/scripts/setup.php HTTP/1.1" 404 2449 "-" "ZmEu"


Bots use known exploits to popular CMS (most often Joomla and WordPress), hack sites, install their scripts on them and can use the hacked site for any purpose. Trojans steal passwords from your FTP, connect to your account and infect your sites with a virus code, which in turn infects site visitors, after which the circle repeats.
What usually happens to the site after hacking:

Site deface – the home page of the site is replaced with another one, usually with the placement of the Turkish flag and awesome music in the background, or simple threats. Site content is usually not deleted.

Infection of the site pages with malicious code. Usually viruses are written to the end of files and it looks like this:

<script type="text/javascript" src="<?php eval(base64_decode("DjsdgY3b... 

or so

<script src="http://*******.dyndns.info/rss.js"></script>

Sending large amounts of spam from your account

Redirect for mobile devices when visiting your website is prescribed in .htaccess


RewriteCond %{HTTP_USER_AGENT} "up.browser|up.link|windowssce|iemobile|mini|mmp" [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} "symbian|midp|wap|phone|pocket|mobile|pda|psp" [NC]
RewriteRule (.*) http://ссылка_для_перенаправления [L]

Download PHP Shell and perform any of the above actions, and even attempts to hack the provider’s server.

After hacking, there are almost always files that were used by attackers, this is the PHP Shell, or a script to send spam.

How do the scripts get into the account? Usually this happens in the following scenario:
Through any vulnerability in the script, PHP Shell is loaded, or through a CMS vulnerability, access to the CMS admin panel is downloaded and PHP Shell is loaded via the built-in file manager.
Then through PHP Shell can do everything they need.
Example of PHP Shell: 

 

From inside PHP Shell usually looks like this:


<?php
$auth_pass = "xxxxxxxxx";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x..... много-много кода в base64

Our site was hacked and downloaded malware, let’s start the search. 
As a rule, downloaded scripts are called rather unusual and stand out among the standard scripts inside the CMS, for example, for a site with a Joomla CMS it will be unusual to see the wp-config.php file in the root, some hackers use more interesting file names, but they also usually do not make labor calculate:

  • a210891d.php
  • sd3434.php.2323
  • default.php

Files can be in any folder of the site, but most often – the root directory of the site and temporary folders (/tmp, /uploads, /cache). 
You also need to inspect the .htaccess, the index file, and the script configuration files, examples of what’s usually there add, or what a PHP Web Shell might look like above. 

To avoid such trouble, we recommend the following:

  • Timely update of your CMS and its modules
  • Setting correct permissions for folders and files
  • Do not save passwords from admin panel and FTP in browsers and FTP clients
  • Downloading CMS from official sites (some creators of ready-made CMS assemblies with modules like to embed shells into the code and other bad things).


R
ecommendations for cleaning the site:

  • Disable access to the site for visitors
  • Find the reason for hacking
  • Change FTP password
  • Restore the site from a backup, it will help to roll back all changes on the site
  • Update CMS and modules
  • Check permissions on folders and files.

If you have found suspicious files, or a suspicious code in some of the site’s files in your account, and you cannot independently understand their origin, you can contact our support team and ask to see these files.

error: Content is protected by Cyberops !!