On Apr 4, 2009, at 21:51, "TG" <tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Had to deal with a rogue PHP based backdoor situation recently. Two
remote
management scripts were installed somehow that would allow you to do
something like what you describe.
You probably want to download a fresh copy of the entire site
(assuming you
don't have remote shell access and/or the desire to use remote *nix
commands to do any of this) and see if whatever your favorite editor
is
has a "find in files" function.
Using this, I searched for all the files that may contain the PHP
"eval"
function, or "fopen" or other commands that could potentially allow
editing/creating files or executing *nix commands or arbitrary PHP
functions.
Also, check the permissions on the files and directories on your site.
Another thing I did was to use a version control software to see if
any
files changed after I redownloaded the site and if any new files were
added. I'm sure there's a way to do this with SVN or CVS or GIT or
something, but I used a Windows based system called Code Co-op.
If/when you find the script that may have allowed this, you can look
at
your raw web logs and see who was accessing that file. You should be
able to at least get their IP address and with that, you can get some
information about them. Or just hand it over to the authorities or
whatever you want to do.
If you're really curious... if you find the backdoor script file,
you can
modify it to either not function, or appear to function but not
really do
anything bad, etc. More importantly, you could modify it to collect
information (what little you can at least) about the person
accessing it.
This could include some javascript to get additional information about
their browser, OS, etc. Google "Browserhawk" for an example of what
information you can get from someone's browser.
Anyway, just some thoughts. Good luck!
-TG
----- Original Message -----
From: sono-io@xxxxxxxxxxxxx
To: php-general@xxxxxxxxxxxxx
Date: Sat, 4 Apr 2009 16:12:06 -0700
Subject: Possible Server Infection?
Hi all,
I was wondering if someone might know about a problem I'm having
on
my server. It appears that I've been infected by a rogue PHP
script(?). Something has gone through my server and placed .htaccess
files in every directory that didn't have one with contents that look
like this:
Options -MultiViews
ErrorDocument 404 //graphics/cc/111152.php
The path is different for each file and corresponds to the
directory
that it's in. The php document name is a different number for each
file I've found.
Does this sound familiar to anyone? What would be the purpose of
placing files like these in the directories? As far as I know, there
isn't a file called "111152.php" anywhere on my site, so this doesn't
make any sense to me.
I realize that this is a very general question, but I'm hoping
that
someone has seen or heard of this type of thing before and can help
me
eliminate the problem.
I'm using A2 Hosting and they don't know why this happened.
Thanks,
Frank
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
It's likely happened because something was not validated correctly
after an upload by a hacker. Perhaps form field data was not cleaned
properly or an image/ document was uploaded and the type was not
filtered out.
Also note that you can run strip_tags() on an image to prevent code
from being embedded in the image.
Once you figure out how yoursite got hijacked, do your best to close
that door and learn from the experience to help improve your code.
Bastien
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
