Server PHP Security Issues with Bottega Theme


    #6590
    CHRISTOPHER BOYD
    Participant

    Hi,

    I have been using the Bottega Theme for about a month without any problems, but yesterday whenever I tried to update an existing page or add images a PHP security error started appearing. After spending a day investigating, the host determined that the theme itself appears to be running code which appears to attack the server. Not good.

    Here are more details along with error log information we put together:

    When you run code that appears to be attacking the server, it is not good. As long as there are no issues that occur as a result of me disabling those rules, we can leave it be. However, should something happen that requires the rules to be put back in place, then you will need to either modify your code to not appear malicious or move the site to a dedicated server on which our security restrictions would not apply.

    The following is from the log which you can give them if desired:

    [Tue Jun 26 16:08:44 2012] [error] [client 68.233.224.156] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=5): Possible XSS Attack Detected - HTML Tag Handler"] [hostname "baxters.u23.icwebgroup.com"] [uri "/php5bin/php/wp-admin/admin-ajax.php"] [unique_id "T@oWy0JgUAkAAEJ9YKgAAAAE"]

    [Tue Jun 26 16:08:58 2012] [error] [client 68.233.224.156] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\binsert\b\W*?\binto\b" at ARGS:send[234]. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "264"] [id "959015"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/media-upload.php"] [unique_id "T@oW2kJgUAkAAEJ7W3UAAAAC"]

    [Tue Jun 26 16:09:43 2012] [error] [client 68.233.224.156] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=5): Possible XSS Attack Detected - HTML Tag Handler"] [hostname "baxters.u23.icwebgroup.com"] [uri "/php5bin/php/wp-admin/admin-ajax.php"] [unique_id "T@oXB0JgUAkAAEJ6WMkAAAAB"]

    [Tue Jun 26 16:11:43 2012] [error] [client 68.233.224.156] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=5): Possible XSS Attack Detected - HTML Tag Handler"] [hostname "baxters.u23.icwebgroup.com"] [uri "/php5bin/php/wp-admin/admin-ajax.php"] [unique_id "T@oXf0JgUAkAAEYmgusAAAAO"]

    [Tue Jun 26 16:14:43 2012] [error] [client 68.233.224.156] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=5): Possible XSS Attack Detected - HTML Tag Handler"] [hostname "baxters.u23.icwebgroup.com"] [uri "/php5bin/php/wp-admin/admin-ajax.php"] [unique_id "T@oYM0JgUAkAAEcVkLIAAAAD"]

    [Tue Jun 26 16:19:11 2012] [error] [client 173.162.214.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\bsrc\b\W*?\bhttp:" at ARGS:content. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_xss_attacks.conf"] [line "157"] [id "958030"] [rev "2.2.0"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/post.php"] [unique_id "T@oZPkJgUAkAAE7Ok3YAAAAP"]

    [Tue Jun 26 16:19:20 2012] [error] [client 173.162.214.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\bsrc\b\W*?\bhttp:" at ARGS:content. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_xss_attacks.conf"] [line "157"] [id "958030"] [rev "2.2.0"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/post.php"] [unique_id "T@oZSEJgUAkAAE7NkHkAAAAO"]

    [Tue Jun 26 16:22:03 2012] [error] [client 173.162.214.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\bsrc\b\W*?\bhttp:" at ARGS:content. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_xss_attacks.conf"] [line "157"] [id "958030"] [rev "2.2.0"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "T@oZ60JgUAkAAFLGewUAAAAH"]

    [Tue Jun 26 16:22:29 2012] [error] [client 173.162.214.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\bsrc\b\W*?\bhttp:" at ARGS:content. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_xss_attacks.conf"] [line "157"] [id "958030"] [rev "2.2.0"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/post.php"] [unique_id "T@oaBUJgUAkAAFLGewYAAAAH"]

    [Tue Jun 26 16:37:46 2012] [error] [client 173.162.214.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:cookie. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_20_protocol_violations.conf"] [line "266"] [id "950109"] [rev "2.2.0"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "T@odmkJgUAkAAF82GmsAAAAF"]

    [Tue Jun 26 16:37:50 2012] [error] [client 173.162.214.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:cookie. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_20_protocol_violations.conf"] [line "266"] [id "950109"] [rev "2.2.0"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"] [hostname "baxters.u23.icwebgroup.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "T@odnkJgUAkAAF82GmwAAAAF"]
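To make entries like the ones above easier to reason about, here is an added example (not from the thread, the host, or the theme's code) that parses ModSecurity 2.x error-log lines into their fields, groups hits by CRS rule id, and marks rules whose hits land only on /wp-admin/ endpoints, where an authenticated editor saving HTML or uploading media is the usual trigger. The sample lines, IPs, hostnames, paths and unique_ids are constructed placeholders, and the wp-admin heuristic is this example's own, not part of ModSecurity.

```python
import re
from collections import defaultdict

# Constructed samples in the ModSecurity 2.x Apache error-log format quoted
# above; IPs, hostnames, paths and unique_ids are placeholders.
SAMPLE_LOG = r'''
[Tue Jun 26 16:08:58 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\binsert\b\W*?\binto\b" at ARGS:send[234]. [file "/etc/modsecurity/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "264"] [id "959015"] [rev "2.2.0"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "blog.example.com"] [uri "/wp-admin/media-upload.php"] [unique_id "EXAMPLE0001"]
[Tue Jun 26 16:19:11 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\bsrc\b\W*?\bhttp:" at ARGS:content. [file "/etc/modsecurity/crs/modsecurity_crs_41_xss_attacks.conf"] [line "157"] [id "958030"] [rev "2.2.0"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "EXAMPLE0002"]
[Tue Jun 26 16:09:43 2012] [error] [client 203.0.113.5] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=, XSS=5): Possible XSS Attack Detected - HTML Tag Handler"] [hostname "blog.example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "EXAMPLE0003"]
[Tue Jun 26 16:37:46 2012] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:cookie. [file "/etc/modsecurity/crs/modsecurity_crs_20_protocol_violations.conf"] [line "266"] [id "950109"] [rev "2.2.0"] [msg "Multiple URL Encoding Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"] [hostname "blog.example.com"] [uri "/wp-login.php"] [unique_id "EXAMPLE0004"]
'''

CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
VAR_RE = re.compile(r' at ([A-Z_]+(?::[^ .]+)?)\.')   # " at ARGS:content."
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')         # [key "value"]
WP_ADMIN_PREFIX = '/wp-admin/'

def parse_line(line):
    """Parse one ModSecurity 2.x error-log entry into a dict (None if not one)."""
    if 'ModSecurity:' not in line:
        return None
    m = CLIENT_RE.search(line)
    entry = {'tags': [], 'client': m.group(1) if m else None,
             'blocked': 'Access denied' in line}      # 403 vs. anomaly warning
    m = VAR_RE.search(line)
    entry['variable'] = m.group(1) if m else None   # request part that matched
    for key, value in FIELD_RE.findall(line):
        if key == 'tag':
            entry['tags'].append(value)             # tag repeats; keep them all
        else:
            entry[key] = value
    return entry

def summarize(log_text):
    """Group entries by CRS rule id and flag rules whose hits all land on
    /wp-admin/, where a logged-in editor saving HTML is the usual trigger."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_rule = defaultdict(lambda: {'count': 0, 'blocked': 0, 'msg': None,
                                   'uris': set(), 'clients': set()})
    for e in entries:
        r = by_rule[e.get('id')]
        r['count'] += 1
        r['blocked'] += int(e['blocked'])
        r['msg'] = e.get('msg')
        r['uris'].add(e.get('uri'))
        r['clients'].add(e['client'])
    admin_only = {rid for rid, r in by_rule.items()
                  if all(u and u.startswith(WP_ADMIN_PREFIX) for u in r['uris'])}
    return entries, dict(by_rule), admin_only
```

Rules that only ever fire on the admin backend, from the editor's own client address, are candidates for an exclusion scoped to those wp-admin paths rather than for switching the rule off site-wide; a rule that also fires on public URIs or from other clients deserves a closer look before anything is relaxed.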

    #6591
    Bill Robbins
    Moderator

    Christopher,

    That’s awful. It sounds like you’ve been hacked. Absolutely I would remove all of those rules.

    To be honest, if you have a backup from before the problem, I would roll back to that just to be sure. Some hacks are self-replicating so removing all traces is the best hope for making sure they don’t come back.

    The theme itself doesn’t use any cross site scripts. Find where the hacker left them and take them out. Make sure your site is well locked down so they won’t be able to break in again.

    If you have any questions or trouble, let me know,
    Bill
