vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions

#1
10-25-2008, 07:47 AM
dxflw
Join Date: May 2008
Posts: 218
Can somebody explain what these php files are?

I found these 2 php files and I don't remember if I uploaded these files to my ftp...
Can somebody explain what this is..?
Attached Files
File Type: php 34914.php (1.4 KB, 13 views)
File Type: php 141171.php (1.4 KB, 6 views)
#2
10-25-2008, 08:29 AM
MysCha
Join Date: Sep 2008
Posts: 115

lolz, I never knew these were vBulletin files
#3
10-25-2008, 10:30 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Looks like someone has uploaded a malicious file. I have not had time to decode the file, but I can assume that it was designed to hack you or something similar.
#4
10-25-2008, 11:09 AM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

They definitely look like rogue files; change all your passwords to your server and FTP.

Just keep an eye on any attachments you allow your members to post.

#5
10-25-2008, 01:57 PM
dxflw
Join Date: May 2008
Posts: 218

Thanks guys.. but can somebody explain to me exactly what the code can do?
I think my last hosting company has something to do with that...
#6
10-25-2008, 02:28 PM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

It's not good, whatever they are doing. First off, it's from somewhere in Russia, so that's immediately bad. The other thing is that they are trying to execute the command line `uname -a`, which outputs a single line with the name of the machine and the operating system version.

They are doing their homework before they attack. I would check your processing power and see if it has skyrocketed; they may have anything on the server now.... if so, it's time for a rebuild.

Just check your server permissions and see if any have been changed. It's more than likely that you have a weak password on an FTP account back to your server. Delete all unnecessary FTP accounts whilst you're at it, and make sure you renew all your passwords: a mixture of letters and numbers and perhaps a few caps.

Without decoding the static elements of the scripts, I would guess the script collects as much information about the client/server and then transmits it by including a remote file with the data in the URL. These are the lines that will give you the greatest insight:

Code:
base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")
base64_decode("aHR0cDovLw==")
base64_decode("dXNlcjkubXNodG1sLnJ1")
base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")
You should review the permissions and ownership of the files that were placed on your server. If they're owned by the user "nobody", perhaps your compromise is minimal.

Edit: Here is the output of those commands:

Code:
http://bis.iframe.ru/master.php?r_addr=
http://
user9.mshtml.ru
The commands.php script gathers as much information as it can, then provides it to bis.iframe.ru. I assume this is to assist the malicious user in his efforts to steal the identities of others.

The server has definitely been hacked/cracked, but it's possible that it is not owned.

What kernel version is being used?
(if not sure, look under WHM > Server Status > Server Information: System Information)

Run this command as 'root' in a shell: locate code2.php .Free.php md.pl

If any of those files are found and you're running kernel 2.6.xx (where xx is less than 17), then odds are the hackers only found a way to upload the defacement and spammer scripts.

That would mean an OS reload, or someone going through the entire server to find & delete the hacker files "and" set up security to stop them from doing it again.

If you don't own your server, then perhaps this is something that you should talk to your hosting company about.

Take care

--------------- Added at Unix time 1224949432 ---------------

Just remembered

Check your code in .htaccess and see if anything's changed there. Normally these hackers add a line like this...

Code:
Options -MultiViews
ErrorDocument 404 //e107_plugins/htnbook/820220.php
Also view your index.php and make sure the file has no extra lines in it along the lines of...


Code:
<title>Hacked By GHoST61</title>
<center><img border="0" src="http://ghst61.by.ru/gh.jpg" weight="30" heigth="35" style="border:0px dashed black; ">
<p align="center"><font face ="Showcard Gothic" size="8"><font color="#bb1122"> Hacked By GHoST61
<HR color=gray SIZE=4>
<p align="center"><font face ="Bradley Hand ITC" size="6"><font color="#0000cc">Copyright ©2006 - 2008 By GHoST61
<h1><center>For Türkiye<h1><center>
This is just a front screen for these hackers, but check anyway.



--------------- Added at Unix time 1224950097 ---------------

Whilst I've been looking into this, it looks like it's a "pay per click" scam.

They hack your site with these bogus files then seed search engines to go there, and just sit back and collect for every click.

Check your file/folder permissions.

FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755
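Added example (my own code, not from this thread or from vBulletin): a small Python scanner that does what UKBusinessLive did by hand in the post above. It pulls every base64_decode("...") literal out of a PHP source, decodes it, counts a few markers (base64_decode, eval, command-execution functions, the `uname -a` string) and gives a crude triage verdict. The indicator list and the score thresholds are my own assumptions, and the sample PHP text is constructed from the four literals quoted in the post plus the uname -a call it describes.

```python
from __future__ import annotations

import base64
import re

# Matches base64_decode("...") or base64_decode('...') with a literal argument
_B64_CALL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

# Markers typical of a planted script. Hypothetical, minimal list (assumption).
_INDICATORS = {
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "command_exec": re.compile(r"\b(?:system|shell_exec|passthru|exec|popen)\s*\("),
    "uname": re.compile(r"uname\s+-a"),
}


def decode_base64_literals(source: str) -> list[str]:
    """Decode every base64 string literal passed to base64_decode() in `source`."""
    decoded = []
    for match in _B64_CALL.finditer(source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def indicator_hits(source: str) -> dict[str, int]:
    """Count how often each indicator pattern occurs in `source`."""
    return {name: len(rx.findall(source)) for name, rx in _INDICATORS.items()}


def classify(source: str) -> str:
    """Crude triage: 'clean', 'review' or 'likely-malicious' (thresholds are an assumption)."""
    hits = indicator_hits(source)
    score = sum(1 for count in hits.values() if count)
    # A decoded literal that is a URL is a strong hint of a hard-coded call-home address.
    if any(text.startswith(("http://", "https://")) for text in decode_base64_literals(source)):
        score += 1
    if score >= 3:
        return "likely-malicious"
    if score >= 1:
        return "review"
    return "clean"


# Constructed sample: the four literals quoted in the thread plus the uname -a call it describes.
SAMPLE_PHP = r'''<?php
$u  = base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9");
$p  = base64_decode("aHR0cDovLw==");
$h1 = base64_decode("dXNlcjkubXNodG1sLnJ1");
$h2 = base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=");
$sys = @shell_exec("uname -a");
'''

# Constructed benign sample: one harmless encoded string ("hello"), nothing else.
BENIGN_PHP = '<?php $greeting = base64_decode("aGVsbG8="); echo $greeting;'

if __name__ == "__main__":
    for text in decode_base64_literals(SAMPLE_PHP):
        print("decoded:", text)
    print(indicator_hits(SAMPLE_PHP), classify(SAMPLE_PHP))
    print(indicator_hits(BENIGN_PHP), classify(BENIGN_PHP))
```

Run it against each of the numbered .php files found; a single base64_decode only lands a file in "review" because legitimate code encodes strings too, while a decoded URL next to a command-execution call is what the post is actually pointing at.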
#7
10-25-2008, 04:21 PM
dxflw
Join Date: May 2008
Posts: 218

Thank you very much "UKBusinessLive"
I have created a new hosting account with a new hosting company.
I have found more files like this in my forum folder:
These were in the forum's root folder:
34914.php
141171.php
and I have found more in:
images/avatar
forum root/modules (this is for CMPS)
includes/
install/
======================
All the files I have found with numbers, for example 54656.php, are deleted,
and the whole forum is loaded to the new server and new company.
I have a database backup and with this I will restore my forum on the new server.
Do you think this is enough?
#8
10-25-2008, 05:36 PM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

Quote:
Originally Posted by dxflw
[...] Do you think this is enough?
Just make sure the following permissions are set...


FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755

and make sure you use a high-strength password; do regular checks of your image folders, as they will most probably try to upload a file as an image.

Regulate and moderate your attachments and exactly what you're allowing your members to upload to your server. Set user permissions so that banned, unregistered and guest users CANNOT upload anything to your server. I know people will say "but we do that anyway"; you'll be surprised at the number of people that apparently leave a "back door" open.

Above all, just be careful.

Take care

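A second added example (again my own code, not from the thread): a Python audit of the forum tree for the three things this post and post #6 tell you to check, namely files looser than 644, folders looser than 755, and PHP scripts with purely numeric names or sitting in upload directories such as images/avatar. It builds a constructed temporary fixture so it runs stand-alone. It assumes a POSIX filesystem where chmod is honoured, and the list of upload directories is an assumption, not a vBulletin layout guarantee.

```python
from __future__ import annotations

import os
import re
import shutil
import stat
import tempfile

FILE_MAX = 0o644   # from the thread: files should not be looser than this
DIR_MAX = 0o755    # from the thread: folders should not be looser than this

# Directories that should hold uploads, never executable scripts (assumption;
# "images/avatar" is one of the locations reported in the thread).
UPLOAD_DIRS = ("images", "attachments", "customavatars")
NUMERIC_PHP = re.compile(r"^\d+\.php$", re.IGNORECASE)


def excess_bits(st_mode: int, limit: int) -> int:
    """Permission bits set in st_mode that the limit does not allow (0 = within policy)."""
    return stat.S_IMODE(st_mode) & ~limit


def _in_upload_dir(rel_dir: str) -> bool:
    return any(rel_dir == d or rel_dir.startswith(d + "/") for d in UPLOAD_DIRS)


def audit_tree(root: str) -> dict[str, list[str]]:
    """Walk `root` and report loose permissions and suspicious PHP placement."""
    findings: dict[str, list[str]] = {
        "loose_perms": [], "numeric_php": [], "php_in_upload_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if excess_bits(os.lstat(dirpath).st_mode, DIR_MAX):
            findings["loose_perms"].append(rel_dir or ".")
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            if excess_bits(mode, FILE_MAX):
                findings["loose_perms"].append(rel)
            if NUMERIC_PHP.match(name):
                findings["numeric_php"].append(rel)
            if name.lower().endswith(".php") and _in_upload_dir(rel_dir):
                findings["php_in_upload_dirs"].append(rel)
    for entries in findings.values():
        entries.sort()
    return findings


def _write(root: str, rel: str, mode: int) -> None:
    path = os.path.join(root, *rel.split("/"))
    with open(path, "w") as fh:
        fh.write("<?php\n")
    os.chmod(path, mode)


def build_sample_tree() -> str:
    """Constructed fixture: a miniature forum tree with two planted files and one loose folder."""
    root = tempfile.mkdtemp(prefix="vb_audit_")
    for d in ("images/avatar", "includes"):
        os.makedirs(os.path.join(root, *d.split("/")))
    # chmod explicitly so the fixture does not depend on the process umask
    os.chmod(os.path.join(root, "images"), 0o755)
    os.chmod(os.path.join(root, "includes"), 0o755)
    _write(root, "index.php", 0o644)
    _write(root, "includes/config.php", 0o600)        # stricter than 644 is fine
    _write(root, "34914.php", 0o644)                    # numeric name, as in the thread
    _write(root, "images/avatar/141171.php", 0o666)     # planted and world-writable
    os.chmod(os.path.join(root, "images", "avatar"), 0o777)
    return root


def sample_findings() -> dict[str, list[str]]:
    """Build the fixture, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for category, entries in sample_findings().items():
        print(f"{category}: {entries}")
```

Point audit_tree at the real forum root on the new host after the restore; anything in numeric_php or php_in_upload_dirs deserves a look before the site goes live, and loose_perms is the list to tighten with chmod.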
#9
10-28-2008, 01:02 PM
dxflw
Join Date: May 2008
Posts: 218

ok thank you very much.
cu.
All times are GMT. The time now is 11:16 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.