  1. #1 (SitePoint Guru)

    dz.php and private.php

    Has anyone run into these files before?

    A client had these files added to a page of their site, which were uploaded as an image. First off, I don't know how any hacker could have gotten access to the Admin section of the site where images can be added. The client has no idea where they came from. I also don't think the image upload script would accept a file with a php extension, yet the name of the file was added into the database in the image column for the page in question as if the upload script worked. I will be looking into that.

    My question is, has anyone seen these files before? They look like machine-code when viewing them.

    There is a possibility that an approved user (owner's wife) uploaded an image from, say, a WORD file or something. Still not sure. Any ideas?

  2. #2 Mittineague (Programming Team)
    WordPress site?

    Look to be Shell script

    à la Google:
    Website Auto Shell Finder Private Scripts - MaDLeeTs
    www.madleets.com Coding Languages Perl, Python, Ruby
    Oct 4, 2013 - Website Auto Shell Finder Private Scripts. Asalam u Alikum All .... 'whmcs/downloads/dz.php','L3b.php','d.php','tmp/d.php','tmp/L3b.php' ...

  3. #3 (SitePoint Guru)
    No, it's not a WordPress site. The page does have a "comments" form on it which has been attacked on a regular basis by spam bots. I've blocked around 300 IPs hitting the page/form with ads. This form, though, is not related to the file uploads in any way that I'm aware of. Completely different section of the site and database table, but as far as the public is concerned, it is the same page where the files were found.

  4. #4 (SitePoint Guru)
    Looking up whmcs/downloads/dz.php brings up a bunch of hacker sites. Boy this sounds like trouble. I wonder how it could have been added where it was found? As mentioned before, the upload section is in Admin.

  5. #5 wwb_99 (SitePoint Author)
    Are you running any popular open source control panel or management software on this site? There are lots of ways to exploit something to upload a malicious file, and once they get a file up there it is trivial to download other malicious files.

  6. #6 (SitePoint Guru)
    wwb_99, no. There's no open source code on this site. It is using a back office I made some years ago. In Admin there are a number of checks to validate the user on each page before they would have access to where the upload script would process to the DB. I'm still suspecting (a valid user) may have tried to upload what they thought was a valid image, but maybe it was a partially downloaded image or an image that was changed, like from a WORD document. I have not heard back from the owner yet.

  7. #7 Mittineague (Programming Team)
    Maybe an FTP hijacking of some sort?

    Or if a shared host, maybe from another site?

  8. #8 (SitePoint Guru)
    Well, the thing is these files were added using the image upload script, which resizes "images" and puts them into four different directories, Slides, Thumbs etc. So each of these folders had a copy of the two files.
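    An added example, not the original poster's upload script, of the checks a custom image upload handler can apply before any copy is written into the Slides, Thumbs and other directories or a name is stored in the image column: an extension allowlist, a check that the bytes really carry that image type's signature, and a server-generated filename. The allowlist, the sample bytes and the helper names are constructed for this example.

```python
import os
import secrets

# Constructed allowlist: extension -> signatures a genuine file of that type starts with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised before any resized copy is written or any name reaches the database."""

def validate_image_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated filename for an accepted image, else raise.

    The extension check refuses .php outright; the signature check refuses PHP
    source hidden behind an image extension; the server-chosen name keeps the
    client-supplied filename out of the image column entirely.
    """
    base = os.path.basename(client_name.replace("\\", "/"))  # drop any path parts
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected(f"content is not a {ext} image")
    return secrets.token_hex(8) + ext

def triage(samples: dict) -> dict:
    """Run every sample through the validator and map name -> verdict."""
    verdicts = {}
    for name, data in samples.items():
        try:
            verdicts[name] = "accepted as " + validate_image_upload(name, data)
        except UploadRejected as err:
            verdicts[name] = f"rejected: {err}"
    return verdicts

# Constructed samples: a real PNG header, a .php name, and PHP text behind a .jpg extension.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "dz.php": b"<?php /* constructed stand-in, not the real file */ ?>",
    "private.php.jpg": b"<?php /* constructed stand-in */ ?>",
}
```

    Re-encoding the accepted image with the resizing library before saving it is a further step the resize stage can add, since the signature check only covers the first bytes.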

  9. #9 dklynn (Certified Ethical Hacker)
    Drummin,

    If these files have been uploaded to your website (they have been), then you may assume that you've been hacked via these files. I have provided a checklist for getting control of your website after being hacked (it's been about a year) but you need to (1) change your login password(s) - make them strong (http://strongpasswordgenerator.com), (2) DELETE EVERYTHING and (3) RELOAD EVERYTHING from your master set of files. After that, I'd also recommend adding your own files to create daily hashes of all your files and compare them with the last daily hashes so you know which files have been changed (and compare that list with your known changes - yes, I've written a SitePoint article on that, too, and included code [which needed to be updated after the original posting - ARGH!]).

    If you need either the full checklist or the article with its code, you may PM me for those but please check SitePoint's system first.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK) Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write mod_rewrite regex w/sample code) and Code Generator
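    The daily file-hash comparison dklynn describes, as an added example in Python rather than the article code he refers to: hash every file under the site root, diff against yesterday's snapshot, and report what was added, removed or changed. The directory layout, file names and snapshot path are constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_tree(root: str) -> dict:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for full in sorted(Path(root).rglob("*")):
        if full.is_file():
            # Whole-file read keeps the example short; stream in chunks for large trees.
            digests[full.relative_to(root).as_posix()] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests

def compare(previous: dict, current: dict) -> dict:
    """List paths that are new, gone or modified since the previous snapshot."""
    prev, cur = set(previous), set(current)
    return {
        "added": sorted(cur - prev),
        "removed": sorted(prev - cur),
        "changed": sorted(p for p in prev & cur if previous[p] != current[p]),
    }

def daily_check(root: str, snapshot_path: str) -> dict:
    """Hash root, diff against the stored snapshot, then overwrite the snapshot."""
    snap = Path(snapshot_path)  # keep it outside the web root so it cannot be tampered with
    current = hash_tree(root)
    previous = json.loads(snap.read_text(encoding="utf-8")) if snap.exists() else {}
    report = compare(previous, current)
    snap.write_text(json.dumps(current, indent=1, sort_keys=True), encoding="utf-8")
    return report

def demo() -> dict:
    """Constructed site tree: baseline on day 1, then an unexpected file on day 2."""
    with tempfile.TemporaryDirectory() as tmp:
        site, snap = Path(tmp) / "site", Path(tmp) / "hashes.json"
        for rel in ("index.php", "Slides/1.jpg", "Thumbs/1.jpg"):
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_bytes(b"original")
        daily_check(str(site), str(snap))  # day 1: baseline, everything reports as added
        (site / "Thumbs" / "dz.php").write_bytes(b"constructed")  # day 2: new file appears
        (site / "index.php").write_bytes(b"modified")
        return daily_check(str(site), str(snap))
```

    Run `daily_check` from cron once a day and compare the "added" and "changed" lists against your own deployment log; anything not on it deserves a look.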

  10. #10 TechnoBear
    Originally posted by dklynn:
    "I have provided a checklist for getting control of your website after being hacked"
    Do you mean this one, in the sticky? http://www.sitepoint.com/forums/show...=1#post5324870
