Canman2005 Posted November 26, 2010

Hi all

I was recently contacted by a friend who is having SPAM issues, basically someone has managed to upload tons of crap files and also inserted eval(base64_decode("ZXJyb3Jfcm..... about 10 times into every PHP page on the server, and doing a search reveals 1001 instances of this eval(base64_decode("ZXJyb3Jfcm..... code.

How could this have happened and what measures do we need to take to prevent this?

intellix Posted November 26, 2010

The only way the spammer could have gotten access to these scripts is by having access to the server or FTP... perhaps your friend should use a more password including numbers etc etc (guessing it was done through brute password guessing)

My favourite time to eat burgers is at 22:00 > Mfttebia22:00

Amazing method of getting a password set in my opinion! (btw that's not mine haha)

tomfmason Posted November 26, 2010

> The only way the spammer could have gotten access to these scripts is by having access to the server or FTP...

FTP is not the only way. Actually, his host should have measures in place to prevent FTP brute forcing and if not I recommend a switch immediately.

You most likely have an insecure file upload script. Do you have access to the access logs for your site? Generally the first step in recovering a compromised site is to look through your access logs line by line to nail down the source of the problem.

Another potential problem is insecure includes and especially so if your host allows remote includes.

tomfmason Posted November 26, 2010

Actually the more I think about it the more I think that this is caused by an insecure include. Something like the following is horribly insecure:

    <?php
    $page = $_GET['page'];
    include $page;
    ?>

With anything even remotely as insecure as that and if proc is available I can pwn a site (possibly a server) in just a matter of minutes with a crafted http request.

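An allowlist-based replacement for the `include $page` pattern shown in the post above, as an added example that is not part of the original thread. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added example: only files named in a fixed map can ever be included.
// PAGE_DIR, PAGES and resolve_page() are hypothetical names for this sketch.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Request value => file on disk. User input is only ever used as a lookup key,
// never as part of a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to an absolute file path,
 * or return null when the request must be refused.
 */
function resolve_page($requested): ?string
{
    // ?page[]=x arrives as an array; accept strings that are known keys only.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);

    // realpath() returns false for missing files. The prefix check also
    // refuses a map entry that resolves outside PAGE_DIR (e.g. via a symlink).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Keeping `allow_url_include` set to `Off` in php.ini (its default) additionally blocks the remote-include case mentioned earlier in the thread.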
intellix Posted November 26, 2010

Well! I didn't know that.

The file include security issue is mental.