Secret Backdoor Found on Facebook Server

April 22, 2016


Facebook's security team recently found a hidden backdoor on one of its servers. According to the team, a black-hat hacker with malicious intent had probably breached the server and installed a backdoor configured to steal Facebook employees' login credentials.

The security team stated that:

The backdoor was found on Facebook's corporate server, not on its main server; Facebook user accounts are not affected by this incident.

Security researcher Orange Tsai of the Taiwanese security vendor Devco accidentally came across a backdoor script on one of Facebook's corporate servers while hunting for bugs to earn a cash reward from Facebook's bug bounty program.

Tsai scanned Facebook's IP address space, which led him to the files.fb.com domain. It was hosting a vulnerable version of the Secure File Transfer application (FTA) made by Accellion, which Facebook employees used for file sharing and collaboration.

Tsai analyzed the vulnerable FTA and discovered seven security flaws, as he explained in his blog post:

  • Cross-Site Scripting x 3
  • Pre-Auth SQL Injection leads to Remote Code Execution
  • Known-Secret-Key leads to Remote Code Execution
  • Local Privilege Escalation x 2


Report

Tsai wrote in his blog:

After taking control of the server successfully, the first thing is to check whether the server environment is friendly to you. To stay on the server longer, you have to be familiar with the environment, restrictions, logs, etc., and try hard not to be detected. 😛

There are some restrictions on the server:

  1. Firewall: outbound connections unavailable, including TCP, UDP, and ports 53, 80 and 443
  2. Remote Syslog server
  3. Auditd logs enabled

Although the outbound connection was not available, it looked like an ICMP tunnel was working. Nevertheless, this was only a Bug Bounty Program; we could simply control the server with a webshell.

Was There Something Strange?

While collecting vulnerability details and evidence for reporting to Facebook, I found some strange things in the web log.

First of all, I found some strange PHP error messages in "/var/opt/apache/php_error_log". These error messages seemed to be caused by someone modifying code online?

After successfully achieving his goal, Tsai analysed the Facebook server logs. There he spotted a well-known PHP web shell script that had possibly been installed on the server by a malicious hacker.
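The clue that gave the web shell away was PHP error messages from code being edited in place. As an added illustration (not code from the original article or from Tsai's write-up), the following Python script applies that observation defensively: it parses lines in PHP's default error_log format and flags files that raise parse or fatal errors, run from outside the application root, or run from directories that should only hold data. The log lines, the application root and the directory names are constructed for the example.

```python
import re

# Constructed sample lines in PHP's default error_log format; every path and
# file name here is invented for the example, none is from the incident.
SAMPLE_LOG = """\
[20-Apr-2016 03:12:44 UTC] PHP Notice:  Undefined index: uid in /var/www/app/login.php on line 88
[20-Apr-2016 03:15:02 UTC] PHP Parse error:  syntax error, unexpected '}' in /var/www/app/images/x.php on line 3
[20-Apr-2016 03:15:41 UTC] PHP Warning:  include(): failed to open stream in /tmp/.c/s.php on line 1
[20-Apr-2016 03:16:10 UTC] PHP Parse error:  syntax error, unexpected end of file in /var/www/app/images/x.php on line 9
[20-Apr-2016 03:20:33 UTC] PHP Notice:  Undefined variable: q in /var/www/app/search.php on line 12
"""

# Default PHP log line: "[timestamp] PHP <level>:  <message> in <file> on line <n>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*) "
    r"in (?P<file>\S+) on line (?P<line>\d+)$"
)

# A parse or fatal error means a file was changed (or dropped) and executed while
# broken. Tested deployments rarely do that; an intruder editing code live does.
EDIT_LEVELS = {"Parse error", "Fatal error"}


def parse_line(line):
    """Return the fields of one PHP error_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_files(log_text, app_root="/var/www/app", data_dirs=("images", "uploads", "tmp")):
    """Map each suspicious PHP source file to the set of reasons it was flagged."""
    root = app_root.rstrip("/") + "/"
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["file"]
        hits = set()
        if path.startswith(root):
            # Directories between the root and the file; data directories should hold no PHP.
            dirs = path[len(root):].split("/")[:-1]
            if any(d in data_dirs for d in dirs):
                hits.add("code in data directory")
        else:
            hits.add("outside app root")
        if rec["level"] in EDIT_LEVELS:
            hits.add("live-edited code")
        if hits:
            flagged.setdefault(path, set()).update(hits)
    return flagged


if __name__ == "__main__":
    for path, why in sorted(suspicious_files(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(sorted(why))}")
```

Run against a real php_error_log, the same rules would surface the unexpected files and repeated syntax errors that point at a script being written to the web root by hand; the application root and data directory names must of course be adjusted to the deployment.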

Tsai then reported all of his findings to the Facebook security team, which rewarded him with $10,000 (€8,850) for his efforts.
