Author Topic: Feng Office 3.1.2.2 hacked (Read 4719 times)

nunoleite · « **on:** April 10, 2015, 03:37:28 am »

Hi!

Tonight my sub domain with Feng Office 3.1.2.2 was hacked. This comunitty version is not very used, it's almost never used. The last thing done was 2 weeks ago when i updated to 3.1.2.2

These files where instroduced:
help.htm 75bytes
help.html 67bytes
info.htm 75bytes
info.html 67bytes
info.php 21.135bytes (i think this is the bad file)
tmp/sh.php 68bytes
tmp/systemscash.php 68bytes

All the content of the sub domain where feng office is where overrided...
Files php and html where written with the content:
<?php
header('Location: xxxxx');
exit;
?>

In my logs the first lines of the attack are these:
5.61.37.14 - - [09/Apr/2015:20:21:56 +0100] "GET /tmp/systemscash.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:56 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 24131 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 28977 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 29611 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:23:54 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:23:54 +0100] "POST /info.php HTTP/1.1" 200 29586 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:06 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:06 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:07 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:10 +0100] "POST /info.php HTTP/1.1" 200 9791 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:11 +0100] "POST /info.php HTTP/1.1" 200 15635 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.

Gecko/20060728 Firefox/3.5.8"

And then, continues with the same data for about 5000 lines.

It's weird that it starts with a GET to a file that doesn't existed before.

Do you know anything about this?

Thanks
Nuno Leite

franponce87 · « **Reply #1 on:** May 19, 2015, 11:53:17 am »

Where did you upgrade it from?

nunoleite · « **Reply #2 on:** May 19, 2015, 03:59:01 pm »

Hi!

I always use your official downloads, from SourceForge.

I had replaced today for a backup that was good, and updated to 3.1.5.1.

Let's see the next days....

It was very strange as this is one of my sub-domains, and i have some with other scripts, and only this one was hacked.....

franponce87 · « **Reply #3 on:** May 20, 2015, 11:05:58 am »

Hi there!

Glad to know that this new version was ok.. nonetheless, I am surprised of what happened though. As far as I am aware no one else experienced this as otherwise we would have been informed by the rest of the Community. Any chance a malware got into your server somehow else?

I will ask my colleagues to double and triple check just in case though.

Best regards,
Francisco

franponce87 · « **Reply #4 on:** May 20, 2015, 02:31:51 pm »

So, my colleagues looked into the matter and they told me that the 3.1.2.2 version at SF is ok and has not been changed, so if you downloaded the system from there, the hacking may come from somewhere else, but not from our source code.

Just to be safer, we will keep our eyes open and keep on investigating, and if anything, we will make a major announcement.

Should anyone find anything else related to this, please do comment here or drop me a private message.

Thank you.

nunoleite · « **Reply #5 on:** May 22, 2015, 06:47:31 am »

Hi!

So far so good with version 3.1.5.1.

What is strange is that i have lots of other sub-domains and none of them was hacked. And in the case of Feng Office every single file was overwritten.

As this is very easy to do with a simple script, if the attack came from another account inside the server or even the server it self, it would happened to all accounts, and all php files. I even have other users with Feng Office 3.1.2.2 installed in their sub-domains and none where hacked. Only this one was hacked. This is why i thing this is very strange.

This Feng Office is used by only 2 users and has almost no content. It has some tasks and documents and 2 email accounts. Could it be from a bad email? This is the only thing that i think it could be the cause of this.
Has i don't those email accounts in Feng Office, i just deleted all the emails and the accounts.

So, now let's wait and see if it happens again.

Thank you.

Feng Forum

News:

Author Topic: Feng Office 3.1.2.2 hacked (Read 4719 times)

nunoleite

Feng Office 3.1.2.2 hacked

franponce87

Re: Feng Office 3.1.2.2 hacked

nunoleite

Re: Feng Office 3.1.2.2 hacked

franponce87

Re: Feng Office 3.1.2.2 hacked

franponce87

Re: Feng Office 3.1.2.2 hacked

nunoleite

Re: Feng Office 3.1.2.2 hacked