CiviCRM Community Forums (archive)

The fix for SA-2006-006 is no protection because the exploit was installed outside your site files directory.

If q.php was installed and functional on your site, it is safest to assume the attackers have already had full access to both your codebase and data. (They had the opportunity; the question is only whether they bothered to do so.) You should consider restoring from a known good backup or from sources (ie fresh copy of CiviCRM, Drupal modules etc).

Passwords should be reset for all user accounts, and consider advising the contacts and users of your site of the breach. This may be a legal requirement. If you use an onsite payment processor, you probably have some requirement to advise your provider. Possibly also if you're on shared hosting, IDK.

Logs and so forth might indicate the extent of the breach, but I'd say err as far on the side of caution as possible.

Sorry

we had three sites with a tmp-upload-images directory with either the aaa.php file (and two others)  or code.php .  I don't see anything else.  No issues that we can see either.

Agreed, Totten. Basically I'm giving conservative advice, on the basis that I do not want to give any false assurances. Anyone competent enough to analyse their logfiles is probably equipped to make their own assessment (and ignore my advice). If they aren't, I'd be doing the wrong thing advising them to hope for the best That's what I was "dog-whistling" with

Logs and so forth might indicate the extent of the breach, but I'd say err as far on the side of caution as possible.

"Might be ok" is not enough assurance for me. Contact data is sensitive information for the people concerned, as are CC details (if using onsite processors). Depending on the org, exposing personal data can be simply an annoyance ... or a serious legal problem ... or a life and death matter (eg orgs working under oppressive regimes). I'm not paranoid myself, but I know that some CiviCRM users have quite legitimate reasons to be paranoid.

From what I see in the sites which were scanned for this,

* An automated scan of a large number of sites has been performed.
* Higher profile sites have been targeted first (several dev instances which aren't in Google search did not get scanned).
* If successful, the attack attempts to access the uploaded file immediately after installing it.
* Scanning your logs for accesses to ofc_upload_image.php may show false positives if you use dashboard charts.
* The scans I've seen started on the 17th of April 2013, but the vulnerability was published in 2011.

pkeoghan, if you want to upload the aaa.php / code.php files to gist.github.com or a pastebin, I'd be interested to see them.

FYI:  our sites have either only code.php  or all three code.php, aaa.php, q.php.   It also seems that code.php was uploaded several times.  Code.php generates q.php when executed. It also seems that aaa.php and q.php are basically the same.    aaa.php and q.php -- looks like they are a file manager of some sort. 

right, you want to find the first instance of:

/sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=

in your web log and get a back up before the first call

Hi,

I report an attack involving Open Flash Chart, received today with CiviCRM 4.3.6. The attacker was able to upload abusive files to /administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images on a Joomla! installation.

I followed the advisory and found many calls on Apache logs to ofc_upload_image.php, as bellow:

178.63.107.34 - - [08/Oct/2013:18:51:01 -0300] "POST /servicos-de-tecnologia/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=load.php HTTP/1.1" 404 2230 "-" "libwww-perl/5.836"
It looks like the file (ofc_upload_image.php) was not removed (as I think if should have been) after the 4.2.6 upgrade. I took a look at the list of files and found those dates:

4.0K -rw-r--r-- 1 www-data www-data 1.2K Sep 25 16:16 ofc_tooltip.php
4.0K -rw-r--r-- 1 www-data www-data 1.6K Oct  3  2012 ofc_upload_image.php
4.0K -rw-r--r-- 1 www-data www-data  670 Sep 25 16:16 ofc_x_axis_label.php

It looks like the rest of the package files is being updated in each new upgrade, but the problematic ofc_upload_image.php is still there, in its old Oct 3 version.

Maybe it's a problem with the Joomla! installation script that is unable to remove that file properly? I checked the 4.3.6 and 4.3.7 packages and the file is really not there but, if it was installed before, the script is not cleaning it.

Thanks
Diego

PS: Just find a second site compromised with the same situation. Attacker was able to upload a lot a files, to OpenFlashChart/php-ofc-library/ and the upload directory. They even uploaded a web uploader script :/ !!

I opened a Issue at http://issues.civicrm.org/jira/browse/CRM-13572