phpCOIN

Vulnerability in phpCOIN 1.6.5
qtriangle
  Posted: July 07, 2012 05:00 am
Member
**

Group: Members
Posts: 19
Member No.: 3,942
Joined: August 19, 2009



Yesterday I noticed there were several orders in my phpcoin setup.

All of them seemed to be fake orders, which was kind of not alarming.

However, today I noticed that mod.php file was changed. Whenever it was accessed (which is accessed heavily by all modules), it was redirected to paypal add card option.

I think there is a security vulnerability somewhere which allowed over write of mod.php file.

If moderator wants a copy of mod.php I can provide that.

Please see how it was possible, and also suggest what steps can be taken to prevent this in future.
lightman
Posted: July 07, 2012 05:04 am
The Janitor
***

Group: Admin
Posts: 3,639
Member No.: 3
Joined: August 25, 2006



Which developer snapshot are you referring to?

If this is NOT a developer snapshot related issue, and you are running the current version of phpCOIN with the HotFixes applied (unmodified), then please see http://forums.phpcoin.com/index.php?showtopic=2916 and http://forums.phpcoin.com/index.php?showtopic=2915

I would be interested in seeing the mod.php file to see what URL they are sending you to - adding a card would seem innocent enough unless the URL is used in a 'Man-In-The-Middle' attack, or the landing page is spoofed!


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
qtriangle
Posted: July 07, 2012 10:44 am
Hi Lightman,
Well I think I have the latest production version with all patches.
I have sent you all the information required on your support id.
lightman
Posted: July 07, 2012 12:43 pm
This is NOT a development snapshot or release candidate issue - however, it is interesting, so I shall make some comments here that might help.

Three core phpCOIN files have been compromised (I did NOT check any of the extra user created files) and will need restoring to the original state:
  • mod.php
  • /coin_modules/ipn/vendors/paypal.php
  • /coin_cron/paypal.php
The scripting is quite elegant and consists of two basic parts.

The first is to push a user or admin into adding a credit card to their PayPal account - and then email ALL the details the user types into the form to b6f@hotmail.fr

The second is to use a dummy domain to spoof PayPal transactions and IPN payments - this domain is pyapal.net (look carefully at the spelling) which, at time of writing, is not registered. However this domain could be used together with a DNS poisoning to redirect the queries anywhere the attacker wanted.

As to HOW the files were compromised - I have no idea. Unfortunately, without the access and transfer logs from the server, there is nowhere to start - and remember the core access exploit could have been put in place some time ago and left dormant.

Listed below are some of the attack vectors I have seen in the past that you may want to research.
  • Compromised or guessed FTP credentials
  • Compromised control panel access (eg Plesk SQL injection vulnerability)
  • Some other script on the server is vulnerable to XSS or SQL injection
  • phpCOIN is vulnerable due to the dozens of extra (and many redundant) user created files in the phpCOIN folder structure which may contain some exploitable code, or some modification to the security.php file relaxed the integrity of defences
  • An attacker has uncovered some new and previously unknown method to lever phpCOIN into allowing them access to write files onto the server.
  • A malicious server or domain [ex?]operator/administrator with access has sabotaged the site
Recommendations:
1) Check for shell scripts or unknown php or executable files or scripts in unexpected places (eg the server /tmp folder) and try to use the logs to ascertain where they came from.
2) Change ALL passwords for root, control panels and FTP access
3) Ensure all control panels, OS and components (eg httpd, php, mysqld etc) are fully patched and don't contain any previously injected malicious files and that any other domains running scripted programming on the server are also fully patched up-to-date

Unless you can determine exactly where the access to the file set was granted, and what the extent of the access was, you should probably assume that EVERY web site hosted on the same server is vulnerable to exploit.


qtriangle
Posted: July 07, 2012 04:42 pm
Did you find anything in the DB?

BTW, in my view it is rare that a hacker, after getting access to the complete machine, makes only this kind of change.

I think either only 1 account was compromised, or some vulnerability might have been used.

I am meanwhile inspecting access logs as well.
lightman
Posted: July 07, 2012 04:57 pm
I found the vendor_url for the PayPal vendor had been changed to pyapal.net in the database, which could indicate that phpCOIN admin login credentials had been compromised, or that the hacker was able to access the MySQL databases directly (possibly through the control panel?)

The same string was also in the phpcoin_vendors_bak table which is written when an update is performed if the admin checks the 'make a backup' of the database during the install process - I have no way of telling when this was done or if the hacker just did a quick find and replace of paypal.com when he accessed the database.

I don't believe this to be the case as there are many iterations of paypal.com still in the database that would likely have been changed if the hacker had done a global find/replace.


qtriangle
Posted: July 07, 2012 05:07 pm
> phpcoin_vendors_bak

This table was created more than 2 years back.
I believe the hacker has replaced a full URL, not just paypal.com, in the SQL dump of the whole DB.

This post has been edited by qtriangle on July 07, 2012 05:07 pm
qtriangle
Posted: July 07, 2012 05:10 pm
Do I need to make any correction in the DB?
lightman
Posted: July 07, 2012 05:13 pm
Just to the vendor URL for PayPal as far as I can see - but I haven't gone through the DB dump line for line.


qtriangle
Posted: July 07, 2012 05:20 pm
I think I can rule out a breach through the phpCOIN admin panel, since 3 PHP files were also changed?
Unfortunately the access logs are rotated, so not much info.

This post has been edited by qtriangle on July 07, 2012 05:21 pm
lightman
Posted: July 07, 2012 05:46 pm
If the phpCOIN admin or user account was breached and the details of the cPanel username and password, and/or the FTP username and password, existed for the domain that hosts the phpCOIN installation - what more could a hacker ask for?

I'm not stating that this is what has happened in your case, but it is a scenario that has been worrying me for some time.

A good move is to set Admin > Parameters > group=common, subgroup=domains >

Domain CP/FTP Show Passwords To Clients > No


qtriangle
Posted: July 08, 2012 01:17 am
No, I don't store the actual hosting password in phpCOIN, as in phpCOIN we don't yet have a good integration with hosting panels.
What I meant is that someone got into the panel somehow; I don't know how though.
lightman
Posted: July 08, 2012 03:49 am
Please let us know if you find out how the hacker gained access to the server control panel.

What we know at this time:
  • An attacker gained access to the server via an unknown method.
  • So far, no evidence has been presented that supports the server breach vector being an exploit of the phpCOIN code.
  • The database was modified directly (outside of phpCOIN), probably using the control panel SQL manager, eg phpMyAdmin or similar.
  • The 3 files were modified using an unknown method - the time stamps on 2 of the files are half an hour apart (the third one we don't know, as it had been renamed by admin after the hack was discovered), suggesting the files were modified through a control panel file manager rather than being bulk uploaded by FTP.
  • The malware itself was not especially sophisticated and could be applied to any shopping cart that uses PayPal/IPN as a payment portal, with suitable code changes.
  • The malware is specifically targeting PayPal users in an attempt to trick them into giving card information that is then harvested by the attacker.
  • The domain URL used in the attack is unregistered at this time and does not resolve, and it is doubtful if the modified code would run as the attacker expected.
  • All credit card details typed into any forms that were displayed to a user would have been emailed to the address mentioned above (you may want to advise any user that you suspect of having done this to cancel their cards).


lightman
Posted: July 12, 2012 04:06 pm
With no further information at this time indicating that phpCOIN was responsible for an attacker breaching this user's server and subsequently accessing the fileset to change the 3 files, and accessing the MySQL database to edit records, I thought I would make some additional comments that might be useful to our users if they suspect anything similar might have happened to them.

We know that the hack was a phishing exercise to gain users' credit card details. The fact that the domain name used in the code did not resolve and was not even registered at the time of the reported exploit raises a couple of red flags.

For the phish to have fully worked, the attacker would have had to have access to a DNS server or hosts file to poison the DNS lookup and send the user to a pre-set IP. It is unlikely that this was the case.

I suspect this script was quite old and had been used by a script kiddie who had happened to have levered/exploited/brute forced or stumbled upon the username/password for the WHM control panel of the site in question. It may have worked well when the domain in question was active but is likely to produce strange results at this time.

What we don't know is if the email address that was used in the code to mail all the fake forms' POST information to was active and current. If it was, there is a risk that users did indeed get their card details stolen in the phish.

With no further reports, I am going to delete the bug report for the moment. If we get any new information corroborating that the initial attack vector was through phpCOIN, I shall re-open the issue.

If you are unsure of whether you have been compromised, grep your fileset for the domain name mentioned above or inspect the 3 files that are mentioned.



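A defender-side check for the advice in the last post (grep the fileset for the lookalike domain, inspect the three named files) and for the earlier recommendation to hunt for unexpected modifications, as an added example that is not part of this thread or of phpCOIN. It assumes you have an unmodified download of your release to compare against; the --demo tree it builds is a constructed sample.

```shell
#!/bin/sh
# Added example (not phpCOIN code): look for the two indicators reported in
# this thread and diff the three named core files against a clean copy.
# Assumed: "$1" is the phpCOIN web root, "$2" an unmodified download of the
# same release. --demo builds a constructed sample tree instead.
CORE_FILES="mod.php coin_modules/ipn/vendors/paypal.php coin_cron/paypal.php"

# Print the path of every text file under $1 containing the lookalike domain
# or the exfiltration mailbox quoted in the thread (-I skips binaries).
find_indicators() {
    grep -rIl -e 'pyapal\.net' -e 'b6f@hotmail\.fr' "$1" 2>/dev/null || true
}

# Print MODIFIED/MISSING for each core file that no longer matches the clean copy $2.
changed_core_files() {
    root="$1"; clean="$2"
    for rel in $CORE_FILES; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING: $rel"
        elif ! cmp -s "$root/$rel" "$clean/$rel"; then
            echo "MODIFIED: $rel"
        fi
    done
}

# Constructed fixture: a clean tree plus a site tree whose mod.php carries
# an injected redirect to the lookalike domain. Prints the temp directory.
make_demo_fixture() {
    d=$(mktemp -d)
    for rel in $CORE_FILES; do
        mkdir -p "$d/clean/$(dirname "$rel")" "$d/site/$(dirname "$rel")"
        printf '<?php // original %s\n' "$rel" > "$d/clean/$rel"
        cp "$d/clean/$rel" "$d/site/$rel"
    done
    printf 'header("Location: http://www.pyapal.net/cgi-bin/webscr");\n' \
        >> "$d/site/mod.php"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    D=$(make_demo_fixture)
    find_indicators "$D/site"               # one hit: .../site/mod.php
    changed_core_files "$D/site" "$D/clean" # prints MODIFIED: mod.php
    rm -rf "$D"
elif [ $# -eq 2 ]; then
    find_indicators "$1"
    changed_core_files "$1" "$2"
fi
```

The thread also found the PayPal vendor_url changed in the database (including phpcoin_vendors_bak); that is checked separately with your SQL client, not by this script.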