• 0

I think someone tried to hack my website!


Question

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

 

Filename - It's just a php file with a jpg extension

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

<snip>

Edited by Barney T.
We do not want our members downloading infected files.

21 answers to this question


  • 0

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities. I'm guessing your site isn't a CMS-based one though, so this goes back to permissions, and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already, make sure your PHP is up to date and Apache is as well.

You can always view the access and/or error logs to see if this file is accessed a lot (botnet or spammer type of thing), or analyze them for when the POST request was put on your site for the affected file.

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.
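The log review suggested in this reply can be done with a short script rather than by eye. The following is an added example, not code from the thread: it parses Apache combined-format access-log lines (constructed sample lines, not the poster's logs; the `/upload.php` endpoint and the documentation IP ranges are assumptions), finds every request for the uploaded file, including the URL-encoded spelling `dz.php%3B.jpg`, and pulls out the POST to the upload endpoint from the same client so you can see when the file arrived.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined"-format access-log lines for the demo; not the
# poster's real logs. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2012:10:01:02 +0000] "GET /gallery.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2012:10:01:09 +0000] "POST /upload.php HTTP/1.1" 302 0 "http://example.com/upload.php" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2012:10:01:15 +0000] "GET /uploads/dz.php;.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Jun/2012:10:40:55 +0000] "GET /uploads/dz.php%3B.jpg HTTP/1.1" 404 221 "-" "curl/7.21"
192.0.2.9 - - [12/Jun/2012:11:02:30 +0000] "GET /uploads/cat.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_log(text):
    """Parse each line into a dict; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # Decode %-escapes so dz.php%3B.jpg and dz.php;.jpg compare equal,
        # and drop the query string so it cannot hide the path.
        e["path"] = unquote(e["target"].split("?", 1)[0])
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries

def hits_for_file(entries, filename):
    """Every request whose decoded path ends in /<filename>."""
    return [e for e in entries if e["path"].endswith("/" + filename)]

def upload_requests(entries, upload_path, from_ip=None):
    """POSTs to the upload endpoint, optionally only those from one client IP."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"] == upload_path
            and (from_ip is None or e["ip"] == from_ip)]

def likely_executed(hit, on_disk_size):
    """Heuristic: a 200 whose response size differs from the file's size on disk
    suggests the server ran the file as PHP instead of serving the bytes as-is."""
    return hit["status"] == 200 and hit["size"] != on_disk_size

def triage(text, filename, upload_path="/upload.php"):
    entries = parse_log(text)
    hits = hits_for_file(entries, filename)
    first_ip = hits[0]["ip"] if hits else None
    return {"hits": hits,
            "uploader_posts": upload_requests(entries, upload_path, first_ip)}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "dz.php;.jpg")
    for h in report["hits"]:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"], h["size"])
    for p in report["uploader_posts"]:
        print("upload POST:", p["ts"], p["ip"], p["status"])
```

A 200 for the file only proves the server answered; compare the logged response size with the file's size on disk (`likely_executed`), since a file served as a static image comes back byte-for-byte while one run through the PHP handler returns whatever the script printed. If the logs rotate daily, as the poster later says, pull the rotated copies from the host before they are gone.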

 

  • 0

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

  • 0

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

This is a PHP hack shell. From there, they can see a lot of information about your server and, if the rights are improperly set, they can do DDoS attacks, take over the web server and so on, as well as modify various things on your website.

  • 0

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

Well it's a PHP file. I don't think this can harm anyone's PC.

  • 0

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities. I'm guessing your site isn't a CMS-based one though, so this goes back to permissions, and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already, make sure your PHP is up to date and Apache is as well.

You can always view the access and/or error logs to see if this file is accessed a lot (botnet or spammer type of thing), or analyze them for when the POST request was put on your site for the affected file.

 

The hacker(s) that messed with your site embedded base 64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

Thanks so much for the advice. I'll check on the logs. I'm also going to remove the upload ability. No one uses it anyway haha

  • 0

I don't know much about PHP, but the last section looks like it sends an e-mail to [email protected] .

I noticed that as well. I kind of want to email him/her.

Also earlier in the code it links to tutorials on hacking and downloading pdfs about it. One site was in Moroccan. Very odd.

  • 0

I'm having an interesting time decoding the script online. Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure, and for safety's sake, run an updated ClamAV scan on your site as well to make sure nothing else was compromised. ;)
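Both the earlier reply about the base64 blob and this one decode the script "online". Decoding it locally is safer than pasting it into a third-party site, and the usual packing is nested `eval(base64_decode("..."))` wrappers. The following is an added example, not code from the thread or from the uploaded file: it peels those wrappers off without executing anything and lists the e-mail addresses and URLs in the innermost layer, the kind of detail the thread noticed by hand. The sample it decodes is constructed here from a benign payload with RFC 2606 example names, not the poster's script.

```python
import base64
import re

# Matches one eval(base64_decode("...")) wrapper; tolerant of whitespace,
# either quote style, and base64 broken across lines.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)"""
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def wrap_eval_b64(code, layers):
    """Build the constructed demo sample: wrap `code` in `layers` nested
    eval(base64_decode()) calls, the way obfuscated scripts are packed."""
    for _ in range(layers):
        b64 = base64.b64encode(code.encode()).decode()
        code = 'eval(base64_decode("%s"));' % b64
    return "<?php " + code + " ?>"

# Constructed benign payload; the address and URL are RFC 2606 example names.
INNER = ('$notify = "someone@example.com"; '
         '$docs = "http://www.example.net/tutorial.pdf"; '
         'echo "hello";')
SAMPLE = wrap_eval_b64(INNER, 3)

def unwrap_layer(src):
    """Return the decoded contents of the first eval(base64_decode()) wrapper,
    or None if the text contains no such wrapper."""
    m = EVAL_B64.search(src)
    if not m:
        return None
    raw = "".join(m.group(2).split())      # strip embedded newlines
    return base64.b64decode(raw).decode("utf-8", "replace")

def unwrap_all(src, max_layers=32):
    """Peel wrappers until none remain. Decoding only; nothing is executed.
    max_layers guards against a sample that keeps decoding to another wrapper."""
    layers = [src]
    while len(layers) <= max_layers:
        inner = unwrap_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers

def extract_indicators(text):
    """E-mail addresses and URLs in the decoded source: the addresses a shell
    reports to and the sites it links are what you want to block and report."""
    return {"emails": sorted(set(EMAIL_RE.findall(text))),
            "urls": sorted(set(URL_RE.findall(text)))}

if __name__ == "__main__":
    layers = unwrap_all(SAMPLE)
    print("layers peeled:", len(layers) - 1)
    print("innermost code:", layers[-1])
    print(extract_indicators(layers[-1]))
```

Real samples also use `gzinflate`, `str_rot13` or string-reversal around the base64; each is one more decode step in `unwrap_layer`, and the loop structure stays the same. Keep the decoded layers as evidence alongside the original file's hash.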

  • 0

Well it's a PHP file. I don't think this can harm anyone's PC.

 

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

  • 0

I'm having an interesting time decoding the script online. Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure, and for safety's sake, run an updated ClamAV scan on your site as well to make sure nothing else was compromised. ;)

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day, but it doesn't look like this file was accessed. Maybe it was never able to run.

  • 0

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Oh sorry. I posted the file name up above. I'll make it clearer. Good tip thanks :)

  • 0

Your site was hacked? Welcome to the Internet :D

As long as you don't keep users' emails and CC numbers in plain text, you will be fine.

Haha! So far I'm not liking my stay :P This is the first time it's happened to me. My websites aren't very popular!

  • 0

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day, but it doesn't look like this file was accessed. Maybe it was never able to run.

PM Sent.  :)

 

Rather than link to or post code snippets that can hack, which is a TOS violation of Neowin AFAIK, I won't. But it is easy enough to decode this stuff online.

  • 0

Well now you are

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

  • 0

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

I'm going off the contents of the file.

  • 0

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So......how is that hacking a site?

 

Pretty sure he means they attempted to do some sort of injection attack. Possibly uploading it and then trying to run it by injecting unsanitized input somewhere else (or just trying to run it directly from their web browser).

 

 

EDIT: see: http://stackoverflow.com/questions/8025236/is-it-possible-to-execute-php-with-extension-file-php-jpg
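The earlier advice to check MIME types on upload and keep the upload directory non-executable, and the linked question about whether a name like `dz.php;.jpg` gets run as PHP, both come down to the same server-side check. The following is an added example, not the poster's upload code: a Python validator (the site itself is PHP, where `finfo` or `getimagesize` plays the magic-byte role) that ignores the client-sent MIME type, which the client controls, and instead requires a whitelisted extension, matching magic bytes, a filename with exactly one dot and no separators, and a server-chosen random storage name. The sample file contents are constructed.

```python
import os
import re
import secrets

# Extension -> magic-byte prefixes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Any PHP open tag inside the image bytes (polyglot image/script). Heuristic:
# EXIF comments can legitimately contain '<?', so re-encoding the image with an
# image library is the stronger fix; this check is the cheap first line.
PHP_TAG_RE = re.compile(rb"<\?(php|=)?")
# Exactly one dot, alphanumerics/underscore/dash only: rejects 'dz.php;.jpg',
# 'shell.php.jpg', names with spaces, NUL bytes or path separators.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")

def validate_image_upload(client_filename, data):
    """Return (ok, reason, storage_name). The client's filename is used only to
    read the claimed extension; the stored name is random and server-chosen."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in name or not SAFE_NAME_RE.match(name):
        return False, "filename has forbidden characters or extra extensions", None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: " + ext, None
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not look like a " + ext, None
    if PHP_TAG_RE.search(data):
        return False, "embedded PHP tag in image data", None
    storage = secrets.token_hex(16) + "." + ext   # uploader never controls the stored name
    return True, "ok", storage

# Constructed sample inputs (not the poster's file).
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32 + b"\xff\xd9"
POLYGLOT  = b"\xff\xd8\xff\xe0" + b"<?php echo 'x'; ?>"
PLAIN_PHP = b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for fname, blob in [("dz.php;.jpg", PLAIN_PHP), ("shell.php.jpg", FAKE_JPEG),
                        ("cat.jpg", POLYGLOT), ("cat.jpg", FAKE_JPEG)]:
        print(fname, validate_image_upload(fname, blob)[:2])
```

Validation is only half of it: the upload directory must also be one the web server will never hand to the PHP engine, so that even a file that slips through is served as inert bytes. With mod_php that is `php_admin_flag engine off` inside a `<Directory>` block for the uploads path; with PHP-FPM, simply do not map the handler for that location; better still, serve uploads from a separate static host. Rejecting `;` and double extensions outright, as above, means you do not have to rely on how any particular server parses `dz.php;.jpg`, which is the question the linked Stack Overflow thread is about.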

  • 0

We do not want to subject our members to suspicious files through our forums. We need to keep this a safe place for all.

 

Thread Closed

 

Barney
