Hacked, script injection

Started by vHawkeyev, May 01, 2009, 10:47:02 AM


robone

#280
Further to my previous email, can anyone who knows PHP tell me if the script below will work to look for C99 PHP shells and others on the forum:

#!/usr/bin/php
<?php
/*
 *  This script finds some known shells (c99, c100, r57, erne, Safe_Over,
 *  cmd_asp) by signature, and tries to find unknown shells by counting how
 *  many suspicious words a file contains ("euristic" mode), which can give
 *  false positives.
 *
 *  How to use: none of these parameters is required.
 *    -e Y/N    enable/disable euristic mode (default: enabled)
 *    -p 1-100  percentage of the word list that must be found in a file
 *              before the euristic mode warns (default: 40)
 *    -f file   check a single file
 *    -d dir    check a single dir (by default the script recursively checks
 *              ALL files under the current directory)
 *  powered by Dr. nefasto
 */
$euristic__ = array("fopen", "file(", "file_get_contents", "sql", "opendir", "perms",
    "port", "eval", "system", "exec", "rename", "copy", "delete", "hack", "(\$_",
    "phpinfo", "uname", "glob", "is_writable", "is_readable", "get_magic_quotes_gpc()",
    "move_uploaded_file", "\$dir", "& 00", "get");
$word__ = array(
    "c99"       => array("c999shexit();", "setcookie(\"c999sh_surl\");", "c999_buff_prepare();"),
    "c100"      => array("\$back_connect_c=\"f0VMRgEBAQA", "function myshellexec(\$command) {", "tEY87ExcilDfgAMhwqM74s6o"),
    "r57"       => array("if(strpos(ex(\"echo abcr57\"),\"r57\")!=3)", "function ex(\$cfe)", "\$port_bind_bd_c=\"I2luY2x1ZGUg"),
    "erne"      => array("function unix2DosTime(\$unixtime = 0)", "eh(\$errno, \$er", "\$mtime=@date(\"Y-m-d H:i:s\",@filemti"),
    "Safe_Over" => array("function walkArray(\$array){", "function printpagelink(\$a, \$b, \$link = \"\")", "if (\$cmd != \"downl\")"),
    "cmd_asp"   => array("   ' -- Read th", "ll oFileSys.D", "Author: Maceo")
);

// command line handling
$euristic_active = true;
$euristic_sens   = 40;
for ($i = 1; $i < $argc; $i++)
{
    if ($argv[$i] == "-h")
        help($argv[0]);
    elseif ($argv[$i] == "-e")
    {
        if ($argv[$i+1] == "Y") $euristic_active = true;
        if ($argv[$i+1] == "N") $euristic_active = false;
    }
    elseif ($argv[$i] == "-p")
        $euristic_sens = (int) $argv[$i+1];
    elseif ($argv[$i] == "-d")
    {
        dir_scan($argv[$i+1]);
        exit;
    }
    elseif ($argv[$i] == "-f")
    {
        a($argv[$i+1]);
        exit;
    }
}
dir_scan(".");

// recursively check every file under $name, skipping this script itself
function dir_scan($name)
{
    if (!is_dir($name))
    {
        echo "$name is not a dir\n";
        return;
    }
    if ($o = @opendir($name))
    {
        while (false !== ($file = readdir($o)))
        {
            if ($file == '.' or $file == '..' or $file == basename(__FILE__)) continue;
            elseif (is_dir($name . "/" . $file)) dir_scan($name . "/" . $file);
            else a($name . "/" . $file);
        }
        closedir($o);
    }
    else
        echo "i can't open $name dir\n";
}

// check one file: known signatures first, then the word-count euristic
function a($file)
{
    global $euristic_active;
    global $euristic_sens;
    if ($l = file_get_contents($file))
    {
        if ($shell = check($l))
        {
            echo "[DANGER] word_list > " . $file . "\tprobably " . $shell . " shell\n";
        }
        elseif ($euristic_active)
        {
            $t = check_euristic($l);
            if ($t > $euristic_sens)
                echo "[_ALERT] euristic $t% > " . $file . "\tprobably is a shell\n";
        }
    }
    else
    {
        echo "i can't open $file file\n";
    }
}

// return the shell name when all three of its signature fragments are present
// (the counter is reset per shell so fragments of different shells do not add up)
function check($string)
{
    global $word__;
    foreach ($word__ as $shell => $code)
    {
        $check = 0;
        foreach ($code as $microcode)
            if (stripos($string, $microcode) !== false)
            {
                $check++;
                if ($check == 3) return $shell;
            }
    }
    return false;
}

// percentage of the suspicious word list that occurs in the file
function check_euristic($string)
{
    global $euristic__;
    $check = 0;
    foreach ($euristic__ as $code)
        if (stripos($string, $code) !== false)
            $check++;
    return intval(($check * 100) / count($euristic__));
}

function help($me)
{
    echo "Dr. nefasto shell scanner\n" .
         "$me {-e [euristic mode, default = Y] Y/N   -p [0-100, euristic sensibility: lower == more sensitive]   [-d [directory] / -f [file]]}\n" .
         "example: $me -e N -d /tmp\n";
    exit;
}
?>



I am a bit scared to use, as I do not know what the outcome will be.

But if it works, this is what should be run every so often to ensure a site is safe, because, as mentioned previously, I found two C99 shells on my site and am still trying to clean up the code inserted in all my PHP files.

Sarge

Quote from: robone on May 20, 2009, 08:45:38 AM
Further to my previous email, can anyone who knows php tell me if this script below will work to look for C99 PHP Shells and others, on the forum:

I don't think this script will work.

    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

robone

Okay... I accept your expertise... but someone has posted it on a site as a means of detecting PHP shells such as C99, so there must be some validity to it.

Either it works, or it needs tweaking to make it work, or it is pure garbage, or it will add to one's problems.

Is there anything in it that will harm my forum? If not, I will give it a bash and see what happens.

So, comments will be appreciated

Sarge

robone, what I'm trying to say is that the script you posted does not work on the particular kind of exploit that is being discussed here. It is a modified and "encrypted" copy of the c99 shell, so I think that the script you posted will not detect it at all.

But if you want to give it a try, I suggest getting a full backup first...

I happen to know that a cleaning script for this specific attack is being worked on, so I'll let you know if/when I have more info.


M-DVD

Quote from: rusgard on May 20, 2009, 08:24:05 AM
I banned him ;)
(i hope it's enough to ban the user...also i deactivated the avatar and theme functions...)

This user has other aliases. But yes, it is better to ban him, but don't close your eyes :P

You can, instead of disabling avatar upload, change the attachments dir. AFAIK this is very (100%) effective.

The theme functions, enabled or disabled, make no difference.

Aleksi "Lex" Kilpinen

Quote from: M-DVD on May 20, 2009, 10:53:18 AM
You can, instead of disabling avatar upload, change the attachments dir. AFAIK this is very effective.
No - changing dir would probably have 0 effect on this.

Quote
The theme functions, enabled or disabled is equal.
No. The theme functions play a role in this.

Quote from: metallica48423 on May 16, 2009, 02:35:34 PM
If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, i'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Geri Lx

Hi.
My forum was infected too. We cleaned the files and now we get no errors. We also banned the IPs, closed avatar uploading, and closed theme changing.
This topic was very helpful. Thanks to everybody for the efforts.

I am writing now because I want to say... Be aware! He is coming back.

I had three visits and login attempts today from that Latvian IP.


babjusi

Quote from: Geri Lx on May 20, 2009, 11:07:38 AM

I am writing now because I wan't to say...Be aware! He is coming back.

The patch will be released soon and it won't matter anymore if he or whomever comes back.

M-DVD

#289
Quote from: LexArma on May 20, 2009, 10:55:00 AM
Quote from: M-DVD on May 20, 2009, 10:53:18 AM
You can, instead of disabling avatar upload, change the attachments dir. AFAIK this is very effective.
No - changing dir would probably have 0 effect on this.

AFAIK it is very effective. Why? Because...

How does the spammer make the injection if he doesn't know the real attachment dir?

I.e., how does the spammer make an injection with a "correct attachment dir"?

Quote from: LexArma on May 20, 2009, 10:55:00 AM
Quote
The theme functions, enabled or disabled is equal.
No. The theme functions play a role in this.

I could do the injection and the "avatar inclusion" with the theme change functions disabled.

Yes, they play a role in this, but this role is not turned off if the theme changing functions are disabled :)

Jorin

We suggest the following to protect against krisbarteo:

- Don't allow members to choose a theme.
- Don't allow members to upload an avatar or to use an avatar from another server.
- Don't allow attaching any kind of picture, such as BMP, GIF, JPEG, JPG, TIF, PNG.
- Disable modifications like a gallery (which allow uploading picture files).
- Change the registration mode so an Administrator has to approve new members.
- Ban the users "krisbarteo" and "stilusmagic" and the e-mail address "[email protected]". If these users don't exist, create and ban them yourself.
- Check your webspace for unknown PHP files and check the SMF files for the code of krisbarteo.

Aleksi "Lex" Kilpinen

Quote from: M-DVD on May 20, 2009, 11:32:22 AM
Quote from: LexArma on May 20, 2009, 10:55:00 AM
Quote from: M-DVD on May 20, 2009, 10:53:18 AM
You can, instead of disabling avatar upload, change the attachments dir. AFAIK this is very effective.
No - changing dir would probably have 0 effect on this.

AFAIK it is very effective.

How do you make the injection if you don't know the real attachment dir?

I.e., how do you make an injection with a "correct attachment dir"?
I don't know this hack thoroughly, but I do tend to think - How does SMF know the correct attachment dir?
I'd think that when you get in in the first place, it's enough that SMF knows the location - you don't have to...
Quote
Quote from: LexArma on May 20, 2009, 10:55:00 AM
Quote
The theme functions, enabled or disabled is equal.
No. The theme functions play a role in this.
I could do the injection and the "avatar inclusion" with the theme change functions disabled.
Yes, they play a role in this, but this role is not turned off if the theme changing functions are disabled :)
OK - I won't argue, as I said - I don't know the hack too thoroughly...

But still, I would suggest that everyone acknowledges the advice given by team members here - as they probably know exactly what they are talking about ;)

mghq

Luckily my forum has not been attacked, because my server is unreachable at the moment.
This hack works by him uploading an approximately 1-pixel image which has PHP code in it. The PHP code then attacks and tries to create files and infect your other .php files.

Jorin

We already know this, thanks.  ;D
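Added example (not part of the thread and not SMF's own code): a content-based audit of an attachments or avatar directory for the poisoned image mghq describes above, a tiny picture with PHP code appended. It reads the bytes rather than trusting names or extensions, checks the magic header, and reports any file that contains a PHP open tag, with the offset of the tag and the dangerous calls that follow it. The two samples are constructed here (a 1x1 GIF, and the same GIF with a PHP block appended), not captured uploads; the function and verdict names are mine.

```python
import os
import re

# Magic bytes of the picture types the thread lists as attachable.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"BM": "bmp",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}

# A PHP open tag has no business inside a picture.
PHP_TAG = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*['\"]?php", re.I)
# Calls worth naming in the report when they appear in the file.
DANGEROUS_CALL = re.compile(
    rb"\b(eval|assert|system|exec|passthru|shell_exec|base64_decode|gzinflate)\s*\(", re.I)


def image_type(data: bytes):
    """Return the image type by magic bytes, or None if it is not a known picture."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def audit_image(data: bytes) -> dict:
    """Classify one file's bytes.  verdict is 'clean', 'not-an-image' or 'php-in-image'."""
    kind = image_type(data)
    tag = PHP_TAG.search(data)
    calls = sorted({m.group(1).lower().decode() for m in DANGEROUS_CALL.finditer(data)})
    if tag is not None:
        verdict = "php-in-image"          # a valid header does not make it safe
    elif kind is None:
        verdict = "not-an-image"
    else:
        verdict = "clean"
    return {"type": kind,
            "php_offset": tag.start() if tag else None,
            "calls": calls,
            "verdict": verdict}


def audit_dir(path: str) -> list:
    """Read every file under an attachments/avatar directory and return the
    findings that are not clean (file names are ignored on purpose)."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                result = audit_image(fh.read())
            if result["verdict"] != "clean":
                result["file"] = full
                findings.append(result)
    return findings


# Constructed samples (not real uploads): a 1x1 GIF, and the same GIF with a
# PHP block appended after the GIF trailer byte (0x3b).
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x21\xf9\x04\x01\x00\x00\x00\x00"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
POISONED_GIF = TINY_GIF + b"<?php /* constructed marker */ eval(base64_decode($_POST['x'])); ?>"

if __name__ == "__main__":
    for label, sample in (("tiny.gif", TINY_GIF), ("poisoned.gif", POISONED_GIF)):
        print(label, audit_image(sample))
```

Point `audit_dir` at the attachments and avatar directories. The poisoned sample still reports `type` as `gif`, which is exactly why a magic-byte or extension check alone is not enough; the payload is only dangerous once something includes or executes the file as PHP, so a hit should be followed by looking for what references it, as the thread's advice about theme rows suggests.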

M-DVD

#294
Quote from: metallica48423 on May 16, 2009, 02:35:34 PM
Quote
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

The reason for this change is twofold:
1.) The pattern of the last SMF exploits has been alterations of prior exploits pertaining to poisoned attachments and avatars.  Rather than close one small hole, we are opting to close the possibility of this type of attack coming up again.
2.) IE6 will pretty much run just about anything injected into an image blindly without thinking twice about it.  This could infect your computer (as others alluded to above).

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, i'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.

It's nice to know how you are working to fix this.

Currently what you are doing is testing, because the solution brings new problems, and you have been on this for several days.

A few days ago I made a "personal patch".
This patch/package in the first place "closes the hole", and second (on all potential sites) prevents including files by unduly manipulating the URL as this hacker does.

I.e., everything you said in the quote (except point 2), with the difference that I have not had any side effects.

Yes, I don't know how they are working, or what they are doing, but if I can help, you can tell me.

GKM Crow

Hi,

My forum has been hacked today by krisbarto; he came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and the attachments folder, and I am currently going through all PHP files; so far I have not found a line at the top, but I have found this in the gallery PHP file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there? I don't really know what I'm doing; this is all new to me.

Thank you for any help

Kindred

if you have read the thread, then you may note that we have discussed this...

if not, then the simple answer is NO, that is not supposed to be there. Likely you will have to clean more than that one file, too...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

GKM Crow

Thank You, I have read the entire thread, but as i am new to this i really wasn't sure and before i did anything i wanted to check with somebody that could confirm that it shouldn't be there.

I am checking all my php files now and so far that is the first one its in.

Thank You again

mycousinvinny

I just banned krisbarteo from my site, and although we have been having some page load lags and "can't connect to database" errors recently, I don't know if he has done any damage, nor do I have a clue how to check. Is there anyone that can check my forum?

He did not have an avatar as far as i can tell!!

thanks very much

http://anything-goe.net/Forum

thanks again,

Vinny

JBlaze

mycousinvinny, make sure to check all PHP files on line 1 for a string of "base64_decode()".

If you have that on ANY file, please let us know and we will do what we can to help.
Jason Clemons
Former Team Member 2009 - 2012
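Added example (not part of the thread, and not SMF's or Dr. nefasto's code) for the point Sarge's objection, GKM Crow's gallery line and JBlaze's line-1 check all turn on: a signature scanner that only reads the raw file misses a copy of c99 wrapped in base64_decode(), and a bare grep for base64_decode() cannot tell a credit string from a wrapper. The scanner below decodes every base64_decode('...') literal it finds, recurses into the decoded text, and matches signatures on each layer as well as on the plain source; for a literal that decodes to something harmless it reports the decoded text so you can read it before judging. The samples are constructed here: the exact literal GKM Crow quotes, a clean file, and a file whose first line wraps two c99 fragments in two base64 layers (built at runtime, not captured from any site). SIGNATURES reuses fragments from the scanner posted earlier in the thread; every other name is mine.

```python
import base64
import os
import re

# Signature fragments for two shell families, taken from the word list of the
# scanner posted earlier in this thread.
SIGNATURES = {
    "c99": ["c999shexit();", 'setcookie("c999sh_surl");', "c999_buff_prepare();"],
    "r57": ['if(strpos(ex("echo abcr57"),"r57")!=3)', "function ex($cfe)",
            '$port_bind_bd_c="I2luY2x1ZGUg'],
}

# base64_decode('<literal>') with a quoted literal argument.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
# An execution primitive wrapped directly around base64_decode(...).
EXEC_OF_B64 = re.compile(r"\b(eval|assert|create_function)\s*\(\s*base64_decode\s*\(", re.I)


def decode_literals(text: str, max_depth: int = 4) -> list:
    """Decode every base64_decode('...') literal in text and recurse into the
    decoded output, since wrappers are often nested.  Returns the decoded strings."""
    found = []
    pending = [(text, 0)]
    while pending:
        current, depth = pending.pop()
        for m in B64_LITERAL.finditer(current):
            raw = re.sub(r"\s+", "", m.group(1))
            try:
                decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
            except ValueError:          # quoted text that only looks like base64
                continue
            found.append(decoded)
            if depth + 1 < max_depth:
                pending.append((decoded, depth + 1))
    return found


def match_signature(text: str):
    """Name the shell family when at least two of its fragments occur (case-insensitive)."""
    low = text.lower()
    for name, fragments in SIGNATURES.items():
        if sum(f.lower() in low for f in fragments) >= 2:
            return name
    return None


def scan_php(source: str) -> dict:
    """Classify one PHP file's text.  verdict is one of
    'shell', 'obfuscated-exec', 'base64-literal', 'clean'."""
    layers = decode_literals(source)
    shell = match_signature(source)
    in_layer = False
    if shell is None:
        for layer in layers:
            shell = match_signature(layer)
            if shell:
                in_layer = True
                break
    if shell:
        verdict = "shell"
    elif any(EXEC_OF_B64.search(t) for t in [source] + layers):
        verdict = "obfuscated-exec"
    elif layers:
        verdict = "base64-literal"     # read 'decoded' before deciding what it is
    else:
        verdict = "clean"
    return {"verdict": verdict, "shell": shell, "in_decoded_layer": in_layer, "decoded": layers}


def scan_dir(path: str) -> list:
    """Scan every .php file under path and return the findings that are not clean."""
    out = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(root, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    result = scan_php(fh.read())
                if result["verdict"] != "clean":
                    result["file"] = full
                    out.append(result)
    return out


# --- constructed samples (built here, not captured from any real site) ---------
# The exact line GKM Crow quotes from the gallery file.
GALLERY_LINE = ("die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1l"
                "cjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));")

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# c99 fragments wrapped in two base64 layers and prepended as line 1 of an
# otherwise ordinary file: the "line 1 base64_decode()" pattern JBlaze describes.
_INNER = "c999shexit(); c999_buff_prepare();"
_OUTER = "eval(base64_decode('" + _b64(_INNER) + "'));"
INFECTED_FILE = "<?php eval(base64_decode('" + _b64(_OUTER) + "')); ?>\n<?php echo 'index'; ?>\n"
CLEAN_FILE = "<?php\n$x = 1;\necho $x;\n"

if __name__ == "__main__":
    for label, src in (("gallery line", GALLERY_LINE), ("infected", INFECTED_FILE), ("clean", CLEAN_FILE)):
        print(label, scan_php(src))
```

Run `scan_dir` over the web root and read the `decoded` field of every `base64-literal` hit before deleting anything: the gallery line above decodes to a plain text string, whereas an `eval(base64_decode(...))` wrapper or a decoded layer that matches a signature is what the cleanup is after. The signature list is deliberately short; extend it from the word list in the scanner posted earlier rather than trusting these two families alone.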
