
Author Topic: Hacked, script injection  (Read 271641 times)

Offline robone

  • Semi-Newbie
  • *
  • Posts: 72
Re: Hacked, script injection
« Reply #280 on: May 20, 2009, 08:45:38 AM »
Further to my previous email, can anyone who knows php tell me if this script below will work to look for C99 PHP Shells and others, on the forum:

Code:
#!/usr/bin/php
<?php
/*
 *  This script finds some known shells (c99, c100, r57, erne, Safe_Over,
 *  cmd_asp) by signature, and tries to find unknown shells by searching
 *  for specific words (the "heuristic" mode). The heuristic mode is not
 *  safe: it will also flag legitimate files that use those words.
 *
 *  How to use (all parameters are optional):
 *    -e Y/N   enable/disable the heuristic mode (default is enabled)
 *    -p N     a number 1-100: the percentage of heuristic words that must
 *             be found in a file before the heuristic mode warns about it
 *    -f FILE  check a single file
 *    -d DIR   check a single directory (recursively; by default the
 *             program checks ALL files under the current directory)
 *  powered by Dr. nefasto
 */

// Words that are common in web shells; the heuristic score of a file is
// the percentage of these words that appear in it.
$euristic__ = array("fopen", "file(", "file_get_contents", "sql", "opendir",
    "perms", "port", "eval", "system", "exec", "rename", "copy", "delete",
    "hack", "(\$_", "phpinfo", "uname", "glob", "is_writable", "is_readable",
    "get_magic_quotes_gpc()", "move_uploaded_file", "\$dir", "& 00", "get");

// Signatures: a file is reported as a given shell only when all three of
// that shell's strings are present.
$word__ = array(
    "c99" => array("c999shexit();", "setcookie(\"c999sh_surl\");", "c999_buff_prepare();"),
    "c100" => array("\$back_connect_c=\"f0VMRgEBAQA", "function myshellexec(\$command) {", "tEY87ExcilDfgAMhwqM74s6o"),
    "r57" => array("if(strpos(ex(\"echo abcr57\"),\"r57\")!=3)", "function ex(\$cfe)", "\$port_bind_bd_c=\"I2luY2x1ZGUg"),
    "erne" => array("function unix2DosTime(\$unixtime = 0)", "eh(\$errno, \$er", "\$mtime=@date(\"Y-m-d H:i:s\",@filemti"),
    "Safe_Over" => array("function walkArray(\$array){", "function printpagelink(\$a, \$b, \$link = \"\")", "if (\$cmd != \"downl\")"),
    "cmd_asp" => array("   ' -- Read th", "ll oFileSys.D", "Author: Maceo")
);

// Defaults: heuristic mode on, warn when more than 40% of the words match.
$euristic_active = true;
$euristic_sens = 40;

for ($i = 1; $i < $argc; $i++)
{
    $next = isset($argv[$i + 1]) ? $argv[$i + 1] : "";
    if ($argv[$i] == "-h")
        help($argv[0]);
    elseif ($argv[$i] == "-e")
    {
        if ($next == "Y") $euristic_active = true;
        if ($next == "N") $euristic_active = false;
        $i++; // the value has been consumed
    }
    elseif ($argv[$i] == "-p")
    {
        $euristic_sens = intval($next);
        $i++;
    }
    elseif ($argv[$i] == "-d")
    {
        dir_scan($next);
        exit;
    }
    elseif ($argv[$i] == "-f")
    {
        a($next);
        exit;
    }
}
dir_scan(".");

// Recursively scan a directory, skipping ., .. and this scanner itself.
function dir_scan($name)
{
    if (!is_dir($name))
    {
        echo "$name is not a dir\n";
        return;
    }
    if ($o = @opendir($name))
    {
        while (false !== ($file = readdir($o)))
        {
            if ($file == '.' || $file == '..' || $file == basename(__FILE__))
                continue;
            elseif (is_dir($name . "/" . $file))
                dir_scan($name . "/" . $file);
            else
                a($name . "/" . $file);
        }
        closedir($o);
    }
    else
        echo "i can't open $name dir\n";
}

// Scan a single file: signatures first, then the heuristic word count.
function a($file)
{
    global $euristic_active;
    global $euristic_sens;
    $l = @file_get_contents($file);
    if ($l !== false)
    {
        if ($shell = check($l))
        {
            echo "[DANGER] word_list > " . $file . "\tprobably " . $shell . " shell\n";
        }
        elseif ($euristic_active)
        {
            $t = check_euristic($l);
            if ($t > $euristic_sens)
                echo "[_ALERT] euristic $t%> " . $file . "\tprobably is a shell\n";
        }
    }
    else
    {
        echo "i can't open $file file\n";
    }
}

// Return the shell name when all three signature strings of one shell
// match, otherwise false. The counter is reset per shell so that single
// matches from different shells are not added together.
function check($string)
{
    global $word__;
    foreach ($word__ as $shell => $code)
    {
        $check = 0;
        foreach ($code as $microcode)
            if (stripos($string, $microcode) !== false)
            {
                $check++;
                if ($check == 3) return $shell;
            }
    }
    return false;
}

// Percentage of the heuristic words found in the file (0-100).
function check_euristic($string)
{
    global $euristic__;
    $check = 0;
    foreach ($euristic__ as $code)
        if (stripos($string, $code) !== false)
            $check++;
    return intval(($check * 100) / count($euristic__));
}

function help($me)
{
    echo "Dr. nefasto shell scanner\n" .
        "$me {-e [euristic method default = Y] Y/N   -p [[0-100] euristic sensibility fewer == most feeble ]   [-d [directory] / -f [file] ]}\n" .
        "example: $me -e N -d /tmp\n";
    exit;
}
?>


I am a bit scared to use it, as I do not know what the outcome will be.

But if it works, this will be what should be run every so often to ensure a site is safe, because as mentioned previously, I found two C99 shells on my site and am still trying to clean up the code inserted in all my php files.
« Last Edit: May 20, 2009, 08:49:44 AM by robone »

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #281 on: May 20, 2009, 09:12:12 AM »
Quote
Further to my previous email, can anyone who knows php tell me if this script below will work to look for C99 PHP Shells and others, on the forum:

I don't think this script will work.
    Please do not PM me with support requests unless I invite you to.

http://www.zeriyt.com/   ~   http://www.galeriashqiptare.net/


Quote
<H> I had zero posts when I started posting

Offline robone

  • Semi-Newbie
  • *
  • Posts: 72
Re: Hacked, script injection
« Reply #282 on: May 20, 2009, 09:29:08 AM »
Okay......I accept your expertise....... but someone has posted it on a site as a means of detecting PHP shells such as C99, so there must be some validity to it.

Either it works, or it needs tweaking to make it work, or it is pure garbage, or it will add to one's problems.

Is there anything in it that will harm my forum?? If not, I will give it a bash and see what happens.

So, comments will be appreciated

Offline Sarge

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 6,209
  • Gender: Male
    • Zëri YT!
Re: Hacked, script injection
« Reply #283 on: May 20, 2009, 09:56:20 AM »
robone, what I'm trying to say is that the script you posted does not work on the particular kind of exploit that is being discussed here. It is a modified and "encrypted" copy of the c99 shell, so I think that the script you posted will not detect it at all.

But if you want to give it a try, I suggest getting a full backup first...

I happen to know that a cleaning script for this specific attack is being worked on, so I'll let you know if/when I have more info.

Offline robone

  • Semi-Newbie
  • *
  • Posts: 72
Re: Hacked, script injection
« Reply #284 on: May 20, 2009, 10:13:19 AM »
Okay..thanks...I will wait

Offline M-DVD

  • SMF Hero
  • ******
  • Posts: 1,650
  • Gender: Male
  • Step by step will update the mods to SMF 2RC2
Re: Hacked, script injection
« Reply #285 on: May 20, 2009, 10:53:18 AM »
I banned him ;)
(i hope it's enough to ban the user...also i deactivated the avatar and theme functions...)

This user has other aliases. But yes, it is better to ban him, but don't close your eyes :P

You don't need to disable avatar upload; instead you can change the attachments dir. AFAIK this is very (100%) effective.

Whether the theme functions are enabled or disabled makes no difference.

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,806
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Hacked, script injection
« Reply #286 on: May 20, 2009, 10:55:00 AM »
Quote
You don't need to disable avatar upload; instead you can change the attachments dir. AFAIK this is very effective.
No - changing dir would probably have 0 effect on this.

Quote
Whether the theme functions are enabled or disabled makes no difference.
No. The theme functions play a role in this.

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, i'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Geri Lx

  • Semi-Newbie
  • *
  • Posts: 17
Re: Hacked, script injection
« Reply #287 on: May 20, 2009, 11:07:38 AM »
Hi.
My forum was infected too. We cleaned the files and now we get no errors. We also banned the IPs and closed avatar uploading and theme changing.
This topic was very helpful. Thanks to everybody for the efforts.

I am writing now because I want to say...Be aware! He is coming back.

Today I had three visits & login attempts from that Latvian IP.


babjusi

  • Guest
Re: Hacked, script injection
« Reply #288 on: May 20, 2009, 11:09:54 AM »

Quote
I am writing now because I want to say...Be aware! He is coming back.

The patch will be released soon and it won't matter anymore if he or whomever comes back.

Offline M-DVD

  • SMF Hero
  • ******
  • Posts: 1,650
  • Gender: Male
  • Step by step will update the mods to SMF 2RC2
Re: Hacked, script injection
« Reply #289 on: May 20, 2009, 11:32:22 AM »
Quote
You don't need to disable avatar upload; instead you can change the attachments dir. AFAIK this is very effective.
No - changing dir would probably have 0 effect on this.

AFAIK it is very effective. Why? Because...

How does the spammer make the injection if he doesn't know the real attachment dir?

i.e., how does the spammer make an injection with a "correct attachment dir"?

Quote
Whether the theme functions are enabled or disabled makes no difference.
No. The theme functions play a role in this.

I could do the injection and the "avatar inclusion" with the theme change functions disabled.

Yes, they play a role in this, but this role is not turned off if the theme changing functions are disabled  :)
« Last Edit: May 20, 2009, 11:55:43 AM by M-DVD »

Offline Jorin

  • SMF Hero
  • ******
  • Posts: 2,021
  • Gender: Male
    • ElkArte-Hilfe.de
Re: Hacked, script injection
« Reply #290 on: May 20, 2009, 11:50:36 AM »
We suggest the following to protect against krisbarteo:

- Don't allow members to choose a theme.
- Don't allow members to upload an avatar or to use an avatar from another server.
- Don't allow attaching any kind of pictures, such as BMP, GIF, JPEG, JPG, TIF, PNG.
- Disable modifications like a gallery (which allow uploading picture files).
- Change the registration mode so an Administrator has to approve new members.
- Ban the users "krisbarteo" and "stilusmagic" and the e-mail address "stilusmagic@googlemail.com". If these users don't exist, create and ban them yourself.
- Check your webspace for unknown PHP files and check the SMF files for the code of krisbarteo.

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,806
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Hacked, script injection
« Reply #291 on: May 20, 2009, 11:55:53 AM »
Quote
You don't need to disable avatar upload; instead you can change the attachments dir. AFAIK this is very effective.
No - changing dir would probably have 0 effect on this.

AFAIK it is very effective.

How do you make the injection if you don't know the real attachment dir?

i.e., how do you make an injection with a "correct attachment dir"?
I don't know this hack thoroughly, but I do tend to think - How does SMF know the correct attachment dir?
I'd think that when you get in in the first place, it's enough that SMF knows the location - you don't have to...
Quote
Quote
Whether the theme functions are enabled or disabled makes no difference.
No. The theme functions play a role in this.
I could do the injection and the "avatar inclusion" with the theme change functions disabled.
Yes, they play a role in this, but this role is not turned off if the theme changing functions are disabled  :)
OK - I won't argue, as I said - I don't know the hack too thoroughly...

But still, I would suggest that everyone acknowledges the advice given by team members here - as they probably know exactly what they are talking about ;)

Offline mghq

  • Jr. Member
  • **
  • Posts: 194
    • Mega Gaming Hq
Re: Hacked, script injection
« Reply #292 on: May 20, 2009, 12:06:52 PM »
Luckily my forum has not been attacked because my server is unreachable at the moment.
This hack works by him uploading an approximately 1 pixel image which has PHP code in it. The PHP code then attacks and tries to create files and infect your other .php files.
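
The "image with PHP code in it" upload described in the post above, as an added example that is not code from this thread or from SMF: a Python 3 triage script (assumed to be run from a shell on the server, or on a copy of the attachments and avatars directories restored from a backup on a workstation) that checks each upload's magic bytes against the image types a forum normally accepts and looks for a PHP open tag anywhere in the file. A real image has no reason to contain `<?php`, and the payload needs one to be interpreted, so the combination "valid image header plus PHP tag" is the signature of exactly this kind of poisoned avatar. The sample files at the bottom are constructed here; only `scan_upload_dir` touches real files.

```python
import os
import re

# Magic bytes of the image types a forum typically accepts for avatars and
# attachments; a file in those directories that matches none of them is
# already suspicious on its own.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"BM": "bmp",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}

# PHP open tags (long tag, short echo tag, short tag, and the old
# <script language="php"> form). Matched case-insensitively.
PHP_TAG = re.compile(
    rb"<\?php\b|<\?=|<\?\s|<script\s+language\s*=\s*[\"']?php", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image type by magic bytes, or None if no known signature."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def php_offsets(data: bytes):
    """Byte offsets of every PHP open tag in the file, in order."""
    return [m.start() for m in PHP_TAG.finditer(data)]


def triage(data: bytes) -> dict:
    """Classify one upload: what it claims to be and whether it carries PHP."""
    kind = image_type(data)
    offsets = php_offsets(data)
    if offsets:
        verdict = "php-in-image" if kind else "php-not-image"
    elif kind:
        verdict = "clean-image"
    else:
        verdict = "not-an-image"
    return {"type": kind, "php_offsets": offsets, "verdict": verdict}


def scan_upload_dir(root: str):
    """Walk an attachments/avatars directory and return everything that is
    not a clean image, with its triage result."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = triage(fh.read())
            if result["verdict"] != "clean-image":
                findings.append((path, result))
    return findings


# Constructed samples (not real uploads from the thread): a 1x1 GIF, the same
# GIF with a harmless PHP block appended after the trailer, and a bare PHP
# file that was stored under an image name.
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
           b"\x02\x02D\x01\x00;")
POISONED_GIF = GIF_1X1 + b"\n<?php echo 'constructed sample payload'; ?>\n"
BARE_PHP = b"<?php echo 'constructed sample payload'; ?>\n"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, result in scan_upload_dir(root):
        print(f"{result['verdict']:14} {path}  type={result['type']} "
              f"php_at={result['php_offsets']}")
```

Run it as `python3 triage_uploads.py /path/to/attachments` (file name assumed) and again on the avatars directory. The script only reads; deleting or quarantining anything it reports is left to you, after the backup Sarge asked for above.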

Offline Jorin

  • SMF Hero
  • ******
  • Posts: 2,021
  • Gender: Male
    • ElkArte-Hilfe.de
Re: Hacked, script injection
« Reply #293 on: May 20, 2009, 12:28:57 PM »
We already know this, thanks.  ;D

Offline M-DVD

  • SMF Hero
  • ******
  • Posts: 1,650
  • Gender: Male
  • Step by step will update the mods to SMF 2RC2
Re: Hacked, script injection
« Reply #294 on: May 20, 2009, 06:01:52 PM »
Quote
SimpleMachines should have warned everybody through our SMF Admin panel - I'm sure it would have prevented many of the hackings.

We hope to release a patch in the next few days, but we've found some serious bugs as a result of the changes.

In the interim, I believe disabling attachments and user-uploaded avatars should prevent the injection from being uploaded.

We are already working on a patch for this which will be released once between the developers, the team, and the beta testers, we've worked all the bugs out.  If we released it right now, your attachment and avatar systems would not work.

I'd like to note that this is *not* just a patch to close a small hole, this is a patch to prevent this type of attack from being possible again.  This patch will beef up attachment and avatar security significantly.  Though it is technically a new security enhancement "feature", the patch will still cover 1.0, 1.1, and 2.0 despite all three being feature locked.

The reason for this change is twofold:
1.) The pattern of the last SMF exploits has been alterations of prior exploits pertaining to poisoned attachments and avatars.  Rather than close one small hole, we are opting to close the possibility of this type of attack coming up again.
2.) IE6 will pretty much run just about anything injected into an image blindly without thinking twice about it.  This could infect your computer (as others alluded to above).

If you've already experienced the hack, I recommend virus scanning your computer as well.

Again, i'd suggest disabling your attachment and avatar uploads temporarily until the patch is out.  Everyone should also make sure there are no rows for themes in the themes table that should not exist.

It's nice to know how you are working to fix this.

Currently what they are doing is testing, because the solution brings new problems, and they have been on this for several days.

A few days ago I made a "personal patch".
This patch/package first "closes the hole", and second (on all potentially affected sites) prevents including files by unduly manipulating the URL as this hacker did.

I.e., everything you said in the quote (except point 2), with the difference that I have not had any side effects.

Yes, I don't know how they are working, or what they are doing, but if I can help, you can tell me.
« Last Edit: May 20, 2009, 06:05:12 PM by M-DVD »

Offline GKM Crow

  • Semi-Newbie
  • *
  • Posts: 12
Re: Hacked, script injection
« Reply #295 on: May 20, 2009, 09:02:10 PM »
Hi,

My forum was hacked today by krisbarto; he came online for about 1 minute and uploaded an image, a very small dot, but I only found this an hour later. I searched the name and found this thread. I have banned him, removed the image from the database and the attachments folder, and I am currently going through all PHP files; so far I have not found a line at the top, but I have found this in the gallery PHP file:

die(base64_decode('UG93ZXJlZCBieSBHYWxsZXJ5IEZvciBTTUYgIG1hZGUgYnkgdmJnYW1lcjQ1IGh0dHA6Ly93d3cuc21maGFja3MuY29t'));

Is that meant to be there ? I don't really know what i'm doing this is all new to me.

Thank you for any help

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 59,218
  • Gender: Male
    • Kindred-999 on GitHub
Re: Hacked, script injection
« Reply #296 on: May 20, 2009, 09:09:27 PM »
if you have read the thread, then you may note that we have discussed this...

if not, then the simple answer is NO, that is not supposed to be there. Likely you will have to clean more than that one file, too...
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline GKM Crow

  • Semi-Newbie
  • *
  • Posts: 12
Re: Hacked, script injection
« Reply #297 on: May 20, 2009, 09:17:11 PM »
Thank you, I have read the entire thread, but as I am new to this I really wasn't sure, and before I did anything I wanted to check with somebody that could confirm that it shouldn't be there.

I am checking all my php files now and so far that is the first one its in.

Thank You again

Offline mycousinvinny

  • Jr. Member
  • **
  • Posts: 177
Re: Hacked, script injection
« Reply #298 on: May 20, 2009, 09:41:01 PM »
I just banned krisbarteo from my site, and although we have been having some page load lags and "can't connect to database" errors recently, I don't know if he has done any damage, nor do I have a clue how to check. Is there anyone that can check my forum??

He did not have an avatar as far as i can tell!!

thanks very much

http://anything-goe.net/Forum

thanks again,

Vinny

Offline JBlaze

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 12,165
  • Gender: Male
    • jason.p.clemons on Facebook
    • jasonclemons on GitHub
    • jasonclemons1 on LinkedIn
    • @fragicide on Twitter
    • clemons.io
Re: Hacked, script injection
« Reply #299 on: May 20, 2009, 09:42:39 PM »
mycousinvinny, make sure to check all PHP files on line 1 for the string "base64_decode()".

If you have that on ANY file, please let us know and we will do what we can to help.
Jason Clemons
Former Team Member 2009 - 2012