As part of my job here at Acunetix, from time to time I analyze source code looking for security problems. Using this information I adjust Acunetix WVS to detect these problems automatically (when possible).

Monday, I downloaded e107 from e107.org and started analyzing the code. e107 is a popular content management system written in PHP.

Looking through the code, the following lines drew my attention:

The first line

if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

is used for authentication. If you modify your browser cookies and set a cookie named access-admin to a value whose MD5 hash is 'cf1afec15669cb96f09befb7d70f8bcb' (i.e. md5(value) = 'cf1afec15669cb96f09befb7d70f8bcb'), you get access to a PHP shell.

As I didn't know the exact value to use, I commented out this line to see what the PHP shell looks like and what can be done with it.

It's a known PHP shell, I've seen it before a few times. It's pretty powerful: you can execute system commands, execute PHP code, edit and rename files, and create files and/or directories. You can also upload new files and browse the file system using the current web server privileges.

BTW, if you search on Google using a few words from this shell (like ~:(expl0rer):~) you will find a bunch of live shells indexed by Google. Most of these sites seem to be running RSGallery (a Joomla! component). I will try to contact these people about their websites being hacked.

Back to e107: I’ve informed the guys from e107.org and a few hours later the problem was fixed.

Here is what happened:

  1. A few days ago, somebody found and exploited an e107 0day (for 0.7.16) on some websites. The e107 guys were informed about this and released 0.7.17 to fix this problem.
  2. However, I suspect that by this point they were already hacked themselves, because they are running e107 on e107.org and they were an obvious target.
  3. The attackers waited until the security fix (0.7.17) was released and then modified the zip file to include the backdoor.
  4. At this point, most e107 site owners were rushing to upgrade because of the security update announcement, and I suspect that many people have downloaded the backdoored archive.

So, if you've downloaded e107 this weekend, you have a backdoored archive: remove it from your website and download a new copy.
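One way to check an unpacked download for the kind of hardcoded cookie check quoted above, as an added example written for this post (it is not Acunetix or e107 code): it flags any PHP line where an md5/sha1 of a cookie value is compared against a hash literal, while leaving ordinary login code that compares against a stored value alone. The regex, the directory-walking helper and the sample PHP are my own assumptions about what such a backdoor looks like.

```python
import re
import sys
from pathlib import Path

# Matches a hashed cookie value compared against a hardcoded hash literal,
# e.g.  md5($_COOKIE['access-admin']) == "cf1a..."   (the line from the post).
# ==, ===, != and !== are covered; the right-hand side must be a 32-hex (md5)
# or 40-hex (sha1) literal, which is what a baked-in backdoor password looks
# like. Comparing against a variable or database column does not match, so
# ordinary login code is not reported.
COOKIE_HASH_RE = re.compile(
    r"""\b(?P<algo>md5|sha1)\s*\(\s*\$_COOKIE\s*\[\s*['"](?P<cookie>[^'"]+)['"]\s*\]\s*\)
        \s*(?:===?|!==?)\s*['"](?P<hash>[0-9a-fA-F]{32}|[0-9a-fA-F]{40})['"]""",
    re.VERBOSE,
)

def find_cookie_hash_backdoors(source, filename="<string>"):
    """Return one finding per match in PHP source text: file, 1-based line,
    hash algorithm, cookie name and the (lowercased) hardcoded hash."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in COOKIE_HASH_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "algo": m.group("algo"), "cookie": m.group("cookie"),
                             "hash": m.group("hash").lower()})
    return findings

def scan_tree(root):
    """Scan every *.php file below root, e.g. an unpacked e107 download."""
    results = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        results.extend(find_cookie_hash_backdoors(text, str(path)))
    return results

# Constructed sample: the backdoor check quoted in the post plus ordinary
# login code that compares against a stored value and must not be reported.
SAMPLE_PHP = r'''<?php
if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {
    include 'shell.php';
}
if (md5($_POST['pass']) == $row['pass_hash']) { login($row); }
'''

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_cookie_hash_backdoors(SAMPLE_PHP)
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['algo']}($_COOKIE['{h['cookie']}']) == {h['hash']}")
```

Run it with the path of the unpacked archive as the first argument; with no argument it scans the embedded sample and reports the access-admin check on line 2.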

THE AUTHOR
Bogdan Calin
