
Hackers are attacking me


npsari


Hello there,

 

There was an annoying piece of malware on my website

It tries to install something every time a page is loaded

I don't know who hacked my website and did it

 

but, my hosting company got rid of it

 

And when i told them to show me how to delete it next time, (in case the hacker strikes back again)

 

They said:

 

You'd have to have shell access to fix it in the future. However, here is the one-liner. The code has been removed.

 

cd /home/mysite/public_html && find . -type f | while read FILE; do sed -i -e "s/function .*(.*){ var .* return( parseInt(.*'));//g" "$FILE" ; done

 

Please can you tell me what that means

Because the malware is back :(


This has nothing to do with PHP, unless you're asking us to help you determine where they are getting in -- in that case you will have to post some of your code.

 

I'm moving this to the Miscellaneous area.

 

Ken


Because you're the owner of the files (your user) you should be able to run this (it's their code that they told you to run)

<?php
/* Try running their script */
// Single-quoted PHP string, so $FILE reaches the shell instead of being
// interpolated by PHP as an (undefined, empty) PHP variable.
echo shell_exec('cd /home/mysite/public_html && find . -type f | while read FILE; do sed -i -e "s/function .*(.*){ var .* return( parseInt(.*\'));//g" "$FILE" ; done');
?>


Ohh, I didn't know this is PHP code

 

Ok, I put it in the /menu/index.php file just now

 

And I ran it

 

However, the malware is still showing

 

Which file should I put it in?

 

Or did you mean something else?


This is not PHP code. This is a shell script. Jonsjava just gave you the PHP code to run the script. It searches the public_html directory of your website and finds all the files, then inside those files it erases all the functions which contain:

 

var .* return( parseInt(.*')

 

In regular expressions .* means any zero or more characters, so this effectively deletes all the functions which contain this. Maybe this is the malware code your web hosting company detected, so they made this shell script for you to run.

 

But of course, since I am no expert, I might be wrong  :P

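The same search the host's sed one-liner performs, written as an added PHP example (not code from the thread or from the hosting company) for the case where shell_exec() is disabled on shared hosting. It walks the web root, reports every file containing the injected function, and only rewrites a file when $dryRun is false, after saving a .bak copy for later analysis. The web root path is taken from the thread; the variable names are assumptions.

```php
<?php
// Added example, not code from the thread: a PHP stand-in for the host's
// sed one-liner. Run it first with $dryRun = true to see what would change.
$webRoot = '/home/mysite/public_html';   // path quoted in the thread
$dryRun  = true;                          // set to false to actually clean the files

// PCRE equivalent of the sed expression
//   s/function .*(.*){ var .* return( parseInt(.*'));//g
// Parentheses and braces are literal in sed's basic regex, so they are escaped here.
$pattern = "/function .*\\(.*\\)\\{ var .* return\\( parseInt\\(.*'\\)\\);/";

function scanWebRoot(string $root, string $pattern, bool $dryRun): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path     = $file->getPathname();
        $contents = file_get_contents($path);
        if ($contents === false || preg_match($pattern, $contents) !== 1) {
            continue;
        }
        $hits[] = $path;
        if (!$dryRun) {
            copy($path, $path . '.bak');   // keep the infected copy as evidence
            file_put_contents($path, preg_replace($pattern, '', $contents));
        }
    }
    return $hits;
}

foreach (scanWebRoot($webRoot, $pattern, $dryRun) as $hit) {
    echo ($dryRun ? 'infected: ' : 'cleaned: ') . $hit . "\n";
}
```

The list of infected files, and their modification times, is what tells you which script or upload path the attacker is using; the .bak copies stay inside public_html, so move them out of the web root once you have looked at them.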

Often if you have shared hosting, you cannot run shell scripts via PHP. http://www.php.net/shell_exec

 

To be honest though, you're pissing up the wrong tree here IMO - if you get this script to work, it will remove the said trouble lines. However, you should probably be looking for the code that was used to cause the exploit in the first place so that it CAN'T happen again. Else you're just gonna be running this script only for them to come back and do it again.


What type of site is it? How are you cleaning your user inputs, etc.?

 

Something you might find useful.... have them re-clean your files for you like they did previously.

 

And fix your scripts, because to me it sounds like you haven't properly secured your inputs.

 

Try something like this...

<?php
function EvClean($string){
    if(get_magic_quotes_gpc()){
        $string = stripslashes($string);
    }elseif(!get_magic_quotes_gpc()){
        $string = addslashes(trim($string));//strip your slashes, or add them to break any injections.
    }
    $string = escapeshellcmd($string);//escapes all inputs and prevent php shell commands

    $string = mysql_real_escape_string($string); //strips all mysql injection attempts (needs an open mysql_connect() link, or it returns false)

    $string = stripslashes(strip_tags(htmlspecialchars($string, ENT_QUOTES))); //removes all html special tags
    return $string;
}

$message = EvClean($_POST['message']);
echo $message;
?>

 

What this does is it runs your $message through the "Cleaner" and strips, or adds, slashes, depending on your setup, then it cleans all shell commands, then strips all html/javascript, etc... and then returns the cleaned string, which you can then insert into your database, flat files, or echo straight out, as I have above. This isn't a 100% foolproof way to stop the attack, but it should prevent them from inserting malware onto your site.

That is, unless it is the server itself that has been compromised. In which case, you can't control that.

 

 


I am not sure why I can't reply to your PM, but...

 

Hello there,

 

Thank you for the code

 

What input do you mean? Because my members can save their nicknames, phone numbers, About me stuff, etc...

 

So, should I put your code in each one, before saving it to the database?

 

Do you think this is how the hacker installed the malware?

 

He saved his code into the MySQL database using these fields

 

Are you using custom made scripts? Or is it a system like this forum, using SMF?

If you are using an already made system, chances are they already have this security feature on their scripts, along with others. SMF has the reputation of being one of the more secure systems, where php-nuke has quite a few flaws.

 

All you would need to do with that snippet, depending on how you have your site set up, is when processing the post data from your forms, before it is inserted into the database, use the clean function... something like this as an example....

 

$data = array(); // 'var' is only valid inside a class, so it is dropped here

function EvRegister($username, $password, $email, $ip){
    $data['username'] = EvClean($_POST['usr_nme']);
    $data['password'] = EvClean($_POST['password']);
    $data['cpass'] = EvClean($_POST['cpass']);
    $data['email'] = EvClean($_POST['email']);
    // EvEncrypt(), EvQuery() and EvInsertUser() are the poster's own helpers, not shown in this thread
    $data['password'] = EvEncrypt($_POST['password']);
    $data['cpass'] = EvEncrypt($_POST['cpass']);
    $getuser = "SELECT username FROM users where username = '". $data['username'] ."'";
    $getemail = "SELECT email FROM users where email = '". $data['email'] ."'"; // was $data['$email'], an undefined key
    $checkuser = EvQuery($getuser) or die( mysql_error() );
    $checkemail = EvQuery($getemail) or die( mysql_error() );
    if( $data['password'] !== $data['cpass'] ){
        die("The passwords you entered don't match!\n");
    }elseif( $data['username'] == NULL && $data['password'] == NULL && $data['email'] == NULL ){
        die("Please enter data into the specified boxes!\n");
    }elseif( strlen($data['email']) < 5 ){
        die("Please enter a valid email address");
    }elseif( mysql_num_rows( $checkuser ) > 0 ){
        die('The Username you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
    }elseif( mysql_num_rows( $checkemail ) > 0 ){
        die('The Email you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
    }else{
        $query = EvInsertUser($data);//my insert checks for an array and breaks it down to key => value
        $ip = $_SERVER['REMOTE_ADDR'];
        $result = EvQuery($query) or die( mysql_error() );//Send the query to the query page
        if($result){
            echo 'You have successfully registered!<a href="javascript:history.go(-2)">Go back</a>';//Return a success message
        }else{
            die(mysql_error());
        }
    }
}

 

What this does is, see how the data array is assigned to the post variables? Each post variable is cleaned via that function.

 

to answer your question, yes you have to run this function on EVERY input.

 

Without this, said hacker can insert something like this....

x';
        INSERT INTO members ('email','passwd','login_id','full_name') 
        VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';

into any one of your input areas, and inject his own account into your database. There are countless other things they can do with injections like this. In your case though, the attacker is probably using an XSS (cross site scripting) attack, so that whatever they ran on your system is allowing them to keep reinserting the malware even after the shell commands strip the malicious code out.

 

If you do manage to get this function onto your scripts, and the attacker is still inserting stuff, then I can almost guarantee that the server you are hosting on has been compromised.

Ask them if they've had any issues like this with other clients, or if it is just you.

 

I might suggest changing your account, and passwords too... there's a possible chance you used a weak password, and they have admin access to your account, to insert the code wherever, and whenever they like.

 

I could sit here and list off a TON of security measures you can take on your scripts, but unless the server is 100% secure (which none ever are), you will never be completely safe.

 

Nothing is ever 100% secure; there are always ways to get around any security measure. All you can do is take as many steps as you can to prevent it.

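An added example (not the poster's EvClean/EvRegister code and not anything from the thread) that does what the two snippets above try to do, but by keeping user input out of the SQL text with PDO prepared statements, storing the password with password_hash() instead of a custom EvEncrypt(), and escaping values for HTML only at the point where they are shown. The users table, its columns, the DSN and the database credentials are assumptions; PHP 7 or later is assumed for the ?? operator.

```php
<?php
// Added example, not code from the thread. Registration flow with prepared statements.
function registerMember(PDO $db, array $post): string
{
    $username = trim($post['usr_nme'] ?? '');
    $email    = trim($post['email'] ?? '');
    $password = $post['password'] ?? '';
    if ($username === '' || $password === '' || $email === '') {
        return 'Please enter data into the specified boxes!';
    }
    if ($password !== ($post['cpass'] ?? '')) {
        return "The passwords you entered don't match!";
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address';
    }
    // One parameterised query replaces the two string-built SELECTs: the value
    // x'; INSERT ... -- from the post above is compared as a literal username,
    // never parsed as SQL, so no escaping function is needed here.
    $check = $db->prepare('SELECT username, email FROM users WHERE username = ? OR email = ?');
    $check->execute([$username, $email]);
    foreach ($check as $row) {
        if ($row['username'] === $username) {
            return 'The Username you entered already exists!';
        }
        if ($row['email'] === $email) {
            return 'The Email you entered already exists!';
        }
    }
    $insert = $db->prepare('INSERT INTO users (username, password, email, ip) VALUES (?, ?, ?, ?)');
    $insert->execute([
        $username,
        password_hash($password, PASSWORD_DEFAULT), // salted hash, verified later with password_verify()
        $email,
        $_SERVER['REMOTE_ADDR'] ?? '',
    ]);
    return 'You have successfully registered!';
}

// Escape for HTML where the value is displayed, so a stored <script> tag in a
// nickname or "About me" field is shown as text instead of run in a visitor's browser.
function showName(string $username): string
{
    return '<b>' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</b>';
}

$db = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
echo htmlspecialchars(registerMember($db, $_POST), ENT_QUOTES, 'UTF-8');
```

The same split applies to the profile fields the thread mentions (nickname, phone number, About me): bind them as parameters when saving, and pass them through htmlspecialchars() when rendering.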

Guest Xanza

Yes, it is shell script, but it can easily be run via PHP like you have been shown already... If it fails this way though, you'll be forced to either use SSH or use the Administrative Tools that your hosting has provided for you, and manually enter the string in the console. (I assume it's Linux hosting.)

