OCS 2.3.6.0 malware injection

My hosting provider has notified me of malware that Imunify has detected on my OCS. I can clean these files, but I would like to know where the vulnerability is. Perhaps there are experts who can tell me, or those who have encountered similar cases. I'm not sure whether it is worth uploading the code of the files, so I will only indicate their names.

/245-189-1-SM.phtml
/shell.phtml

Thanks in advance for your answers.

Hello @Heorhii

Thank you for your interest in Open Conference Systems (OCS). Please note that OCS is no longer supported or maintained by PKP. However, other community members may wish to offer assistance.

-Roger
PKP Team

Hi @rcgillis. Thanks for the answer. I know OCS has stopped updating, but it’s a great product. I hope there are people who have solved this problem.

Hi @Heorhii,

It’s hard to know without more information, but the likeliest attack vector will be an incorrectly configured files_dir (see config.inc.php). Is your files_dir located inside your web root? If so, a malicious user could upload a .phtml file as a submission document, then guess the URL to the files directory and invoke it directly through the web server to execute it. For this reason it’s important to put the files_dir outside the web root, or protect it from direct access using an .htaccess file or similar mechanism.

However, the existence of a .phtml file inside the files_dir is not evidence of a successful attack; it’s possible that a malicious user was attempting to guess a direct URL but was not able to.

Regards,
Alec Smecher
Public Knowledge Project Team

Hello @asmecher! As always, thanks for your prompt reply! The config settings are at their defaults; the directory with the files is located in the OCS directory. At the moment, I have determined from the access log who did it, and added 2 IPs to the ban list.
I did not delete these two files, but removed the permissions.
I was going to delete them, but I thought you might want to take a look at this. If you have the time and desire to look at this, I can provide you with access to these 2 files via the web form and/or send the files themselves directly. I can also provide the logs of this person's actions. I'm not sure, but maybe this will help avoid similar cases for other community members.

Hi @Heorhii,

The files directory should not be located in the OCS directory unless you take steps to protect it; see docs/README:

        * Install OCS so that the files directory is NOT a subdirectory of
          the OCS installation and cannot be accessed directly via the web
          server.

Until you move it elsewhere, or protect it from direct access e.g. using a .htaccess file, your system will probably continue to be occasionally attacked.

The .phtml files are probably just generic back-door scripts, and won’t be very interesting.

Regards,
Alec Smecher
Public Knowledge Project Team
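The two replies above both come down to one check: is files_dir reachable through the web server, and if it has to stay under the web root, is it shielded by an .htaccess? The script below is an added example written for this thread, not code from PKP or OCS; it reads files_dir from config.inc.php, resolves a relative value against the install directory (assumed here to be how OCS treats it), and reports whether the directory sits inside the given document root without a denying .htaccess.

```shell
#!/bin/sh
# Added example, not code from the PKP forum thread or from OCS itself:
# check whether the files_dir configured in an OCS config.inc.php
# resolves inside the web document root, and if so whether an .htaccess
# in it denies direct access. Usage: ocs_files_dir_check CONFIG DOCROOT

# Read the files_dir value (quoted or bare) from config.inc.php.
ocs_files_dir_value() {
    sed -n 's/^[[:space:]]*files_dir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*[^"[:space:]]\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed when directory $1 is inside (or equal to) directory $2,
# comparing canonical paths so symlinks and ".." cannot fool the check.
path_inside() {
    inner=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    outer=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$inner/" in
        "$outer"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict; return 0 when files_dir is not directly web-reachable, 1 otherwise.
ocs_files_dir_check() {
    config=$1 docroot=$2
    files_dir=$(ocs_files_dir_value "$config")
    [ -n "$files_dir" ] || { echo "no files_dir found in $config"; return 1; }
    # Assumption: a relative files_dir is resolved against the OCS install directory.
    case "$files_dir" in
        /*) ;;
        *) files_dir="$(dirname "$config")/$files_dir" ;;
    esac
    [ -d "$files_dir" ] || { echo "files_dir $files_dir does not exist"; return 1; }
    if ! path_inside "$files_dir" "$docroot"; then
        echo "OK: files_dir $files_dir is outside the document root"
        return 0
    fi
    # Inside the web root is tolerable only with an .htaccess that denies access.
    if [ -f "$files_dir/.htaccess" ] &&
       grep -Eqi '^[[:space:]]*(Deny from all|Require all denied)' "$files_dir/.htaccess"; then
        echo "WARN: files_dir $files_dir is under the web root but .htaccess denies direct access"
        return 0
    fi
    echo "VULNERABLE: files_dir $files_dir is web-reachable; an uploaded .phtml could be executed"
    return 1
}

# Stand-alone usage: sh ocs_files_dir_check.sh /path/to/config.inc.php /var/www/html
if [ "$#" -eq 2 ]; then ocs_files_dir_check "$1" "$2"; fi
```

An .htaccess only helps when Apache honours it (AllowOverride) and the web server is Apache; moving files_dir out of the document root, as the README quoted above says, works regardless of server.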

They have an interface) For me, this is a very rare and interesting case: an injection which has a web interface.

Hi @Heorhii,

It’s actually pretty common for a remote-code execution vulnerability to be used to install a web-based backdoor script.

Regards,
Alec Smecher
Public Knowledge Project Team

Unfortunately or fortunately, this is the first time in my practice. The initial installation was not done by me; I will try to bring our OCS into the correct form. Thanks for the recommendations!

P.S. Maybe someone else will make a mistake like mine and can find some advice by searching.

The IP addresses from which the attack occurred and the name of the software:
180.247.76.194
36.74.15.62
Shell CowoKerensTeam v1.5 Mini Shell Backdoor
