Security Issue - mass.php?

wordpress

#1

I thought I should bring this to the attention of the Dreamhost community just in case this issue wasn’t confined to my account due to my own negligence (better safe than sorry):

Today I found two instances of a mass emailer in different subdirectories of two of my domains. The actual mailer was named “mass.php,” and judging by the email lists that accompanied it, had not been put into use yet.

Again, I want to make it VERY clear that this security issue may just be that someone got my password and used it to upload the files in question, so this MAY NOT BE A DREAMHOST ISSUE.

To check if you have fallen victim to the same problem, SSH into your account and use the following command:

find . -name mass.php

This will recursively search for any files named “mass.php.” Please let me know if any of you have similar issues.

Good luck, and I hope this was just due to my own stupidity of leaving my password lying around!


#2

I nearly had a heart attack when I found an instance of this file, until I realized that I had created it myself (a mass conversion tool).

Thank you for posting about this potential vulnerability, by the way. In a shared hosting environment such as this, any help of this nature is very valuable to other customers. Props to you for that.


Simon Jessey
Keystone Websites (business site) | si-blog (personal site with affiliate links)


#3

Okay, this is really making me freak out. After making that post yesterday I changed my shell/FTP password. Later on in the day, more files started appearing on my sites. eBay-related things… looks like someone is using it for some kind of phishing scam.

I haven’t gotten a response back yet from Dreamhost.

I don’t know what’s going on, but I think there is reason to be worried at this point.

I’ll keep you all updated.


#4

It’s very unlikely that the attacker gained access by stealing your password. It’s much more likely that they broke in through an insecure web application of some sort. I’d make sure you’re running up to date versions of any and all web applications that are publicly accessible, whether or not you’re using them.

DH support should be able to figure out how they got in by looking at your access logs.


#5

Will is right about this. We rarely see passwords stolen, and it’s much easier to gain access to websites through insecure uploading scripts or the like. If you feel like getting your hands dirty, you can check which scripts have been POSTed to recently to see what scripts may have been exploited. You can do that with this command:

grep POST logs/mydomain.com/http/access.log

That will spit out a lot of text and may not tell you what you need to know but it’s something to try. It’s pretty much the first thing I do when looking into these situations.

  • Dallas
  • DreamHost Head Honcho/Founder
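As an added example that is not part of this thread, the two checks posted above (the find for mass.php in #1 and the grep for POSTs in #5) worked into one small triage script. It assumes a POSIX shell with find, grep, awk, sort and uniq, and an Apache combined-format access log; the directory layout, IP addresses and log lines it uses are constructed for the example, and the web-shell indicator pattern is a generic heuristic, not a list of anything found in this thread.

```shell
#!/bin/sh
# Added example (not from the original thread): two triage helpers for a
# compromised shared-hosting account. Assumes a POSIX shell with find, grep,
# awk, sort and uniq, and an Apache "combined" format access log. All paths,
# addresses and log lines used below are constructed for this example.

# Constructs that web shells and droppers use and ordinary site code rarely
# does. This is a heuristic: review every hit by hand.
SHELL_INDICATORS='eval\(base64_decode|passthru\(|shell_exec\(|(system|exec|popen)\(\$_(GET|POST|REQUEST)'

# find_suspect_php DIR [DAYS]: list PHP files under DIR changed in the last
# DAYS days (default 7) that are either named mass.php or match the
# indicators above. Extends the thread's "find . -name mass.php" so the
# same dropper is caught under a different name.
find_suspect_php() {
    dir="$1"
    days="${2:-7}"
    find "$dir" -type f -name '*.php' -mtime "-$days" | while read -r f; do
        case "$(basename "$f")" in
            mass.php) printf '%s\n' "$f"; continue ;;
        esac
        if grep -qE "$SHELL_INDICATORS" "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# post_targets LOG: count POST requests per (script, client IP), most
# frequent first, with the query string stripped so "/upload.php?x=1" and
# "/upload.php?x=2" collapse onto one line. Combined-format fields:
# $1 client IP, $6 "METHOD, $7 request path.
post_targets() {
    grep ' "POST ' "$1" \
        | awk '{ split($7, p, "?"); print p[1], $1 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# write_sample_log FILE: constructed log lines for a dry run. 203.0.113.5
# hammers one script and then POSTs to a PHP file that has no business
# being under /images; 198.51.100.7 is an ordinary visitor.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [12/Mar/2007:03:14:07 -0800] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2007:03:14:09 -0800] "POST /blog/upload.php?step=1 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2007:03:14:11 -0800] "POST /blog/upload.php?step=2 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2007:03:14:12 -0800] "POST /blog/upload.php?step=3 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2007:03:15:40 -0800] "POST /blog/images/x.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2007:09:02:01 -0800] "POST /contact.php HTTP/1.1" 200 1040 "http://example.com/contact.php" "Mozilla/5.0"
EOF
}

# Usage: sh triage.sh ~/mydomain.com logs/mydomain.com/http/access.log
if [ "$#" -eq 2 ]; then
    echo "== suspect PHP files changed in the last 14 days"
    find_suspect_php "$1" 14
    echo "== POST targets by client"
    post_targets "$2"
fi
```

A script that is POSTed to many times in a row from one address, or any POST to a PHP file in a directory that should hold only images, is where to start reading the log in full; the file scan is a starting point for which files to diff against a clean copy, not proof of compromise on its own.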

#6

The only possibility here is my WordPress installation, which I wasn’t using and have removed. The logs aren’t really telling me much, though, so I don’t know if this was the source.

The only file upload scripts I have are a private one that is password protected and very simple, and a Drupal installation which is completely patched and up to date.

Also, even if someone was exploiting an upload script, they would either have to get some kind of directory listing in order to upload files to my other domains. For example, r8d.net is a completely empty folder. I have nothing on the site. There is absolutely no way anyone would know about it prior to my mentioning it right now, on this forum. How would you exploit an upload script on another domain to upload to …/…/…/r8d.net/… without even knowing about it?

Something very odd is going on. I must be missing something silly.


#7

The attackers regularly upload a php based ‘shell’ script that acts like a unix shell through the web and they use that to browse around. Also, the exploits often allow for the execution of arbitrary commands on the server and they can use that to their advantage and figure out how things are set up. We do block the most common attacks we know about but there are so many variations that it’s difficult to keep up with them all.

  • Dallas
  • DreamHost Head Honcho/Founder

#8

[quote]if someone was exploiting an upload script, they would either have to get some kind of directory listing in order to upload files to my other domains.[/quote]

The DH system has a known vulnerability that allows that - through another user inspecting your web logs.