Sign in to follow this  
Followers 0
thatguyandrew1992

hack I think someone tried to hack my website!

22 posts in this topic

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved a jpg. How can I tell if the hack was sucessful?

 

Filename - It's just a php file with a jpg extension

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

<snip>

Edited by Barney T.
We do not want our members downloading infected files.

Share this post


Link to post
Share on other sites

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all to often with various CMS systems having incorrect permissions and vulnerabilities.  I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well. 

 

You can always view the access and/error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file. 

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

 

Share this post


Link to post
Share on other sites

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

1 person likes this

Share this post


Link to post
Share on other sites

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved a jpg. How can I tell if the hack was sucessful?

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

This is a PHP hack shell. From there, they can see ALOT of informations about your server and, if the rights are improperly set, they can do DDoS attacks, take over the webserver and so on as well as modify various things on your website.

Share this post


Link to post
Share on other sites

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

Well it's a PHP file. I don't think this can harm anyone's PC.

Share this post


Link to post
Share on other sites

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

Share this post


Link to post
Share on other sites

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all to often with various CMS systems having incorrect permissions and vulnerabilities.  I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well. 

 

You can always view the access and/error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file. 

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

Thanks so much for the advice. I'll check on the logs. I'm also going to remove the upload ability. No one uses it anyway haha

Share this post


Link to post
Share on other sites

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

I noticed that as well. I kind of want to email him/her.

Also earlier in the code it links to tutorials on hacking and downloading pdfs about it. One site was in Moroccan. Very odd.

Share this post


Link to post
Share on other sites

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated  ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

Share this post


Link to post
Share on other sites

Well it's a PHP file. I don't think this can harm anyone's PC.

 

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Share this post


Link to post
Share on other sites

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated  ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

If you want, post anything interesting here in this thread, or PM. I'm relly interested in it. Sadly my logs seem to get overriden everyday but it doesn't look like this file was accessed. Maybe it was never able to run.

Share this post


Link to post
Share on other sites

your site was hacked? welcome to the Internet :D

as long you don't keep users emails and CC numbers in plain text, you will be fine.

Share this post


Link to post
Share on other sites

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Oh sorry. I posted the file name up above. I'll make it clearer. Good tip thanks :)

Share this post


Link to post
Share on other sites

your site was hacked? welcome to the Internet :D

as long you don't keep users emails and CC numbers in plain text, you will be fine.

Haha! So far I'm not liking my stay :P  This is the first time it's happened to me. My websites arent very popular!

Share this post


Link to post
Share on other sites

If you want, post anything interesting here in this thread, or PM. I'm relly interested in it. Sadly my logs seem to get overriden everyday but it doesn't look like this file was accessed. Maybe it was never able to run.

PM Sent.  :)

 

Rather than link to or post code snippets that can hack which is a TOS violation of Neowin AFAIK, I won't.  But it is easy enough to decode this stuff online. 

Share this post


Link to post
Share on other sites

I wasn't aware that someone taking a php file, adding a ".jpg" extension, and uploading it to a site which sponsors file uploading is categorized as "hacking".

Share this post


Link to post
Share on other sites

I wasn't aware that someone taking a php file, adding a ".jpg" extension, and uploading it to a site which sponsors file uploading is categorized as "hacking".

Well now you are

Share this post


Link to post
Share on other sites

Well now you are

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

Share this post


Link to post
Share on other sites

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

I'm going off the contents of the file.

Share this post


Link to post
Share on other sites

I'm going off the contents of the file.

nevermind.  You don't get it.

Share this post


Link to post
Share on other sites

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

 

Pretty sure, he means they attempted to do some sort of injection attack. Possible, uploading it and then trying to run it by injecting unsanitized input somewhere else (or just tried to run it directly from their web browser).

 

 

EDIT: see: http://stackoverflow.com/questions/8025236/is-it-possible-to-execute-php-with-extension-file-php-jpg

Share this post


Link to post
Share on other sites

We do not want to subject our members to suspicious files through our forums. We need to keep this a safe place for all.

 

Thread Closed

 

Barney

2 people like this

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.