
I think someone tried to hack my website!


Solved by PNWDweller

Question

DrJohnSmitherson

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

 

Filename - It's just a php file with a jpg extension

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

<snip>

Edited by Barney T.
We do not want our members downloading infected files.

21 answers to this question


  • 0
PNWDweller

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities.  I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well. 

 

You can always view the access and/error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file. 

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

 

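The log check PNWDweller describes, as an added Python example that is not code from the thread: it parses Apache combined-format access log lines, picks out the POST that brought the file in and every later request for a double-extension file under the upload directory, and applies a size heuristic to a 200 response. The log lines are constructed for this example (the file name is the one from the question); the paths `/upload.php` and `/uploads/` are assumptions.

```python
import re
from collections import Counter

# Apache "combined" access log line, e.g.
# 203.0.113.7 - - [10/Mar/2021:14:02:24 +0000] "GET /uploads/dz.php;.jpg HTTP/1.1" 200 41233
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# ".php" followed by a second extension or a separator: dz.php;.jpg, shell.php.jpg, x.php%00.jpg
DOUBLE_EXT_RE = re.compile(r'\.php(?:[;.]|%00)', re.IGNORECASE)

# Constructed sample log for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "GET /gallery.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2021:14:02:19 +0000] "POST /upload.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2021:14:02:24 +0000] "GET /uploads/dz.php;.jpg HTTP/1.1" 200 41233
198.51.100.9 - - [10/Mar/2021:14:10:02 +0000] "GET /uploads/kitten.jpg HTTP/1.1" 200 84011
203.0.113.7 - - [10/Mar/2021:15:40:08 +0000] "GET /uploads/dz.php;.jpg HTTP/1.1" 200 41233
192.0.2.44 - - [10/Mar/2021:16:01:55 +0000] "GET /uploads/dz.php;.jpg HTTP/1.1" 404 196
"""


def parse_line(line):
    """Return a dict for one access log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def find_suspicious(log_text, upload_dir="/uploads/", upload_endpoint="/upload.php"):
    """Collect the upload POSTs and every request for a double-extension file
    under the upload directory, with a per-IP tally of the latter."""
    uploads, hits = [], []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        path = e["target"].split("?", 1)[0]  # ignore any query string
        if e["method"] == "POST" and path == upload_endpoint:
            uploads.append(e)
        elif path.startswith(upload_dir) and DOUBLE_EXT_RE.search(path):
            hits.append(e)
    return {
        "uploads": uploads,
        "hits": hits,
        "served": [e for e in hits if e["status"] == 200],  # the server answered it
        "hits_by_ip": Counter(e["ip"] for e in hits),
    }


def likely_executed(entry, stored_size):
    """Heuristic: a 200 whose body size differs from the file on disk means the
    server did not simply hand back the bytes (PHP ran it, or the response was
    compressed or ranged). A matching size means it was served as a static file."""
    return entry["status"] == 200 and entry["size"] != stored_size


if __name__ == "__main__":
    report = find_suspicious(SAMPLE_LOG)
    for e in report["uploads"]:
        print("upload  ", e["time"], e["ip"], e["status"])
    for e in report["hits"]:
        print("request ", e["time"], e["ip"], e["target"], e["status"], e["size"])
    print("per IP  ", dict(report["hits_by_ip"]))
```

Compare the size column against the file's size on disk (`ls -l`) before the logs rotate; the 404 at the end shows a later probe after the file was removed.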
  • 0
Joe User

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

  • Like 1
  • 0
Farchord

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

This is a PHP hack shell. From there, they can see a lot of information about your server and, if the rights are improperly set, they can do DDoS attacks, take over the webserver and so on as well as modify various things on your website.

  • 0
DrJohnSmitherson

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

Well it's a PHP file. I don't think this can harm anyone's PC.

  • 0
Gerowen

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

  • 0
DrJohnSmitherson

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities.  I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well. 

 

You can always view the access and/error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file. 

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

Thanks so much for the advice. I'll check on the logs. I'm also going to remove the upload ability. No one uses it anyway haha

  • 0
DrJohnSmitherson

I don't know much about PHP, but the last section looks like it sends an e-mail to alberticoguerra12@gmail.com .

I noticed that as well. I kind of want to email him/her.

Also earlier in the code it links to tutorials on hacking and downloading pdfs about it. One site was in Moroccan. Very odd.

  • 0
PNWDweller

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated  ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

  • 0
Joe User

Well it's a PHP file. I don't think this can harm anyone's PC.

 

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

  • 0
DrJohnSmitherson

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and for safety's sake, run an updated  ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day but it doesn't look like this file was accessed. Maybe it was never able to run.

  • 0
Praetor

your site was hacked? welcome to the Internet :D

as long as you don't keep users' emails and CC numbers in plain text, you will be fine.

  • 0
DrJohnSmitherson

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Oh sorry. I posted the file name up above. I'll make it clearer. Good tip thanks :)

  • 0
DrJohnSmitherson

your site was hacked? welcome to the Internet :D

as long as you don't keep users' emails and CC numbers in plain text, you will be fine.

Haha! So far I'm not liking my stay :P  This is the first time it's happened to me. My websites aren't very popular!

  • 0
PNWDweller

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day but it doesn't look like this file was accessed. Maybe it was never able to run.

PM Sent.  :)

 

Rather than link to or post code snippets that can hack which is a TOS violation of Neowin AFAIK, I won't.  But it is easy enough to decode this stuff online. 

  • 0
Rohdekill

I wasn't aware that someone taking a php file, adding a ".jpg" extension, and uploading it to a site which sponsors file uploading is categorized as "hacking".

  • 0
DrJohnSmitherson

I wasn't aware that someone taking a php file, adding a ".jpg" extension, and uploading it to a site which sponsors file uploading is categorized as "hacking".

Well now you are

  • 0
Rohdekill

Well now you are

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

  • 0
DrJohnSmitherson

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

I'm going off the contents of the file.

  • 0
Rohdekill

I'm going off the contents of the file.

Never mind.  You don't get it.

  • 0
snaphat (Myles Landwehr)

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

 

Pretty sure he means they attempted to do some sort of injection attack. Possibly, uploading it and then trying to run it by injecting unsanitized input somewhere else (or just tried to run it directly from their web browser).

 

 

EDIT: see: http://stackoverflow.com/questions/8025236/is-it-possible-to-execute-php-with-extension-file-php-jpg

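The upload checks Joe User suggests, together with the double-extension point in snaphat's reply, as an added Python example (not code from the thread or from the poster's site): the filename must carry exactly one extension, which rejects a name like `dz.php;.jpg` outright (such names target servers that stop reading the filename at the semicolon or the first dot), the extension is whitelisted, the file's own magic bytes decide its type rather than the client's Content-Type, the stored name is chosen by the server, and the file is written without an execute bit. The sample bytes and the `MAGIC` table are constructed for this example.

```python
import os
import re
import secrets

# Magic bytes of the image types the site accepts. The Content-Type the browser
# sends is attacker-controlled, so the stored bytes are what gets checked.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# One simple stem, exactly one dot, one short alphabetic extension. This alone
# rejects dz.php;.jpg, shell.php.jpg, a.php%00.jpg, ../x.jpg and names ending in a dot.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z]{3,4})$")

# Constructed sample inputs: a minimal JPEG header and a stand-in for a PHP script.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PHP_SAMPLE = b"<?php /* constructed stand-in for an uploaded script */ ?>"


def validate_upload(filename, data, client_mime=""):
    """Decide whether an upload is stored. On success 'stored_name' is the
    server-chosen file name; on failure 'reason' says why it was rejected.
    'mime_mismatch' flags a client Content-Type that disagrees with the content
    (worth logging even for accepted files)."""
    result = {"ok": False, "reason": None, "stored_name": None, "mime_mismatch": False}
    m = SAFE_NAME_RE.match(filename)
    if m is None:
        result["reason"] = "unsafe filename"
        return result
    ext = m.group(1).lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        result["reason"] = "extension .%s not allowed" % ext
        return result
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        result["reason"] = "content is not a %s image" % ext
        return result
    expected_mime = "image/jpeg" if ext == "jpg" else "image/" + ext
    result["mime_mismatch"] = client_mime.lower() != expected_mime
    # Never reuse the client's name: random stem plus the verified extension.
    result["stored_name"] = "%s.%s" % (secrets.token_hex(16), ext)
    result["ok"] = True
    return result


def save_upload(upload_dir, stored_name, data):
    """Write with O_EXCL (never overwrite) and mode 0644: readable, not executable.
    The directory itself must also be served without script execution."""
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    for name, data, mime in [
        ("dz.php;.jpg", PHP_SAMPLE, "image/jpeg"),
        ("dz.php.jpg", PHP_SAMPLE, "image/jpeg"),
        ("dz.php", PHP_SAMPLE, "image/jpeg"),
        ("photo.jpg", PHP_SAMPLE, "image/jpeg"),
        ("photo.JPEG", JPEG_SAMPLE, "application/octet-stream"),
    ]:
        print(name, validate_upload(name, data, mime))
```

Switching execution off for the directory is the other half of "no execute access": with Apache and mod_php that is `php_admin_flag engine off` inside the `<Directory>` block for the upload folder, so even a file that slips through is only ever served as bytes.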
  • 0
Barney T.

We do not want to subject our members to suspicious files through our forums. We need to keep this a safe place for all.

 

Thread Closed

 

Barney

  • Like 2
This topic is now closed to further replies.