Can't get rid of Trojan.PHP-43

Started by Мel, July 13, 2012, 06:02:26 PM


Kindred

yeah, the whole upload/permissions thing is screwy and I'm not sure there is any good way around it...
(in theory, ANY script which allows you to upload, install, etc through the script has the issue - right?)

For the original vector, I think WordPress may have been it... The OP did state that s/he had WP on the same server... right?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Quote from: Kindred
yeah, the whole upload/permissions thing is screwy and I'm not sure there is any good way around it...
(in theory, ANY script which allows you to upload, install, etc through the script has the issue - right?)

Correct. Any script that can upload files will be uploading files owned by the webserver.

Night09

This kind of attack has been documented for other setups, but this link will give the general idea of what's at risk and the resolution they took. It's not directly for SMF but gives a decent insight.  http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads

Arantor

It gives a decent insight into a separate and not-really-related issue. In SMF parlance, the context is essentially about the attachments system not having executable extensions (which has been the case in SMF for years)

The issue I'm referring to is nothing to do with that, but the fact that uploading mods and themes means uploading PHP files that are by their nature vulnerable on shared hosting.

Kindred

right...

Files Uploaded (from FTP) are owned by the logged in user on the server.
Files Uploaded (from a script) are owned by php, the script, the server or various other combinations -- all depending on how the server and php are set up.

If your files are owned by the user, then, when a hacker breaks into your file system, he can only do limited damage, because, assuming your permissions are not 777, there is a good chance that his scripts will be refused permission to edit the existing files.

It is POSSIBLE to lock down a system like SMF or WP (or most others) which allows the script to upload, extract and run files... but doing so requires a fair bit of manual effort and access to chown and chmod.

Мel

Well, here it is again. I've uploaded the infected file for anyone interested to check out.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

NanoSector

...that is *not* a regular wp-config file. There's a huge preg_replace() in there, along with an eval(), and no settings at all...

Sorry if this is too much work but I'd reinstall WP to be safe...
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."
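The shape NanoSector describes (a wp-config.php that is one large preg_replace() plus an eval() and no settings) is a common dropper. As an added example that is not from the thread or from WordPress, this shell script greps a tree of PHP files for that pattern and its usual companions and lists recently changed PHP files; the two sample files it builds are constructed, and the base64 payload decodes to a harmless phpinfo(); call.

```shell
#!/bin/sh
# Added example (not from the thread): find PHP files that look like injected
# droppers. On PHP 5 the /e modifier makes preg_replace() evaluate its
# replacement string as code, so a preg_replace()+eval() config file is a
# classic backdoor shape.

# Leads, not proof: eval()/assert() with code, preg_replace with an /e
# modifier, and the decoders most droppers wrap their payload in.
SUSPECT_RE="eval[[:space:]]*\\(|assert[[:space:]]*\\(|preg_replace[[:space:]]*\\([[:space:]]*[\"'][^\"']*/[a-zA-Z]*e[a-zA-Z]*[\"']|base64_decode|gzinflate|gzuncompress|str_rot13"

# Print file:line:text for every suspicious line under a directory.
scan_php() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$SUSPECT_RE" {} + || true
}

# Number of suspicious lines under a directory.
count_hits() {
    scan_php "$1" | wc -l | tr -d ' '
}

# PHP files changed in the last N days; after an incident, compare these with
# what you actually uploaded.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print
}

# Constructed demo tree: one ordinary config and one that matches the shape
# described in the thread. The payload decodes to phpinfo();.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/clean" "$t/infected"
    cat > "$t/clean/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
$table_prefix = 'wp_';
EOF
    cat > "$t/infected/wp-config.php" <<'EOF'
<?php
$s = "x";
preg_replace("/.*/e", "\x65\x76\x61\x6c(base64_decode(\"cGhwaW5mbygpOw==\"))", $s);
eval(base64_decode("cGhwaW5mbygpOw=="));
EOF
    echo "$t"
}

# Usage: ./scan.sh /path/to/webroot
if [ $# -ge 1 ]; then
    scan_php "$1"
fi
```

A hit on a plugin or theme file is worth reading before deleting, since legitimate code does call base64_decode(); a hit in wp-config.php or in a file you never uploaded is the one to act on.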

Мel

I see that it's not normal WP, that's why it's called "infected" :)
How do I reinstall WP?

NanoSector

Quote from: Мel on July 21, 2012, 06:08:39 AM
I see that it's not normal WP, that's why it's called "infected" :)
How do I reinstall WP?
ACP > Updates > Reinstall :)


Kindred

In the WordPress admin panel.

Alternatively, do as I suggested for the SMF re-install.... delete the files in the WordPress directory and all subdirectories (just kill everything) and do a fresh installation of files, but then point the reinstall to your existing database
