[richy96]

Hi folks

I woke up this morning to find my site was down and errors on every page sayimg $GLOBAL '_ty_' was already defined - or something like that

It turned out there was a line of code on just about every php fle on my site, at the start of the file just after <?php

The line was

Code:

eva l(base 64_ decode("CmV2YW blah blah blah Owo="));
phpinfo();

The funny thing is that non of the 'file modified' dates had changed to the current date/time - though some of them strangely enough had changed to 26-11-11

I spoke to my web host 1and1 internet. My site runs on two dedicated servers, one for the webserver and the other for the media server (webcams etc). Of these two my webserver is a 'managed' server and the media server is a root server.

Anyway the guy on tech support could offer no explanation to how most of my php files had been altered but suggested I restored if I had a backup

He said possibly sql injection but could not explain how that could edit php files. Other than that he said 'brute force attack'

Now ee did have a peculiar episode going on a few weeks ago where we had like 2300 guest crawling around the site - this went on for about 24 hrs and gradually petered out. Could this be related?


So basically to get the site back up and running, I overwrote all the php files from a full backup I just happen to make on 26th December. This was the php files I replaced, not the restore the database.

I do have a datbase backup but it is 8 days old and my site gets 100-150 new member signups most days, plus lot's of member activity so this would not really be a good backup to use


OK so my site is back up and running. I then copied everything back off the server and used a program I have to search through all the files and I found three more instances of this eval(base 64_ decode junk

The problem I then had is two instances of this hack were in new php files in my 'logs' folder called info.php and info.php5 which I don't have permissions to delete (I could read them) as that folder is owned by root! And this is a managed server!!

OK so a call to 1and1 supprt got those rogue files deleted but how could they have been put in a folder owned by root??? Again no real help from 1and1 support

OK so now I have my site up and running but I am very worried

First any idea's how my site could have got hacked?

Secondly my logs folder went from 10Mb to 500Mb since 26th December! A lot of the logs seem to be to do with email with lines like these

Code:

2013-12-15 23:44:31 uxxxxxxxxx 0Y2Xpc-1WD0jw37t1-00O1SO |< REMOTE=208.115.111.72 SCRIPT=/forums/forumdisplay.php -- /usr/sbin/sendmail -t -i
2013-12-15 23:44:31 uxxxxxxxxx 0Y2Xpc-1WD0jw37t1-00O1SO <= S=admin@swapscene.com SZ=1752 D=0 SID=3xxxxxxx5
2013-12-15 23:44:31 uxxxxxxxxxx 0Y2Xpc-1WD0jw37t1-00O1SO => some-site-memberr@yahoo.co.uk localhost[127.0.0.1] 250 OK id=1VsKQJ-0000hP-OU

There are thousands of these and some come from scripts on different files eg SCRIPT=/forums/showthread.php

Also the REMOTE= IP address comes in blocks of the same one but then changes to a different one. There are hundreds or even thousands remote IPs in these logs I think

Can anyone tell me if that is supposed to be an emailsupposedly being sent by admin to one of our members - or an email containing one of our members address being sent to a third party?

There also seems to have been an ftp attack going on trying different usernames


I don't believe that succeeded though

I have however asked all mods/admins to change their site password


I had a look at that ev al(base 64_ decode("CmV2YW blah blah blah Owo=")); code

Basically I base 64 decoded it and echoed the output - which contained a gzipped and base 64 encoded string

So I decoded that and found three encoded eval statements

So I decoded those and found an array of encoded data field and an encoded function

So I decoded al the array and the function and eventually ended up with some sort of crazy function that looks like it was comparing globals to see if a user was logged in and running round and round in a while loop with mad 'if' statements and I thnk it eventually would exit if a certain condition was met, and return some encoded value

Now I don't really know what this code does - is it OK to post it all here what I found so some experts can look at it and tell me what this code was doing?


Also is it possible to run that line of code on my test site (server on my lan) and if I did something like

Code:

$string=eval(base 64_ decode("CmV2YW blah blah blah Owo="));

echo 'string' would it give some info as to what it is doing, or would that be dangerous to try?

Sorry this has been a long post

To recap:
Any ideas how my site got hacked

Did I do enough to secure the site? What else should I do to try and make it more secure?

Is it OK to post up the source of that crazy function code I decoded so someone can tell me what it actually does or is attempting to do?

Can I run that function on my test site to find out what data it outputs?

What was my email server doing with members email addresses?

Thanks for your time and assistance
Rich

--------------- Added [DATE]1389382764[/DATE] at [TIME]1389382764[/TIME] ---------------

Sorry had to include a few spurious spaces in that base 64 decode thng as this site would not let me post this thread here for some reason!