Eval Gz inflate Base64 decode
Posted: Sat Oct 16, 2010 1:58 pm
I've had a boat building website online since 1999.
My site got hacked for the first time in those ten years just the other day.
I use a "virtual dedicated" server at godaddy.
I found a file with the spurious eval gz inflate base 64 decode stuff in it,
which ultimately allowed (somebody) to display a phoney pharmaceutical website,
that prompts unsuspecting users for credit card numbers.
I used find and grep to identify all the bad files (some had names like dot comma '.,' )
Then I changed the root password and my login password.
And then I changed ALL files to 555 permissions, except for a few LOG files here
and there that need to be written to. That was two weeks ago and I seem to be OK.
MY QUESTION:
How the hell were they able to write to my hand-written PHP files in the first place?
I have run phorum for almost a decade, with now close to 15,000 individual posts.
Right before the hack I experimented with the SMF forum, for perhaps a week.
I imported all 15,000 posts to SMF, and immediately started to get bot-like spam.
I say bot-like, because the server logs showed zillions of failed login attempts.
And maybe 6 successful SMF posts per day. The SMF captcha was visually weak.
So maybe they have code that guesses captcha images. Each spam post to the
SMF forum was matched with a new user_id in the SMF mysql user table, with machine-like names (cnFall2010 etc).
So I zapped SMF and went back to phorum.
But a few days later I noticed the eval gzinflate hack. Maybe this had nothing to do with SMF.
I just want to know how it was done in the first place.
I do also use a mysql password system (written by me)--users who pay for a password (PayPal)
get a password which grants them access to normally hidden directories of
boat building information. All page content in my home-rolled CMS system comes from files (div contents = file_get_contents($filepath)).
But that system checks for illegal file paths and exits silently. I've tried to break it a million times and never yet succeeded.
And unlike WordPress, Drupal, etc, nobody in the whole world knows my source code except me.
I use mysql for the login mechanism only. I do not encrypt the login passwords. I figured
thieves don't care about boat building instructions anyway. I could generate keys and switch to https.
I'll think about that one. Probably have to get that together soon.
I do also now run fail2ban. Anyway, is there any hope of somehow figuring out how this
was done? Analyzing error_log.gz stuff? What do I look for?
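As for what to look for: the injected files the poster describes use the eval(gzinflate(base64_decode('...'))) wrapper, often nested several layers deep, precisely so that grep for obvious strings finds nothing. The script below is an added example (not from the original post or from Phorum) that peels those layers statically with Python's zlib, never executing the PHP, so the innermost code can be read and the file flagged for removal. The sample wrapped payload is constructed inline; `scan_file` is a hypothetical helper to point at a real path.

```python
import base64
import re
import zlib

# Matches the wrapper the post describes: eval(gzinflate(base64_decode('...'))).
# Single or double quotes and whitespace around the calls are tolerated.
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)""",
    re.IGNORECASE,
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE (no zlib/gzip header): wbits=-15 in zlib."""
    return zlib.decompress(data, -15)


def unwrap(php_source: str, max_layers: int = 10):
    """Statically peel nested eval/gzinflate/base64_decode layers without running anything.

    Returns (layers_removed, innermost_source). Zero layers means no wrapper was found.
    """
    current = php_source
    for layer in range(max_layers):
        m = WRAPPER.search(current)
        if not m:
            return layer, current
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            current = gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")
        except (ValueError, zlib.error):
            return layer, current  # malformed payload: report what was recovered so far
    return max_layers, current


def scan_file(path: str):
    """Hypothetical helper: (layers, decoded) for one file; layers > 0 flags it for review."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return unwrap(fh.read())


# --- constructed sample: a harmless payload wrapped twice, as the hack would do ---
def wrap(php: str) -> str:
    co = zlib.compressobj(wbits=-15)  # raw DEFLATE, the format gzinflate() expects
    raw = co.compress(php.encode()) + co.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()

INNER = "<?php echo 'hello'; ?>"
SAMPLE = wrap(wrap(INNER))

if __name__ == "__main__":
    print(unwrap(SAMPLE))
```

Run it over every .php file on the server (including oddly named ones like '.,'); any file where the layer count is above zero deserves a look, and the decoded text usually names what the backdoor does.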