
I think someone tried to hack my website!


Question

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

 

Filename - It's just a php file with a jpg extension

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

<snip>

Edited by Barney T.
We do not want our members downloading infected files.

21 answers to this question

Recommended Posts

  • 0

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities.  I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well. 

 

You can always view the access and/or error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file. 

 

The hacker(s) that messed with your site embedded base64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.
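The log check suggested above, written out as an added example (this is not code from anyone in the thread). It parses Apache "combined" access-log lines, pulls every request for the suspect file name, lists the POST requests from the same client addresses as candidate upload requests, and applies one practical heuristic: a file that Apache serves statically comes back with exactly its on-disk size, whereas a PHP script that actually ran produces a body of some other size. The four log lines are constructed for the example, and `/upload.php` as the upload endpoint is an assumption.

```php
<?php
// Added example, not code from the thread: scan Apache "combined" access-log
// lines for the suspect upload. The log lines are constructed for the example;
// "/upload.php" as the upload endpoint is an assumption.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [14/Mar/2012:03:12:01 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2012:03:12:04 +0000] "GET /uploads/dz.php;.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2012:03:12:09 +0000] "POST /uploads/dz.php;.jpg?pass=x HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Mar/2012:08:30:11 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
LOG;

// Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
const COMBINED_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/';

/** Parse one combined-format line into named fields, or return null if it does not match. */
function parseLine(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'ts'     => $m['ts'],
        'method' => $m['method'],
        'path'   => rawurldecode(explode('?', $m['path'], 2)[0]), // strip query string, decode %xx
        'status' => (int) $m['status'],
        'bytes'  => $m['bytes'] === '-' ? 0 : (int) $m['bytes'],
    ];
}

/**
 * Return every request for $suspectName, every POST from the same client IPs
 * (candidate upload requests), and an "executed" hint: a 200 response whose
 * body size differs from the file's on-disk size means the server did not
 * simply hand back the raw bytes. Compression or a customised LogFormat
 * defeats that heuristic, so treat it as a hint, not proof either way.
 */
function findShellActivity(string $log, string $suspectName, int $fileSizeOnDisk): array
{
    $lines   = array_values(array_filter(array_map('parseLine', explode("\n", trim($log)))));
    $hits    = array_values(array_filter($lines, fn($e) => basename($e['path']) === $suspectName));
    $ips     = array_values(array_unique(array_column($hits, 'ip')));
    $uploads = array_values(array_filter($lines, fn($e) =>
        $e['method'] === 'POST' && in_array($e['ip'], $ips, true) && basename($e['path']) !== $suspectName));

    $executed = false;
    foreach ($hits as $e) {
        if ($e['status'] === 200 && $e['bytes'] !== $fileSizeOnDisk) {
            $executed = true;
        }
    }
    return ['hits' => $hits, 'ips' => $ips, 'uploads' => $uploads, 'executed_hint' => $executed];
}

$r = findShellActivity(SAMPLE_LOG, 'dz.php;.jpg', 4096);
printf("%d request(s) for the file from [%s]; %d candidate upload POST(s); executed hint: %s\n",
    count($r['hits']), implode(', ', $r['ips']), count($r['uploads']), $r['executed_hint'] ? 'yes' : 'no');
foreach ($r['hits'] as $e) {
    printf("  %s %s %s -> %d (%d bytes)\n", $e['ts'], $e['method'], $e['path'], $e['status'], $e['bytes']);
}
```

Run it against the real log with `file_get_contents('/var/log/apache2/access.log')` in place of `SAMPLE_LOG` and the suspect file's actual size from `filesize()`. Two caveats a practitioner should keep in mind: a shell can be driven with any method, not only GET, and if the logs rotate daily and the interesting day is gone, an empty result says nothing about whether the file ran.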

 

  • 0

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

  • 0

Hey all,

One of my sites allows users to upload images and I had this file uploaded. I don't think it was able to run since it was saved as a jpg. How can I tell if the hack was successful?

dz.php;.jpg

 

Here is the file in a zip. You might need to turn off your antivirus. Mine keeps catching it. If you don't want to download it, I understand. The main concern for me is figuring out if I was compromised. :(

The file is really interesting though.

 

This is a PHP hack shell. From there, they can see a lot of information about your server and, if the rights are improperly set, they can do DDoS attacks, take over the webserver and so on, as well as modify various things on your website.

  • 0

I don't know if this is legit or not, but offering to download something that might be infected with a virus isn't something the average user here should be exposed to.

Well it's a PHP file. I don't think this can harm anyone's PC.

  • 0

Certainly looks like an injection script. 

 

You really should make sure that your directory permissions are proper as well as the publicly accessible files.  What should be written to and what is read only type of thing. 

 

I have seen this type of hack attempt all too often with various CMS systems having incorrect permissions and vulnerabilities.  I'm guessing your site isn't a CMS based one though, so this goes back to permissions and if you coded it yourself, you might want to look at any potential security holes they can exploit in your code that you may have overlooked. Also, if you haven't done so already - make sure your PHP is up to date and Apache is as well. 

 

You can always view the access and/or error logs to see if this file is accessed a lot, (Botnet or Spammer type of thing), or analyze them for when the POST request was put on your site for the affected file. 

 

The hacker(s) that messed with your site embedded base64 code in the script to make it non-readable by humans, but you can pretty much decode it online if you want.

Thanks so much for the advice. I'll check on the logs. I'm also going to remove the upload ability. No one uses it anyway haha

  • 0

I don't know much about PHP, but the last section looks like it sends an e-mail to [email protected] .

I noticed that as well. I kind of want to email him/her.

Also earlier in the code it links to tutorials on hacking and downloading pdfs about it. One site was in Moroccan. Very odd.

  • 0

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and, for safety's sake, run an updated ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

  • 0

Well it's a PHP file. I don't think this can harm anyone's PC.

 

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

  • 0

I'm having an interesting time decoding the script online.  Pretty funny how they didn't even change their default password for the hack tool they are using. Best of luck on your end for sure and, for safety's sake, run an updated ClamAV scan on your site as well to make sure nothing else was compromised.  ;)

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day, but it doesn't look like this file was accessed. Maybe it was never able to run.

  • 0

You didn't say it was PHP. That makes it a lot less serious to the average desktop user.

 

Checking MIME types on upload is a good way to stop some of the script kiddie stuff. Also, your upload directory should never have execute access.

Oh sorry. I posted the file name up above. I'll make it clearer. Good tip thanks :)

  • 0

your site was hacked? welcome to the Internet :D

as long as you don't keep users' emails and CC numbers in plain text, you will be fine.

Haha! So far I'm not liking my stay :P  This is the first time it's happened to me. My websites aren't very popular!

  • 0

If you want, post anything interesting here in this thread, or PM. I'm really interested in it. Sadly my logs seem to get overridden every day, but it doesn't look like this file was accessed. Maybe it was never able to run.

PM Sent.  :)

 

Rather than link to or post code snippets that can hack, which is a TOS violation of Neowin AFAIK, I won't.  But it is easy enough to decode this stuff online. 

  • 0

Well now you are

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So... how is that hacking a site?

  • 0

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So... how is that hacking a site?

I'm going off the contents of the file.

  • 0

I think you need to look up the definition.  If I wanted to share/save a large file with anyone and your site allows JPG file uploads, anyone could just add ".jpg" to any file and upload it.  So... how is that hacking a site?

 

Pretty sure he means they attempted to do some sort of injection attack. Possibly uploading it and then trying to run it by injecting unsanitized input somewhere else (or just trying to run it directly from their web browser).

 

 

EDIT: see: http://stackoverflow.com/questions/8025236/is-it-possible-to-execute-php-with-extension-file-php-jpg
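The two defensive points raised in the thread (check the content type on upload, and never let the upload directory execute anything) and the question of why a name like `dz.php;.jpg` is chosen at all, worked through as an added example; this is not code from any poster or from the site in question. The `;` form targets IIS 6's habit of truncating the file name at the semicolon for handler selection, so the file is treated as `dz.php`; the `dz.php.jpg` form targets Apache's multi-extension matching when PHP is wired up with `AddHandler`, which is the case the linked Stack Overflow question discusses. The handler below assumes the form field is named `image` and that `$storeDir` is a directory the web server will never pass to the PHP interpreter; those names are assumptions for the example.

```php
<?php
// Added example, not code from the thread: allow-list validation for an image
// upload handler. Assumptions: the form field is "image" and $storeDir is a
// directory that the web server will never hand to the PHP interpreter.
declare(strict_types=1);

// Extension the file will be stored under, keyed by the sniffed MIME type.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Return the lower-cased extension if the client-supplied name is acceptable,
 * otherwise null. "dz.php;.jpg" is rejected twice over: ';' is outside the
 * allowed character set, and a second '.' is not allowed, so "php" can never
 * survive as an extra extension for Apache's multi-extension matching.
 */
function safeExtension(string $clientName): ?string
{
    $name = basename($clientName);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    return in_array($ext, ALLOWED_TYPES, true) ? $ext : null;
}

/**
 * Validate an entry of $_FILES and move it into $storeDir under a random,
 * server-chosen name with a single fixed extension. Throws on any rejection.
 */
function storeImageUpload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $ext = safeExtension($file['name'] ?? '');
    if ($ext === null) {
        throw new RuntimeException('file name or extension not allowed');
    }
    // Sniff the bytes; $file['type'] is sent by the client and proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || ALLOWED_TYPES[$mime] !== $ext) {
        throw new RuntimeException("content is $mime, not a .$ext image");
    }
    // A real JPEG with PHP appended still passes both checks above, so the
    // storage directory's no-execute configuration remains the real backstop.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    $target = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // readable, never executable
    return $target;
}

// Name-only checks can be exercised from the command line without a real upload.
foreach (['photo.JPG', 'a.jpg', 'dz.php;.jpg', 'dz.php.jpg', 'shell.phtml'] as $n) {
    printf("%-12s => %s\n", $n, safeExtension($n) ?? 'rejected');
}
// In the request handler: $path = storeImageUpload($_FILES['image'], $storeDir);
```

Two caveats for anyone applying this. First, on Apache with mod_php the filesystem execute bit is irrelevant: the server reads the file and hands it to the interpreter rather than executing it, so "no execute access" has to be expressed in the server configuration, for example `php_flag engine off` (or a `<FilesMatch>` denying `.php`/`.phtml` outright) in a `<Directory>` block or `.htaccess` for the upload directory, or better still by storing uploads outside the document root and serving them through a script that sets the Content-Type itself. Second, the name and MIME checks stop the script-kiddie cases; a valid image with PHP appended passes them, which is why the execution-prevention step is the one that actually matters.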

  • 0

We do not want to subject our members to suspicious files through our forums. We need to keep this a safe place for all.

 

Thread Closed

 

Barney
