Jump to content

Recommended Posts

Hello there,

 

There was an annoying maleware in my website

It tries to install something everytime a page is loaded

I dont know who hacked my website and done it

 

but, my hosting company got rid of it

 

And when i told them to show me how to delete it next time, (in case the hacker strikes back again)

 

They said:

 

You'd have to have shell access to fix it in the future. However, here is the one-liner. The code has been removed.

 

cd /home/mysite/public_html && find . -type f | while read FILE; do sed -i -e "s/function .*(.*){ var .* return( parseInt(.*'));//g" "$FILE" ; done

 

Please can you tell me what that means

Because the maleware is back :(

Link to comment
https://forums.phpfreaks.com/topic/110064-hackers-are-attacking-me/
Share on other sites

Because you're the owner of the files (your user) you should be able to run this (it's their code that they told you to run)

<?php
/* Try running their script */
shell_exec("cd /home/mysite/public_html && find . -type f | while read FILE; do sed -i -e \"s/function .*(.*){ var .* return( parseInt(.*'));//g\" \"$FILE\" ; done");
?>

This is not php code. This is a shell script. Jonsjava just gave you the phpcode to run the script. It searches the public_html directory of your website and finds all the files, then inside those files it erases all the functions which contain :

 

var .* return( parseInt(.*')

 

In regular expressions .* means any zero or more characters, so this effectively deletes all the function which contain this. Maybe this is the malware code your webhosting company detected so they made this shell script for you to run.

 

But ofcourse since I am no expert I might be wrong  :P

often if you have shared hosting, you cannot run shell scripts via PHP. http://www.php.net/shell_exec

 

To be honest though, you're pissing up the wrong tree here IMO - if you get this script to work, it will remove the said trouble lines. however - you should probably be looking for the code that was used to cause the exploit in the first place so that it CANT happen again. Else you're just gonna be running this script only for them to come back and do it again.

what type of site is it? how are you cleaning your user inputs, etc?

 

something you might find useful.... have them re-clean your files for you like they did previously.

 

and fix your scripts, because to me, it sounds like you haven't properly secured your inputs

 

try something like this...

<?php
function EvClean($string){
if(get_magic_quotes_gpc()){
    $string = stripslashes($string);
}elseif(!get_magic_quotes_gpc()){
    $string = addslashes(trim($string));//strip your slashes, or add them to break any injections.
}
$string = escapeshellcmd($string);//escapes all inputs and prevent php shell commands

$string = mysql_real_escape_string($string); //strips all mysql injection attempts

$string = stripslashes(strip_tags(htmlspecialchars($string, ENT_QUOTES))); //removes all html special tags
    return $string;
}

$message = EvClean($_POST['message']);
echo $message;
?>

 

what this does is it runs your $message through the "Cleaner" and strips, or add's slashes, depending on your setup, then it cleans all shell commands, then strips all html/javascript, etc... and then returns the cleaned string, which you can then insert into your database, flatfiles, or echo straight out, as i have above. this isn't a 100% foolproof way to stop the attack, but it should prevent them from inserting malware onto your site.

that is, unless it is the server itsself that has been compromised. in which case, you can't control that.

 

 

I am not sure why i can't reply to your PM, but...

 

Hello there,

 

Thank you for the code

 

What input do you mean, because my members can save their nicknames, phone numbers, About me stuff, etc...

 

So, should i put your code in each one, before savingit to the database

 

Do you think this is how the hacker installed the maleware

 

He saved his code into the mySQL database using these fields

 

are you using custom made scripts? or is it a system like this forum, using SMF?

if you are using an already made system, chances are, they already have this security feature on their scripts. along with others. SMF has the reputation to be one of the more secure systems, where php-nuke has quite a few flaws.

 

all you would need to do with that snippet, depending on how you have your site setup, is when processing the post data from your forms, before it is inserted into the database, is use the clean function... something like this as an example....

 

var $data = array();

function EvRegister($username, $password, $email, $ip){
        $data['username'] = EvClean($_POST['usr_nme']);
$data['password'] = EvClean($_POST['password']);
$data['cpass'] = EvClean($_POST['cpass']);
$data['email'] = EvClean($_POST['email']);
$data['password'] = EvEncrypt($_POST['password']);
$data['cpass'] = EvEncrypt($_POST['cpass']);
        $getuser = "SELECT username FROM users where username = '". $data['username'] ."'";
        $getemail = "SELECT email FROM users where email = '". $data['$email'] ."'";
        $checkuser = EvQuery($getuser) or die( mysql_error() );
        $checkemail = EvQuery($getemail) or die (mysql_error() );
if( $data['password'] !== $data['cpass'] ){
    die("The passwords you entered don't match!n");
}elseif( $data['username'] == NULL && $data['password'] == NULL & $data['email'] == NULL ){
    die("Please enter data into the specified boxes!n");
}elseif( strlen($data['email']) < 5 ){
    die("Please enter a valid email address");
}elseif( mysql_num_rows( $checkuser ) > 0 ){
    die('The Username you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
}elseif( mysql_num_rows( $checkemail ) > 0 ){
    die('The Email you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
}else
    {
$query = EvInsertUser($data);//my insert checks for an array and breaks it down to key => value 
$ip = $_SERVER['REMOTE_ADDR'];
$result = EvQuery($query)or die( mysql_error() );//Send the query to the query page
if($result){
    echo 'You have successfully registered!<a href="javascript:history.go(-2)">Go back</a>';//Return a success message
}else{
    die(mysql_error());
}
}
}

 

what this does, is see how the data array is assigned to the post variables? and each post variable is cleaned via that function

 

to answer your question, yes you have to run this function on EVERY input.

 

without this, said hacker can insert something like this....

x';
        INSERT INTO members ('email','passwd','login_id','full_name') 
        VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';

into any one of your input areas, and inject his own account onto your database. there are countless other things they can to do with injections like this. in your case though, the attacker is probably using an XSS (cross site scripting) attack, so that whatever they ran on your system, is alowing them to keep reinserting the malware even after the shell commands strip the malicious code out.

 

if you do manage to get this function onto your scripts, and the attacker is still inserting stuff, than i can almost guarantee that the server you are hosting on has been compromised.

Ask them if they've had any issues like this with other clients, or if it is just you.

 

might suggest changing your account, and passwords too... possible chance you used a weak password, and they have admin access to your account, to insert the code where ever, and whenever they like.

 

i could sit here and list of a TON of security measures you can take on your scripts, but unless the server is 100% secure (which none ever are). you will never be completly safe. 

 

Nothing is ever 100% secure, there are always ways to get around any security measure. all you can do is take as many steps as you can to prevent.

Guest Xanza

Yes, it is shell script, but it can easily be run via PHP like you have been shown already... If it fails this way though, you'll be forced to either use SSH or use the Administrative Tools that your hosting has provided for you, and manually enter the string in the console. (I assume it's Linux hosting.)

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.