
I think someone tried to hack my website!


Solved by PNWDweller

Question

DrJohnSmitherson

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

 

Filename - It's just a php file with a jpg extension

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

<snip>

Edited by Barney T.
We do not want our members downloading infected files.

21 answers to this question

PNWDweller

Certainly looks like an injection script.

You really should make sure that your directory permissions are proper as well as the publicly accessible files. What should be written to and what is read only type of thing.

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities. I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well.

You can always view the access and/or error logs to see if this file is accessed a lot (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file.

The hacker(s) that messed with your site embedded base64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

 

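Added example, not code from the thread: a Python script that performs the log check PNWDweller describes, run over constructed sample lines in Apache combined log format. It counts requests for the suspicious filename (URL-decoded, so an encoded semicolon still matches), groups them by client IP to spot repeated automated access, and lists earlier POST requests from the same clients as candidate upload requests; the sample IPs, paths and timestamps are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache "combined"-format lines for illustration; not the poster's real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2014:10:01:03 +0000] "GET /gallery.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:01:09 +0000] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:10:01:15 +0000] "GET /uploads/dz.php%3B.jpg HTTP/1.1" 200 40311 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2014:11:42:51 +0000] "GET /index.php HTTP/1.1" 200 7303 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:12:05:40 +0000] "POST /uploads/dz.php;.jpg HTTP/1.1" 200 2211 "-" "curl/7.35.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = unquote(d["path"])          # so "dz.php%3B.jpg" compares equal to "dz.php;.jpg"
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def analyse(log_text, filename):
    """Summarise every request that touched `filename` and the POSTs that likely planted it."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = [e for e in entries if filename in e["path"]]
    first_hit = min((e["ts"] for e in hits), default=None)
    hit_ips = {e["ip"] for e in hits}
    # POST requests to other URLs, from the same clients, at or before the first access:
    # the upload form submission usually sits here.
    uploads = [e for e in entries
               if e["method"] == "POST" and filename not in e["path"]
               and e["ip"] in hit_ips
               and (first_hit is None or e["ts"] <= first_hit)]
    return {
        "hits": len(hits),                                   # how often the file was requested
        "served_ok": sum(1 for e in hits if e["status"] == 200),
        "posts_to_file": sum(1 for e in hits if e["method"] == "POST"),   # driven, not just fetched
        "by_ip": Counter(e["ip"] for e in hits),
        "candidate_uploads": [(e["ip"], e["ts"].isoformat(), e["path"]) for e in uploads],
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG, "dz.php;.jpg").items():
        print(f"{key}: {value}")
```

A 200 status only shows the path was served; whether the server handed it to PHP or returned it as a static image depends on the handler configuration, so compare the logged response size with the file's actual size and check the error log for the same timestamps.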
Joe User

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

  • Like 1
Farchord

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

This is a PHP hack shell. From there, they can see a lot of information about your server and, if the rights are improperly set, they can do DDoS attacks, take over the webserver and so on as well as modify various things on your website.

DrJohnSmitherson

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

Well it's a PHP file. I don't think this can harm anyone's PC.

Gerowen

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

DrJohnSmitherson

Certainly looks like an injection script.

You really should make sure that your directory permissions are proper as well as the publicly accessible files. What should be written to and what is read only type of thing.

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities. I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well.

You can always view the access and/or error logs to see if this file is accessed a lot (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file.

The hacker(s) that messed with your site embedded base64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

Thanks so much for the advice. I'll check on the logs. I'm also going to remove the upload ability. No one uses it anyway haha

DrJohnSmitherson

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

I noticed that as well. I kind of want to email him/her.

Also earlier in the code it links to tutorials on hacking and downloading pdfs about it. One site was in Moroccan. Very odd.

PNWDweller

I'm having an interesting time decoding the script online. Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated ClamAV scan on your site as well to make sure nothing else was compromised. ;)

Joe User

Well it's a PHP file. I don't think this can harm anyone's PC.

 

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

DrJohnSmitherson

I'm having an interesting time decoding the script online. Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated ClamAV scan on your site as well to make sure nothing else was compromised. ;)

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day but it doesn't look like this file was accessed. Maybe it was never able to run.

Praetor

Your site was hacked? Welcome to the Internet :D

As long as you don't keep users' emails and CC numbers in plain text, you will be fine.

DrJohnSmitherson

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Oh sorry. I posted the file name up above. I'll make it clearer. Good tip thanks :)

DrJohnSmitherson

Your site was hacked? Welcome to the Internet :D

As long as you don't keep users' emails and CC numbers in plain text, you will be fine.

Haha! So far I'm not liking my stay :P This is the first time it's happened to me. My websites aren't very popular!

PNWDweller

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day but it doesn't look like this file was accessed. Maybe it was never able to run.

PM Sent.  :)

 

Rather than link to or post code snippets that can hack, which is a TOS violation of Neowin AFAIK, I won't. But it is easy enough to decode this stuff online.

Rohdekill

I wasn't aware that someone taking a php file, adding a ".jpg" extension, and uploading it to a site which sponsors file uploading is categorized as "hacking".

DrJohnSmitherson

I wasn't aware that someone taking a php file, adding a ".jpg" extension, and uploading it to a site which sponsors file uploading is categorized as "hacking".

Well now you are

Rohdekill

Well now you are

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

DrJohnSmitherson

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

I'm going off the contents of the file.

Rohdekill

I'm going off the contents of the file.

Never mind. You don't get it.

snaphat (Myles Landwehr)

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

 

Pretty sure he means they attempted to do some sort of injection attack. Possibly uploading it and then trying to run it by injecting unsanitized input somewhere else (or just trying to run it directly from their web browser).

 

 

EDIT: see: http://stackoverflow.com/questions/8025236/is-it-possible-to-execute-php-with-extension-file-php-jpg

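Added example, not code from the thread or the poster's site: Python versions of the upload checks Joe User recommends, applied to the `dz.php;.jpg` filename snaphat's link is about. A name is rejected unless it is exactly one base name plus one permitted extension, the image type is taken from the file's leading bytes rather than the browser-supplied Content-Type (which the uploader controls), and the stored name is random and server-chosen; the accepted types are an assumption. The directory the file lands in still needs the script handler disabled, as Joe User says, since these checks run before the file is written, not when it is served.

```python
import re
import secrets

# Leading bytes a genuine image of each accepted type must start with (magic numbers).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME_FOR = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
EXT_ALIASES = {"jpeg": "jpg"}

class UploadRejected(ValueError):
    pass

def normalise_extension(original_name):
    """Return the single allowed extension of the client-supplied name, or raise.
    Names like 'dz.php;.jpg' or 'x.php.jpg' carry more than one extension-like
    token and are rejected outright rather than 'cleaned up'."""
    base = original_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", base)
    if not m:
        raise UploadRejected("filename must be name.ext with no other dots or punctuation")
    ext = m.group(1).lower()
    ext = EXT_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        raise UploadRejected(f"extension .{ext} is not an accepted image type")
    return ext

def sniff_type(data):
    """Identify the image type from the bytes themselves, ignoring the client's claims."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None

def accept_upload(original_name, data, declared_mime):
    """Run every check; return the server-chosen filename to store the bytes under."""
    ext = normalise_extension(original_name)
    actual = sniff_type(data)
    if actual is None or actual != ext:
        raise UploadRejected("file content is not the image type its name claims")
    # The browser-supplied Content-Type is attacker-controlled, so it is only a
    # consistency check on top of the content sniff, never the deciding one.
    if declared_mime != MIME_FOR[actual]:
        raise UploadRejected("declared Content-Type disagrees with the content")
    # Defence in depth against image/script polyglots: no PHP open tags anywhere.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("script tag embedded in image data")
    # Never reuse the client's name; the stored name is random and server-chosen.
    return f"{secrets.token_hex(16)}.{ext}"

def name_is_acceptable(original_name):
    try:
        normalise_extension(original_name)
        return True
    except UploadRejected:
        return False

def upload_is_acceptable(original_name, data, declared_mime):
    try:
        accept_upload(original_name, data, declared_mime)
        return True
    except UploadRejected:
        return False
```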
Barney T.

We do not want to subject our members to suspicious files through our forums. We need to keep this a safe place for all.

 

Thread Closed

 

Barney

  • Like 2