I think someone tried to hack my website!


  • This topic is locked
21 replies to this topic

#1 thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 09 December 2013 - 23:36

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

 

Filename - It's just a php file with a jpg extension

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

<snip>




Edited by Barney T., 10 December 2013 - 00:52. Reason: We do not want our members downloading infected files.



#2 +Medfordite

Medfordite

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 16-March 06
  • Location: Medford Oregon
  • OS: Win 8.1 Pro
  • Phone: Samsung Galaxy Axiom

Posted 09 December 2013 - 23:55   Best Answer

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files. What should be written to and what is read-only, that type of thing.

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities. I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well.

You can always view the access and/or error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file.

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.
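The log check suggested above, as an added example that is not code from this thread: a small Python triage over Apache combined-format access log lines that separates the POST to the upload endpoint from any later request that touched the uploaded file. The log lines and the upload endpoint name (/upload.php) are constructed assumptions; only the filename dz.php;.jpg comes from the thread.

```python
import re
from urllib.parse import unquote

# Constructed combined-format lines standing in for the real access log.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2013:22:41:03 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2013:22:41:09 +0000] "GET /uploads/dz.php%3B.jpg?p=1 HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.2 - - [09/Dec/2013:22:45:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2013:23:02:51 +0000] "POST /uploads/dz.php;.jpg HTTP/1.1" 200 98 "-" "curl/7.30"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode %3B etc. so "dz.php%3B.jpg" and
    # "dz.php;.jpg" compare equal.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec

def triage(log_text, uploaded_name, upload_endpoint):
    """Split the log into upload POSTs and requests that hit the uploaded file."""
    uploads, hits = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == upload_endpoint:
            uploads.append(rec)
        elif rec["path"].endswith(uploaded_name):
            hits.append(rec)
    return {
        "uploads": uploads,
        "hits": hits,
        "hit_ips": sorted({r["ip"] for r in hits}),
        "served_ok": any(r["status"] == "200" for r in hits),
    }

if __name__ == "__main__":
    r = triage(SAMPLE_LOG, "dz.php;.jpg", "/upload.php")
    print(len(r["uploads"]), "upload POST(s);", len(r["hits"]), "request(s) to the file")
```

A hit only shows the file was requested; whether the server ran it as PHP or served it as a static image depends on the handler configuration, and a response size that does not match the stored file is one cue. When logs rotate daily, as the OP's do, an empty result from the surviving log is not proof the file was never reached.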

 



#3 Joe User

Joe User

    Lazy Joe's

  • Tech Issues Solved: 1
  • Joined: 29-May 07
  • Location: Somewhere in the US
  • OS: Windows 8.1 Update 1
  • Phone: Nexus 5

Posted 09 December 2013 - 23:57

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.



#4 Farchord

Farchord

    Life is but a sum of your achievements

  • Joined: 06-November 01
  • Location: Shawinigan, Quebec, Canada
  • Phone: iPhone 5

Posted 09 December 2013 - 23:57

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

This is a PHP hack shell. From there, they can see a lot of information about your server and, if the rights are improperly set, they can do DDoS attacks, take over the webserver and so on, as well as modify various things on your website.



#5 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 09 December 2013 - 23:58

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

Well it's a PHP file. I don't think this can harm anyone's PC.



#6 Gerowen

Gerowen

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 28-August 05
  • Location: Hills of Kentucky
  • OS: Ubuntu Linux

Posted 09 December 2013 - 23:58

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .



#7 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 09 December 2013 - 23:59

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files. What should be written to and what is read-only, that type of thing.

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities. I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well.

You can always view the access and/or error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file.

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

Thanks so much for the advice. I'll check on the logs. I'm also going to remove the upload ability. No one uses it anyway haha



#8 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 10 December 2013 - 00:00

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

I noticed that as well. I kind of want to email him/her.

Also earlier in the code it links to tutorials on hacking and downloading pdfs about it. One site was in Moroccan. Very odd.



#9 +Medfordite

Medfordite

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 16-March 06
  • Location: Medford Oregon
  • OS: Win 8.1 Pro
  • Phone: Samsung Galaxy Axiom

Posted 10 December 2013 - 00:06

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated  ClamAV scan on your site as well to make sure nothing else was compromised.  ;)



#10 Joe User

Joe User

    Lazy Joe's

  • Tech Issues Solved: 1
  • Joined: 29-May 07
  • Location: Somewhere in the US
  • OS: Windows 8.1 Update 1
  • Phone: Nexus 5

Posted 10 December 2013 - 00:08

Well it's a PHP file. I don't think this can harm anyone's PC.

 

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.
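The two controls above (check the content type on upload, never let the upload directory execute), as an added example that is not code from this thread or from the OP's site. It is written in Python rather than PHP for illustration; the accepted image types, the filename rule and the random server-side name are assumptions. Checking magic bytes is not sufficient on its own, since a file can carry a valid image header with script appended, so the stored name and the no-execute directory are the controls that matter.

```python
import os
import re
import secrets

# Leading bytes of the image types this hypothetical site accepts. The
# Content-Type header and the client's extension are never trusted.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# One plain basename, one image extension, nothing else: "dz.php;.jpg" fails here.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$", re.IGNORECASE)

def detect_image_type(data):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def validate_upload(client_name, data):
    """Return (accepted, reason, stored_name); stored_name is chosen by the server."""
    if not SAFE_NAME.match(client_name):
        return False, "filename has a disallowed character or extension", None
    kind = detect_image_type(data)
    if kind is None:
        return False, "content is not a recognised image", None
    # Random basename, extension from the detected type: the client never
    # influences the name that lands on disk.
    return True, "ok", f"{secrets.token_hex(8)}.{kind}"

def store_upload(upload_dir, stored_name, data):
    """Write the file without an execute bit. The web server must also be told
    to serve this directory as static files only; that part is server config."""
    path = os.path.join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)
    return path
```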



#11 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 10 December 2013 - 00:10

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated  ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overwritten every day, but it doesn't look like this file was accessed. Maybe it was never able to run.



#12 Praetor

Praetor

    ASCii / ANSi Designer

  • Tech Issues Solved: 3
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 10 December 2013 - 00:11

Your site was hacked? Welcome to the Internet :D

As long as you don't keep users' emails and CC numbers in plain text, you will be fine.



#13 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 10 December 2013 - 00:11

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Oh sorry. I posted the file name up above. I'll make it clearer. Good tip thanks :)



#14 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 22-January 09

Posted 10 December 2013 - 00:12

Your site was hacked? Welcome to the Internet :D

As long as you don't keep users' emails and CC numbers in plain text, you will be fine.

Haha! So far I'm not liking my stay :p This is the first time it's happened to me. My websites aren't very popular!



#15 +Medfordite

Medfordite

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 16-March 06
  • Location: Medford Oregon
  • OS: Win 8.1 Pro
  • Phone: Samsung Galaxy Axiom

Posted 10 December 2013 - 00:15

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overwritten every day, but it doesn't look like this file was accessed. Maybe it was never able to run.

PM Sent.  :)

 

Rather than link to or post code snippets that can hack, which is a TOS violation of Neowin AFAIK, I won't. But it is easy enough to decode this stuff online.