Is this a trojan or backdoor in my images/attachments folder?

  • iardon
    replied
    I'm on a shared host, is there anything I can do or do I have to ask my hosting company to turn it off for the whole server?

    Originally posted by sensimilla
    It looks like a backdoor inclusion hole, make sure that php setting allow_url_fopen is OFF on the server to counter such attacks.

  • Lt. Dan
    replied
    I've passed this thread on to HR tech support, also, the VBB team did some digging and have discovered that this may be a phpBB and phpNuke security flaw. I had both of these installed on my server at one time.

    It appears that these files are used for spamming and redirecting to search engines.

  • sensimilla
    replied
    It looks like a backdoor inclusion hole, make sure that php setting allow_url_fopen is OFF on the server to counter such attacks.

  • Lt. Dan
    replied
    Originally posted by MarcoH64
    Only if the hack is done on your account.

    Is it a dedicated server, or shared hosting?

    PS The script could be almost anywhere on your server, even embedded in a regular file/script.

    There are some tools to help find this kind of thing, like chkrootkit; your host should know more about them. Unfortunately, unless you can find exactly how the server was compromised and you can find all traces of it, the only secure way to get rid of things like this is a complete new install (OS and everything) with clean files.
    I'm on a shared server with HostRocket. VBB team is investigating if it is a VBB security hole, if not, I'll notify HR.

  • Marco van Herwaarden
    replied
    Only if the hack is done on your account.

    Is it a dedicated server, or shared hosting?

    PS The script could be almost anywhere on your server, even embedded in a regular file/script.

    There are some tools to help find this kind of thing, like chkrootkit; your host should know more about them. Unfortunately, unless you can find exactly how the server was compromised and you can find all traces of it, the only secure way to get rid of things like this is a complete new install (OS and everything) with clean files.

  • Lt. Dan
    replied
    Originally posted by MarcoH64
    Probably by a script somewhere on your server that you have not found yet.
    If that is the case, deleting everything in my public_html directory should get it, right?

  • Marco van Herwaarden
    replied
    Probably by a script somewhere on your server that you have not found yet.

  • Lt. Dan
    replied
    Originally posted by MarcoH64
    You don't always need to notice something if you are hacked. It could also be that your server is used for spamming or to do a DDOS attack.
    Agreed, that is why I'm trying to find out what is going on. I've got the VBB guys looking at this as well. I dug through all of my files and haven't found this any place else.

    I deleted all the suspicious PHP and .htaccess files and then uploaded my attachments into a directory with a different name to see if these files reappear.

    The odd thing is that these files were uploaded via http, not ftp. How was this done?

  • Marco van Herwaarden
    replied
    You don't always need to notice something if you are hacked. It could also be that your server is used for spamming or to do a DDOS attack.

  • Lt. Dan
    replied
    Originally posted by sensimilla
    it looks like a backdoor shell uploaded by a script kid to your forum directories
    delete those files at once, change all dbs passwords, change all users passwords
    ask your hoster to change your FTP access pass
    and I would recommend deleting all files from the server and replacing them with new ones downloaded from vbulletin.com

    btw.. this part

    PHP Code:
    ("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"
    after decoding gives


    you are pwned
    That's what I was thinking myself. Nothing has happened on my server, so I'm guessing this was something automated. These files only show up in my VBB images/attachments folders and no place else.

    I installed a second VBB to my server about a month ago and these files popped up in this one too.

    The image/attachments folder is the default location that VBB looks to put attachments when you pull them out of the database, so perhaps it's a script that looks to exploit those folders. VBB recommended CHMOD 777 when I created that folder, so that directory and all files are 777, which is probably how it was exploited.

    The guy that found this on my server said that these scripts will allow the hacker to execute any function allowed on my server, but I've never had anything malicious happen on my server.

  • sensimilla
    replied
    it looks like a backdoor shell uploaded by a script kid to your forum directories
    delete those files at once, change all dbs passwords, change all users passwords
    ask your hoster to change your FTP access pass
    and I would recommend deleting all files from the server and replacing them with new ones downloaded from vbulletin.com

    btw.. this part

    PHP Code:
    ("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9"
    after decoding gives

    you are pwned
    Last edited by sensimilla; Wed 15 Feb '06, 6:39am.

  • RedWingFan
    replied
    What permissions do you have on these folders? I have avatars and attachments stored in the filesystem, and when I did the conversion, vB set up the directories for me. I went in now and noticed that permissions are 707 for both of these directories, meaning they are writeable. Had I known, I may have opted to keep these in the database.

    Didn't find these files mentioned above, but IMHO, it's only a matter of time before someone attempts it. I wish the conversion function in vB had warned me about this beforehand. (Or maybe it did, and I don't remember...?)

    The only cure I can think of is a cron job that would delete any files with the .php extension, since these contain only images. Or even setup my own PHP script to run via cron that would clear out anything that is not an image file. Not the best idea, but it might work for now...

    Originally posted by Lt. Dan
    I also found a .htaccess file in each of the attachment directories which appear to reference the suspect .php files.
    Could you post the contents of that here (removing anything sensitive, of course)?
    Last edited by RedWingFan; Wed 15 Feb '06, 6:32am.


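The cron job RedWingFan describes above, as an added example that is not code from the thread or from vBulletin: it walks an attachments/avatars tree and moves anything that is not an image (a messages.php, a configs.php, a .htaccess, or an image-named file that contains a PHP tag) into a quarantine directory outside the web root, so the host can still inspect the files instead of losing them. All paths are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: quarantine non-image files found under
# a vBulletin attachments or avatars directory. Files are moved, not deleted,
# so the evidence survives for whoever cleans the server. Paths are assumed.

# Exit 0 when the file has an image extension and no "<?php" tag inside it.
is_clean_image() {
    f="$1"
    case "$f" in
        *.gif|*.jpg|*.jpeg|*.png|*.bmp) ;;
        *) return 1 ;;
    esac
    # A .jpg whose body carries "<?php" is a script with an image name.
    if grep -q '<?php' "$f" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Move every non-image under $1 into $2, keeping the relative path, and
# print one "quarantined: <relative path>" line per file moved.
quarantine_non_images() {
    root="$1"
    qdir="$2"
    find "$root" -type f | while IFS= read -r f; do
        if ! is_clean_image "$f"; then
            rel="${f#"$root"/}"
            mkdir -p "$qdir/$(dirname "$rel")"
            mv "$f" "$qdir/$rel"
            echo "quarantined: $rel"
        fi
    done
}

# Assumed crontab line, hourly (quarantine dir is outside public_html):
# 0 * * * * /bin/sh /home/user/bin/quarantine.sh /home/user/public_html/forum/images/attachments /home/user/quarantine >> /home/user/quarantine.log
if [ "$#" -eq 2 ]; then
    quarantine_non_images "$1" "$2"
fi
```

Run it once by hand first and review what lands in the quarantine directory; a legitimate non-image attachment type would be moved as well, so extend the extension list to match what the board is configured to accept.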
  • Lt. Dan
    replied
    Originally posted by MarcoH64
    I didn't really analyze the scripts you posted, but it looks like someone gained access to your server and placed some unknown scripts there.

    You might want to check your server logs to see how they came there.

    I also suggest you ask your host for support on cleaning the server after a possible hack.
    It's very odd that these same files appeared in a new directory on a different forum in the same locations.

    The guy that analyzed them for me said they were uploaded via http and not ftp, which he thought was odd.

    I also found a .htaccess file in each of the attachment directories which appear to reference the suspect .php files.
    Last edited by Lt. Dan; Wed 15 Feb '06, 5:19am.

  • Marco van Herwaarden
    replied
    I didn't really analyze the scripts you posted, but it looks like someone gained access to your server and placed some unknown scripts there.

    You might want to check your server logs to see how they came there.

    I also suggest you ask your host for support on cleaning the server after a possible hack.

  • Lt. Dan
    replied
    I have another board running on 3.5.3 and I've found that it too already has these php files embedded in all the attachment folders as well.

    Every attachment folder has a messages.php and a configs.php file in them with the same code.
