Author Topic: Feng Office 3.1.2.2 hacked  (Read 4729 times)

nunoleite

  • Newbie
  • *
  • Posts: 5
    • View Profile
Feng Office 3.1.2.2 hacked
« on: April 10, 2015, 03:37:28 am »
Hi!

Tonight my sub domain with Feng Office 3.1.2.2 was hacked. This comunitty version is not very used, it's almost never used. The last thing done was 2 weeks ago when i updated to 3.1.2.2

These files where instroduced:
help.htm   75bytes
help.html   67bytes
info.htm   75bytes
info.html   67bytes
info.php   21.135bytes (i think this is the bad file)
tmp/sh.php   68bytes
tmp/systemscash.php   68bytes

All the content of the sub domain where feng office is where overrided...
Files php and html where written with the content:
<?php
header('Location: xxxxx');
exit;
?>

In my logs the first lines of the attack are these:
5.61.37.14 - - [09/Apr/2015:20:21:56 +0100] "GET /tmp/systemscash.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:56 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 24131 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 28977 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:21:57 +0100] "POST /tmp/systemscash.php HTTP/1.1" 200 29611 "/tmp/systemscash.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:23:54 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:23:54 +0100] "POST /info.php HTTP/1.1" 200 29586 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:06 +0100] "GET /info.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:06 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:07 +0100] "POST /info.php HTTP/1.1" 200 29586 "info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:10 +0100] "POST /info.php HTTP/1.1" 200 9791 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"
5.61.37.14 - - [09/Apr/2015:20:24:11 +0100] "POST /info.php HTTP/1.1" 200 15635 "/info.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.1.8) Gecko/20060728 Firefox/3.5.8"

And then, continues with the same data for about 5000 lines.

It's weird that it starts with a GET to a file that doesn't existed before.

Do you know anything about this?

Thanks
Nuno Leite

franponce87

  • Administrator
  • Hero Member
  • *****
  • Posts: 1819
    • View Profile
    • Email
Re: Feng Office 3.1.2.2 hacked
« Reply #1 on: May 19, 2015, 11:53:17 am »
 :o :o
Where did you upgrade it from?
Would you like to install Feng Office Professional or Enterprise Edition in your servers? No problem! Read this article!

nunoleite

  • Newbie
  • *
  • Posts: 5
    • View Profile
Re: Feng Office 3.1.2.2 hacked
« Reply #2 on: May 19, 2015, 03:59:01 pm »
Hi!

I always use your official downloads, from SourceForge.

I had replaced today for a backup that was good, and updated to 3.1.5.1.

Let's see the next days....

It was very strange as this is one of my sub-domains, and i have some with other scripts, and only this one was hacked.....

franponce87

  • Administrator
  • Hero Member
  • *****
  • Posts: 1819
    • View Profile
    • Email
Re: Feng Office 3.1.2.2 hacked
« Reply #3 on: May 20, 2015, 11:05:58 am »
Hi there!

Glad to know that this new version was ok.. nonetheless, I am surprised of what happened though. As far as I am aware no one else experienced this as otherwise we would have been informed by the rest of the Community. Any chance a malware got into your server somehow else?

I will ask my colleagues to double and triple check just in case though.

Best regards,
Francisco
Would you like to install Feng Office Professional or Enterprise Edition in your servers? No problem! Read this article!

franponce87

  • Administrator
  • Hero Member
  • *****
  • Posts: 1819
    • View Profile
    • Email
Re: Feng Office 3.1.2.2 hacked
« Reply #4 on: May 20, 2015, 02:31:51 pm »
So, my colleagues looked into the matter and they told me that the 3.1.2.2 version at SF is ok and has not been changed, so if you downloaded the system from there, the hacking may come from somewhere else, but not from our source code.

Just to be safer, we will keep our eyes open and keep on investigating, and if anything, we will make a major announcement.

Should anyone find anything else related to this, please do comment here or drop me a private message.

Thank you.
Would you like to install Feng Office Professional or Enterprise Edition in your servers? No problem! Read this article!

nunoleite

  • Newbie
  • *
  • Posts: 5
    • View Profile
Re: Feng Office 3.1.2.2 hacked
« Reply #5 on: May 22, 2015, 06:47:31 am »
Hi!

So far so good with version 3.1.5.1.

What is strange is that i have lots of other sub-domains and none of them was hacked. And in the case of Feng Office every single file was overwritten.

As this is very easy to do with a simple script, if the attack came from another account inside the server or even the server it self, it would happened to all accounts, and all php files. I even have other users with Feng Office 3.1.2.2 installed in their sub-domains and none where hacked. Only this one was hacked. This is why i thing this is very strange.

This Feng Office is used by only 2 users and has almost no content. It has some tasks and documents and 2 email accounts. Could it be from a bad email? This is the only thing that i think it could be the cause of this.
Has i don't those email accounts in Feng Office, i just deleted all the emails and the accounts.

So, now let's wait and see if it happens again.

Thank you.